Web+Center Security – Best Practices and community Reporting

Sadly, we have reached a point in our computer- and Internet-centric connected world where the cost and effort of securing and protecting data, applications and development exceed the cost of developing and maintaining the software itself.  For many home users, the annual cost of antivirus and computer protection software probably exceeds the yearly cost of the desktop or laptop, OS and required work applications they originally bought.

Internet Software Sciences has always been aware of potential exploits of our web-based software by hackers, and we have carefully designed our application with that in mind.  There are design features in the software that help prevent abuse, but more importantly there are many best practices we now plan to recommend for hosting, reporting, and Web+Center system backup and recovery protocols.

Securing Web+Center within your organization requires a multi-part best practices methodology.  Many of these steps will not only help secure Web+Center but will also provide better security for any other hosted applications in your organization, if you have not yet taken the time to apply secure practices to other apps or your network operations.  Several of the recommendations we outline apply to your entire network and computing environment.

Web+Center Security Best Practices is broken down into (5) categories.  Each category has a recommended set of steps that may apply to your environment.  This document is a work in progress as we research the options and get feedback from the Web+Center user community; a more finalized Best Practices document will be available in a few months, after that feedback.

Web+Center Security Best Practices – Category 1

  • Backup and recovery of Web+Center

Probably the most important security step you can take is to have the ability to recover Web+Center in the event of an attack on your network or another environment, OS or data failure.  It is very important to know that you are backing up the Web+Center application (code and database) daily to a secure location, on a device that cannot be compromised.

Luckily, Web+Center is fairly compact and its components are centralized in 3 simple parts.

  1. Database: The entire database is located in one database called Webcenter, either in a single ACCESS *.mdb file in the database directory OR in a single SQL database called webcenterXX.  You should be backing up that database daily to a location that cannot be compromised.
  2. Code: The entire Web+Center application code is located under the single folder and its sub folders under c:\program files (x86)\Internet Software Sciences\Web+Center 9.0\.  You should back up this folder and all sub folders, probably weekly, as these files do not change day to day unless you are making customizations to the software.
  3. Attached files: The only other component is the attached file folder where files attached by customers or techs are stored.  These are typically located in the c:\program files (x86)\Internet Software Sciences\Web+Center 9.0\wctemp\ folder, or wherever you have decided to store attached files for cases and other features.
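The three-part backup described above, as an added PowerShell example that is not Internet Software Sciences code.  It assumes the default Web+Center 9.0 install path, an Access database in the database folder (the SQL Server variant is shown commented out with the webcenterXX placeholder name), attachments in wctemp, and a backup target that the web server can write to but that anonymous or web-facing accounts cannot reach.

```powershell
# Added example (not vendor code): nightly Web+Center backup of the three
# components (database, attachments, code) plus an integrity manifest.
# Assumptions: default install path, Access *.mdb database, wctemp for
# attachments, and a write-only backup share that web users cannot reach.
$webCenterRoot = 'C:\Program Files (x86)\Internet Software Sciences\Web+Center 9.0'
$backupRoot    = '\\backupserver\webcenter$'      # placeholder target, adjust
$stamp         = Get-Date -Format 'yyyyMMdd-HHmm'
$dest          = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Database, daily. Copy the Access file(s); for SQL Server use the
#    commented Invoke-Sqlcmd line instead and substitute your real database
#    name for the webcenterXX placeholder from the install docs.
Copy-Item -Path (Join-Path $webCenterRoot 'database\*.mdb') -Destination $dest
# Invoke-Sqlcmd -ServerInstance 'SQLHOST' -Query "BACKUP DATABASE [webcenterXX] TO DISK = N'$dest\webcenter.bak' WITH INIT"

# 2. Attachments, daily, because customers and techs add files every day.
robocopy (Join-Path $webCenterRoot 'wctemp') (Join-Path $dest 'wctemp') /E /R:1 /W:1 /NFL /NDL | Out-Null

# 3. Code, weekly is enough unless you customise the application; here it is
#    taken on Sundays, excluding the attachment folder already copied above.
if ((Get-Date).DayOfWeek -eq 'Sunday') {
    robocopy $webCenterRoot (Join-Path $dest 'code') /E /XD 'wctemp' /R:1 /W:1 /NFL /NDL | Out-Null
}

# Record SHA-256 hashes so a restore can be checked against what was written;
# keep this manifest with the backup and a second copy elsewhere.
Get-ChildItem -Path $dest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
```

Run it from Task Scheduler under an account that has write access to the share but no interactive use on the web server.  An Access *.mdb copied while IIS has it open can be inconsistent, so either stop the Web+Center application pool for the few seconds the copy takes or use a VSS-aware backup tool for that step.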

Web+Center Security Best Practices – Category 2

  • HTTP web logging, log management and notifications

We recommend that you enable your web server HTTP logging.  The value these log files bring in the event of a data breach far exceeds the disk space used to store them.  We now have other features in the software that may report some suspicious behaviors to Web+Center administrators, and having web logs allows you to drill down and narrow in on potential abusers attempting to compromise your systems.

To enable web logging, open IIS, select the “Logging” icon, then enable logging and use the default settings for the log files.

We recommend you review and confirm that EVERY Web+Center request, click and form submit is being captured in the log file.  Run a few page hits of Web+Center, then open the current log file and confirm your specific page hits are there!

These log files are your best defense, both for proactively monitoring issues before they occur and for analyzing events after they occur.  They can be extremely cryptic to read and time consuming to analyze, so now might be the time to invest some time and money in web log monitoring and analysis tools.
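The two checks described above, confirming that Web+Center hits reach the IIS log and getting a first readable summary out of it, as an added PowerShell example that is not part of Web+Center.  The log lines are constructed for the example (the page names under the tech90 and customer90 folders are invented), and the log path in the comment is the IIS default.

```powershell
# Added example (not vendor code): parse an IIS W3C log, confirm that hits on
# the Web+Center application folders were captured, and summarise error
# responses per client address. Sample lines below are constructed.

function ConvertFrom-IisW3CLog {
    # Turns the lines of a W3C-format IIS log into objects whose property
    # names come from the "#Fields:" header line.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Constructed sample. For the live log use something like:
#   $lines = Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
$lines = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 09:15:02 10.0.0.5 GET /tech90/default.asp - 80 - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 31
2024-03-01 09:15:09 10.0.0.5 POST /tech90/default.asp - 80 - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 302 0 0 15
2024-03-01 09:16:40 10.0.0.5 GET /customer90/default.asp - 80 - 198.51.100.7 curl/8.4.0 200 0 0 12
2024-03-01 09:16:41 10.0.0.5 GET /customer90/missing.asp - 80 - 198.51.100.7 curl/8.4.0 404 0 2 3
2024-03-01 09:16:42 10.0.0.5 GET /customer90/missing2.asp - 80 - 198.51.100.7 curl/8.4.0 404 0 2 3
2024-03-01 09:16:43 10.0.0.5 POST /customer90/default.asp - 80 - 198.51.100.7 curl/8.4.0 500 0 0 40
'@ -split "`r?`n"

$entries = ConvertFrom-IisW3CLog -Lines $lines

# 1. Did the Web+Center hits make it into the log? Count per application folder.
$entries |
    Where-Object { $_.'cs-uri-stem' -match '^/(tech90|customer90|customermobile90|language90)/' } |
    Group-Object { ($_.'cs-uri-stem' -split '/')[1] } |
    Select-Object Name, Count

# 2. Which clients are collecting error responses? A burst of 4xx/5xx from one
#    address is the first thing worth following up on.
$entries |
    Where-Object { [int]$_.'sc-status' -ge 400 } |
    Group-Object 'c-ip' |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Run the first report right after your manual test hits: if a folder you just clicked through is missing from the output, logging is not capturing that application and needs fixing before you rely on it.  The second report is the simplest form of the alerting the commercial log monitors sell; scheduling it and mailing the result is a reasonable stop-gap until you choose one.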

There are several vendors who have developed very proactive products that continually monitor your IIS logs, find abuses and create reports.  Most importantly, these products can alert you to potential abuses before they actually cause problems.

One vendor we have looked at is XPLG and their web log monitoring software.  As we solicit input from the Web+Center user community, we will probably find better vendors.  From their pricing, it looks like for $9 a month you can get most of the features you would need from this type of service.  It can monitor many other types of logs, but this product and others like it can easily monitor and better report on your Web+Center IIS web activity.  Although we haven’t tested and verified these services, we are interested in hearing from Web+Center users who use such web monitoring services and which ones they recommend.

Web+Center Security Best Practices – Category 3

  • Understand your user community and tighten security options when possible

The Web+Center help desk is used for a wide range of IT and customer support applications.  The environments in which it is installed vary from highly secure military bases and 911 call centers with true “air gap” networks, to networks behind a fairly simple firewall, to configurations that are out on the open Internet.  We have designed Web+Center to run entirely from local resources and purposely not from a CDN (content delivery network), which poses additional risks.  See our article on the pros and cons of CDNs.

Web+Center is now primarily designed to be accessible on the public Internet, especially with the new features supported by the Tech+Mobile and Customer+Mobile applications, which are designed to run on your smartphones via the public Internet.

That being said, there are ways to limit access to your Web+Center application if all of your users are part of a Windows Active Directory (AD) environment.  If all of your techs and customers are in a Windows-based Active Directory system, you can experiment with changing the “Integrated Windows Security” settings for your entire Web+Center folder tree.

By default, the file security permissions for the Web+Center folder and sub folders are set to “Everyone Full Control” to allow anonymous users to access the Web+Center applications.  We use a cookie-based approach for security, with each Web+Center application page checking and validating either the customer security cookie or the tech security cookie.  You can make the application more secure, if all of your users can Windows authenticate, by setting the Web+Center folder permissions to Domain Users or Authenticated Users.  This will require users to Windows authenticate to the network before running Web+Center.  With this file restriction change, Web+Center will require both our Web+Center cookie security and Windows authentication security to operate.  Do not attempt to adjust the web server IUSR account for better security.

We are also developing a Windows-authenticated tech login, but simply setting the file security permissions for the Web+Center folder and sub folders will force techs to authenticate before they can access the application.
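The folder-permission change described above, as an added PowerShell example that is not Internet Software Sciences code.  It assumes the default install path, a site named Default Web Site, and that attachments are written under wctemp; it grants Authenticated Users (SID S-1-5-11) read and execute on the tree, removes the Everyone grant, and turns on Windows Authentication at the site so browsers are challenged rather than simply refused.  The IUSR account itself is left alone, as the article advises.

```powershell
# Added example (not vendor code): replace the default "Everyone: Full Control"
# on the Web+Center tree with Authenticated Users and enable Windows
# Authentication on the site. Path, site name and wctemp location are
# assumptions from the default install. Run from an elevated prompt.
Import-Module WebAdministration
$root = 'C:\Program Files (x86)\Internet Software Sciences\Web+Center 9.0'
$site = 'Default Web Site'

# Read/execute for Authenticated Users (S-1-5-11) on the whole tree,
# inherited by files (OI) and sub folders (CI); then drop the Everyone grant.
icacls $root /grant '*S-1-5-11:(OI)(CI)RX' /T /Q
icacls $root /remove:g 'Everyone' /T /Q

# Attachments must stay writable by logged-in users or uploads will fail.
icacls (Join-Path $root 'wctemp') /grant '*S-1-5-11:(OI)(CI)M' /T /Q

# Enable Windows Authentication for the site. Anonymous authentication is left
# as it is: the anonymous IUSR account simply no longer has NTFS access to the
# files, so IIS challenges the browser for Windows credentials instead.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# Verify: Authenticated Users should be listed and Everyone should be gone.
(Get-Acl $root).Access |
    Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Test from a workstation that is not domain-joined first: you should be prompted for credentials and, without valid ones, never reach the Web+Center login page.  If pages start failing with 401.3 for domain users, the application pool identity or a sub folder with its own explicit ACL is the usual cause; check the folder's inheritance before touching IUSR.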

Web+Center Security Best Practices – Category 4

  • Share your best web hosting practices and report any Web+Center abuse attempts

Report any security issues or attempts to compromise the system to Internet Software Sciences so we can quickly patch and release updates to our systems.

If you have any best practices you use and would like to recommend for your Web+Center environments, please share them with us. We will include them in our hosting best practices guide but we won’t list who provided this information unless you want credit.

Please report all software abuses to Internet Software Sciences so we can improve the code, alert customers of potential abuses and release new updates.

Web+Center Security Best Practices – Category 5

  • Web server geo blocking, web application firewalls (WAF) and other hardware level options

For most organizations that have more advanced firewalls and supported firewall services, you can enable geo blocking on your firewall or even in Windows Firewall.  If your Web+Center is just for staff, students and techs, all within one country or an even smaller set of networks, then you can block access from other countries.  The majority of website attacks come from specific countries, such as China, Russia and Turkey.  You may want to research your firewall’s capabilities or find out what your peers at similar colleges, government agencies or companies are doing.
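The Windows Firewall option mentioned above, as an added PowerShell example that is not vendor code.  It assumes you already have a list of CIDR ranges to block (for example a country export from your firewall vendor or a geo-IP feed); the file path is a placeholder and the ranges shown in the comment are RFC 5737 documentation ranges, not real country data.

```powershell
# Added example (not vendor code): (re)build a Windows Firewall rule that
# blocks inbound HTTP/HTTPS from a maintained list of CIDR ranges.
# The list file path is a placeholder. Expected file format, one range per
# line, '#' comments allowed (RFC 5737 documentation ranges as samples):
#   # exported 2024-03-01
#   192.0.2.0/24
#   198.51.100.0/24
$listFile = 'C:\ProgramData\WebCenterGeoBlock\blocked-ranges.txt'   # placeholder
$ruleName = 'Web+Center geo block'

# Accept only well-formed IPv4 CIDR entries; a malformed list must not
# silently produce an empty (and therefore useless) rule.
$cidr = '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
$ranges = Get-Content $listFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') -and $_ -match $cidr }
if (-not $ranges) { throw "No valid CIDR ranges in $listFile; rule not changed." }

# Recreate the rule so the address list always matches the file exactly.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 80,443 -RemoteAddress $ranges -Profile Any | Out-Null

# Report what is now in force.
(Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress
```

Keep the list file writable only by administrators, since whoever edits it controls what the firewall blocks, and re-run the script on a schedule so the rule tracks feed updates.  Block rules are evaluated before allow rules in Windows Firewall, so an existing "allow 80/443" rule does not override this one.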

Web+Center Security Best Practices – Category 6

  • Proper installation and configuration of Web+Center

One of the most important installation and configuration steps is to configure your Web+Center application directories and the download file attachment directory exactly as specified in the install steps.

All of the Web+Center application IIS directories (tech90, customer90, language90, customermobile90, etc.) are IIS “application” directories.  The Web+Center download file directory must be configured as a “virtual” directory.  Virtual directories DO NOT allow execution of any scripts or files, so a download directory properly configured in IIS (as a virtual directory) is crucial to preventing a user from downloading and executing a file.  We are developing file download threat assessment code that will analyze each download by file type and report potential abuses to Web+Center administrators.
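The download-directory configuration described above, as an added PowerShell example that is not Internet Software Sciences code.  It assumes a site named Default Web Site, the alias wctemp and the default install path.  Beyond creating the virtual directory, it also pins the handler access policy for that path to Read, so the no-execution property does not depend on what the parent site's handler mappings happen to be, and then verifies both settings.

```powershell
# Added example (not vendor code): create the attachment folder as a plain
# virtual directory (not an IIS application), restrict its handlers to Read
# so nothing under it can be executed, then verify. Site name, alias and
# physical path are assumptions from the default install.
Import-Module WebAdministration
$site  = 'Default Web Site'
$alias = 'wctemp'
$path  = 'C:\Program Files (x86)\Internet Software Sciences\Web+Center 9.0\wctemp'

if (-not (Get-WebVirtualDirectory -Site $site -Name $alias)) {
    New-WebVirtualDirectory -Site $site -Name $alias -PhysicalPath $path | Out-Null
}

# A virtual directory inherits the parent site's handler mappings, so make the
# restriction explicit: Read only, no Script or Execute access for this path.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$alias" `
    -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read'

# Verify: the folder must not appear as an application, and its handler
# access policy must be exactly Read.
$isApp  = [bool](Get-WebApplication -Site $site | Where-Object { $_.path -eq "/$alias" })
$policy = (Get-WebConfiguration -PSPath "IIS:\Sites\$site\$alias" `
    -Filter 'system.webServer/handlers').accessPolicy
[pscustomobject]@{ Alias = $alias; IsApplication = $isApp; AccessPolicy = $policy }
```

The expected verification output is IsApplication False and AccessPolicy Read.  If IsApplication is True, someone converted the folder to an application in IIS Manager and the download directory is no longer configured as the install steps require; remove the application and re-run the script.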