Server Misconfiguration

What is Server Misconfiguration?

Server misconfiguration attacks exploit configuration weaknesses found in web and application servers. Many servers come with unnecessary default and sample files, including applications, configuration files, scripts, and webpages. They may also have unnecessary services enabled, such as content management and remote administration functionality. Debugging functions may be enabled or administrative functions may be accessible to anonymous users. Servers may include well-known default accounts and passwords. Failure to fully lock down or harden the server can leave improperly set file and directory permissions. 

All of these server misconfiguration features can be used by attackers to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges. SSL vulnerabilities such as misconfigured certificates and encryption settings, the use of default certificates, and improper authentication implementation with external systems all have the potential to compromise the confidentiality of information.

How to prevent Server Misconfiguration?

Once you understand your entire environment, the best way to manage risk is to lock down the most critical infrastructure, allowing only desired behaviour. Any communication which is not necessary for an application should be blocked. This can include:

• Disable administration interfaces.
• Disable debugging.
• Disable use of default accounts/passwords.
• Configure server to prevent unauthorized access, directory listing, etc.
• Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.