Updating our Software
Every new update to our system comes with enhanced security features, so you are encouraged to always run the latest software. For PHP, Apache HTTP Server, and Microsoft Internet Information Services (IIS), it is advisable to visit the appropriate website (http://www.php.net, httpd.apache.org, or www.microsoft.com/iis) on a regular basis, because these are the trusted sites and downloads from them are free from viruses and malicious code. These updates also come with security-related bug fixes.
Setting Up a New Software Version
We are advised to always follow the laid-down steps when installing and configuring these software programs, because this ensures we get all the right modules and extensions. When you follow the installation steps for a new version of the software, you are assured of not forgetting something important, which would only cause trouble later on. These steps are quite numerous, so we may not be able to remember them all.
Setting Up the php.ini File
This file contains a large number of configuration options for modules we may not use. If those modules are disabled, we need not worry about their options and can simply ignore them. For more guidance, check the documentation provided online at http://www.php.net/manual to see every option those modules offer.
The difficulty with these settings arises when a user chooses to run legacy software written in PHP that requires register_globals or register_long_arrays to be on. We then have to evaluate whether using the software is worth the security risk, and to mitigate the risk we can check for updates frequently.
Web Server Configuration
Apache HTTP Server
With this server, configuration options are set in httpd.conf, located in the /conf directory of the base httpd installation (Program Files/Apache Software Foundation/Apache2.2/conf). For more information, see the online documentation at http://httpd.apache.org/docs-project
In addition, carry out the following:
- Ensure that httpd runs as a user without high privileges
- Ensure that the file permissions on the Apache installation are set correctly
- Ensure that the server is able to handle the required number of connections
- Hide files that you do not want to be seen by including the appropriate directives in httpd.conf, for example to exclude .inc files add the following
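An httpd.conf fragment covering the checklist above, added here as an illustration and not taken from the original page. The account name `apache` and the `MaxClients` value are assumptions, and the access-control lines are given in both Apache 2.2 and 2.4 syntax.

```apache
# Example values are assumptions; adjust them to the local installation.

# Run the worker processes as a dedicated unprivileged account.
# Applies to Unix-like hosts; the account "apache" is assumed to exist.
# On Windows the account is set on the Apache service instead.
User apache
Group apache

# Cap simultaneous connections at what the host can actually serve.
# MaxClients is the Apache 2.2 prefork name; 150 is a constructed value.
<IfModule mpm_prefork_module>
    MaxClients 150
</IfModule>

# Refuse to serve include files, so their PHP source is never
# returned to a browser as plain text.
<FilesMatch "\.inc$">
    # Apache 2.2 access-control syntax
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    # Apache 2.4 access-control syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
```

Running `httpd -t` after editing checks the syntax before the server is restarted.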
IIS Configuration
- We should avoid having websites reside on the same drive as the operating system.
- We use the NTFS file system and we remove the write permissions from other locations
- We should delete all the files installed by IIS into the document root by default.
- We should avoid using common names
You are advised to read the IIS documentation to learn about its security features.