Jadu recommend following normal system hardening, such as removing unrequired users and disabling unrequired services, but note the following points:
An unprivileged user should be used to run the scheduled tasks. This user needs to have the “Logon as batch job” privilege configured through Local Security Policy or Group Policy, and write permissions set on log files in
Jadu recommend following Microsoft's patching guidelines to ensure the systems are up to date.
Because Jadu is installed under an unprivileged system user and runs from that user's home directory, it conflicts with the standard SELinux policy on RedHat. The solution is either to set SELinux to permissive or disabled, or to write a new SELinux policy that allows Apache to access the home directory.
PHP versions and distribution security
When running under Windows, security updates to PHP require reinstalling the latest PHP release, as PHP security for that platform is maintained directly by the PHP project.
RedHat backport all security fixes to the PHP version supported in their distribution, so keeping the OS up to date includes all the latest security fixes. Keep this in mind when doing a security audit: audit tools will highlight every security notice published after the base version of PHP was installed, even though the corresponding fixes have already been backported.
Penetration testing should be conducted on at least an annual basis and after significant changes to ensure newly discovered vulnerabilities are not affecting the external infrastructure and web application. This will also ensure that good security practice has been maintained.
When enabled, the register_globals configuration setting makes several types of variable available in the global scope of your application. This includes those from
Making user-submitted data available in this way can easily lead to security issues, as the source of the data cannot be easily determined.
As of PHP 5.4.0 this option has been removed; however, if you are running PHP < 5.4.0, ensure that register_globals is off.
Error logging can be useful in spotting problems, but can also expose information about your system's architecture to the outside world. In production environments you must therefore ensure that your configuration in php.ini includes the following:
display_errors = Off
display_startup_errors = Off
error_reporting = E_ALL & ~E_NOTICE
log_errors = On
With these settings, errors will still be logged to the server's error log, but will not be shown to external users. Refer to the PHP manual for further information on these settings.
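As an added example (not Jadu's code or documentation), the following Python checker audits a php.ini fragment for the production error-handling settings just listed and for the register_globals setting from the section above; the WEAK_INI and HARDENED_INI fragments are constructed for illustration.

```python
# Added example (not Jadu's code): audit a php.ini fragment for the settings above.
# Boolean directives and the value the guidance requires.
REQUIRED_BOOL = {
    "display_errors": False,
    "display_startup_errors": False,
    "log_errors": True,
    "register_globals": False,  # removed in PHP 5.4.0; must be off on older versions
}
REQUIRED_PRESENT = ("error_reporting",)  # must be set; the exact level is a site decision

def parse_php_ini(text):
    """Return {directive: value} from php.ini text, ignoring ';' comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings

def ini_bool(value):
    """PHP's ini boolean rules: 1/On/True/Yes are true; anything else is false."""
    return value.lower() in {"1", "on", "true", "yes"}

def audit(text):
    """Return a list of findings; an empty list means the fragment meets the guidance."""
    settings = parse_php_ini(text)
    findings = []
    for directive, wanted in REQUIRED_BOOL.items():
        if directive not in settings:
            if directive != "register_globals":  # absent register_globals means off
                findings.append(f"{directive} not set explicitly")
            continue
        if ini_bool(settings[directive]) != wanted:
            findings.append(f"{directive} = {settings[directive]} (expected {'On' if wanted else 'Off'})")
    findings += [f"{d} not set explicitly" for d in REQUIRED_PRESENT if d not in settings]
    return findings

# Constructed sample fragments: a development-style one and the hardened one from the text.
WEAK_INI = """[PHP]
display_errors = On
display_startup_errors = 1
log_errors = Off
register_globals = On
"""
HARDENED_INI = "[PHP]\ndisplay_errors = Off\ndisplay_startup_errors = Off\nerror_reporting = E_ALL & ~E_NOTICE\nlog_errors = On\n"
```

Running audit() over a production php.ini (for example from `php --ini`) gives a quick pre-audit check that the server will log, rather than display, errors.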
Good practice is to ensure that all systems are patched as soon as a release containing security fixes is published.