# Intro

- First, build an application inventory covering both external- and internal-facing apps; `nmap`, `eyewitness`, `aquatone`, or similar tools help enumerate and screenshot them.
- Common measures to secure apps:
  - `Access controls`: Proper access control mechanisms should be implemented per application. For example, login pages should not be reachable from the external network unless there is a valid business reason for that access. Similarly, file and folder permissions can be configured to deny uploads or application deployments.
  - `Disable unsafe features`: Features such as the PHP theme/plugin editor in WordPress can be disabled to prevent code execution if an administrator account is compromised.
  - `Regular updates`: Applications should be updated regularly, and vendor patches applied as soon as possible.
  - `Backups`: System administrators should always configure website and database backups so the application can be restored quickly after a compromise.
  - `Security monitoring`: Various tools and plugins can monitor the status of our applications and flag security-related issues. Another option is a Web Application Firewall (WAF). While not a silver bullet, a WAF adds an extra layer of protection, provided the measures above have already been taken.
  - `LDAP integration with Active Directory`: Integrating applications with Active Directory single sign-on increases ease of access, provides more auditing functionality (especially if synced with Azure AD), and streamlines the management of credentials and service accounts. It also reduces the number of accounts and passwords a user has to remember and gives fine-grained control over the password policy.
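Added example, not part of the original notes: a shell helper that turns an nmap greppable (`-oG`) scan into the URL list that EyeWitness or aquatone consume, which is the first step of the inventory above. The sample scan output is constructed, the `eyewitness`/`aquatone` command names and flags are those of the Kali packages, and the nmap command in the comment is one way to produce the input.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: build a web-app inventory from
# an nmap greppable (-oG) scan and hand the URL list to EyeWitness/aquatone.
# One way to produce such a scan:
#   nmap -sV -p 80,443,8000-8999 --open -oG scan.gnmap 10.129.42.0/24
set -eu

# Constructed -oG sample (hosts and services are made up). Each Ports entry
# is port/state/proto/owner/service/rpc/version/; tabs separate the fields.
sample_gnmap() {
  printf 'Host: 10.129.42.195 (joomla.inlanefreight.local)\tStatus: Up\n'
  printf 'Host: 10.129.42.195 (joomla.inlanefreight.local)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)\n'
  printf 'Host: 10.129.42.196 ()\tPorts: 22/open/tcp//ssh///, 8443/open/tcp//ssl|https-alt///, 9200/filtered/tcp//wap-wsp///\tIgnored State: closed (997)\n'
}

# gnmap_to_urls: read -oG text on stdin, print one URL per open HTTP(S) port.
# Uses the reverse-DNS name when nmap recorded one, so name-based virtual
# hosts make it into the inventory; falls back to the IP otherwise.
gnmap_to_urls() {
  awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); target = h[2]
      if (h[3] != "" && h[3] != "()") { target = h[3]; gsub(/[()]/, "", target) }
      sub(/^Ports: /, "", $2)
      n = split($2, ports, ", ")
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")
        port = f[1]; state = f[2]; svc = f[5]
        if (state != "open") continue
        if (svc ~ /https|ssl/) scheme = "https"
        else if (svc ~ /http/) scheme = "http"
        else continue
        printf "%s://%s:%s\n", scheme, target, port
      }
    }'
}

# inventory_from_scan SCAN.gnmap [OUTFILE]: write the de-duplicated URL list,
# then screenshot it with whichever tool is on PATH (flags are those of the
# Kali eyewitness and aquatone packages). Adjust paths for your own install.
inventory_from_scan() {
  local scan="$1" out="${2:-webapps.txt}"
  gnmap_to_urls < "$scan" | sort -u > "$out"
  if command -v eyewitness >/dev/null 2>&1; then
    eyewitness --web -f "$out" -d eyewitness_report --no-prompt
  elif command -v aquatone >/dev/null 2>&1; then
    aquatone -out aquatone_report < "$out"
  else
    echo "inventory written to $out; screenshot it with EyeWitness or aquatone" >&2
  fi
}

# Demo on the constructed sample: prints four URLs, skipping ssh and the
# filtered 9200/tcp.
sample_gnmap | gnmap_to_urls
```

A scan by IP only ever reaches each server's default virtual host, so hostnames gathered from DNS, certificate SANs, or internal documentation should be appended to the URL file before the screenshot run; otherwise name-based apps stay out of the inventory.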
# App-Specific Tips

| Application | Hardening Category | Discussion |
|---|---|---|
| [WordPress](https://wordpress.org/support/article/hardening-wordpress/) | Security monitoring | Use a security plugin such as [WordFence](https://www.wordfence.com/), which includes security monitoring, blocking of suspicious activity, country blocking, two-factor authentication, and more |
| [Joomla](https://docs.joomla.org/Security_Checklist/Joomla!_Setup) | Access controls | A plugin such as [AdminExile](https://extensions.joomla.org/extension/adminexile/) can be used to require a secret key in the URL to reach the Joomla admin page, e.g. `http://joomla.inlanefreight.local/administrator?thisismysecretkey` |
| [Drupal](https://www.drupal.org/docs/security-in-drupal) | Access controls | Disable, hide, or move the [admin login page](https://www.drupal.org/docs/7/managing-users/hide-user-login) |
| [Tomcat](https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html) | Access controls | Limit access to the Manager and Host-Manager applications to localhost, e.g. with the `RemoteAddrValve` in each app's `META-INF/context.xml` (how Tomcat ships them). If they must be exposed externally, enforce IP allow-listing and set a very strong password and a non-standard username |
| [Jenkins](https://www.jenkins.io/doc/book/security/securing-jenkins/) | Access controls | Configure fine-grained permissions using the [Matrix Authorization Strategy plugin](https://plugins.jenkins.io/matrix-auth) |
| [Splunk](https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/Hardeningstandards) | Secure authentication | Change the default `admin` password and ensure that Splunk is properly licensed: the Free license, which an expired trial falls back to, does not enforce authentication |
| [PRTG Network Monitor](https://helpdesk.paessler.com/en/support/solutions/articles/76000062446-what-security-features-does-prtg-include-) | Regular updates, secure authentication | Stay up to date and change the default `prtgadmin` / `prtgadmin` credentials |
| osTicket | Access controls | Limit access from the internet if possible |
| [GitLab](https://about.gitlab.com/blog/2020/05/20/gitlab-instance-security-best-practices/) | Secure authentication | Enforce sign-up restrictions such as requiring admin approval for new sign-ups and configuring allowed and denied email domains |
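Added example for the Tomcat row, not from the original notes or the Tomcat project: a shell audit that checks a `CATALINA_BASE` for the two points in the table, namely that the Manager and Host-Manager apps carry an active `RemoteAddrValve` whose allow list is loopback-only, and that `conf/tomcat-users.xml` holds no default or weak manager credentials. The checks are regex over the XML rather than a full parser, the weak and hardened sample trees are constructed, and the default-name list, example-password list and 16-character minimum are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes or the Tomcat project: audit a
# CATALINA_BASE for the two Manager points in the table (reachable only from
# localhost; no default or weak manager credentials) using regex over the XML.
set -eu

# One-line the file and drop <!-- comments -->, so a commented-out valve does
# not count as an active one.
strip_xml_comments() { tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g'; }
# attr NAME ELEMENT: value of attribute NAME within one element string.
attr() { printf '%s' "$2" | sed -nE "s/.*[[:space:]]$1=\"([^\"]*)\".*/\1/p"; }

# check_manager_valve CONTEXT_XML: pass only if an active RemoteAddrValve is
# present and every alternative of its allow list is a loopback address
# (Tomcat's shipped default is 127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1).
check_manager_valve() {
  local valve allow rest pat
  valve=$(strip_xml_comments "$1" | grep -Eo '<Valve[^>]*RemoteAddrValve[^>]*>' || true)
  allow=$(attr allow "$valve")
  [ -n "$allow" ] || return 1
  rest="$allow|"
  while [ -n "$rest" ]; do
    pat=${rest%%|*}; rest=${rest#*|}
    case "$pat" in '127\.'*|'::1'|'0:0:0:0:0:0:0:1') ;; *) return 1 ;; esac
  done
  return 0
}

# check_manager_users TOMCAT_USERS_XML: fail if a user holding any manager-* or
# admin-* role has a well-known default name, an example password, or a
# password under 16 characters (this example's own lists and threshold).
check_manager_users() {
  local users line u p roles
  [ -f "$1" ] || return 0
  users=$(strip_xml_comments "$1" | grep -Eo '<user [^>]*/>' || true)
  while IFS= read -r line; do
    roles=$(attr roles "$line" | tr -d ' ')
    case ",$roles," in *,manager-*|*,admin-*) ;; *) continue ;; esac
    u=$(attr username "$line"); p=$(attr password "$line")
    case "$u" in tomcat|admin|manager|root) return 1 ;; esac
    case "$p" in tomcat|s3cret|admin|password|manager|'') return 1 ;; esac
    [ "${#p}" -ge 16 ] || return 1
  done <<EOF
$users
EOF
  return 0
}

# audit_tomcat CATALINA_BASE: apply both checks to the default layout. A
# Manager or Host-Manager app that was removed outright passes.
audit_tomcat() {
  local base="$1" app ctx rc=0
  for app in manager host-manager; do
    ctx="$base/webapps/$app/META-INF/context.xml"
    [ -f "$ctx" ] || continue
    if check_manager_valve "$ctx"; then echo "ok   $app limited to loopback"
    else echo "FAIL $app reachable beyond loopback: $ctx"; rc=1; fi
  done
  if check_manager_users "$base/conf/tomcat-users.xml"; then echo "ok   no default manager credentials"
  else echo "FAIL default or weak manager credentials in conf/tomcat-users.xml"; rc=1; fi
  return $rc
}

# write_samples DIR: constructed weak and hardened trees for the demo. The weak
# one has the valve commented out and the documentation's example login.
write_samples() {
  local d
  for d in weak hardened; do mkdir -p "$1/$d/webapps/manager/META-INF" "$1/$d/conf"; done
  cat > "$1/weak/webapps/manager/META-INF/context.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true">
  <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
</Context>
EOF
  cat > "$1/weak/conf/tomcat-users.xml" <<'EOF'
<tomcat-users>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>
EOF
  cat > "$1/hardened/webapps/manager/META-INF/context.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
EOF
  cat > "$1/hardened/conf/tomcat-users.xml" <<'EOF'
<tomcat-users>
  <user username="ops-deployer-7f2a" password="X7mK9pQ2vL4nR8sT1wZ3" roles="manager-gui"/>
</tomcat-users>
EOF
}

demo() {
  local d; d=$(mktemp -d); write_samples "$d"
  echo "== weak";     audit_tomcat "$d/weak" || true
  echo "== hardened"; audit_tomcat "$d/hardened"
  rm -rf "$d"
}
demo
```

Run it as `audit_tomcat /opt/tomcat` (or whatever your `CATALINA_BASE` is) after sourcing the file. The valve check deliberately rejects any non-loopback alternative, including internal ranges, because the table's stance is localhost-only unless there is a business reason; a deliberate IP allow-list would be added to the `case` patterns, not silently accepted.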