Lecture-1.2.2
DEPARTMENT : CSE
Bachelor of Engineering (Computer Science & Engineering)
WEB AND MOBILE SECURITY (Professional Elective-I)
(20CST/IT-333)
TOPIC OF PRESENTATION:
IIS and LAMP servers.
• Internet Information Server (IIS) has its own ASP.NET process engine to handle ASP.NET requests. The way you configure an ASP.NET application depends on which version of IIS the application is running on.
How IIS works
It works through several different standard languages and protocols. HTML is used for creating a variety of elements, for example text, buttons, hyperlinks, and direct/indirect behaviors. HTTP (HyperText Transfer Protocol) is used for exchanging information between servers and users. HTTPS (HyperText Transfer Protocol Secure) runs HTTP over SSL (Secure Sockets Layer), which encrypts the communication to add data security. FTP (File Transfer Protocol), or its secure variant FTPS, can transfer files.
Web server Security
1. Web services extensions
2. MIME types
3. Permissions (scripts, executable)
4. IP address restrictions
5. Log file and content (configure in IIS Manager)
1. A Web service extension is an IIS feature that extends the basic IIS functionality beyond serving static content. Examples of Web service extensions are Active Server Pages (.asp), ASP.NET, and server-side includes (SSI). InstallShield lets you add Web service extensions to your installation; turn them on during configuration.
2. MIME types in IIS are used to define and allow a specific file type to be served out by IIS. Usually this is used with new media file types, such as FLV, MP4, etc.
https://www.youtube.com/watch?v=O8L7eMAcXWs
Some of the ways that can be used to harden IIS and avoid security breaches are listed below:
• Error pages should be configured so that they display only the information relevant to the issue encountered. Error pages must not display unnecessary information such as server IP addresses, user IDs and passwords, or any other information that can help attackers exploit the web server.
• "URL authorization" must be used to apply rules to specific requests, e.g., requests for a particular kind of URL. URL authorization allows a company to authorize only certain users to view the requested pages.
• Any IIS feature that is not needed, and so does not help reduce the potential for attack, should be disabled.
• The domains and IP addresses that can reach the web server must be controlled.
• Always use a firewall to ensure that only valid packets can reach the server.
• Whenever Windows releases an update, the operating system should be updated with the latest security patches.
• Logging must be enabled to keep a record of the visitors that access the web server.
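An added example, not part of the lecture, that checks an IIS web.config fragment against three of the points above (error pages, URL authorization, IP address restriction); both fragments are constructed, and the 10.0.0.0/24 network and the Staff role are assumed values.

```python
import xml.etree.ElementTree as ET
# Constructed weak fragment: detailed errors to everyone, any IP, any user.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true" />
      <authorization>
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>"""
# Constructed hardened fragment: generic error page for remote clients, only the
# assumed 10.0.0.0/24 network may connect, only the assumed Staff role may view pages.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="Staff" />
      </authorization>
    </security>
  </system.webServer>
</configuration>"""

def audit_web_config(xml_text):
    """Return the hardening points the fragment fails; [] means all three pass."""
    root = ET.fromstring(xml_text)
    findings = []
    # customErrors mode="Off" sends stack traces and server details to every client.
    errors = root.find("./system.web/customErrors")
    if errors is not None and errors.get("mode") == "Off":
        findings.append("detailed errors shown to remote clients")
    # allowUnlisted="true" (the IIS default) lets any address reach the site.
    ipsec = root.find("./system.webServer/security/ipSecurity")
    if ipsec is None or ipsec.get("allowUnlisted", "true").lower() == "true":
        findings.append("no IP address restriction")
    # An Allow rule with users="*" authorizes everyone to view the pages.
    for rule in root.findall("./system.webServer/security/authorization/add"):
        if rule.get("accessType") == "Allow" and rule.get("users") == "*":
            findings.append("URL authorization allows all users")
    return findings
```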
LAMP Server (LAMP Stack)
• LAMP is an open-source Web development platform that uses Linux as the operating system, Apache as the Web server, MySQL as the relational database management system and PHP/Perl/Python as the object-oriented scripting language.
• LAMP has a classic layered architecture, with Linux at the lowest level. The next layer is Apache and MySQL, followed by PHP. Although PHP is at the top or presentation layer, the PHP component sits inside Apache.
• The LAMP stack order of execution shows how the elements interoperate. The process starts when the Apache web server receives requests for web pages from a user's browser. If the request is for a PHP file, Apache passes the request to PHP, which loads the file and executes the code contained in the file. PHP also communicates with MySQL to fetch any data referenced in the code.
What is Apache?
• Apache, or the Apache HTTP web server, is an open source Web server application managed by the Apache Software Foundation.
• The server software is freely distributed, and the open source license means users can edit the underlying code to tweak performance and contribute to its future development.
• Although we call Apache a web server, it is not a physical server, but rather software that runs on a server. Its job is to establish a connection between a server and the browsers of website visitors (Firefox, Google Chrome, Safari, etc.) while delivering files back and forth between them (client-server structure). The Apache software is also compatible with any operating system, from Windows to Unix.
• The server and the client communicate through the HTTP protocol, and the Apache web server is responsible for the smooth and secure communication between the two machines.
• Support, fixes and development are handled by the loyal user community and coordinated by the Apache Software Foundation.
Working Features
• The Apache web server has modules which add more functions to its software, such as MPM (for handling multi-processing modes) or mod_ssl for enabling SSL v3 and TLS.
• .htaccess: The .htaccess file is a basic configuration file used by the Apache web server to let you create special rules that tell your web server how to function. It is located in the site's root folder. To configure Apache per directory, you'll need to access .htaccess.
• Support for IPv6, FTP and HTTP/2.
• Some high-profile companies using Apache include Cisco, IBM, Salesforce, General Electric, Adobe, VMware, Xerox, LinkedIn, Facebook, Hewlett-Packard, AT&T, Siemens, eBay, and many more.
Because Apache doesn't perform as well in some benchmarks, especially for static websites or websites with high traffic, Kinsta uses the NGINX web server instead of Apache.
Security Practices
1. Disable Trace HTTP Request
2. Restrict Access to a Specific Network or IP
3. Use only TLS 1.2
4. Disable Directory Listing
5. Disable Null and Weak Ciphers
6. Always upgrade to the latest stable version of Apache.
https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/
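An added example, not part of the lecture or the linked article, that turns practices 1 to 5 above into checks run over an httpd.conf fragment; both fragments are constructed, and the 10.0.0.0/24 network is an assumed value.

```python
import re
# Constructed httpd.conf fragment that violates every practice in the list above.
WEAK_HTTPD_CONF = """
TraceEnable On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
"""
# Constructed hardened fragment; the 10.0.0.0/24 network is an assumed value.
HARDENED_HTTPD_CONF = """
TraceEnable Off
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    Require ip 10.0.0.0/24
</Directory>
"""

def directive(conf, name):
    """Return the last value given for a directive anywhere in conf, or None."""
    hits = re.findall(r"^\s*%s\s+(.+?)\s*$" % name, conf, re.M | re.I)
    return hits[-1] if hits else None

def audit_httpd_conf(conf):
    """List the practices (1-5 above) the fragment fails; [] means all pass."""
    findings = []
    # 1. TraceEnable defaults to On; TRACE echoes request headers back to the client.
    if (directive(conf, "TraceEnable") or "On").lower() != "off":
        findings.append("TRACE method enabled")
    # 3. Only the explicit forms "TLSv1.2" or "-all +TLSv1.2" count as TLS 1.2 only.
    tokens = (directive(conf, "SSLProtocol") or "all").lower().split()
    if [t.lstrip("+") for t in tokens if not t.startswith("-")] != ["tlsv1.2"]:
        findings.append("TLS versions other than 1.2 allowed")
    # 5. Each null/weak cipher family must be explicitly excluded with "!".
    ciphers = (directive(conf, "SSLCipherSuite") or "DEFAULT").lower()
    for weak in ("anull", "enull", "export", "rc4", "des", "md5"):
        if "!" + weak not in ciphers:
            findings.append("%s ciphers not excluded" % weak.upper())
    # 4. "Options Indexes" (or "+Indexes") lists directories that have no index file.
    opts = directive(conf, "Options") or ""
    if re.search(r"(^|\s)\+?Indexes\b", opts):
        findings.append("directory listing enabled")
    # 2. Without a "Require ip" rule, any client address may reach the content.
    if not re.search(r"^\s*Require\s+ip\s", conf, re.M | re.I):
        findings.append("access not restricted to a network")
    return findings
```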
Apache Pros and Cons
Pros:
• Open-source and free, even for commercial use.
• Reliable, stable software.
• Frequently updated security patches.
• Flexible due to its module-based structure.
• Easy to configure, beginner-friendly.
• Cross-platform (works on both Unix and Windows servers).
• Optimal deliverability for static files and compatibility with any programming language (PHP, Python, etc.).
• Works out of the box with WordPress sites.
• Huge community and easily available support in case of any problem.
Cons:
• Performance problems on extremely traffic-heavy websites.
IIS Vs Apache
Accessing Web Servers
• www.microsoft.com/msdownload/ntoptionpack/askwiz.asp
• www.w3.org/Protocols
• www.apache.org
• httpd.apache.org
• httpd.apache.org/docs-2.0
• www.apacheweek.com
• linuxtoday.com/stories/18780.html
• www.iisanswers.com
• www.iisadministrator.com