OK, so I totally geeked out with my recommendations on how to better secure your webmaster computing environment. As a result, I had too much material for one post and thus had to split it up into two pieces. Let’s wrap up this long series of posts on malware by finishing up with the last of the security recommendations.
In Part 1 of this series on malware, we discussed how to detect a malware infection on your website using tools like Bing’s Webmaster Center. The Part 2 post covered the resources and strategies for identifying the types and locations of malware code that typically affect websites with advice on how to remove it. The Part 3 post began the run-down through 10 recommendations (well, the first 5, anyway!) on how to better secure your workstation and web server computers to prevent the malware from coming back. Today’s post, Part 4, finishes the list, and then includes information on what steps you can take to get that pesky malware warning message removed from your recently cleaned site in the Bing index.
Recommendations continued
Getting rid of malware is only part of the battle. Hardening your security practices to keep it away is just as important. Let’s continue the list of recommended security strategies started in the previous post.
6. Run Microsoft Update
I am presuming with this recommendation that you are running a modern Microsoft Windows operating system. Regularly run Microsoft Update on every Windows-based computer you use to touch your website. When you do so, I recommend that you click Custom to see the total list of available updates for your computer rather than seeing only the High Priority updates. Always keep current with the latest High Priority updates and strongly consider applying other updates as well.
Note that the second Tuesday of every month is commonly referred to as “Patch Tuesday” for Microsoft Update, and time should be set aside on those dates to make sure all Windows-based systems in your web server infrastructure get the necessary security updates. Occasionally Microsoft, when necessary, also provides high-priority security updates ahead of this schedule, so it pays to stay on top of these releases as they occur. Signing up to receive Microsoft Technical Security Notifications can help!
7. Update non-Microsoft applications, too
Applications that touch the Internet are at least as vulnerable to security holes as are web browsers and operating systems. Some major software manufacturers are beginning to build into their applications an online update system analogous to Microsoft Update. But not all have this feature yet, and not all that do perform the update automatically. It’s a really good idea to scan for and plug the often nasty security holes in the applications on your workstation through a software updating tool. I like the Secunia Software Inspector tool (check the licensing requirements for commercial use, but it’s free for many users), but there are many other choices out there. Be sure that the web applications you use are checked in that process. The bottom line is you need to regularly check for and install any software updates on all of the computers associated with your website.
Keep in mind that software manufacturers regularly release updates for their products when they discover faulty features and security holes. The hacker community makes a point of studying those patches to learn what exploits the updates fix. If you don’t stay current with software updates, your computer may become vulnerable to reverse-engineered exploits.
8. Improve your wireless security
Many computers these days, especially laptops, are connected to the Internet only by wireless connections. If you work in a big organization with a security-conscious IT shop, you’re probably fine (while you’re at work, anyway). But many small shops and even more home users install their new Wi-Fi routers using default settings across the board. Hackers have developed such efficient wireless security cracking tools over the past decade that paranoia is no longer considered irrational or delusional behavior among IT security folks. (But if tin foil hats come out, all bets are off.)
There are several things you can do to improve the security of your wireless network router. Dig up the user’s manual for that old router and learn how to do all of the following:
Note that none of these changes by themselves will sufficiently upgrade your wireless security, but the aggregate value of implementing them all will make your wireless network much more difficult to crack. And unless you are dealing with extremely determined hackers with an abundance of both technical resources and time to focus on cracking your specific, secured network, they will almost always move on to another of the ubiquitous, softer targets in the wifisphere.
9. Protect your website’s configuration files
Ensure that the sensitive configuration files of your web server and your web applications aren't accessible to unauthorized, external users. Place them in directories that are not served to the public and then disable directory browsing on your web server. Refer to your web server documentation for specific instructions on how to do this. I also recommend researching additional methods of securing your web server, such as IIS or Apache, from attack.
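One way to check for the two problems described above, as an added example that is not from the original post: the script walks a web root, reports configuration-like files stored inside it, and lists directories with no index document, which would show their contents if directory browsing were left on. The file patterns, index names and sample tree are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed patterns for files that should live outside any served directory.
SENSITIVE_PATTERNS = ["*.ini", "*.conf", "*.bak", "*.old", "*.sql", ".env"]
# Assumed default-document names; match these to your web server's settings.
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm", "default.aspx"}

def audit_web_root(web_root):
    """Return (sensitive_files, listable_dirs) as sorted paths relative to web_root."""
    sensitive, listable = [], []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        names = {name.lower() for name in filenames}
        # No index document: the server would list this directory if browsing is on.
        if not names & INDEX_NAMES:
            listable.append(rel_dir)
        for name in filenames:
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in SENSITIVE_PATTERNS):
                sensitive.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(sensitive), sorted(listable)

def build_sample_site(base):
    """Create a constructed sample tree under base and return its web root."""
    files = {
        "public/index.html": "<h1>home</h1>",
        "public/uploads/photo.jpg": "",
        "public/app/index.php": "",
        "public/app/settings.ini": "db_password=example",  # misplaced config file
        "public/app/db.php.bak": "",                       # editor backup copy
        "private/settings.ini": "db_password=example",     # outside the web root
    }
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(body)
    return os.path.join(base, "public")

def run_demo():
    with tempfile.TemporaryDirectory() as base:
        return audit_web_root(build_sample_site(base))

if __name__ == "__main__":
    sensitive_files, listable_dirs = run_demo()
    print("Config-like files inside the web root:", sensitive_files)
    print("Directories without an index document:", listable_dirs)
```

Run it against a copy of your own web root by calling audit_web_root with that path; anything it reports belongs in a directory the server does not publish.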
10. Perform data validation on user input
If your website accepts user input, ensure it is validated before processing it or displaying it back to the user. For example, if you have a login form that accepts user names and passwords that are checked against a database, ensure that the input is scrubbed of any unexpected or invalid characters that might allow malicious manipulation of the database. Also, if user input is accepted and displayed (such as on forums), ensure users aren't able to modify the source code of the webpage, such as by adding script or <iframe> HTML code.
Also be sure that input from backend systems is validated. This protects the users of your website, even if attackers "only" managed to break into a backend system, like your database. For more information on similar, related website attacks, look into the topic of cross-site scripting (XSS).
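The login and forum cases above, as an added example that is not from the original post: the user name is checked against an allowlist, the database query binds its values as parameters, and stored forum content is encoded when displayed so that markup coming from the backend stays inert. The table layout, the user name policy and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import os
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")  # assumed user name policy

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed in-memory database with one user and one stored forum post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    db.execute("CREATE TABLE posts (author TEXT, body TEXT)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    # Stands in for content that reached the backend without passing the web form.
    db.execute("INSERT INTO posts VALUES (?, ?)",
               ("alice", '<iframe src="http://example.invalid/"></iframe>hi'))
    return db

def check_login(db, username, password):
    # 1. Reject anything outside the expected character set and length.
    if not USERNAME_RE.fullmatch(username):
        return False
    # 2. Bind values as parameters; input is never spliced into the SQL text.
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

def render_posts(db):
    # Encode on output, so stored data is shown as text and not run as markup.
    rows = db.execute("SELECT author, body FROM posts").fetchall()
    return "\n".join(f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"
                     for author, body in rows)

if __name__ == "__main__":
    db = make_db()
    print(check_login(db, "alice", "correct horse"))  # valid credentials
    print(check_login(db, "alice'x", "anything"))     # fails the allowlist
    print(render_posts(db))
```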
Bonus tip: Back up your clean web content
Once you’ve ensured your site’s content and source code are clean, back them up! Disaster recovery is not just about fires, floods, and earthquakes. A sudden, major malware infection ranks right up there in terms of potential business outages, so protect your work, your site, your business, and your customers who depend on you with proper, functional backups of clean code.
Even more information on securing servers
To be ultra secure, you might simply consider flattening and rebuilding the server from scratch. But don’t simply rebuild it to the way it was – remember, it was hacked in that state! Put in place all of the hardening steps mentioned earlier, as well as triple-checking all of your permissions settings, before putting the server back in service online. For more information on dealing with hacked servers, check out What to Do If Your Website Has Been Hacked by Phishers.
Request removal of the Bing malware warning
Once you’ve resolved your malware infection, closed the security vulnerabilities that allowed your computer to be successfully attacked, and uploaded your cleaned-up source code to your web server, you’ve got one more job to do. It’s time to request that Bing re-evaluate your website for malware. Here’s how:
When you follow this procedure, Bing will rescan your website to check that the malware has been removed. If that is confirmed, your content can then be reincluded in normal search results. Once done, keep monitoring your site’s malware status in the Crawl Issues tool of Bing’s Webmaster Center, just to be sure you stay on top of any new issues.
If you have any questions or comments about malware, please feel free to post them in our General Questions forum. For regular SEM and SEO questions and suggestions, please go to our SEM forum. See you again soon…
-- Rick DeJarnette, Bing Webmaster Center
I just installed Microsoft Security Essentials: great stuff!
Hi,
Thanks for the info.
http://www.websitebuttons.net
thanks for such a good article.
regards..
Pushpendra
scholarsresearchlibrary.com
thanks bing
thanks a lot it's very helpful
very
Very Best..........useful stuff ......... i used it.
Thanks
http://www.sudhanshu.com
Thanks - useful info. Another recommendation is to check the forums of any applications you have installed (e.g., ecommerce packages) for threads about security - I use osCommerce and there are a lot of recommendations for security tweaks that don't come as standard in the package, and I've seen a couple of (unsuccessful) hack attempts on my store based around known flaws.
Thanks for the great and useful information, I just installed Microsoft Security Essentials.
Thanks, but I think that Security Essentials is not strong compared with other security programs.
I hope it will be strong enough in the future so we can trust it.
--------------------------------------------------
http://www.arab-max.com/vb