Security Recommendations

EzeScan WebApps is an application that runs on the Windows IIS Web Server.

It is typically deployed onto a Microsoft Windows Operating System running on server hardware that is either 'on premise' at your office, 'hosted' in a local data centre, or 'cloud hosted' in Amazon or Azure.

Irrespective of where the IIS Web Server is installed, it is always the customer's responsibility to ensure that the IIS Web Server has its built-in security features enabled and configured correctly.

While IIS is a proven web server that offers many layers of security, there are often things that are overlooked which can result in serious security issues.

We recommend the following:

  1. Keep the Windows Operating System and IIS Web Server up to date with Windows updates.
  2. Disable unnecessary services by removing or disabling any IIS features that are not required, such as FTP.
  3. Configure IIS to use HTTPS.
  4. Use strong passwords.
  5. Run the application pool as an isolated user that only has write access to the directories where files will be written.
    1. Leaving the application pool running as "ApplicationPoolIdentity" and then granting write access on the app_data folder to "IIS AppPool\AppPoolName" is the recommended method.
      1. You may have other limitations or requirements that mean you need to run the application pool under a standard user account. If this is the case, ensure this account is heavily locked down.
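The following PowerShell script is an added worked example of recommendations 2, 3 and 5; it is not part of the EzeScan WebApps documentation or installer. It assumes the IIS WebAdministration module is available, and uses placeholder names for the site, application pool and site root that you would replace with your own.

```powershell
# Added example, not EzeScan code. Run in an elevated PowerShell on the IIS server.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$PoolName    = 'EzeScanWebApps'                 # placeholder application pool name
$SiteName    = 'EzeScanWebApps'                 # placeholder IIS site name
$SiteRoot    = 'C:\inetpub\EzeScanWebApps'      # placeholder site root
$AppData     = Join-Path $SiteRoot 'App_Data'   # the only folder that needs write access
$PoolAccount = "IIS AppPool\$PoolName"          # virtual account IIS creates for the pool

# 5. Run the pool under its own virtual account rather than a shared or privileged one.
#    identityType 4 = ApplicationPoolIdentity (0 LocalSystem, 1 LocalService, 2 NetworkService, 3 SpecificUser).
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value 4

# 5.1 Grant Modify on App_Data only, inherited by its files and subfolders.
$acl  = Get-Acl -Path $AppData
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $PoolAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppData -AclObject $acl

# 3. Require TLS for the whole site: sslFlags=Ssl makes IIS reject plain HTTP requests.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Verify least privilege: warn about any folder in the site (root included) outside
# App_Data where the pool account holds a Write right. A hit means web.config or
# binaries could be modified by the web process.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$dirs = @(Get-Item -Path $SiteRoot) + @(Get-ChildItem -Path $SiteRoot -Directory -Recurse)
foreach ($dir in $dirs) {
    if ($dir.FullName -like "$AppData*") { continue }
    $writable = (Get-Acl -Path $dir.FullName).Access | Where-Object {
        $_.IdentityReference -eq $PoolAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeMask)
    }
    if ($writable) { Write-Warning "Pool account can write outside App_Data: $($dir.FullName)" }
}

# 2. Confirm the FTP role service is not installed (requires the ServerManager module).
if ((Get-WindowsFeature -Name Web-Ftp-Server).Installed) {
    Write-Warning 'Web-Ftp-Server is installed; remove it with Uninstall-WindowsFeature Web-Ftp-Server if unused.'
}
```

Run the verification part again after any deployment or upgrade, since installers and manual fixes commonly widen folder permissions.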

The customer's IT Security team is responsible for ensuring that the IIS Web Server is properly configured to detect, manage and stop any attempts to compromise the data security of the IIS Web Server and the underlying Microsoft Windows Operating System.