A university with a large public web application perimeter had a number of old web applications running on legacy Windows Server infrastructure. Updating the applications and upgrading the infrastructure was well underway, but the work had to be staged given technical and commercial limitations.
From a technical perspective Windows Server 2003 doesn’t support IIS 7.0, .NET 4.5 or TLS 1.1 whilst Windows Server 2008 doesn’t support IIS 8.0 or TLS 1.3.
From a commercial perspective, the cost of a mass application rewrite was prohibitive, whilst some vendors would not support software running on an infrastructure stack that didn’t match the one initially deployed.
All of these problems were addressable given time, but because of the security implications of running unsupported software and the rising number of observed breach attempts, time was something they did not have.
RedShield was engaged to see if this was a problem that we could address.
The proposed solution only required that inbound web browsing traffic be directed through RedShield reverse proxies. These could be either shared devices in the RedShield cloud or dedicated devices at a location of the university’s choosing.
In the solution:
- TLS stacks can be independent: the public-facing stack is continually hardened towards the access network, while a compatibility stack is implemented towards the server
- Server technology component fingerprinting would be removed
- Relevant CVEs addressed either by detecting and blocking attack traffic or by hardening and modifying application behaviour
- Weekly audits of the applied controls against all known reconnaissance and exploit techniques
- RedShield researchers maintain awareness of new and emerging issues with the component technologies
- RedShield to maintain 24/7 end-customer helpdesks
- Defence against evolving threats (DDoS, bots, malicious exploits, malicious actors and misuse) was also included
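As an added illustration of the two-stack arrangement in the list above, and not RedShield's own configuration, the following nginx reverse proxy terminates hardened TLS on the public side, speaks TLS 1.0 on the internal leg to a Windows Server 2003 host (which supports nothing newer), and strips the response headers that fingerprint IIS and ASP.NET. Hostnames, certificate paths and the backend address are placeholders.

```nginx
# Public-facing listener: hardened TLS, independent of what the backend supports.
server {
    listen 443 ssl;
    server_name legacy-app.example.edu;                  # placeholder hostname

    ssl_certificate     /etc/nginx/tls/legacy-app.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/legacy-app.key;
    ssl_protocols TLSv1.2 TLSv1.3;     # clients never see the backend's TLS 1.0 stack
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=31536000" always;

    server_tokens off;   # hides the nginx version; the header still reads "Server: nginx"

    location / {
        proxy_pass https://10.0.5.21;   # placeholder: the Windows Server 2003 / IIS 6 host

        # Compatibility stack towards the server: Server 2003 tops out at TLS 1.0,
        # so TLS 1.0 is permitted on this internal leg only.
        # On OpenSSL 3 builds append ":@SECLEVEL=0" to proxy_ssl_ciphers,
        # because the default security level rejects TLS 1.0.
        proxy_ssl_protocols TLSv1;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;  # placeholder internal CA
        proxy_ssl_verify on;
        proxy_ssl_server_name on;
        proxy_ssl_name legacy-app.internal.example.edu;   # placeholder name on the backend cert

        # Remove the headers that fingerprint the IIS and ASP.NET versions.
        proxy_hide_header Server;
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-AspNet-Version;
        proxy_hide_header X-AspNetMvc-Version;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Removing the `Server` header altogether requires a module such as headers-more; stock nginx only lets you suppress the version string.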
Continuing to publish applications that can’t be patched but that have current security issues, with 100% confidence that more will be released, was unacceptable. But to replatform everything just takes time. With RedShield we started with Server 2003 and now have Server 2008 secured. They brought us the time we needed.
Following a successful proof of concept, the university selected a dedicated node deployed within their datacentre.
Initially web apps running on Windows Server 2003 hosts were secured. Once in place, those on Windows Server 2008 hosts were addressed.
The secure application publishing was operationally managed by RedShield, with real-time portal reporting available and monthly management reports supplied.
During the process the security surrounding the applications steadily ratcheted upward. After the initial bow wave of hygiene hardening and known security flaw mitigation was complete, application-specific flaws discovered through both periodic scans and pen testing were addressed. As new relevant Common Vulnerabilities and Exposures (CVEs) were announced, the RedShield team responded with modified or new controls to address them.
In parallel, the university is continuing its modernization project and is progressively turning off Windows Server 2003 hosts; this will soon be complete, after which they will begin on the Windows Server 2008 hosts.
They can execute these migration projects without urgent security risks interfering with and changing their plan.