Simple Ways to Secure Legacy Web Servers and Applications
Whether we like to admit it or not, there are tons of insecure servers out there. Most companies will migrate their applications and data off aging servers, but a fair number of clients do not.
For those firms running insecure, outdated operating systems like Windows Server 2003 and Windows Server 2008, Microsoft ended support for these servers (July 14, 2015 & Jan. 14, 2020) and will no longer supply security fixes.
If you choose to keep running on a server that is outdated and no longer receiving security updates, you’ll want to take steps to reduce your server’s vulnerability.
Securing on-premise legacy servers
If you aren't in the cloud, one way to secure an on-premise legacy server is to setup a reverse proxy in front of it. You can quickly spin up a linux machine in the cloud or on-premise, install NGINX, Let's Encrypt, and point it to your old servers to provide an extra layer of protection for those older applications.
To see how to apply this same technique using IIS, see our article on setting up a reverse proxy server using IIS.
You can securely connect using an old server like Windows Server 2003, but you have to use something other than SSL. One approach is to install an SSH server on the legacy machine, lock down the server by IP address, and have your NGINX proxy connect to it using an SSH tunnel (AutoSSH is your friend).
While this adds a bit more complexity to your setup, it's a very durable solution. SSH powers a ton of the internet and has been rock solid when it comes to connecting to servers securely.
By adding a newer, more modern server in front of your old server, you apply a layer of protection, which buys more time to fix the root of the underlying issues.
What if you can't take a system offline to upgrade?
Securing servers in the cloud can be done in a few simple steps. If you're running on any of the major cloud providers, the easiest way to implement some form of protection is through API gateway services. This makes it super simple to add a layer of security between you and your legacy systems.
All major cloud providers offer ways to link on-premise servers to their cloud through any number of secure mechanisms (VPN, SSH, private peering, etc).
Once your network is connected, configure your virtual network to help isolate the legacy server behind the API gateway. Then, configure the API gateway to handle all incoming request for your application and it will pass those on to the legacy server. It doesn't get any easier than that - but if you have questions, feel free to reach out to us at Tevpro by email.
Run archaic websites or applications at your own risk!
Companies running internet facing websites or applications are also more vulnerable to attacks and security breaches.
"We often get calls from clients running IIS 6 who get concerned when they see the infamous "Not Secure" in the address bar because any modern web browser since TLS 1.0 & TLS 1.1 is no longer supported."
For an outdated website or application, we usually rely on a reverse proxy server. This allows you to put a lightweight layer of protection in front of your insecure application. It ensures you still have proper SSL termination to your clients. Although this method is not bullet proof, it can mitigate pressing issues while you work on a long term solution to improve security.
Any of the methods we suggest are simply a band-aid to the real problem. You shouldn't plan to keep hardware or software around for the long term if it's no longer supported or receiving updates from the vendor. However, using these simple methods will buy you time until you're able to upgrade or decommission your old legacy server.
We've helped many clients secure their legacy systems. If you have questions or need help comparing, for example, on-premise servers vs cloud servers, we specialize in cloud and custom software solutions. Feel free to reach out to us on Twitter or via email with any questions.
If you like our content and want more tutorials, sign up for our monthly newsletter below.
Photo by chris panas