Web server and application server configurations play a key role in the security of a web application.
o Make sure the web server and operating system are ALWAYS up to date with patches
o Turn off all unused ports and services
o Harden your servers
o Use scanning tools
o Perform penetration testing periodically
o Make sure there are no improperly shared drives / data
o Do not allow weak passwords
o Eliminate rogue devices.
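A concrete check for the "turn off all unused ports and services" item is to compare what a host is actually listening on against an allowlist of what it should be listening on. The following is an added example, not code from the original text; it assumes `ss -tlnp`-style output (the sample below is constructed, not captured from a real host) and a hypothetical per-host allowlist that also records whether a service must be bound to loopback only.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -tlnp` output for illustration only.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=812,fd=6))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=640,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=410,fd=3))
LISTEN 0      50     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=977,fd=4))
LISTEN 0      128    [::]:6379           [::]:*            users:(("redis-server",pid=1203,fd=6))
"""

# Hypothetical allowlist for this host: port -> expected bind scope.
# "any"   = may listen on all interfaces
# "local" = must be bound to a loopback address only
ALLOWED_PORTS: Dict[int, str] = {80: "any", 443: "any", 22: "any", 5432: "local"}

_PROC_RE = re.compile(r'\("([^"]+)"')   # pulls the process name out of users:(("name",pid=..))
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (local address, port, process name) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, port = fields[3].rsplit(":", 1)   # handles "0.0.0.0:80" and "[::]:6379"
        match = _PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def audit_listeners(ss_output: str, allowed: Dict[int, str] = ALLOWED_PORTS) -> List[Tuple[int, str, str, str]]:
    """Report every listener that is not in the allowlist, or that is exposed
    on all interfaces when the allowlist says it should be loopback-only."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        scope = allowed.get(port)
        if scope is None:
            findings.append((port, proc, addr, "port not in allowlist"))
        elif scope == "local" and not addr.startswith(LOOPBACK_PREFIXES):
            findings.append((port, proc, addr, "expected loopback-only bind"))
    return findings


if __name__ == "__main__":
    for port, proc, addr, reason in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{addr}:{port} ({proc}): {reason}")
```

On the sample above this flags the FTP daemon on port 21 and Redis on port 6379 as services the allowlist does not cover; run against real `ss -tlnp` output (for example from a cron job) it gives a repeatable list of services to shut down or justify.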
An indirect way that a malicious user can compromise your application is by making it unavailable. The malicious user can keep the application too busy to service other users, or can simply cause the application to crash. Follow these guidelines:
o Use error handling so that unexpected input produces a controlled error rather than a crash
o Configure IIS to use process throttling, which prevents an application from using up a disproportionate amount of CPU time.
o Test size limits of user input before using or storing it.
o Put size safeguards on database queries. For example, before you display query results in a web page, be sure that the number of records is not unreasonable.
o Put a size limit on file uploads, if those are part of your application. Check the content-type of uploaded files.
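The three input-size safeguards above (bounding user input before use, capping query results, and limiting and type-checking uploads) are shown together in the following added example; it is not code from the original text. It is framework-agnostic Python with an in-memory SQLite table as constructed test data, and the limits (`MAX_FIELD_BYTES`, `MAX_ROWS`, `MAX_UPLOAD_BYTES`) are hypothetical values to tune per application. It also goes one step beyond the text on the content-type check: because the Content-Type header is supplied by the client, the declared type is confirmed against the file's own leading bytes.

```python
import io
import sqlite3
from typing import Any, BinaryIO, List, Tuple, Union

# Hypothetical limits for this example; tune per application.
MAX_FIELD_BYTES = 256
MAX_ROWS = 100
MAX_UPLOAD_BYTES = 1_000_000

# Upload types this example accepts, with the leading bytes each one must start with.
ALLOWED_UPLOAD_TYPES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}


class RequestRejected(ValueError):
    """Raised when a request trips a safeguard; map it to a 4xx response."""


def check_field(value: str, max_bytes: int = MAX_FIELD_BYTES) -> str:
    """Enforce the size limit before the value is used or stored."""
    if len(value.encode("utf-8")) > max_bytes:
        raise RequestRejected(f"field exceeds {max_bytes} bytes")
    return value


def fetch_bounded(conn: sqlite3.Connection, sql: str, params: tuple = (),
                  max_rows: int = MAX_ROWS) -> Tuple[List[Any], bool]:
    """Run a developer-written SELECT (never user-assembled SQL) with a hard row cap.
    Asks for one row more than the cap so the caller can distinguish "exactly
    max_rows" from "more than max_rows" and show a 'results truncated' notice."""
    cur = conn.execute(f"{sql} LIMIT ?", (*params, max_rows + 1))
    rows = cur.fetchmany(max_rows + 1)
    return rows[:max_rows], len(rows) > max_rows


def read_bounded(stream: BinaryIO, max_bytes: int = MAX_UPLOAD_BYTES,
                 chunk: int = 64 * 1024) -> bytes:
    """Read an upload in chunks and stop as soon as it exceeds the limit,
    so an oversized body is never fully buffered in memory."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf.extend(piece)
        if len(buf) > max_bytes:
            raise RequestRejected(f"upload exceeds {max_bytes} bytes")


def validate_upload(declared_type: str, data: bytes, allowed=ALLOWED_UPLOAD_TYPES) -> str:
    """Check the declared Content-Type against the allowlist, then against the
    file's own leading bytes, because the header is set by the client."""
    if declared_type not in allowed:
        raise RequestRejected(f"content-type {declared_type!r} not allowed")
    if not data.startswith(allowed[declared_type]):
        raise RequestRejected("file contents do not match declared content-type")
    return declared_type


def handle_upload(declared_type: str, body: Union[bytes, BinaryIO]) -> Tuple[str, int]:
    """Size cap is enforced while reading; the type check runs only on bounded data."""
    stream = io.BytesIO(body) if isinstance(body, (bytes, bytearray)) else body
    data = read_bounded(stream)
    return validate_upload(declared_type, data), len(data)


def make_demo_db(n_rows: int) -> sqlite3.Connection:
    """Constructed in-memory table used only to exercise fetch_bounded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)")
    conn.executemany("INSERT INTO orders (customer) VALUES (?)",
                     [(f"cust{i}",) for i in range(n_rows)])
    return conn


if __name__ == "__main__":
    conn = make_demo_db(150)
    rows, truncated = fetch_bounded(conn, "SELECT id, customer FROM orders WHERE customer LIKE ?", ("cust%",))
    print(len(rows), truncated)   # 100 True
    print(handle_upload("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 100))
    try:
        handle_upload("image/png", b"MZ" + b"\x00" * 10)   # executable bytes declared as PNG
    except RequestRejected as err:
        print("rejected:", err)
```

The order in `handle_upload` is the point to keep: the byte cap is applied while the body is still being read, so a client cannot make the server buffer an unbounded upload before any other check runs, and the content-type check then operates on data that is already known to be within limits.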