Server WTP Overview

What Is Server WTP?

If your websites and applications have vulnerabilities, attackers can exploit them to obtain permissions, tamper with web pages or put hidden links on websites to spread malicious information. This may lead to information leak, website interruption, economic loss, bad brand image, and even lawsuits.

Web Tamper Protection (WTP) uses technologies to prevent tampering and protect website integrity.

The server WTP of HSS can detect and prevent tampering of files in specified directories, including web pages, documents, and images, and quickly restore them using valid backup files.

Server WTP Principles

Server WTP supports static and dynamic web page protection. How WTP works shows the protection mechanism.

**Table 1** How WTP works
Protection Type	Mechanism
Static web page protection	Linux Real-time monitoring WTP monitors the files in web directories in real time and identifies unauthorized modifications. Proactive backup and restoration In blocking mode, if WTP detects that a file in the protection directory is tampered with, it immediately uses the backup file on the local host to restore the file. Remote backup and restoration After a remote backup server is configured, if a file in a protected directory is changed, HSS will back up the updated file. If the file and backup directory on the local server become invalid, you can log in to the remote backup server, obtain backup files, and manually restore the tampered websites. You can view backup paths on the Manage Remote Backup Server page. For details, see Modifying a Remote Backup Server. Windows WTP locks files in a web file directory in a drive to prevent attackers from modifying them. Website administrators can update the website content by using privileged processes.
Dynamic web page protection	The Huawei-proprietary RASP can detect application program behaviors, prevent attackers from tampering with web pages through application programs, and provide self-protection in Tomcat application runtime.

Server WTP Application Scenarios

Websites that are directly deployed on servers can be protected, including but are not limited to:

Government institution websites, where important policy information, laws, and regulations are released.
Educational institution websites, where training information, courses, and other services are released.
Traditional enterprise websites, where the company background, culture, milestones, and core values are displayed.

Constraints

Server WTP is available only in the HSS WTP edition. For details about how to purchase HSS and enable the WTP edition, see Purchasing an HSS Quota and Enabling Web Tamper Protection.
Currently, dynamic WTP can only protect Tomcat applications using JDK 8, JDK 11, and JDK 17.
After Server WTP is enabled, you can add privileged processes to modify web page files. The privileged process function is compatible with Linux and Windows. However, Linux only supports kernel versions 5.10 or later.

Server WTP Usage Process

Figure 1 Usage process
Click to enlarge

**Table 2** Process of using server WTP
Operation	Description
Enabling Server WTP	Enable the Server WTP to enjoy the web tamper protection provided by HSS. For details, see Features. When enabling Server WTP, select servers and configure protection policies (including protected directories, scheduled protection, privileged processes, and dynamic WTP).
(Optional) Configuring Remote Backup	By default, for Linux servers, HSS backs up the files in the protected directories to the local backup paths you specified. For stronger security, you can configure remote backup, so that your data can still be restored even if the local backup is damaged.
Viewing Server WTP Events	Tamper events that occur during web tamper protection are recorded and displayed in the event list.

Related Operations

After Server WTP is enabled, files and folders in the protected directory will be set to read-only and cannot be modified. To update a web page, you can:

Configure privileged processes
You can configure privileged processes to modify files in protected directories. For details, see Modifying Server WTP Configuration.
Configure scheduled protection
You can configure an unprotected period. In this period, static web page protection is automatically disabled and you can update web pages. For details, see Modifying Server WTP Configuration.
Manually enable or disable protection on directories
You can disable protection for protected directories, update web pages, and enable protection again. For details, see Manually Enabling or Disabling Directory Protection.