Enabling Web Tamper Protection

Scenarios

The HSS web tamper protection (WTP) edition can protect dynamic and static web pages from being tampered with, enhancing the security and integrity of website content. It also includes the server protection capabilities of the premium edition, such as asset management, vulnerability detection, baseline check, intrusion detection, and ransomware protection, to detect attacks on servers.

This section describes how to enable WTP.

Prerequisites

Ensure that the agent has been installed on the server and is online. For details, see Installing the Agent on Cloud Platform Servers.

Constraints

Before you enable protection for a Windows server, enable the Windows firewall to block the source IP addresses of brute-force attacks. If the Windows firewall is not enabled, HSS only generates alarms for detected brute-force attacks, but does not block them.

After the Windows firewall is enabled, HSS automatically adds firewall rules hostguard_AllowAnyIn and hostguard_AllowAnyOut to allow all inbound and outbound traffic. This ensures that the firewall does not affect your services. If HSS detects a brute-force attack, it adds an inbound rule to the firewall to block the attack source IP address. This does not affect your servers.

Do not disable the Windows firewall when using HSS, or HSS cannot block the source IP addresses of brute-force attacks. Once it is disabled, HSS may fail to block the attack source IP addresses even after you manually enable it again.

Enabling Web Tamper Protection

Log in to the management console.
Click in the upper left corner and select a region or project.
In the upper left corner of the page, click and choose Security > Host Security Service.
In the navigation pane, choose Server Protection > Web Tamper Protection. On the Web Tamper Protection page, click Add Server.
On the Add Server page, click the Available Servers tab. Select the target server, and click Add and Enable Protection.
You can check the server protection status on the Web Tamper Protection page.
- Choose Server Protection > Web Tamper Protection. If the Protection Status of the server is Protected, WTP has been enabled.
- After WTP is enabled for a website, if you need to update the website, add a privileged process or temporarily disable WTP. Enable WTP after the update is complete. Otherwise, the website will fail to be updated. Your website is not protected while WTP is disabled. Enable it immediately after updating your website.

Advanced Defense Functions

HSS provides a series of advanced defense functions. You can enable or use them as required to enhance the security protection level of your servers. For details, see Table 2.

**Table 1** Advanced defense functions
Function	Description
Application Protection	To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.
Ransomware Prevention	The function can detect and defend against ransomware. It can automatically back up data either at a scheduled time, or immediately if ransomware is detected. This can help you defend against ransomware and reduce loss. Ransomware prevention is automatically enabled with the container edition. HSS will deploy honeypot files on servers and automatically isolate suspicious encryption processes. You can modify the ransomware protection policy.
Application Process Control	Application process control helps to enhance the security of applications and processes running on servers. It can automatically identify and analyze application processes, and classify them into trusted, suspicious, and malicious processes. It allows trusted processes to run, and generates alarms for suspicious and malicious processes. This helps to build a secure environment for application processes, and protects servers from untrusted or malicious application processes.
Virus Scanning and Removal	This function combines cloud-based and local antivirus mechanisms to scan executable files, compressed files, scripts, documents, images, and audiovisual files for viruses. You can perform quick scan, full-disk scan, and custom scans on servers as needed to detect and remove virus files in a timely manner, enhancing the virus defense of the system.
Dynamic Port Honeypot	The dynamic port honeypot function is a proactive defense measure. It uses a real port as a honeypot port to induce attackers to access the network. In the horizontal penetration scenario, the function can effectively detect attackers' scanning, identify faulty servers, and protect real resources of the user.