Web server hardening: How should web servers be configured regarding unauthorized access?

Introduction / Context:
Security best practices for web servers include minimizing attack surface, enforcing least privilege, and controlling access. Proper configuration reduces the risk of data breaches and service disruption.

Given Data / Assumptions:

• Servers are exposed to untrusted networks.
• Authentication and authorization are required for protected resources.
• Defense-in-depth practices are applied.

Concept / Approach:
Restrict unauthorized access using authentication, authorization, network ACLs, firewalls, TLS, and secure defaults. While making unauthorized access “impossible” is unrealistic, strong restrictions measurably reduce risk.

Step-by-Step Solution:

Verification / Alternative check:
Compliance frameworks (for example, CIS Benchmarks) recommend explicit access controls and secure defaults.

Why Other Options Are Wrong:

• Unrestricted access contradicts security fundamentals.
• “Impossible” security is unattainable; risk can be reduced, not eliminated.
• Allowing or ignoring unauthorized access is negligent.

Common Pitfalls:
Relying solely on client-side controls; misconfigurations that leave admin endpoints exposed.

Final Answer:
Unauthorized access is restricted through configuration and controls.