It is far from a dispute that the internet has brought the world closer than ever before. Quite like the Big Bang, the internet too has altered life today. However, what is also not far from dispute is that it has made us vulnerable more than ever and that too in the most precarious ways we can fathom. While as we progress towards becoming more digital and automating our day-to-day living, and our businesses and the farther we walk down the ‘online’ route, it is only safe to say that virtual security is important now more than ever. In that pursuit, in this blog, we will delve down the lane of securing and hardening a server environment.
What do you mean by securing and hardening the server environment?
Hardening and securing the server is the procedure of enhancing the security of the server using a variety of means to create a secure operating environment. Most operating systems are built with a default configuration which is generally not designed keeping security in mind, rather they are more focussed on communication, functionality, and usability of the operating system. Server Security hardening will ensure that the website continues to work on optimal levels of security, that is protecting the sensitive information robustly passing across the circuit of the server.
How can we secure and harden the server environment?
To start with hardening your server environment following are some of the most generic best-proven practices for improving the security of the server that must be implemented –
- Creating a secured password using a combination of upper keys, lower keys, numbers, and characters.
- Using Secure Shell (SSH) Port which is an access credential for automated processes like single sign-on by system administrators.
- Setting a required password strength which ensures robust password setup at all times.
- Changing the SSH port.
- Using alternate SSH Users
While these are some general security measures, some more server-specific measures that will prevent any malicious attacks in the future are mentioned below.
The complete checklist for securing and hardening your server environment in 2023.
As technologies continue to push the boundaries of the unfathomable, emphasizing cyber security through the maintenance and upgradation of security systems is crucial more than ever. This os hardening checklist will help your entity accelerate your server environment’s security.
Managing Server Access
- Physical server security
- Only allow trusted personnel
- Aware, inform and train the staff
- Manage access to your servers and critical infrastructure
- Restrict critical application and system files for admins solely
- Reduce physical access to sensitive items, e.g. routers, switches, servers, hubs, etc.
Minimizing External Footprint
- Install on an intranet
- Firewall Installation/Configuration
- Examine Options for External User Access, including:
- Require VPN and Reverse Proxy for external network connections
- Further blocks direct access to sensitive servers
- Use IP Filtering
- Consider Hosting with IIS
- Restrict/Whitelist IP address ranges
- Client Certificate Authentication
- Other Authorization Rules
- Require VPN and Reverse Proxy for external network connections
- Consider a Hardware Firewall, etc.
Hardening the Network
- Establish an understanding of the network, components, and devices
- Minimize open network ports
- Manage and audit firewall and firewall rules
- Use Virtual LAN (VLAN) to isolate traffic to group subsets
- Shut down unused interfaces, switch ports, etc.
- Monitor and log all access attempts to network devices
Patching Vulnerabilities
- Keep Browsers & Plugins updated
- Update the OS & other applications
Minimizing Attack Surface
- Minimize unnecessary software on your servers
- Install on a Windows Server Core
- Remove unnecessary operating system components
- Unnecessary services should be disabled
- Component/Feature Management – Add what you need, remove what you don’t
Restricting Admin Access
- Limit membership to admin users/groups
- Create multiple admin accounts with lesser access
- Limit dedicated servers to admin responsibilities
Keeping the Inventory Updated
- Keep track of assets
- Manage components and devices added to the environment
- When new items are introduced
- State of the device
- Update the changes made to those devices
Being Vigilante
- Periodically review logs for suspicious activity
- Authentications
- User Access activity & changes
- Privilege Elevation & usage
- Maintain server logging, and monitor periodically
- Mirror logs to a separate log server
- Audits of the server – check for malware or hacks
Minimizing User Access Permissions
- Limit user account access to the least privilege needed
- Group user access/permissions by role
- Restrict sensitive information to trusted accounts only
- Manage security considerations of user directory accounts
- e.g. AD Account Security (external link)
- Elevated access should only be on an as-and-when-needed basis
- Delete unnecessary OS users
Establishing Communications
- Use the best data encryption Protocols & Cipher Suites for your Communications
- Disable insecure protocols
Securing Software Applications
- Use Security applications, such as anti-virus/anti-malware
- Choose reputable, well-known, well-tested
- Choose secure settings suggested by the software vendor
- Keep Security applications updated
- Use Stable versions with the latest security patches
- Remove unnecessary and insecure 3rd-party apps, especially those of low credibility
Using MFA & Single Sign-On
- Require Multi-Factor Authentication for sensitive user accounts, systems, or items
- Prefer Single Sign-On for applications, minimize the need to remember/type passwords
Preventing Data Loss
- Use regular VM snapshots, database/application/file backups
- Use Disaster Recovery (DR) and High-Availability (HA) safeguards
- Periodically review and practice Recovery steps
- Consider Data Loss Prevention (DLP) software
- Establish a periodic archive of your data to a remote site storage location
Further Hardening / Protecting Credentials
- Have users use very strong passwords or passphrases, especially for Administrative passwords
- Rotate credentials & keys
- passwords infrequently, do not reuse them
- private keys periodically, if possible
- Change regular account names from ‘admin’ or ‘guest’
- Lock accounts after too many login failures. These might be illegitimate attempts to gain access.
- Note: be careful with setting LDAP/AD directories lockout policies, as some configurations could become lockout-prone/problematic.
- Use auto-lock OS features
Backup Plans
- Maintain proper backups
- Use non-elevated account privileges where possible
Preventing Time Drift
- Keep server clock in-sync
Hardening Remote Sessions
- Secure and monitor SSH
- Change the port from the default
- Disable elevated privileges where possible
- Use non-elevated account privileges where possible
Using Recommended Security Configurations
- Review recommended Security Settings from trusted sources, e.g.:
- Windows Security Baseline
- Relevant security-related config options and tools
- CIS Benchmarks
- Best practices for securely configuring a system, guidance on CIS controls
- Highlights specific setting changes that map to compliance and regulatory frameworks:
- NIST Cybersecurity Framework (CSF), NIST SP 800-53, ISO 27000 standards, PCI DSS, HIPAA, etc.
- Highlights specific setting changes that map to compliance and regulatory frameworks:
- Best practices for securely configuring a system, guidance on CIS controls
- Establish a security baseline for your organization
- Windows Security Baseline
Prioritizing Vulnerabilities
- Identify the highest risks with the biggest impacts relevant to your critical assets
- Consolidate vulnerabilities and cyber risks into one list
- Use modern sophisticated scoring mechanisms, for example:
- CVSS (Common Vulnerability Scoring System)
- Severity Scanning
- OWASP Top 10
- Work together with department teams
- Consider using some tool automation