What is server hardening?

Articles, Infrastructure | 31 March, 2020

Server hardening is a set of disciplines and techniques which improve the security of an ‘off the shelf’ server. Server hardening is a requirement of security frameworks such as PCI-DSS and is typically included when organisations adopt ISO 27001.

Contents

  • 1 What is the attack surface
  • 2 Create configuration standards to ensure a consistent approach
  • 3 How separating server roles improves security
  • 4 How vulnerability scans can help server hardening
  • 5 Server hardening checklist

What is the attack surface

The aim of server hardening is to reduce the attack surface of the server. The attack surface is all the different points where an attacker can attempt to access or damage the server. This includes all network interfaces and all installed software. By removing software that is not needed and by configuring the remaining software to maximise security, the attack surface can be reduced. As a result, an attacker has fewer opportunities to compromise the server.

Create configuration standards to ensure a consistent approach

It is rarely a good idea to try to invent something new when attempting to solve a security or cryptography problem. Proven, established security standards are the best choice – and this applies to server hardening as well. Start with industry standard best practices:

The CIS Benchmarks are a comprehensive resource of documents covering many operating systems and applications.

OpenSCAP is a good starting point for Linux systems. It provides open source tools to identify and remediate security and compliance issues against the policies you define.

For Windows systems, Microsoft publishes security baselines and tools to check the compliance of systems against them.

These baselines are a good starting point, but remember they are a starting point and should be reviewed and amended according to the specific needs of your organisation and each server’s role.

How separating server roles improves security

The goal of server hardening is to remove all unnecessary components and access to the server in order to maximise its security. This is easiest when a server has a single job to do, such as being either a web server or a database server. A web server needs to be visible to the internet, whereas a database server needs to be more protected: it will often be visible only to the web servers or application servers and not directly connected to the internet.

If a single server hosts both a web server and a database there is clearly a conflict between the security requirements of the two different applications – this is described as having different security levels.

It is best practice not to mix application functions on the same server, thus avoiding differing security levels on the same server (this is a requirement under PCI-DSS 2.2.1).

Using virtual servers, it can be cost-effective to separate different applications into their own virtual machines. For larger networks with many virtual machines, further segregation can be applied by hosting all servers with similar security levels on the same host machines.

How vulnerability scans can help server hardening

Vulnerability scans will identify missing patches and misconfigurations which leave your server vulnerable. Ports that are left open or active subsystems that respond to network traffic will be identified in a vulnerability scan, allowing you to take corrective action. A vulnerability scan will also identify new servers when they appear on your network, allowing the security team to ensure the relevant configuration standards are followed in line with your Information Security Policy.

Server hardening checklist

This checklist provides a starting point as you create or review your server hardening policies.

Accounts and logins

Change default credentials and remove (or disable) default accounts – before connecting the server to the network (PCI requirement 2.1).

Disable guest accounts and vendor remote support accounts (vendor accounts can be enabled on demand when support is needed).

Components and subsystems

Turn off services that are not needed – this includes scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

On Windows systems, only activate the Roles and Features you need; on Linux systems, remove packages that are not required and disable daemons that are not needed.

Updates and vulnerabilities

Install security updates promptly – configure for automatic installation where possible.

Ensure applications as well as the operating system have updates installed.

Clocks and Timestamps

Accurate timekeeping is essential for security protocols like Kerberos to work. Active Directory domain controllers provide time synchronisation for members of the domain, but need an accurate time source for their own clocks. Configure NTP servers to ensure all servers (and other network devices) share the same time. It is much harder to investigate security or operational problems if the logs on each device are not synchronised to the same time.

Networks and firewalls

Only publish the open network ports that are required for the software and features active on the server. If the server has connections to several different subnets on the network, ensure the right ports are open on the correct network interfaces. For example, an administrative web portal may be published onto the internal network for support staff to use, but should not be published onto the public-facing network interface.

Configure perimeter and network firewalls to only permit expected traffic to flow to and from the server.
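One way to check the "right ports on the correct interfaces" point above is to compare the host's listening sockets against a per-port policy. This is an added example, not code from the original article: it parses constructed `ss -Hltn` style output, flags listeners that are not in the policy at all, and flags services that should only be reachable on the internal interface address (assumed here to be 10.0.0.5) but are bound to a wildcard or public address. The POLICY, addresses and sample output are all assumptions.

```python
# Assumed policy for this host: port -> set of interface addresses it may listen on,
# or "any" for a service that is meant to be published on every interface.
POLICY = {443: "any", 22: {"10.0.0.5"}, 8443: {"10.0.0.5"}}
WILDCARDS = {"0.0.0.0", "::", "*"}  # a listener bound here answers on every interface

def parse_ss_listeners(output):
    """Parse `ss -Hltn` style lines into (address, port) tuples."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # the Local Address:Port column
        listeners.append((addr.strip("[]"), int(port)))  # drop IPv6 brackets
    return listeners

def check_listeners(output, policy=POLICY):
    """Return findings for listeners not in the policy or bound more widely than allowed."""
    findings = []
    for addr, port in parse_ss_listeners(output):
        allowed = policy.get(port)
        if allowed is None:
            findings.append(f"port {port} on {addr}: not in policy, disable or document it")
        elif allowed != "any" and (addr in WILDCARDS or addr not in allowed):
            findings.append(f"port {port} bound to {addr}: should only listen on {sorted(allowed)}")
    return findings

# Constructed sample output in `ss -Hltn` format, not captured from a real host.
SS_OUTPUT = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 50 10.0.0.5:3306 0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in check_listeners(SS_OUTPUT):
        print(finding)
```

On the sample, SSH and the admin portal on 8443 are flagged because they listen on every interface, and the MySQL listener is flagged as undocumented; the host firewall should still restrict traffic, but binding to the right interface is the first check.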

Remote access security

RDP is one of the most attacked subsystems on the internet – ideally only make it available within a VPN and do not publish it directly to the internet.

For Linux systems, remote access is usually via SSH. Configure SSH to whitelist the IP addresses that are permitted to connect and disable remote login for root. If possible, use certificate-based SSH authentication to further secure the connection.
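The SSH items above can be verified against the actual sshd_config rather than trusted from the build notes. This added example (not code from the article) audits a config for root login, password authentication and an AllowUsers/AllowGroups restriction; it also handles two details that catch people out: sshd keeps the first value it sees for a repeated keyword, and a directive inside a Match block only applies to matching connections. The policy values, defaults and sample configs are assumptions.

```python
import re

# Assumed checklist policy: the value each global directive must have, and the
# value sshd applies when the directive is absent (OpenSSH 7+ defaults).
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Return (global_directives, match_blocks) parsed from sshd_config text.
    Keywords are case-insensitive, '#' starts a comment, and sshd keeps the
    FIRST value it sees for a keyword.  Directives under 'Match' apply only to
    matching connections, so they are kept apart from the global settings.
    """
    global_conf, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "directives": {}}
            match_blocks.append(current)
            continue
        target = current["directives"] if current else global_conf
        target.setdefault(key, value)  # first occurrence wins; later ones are ignored
    return global_conf, match_blocks

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes the checks."""
    conf, matches = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        actual = conf.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append(f"{key} is '{actual}', expected '{wanted}'")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups restriction on who may connect")
    for block in matches:  # flag a Match block that loosens a hardened setting
        for key, value in block["directives"].items():
            if key in EXPECTED and value.lower() != EXPECTED[key]:
                findings.append(f"Match {block['criteria']} overrides {key} to '{value}'")
    return findings

# Constructed sample configs, not taken from any real host.  In WEAK the
# PasswordAuthentication line is commented out, so the default ('yes') applies.
WEAK = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
HARDENED = "Port 22\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers admin@10.0.0.0/24\n"
```

`audit_sshd_config(WEAK)` returns three findings and `audit_sshd_config(HARDENED)` returns none; the AllowUsers user@CIDR form is how sshd itself restricts which addresses a user may log in from.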

Logging and SIEM

Configure operating system and application logging so that logs are captured and preserved.  Consider a SIEM solution to centralise and manage the event logs from across your network.

Application hardening

When considering server hardening, remember the applications that will run on the server and not just the operating system.

For well-known applications, such as SQL Server, security guidelines are available from the vendor. Check with your application vendor for their current security baselines.

For custom developed and in-house applications, an application penetration test is a good starting point to identify any vulnerabilities or misconfigurations that need to be addressed.
