What is server hardening?
Server hardening is a set of disciplines and techniques which improve the security of an ‘off the shelf’ server. Server hardening is a requirement of security frameworks such as PCI-DSS and is typically included when organisations adopt ISO27001.
What is the attack surface
The aim of server hardening is to reduce the attack surface of the server. The attack surface is all the different points where an attacker can attempt to access or damage the server. This includes all network interfaces and installed software. By removing software that is not needed and by configuring the remaining software to maximise security, the attack surface can be reduced. As a result, an attacker has fewer opportunities to compromise the server.
Create configuration standards to ensure a consistent approach
It is rarely a good idea to try to invent something new when attempting to solve a security or cryptography problem. Proven, established security standards are the best choice – and this applies to server hardening as well. Start with industry-standard best practices:
The CIS Benchmarks are a comprehensive resource of documents covering many operating systems and applications.
openSCAP is a good starting point for Linux systems. It provides open source tools to identify and remediate security and compliance issues against policies you define.
For Windows systems, Microsoft publishes security baselines and tools to check the compliance of systems against them.
These baselines are a good starting point, but remember they are a starting point and should be reviewed and amended according to the specific needs of your organisation and each server’s role.
How separating server roles improves security
The goal of server hardening is to remove all unnecessary components and access to the server in order to maximise its security. This is easiest when a server has a single job to do, such as being either a web server or a database server. A web server needs to be visible to the internet, whereas a database server needs to be more protected: it will often be visible only to the web servers or application servers and not directly connected to the internet.
If a single server is hosting both a webserver and a database there is clearly a conflict in the security requirements of the two different applications – this is described as having different security levels.
It is best practice not to mix application functions on the same server – thus avoiding differing security levels on the same server. (It is a requirement under PCI-DSS 2.2.1).
Using virtual servers, it can be cost effective to separate different applications into their own Virtual Machine. For larger networks with many virtual machines, further segregation can be applied by hosting all servers with similar security levels on the same host machines.
How vulnerability scans can help server hardening
Vulnerability scans will identify missing patches and misconfigurations which leave your server vulnerable. Ports that are left open or active subsystems that respond to network traffic will be identified in a vulnerability scan, allowing you to take corrective action. A vulnerability scan will also identify new servers when they appear on your network, allowing the security team to ensure the relevant configuration standards are followed in line with your Information Security Policy.
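A scan from the outside shows what responds on the network; the same inventory can be taken from the inside before the scanner arrives. The following PowerShell is an added example, not code from the original article: it lists every listening TCP and UDP endpoint on a Windows server, the process that owns it, whether it is bound to all addresses, and which enabled inbound firewall rules currently admit that port. It uses only the built-in NetTCPIP and NetSecurity cmdlets; the rule matching is a simplification (port and protocol only, ignoring address scope and profile).

```powershell
# Added example (not from the original article). Run in an elevated session on
# Windows Server 2012 or later. Requires the NetTCPIP and NetSecurity modules.

function Test-PortAllowedByRule {
    # True when a single inbound allow rule covers this protocol/port pair.
    param([string]$Protocol, [int]$Port, $Rule)
    if ($Rule.Protocol -ne 'Any' -and $Rule.Protocol -ne $Protocol) { return $false }
    foreach ($p in $Rule.Ports) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$matches[1] -and $Port -le [int]$matches[2]) { return $true }
    }
    return $false
}

function Get-ListeningEndpointReport {
    # Enabled inbound allow rules, with the protocol and local port(s) each one opens.
    $allowRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{ Name = $rule.DisplayName; Protocol = $pf.Protocol; Ports = @($pf.LocalPort) }
    }

    # Everything currently listening: TCP sockets in LISTEN state plus bound UDP endpoints.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Protocol = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwningPid = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Protocol = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort; OwningPid = $_.OwningProcess }
    }

    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningPid -ErrorAction SilentlyContinue
        $matching = $allowRules | Where-Object { Test-PortAllowedByRule -Protocol $ep.Protocol -Port $ep.LocalPort -Rule $_ }
        [pscustomobject]@{
            Protocol     = $ep.Protocol
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ProcessId    = $ep.OwningPid
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            # Bound to every address, so reachable on every interface the firewall permits.
            AllInterfaces = ($ep.LocalAddress -in '0.0.0.0', '::')
            AllowedBy    = (@($matching | ForEach-Object Name) -join '; ')
        }
    }
}

# Usage: the endpoints that are both listening everywhere and admitted by a rule
# are the ones a network scan will find; the rest are candidates to switch off.
Get-ListeningEndpointReport |
    Where-Object { $_.AllInterfaces } |
    Sort-Object Protocol, LocalPort |
    Format-Table Protocol, LocalPort, Process, AllowedBy -AutoSize
```

Compare the output with the list of services the server is supposed to provide; a listener with no owning purpose is an attack-surface item regardless of whether the firewall currently admits it, because firewall rules change.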
Server hardening checklist
This checklist provides a starting point as you create or review your server hardening policies.
Accounts and logins
Change default credentials and remove (or disable) default accounts – before connecting the server to the network (PCI requirement 2.1).
Disable guest accounts and vendor remote support accounts (Vendor accounts can be enabled on demand).
Components and subsystems
Turn off services that are not needed – this includes scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
On Windows systems, only activate the Roles and Features you need; on Linux systems, remove packages that are not required and disable daemons that are not needed.
Updates and vulnerabilities
Install security updates promptly – configure for automatic installation where possible.
Ensure applications as well as the operating system have updates installed.
Clocks and Timestamps
Accurate time keeping is essential for security protocols like Kerberos to work. Active Directory domain controllers provide time sync for members of the domain, but need an accurate time source for their own clocks. Configure NTP servers to ensure all servers (and other network devices) share the same timestamp. It is much harder to investigate security or operational problems if the logs on each device are not synchronised to the same time.
Networks and firewalls
Only publish open network ports that are required for the software and features active on the server. If the server has connections to several different subnets on the network, ensure the right ports are open on the correct network interfaces. For example, an administrative web-portal may be published onto the internal network for support staff to use, but is not published onto the public facing network interface.
Configure perimeter and network firewalls to only permit expected traffic to flow to and from the server.
Remote access security
RDP is one of the most attacked subsystems on the internet – ideally only make it available within a VPN and not published directly to the internet.
For Linux systems, remote access is usually using SSH. Configure SSH to whitelist permitted IP addresses that can connect and disable remote login for root. If possible, use certificate based SSH authentication to further secure the connection.
Logging and SIEM
Configure operating system and application logging so that logs are captured and preserved. Consider a SIEM solution to centralise and manage the event logs from across your network.
Application hardening
When considering server hardening, remember the applications that will run on the server and not just the operating system.
For well known applications, such as SQL Server, security guidelines are available from the vendor. Check with your application vendor for their current security baselines.
For custom developed and in-house applications, an application penetration test is a good starting point to identify any vulnerabilities or misconfigurations that need to be addressed.
Windows Server Hardening Checklist
What is server hardening? There are many different ways for a hacker to attack a Windows server, from unpatched system vulnerabilities to misconfigured settings, unnecessary protocols, or vulnerable applications. The process of getting these vulnerabilities closed off or patched (or at least most of them) is server hardening.
Unfortunately, like a bodybuilder, a hardened system does not stay hard without continuous attention. OS, driver and application patches must be updated promptly; user and application settings should be checked regularly, security systems should be installed, and logging should be enabled to identify what attacks are being tried against the server. Keep reading to learn more about Windows server hardening.
#1 Update Installation
In the server hardening process, many administrators are reluctant to automatically install Windows patches, since the chances of a patch causing problems with either the OS or an application are relatively high. There are a number of solutions beyond manually installing patches, such as Microsoft management server products or third-party solutions (some of which can not only manage OS patches, but also hardware drivers, application software patches, plus a wide variety of other system management tasks). Some can install patches in a sandbox environment, allowing you to test them before applying them to production systems.
Server hardening software can make the needed changes for you, rather than requiring an admin to manually change settings. There are also many pricing models, from per server per month to a fixed price for any number of servers. The number of servers you have and the amount of free time your administrator has will guide you to the best server hardening tool option.
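Whichever tool installs the patches, the decision to install needs numbers: how stale the server is and what is waiting. The following PowerShell is an added example, not code from the original article or from any product it mentions. It reports the most recent installed hotfix, the updates the Windows Update Agent considers applicable but not yet installed (via the built-in Microsoft.Update.Session COM API), and whether a reboot from a previous install is still pending. The 30-day staleness threshold is an assumed value.

```powershell
# Added example (not from the original article). Runs on any supported Windows
# Server; the update search contacts the configured update source (WSUS or
# Microsoft Update), so it can take a minute.

function Get-PatchStatus {
    param([int]$MaxDaysSinceUpdate = 30)   # assumed threshold; align with your patch policy

    # Most recent hotfix with a recorded install date.
    $lastHotfix = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Windows Update Agent: applicable, not installed, not hidden by an admin.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $pending  = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity            # Critical/Important/Moderate/Low, or empty for non-security
            SizeMB   = [math]::Round($u.MaxDownloadSize / 1MB, 1)
        }
    }

    # A previous installation that has not been completed by a restart.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    $days = if ($lastHotfix) { ((Get-Date) - $lastHotfix.InstalledOn).Days } else { $null }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LastHotfix      = if ($lastHotfix) { $lastHotfix.HotFixID } else { 'none recorded' }
        DaysSinceUpdate = $days
        Stale           = ($null -eq $days) -or ($days -gt $MaxDaysSinceUpdate)
        RebootPending   = $rebootPending
        PendingCount    = @($pending).Count
        PendingCritical = @($pending | Where-Object Severity -eq 'Critical').Count
        Pending         = $pending
    }
}

# Usage: summary first, then the list of what is waiting, highest severity first.
$status = Get-PatchStatus
$status | Select-Object Computer, LastHotfix, DaysSinceUpdate, Stale, RebootPending, PendingCount, PendingCritical
$status.Pending | Sort-Object Severity | Format-Table Severity, KB, SizeMB, Title -AutoSize
```

Run it on the test ring first and on production after the soak period; a server that is stale but has nothing pending usually means its update source is misconfigured rather than that it is current.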
#2 User Configuration
At the simplest level, this server hardening step refers to basic configuration options, like requiring complex passwords for all user and administrative accounts, or enabling two-factor authentication or other enhanced security models like biometrics. There are server hardening tools that can help you to audit user, application and administrative accounts, and ensure that passwords are sufficiently complex and are changed as required. It also includes limiting the rights of any given account to those strictly necessary.
It’s often the case that some roles, whether accounts used to execute SQL Server commands or user accounts belonging to executives, will wind up with more rights than they should, either because the users want all rights (whether they need them or not), or because troubleshooting applications is harder than just granting administrative rights.
Unfortunately, giving excess rights to these accounts and users can result in malware being installed when a user clicks on a malware link. Or it can result in an SQL exploit in your e-commerce application that allows a hacker to access data they shouldn’t be able to read. In the server hardening process it can truly be a pain to make some applications work with limited rights, but it is one of the best ways to block attacks, many of which have resulted in well-publicized breaches over the last few years.
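The account items from the checklist earlier on this page (disable default and guest accounts before the server joins the network) and this section (least privilege, password requirements) can be checked with one audit. The following PowerShell is an added example, not code from the original article: it identifies built-in accounts by their well-known RIDs rather than by name (so a renamed Guest is still found), flags enabled accounts with non-expiring or absent passwords, compares local Administrators membership with an approved list, and reads the effective password and lockout policy from `net accounts`. The approved-admin list and the minimum-length and lockout thresholds are assumed placeholders.

```powershell
# Added example (not from the original article). Requires the
# Microsoft.PowerShell.LocalAccounts module (Windows Server 2016+), elevated.
# Without -Remediate the function only reports.

function Invoke-LocalAccountAudit {
    param(
        [string[]]$ApprovedAdmins = @('Administrator', 'CONTOSO\ServerAdmins'),  # placeholder values
        [int]$MinPasswordLength = 14,                                             # assumed baseline
        [switch]$Remediate
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($u in Get-LocalUser) {
        # Well-known RIDs: 500 = built-in Administrator, 501 = Guest, 503 = DefaultAccount.
        $rid = [int](($u.SID.Value -split '-')[-1])
        if (($rid -in 501, 503) -and $u.Enabled) {
            $findings.Add("Default account '$($u.Name)' (RID $rid) is enabled")
            if ($Remediate) { Disable-LocalUser -Name $u.Name }
        }
        if ($u.Enabled -and $u.PasswordNeverExpires) {
            $findings.Add("Account '$($u.Name)' is enabled with a non-expiring password")
            if ($Remediate) { Set-LocalUser -Name $u.Name -PasswordNeverExpires $false }
        }
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings.Add("Account '$($u.Name)' does not require a password (fix manually)")
        }
    }

    # Local Administrators: anything not on the approved list is excess privilege.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $short = ($m.Name -split '\\')[-1]
        if ($m.Name -notin $ApprovedAdmins -and $short -notin $ApprovedAdmins) {
            $findings.Add("Unexpected member of local Administrators: $($m.Name) ($($m.ObjectClass))")
            if ($Remediate) { Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name }
        }
    }

    # Effective password/lockout policy as reported by 'net accounts' (English output).
    $policy = @{}
    net accounts | ForEach-Object {
        if ($_ -match '^(.*?):\s+(.*)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    if ([int]$policy['Minimum password length'] -lt $MinPasswordLength) {
        $findings.Add("Minimum password length is $($policy['Minimum password length']), below $MinPasswordLength")
        if ($Remediate) { net accounts /minpwlen:$MinPasswordLength | Out-Null }
    }
    if ($policy['Lockout threshold'] -eq 'Never') {
        $findings.Add('Account lockout is not configured')
        if ($Remediate) { net accounts /lockoutthreshold:10 | Out-Null }   # assumed value
    }

    if ($findings.Count -eq 0) { 'No findings' } else { $findings }
}

# Usage: report first, review, then apply.
Invoke-LocalAccountAudit
# Invoke-LocalAccountAudit -Remediate
```

On domain-joined servers the local policy shown by `net accounts` is overridden by the domain's Default Domain Policy for domain accounts; the local checks still matter for the local accounts that remain on the box.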
#3 Network Configuration
At the simplest level, a firewall maps TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports from external requests to specific ports on internal servers. Blocking all ports by default and then enabling only the ones needed to get applications to work is a basic step in server hardening.
This can actually be done at different levels — the firewall/router that is the interface between the Internet and the internal private network, on each Windows (or other) server, and at the application level. In addition to disabling unused protocols, you can also map ports from the standard number (for example, port 80 for HTTP and port 443 for secure HTTP) to alternate port numbers.
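The host-level part of this, and the interface-specific example from the networks section of the checklist earlier on this page (an admin portal published on the internal interface but not the public one), look like the following in the Windows Defender Firewall cmdlets. This is an added example, not code from the original article: it sets every profile to block inbound by default, then publishes HTTPS only on the public-facing interface and an administrative portal only on the internal interface and internal subnet. The interface aliases, the admin-portal port (8443) and the internal subnet are assumed placeholders.

```powershell
# Added example (not from the original article). Run elevated on Windows Server
# 2012 or later (NetSecurity module). Interface aliases come from Get-NetAdapter.

function Set-DefaultDenyFirewall {
    # Every profile on: block inbound unless a rule allows it, permit outbound.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

function Publish-ServicePort {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$InterfaceAlias,   # e.g. 'Ethernet-Public' (placeholder)
        [string]$RemoteAddress = 'Any',                  # e.g. '10.20.0.0/16' to restrict sources
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    # Drop any earlier rule with the same name so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol $Protocol -LocalPort $Port -InterfaceAlias $InterfaceAlias `
        -RemoteAddress $RemoteAddress -Profile Any | Out-Null
}

function Get-PublishedPortSummary {
    # One line per 'Allow *' rule: port, interface and remote scope, for review.
    Get-NetFirewallRule -DisplayName 'Allow *' -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $if = $_ | Get-NetFirewallInterfaceFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            Port      = $pf.LocalPort
            Interface = $if.InterfaceAlias
            Remote    = $af.RemoteAddress
        }
    }
}

# Web tier example (placeholders): HTTPS from anywhere, but only via the public NIC;
# the support portal only via the internal NIC and only from the internal subnet.
Set-DefaultDenyFirewall
Publish-ServicePort -Name 'Allow HTTPS (public)' -Port 443 -InterfaceAlias 'Ethernet-Public'
Publish-ServicePort -Name 'Allow admin portal (internal)' -Port 8443 `
    -InterfaceAlias 'Ethernet-Internal' -RemoteAddress '10.20.0.0/16'
Get-PublishedPortSummary | Format-Table -AutoSize
```

The host firewall is a second layer: the perimeter firewall should already refuse 8443 from the Internet, so a mistake in either one is caught by the other.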
#4 Features and Roles Configuration
During the server hardening process, in addition to limiting the rights of accounts that are used by users and applications, it’s also a good idea to create roles, remove others, and add or subtract Windows Features as needed. For instance, creating sub-roles for lower-tier administrators means that access doesn’t need to be an all-or-nothing affair. Junior administrators can be given the right to edit users’ configuration files without letting them view private files in users’ home directories or providing access to the configuration settings for file or application servers.
SQL administrators can likewise be given rights to create and run test queries on some servers while being blocked from making changes to production servers. Features work in similar ways at the application level — if there’s no need for an HTTP or HTTPS server on an SQL or file server, removing that role can reduce potential attack vectors and other vulnerabilities at this step of Windows server hardening.
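The "no web server on a database server" rule from this section and the "only activate the Roles and Features you need" item from the checklist earlier on this page can be enforced against a per-role baseline. The following PowerShell is an added example, not code from the original article: it uses the ServerManager module to list the installed roles for sign-off, reports installed features that should never be present (a global list) or that do not belong on this server's role, and optionally uninstalls them. The feature lists are assumed starting points, not a published standard.

```powershell
# Added example (not from the original article). Windows Server only
# (ServerManager module); run elevated. Uninstall-WindowsFeature may request a restart.

# Assumed lists. Feature names are the ones Get-WindowsFeature reports.
$NeverOnAnyServer = @('FS-SMB1', 'Telnet-Client', 'PowerShell-V2', 'Fax')
$NotForRole = @{
    'Database' = @('Web-Server', 'Web-Ftp-Server', 'DHCP', 'DNS', 'Print-Services')
    'Web'      = @('Web-Ftp-Server', 'DHCP', 'DNS', 'Print-Services')
}

function Get-InstalledRoleSummary {
    # The top-level roles actually installed: what a reviewer compares with the server's documented job.
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
        Select-Object Name, DisplayName
}

function Get-UnwantedWindowsFeatures {
    param([Parameter(Mandatory)][ValidateSet('Database', 'Web')][string]$Role)
    $unwanted = $NeverOnAnyServer + $NotForRole[$Role]
    # Only names that exist on this OS version are returned; unknown names are ignored.
    Get-WindowsFeature -Name $unwanted -ErrorAction SilentlyContinue |
        Where-Object Installed |
        Select-Object Name, DisplayName, FeatureType
}

function Remove-UnwantedWindowsFeatures {
    param(
        [Parameter(Mandatory)][ValidateSet('Database', 'Web')][string]$Role,
        [switch]$Apply   # without -Apply this is a dry run (-WhatIf)
    )
    $names = @(Get-UnwantedWindowsFeatures -Role $Role | ForEach-Object Name)
    if ($names.Count -eq 0) { return 'Nothing to remove' }
    Uninstall-WindowsFeature -Name $names -WhatIf:(-not $Apply)
}

# Usage on a database server (placeholder role):
Get-InstalledRoleSummary | Format-Table -AutoSize
Get-UnwantedWindowsFeatures -Role 'Database' | Format-Table -AutoSize
Remove-UnwantedWindowsFeatures -Role 'Database'          # dry run
# Remove-UnwantedWindowsFeatures -Role 'Database' -Apply  # after change approval
```

Uninstalling a role also removes its sub-features and its listening ports, which is why this is worth more than just stopping the service: a stopped service can be started again by anyone with the right, a removed role cannot.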
#5 NTP (Network Time Protocol) Configuration
Network Time Protocol is intended to ensure that all servers in an organization (whether all in one data center or located all over the world) are synced up to the same time standard. Servers or workstations out of sync by as little as a few minutes can cause configuration errors or leave the potential for security holes. However, some caution should be used when implementing NTP. For instance, by default, Windows Servers and workstations are set to use time.windows.com to get their Internet time. This can introduce vulnerabilities, since man-in-the-middle attacks and other spoofing count on systems using this standard.
From the standpoint of server hardening, a safer option may be to set up one system, perhaps even a Linux system or other system with no other roles, and have that system get its time synchronization from one of the major Internet NTP servers (such as pool.ntp.org) and then have all the other servers in your organization poll that NTP server to get their time.
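The hierarchy described in this section and in the clocks item of the checklist earlier on this page (one internal source synced from the Internet, everything else synced from it, domain members following their domain controllers) can be set up with w32tm, the Windows Time service's command-line tool. The following PowerShell is an added example, not code from the original article. It configures the dedicated internal time server, configures a client according to whether it is a domain member, and measures the offset against a named server so that drift is caught before Kerberos rejects tickets. The internal host name and subnet are assumed placeholders; the pool.ntp.org names are the ones the section mentions.

```powershell
# Added example (not from the original article). Run elevated. w32tm.exe and
# the w32time service are built into Windows; the firewall cmdlet needs
# Windows Server 2012 or later.

function Set-InternalTimeServer {
    # The one box with no other role: sync from the public pool and advertise
    # itself as a reliable source. 0x8 = client mode (send requests, expect replies).
    $peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name w32time
    w32tm /resync /nowait
    # Only internal hosts may query this server's NTP port (placeholder subnet).
    New-NetFirewallRule -DisplayName 'Allow NTP (internal)' -Direction Inbound -Protocol UDP `
        -LocalPort 123 -RemoteAddress '10.20.0.0/16' -Action Allow | Out-Null
}

function Set-TimeClient {
    param([Parameter(Mandatory)][string]$TimeServer)   # e.g. 'ntp.corp.example' (placeholder)
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDc = [bool](Get-Service -Name NTDS -ErrorAction SilentlyContinue)
    if ($cs.PartOfDomain -and -not $isDc) {
        # Domain members take time from the domain hierarchy, i.e. their DCs.
        w32tm /config /syncfromflags:domhier /update
    } else {
        # Domain controllers and standalone servers point at the internal time server.
        w32tm /config /manualpeerlist:"$TimeServer,0x8" /syncfromflags:manual /update
    }
    Restart-Service -Name w32time
    w32tm /resync /nowait
}

function Test-TimeOffset {
    # Offset of this host from the named server. Kerberos tolerates 5 minutes by
    # default; a tighter limit (assumed 5 s here) catches drift early.
    param([Parameter(Mandatory)][string]$TimeServer, [double]$MaxSkewSeconds = 5)
    $lines = w32tm /stripchart /computer:$TimeServer /samples:3 /dataonly
    # Data lines look like "12:00:01, +00.0123456s"; keep the last sample.
    $last = $lines | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
    if (-not $last) { throw "No samples from $TimeServer (is UDP/123 open and the service running?)" }
    $null = $last -match ',\s*([+-]\d+\.\d+)s'
    $offset = [double]$matches[1]
    [pscustomobject]@{
        Server          = $TimeServer
        OffsetSeconds   = $offset
        WithinTolerance = ([math]::Abs($offset) -le $MaxSkewSeconds)
        Source          = (w32tm /query /source)
    }
}

# Usage (placeholders): on the time server, then on each other host.
# Set-InternalTimeServer
# Set-TimeClient -TimeServer 'ntp.corp.example'
# Test-TimeOffset -TimeServer 'ntp.corp.example'
```

In a domain only the DC holding the PDC emulator role needs the manual peer; the other DCs follow it through domhier, which the code above treats the same way for simplicity.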
#6 Firewall Configuration
In terms of server hardening, firewalls can be critical to stopping most hacking attacks. If an outside connection cannot reach an internal system, it can’t steal information. Blocking everything by default and whitelisting only the necessary ports is a good start, but firewalls can also create logs of every attempt to connect to an internal system. Scanning these logs can give you a good idea of whether attempts are caused by users with incorrect login credentials, or by hackers for hire working for your competitors.
In addition, many firewalls can detect traffic that is typical for certain attacks, or identify internal users or applications that are sending information to an outside system. Using these logs directly, or through a SIEM (security information and event management) application, can help you to identify the few lines in the hundreds of pages of log information that you need to know about.
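Turning on the host firewall's drop log and reducing it to a handful of lines is the host-level version of what this section describes. The following PowerShell is an added example, not code from the original article: it enables logging of blocked connections on every profile, then parses the W3C-format `pfirewall.log` to count drops by source address and by destination port, so one source hammering one port stands out. The log lines at the bottom are constructed for the demonstration (documentation address ranges); on a real server pass the contents of the configured log file instead.

```powershell
# Added example (not from the original article). Windows Server 2012 or later,
# run elevated for Set-NetFirewallProfile. Parsing needs no privileges.

function Enable-FirewallDropLogging {
    param([string]$LogPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log')
    # Log dropped packets only; logging allowed traffic on a busy server swamps the file.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767 -LogBlocked True -LogAllowed False
}

function Get-DroppedConnectionSummary {
    param([Parameter(Mandatory)][string[]]$LogLines, [int]$Top = 10)
    # pfirewall.log fields (from its #Fields header):
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
    $events = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[2] -ne 'DROP') { continue }
        [pscustomobject]@{
            Date = $f[0]; Time = $f[1]; Protocol = $f[3]
            SrcIp = $f[4]; DstIp = $f[5]; SrcPort = $f[6]; DstPort = $f[7]
        }
    }
    [pscustomobject]@{
        TotalDrops   = @($events).Count
        TopSources   = $events | Group-Object SrcIp | Sort-Object Count -Descending |
                           Select-Object -First $Top Name, Count
        TopDestPorts = $events | Group-Object Protocol, DstPort | Sort-Object Count -Descending |
                           Select-Object -First $Top Name, Count
    }
}

# Constructed sample: one source probing RDP (3389) and SMB (445) repeatedly,
# one allowed HTTPS connection, and an unrelated multicast-DNS drop.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 08:00:01 DROP TCP 203.0.113.7 192.0.2.10 51000 3389 52 S 1234 0 8192 - - - RECEIVE
2024-01-15 08:00:02 DROP TCP 203.0.113.7 192.0.2.10 51001 3389 52 S 1235 0 8192 - - - RECEIVE
2024-01-15 08:00:03 DROP TCP 203.0.113.7 192.0.2.10 51002 445 52 S 1236 0 8192 - - - RECEIVE
2024-01-15 08:00:05 ALLOW TCP 198.51.100.4 192.0.2.10 40000 443 52 S 4000 0 8192 - - - RECEIVE
2024-01-15 08:00:09 DROP UDP 198.51.100.9 192.0.2.10 5353 5353 120 - - - - - - - RECEIVE
'@ -split "`r?`n"

$summary = Get-DroppedConnectionSummary -LogLines $sampleLog
$summary.TotalDrops        # 4 for the constructed sample
$summary.TopSources | Format-Table -AutoSize
$summary.TopDestPorts | Format-Table -AutoSize

# On a real host:
# Get-DroppedConnectionSummary -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The same grouping is what a SIEM rule does continuously; the value of running it by hand once is knowing what "normal" looks like on this server before an alert threshold is set.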
#7 Remote Access Configuration
Remote access allows a user with the proper credentials to connect to a Windows server from another system and access the desktop, applications, configuration tools and so forth. It’s the next best thing in terms of server hardening. However, it’s also a great way for an unauthorized user to get access to all sorts of things you don’t want them to have.
Beyond the basics of limiting remote access to specific roles and ensuring that users of those roles don’t share passwords, it’s possible to limit remote access to specific IP addresses or blocks of addresses or to add additional token-based authentication to ensure that the user really is authorized. In addition, logging all remote access and the originating IP address can help you discover users’ actions if a breach does occur.
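The remote-access items from this section and from the checklist earlier on this page (RDP reachable only over the VPN, SSH restricted to permitted addresses with root login disabled and key-based authentication) are implemented in three places on a Windows server: the Terminal Server registry key, the firewall, and the Security log. The following PowerShell is an added example, not code from the original article. It requires Network Level Authentication, replaces the broad built-in RDP rules with one scoped to the VPN range, lists RDP logons from the last day with their source addresses (event 4624, logon type 10), and checks an OpenSSH `sshd_config` for the directives the checklist names. The VPN subnet and the config path are assumed placeholders.

```powershell
# Added example (not from the original article). Run elevated on Windows Server
# 2012 or later. Reading the Security log needs administrator or
# Event Log Readers rights, and 'Audit Logon' success auditing must be on.

function Set-RdpHardening {
    param([Parameter(Mandatory)][string]$VpnSubnet)   # e.g. '10.99.0.0/24' (placeholder)
    # NLA: the user authenticates before a session is created, not after.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name 'UserAuthentication' -Value 1 -Type DWord
    # Replace the built-in, unscoped 'Remote Desktop' rules with one limited to the VPN range.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    Get-NetFirewallRule -DisplayName 'Allow RDP (VPN only)' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Allow RDP (VPN only)' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $VpnSubnet -Action Allow | Out-Null
}

function Get-RdpLogons {
    param([int]$Hours = 24)
    # 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
    $since = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('o')
    $xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$since']] " +
             "and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Domain = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
            Source = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    }
}

function Test-SshdConfig {
    # Works for Windows OpenSSH (default path below) and for /etc/ssh/sshd_config copied from a Linux host.
    param([string]$Path = "$env:ProgramData\ssh\sshd_config")
    $expected = @{ PermitRootLogin = 'no'; PasswordAuthentication = 'no'; PubkeyAuthentication = 'yes' }
    $cfg = @{}   # hashtable keys are case-insensitive, matching sshd's treatment of directives
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*Match\b') { break }                 # stop at conditional blocks
        if ($line -match '^\s*(\w+)\s+(\S+)' -and -not $cfg.ContainsKey($matches[1])) {
            $cfg[$matches[1]] = $matches[2]                        # sshd uses the first value it sees
        }
    }
    foreach ($k in $expected.Keys) {
        $actual = if ($cfg.ContainsKey($k)) { $cfg[$k] } else { '(default)' }
        [pscustomobject]@{ Directive = $k; Expected = $expected[$k]; Actual = $actual; Ok = ($actual -eq $expected[$k]) }
    }
}

# Usage (placeholders):
# Set-RdpHardening -VpnSubnet '10.99.0.0/24'
# Get-RdpLogons -Hours 24 | Sort-Object Time | Format-Table -AutoSize
# Test-SshdConfig | Format-Table -AutoSize
```

Restricting SSH to permitted addresses belongs in the firewall rule, exactly as for RDP above, or in a `Match Address` block in `sshd_config`; the checker stops at the first `Match` line because directives inside such blocks apply only conditionally.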
#8 Service Configuration
As with removing or limiting server roles and features, services are lower-level apps that enable specific network protocols, access to server hardware, application functionality, etc. Many services can be shut off or configured to run on demand, rather than being constantly enabled.
The trick is to know what services are needed for which applications. (You don’t want to open Task Manager and start randomly shutting down services.) Shutting down the right services can not only help server hardening by disabling common ways to attack the server, it can also speed up operations because unnecessary services aren’t using CPU or memory.
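"Know what services are needed" is the hard part, and the dependency information Windows already keeps answers half of it. The following PowerShell is an added example, not code from the original article: for a list of services that are commonly unnecessary on a server, it shows the current state, start mode and account, and which running services depend on each one, and refuses to disable anything that still has running dependents unless told to. The candidate list is an assumed starting point; keep whatever the server's role needs.

```powershell
# Added example (not from the original article). Run elevated; Set-Service
# needs administrator rights. Service names are the short names Get-Service shows.

# Assumed candidates, not a published baseline.
$CandidateServices = @(
    'Spooler',        # Print Spooler: only a print server needs it
    'RemoteRegistry', # Remote Registry
    'SSDPSRV',        # SSDP Discovery (UPnP)
    'upnphost',       # UPnP Device Host
    'WMPNetworkSvc',  # Windows Media Player Network Sharing
    'Fax'
)

function Get-ServiceDisableCandidates {
    param([string[]]$Names = $CandidateServices)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # not present on this OS build
        # Services that would stop working if this one were disabled.
        $dependents = @($svc.DependentServices | Where-Object Status -eq 'Running' | ForEach-Object Name)
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        [pscustomobject]@{
            Name              = $svc.Name
            DisplayName       = $svc.DisplayName
            Status            = $svc.Status
            StartMode         = $cim.StartMode
            RunsAs            = $cim.StartName
            RunningDependents = ($dependents -join ', ')
            SafeToDisable     = ($dependents.Count -eq 0)
        }
    }
}

function Disable-UnneededServices {
    param([string[]]$Names = $CandidateServices, [switch]$Force)
    foreach ($c in Get-ServiceDisableCandidates -Names $Names) {
        if ($c.StartMode -eq 'Disabled') { continue }
        if (-not $c.SafeToDisable -and -not $Force) {
            Write-Warning "Skipping $($c.Name): running dependents ($($c.RunningDependents))"
            continue
        }
        Stop-Service -Name $c.Name -ErrorAction SilentlyContinue
        Set-Service -Name $c.Name -StartupType Disabled
        "Disabled $($c.Name)"
    }
}

# Usage: review, then disable.
Get-ServiceDisableCandidates | Format-Table Name, Status, StartMode, RunsAs, RunningDependents, SafeToDisable -AutoSize
# Disable-UnneededServices
```

Setting the start type to Disabled rather than just stopping the service is the point: a stopped service with start type Manual is restarted by the next thing that asks for it.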
#9 Logging and Monitoring
Logging and monitoring can be a security administrator’s best friends. It may not always be possible to block every attack (with new forms arising every day), but at least you can discover a problem and keep it from happening again as long as you’re logging and monitoring your systems.
Simply logging everything isn’t practical. System logs can generate hundreds of thousands of lines of text per day. The key to successful Windows server hardening is to log only the system events that are helpful, and then find the right events if there’s a problem. SIEM tools are a great way of handling this, or you can hire an experienced systems administrator who can do the same thing with less expensive tools.
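"Log only the helpful events, then find the right ones" is an audit-policy choice plus a query, and the same two pieces cover the logging item of the checklist earlier on this page. The following PowerShell is an added example, not code from the original article: it enables the audit subcategories an investigation usually needs, records command lines with process-creation events, enlarges the Security log so events survive until the SIEM collects them, and then summarises failed logons (event 4625) by source address and target account so one noisy source is visible among thousands of lines. The log size and lookback window are assumed values.

```powershell
# Added example (not from the original article). Run elevated. auditpol.exe and
# wevtutil.exe are built in; subcategory names are those of English Windows.

function Set-BaselineAuditPolicy {
    $subcategories = @(
        'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
        'User Account Management', 'Security Group Management',
        'Process Creation', 'Audit Policy Change', 'Sensitive Privilege Use'
    )
    foreach ($s in $subcategories) {
        auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
    # Include the command line in 4688 process-creation events.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
    # 1 GB Security log (assumed size) so events are not overwritten before collection.
    wevtutil sl Security /ms:1073741824
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Top = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
            # 0xC000006A wrong password, 0xC0000064 no such user, 0xC0000234 locked out
            SubStatus = ($d | Where-Object Name -eq 'SubStatus').'#text'
        }
    }
    [pscustomobject]@{
        Hours    = $Hours
        Failures = @($events).Count
        BySource = $events | Group-Object Source | Sort-Object Count -Descending | Select-Object -First $Top Name, Count
        ByUser   = $events | Group-Object User   | Sort-Object Count -Descending | Select-Object -First $Top Name, Count
        ByReason = $events | Group-Object SubStatus | Sort-Object Count -Descending | Select-Object Name, Count
    }
}

# Usage:
# Set-BaselineAuditPolicy
$s = Get-FailedLogonSummary -Hours 24
$s | Select-Object Hours, Failures
$s.BySource | Format-Table -AutoSize
$s.ByUser   | Format-Table -AutoSize
$s.ByReason | Format-Table -AutoSize
```

Many failures from one source against many different user names is a different problem from many failures for one user from one workstation (usually a stale saved credential); the three groupings tell them apart without reading the individual events.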
#10 Additional Server Hardening Measures — Email
There’s a quote from Ron Burns: “You can’t make anything idiot-proof, because idiots are so ingenious.” However, as one means of protection, firewalls and email security applications can stop the majority of phishing emails.
Currently, it’s estimated that as many as 95% of security breaches start with a successful phish.
Conclusion
Server hardening is a complex process that, like most things, will deliver results in proportion to the effort you put into it. A simple one-page Windows Server hardening checklist will likely make your systems more secure than they are now, but hardening a web server, file server or SQL server will have very different requirements, and will yield better results with more research into the specifics of what each type of server requires and what they can do without.