Checklist for Securing and Hardening your Server Environment
Use KeePass with Pleasant Password Server
This general security checklist can serve as a starting point for organizations to improve the security of their servers and environment. As the technology behind cyber security is always evolving, it is important to regularly maintain and upgrade their security systems.
Have Questions? Contact Us!
Manage Server Access
- Don't forget physical server security
- Only allow trusted personnel
- Keep staff aware, informed, and trained
- Manage access to your servers and critical infrastructure
- Restrict critical apps and system files to admins
- Reduce physical access to sensitive items
- e.g. routers, switches, servers, hubs, etc.
Minimize the External Footprint
- Install on an intranet
- Firewall Installation/Configuration
- Examine Options for External User Access, including:
- Require VPN, or Azure AD App Proxy, or Reverse Proxy for external network connections
- Further blocks direct access to sensitive servers / data
- Use IP Filtering
- Consider Hosting with IIS
- Restrict/Whitelist IP address ranges
- Client Certificate Authentication
- Other Authorization Rules
- Require VPN, or Azure AD App Proxy, or Reverse Proxy for external network connections
- Consider a Hardware Firewall, etc.
Harden the Network
- Establish an understanding of the network, components, and devices
- Minimize open network ports
- Manage and audit firewall and firewall rules
- Use Virtual LAN (VLAN) / network segmentation, to isolate traffic into group subsets
- Shutdown unused interfaces, switch ports, etc.
- Monitor and log all access attempts to network devices
Patch Vulnerabilities
- Keep Browsers & Plugins updated
- Update the OS & other applications
Minimize Attack Surface
- Minimize unnecessary software on your servers
- Install on a Windows Server Core
- Remove unnecessary operating system components
- Unnecessary services should be disabled
- Component/Feature Management - Add what you need, remove what you don't
Restrict Admin Access
- Limit membership to admin users/groups
- Create multiple admin accounts with lesser access
- Limit dedicated servers to admin responsibilities
Keep Inventory Updated
- Keep track of assets
- Manage components and devices added to the network/environment
- When new items are introduced
- State of the device
- Update the changes made to those devices
Know What's Happening
- Periodically review logs for suspicious activity
- Authentications
- User Access activity & changes
- Privilege Elevation & usage
- Maintain server logging, monitor periodically
- Mirror logs to a separate log server
- Scans/Audits of the server - check for malware/hacks
Minimize User Access Permissions
- Limit user account access to the least privilege needed
- Group user access / permissions by role
- Restrict sensitive information to trusted accounts only
- Manage security considerations of user directory accounts
- e.g. AD Account Security (external link)
- Elevated access should only be on an as-needed basis
- Delete unnecessary OS users
Establish Communications
- Use the best data encryption Protocols & Cipher Suites for your Communications
Secure Software Applications
- Use Security applications, such as anti-virus/anti-malware
- Choose reputable, well-known, well-tested
- Choose secure settings recommended by the software vendor
- Keep Security applications updated
- Use Stable versions with latest security patches
- Remove unnecessary/insecure 3rd-party apps, especially those of low reputation
Use MFA & Single Sign-On
- Require Multi-Factor Authentication for sensitive user accounts, systems or items
- Prefer Single Sign-On for applications, minimize the necessity to remember/type passwords
Safeguard against Data Loss
- Use regular VM snapshots, database/application/file backups
- Categorize data - which data must remain highly available
- Use Disaster Recovery (DR) and High-Availability (HA) safeguards
- Periodically review and practice Recovery steps
- Consider Data Loss Prevention (DLP) software
- Establish a periodic archive of your data to a remote site / data storage location
Further Hardening / Protecting Credentials
- Have users use very strong passwords or passphrases, especially for Administrative passwords
- Rotate credentials & keys
- passwords infrequently, do not reuse them
- private keys periodically, if possible
- Change regular account names from 'admin' or 'guest'
- Lock accounts after too many login failures. These could be illegitimate attempts to gain access.
- Note: be careful with setting LDAP/AD directories lockout policies, as some configurations could become lockout-prone/problematic.
- Use auto-lock OS features
Backup Plans
- Maintain proper backups
- Use non-elevated account privileges where possible
Prevent Time Drift
- Keep server clock in-sync
Harden Remote Sessions
- Secure and monitor SSH
- Change the port from default
- Disable elevated privileges where possible
- Use non-elevated account privileges where possible
Use Recommended Security Configurations
- Review recommended Security Settings from trusted sources, e.g.:
- Windows Security Baseline
- Relevant security-related config options and tools
- CIS Benchmarks
- Best practices for securely configuring a system, guidance on CIS controls
- Highlights specific setting changes that maps to compliance and regulatory frameworks:
- NIST Cybersecurity Framework (CSF), NIST SP 800-53, ISO 27000 series of standards, PCI DSS, HIPAA, etc.
- Windows Security Baseline
-
Establish a security baseline for your organization
Prioritize Vulnerabilities
- Identify the highest risks with the biggest impacts relevant to your critical assets
- Consolidate vulnerabilities and cyber risks to one list
- Use modern sophisticated scoring mechanisms, for example:
- CVSS (Common Vulnerability Scoring System)
- Severity Scanning
- OWASP Top 10
- Work together with department teams
- Consider using some tool automations
Other References: