Checklist for Securing and Hardening your Server Environment

Use KeePass with Pleasant Password Server

This general security checklist can serve as a starting point for organizations to improve the security of their servers and environment. As the technology behind cyber security is always evolving, it is important to regularly maintain and upgrade their security systems.

Have Questions?  Contact Us!

Manage Server Access

• Don't forget physical server security
  • only allow trusted personnel
  • keep staff informed/trained
• Manage access to your servers
  
  • restrict critical apps and system files to admins

Minimize the External Footprint

• Install on an intranet
• Firewall Installation/Configuration
• Examine Options for External User Access, including:
  
  • Require VPN and/or Reverse Proxy for external network connections
    • Further blocks direct access to sensitive servers / data
  • Use IP Filtering
  • Consider Hosting with IIS
    
    • Restrict/Whitelist IP address ranges
    • Client Certificate Authentication
    • Other Authorization Rules
• Consider a Hardware Firewall, etc. 

Patch Vulnerabilities

• Keep Browsers & Plugins updated
• Update the OS & other applications

Minimize Attack Surface

• Minimize unnecessary software on your servers
• Install on a Windows Server Core
• Remove unnecessary operating system components
• Unnecessary services should be disabled
• Component/Feature Management - Add what you need, remove what you don't

Restrict Admin Access

• Limit membership to admin users/groups
• Create multiple admin accounts with lesser access
• Limit dedicated servers to admin responsibilities

Know What's Happening

• Periodically review logs for suspicious activity
  • Authentications
  • User Access activity & changes
  • Privilege Elevation & usage
• Maintain server logging, monitor periodically
  
  • Mirror logs to a separate log server
• Scans/Audits of the server - check for malware/hacks

Minimize User Access Permissions

• Limit user account access
• Group user access / permissions by role
• Restrict sensitive information to trusted accounts only
• Manage security considerations of user directory accounts
  • e.g. AD Account Security (external link)
• Elevated access should only be on an as-needed basis
• Delete unnecessary OS users

Establish Communications

• Use the best data encryption Protocols & Cipher Suites for your Communications
  
  • Disable insecure protocols
• Minimize open network ports

Further Hardening / Protecting Credentials

• Use Security applications, such as anti-virus/anti-malware
  • Choose reputable, well-known, well-tested
• Keep Security applications updated
• Use very strong passwords, especially for Administrative passwords
• Rotate credentials & keys
  • passwords infrequently, do not reuse them
  • private keys periodically, if possible
• Change regular account names from 'admin' or 'guest'
• Lock accounts after too many login failures. These could be illegitimate attempts to gain access.
  
  • Note: be careful with setting LDAP/AD directories lockout policies, as some configurations could become lockout-prone/problematic.
• Use auto-lock OS features

Backup Plans

• Maintain proper backups
• Use non-elevated account privileges where possible

Prevent Time Drift

• Keep server clock in-sync

 
Harden Remote Sessions

• Secure and monitor SSH
  • Change the port from default
  • Disable elevated privileges where possible
  • Use non-elevated account privileges where possible

Use Recommended Security Configurations

• Review recommended Security Settings from trusted sources, e.g.:
  
  • Windows Security Baseline

• Establish a security baseline for your organization

References:

• Active Directory Accounts
• Difference Between DMZ & Reverse Proxy