Checklist for Securing and Hardening your Server Environment

Use KeePass with Pleasant Password Server

This general security checklist can serve as a starting point for organizations to improve the security of their servers and environment. As the technology behind cyber security is always evolving, it is important to regularly maintain and upgrade their security systems.

Have Questions?  Contact Us!

Manage Server Access

  • Don't forget physical server security
    • Only allow trusted personnel
    • Keep staff aware, informed, and trained
  • Manage access to your servers and critical infrastructure
    • Restrict critical apps and system files to admins
    • Reduce physical access to sensitive items
      • e.g. routers, switches, servers, hubs, etc.

Minimize the External Footprint


Harden the Network

  • Establish an understanding of the network, components, and devices
  • Minimize open network ports
  • Manage and audit firewall and firewall rules
  • Use Virtual LAN (VLAN) / network segmentation, to isolate traffic into group subsets
  • Shutdown unused interfaces, switch ports, etc.
  • Monitor and log all access attempts to network devices

Patch Vulnerabilities

  • Keep Browsers & Plugins updated
  • Update the OS & other applications


Minimize Attack Surface

  • Minimize unnecessary software on your servers
  • Install on a Windows Server Core
  • Remove unnecessary operating system components
  • Unnecessary services should be disabled
  • Component/Feature Management - Add what you need, remove what you don't


Restrict Admin Access

  • Limit membership to admin users/groups
  • Create multiple admin accounts with lesser access
  • Limit dedicated servers to admin responsibilities


Keep Inventory Updated

  • Keep track of assets
  • Manage components and devices added to the network/environment
    • When new items are introduced
    • State of the device
    • Update the changes made to those devices


Know What's Happening

  • Periodically review logs for suspicious activity
    • Authentications
    • User Access activity & changes
    • Privilege Elevation & usage
  • Maintain server logging, monitor periodically
    • Mirror logs to a separate log server
  • Scans/Audits of the server - check for malware/hacks


Minimize User Access Permissions

  • Limit user account access to the least privilege needed
  • Group user access / permissions by role
  • Restrict sensitive information to trusted accounts only
  • Manage security considerations of user directory accounts
  • Elevated access should only be on an as-needed basis
  • Delete unnecessary OS users


Establish Communications


Secure Software Applications

  • Use Security applications, such as anti-virus/anti-malware
    • Choose reputable, well-known, well-tested
  • Choose secure settings recommended by the software vendor
  • Keep Security applications updated
    • Use Stable versions with latest security patches
  • Remove unnecessary/insecure 3rd-party apps, especially those of low reputation


Use MFA & Single Sign-On

  • Require Multi-Factor Authentication for sensitive user accounts, systems or items
  • Prefer Single Sign-On for applications, minimize the necessity to remember/type passwords


Safeguard against Data Loss

  • Use regular VM snapshots, database/application/file backups
  • Categorize data - which data must remain highly available
  • Use Disaster Recovery (DR) and High-Availability (HA) safeguards
  • Periodically review and practice Recovery steps
  • Consider Data Loss Prevention (DLP) software
  • Establish a periodic archive of your data to a remote site / data storage location

Further Hardening / Protecting Credentials

  • Have users use very strong passwords or passphrases, especially for Administrative passwords
  • Rotate credentials & keys
    • passwords infrequently, do not reuse them
    • private keys periodically, if possible
  • Change regular account names from 'admin' or 'guest'
  • Lock accounts after too many login failures. These could be illegitimate attempts to gain access.
    • Note: be careful with setting LDAP/AD directories lockout policies, as some configurations could become lockout-prone/problematic.
  • Use auto-lock OS features

Backup Plans

  • Maintain proper backups
  • Use non-elevated account privileges where possible

Prevent Time Drift

  • Keep server clock in-sync

Harden Remote Sessions

  • Secure and monitor SSH
    • Change the port from default
    • Disable elevated privileges where possible
    • Use non-elevated account privileges where possible


Use Recommended Security Configurations

  • Review recommended Security Settings from trusted sources, e.g.:
    • Windows Security Baseline
      • Relevant security-related config options and tools
    • CIS Benchmarks
      • Best practices for securely configuring a system, guidance on CIS controls
      • Highlights specific setting changes that maps to compliance and regulatory frameworks: 
        • NIST Cybersecurity Framework (CSF), NIST SP 800-53, ISO 27000 series of standards, PCI DSS, HIPAA, etc.
  • Establish a security baseline for your organization


Prioritize Vulnerabilities

  • Identify the highest risks with the biggest impacts relevant to your critical assets
  • Consolidate vulnerabilities and cyber risks to one list
  • Use modern sophisticated scoring mechanisms, for example:
  • Work together with department teams
  • Consider using some tool automations


Other References: