In today’s society, data is a valuable commodity that’s easy to sell or trade, and your servers are where most of your company’s most valuable data resides. Here are some tips for securing those servers against all threats. Create a server deployment checklist, and make sure all of the following are on the list, and that each server you deploy complies 100% before it goes into production.
1. Server List - A quick reference that is easy to update and maintain
Maintain a server list that details all the servers on your network, including:
2. Responsible party per server
The person or team who knows what the server is for, and is responsible for ensuring it is kept up-to-date, and can investigate any anomalies associated with that server.
3. Naming Convention
Naming conventions may seem like a strange thing to tie to security, but being able to quickly identify a server is critical when you spot some strange traffic, and if an incident is in progress, every second saved counts.
4. Network Configuration
Ensure that all network configurations are done properly, including:
5. Static IP Addresses
All servers should be assigned static IP addresses, and that data needs to be maintained in your IP Address Management tool (even if that’s just an Excel spreadsheet). When strange traffic is detected, it’s vital to have an up-to-date and authoritative reference for each IP address on your network.
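As an added example (not code from the original article), here is what that "authoritative reference" looks like when it is something a script can query rather than a spreadsheet nobody opens. The inventory CSV, the column names and the firewall log lines are all constructed for the example; the checks flag a server whose recorded address is outside its own subnet, a server with no responsible party, and a source address seen in traffic that the list knows nothing about.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed sample export of a server list / IPAM sheet. The last row is
# deliberately wrong so the sanity checks below have something to catch.
INVENTORY_CSV = """hostname,ip,owner,role,subnet
web-prod-01,10.10.1.10,web-team,web,10.10.1.0/24
app-prod-01,10.10.1.11,app-team,application,10.10.1.0/24
db-prod-01,10.10.2.20,dba-team,database,10.10.2.0/24
test-box,10.10.9.5,,test,10.10.1.0/24
"""

# Constructed firewall log lines; the second source address is not in the list.
SAMPLE_LOG = [
    "action=allow src=10.10.1.10 dst=10.10.2.20 dport=5432",
    "action=deny src=10.10.1.77 dst=10.10.2.20 dport=5432",
]


def load_inventory(text: str) -> Dict[str, dict]:
    """Parse the CSV into a dict keyed by IP. Two rows claiming the same
    address is itself a finding, so raise instead of silently overwriting."""
    by_ip: Dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["ip"]))  # also rejects malformed addresses
        if ip in by_ip:
            raise ValueError(f"duplicate IP in inventory: {ip}")
        by_ip[ip] = row
    return by_ip


def inventory_problems(by_ip: Dict[str, dict]) -> List[str]:
    """Checks on the list itself: every address must sit inside its recorded
    subnet and every server needs a responsible party."""
    problems = []
    for ip, row in by_ip.items():
        net = ipaddress.ip_network(row["subnet"], strict=False)
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{row['hostname']}: {ip} is outside recorded subnet {net}")
        if not row["owner"].strip():
            problems.append(f"{row['hostname']}: no responsible party recorded")
    return problems


def identify(by_ip: Dict[str, dict], ip: str) -> str:
    """Answer the on-call question 'whose box is this?' for one address."""
    row = by_ip.get(ip)
    if row is None:
        return f"{ip}: NOT IN INVENTORY, treat as an unknown device"
    return f"{ip}: {row['hostname']} ({row['role']}), owner {row['owner']}"


def unknown_sources(by_ip: Dict[str, dict], log_lines: List[str]) -> List[str]:
    """Resolve the src= field of each key=value log line and return the
    addresses with no inventory entry (the ones to investigate first)."""
    unknown: List[str] = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        src = fields.get("src")
        if src and src not in by_ip and src not in unknown:
            unknown.append(src)
    return unknown


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for problem in inventory_problems(inv):
        print("inventory:", problem)
    for src in unknown_sources(inv, SAMPLE_LOG):
        print(identify(inv, src))
```

Running the checks on every change to the list (not only when an incident is already under way) is what keeps the reference authoritative; an address that fails `identify` during an investigation is a gap in the list as much as a suspicious host.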
6. Patching
Every server deployed needs to be fully patched as soon as the operating system is installed, and added to your patch management application immediately.
7. Antivirus
All servers need to run antivirus software and report to the central management console. Scan exceptions need to be documented in the server list so that if an outbreak is suspected, those directories can be manually checked.
8. Host Intrusion Prevention / Firewall
If you use host intrusion prevention, you need to ensure that it is configured according to your standards, and reports up to the management console. Software firewalls need to be configured to permit the required traffic for your network, including remote access, logging and monitoring, and other services.
9. Remote Access
Pick one remote access solution, and stick with it. I recommend the built-in terminal services for Windows clients, and SSH for everything else, but you may prefer to remote your Windows boxes with PCAnywhere, RAdmin, or any one of the other remote access applications for management. Whichever one you choose, choose one and make it the standard.
10. UPS and Power Saving
Make sure all servers are connected to a UPS, and if you don’t use a generator, that they have the agent needed to gracefully shut down before the batteries are depleted. While you don’t want servers to hibernate, consider spinning down disks during periods of low activity (like after hours) to save electricity.
11. Domain Joined
Unless there’s a really good reason not to, such as application issues or because it’s in the DMZ, all Windows servers should be domain joined, and all non-Windows servers should use LDAP to authenticate users against Active Directory. You get centralized management and a single user account store for all your users.
12. Administrator Account Renamed and password set
Rename the local administrator account, and make sure you set (and document) a strong password. It’s not a foolproof approach, but nothing in security is. We’re layering things here.
13. Local Group Membership set and permissions assigned
Make any appropriate assignments using domain groups when possible, and set permissions using domain groups too. Only resort to local groups when there is no other choice and avoid local accounts.
14. Correct OU with appropriate policies
Different servers have different requirements, and Active Directory Group Policies are just the thing to administer those settings. Create as many OUs as you need to accommodate the different servers, and set as much as possible using a GPO instead of the local security policy.
15. Conform reporting to management consoles
No matter what you use to administer and monitor your servers, make sure they all report in (or can be polled by those consoles) before putting a server into production. Never let this be one of the things you forget to get back to.
16. Disable unnecessary services
If a server doesn’t need to run a particular service, disable it. You’ll save memory and CPU, and every service you don’t run is one less thing to patch, monitor, and expose to the network.
17. SNMP configured
If you are going to use SNMP, make sure you configure your community strings, and restrict management access to your known
18. Agents installed
Backup agents, logging agents, management agents; whatever software you use to manage your network, make sure all appropriate agents are installed before the server is considered complete.
19. Backups
If it’s worth building, it’s worth backing up; no production data should ever get onto a server until it is being backed up.
20. Restore Test
And no backup should be trusted until you confirm it can be restored.
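What "confirm it can be restored" means in practice, as an added example (this is not code from the article and does not describe any particular backup product): take a SHA-256 manifest of the data at backup time, restore the archive into a scratch directory, and compare file by file. The sample files, paths and archive format are constructed; the point is that a restore is only trusted when every file comes back with the same content, no file is missing, and nothing extra appears.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive the source tree and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return sha256_manifest(source)


def verify_restore(archive: Path, expected: Dict[str, str]) -> Dict[str, str]:
    """Restore into a throwaway directory and diff against the backup-time
    manifest. Returns {relative_path: reason}; empty means the restore is good."""
    mismatches: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses members that would escape the target dir.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the filter argument (pre 3.12 releases)
                tar.extractall(scratch)
        restored = sha256_manifest(Path(scratch))
        for rel, digest in expected.items():
            if rel not in restored:
                mismatches[rel] = "missing after restore"
            elif restored[rel] != digest:
                mismatches[rel] = "content differs after restore"
        for rel in restored:
            if rel not in expected:
                mismatches[rel] = "unexpected file in restore"
    return mismatches


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build a constructed data set, back it up, verify the restore, then show
    that a manifest which no longer matches the archive is detected."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "config").mkdir(parents=True)
        (data / "config" / "app.ini").write_text("[db]\nhost=db-prod-01\n")
        (data / "records.csv").write_text("id,value\n1,alpha\n2,beta\n")
        archive = Path(work) / "data.tar.gz"
        manifest = make_backup(data, archive)
        clean = verify_restore(archive, manifest)
        # Simulate data that changed (or an archive that did not) after backup.
        stale = dict(manifest, **{"records.csv": "0" * 64})
        return clean, verify_restore(archive, stale)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean or "OK")
    print("stale manifest:", tampered)
```

Keep the manifest with the backup metadata and run the restore test on a schedule, not just once at deployment; a backup job that keeps succeeding while the restore test starts failing is exactly the situation item 20 is meant to catch.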
21. Vulnerability Scan
If you really think the server is ready to go, and everything else on the list has been checked off, there’s one more thing to do: scan it. Run a full vulnerability scan against each server before it goes into production to make sure nothing has been missed, and then ensure it is added to your regularly scheduled scans.
22. Signed into Production
Someone other than the person who built the server should spot check it to be sure it’s good to go, before it’s signed into production. By “signing” it, that user is saying they confirmed the server meets your company’s security requirements and is ready for whatever the world can throw at it. That person is also the second pair of eyes, so you are much less likely to find that something got missed.
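The sign-off rule is easy to encode so it cannot be skipped. As an added example (not from the article), the record below tracks the checklist items for one server and refuses production sign-off while any item is unchecked, while there is no reviewer, or while the reviewer is the same person who built the server. The item keys and names are constructed abbreviations of the items above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed keys for the checklist items above, in the article's order.
REQUIRED_ITEMS = [
    "server_list", "responsible_party", "naming", "network_config", "static_ip",
    "patched", "antivirus", "host_firewall", "remote_access", "ups",
    "domain_joined", "admin_renamed", "group_membership", "ou_policies",
    "reporting", "services_disabled", "snmp", "agents", "backup",
    "restore_tested", "vuln_scan",
]


@dataclass
class DeploymentRecord:
    hostname: str
    builder: str
    checks: Dict[str, bool] = field(default_factory=dict)
    reviewer: str = ""


def blocking_issues(rec: DeploymentRecord) -> List[str]:
    """Everything that still prevents this server from being signed into production."""
    issues = [f"unchecked: {item}" for item in REQUIRED_ITEMS if not rec.checks.get(item)]
    if not rec.reviewer:
        issues.append("no reviewer sign-off")
    elif rec.reviewer == rec.builder:
        # Separation of duties: the second pair of eyes must belong to someone else.
        issues.append("reviewer must be someone other than the builder")
    return issues


def sign_into_production(rec: DeploymentRecord, reviewer: str) -> List[str]:
    """Record the reviewer and return the remaining blockers (empty = signed off)."""
    rec.reviewer = reviewer
    return blocking_issues(rec)


def example_record() -> DeploymentRecord:
    """A constructed record with every item ticked except the restore test."""
    checks = {item: True for item in REQUIRED_ITEMS}
    checks["restore_tested"] = False
    return DeploymentRecord(hostname="app-prod-01", builder="alice", checks=checks)


if __name__ == "__main__":
    rec = example_record()
    print(sign_into_production(rec, "alice"))   # builder reviewing own work, plus restore test
    rec.checks["restore_tested"] = True
    print(sign_into_production(rec, "bob"))     # [] means signed off
```

Tying the record to a ticket or change request gives you the audit trail as well: who built it, who signed it, and which item was the last to be closed.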
These server deployment tips will go a long way in helping you secure your servers against all threats. Good luck in your continued fight to protect your company’s network from attack!