100+ Server Security & Best Practices Tips on Securing a Server


What is server security? 

Servers are the backbone of an organisation’s IT infrastructure as they provide both information and computational services to its users. And because of their critical role, servers are always a prime target for hackers looking to exploit any vulnerability they can find, leading to data breaches and financial and reputational damage.

Securing the server is a vital part of maintaining the organisation’s overall security posture. Server security consists of the configurations, tools and processes that must be implemented to protect a server from internal and external threats.


Common server security issues 

Something as simple as weak/default passwords, lack of antivirus solutions or unintentional user errors could put the organisation at risk. Below is a list of common server security issues that are usually exploited to compromise systems.

This article is about server security tips, so we will only briefly cover the security issues encountered during penetration testing assessments. If you wish to read about security issues in more depth, there are several articles on our blog, including the OWASP Top 10 application risks, API Top 10, OWASP Mobile Top 10 and more.

Usage of weak or default passwords

Many organisations fail to change the default manufacturer password of applications they use, such as logins for switches, routers, administrative consoles, backup software etc. A hacker can easily find these passwords just by a simple internet search and log into the application using admin credentials.

Using outdated components

When targeting a server, the first step for an attacker is to fingerprint the software/hardware components versions used. If any of these components are outdated, i.e., have some underlying vulnerability publicly disclosed, then a hacker can exploit the flaws and compromise the system.

It is essential for every organisation to maintain a secure patch management process.

Open network ports

Every open port is tied to a service provided by the server. If a hacker can readily enumerate open ports, each exposed service enlarges the attack surface and gives the hacker more to target.

Information leakage

Due to human error or server misconfigurations, systems can leak sensitive data; this can be information related to the server itself, such as version disclosures, passwords, API keys etc., or it can be data related to the organisation itself. By combining and chaining these with other attack vectors, a hacker can cause serious damage.


Improper authorisation or access control

Improper authorisation or insecure access control can exist at the application or operating system (OS) level. It generally means that users are granted more privileges than they should be given. For example, a customer support employee can perform system administration tasks.

Server misconfigurations

Server misconfigurations are typically user errors, i.e., servers are not configured properly, leading to security risks. Typical server misconfigurations include: 

  • Disclosing debugging information
  • Using hardcoded passwords
  • Insecure file permissions
  • Misconfigured SSL certificates
  • Inadequate permissions granted
  • Directory listings available
  • Insecure error handling

Insufficient endpoint protection

Using effective endpoint solutions, i.e., antivirus software or intrusion detection systems (IDS), is essential to detect and prevent malicious activity on a system. Without adequate endpoint protection, servers are not protected from malware.

Use of insecure communication protocols

System administrators often use insecure protocols such as Telnet or HTTP for communication instead of their secure equivalents such as HTTPS. These are cleartext protocols that do not encrypt data in motion. An attacker can use multiple sniffing techniques to intercept all the communication to and from the systems.

Insufficient logging and monitoring

When discussing cyber-attacks, it is vital to mention logging and monitoring. It is the responsibility of the network or system administrator to enable all important logs on servers and to monitor those logs periodically. This ensures that a cyber incident or attack does not go unnoticed.

Cross-site scripting (XSS)

Cross-site scripting (XSS) is a vulnerability that targets the user’s browser rather than the server directly. It uses browser-executable code (e.g., JavaScript or HTML) to steal sensitive information such as session cookies.

Injection attacks

Injection flaws occur when user-supplied input is sent directly to the server for processing without filtering or checking the input for malicious payloads. Injection attacks include OS command injection, SQL injection, CSV injection, LDAP injection etc. SQL server security can help prevent SQL injection attacks.

How does server security work?

A hundred per cent security can never be achieved; there will always be some exploit or malware out there that can affect your organisation. But a company’s IT department needs to do everything possible to protect its assets from all internal and external threats. This is where server security or server hardening comes into play.

It is the responsibility of the relevant team/personnel to ensure maximum protection of their servers. This can be achieved by maintaining a baseline configuration guide that they follow when setting up any server machine. 

The configurations should include a combination of security measures (just like a layered approach) and settings to reduce vulnerabilities and improve the organisation’s overall security.

How do you secure a server?

Below are some server security tips to help relevant teams identify and configure their servers to guarantee maximum security.  

Password security

    1. Enforce password complexity

      Password complexity, such as using all symbols, numbers, uppercase and lowercase letters in a password, makes it strong and prevents password guessing or brute force attacks.

    2. Set password age/expiry

      Password expiry age should be set (60-90 days). This will reduce the likelihood of an attacker using leaked credentials. As per the latest NCSC guidance, this may not be needed in certain scenarios; however, you might have to show this in your plans for the sake of certain benchmarks. 

    3. Set minimum password length

      Minimum password length (12 characters or more) will ensure that the credentials are protected against brute force attacks.

    4. Do not use dictionary words.

      Dictionary words are easily guessable and do not make for good passwords.

    5. Do not use repeated characters.

      Using repeated sequences of characters makes it easier for an attacker to perform password guessing attacks like brute-forcing.

    6. Do not use personal details.

      Personal details such as birthdates, phone numbers etc., should not be used as passwords as they are easily guessable.

    7. Do not store passwords on notes, text files or paper

      If passwords are written down on any soft or hard copy, then the chances of credential leakage increase. Use a password manager.

    8. Set multi-factor authentication where applicable

      Wherever possible, MFA should be considered to create multiple levels of security.
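The password rules in items 1 to 6 above can be enforced in code at the point where a password is set. The following checker is an added example written for this article, not a tool from the original page; the word list and personal details it uses are small constructed samples (a real deployment would load a large dictionary and the user's own profile data), and the 12-character minimum follows item 3.

```python
import re
import string

# Constructed sample word list and personal details; a real deployment would load a
# large dictionary/breached-password list and the user's own profile data.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}
PERSONAL_DETAILS = {"smith", "1985", "07700900123"}


def check_password(password, min_length=12, dictionary=DICTIONARY_WORDS,
                   personal=PERSONAL_DETAILS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    # Minimum length (12 characters or more)
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Complexity: every character class must be present
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("must contain lowercase, uppercase, digits and symbols")

    lowered = password.lower()

    # Dictionary words (case-insensitive substring match)
    if any(word in lowered for word in dictionary):
        problems.append("contains a dictionary word")

    # Repeated characters ("aaa") or repeated sequences ("abcabc")
    if re.search(r"(.)\1\1", password) or re.search(r"(.{2,})\1", password):
        problems.append("contains repeated characters or sequences")

    # Personal details such as surname, birth year or phone number
    if any(detail in lowered for detail in personal):
        problems.append("contains personal details")

    return problems


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3-Xy!z", "Smith1985!!!abc"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Returning every violation at once, rather than stopping at the first, lets the user fix all problems in one go; the checks are deliberately allow-list style (what must be present) rather than a list of forbidden characters.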


Account lockouts

  1. Set account lockout duration

    Configure a fixed duration (3-15 minutes) which locks a user account from any further login request. This protects against Denial of Service (DoS) and brute force attacks.

  2. Set account lockout threshold

    Configure a fixed number of login attempts before the account is locked.
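The two lockout settings above (a failure threshold and a lockout duration) combine into a small piece of state per account. The class below is an added example for this article, not code from the original page; it keeps the state in memory, which is an assumption for illustration (a real login service would persist it so the counter survives restarts), and the `ManualClock` exists only so the lockout window can be advanced without sleeping.

```python
import time
from collections import defaultdict


class ManualClock:
    """Test clock so the lockout window can be advanced without sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class LockoutPolicy:
    """In-memory lockout state (an assumption for the example; a real service
    would persist this so the counter survives restarts and load balancing)."""

    def __init__(self, threshold=5, lockout_seconds=900, window_seconds=900,
                 clock=time.time):
        self.threshold = threshold              # failed attempts before lockout
        self.lockout_seconds = lockout_seconds  # lockout duration
        self.window_seconds = window_seconds    # window in which failures are counted
        self.clock = clock
        self.failures = defaultdict(list)       # account -> failure timestamps
        self.locked_until = {}                  # account -> unlock time

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout duration has elapsed: unlock and reset the counter
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self.failures[account]
                  if now - t <= self.window_seconds]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lockout_seconds

    def attempt(self, account, credentials_valid):
        """Process one login attempt and return 'locked', 'ok' or 'fail'.
        A correct password is still rejected while the account is locked."""
        if self.is_locked(account):
            return "locked"
        if credentials_valid:
            self.failures[account].clear()
            return "ok"
        self.record_failure(account)
        return "locked" if self.is_locked(account) else "fail"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, lockout_seconds=600)
    for ok in (False, False, False, True):
        print("alice:", policy.attempt("alice", ok))
```

Note that the lockout check runs before the credential check, so a correct password submitted during the lockout period is still refused; the lockout event itself should be written to the security log, as the auditing section later in this article recommends.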

User rights assignment 

  1. Do not allow users to change system time/time zone

    Users should not be allowed to change the system time, as this can result in incorrect timestamps in logs, making it difficult to track a security incident.

  2. Do not allow users to force shutdown/restart systems

    Shutting down or restarting a server can result in denial of service and unavailability of resources, so normal users should not be allowed this option.

  3. Do not allow users to generate security audits.

    Normal users should not be allowed to generate audit records in the security logs. This will create a large number of audited events and make it difficult to locate legitimate cyber incidents.

  4. Do not allow users to manage auditing and security logs

    Normal users should not be given the right to manage security logs because anyone with these rights can erase important cyber incidents.

  5. Linux systems /boot should have Read-only permissions

    Ensure /boot directory is set to read-only to protect from unauthorised modifications.

  6. Disable boot from removable media

    The server should not be allowed to be booted from any removable media such as USBs.

    The BIOS should be configured to disallow it.

  7. Do not allow modification of firmware environment variables

    Any user with these rights can configure the settings of hardware components and cause a denial of service and loss of availability of the components.


Interactive logon


  1. Do not display the previous username.

    Displaying information about users will help the attacker in enumerating valid usernames and facilitate password guessing attacks.

  2. Set machine inactivity limit

    Always set an inactivity or session timeout limit (900 seconds or less) to lock the system.

  3. Configure message for users attempting login

    Displaying a warning message before logon notifies users of the consequences of attempting any malicious activity.

  4. Prompt users to change passwords before expiration

    Users should be prompted and reminded that their password is going to expire soon.

  5. Do not display network selection UI

    Network selection should not be displayed on the logon screen, so that unauthorised users cannot disconnect the system from the network.

  6. Turn off app and toast notifications on the lock screen

    App and toast notifications should be turned off so that they do not display sensitive information.

  7. Turn off picture password sign-in

    Picture passwords increase the likelihood of an attacker logging in to the system, as they are easier to guess or observe than a complex password.

  8. Turn off convenience PIN sign-in

    PIN sign-in should be disabled because a short PIN is more easily guessed than a complex password.

  9. Do not display the password reveal button.

    This reduces the risk of someone shoulder surfing and seeing the user’s password.

  10. Do not display administrative accounts on elevation

    Users should not see a list of valid administrative accounts, as it will make it easier for a malicious user to perform password guessing attacks with valid usernames.

Use of secure communication protocols

  1. Use SFTP instead of FTP.

    Secure File Transfer Protocol (SFTP) should be used for all file transfers so that data is not sent in cleartext.

  2. Use SSH instead of the telnet protocol.

    When connecting to any system to get a command-line interface, Secure Shell (SSH) should be used. SSH encrypts all commands and data sent rather than sending them in cleartext.

  3. Use secure email protocols such as POP3S, IMAPS, SMTPS

    Using POP3S, IMAPS or SMTPS secures the email protocols with Transport Layer Security (TLS, often still referred to as SSL) and protects against malicious interception or modification.

  4. Use HTTPS instead of HTTP for all web applications that deal with user input

    Using HTTPS secures the data transmitted by the web application by encrypting it using SSL. This ensures that no sensitive data such as passwords or financial information is leaked or manipulated.


Patch management 

  1. Configure automatic updates

    If the operating system allows, automatic updates should be configured to install the latest patches to protect the system from any known vulnerabilities.

  2. Regularly check for Operating System (OS) updates

    The server should be regularly checked for any available updates, and critical patches should be implemented immediately.


Network access for Windows servers

  1. Disallow anonymous SID/Name translation

    If this is enabled, a user can enumerate administrator accounts and use them in a password guessing attack.

  2. Do not allow anonymous enumeration of SAM accounts and shares

    If this is enabled, an unauthorised user can list account names and shared resources and use this information in password guessing attacks.

  3. Do not allow storage of passwords and credentials for network authentication.

    If this is allowed, passwords will be stored in the cache and can be used by malicious code for unauthorised access.

  4. Do not let Everyone permissions apply to anonymous users

    If this is enabled, anonymous users receive the permissions granted to the Everyone group, so an unauthorised user can list account names and shared resources and use this information in password guessing attacks.

  5. Do not assign any value to Shares that can be accessed anonymously

    If any value is assigned, those shares can be accessed by any network user, resulting in information leakage.

User account controls

All operating systems

  1. Ensure proper access privileges are granted

    Access should be granted on the principle of least privilege. User access to directories, networks, files, and other resources should be granted as per their requirements and monitored.

  2. Ensure proper access to the file system is granted

    Users should be granted read, write and execution rights on the relevant file systems as per their user role.


Windows server


  1. Display prompt for the elevation for administrators

    This setting ensures that a prompt is displayed whenever a privileged operation is performed by an administrative user.

  2. Deny elevation for standard users

    For all standard / normal users, applications should not run with elevated or admin privileges.

  3. Detect application installations and prompt for elevation

    This setting will ensure that no programs are installed automatically without displaying a prompt and notifying the user about the installation.

Linux server security

  1. Use the root account only when required.

    The root user account should not be used for daily activities but should only be used if it is the last option.

  2. Use SUDO to grant users root-level privileges.

    Normal users should not be granted root privileges. Instead, they should use the sudo utility to perform privileged actions.


Controls for endpoint solutions (Anti-virus / IDS / IPS)

Real-time monitoring

  1. Turn on real-time behavioural monitoring

    For any host-based security solutions such as antivirus software, intrusion prevention system or intrusion detection systems, enable real-time monitoring so threats can be detected and treated in real-time, and the risk of infections is decreased.

  2. Prevent users from accessing known malicious websites

    This will help stop users from visiting dangerous websites that may host phishing scams or exploits, malware etc.

Scanning


  1. Conduct regular scanning

    Ensure complete scanning of the server regularly to ensure no malware is installed.

  2. Scan all removable drives

    All removable media should be scanned immediately to reduce the introduction of malware into the network.

  3. Turn on email scanning.

    Attachments of incoming emails should be scanned to make sure there are no malicious attachments.

  4. Prevent users from modifying settings

    Users should not be allowed to change the settings of any security solution.

  5. Turn on protection from Potentially Unwanted Applications (PUA)

    Enable this setting to prevent users from installing malicious applications.

Controls for Windows server firewall

  1. Turn on the Firewall state

    Always turn on the built-in Windows firewall and create the relevant rules.

  2. Block all inbound connections that do not match firewall rules

    All incoming connections other than the allowed ones should be blocked to reduce remote attacks from a hacker.

  3. Allow outbound connections that do not match firewall rules

    Outgoing connections other than the defined ones should be allowed as blocking all connections will result in many prompts and disturb the user.

  4. Configure firewall Logging Size limit (KB)

    The firewall should record all events and have a sufficient log size limit (16348 KB or more).


Auditing configurations

Logon / Logoff

  1. Success and failure of account lockout events

    All events that report a user’s account is locked out should be logged and monitored.

  2. Successful account logoff events

    All successful attempts of a user logging off should be logged and monitored.

  3. Success and failure of account login events

    All successful and unsuccessful attempts of a user logging in should be logged and monitored. This can be useful when trying to find brute force and other password guessing attacks.
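Item 3 is only useful if someone (or something) actually reads the logon records. The script below is an added example for this article, not a tool from the original page: it parses a handful of constructed sshd-style log lines (the hosts, IP addresses and usernames are made up for the example) and flags any source address that produced a burst of failures, noting whether a successful logon from that same address followed the burst, which is the case that most needs investigating.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd format (not from a real system).
SAMPLE_LOG = """\
Mar 10 10:00:01 srv01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 10:00:03 srv01 sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 10:00:05 srv01 sshd[2103]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 10:00:07 srv01 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2
Mar 10 10:00:09 srv01 sshd[2105]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 10 10:00:12 srv01 sshd[2106]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
Mar 10 10:05:00 srv01 sshd[2110]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 10:05:20 srv01 sshd[2111]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn matching log lines into events; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failures inside `window`.

    For each flagged IP the result records the failure count, the usernames tried and
    whether an accepted logon from the same IP followed the burst."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, ip_events in by_ip.items():
        fails = sorted(e["ts"] for e in ip_events if e["result"] == "Failed")
        start = 0
        for end in range(len(fails)):          # sliding window over failure times
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]
                findings[ip] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in ip_events if e["result"] == "Failed"}),
                    "success_after": any(e["result"] == "Accepted" and e["ts"] >= last_fail
                                         for e in ip_events),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_brute_force(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The threshold and window are the knobs to tune: they should be at least as strict as the account lockout settings, so that a burst that lockout would have stopped is also visible to whoever reviews the logs. A `success_after` of `True` is the finding to escalate first.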


Removable storage

  1. Success and failure of accessing removable storage

    All attempts to access files on a removable storage device should be logged to ensure no sensitive data is leaked via USBs.

Privilege use

  1. Success and failure of using elevated privileges

    All attempts of using elevated privileges on a system should be logged.

System events 

  1. Success and failure of all other system events

    System events such as logs from the firewall should be captured to ensure it is working as expected.

File monitoring

  1. Track changes made to files

    Record changes made to sensitive files by comparing two versions of the same file side by side. This will ensure that no unauthorised changes are made.
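Comparing two versions of a file side by side does not scale to a whole server, so file integrity monitoring tools instead store a baseline of cryptographic hashes and permission bits and report every difference. The snapshot-and-compare routine below is an added example for this article, not a tool from the original page; `run_demo()` builds a small constructed directory tree in a temporary folder, tampers with it, and reports the changes, so the whole thing runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root: relative path -> digest and permission bits."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            snapshot[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": oct(path.stat().st_mode & 0o777),
            }
    return snapshot


def compare_snapshots(baseline, current):
    """Classify the differences between a stored baseline and a fresh snapshot."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in both if baseline[k]["sha256"] != current[k]["sha256"]),
        "permissions_changed": sorted(k for k in both if baseline[k]["mode"] != current[k]["mode"]),
    }


def save_baseline(snapshot, path):
    # Keep the baseline off the monitored host (or at least read-only) so an intruder
    # who modifies a file cannot also rewrite the record of what it should look like.
    Path(path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def run_demo():
    """Constructed scenario: snapshot a temporary config tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        save_baseline(build_baseline(root), Path(store) / "baseline.json")

        # Simulated unauthorised changes: a hardened setting reverted, a new file dropped
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "new_job").write_text("# constructed, unexpected file\n")

        return compare_snapshots(load_baseline(Path(store) / "baseline.json"),
                                 build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the baseline is taken immediately after the server is built from the hardening guide, and the comparison is scheduled; any entry under `modified` or `added` in a configuration directory that does not line up with an approved change ticket is an incident to investigate.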

Service monitoring

  1. Monitoring and auditing all services running on the server

    Periodic auditing of running services will ensure that no unused service remains active on the system. This reduces the attack surface for a hacker.

Internet communication management

  1. Turn off downloading of drivers over HTTP

    Do not allow users to download drivers over HTTP, as they may download compromised files containing malware.

  2. Turn off printing over HTTP

    Since HTTP is a cleartext protocol, all information transferred can be intercepted and leaked to an attacker.

  3. Turn off “Publish to Web” for files and folders.

    Users may unintentionally or intentionally publish sensitive content to the public network, leading to sensitive information disclosure to unauthorised users.

Power management

  1. Do not allow network connectivity during sleep mode

    Disabling this setting will ensure that the system is not accessible to any attacker when it is left unattended.

  2. Require a password when a system wakes from sleep mode

    This setting will ensure that unattended servers are protected from unauthorised use because the server would not be accessible without login credentials.


NTP server configuration

  1. Enable NTP Client

    A reliable and accurate NTP server should be configured on all servers that serve as a synchronised clock for all systems.


Camera settings

  1. Do not allow the use of the camera on the device

    Cameras can introduce security risks in sensitive environments and, therefore, should be disabled.

Location settings 

  1. Turn off location

    It is not wise to share the server’s physical location via GPS or any other location tracking from a security perspective, so this setting should be disabled.

Network sharing

  1. Do not allow users to share files within the network

    Users could accidentally share sensitive data with unauthorised users on the network. This setting should be disabled so that unintentional data leakage can be reduced.

Managing unattended systems

  1. Enable screen savers

    If a user forgets to lock their system when they leave, a screen saver should be enabled to protect against unauthorised access.

  2. Set screen saver timeout

    Screen saver timeout should be configured (300 seconds or more).

  3. Password protect the screen savers.

    A timed password-protected screen saver should be implemented to protect unattended systems from hijacking.


Installer configuration

  1. Restrict users from installing software

    Only authorised software should be used, and standard users should not perform installations.

  2. Disable always install with privileges

    On Windows servers, disable the Windows Installer option to always install with elevated privileges, so that malicious users cannot exploit it to install malicious software or perform unauthorised activities.

Remote desktop configurations for Windows server

Resource redirection

  1. Do not allow drive redirection

    Drive redirection allows the remote desktop session to access drives on the local machine, so malicious software on a compromised system would have direct access to the local computer’s data.

  2. Do not allow Plug and Play device redirection.

    Plug and Play devices like flash drives should be disallowed to reduce chances of data exfiltration.


Security

  1. Always prompt users for password upon connection

    Users should always be asked for login credentials, even for stored sessions, to minimise access by unauthorised users.

Session timeout limits

  1. Set time limit for active but idle Remote Desktop Services sessions

    Configure the time limit for 15 minutes or less to prevent RDP from tying up resources for long periods of time.

  2. Set a time limit for disconnected sessions

    This setting is important to ensure all inactive and disconnected sessions are terminated properly. Configure the time limit to 15 minutes or less.

SMB configuration

  1. Disable SMBv1 server and clients

    Do not use SMB version 1 server and clients as these have been deprecated and contain many known vulnerabilities.

  2. Disable the use of unencrypted passwords when connecting to third-party SMB servers

    If this setting is not disabled, then passwords are transmitted in clear text across the network to the SMB server, leading to credential leakage.

SSH configuration

  1. Disable direct root login in SSH

    As the root is a default username in Linux distributions, it is easy for attackers to assume that the root user will exist for SSH connections. This gives an attacker a valid username so that they can perform password guessing attacks. Hence the root user should be disabled.

  2. Replace password authentication with SSH keys.

    Password-based SSH authentication should be disabled in favour of SSH key-based authentication.

  3. Use a port other than the default port.

    Using custom ports other than the default port 22 for SSH may add obfuscation.
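The three SSH settings above can be verified against `sshd_config` rather than trusted from memory. The auditor below is an added example for this article, not a tool from the original page; the configuration text it parses is a constructed sample, and it follows two real sshd parsing rules that trip up hand-written checks: the first occurrence of a keyword wins, and directives after a `Match` block apply only conditionally (so they are not audited here). It also checks that `PubkeyAuthentication` stays enabled, since turning off passwords without working key logins would lock administrators out.

```python
import re

# Constructed sample sshd_config (not from a real server).
SAMPLE_SSHD_CONFIG = """\
# Constructed example configuration
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes

Match User backup
    PasswordAuthentication no
"""

# keyword -> (required value, OpenSSH default used when the keyword is absent)
CHECKS = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
}
DEFAULT_PORT = "22"


def parse_sshd_config(text):
    """Return the global directives as {keyword_lower: value}.

    sshd applies the first occurrence of a keyword, so later duplicates are ignored,
    and everything after the first Match block is conditional and skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        directives.setdefault(keyword, value)
    return directives


def audit_sshd(directives):
    """Return (keyword, effective_value, required_value) for every failing check."""
    findings = []
    for keyword, (required, default) in CHECKS.items():
        effective = directives.get(keyword, default).lower()
        if effective != required:
            findings.append((keyword, effective, required))
    port = directives.get("port", DEFAULT_PORT)
    if port == DEFAULT_PORT:
        findings.append(("port", port, "a non-default port"))
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("FAIL: %s is %r, expected %r" % finding)
```

Run against the sample, the auditor reports root login, password authentication and the default port; run against a hardened file it returns an empty list, which makes it easy to drop into a build-verification script that fails the build on any finding.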

Network services

  1. Disable all unused open ports

    All unused open ports should be closed to reduce the attack surface for an attacker.

  2. Disable all unused services

    All unused services should be stopped on the server so that an attacker cannot leverage and exploit them.

  3. Hide open ports from external entities

    If an attacker scans the server’s IP address, he should not be able to enumerate the services running on the server based on open ports. The status of the ports should return as filtered or closed rather than open.


Creating backups

  1. Maintain regular backups.

    Regularly take backups of the server to ensure that no data is lost.

  2. Store backup files securely.

    Backup files should be stored in a secure location and not on production servers. If any backup file is leaked, the hacker will gain access to all the data stored on the server.

  3. Periodically restore and test backups.

    Test the backup files by restoring them periodically to check if the backup files maintained are working correctly.


Use of Virtual Private Network (VPN)

  1. Do not expose servers to the internet

    Servers should not be exposed on the public internet because it increases the security risk as more attackers can target the server. Instead, a VPN should be used to access the servers.

Web server security

  1. Sanitise and filter user supplied input.

    User input should not be trusted as it may contain malicious payloads. Input should be sanitised to remove all unwanted characters.

  2. Ensure file upload functionality only allows legitimate files

    Using insecure file uploads, an attacker can upload malicious code to the server, resulting in uploading remote shells and compromising the entire server.

  3. Secure administration panels with IP address safelisting

    IP safe listing should be used to ensure that only legitimate known users are accessing the admin panels.

  4. Use a web application firewall (WAF) where necessary

    A WAF should be used for public-facing applications to protect the web application and web server from incoming attacks.

  5. Do not store sensitive files in the document root

    Sensitive files should not be stored in the document root folder because an attacker might access them, leading to information leakage.

  6. Do not trust HTTP headers.

    HTTP headers such as the Host and Referer headers can be forged and should therefore not be trusted when making logic decisions.

  7. Use POST requests for data submission.

    Because URLs get logged in various places, including third-party websites, all sensitive data submitted should be through POST requests to avoid information leakage.


  8. Validate all user input supplied on the server-side

    An attacker can circumvent client-side validation, so all user input should be validated and checked on the server-side.

  9. Specify file permissions when creating files

    If the web application handles file creation, then permissions should be set properly based on the principle of least privilege.

  10. Implement proper error handling

    Proper error handling should be configured on the server, so that information such as stack traces, database queries or other sensitive information is not displayed.

  11. Do not trust cookie values for session management

    Since a user can manipulate cookie values, cookies should not be used as the only mechanism for session management because they can be changed.

  12. Disable dangerous PHP functions

    Dangerous PHP functions such as eval() and include() should not be used, as they can allow attackers to carry out malicious activities.

  13. Log and monitor web traffic and requests for unusual activity

    All activities performed on the web application should be logged and reviewed periodically to ensure that no malicious incidents occur.
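Items 1, 2, 6, 8 and 9 above are all decisions the server makes about untrusted input, and they are easier to get right as small, testable functions than as checks scattered through request handlers. The following helpers are an added example for this article, not code from the original page or from any particular framework; the host allow-list, the accepted file types and the size limit are constructed values.

```python
import os
import re
import secrets

# Constructed allow-lists for the example.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
ALLOWED_TYPES = {            # extension -> file signature the content must start with
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
USERNAME_RE = re.compile(r"[a-z0-9_.-]{3,32}")


def host_is_trusted(host_header):
    """Check the Host header against an explicit allow-list instead of trusting it."""
    if not host_header:
        return False
    host = host_header.split(":", 1)[0].strip().lower()   # ignore any port suffix
    return host in ALLOWED_HOSTS


def validate_username(value):
    """Server-side validation with an allow-list pattern; raises ValueError on bad input."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def validate_upload(filename, content):
    """Accept a file only if its extension is allow-listed, its content starts with the
    matching file signature and it is within the size limit.

    Returns a randomised server-side filename so the user-supplied name never reaches disk."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory component
    if "." not in base:
        raise ValueError("missing file extension")
    ext = base.rsplit(".", 1)[1].lower()
    signature = ALLOWED_TYPES.get(ext)
    if signature is None:
        raise ValueError(f"extension .{ext} not allowed")
    if not content.startswith(signature):
        raise ValueError("content does not match the declared file type")
    return f"{secrets.token_hex(16)}.{ext}"


def write_upload(directory, stored_name, content):
    """Create the file with explicit permissions (owner read/write only) and never overwrite."""
    path = os.path.join(directory, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    print(host_is_trusted("app.example.com:443"), host_is_trusted("other.example.net"))
    print(validate_upload("report.pdf", b"%PDF-1.7 constructed body"))
```

Two design points are worth noting: the upload check pairs the extension with the file's own signature bytes, so a mismatched name and content is rejected rather than guessed at, and the stored file gets a random name and explicit mode bits, so neither the original filename nor the process umask decides what ends up in the upload directory.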

Conclusion

As highlighted above, there are many recommendations around how to secure a server. You should implement these security measures during the initial setup of the server and perform continuous or periodic validations, such as a build and configuration review and penetration testing. Additionally, make sure that if there is no automated way for monitoring servers, design scheduled security checks while following our roadmap in this article on protecting assets!

In the modern world, we have to be vigilant about our security. The servers that store and transmit data are a prime target for malicious actors looking to steal sensitive information or cause damage.  
