What is server security?
Servers are the backbone of an organisation’s IT infrastructure, providing both information and computational services to its users. Because of this critical role, servers are a prime target for hackers looking to exploit any vulnerability they can find, leading to data breaches and financial and reputational damage.
Server security is therefore a vital part of the organisation’s overall security posture. Securing a server consists of the configurations, tools and processes that must be implemented to protect it from internal and external threats.
Common server security issues
Something as simple as a weak or default password, a missing antivirus solution or an unintentional user error could put the organisation at risk. Below is a list of common server security issues that are usually exploited to compromise systems.
This article is about server security tips, so we will only briefly describe the security issues encountered during penetration testing assessments. Should you wish to read about security issues in more depth, there are several articles on our blog, mainly on the OWASP Top 10 application risks, the API Top 10, the OWASP Mobile Top 10 and more.
Usage of weak or default passwords
Many organisations fail to change the default manufacturer passwords of the products they use, such as logins for switches, routers, administrative consoles, backup software etc. A hacker can find these passwords with a simple internet search and log in to the application with administrative credentials.
Using outdated components
When targeting a server, an attacker’s first step is to fingerprint the versions of the software and hardware components in use. If any of these components are outdated, i.e., have a publicly disclosed vulnerability, the hacker can exploit the flaw and compromise the system.
It is essential for every organisation to maintain a secure patch management process.
Open network ports
Ports are always tied to a service provided by the server. Every open port a hacker can readily enumerate increases the attack surface and gives the hacker a larger area to attack.
Sensitive data exposure
Due to human error or server misconfiguration, systems can leak sensitive data. This can be information about the server itself, such as version disclosures, passwords or API keys, or data belonging to the organisation. By combining and chaining such leaks with other attack vectors, a hacker can cause serious damage.
Improper authorisation or access control
Improper authorisation or insecure access control can exist at the application or operating system (OS) level. It generally means that users are granted more privileges than they need; for example, a customer support employee being able to perform system administration tasks.
Server misconfigurations
Server misconfigurations are typically user errors, i.e., servers that are not configured properly, leading to security risks. Typical server misconfigurations include:
- Disclosing debugging information
- Using hardcoded passwords
- Insecure file permissions
- Misconfigured SSL certificates
- Inadequate permissions granted
- Directory listings available
- Insecure error handling
Insufficient endpoint protection
Using effective endpoint solutions, i.e., antivirus software or intrusion detection systems (IDS), is essential to detect and prevent malicious activity on a system. Without adequate endpoint protection, servers are not protected from malware.
Use of insecure communication protocols
System administrators often use insecure protocols such as Telnet or HTTP for communication instead of HTTPS and their other secure equivalents. These are cleartext protocols that do not encrypt data in transit, so an attacker can use sniffing techniques to intercept all communication to and from the systems.
Insufficient logging and monitoring
When talking about cyber-attacks, it is vital to mention logging and monitoring. It is the network or system administrator’s responsibility to enable all important logs on servers and to monitor those logs periodically. This ensures that a cyber incident or attack does not go unnoticed.
Injection flaws and cross-site scripting (XSS)
Injection flaws occur when user-supplied input is sent directly to the server for processing without filtering or checking it for malicious payloads. Injection attacks include OS command injection, SQL injection, CSV injection, LDAP injection, cross-site scripting etc. SQL server security can help prevent SQL injection attacks.
How does server security work?
A hundred per cent security can never be achieved; there will always be some exploit or malware out there that can affect your organisation. But a company’s IT department needs to do everything possible to protect its assets from internal and external threats. This is where server security, or server hardening, comes into play.
It is the responsibility of the relevant team or personnel to ensure maximum protection of their servers. This can be achieved by maintaining a baseline configuration guide that they follow when setting up any server machine.
The configurations should include a combination of security measures (a layered approach) and settings to reduce vulnerabilities and improve the organisation’s overall security.
How do you secure a server?
Below are some server security tips to help relevant teams identify and configure their servers to guarantee maximum security.
- Enforce password complexity
Password complexity, i.e., using a mix of symbols, numbers, uppercase and lowercase letters in a password, makes it strong and resists password guessing and brute force attacks.
- Set password age/expiry
A password expiry age (60-90 days) should be set. This reduces the window in which an attacker can use leaked credentials. As per the latest NCSC guidance, this may not be needed in certain scenarios; however, you might have to show it in your plans for the sake of certain benchmarks.
- Set minimum password length
Minimum password length (12 characters or more) will ensure that the credentials are protected against brute force attacks.
- Do not use dictionary words.
Dictionary words are easily guessable and do not make for good passwords.
- Do not use repeated characters.
Using repeated sequences of characters makes it easier for an attacker to perform password guessing attacks like brute-forcing.
- Do not use personal details.
Personal details such as birthdates, phone numbers etc., should not be used as passwords as they are easily guessable.
- Do not store passwords on notes, text files or paper
If passwords are written down on any soft or hard copy, then the chances of credential leakage increase. Use a password manager.
- Set multi-factor authentication where applicable
Wherever possible, MFA should be considered to create multiple levels of security.
- Set account lockout duration
Configure a fixed duration (3-15 minutes) for which a user account is locked against any further login requests. This protects against Denial of Service (DoS) and brute force attacks.
- Set account lockout threshold
Configure a fixed number of login attempts before the account is locked.
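A checker for the password rules listed above (minimum length, character classes, repeated sequences, dictionary words, personal details) together with a lockout counter for the threshold and duration settings. This is an added Python example, not code from the article or from Cyphere; the word list, threshold and timings are constructed placeholders.

```python
import re
from collections import deque

# Policy values taken from the tips above; the dictionary is a constructed
# stand-in for a real word list such as a leaked-password corpus.
MIN_LENGTH = 12
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein"}
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(pw, personal_details=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(c, pw) for c in CHAR_CLASSES):
        problems.append("missing a character class (lower, upper, digit, symbol)")
    if re.search(r"(.)\1\1", pw):          # aaa, 111
        problems.append("contains a run of repeated characters")
    if re.search(r"(..+?)\1", pw):         # abcabc, 1212
        problems.append("contains a repeated sequence")
    lowered = pw.lower()
    problems += [f"contains dictionary word '{w}'" for w in sorted(DICTIONARY) if w in lowered]
    problems += ["contains a personal detail" for d in personal_details if d and d.lower() in lowered]
    return problems


class LockoutPolicy:
    """Lock an account after `threshold` failures within `window` seconds,
    for `duration` seconds (the 3-15 minute range suggested above).
    Timestamps are plain seconds so the class has no clock dependency."""

    def __init__(self, threshold=5, window=900, duration=900):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = {}      # account -> deque of failure timestamps
        self.locked_until = {}  # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, now) > now

    def record_failure(self, account, now):
        """Note a failed login; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        recent = self.failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # forget failures outside the window
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.duration
            recent.clear()
            return True
        return False

    def record_success(self, account, now):
        """A successful login while unlocked resets the failure count."""
        if not self.is_locked(account, now):
            self.failures.pop(account, None)
            return True
        return False
```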
User rights assignment
- Do not allow users to change system time/time zone
Users should not be allowed to change the system time, as this can result in incorrect timestamps in logs and make it difficult to track a security incident.
- Do not allow users to force shutdown/restart systems
Shutting down or restarting a server can result in denial of service and unavailability of resources, so normal users should not be allowed this option.
- Do not allow users to generate security audits.
Normal users should not be allowed to generate audit records in the security logs, as this creates a large number of audited events and makes it difficult to locate legitimate cyber incidents.
- Do not allow users to manage auditing and security logs
Normal users should not be given the right to manage security logs because anyone with these rights can erase important cyber incidents.
- On Linux systems, /boot should have read-only permissions
Ensure the /boot directory is set to read-only to protect it from unauthorised modification.
- Disable boot from removable media
The server should not be allowed to boot from removable media such as USB drives; the BIOS should be configured to disallow it.
- Do not allow modification of firmware environment variables
Any user with these rights can change the settings of hardware components and cause a denial of service or loss of availability of those components.
- Do not display the previous username.
Displaying information about previous users helps an attacker enumerate valid usernames and facilitates password guessing attacks.
- Set machine inactivity limit
Always set an inactivity or session timeout limit (900 seconds or less) to lock the system.
- Configure message for users attempting login
Displaying a warning message before logon notifies users of the consequences of attempting any malicious activity.
- Prompt users to change passwords before expiration
Users should be prompted and reminded that their password is going to expire soon.
- Do not display network selection UI
Network selection should not be displayed on the logon screen, so that unauthorised users cannot disconnect the system from the network.
- Turn off app and toast notifications on the lock screen
App and toast notifications should be turned off so that they do not display sensitive information.
- Turn off picture password sign-in
Picture passwords increase the likelihood of an attacker logging in to the system, as they are easier to guess or observe than a complex password.
- Turn off convenience PIN sign-in
PIN sign-in should be disabled because a short PIN is more easily guessed than a complex password.
- Do not display the password reveal button.
This reduces the risk of someone shoulder surfing and seeing the user’s password.
- Do not display administrative accounts on elevation
Users should not see a list of valid administrative accounts, as it will make it easier for a malicious user to perform password guessing attacks with valid usernames.
Use of secure communication protocols
- Use SFTP instead of FTP.
Secure File Transfer Protocol (SFTP) should be used for all file transfers so that data is not sent in cleartext.
- Use SSH instead of the telnet protocol.
While connecting to any system to get a command-line interface, the Secure Shell protocol (SSH) should be used. SSH encrypts all commands and data sent rather than transmitting them in cleartext.
- Use secure email protocols such as POP3S, IMAPS, SMTPS
Using POP3S, IMAPS or SMTPS wraps the email protocols in Transport Layer Security (TLS, the successor to SSL) and protects against malicious interception or modification.
- Use HTTPS instead of HTTP for all web applications that deal with user input
Using HTTPS secures the data transmitted by the web application by encrypting it with TLS. This ensures that no sensitive data such as passwords or financial information is leaked or manipulated.
- Configure automatic updates
If the operating system allows, automatic updates should be configured to install the latest patches to protect the system from any known vulnerabilities.
- Regularly check for Operating System (OS) updates
The server should be regularly checked for any available updates, and critical patches should be implemented immediately.
Network access for Windows servers
- Disallow anonymous SID/Name translation
If this is enabled, a user can enumerate administrator accounts and use them in a password guessing attack.
- Do not allow anonymous enumeration of SAM accounts and shares
If this is enabled, an unauthorised user can list account names and shared resources and use this information in password guessing attacks.
- Do not allow storage of passwords and credentials for network authentication.
If this is allowed, passwords will be stored in the cache and can be used by malicious code for unauthorised access.
- Do not let Everyone permissions apply to anonymous users
If this is enabled, anonymous users receive the permissions of the Everyone group and can list account names and shared resources for use in password guessing attacks.
- Do not assign any value to Shares that can be accessed anonymously
If any value is assigned, those shares can be accessed by any network user, resulting in information leakage.
User account controls
All operating systems
- Ensure proper access privileges are granted
Access should be granted on the principle of least privilege. User access to directories, networks, files, and other resources should be granted as per their requirements and monitored.
- Ensure proper access to the file system is granted
Users should be granted read, write and execution rights on the relevant file systems as per their user role.
- Display prompt for the elevation for administrators
This setting ensures that a prompt is displayed whenever a privileged operation is performed by an administrative user.
- Deny elevation for standard users
For all standard / normal users, applications should not run with elevated or admin privileges.
- Detect application installations and prompt for elevation
This setting will ensure that no programs are installed automatically without displaying a prompt and notifying the user about the installation.
Linux server security
- Use the root account only when required.
The root user account should not be used for daily activities, only when there is no other option.
- Use SUDO to grant users root-level privileges.
Normal users should not be granted root privileges. Instead, they should use the sudo utility to perform privileged actions.
Cyphere also provides secure configuration reviews for Linux.
Controls for endpoint solutions (Anti-virus / IDS / IPS)
- Turn on real-time behavioural monitoring
For any host-based security solutions such as antivirus software, intrusion prevention system or intrusion detection systems, enable real-time monitoring so threats can be detected and treated in real-time, and the risk of infections is decreased.
- Prevent users from accessing known malicious websites
This will help stop users from visiting dangerous websites that may host phishing scams or exploits, malware etc.
- Conduct regular scanning
Scan the server completely and regularly to ensure no malware is installed.
- Scan all removable drives
All removable media should be scanned immediately to reduce the introduction of malware into the network.
- Turn on email scanning.
Attachments of incoming emails should be scanned to make sure there are no malicious attachments.
- Prevent users from modifying settings
Users should not be allowed to change the settings of any security solution.
- Turn on protection from Potentially Unwanted Applications (PUA)
Enable this setting to prevent users from installing malicious applications.
Controls for Windows server firewall
- Turn on the Firewall state
Always turn on the built-in Windows firewall and create the relevant rules.
- Block all inbound connections that do not match firewall rules
All incoming connections other than the allowed ones should be blocked to reduce remote attacks from a hacker.
- Allow outbound connections that do not match firewall rules
Outgoing connections other than the defined ones should be allowed as blocking all connections will result in many prompts and disturb the user.
- Configure firewall Logging Size limit (KB)
The firewall should record all events and have a sufficient log size (16348 KB or more).
Logon / Logoff
- Success and failure of account lockout events
All events that report a user’s account is locked out should be logged and monitored.
- Successful account logoff events
All successful attempts of a user logging off should be logged and monitored.
- Success and failure of account login events
All successful and unsuccessful attempts of a user logging in should be logged and monitored. This can be useful when trying to find brute force and other password guessing attacks.
- Success and failure of accessing removable storage
All attempts to access files on a removable storage device should be logged to ensure no sensitive data is leaked via USBs.
- Success and failure of using elevated privileges
All attempts of using elevated privileges on a system should be logged.
- Success and failure of all other system events
System events, such as logs from the firewall, should be captured to ensure it is working as expected.
- Track changes made to files
Record changes made to sensitive files by comparing two versions of the same file side by side. This will ensure that no unauthorised changes are made.
- Monitoring and auditing all services running on the server
Periodic auditing of running services ensures that no unused service is left running on the system. This reduces the attack surface for a hacker.
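Detection logic for the brute force case mentioned under login events: an added Python example (not from the article or from Cyphere) that parses constructed OpenSSH auth log lines, flags a source address with repeated failures inside a short window, and notes any successful login that follows the burst. The log lines, threshold and window are constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth log lines (syslog format); not from any real system.
# 198.51.100.7 fails five times in eight seconds, then a key login succeeds;
# 192.0.2.20 is a user mistyping a password once.
SAMPLE_LOG = """\
Mar 10 09:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 09:00:03 srv1 sshd[2102]: Failed password for root from 198.51.100.7 port 51023 ssh2
Mar 10 09:00:04 srv1 sshd[2103]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 09:00:06 srv1 sshd[2104]: Failed password for backup from 198.51.100.7 port 51025 ssh2
Mar 10 09:00:09 srv1 sshd[2105]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar 10 09:00:15 srv1 sshd[2106]: Accepted publickey for backup from 198.51.100.7 port 51027 ssh2
Mar 10 09:05:00 srv1 sshd[2110]: Failed password for alice from 192.0.2.20 port 40001 ssh2
Mar 10 09:05:20 srv1 sshd[2111]: Accepted password for alice from 192.0.2.20 port 40002 ssh2
Mar 10 09:05:31 srv1 sshd[2112]: pam_unix(sshd:session): session opened for user alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text, year=2024):
    """Yield (timestamp, result, user, ip) for every login attempt line.
    Syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # pam/session lines carry no attempt outcome
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window_seconds=300):
    """Return {ip: finding} for every source with at least `threshold`
    failures inside `window_seconds`. A success from the same source after
    the burst is recorded separately: that is the case to escalate first."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        by_ip[ip].append((ts, result, user))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        failures = [(ts, user) for ts, result, user in attempts if result == "Failed"]
        for i in range(len(failures)):
            j = i
            while j < len(failures) and (failures[j][0] - failures[i][0]).total_seconds() <= window_seconds:
                j += 1  # extend the window starting at failure i
            if j - i >= threshold:
                burst_end = failures[j - 1][0]
                findings[ip] = {
                    "failures": j - i,
                    "users": sorted({u for _, u in failures[i:j]}),
                    "success_after": [user for ts, result, user in attempts
                                      if result == "Accepted" and ts >= burst_end],
                }
                break  # one finding per source is enough for triage
    return findings
```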
Internet communication management
- Turn off downloading of drivers over HTTP
Do not allow users to download drivers as they may download compromised files containing malware.
- Turn off printing over HTTP
Since HTTP is a cleartext protocol, all information transferred can be intercepted and leaked to an attacker.
- Turn off “Publish to Web” for files and folders.
Users may unintentionally or intentionally publish sensitive content to the public network, leading to sensitive information disclosure to unauthorised users.
- Do not allow network connectivity during sleep mode
Disabling network connectivity during sleep ensures that the system is not reachable by an attacker while it is left unattended.
- Require a password when a system wakes from sleep mode
This setting ensures that unattended servers are protected from unauthorised use, because the server cannot be accessed without login credentials.
NTP server configuration
- Enable NTP Client
A reliable and accurate NTP server should be configured on all servers that serve as a synchronised clock for all systems.
- Do not allow the use of the camera on the device
Cameras can introduce security risks in sensitive environments and, therefore, should be disabled.
- Turn off location
It is not wise to share the server’s physical location via GPS or any other location tracking from a security perspective, so this setting should be disabled.
- Do not allow users to share files within the network
Users could accidentally share sensitive data with unauthorised users on the network. This setting should be disabled so that unintentional data leakage can be reduced.
Managing unattended systems
- Enable screen savers
If a user forgets to lock their system when they leave, a screen saver should be enabled to protect against unauthorised access.
- Set screen saver timeout
Screen saver timeout should be configured (300 seconds or more).
- Password protect the screen savers.
A timed password-protected screen saver should be implemented to protect unattended systems from hijacking.
- Restrict users from installing software
Only the use of authorised software should be allowed, and standard users should not be able to perform installations.
- Disable always install with privileges
On Windows servers, disable the “Always install with elevated privileges” setting so that malicious users cannot exploit it to install malicious software or perform unauthorised activities.
Remote desktop configurations for Windows server
- Do not allow drive redirection
Drive redirection allows a remote desktop session to access data on the local machine, so malicious software on a compromised system would have direct access to the local computer.
- Do not allow Plug and Play device redirection.
Plug and Play devices like flash drives should be disallowed to reduce chances of data exfiltration.
- Always prompt users for password upon connection
Users should always be asked for login credentials, even for stored sessions, to minimise access by unauthorised users.
Session timeout limits
- Set time limit for active but idle Remote Desktop Services sessions
Configure the time limit for 15 minutes or less to prevent RDP from tying up resources for long periods of time.
- Set a time limit for disconnected sessions
This setting is important to ensure all inactive and disconnected sessions are terminated properly. Configure the time limit to 15 minutes or less.
- Disable SMBv1 server and clients
Do not use SMB version 1 server and clients as these have been deprecated and contain many known vulnerabilities.
- Disable the use of unencrypted passwords when connecting to third-party SMB servers
If this setting is not disabled, then passwords are transmitted in clear text across the network to the SMB server, leading to credential leakage.
- Disable direct root login in SSH
As root is the default administrative username in Linux distributions, an attacker can safely assume that it exists for SSH connections, which gives them a valid username for password guessing attacks. Hence direct root login over SSH should be disabled.
- Use SSH keys instead of passwords.
Password-based SSH authentication should be replaced with key-based authentication.
- Use a port other than the default port.
Using custom ports other than the default port 22 for SSH may add obfuscation.
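A checker for the three SSH tips above (no direct root login, keys rather than passwords, a non-default port), run over two constructed sshd_config fragments: one with the weak settings and one corrected. This is an added Python example, not from the article or from Cyphere; where a file omits a directive it falls back to the OpenSSH default so that an inherited weak setting is still reported.

```python
# Two constructed sshd_config fragments; neither is taken from a real host.
WEAK_CONFIG = """\
# Constructed: the settings the tips above warn against
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# Constructed: the same directives corrected
# A non-default port adds a little obfuscation only
Port 2222
# No direct root login over SSH
PermitRootLogin no
# Keys instead of passwords
PasswordAuthentication no
PubkeyAuthentication yes
"""

# What the tips expect, keyed by lower-cased directive name.
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
# OpenSSH defaults (current releases) applied when a file omits a directive.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return {directive: value} for the global part of an sshd_config.
    sshd uses the first occurrence of a directive, so later duplicates are
    ignored, and everything after the first Match line is conditional and
    would need per-block evaluation, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means all three tips are met."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    for key, want in EXPECTED.items():
        if cfg[key].lower() != want:
            findings.append(f"{key} is '{cfg[key]}', expected '{want}'")
    if cfg["port"] == "22":
        findings.append("port is the default 22")
    return findings
```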
- Disable all unused open ports
All unused open ports should be closed to reduce the attack surface for an attacker.
- Disable all unused services
All unused services should be stopped on the server so that an attacker cannot leverage and exploit them.
- Hide open ports from external entities
If an attacker scans the server’s IP address, they should not be able to enumerate the services running on the server from its open ports. The status of the ports should return as filtered or closed rather than open.
- Maintain regular backups.
Regularly take backups of the server to ensure that no data is lost.
- Store backup files securely.
Backup files should be stored in a secure location and not on production servers. If any backup file is leaked, the hacker will gain access to all the data stored on the server.
- Periodically restore and test backups.
Test the backup files by restoring them periodically to check if the backup files maintained are working correctly.
Use of Virtual Private Network (VPN)
- Do not expose servers to the internet
Servers should not be exposed on the public internet because it increases the security risk as more attackers can target the server. Instead, a VPN should be used to access the servers.
Web server security
- Sanitise and filter user supplied input.
User input should not be trusted as it may contain malicious payloads. Input should be sanitised to remove all unwanted characters.
- Ensure file upload functionality only allows legitimate files
Through an insecure file upload, an attacker can upload malicious code to the server, resulting in a remote shell and compromise of the entire server.
- Secure administration panels with IP address safelisting
IP safelisting should be used to ensure that only legitimate, known users can reach the admin panels.
- Use a web application firewall (WAF) where necessary
A WAF should be used for public-facing applications to protect the web application and web server from incoming attacks.
- Do not store sensitive files in the document root
Sensitive files should not be stored in the document root folder because an attacker might access them, leading to information leakage.
- Do not trust HTTP headers.
HTTP headers such as the Host and Referer headers can be forged and thus should not be trusted when making logic decisions.
- Use POST requests for data submission.
Because URLs get logged in various places, including third-party websites, all sensitive data submitted should be through POST requests to avoid information leakage.
- Validate all user input supplied on the server-side
An attacker can circumvent client-side validation, so all user input should be validated and checked on the server-side.
- Specify file permissions when creating files
If the web application handles file creation, then permissions should be set properly based on the principle of least privilege.
- Implement proper error handling
Proper error handling should be configured on the server, so that information such as stack traces, database queries or other sensitive information is not displayed.
- Do not trust cookie values for session management
Since a user can manipulate cookie values, cookies should not be used as the only mechanism for session management.
- Disable dangerous PHP functions
Dangerous PHP functions such as eval() and include() should not be used, as they can allow attackers to carry out malicious activities.
- Log and monitor web traffic and requests for unusual activity
All activities performed on the web application should be logged and reviewed periodically to ensure that no malicious incidents occur.
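Server-side file upload validation of the kind recommended above: an extension allowlist, a magic-byte check so the content must match the claimed type, a size cap, and path-safe renaming that neutralises double extensions. This is an added Python example, not from the article or from Cyphere; the allowed types and the size limit are constructed values.

```python
import re
from pathlib import PurePosixPath

# Allowlist of accepted types: lower-case extension -> leading magic bytes.
# Constructed for this example; narrow it to what the application really needs.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_SIZE = 5 * 1024 * 1024  # constructed 5 MiB cap


class UploadRejected(ValueError):
    """Raised with a short reason; the web layer should log it, not echo it."""


def safe_filename(name):
    """Discard any directory part the client supplied and keep a conservative
    character set, so the stored name can never escape the upload directory."""
    base = PurePosixPath(name.replace("\\", "/")).name
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    if not base:
        raise UploadRejected("empty filename after sanitising")
    return base[:128]


def validate_upload(filename, data):
    """Return the sanitised name to store the bytes under, or raise UploadRejected."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    name = safe_filename(filename)
    suffix = PurePosixPath(name).suffix
    ext = suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext}' not in allowlist")
    # Content must agree with the claimed type; a renamed script fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Neutralise double extensions such as shell.php.png -> shell_php.png.
    stem = name[: -len(suffix)].replace(".", "_")
    return stem + ext
```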
As highlighted above, there are many recommendations on how to secure a server. You should implement these security measures during the initial setup of the server and perform continuous or periodic validation, such as a build and configuration review and penetration testing. Additionally, if there is no automated way of monitoring servers, design scheduled security checks following the roadmap in this article on protecting assets.
In the modern world, we have to be vigilant about our security. The servers that store and transmit data are a prime target for malicious actors looking to steal sensitive information or cause damage.