What is server security?
Servers are the backbone of an organisation’s IT infrastructure as they provide both information and computational services to its users. And because of their critical role, servers are always a prime target for hackers looking to exploit any security vulnerability, leading to data breaches and financial and reputational damage.
The security of the server or servers is a vital part of ensuring the organisation’s overall security posture. Securing a server consists of the configurations, tools and processes that, when implemented, ensure server protection from all internal and external threats. To improve internal infrastructure security, an organisation must conduct an internal pen test to assess an estate’s overall security posture.
Common server security issues
Something as simple as weak/default passwords, lack of antivirus solutions or unintentional user errors could put the organisation at risk. Below is a list of common server security issues usually exploited to compromise systems.
This article is about server security tips, so we only briefly cover the security issues encountered during penetration testing assessments. Should you wish to read about these issues in more depth, there are several articles on our blog, notably the OWASP Top 10 application risks, the API Top 10 and the OWASP Mobile Top 10.
Usage of weak or default passwords
Many organisations fail to change the default manufacturer password of the applications and devices they use, such as logins for switches, routers, administrative consoles, backup software etc. A hacker can find these passwords with a simple internet search and log into the application using admin credentials.
Privileged Accounts Abuse
Weaknesses linked with privileged accounts include weak passwords, password reuse (same password) amongst standard and privileged accounts and use of excessive privileges for service accounts or within configuration files. For Windows servers, you should consider using the Microsoft LAPS solution to ensure unique local administrator passwords are in use. On the same note, review Active Directory security groups and memberships to ensure strict adherence to the least privilege principle.
Using outdated components
When targeting a remote server, the first step for an attacker is to fingerprint the versions of the software and hardware components in use. If any of these components are outdated, i.e., have a publicly disclosed security vulnerability, a hacker can exploit the flaw and compromise the system.
It is essential for every organisation to keep security patches current through an established patch management process.
Open network ports
Ports are always tied to a service provided by the server. Every open port that a hacker can readily enumerate adds to the attack surface and gives the hacker a larger area to attack.
Due to human error or server misconfigurations, systems can leak sensitive data. This can be information about the server itself, such as version disclosures, passwords or API keys, or it can be data related to the organisation. By combining and chaining such leaks with other attack vectors, a hacker can cause serious damage.
An improper authorisation or access control
Improper authorisation or insecure access control can exist at the application or the operating system (OS) level. It generally means that users are granted more privileges than they should be given; for example, a customer support employee being able to perform system administration tasks.
Server misconfigurations are typically user errors, i.e., servers that are not configured properly, leading to security risks. Typical server misconfigurations that cause data breaches include:
- Disclosing debugging information
- Using hardcoded passwords
- Insecure file permissions
- Misconfigured SSL certificates used for web traffic and user authentication for online security
- Inadequate permissions granted
- Directory listings available
- Insecure error handling
Insufficient endpoint protection
Using effective endpoint solutions, i.e., antivirus software or an intrusion detection system (IDS), is essential to detect and prevent malicious activity on a system. Without adequate endpoint protection, servers are not protected from malware.
Use of insecure communication protocols
System administrators often use less secure protocols such as Telnet or HTTP for communication instead of SSH, HTTPS (TCP port 443) and other secure equivalents. Telnet and HTTP are cleartext protocols and do not encrypt data in motion, so an attacker can use a variety of sniffing techniques to intercept all communication to and from the systems.
Insufficient logging and monitoring
When talking about cyber-attacks, it is vital to mention logging and monitoring. It is the task of the network or system administrator to enable all important logs on servers and to review those logs periodically. This ensures that a cyber security attack or incident does not go unnoticed.
Injection flaws and cross-site scripting (XSS)
Injection flaws occur when user-supplied input is passed to the server for processing without being filtered or checked for malicious payloads. Injection attacks include OS command injection, SQL injection, CSV injection, LDAP injection and cross-site scripting. Hardening the SQL server can help prevent SQL injection attacks.
Security for servers
One can never achieve a hundred per cent security; there will always be some exploit or malware out there that can affect your organisation. But a company's IT department needs to do everything possible to protect its assets from all internal and external cyber threats. This is where server protection comes into play. On a similar note, read our article on system hardening to reduce the attack surface.
It is the responsibility of the relevant team or personnel to ensure maximum protection of their servers. You can achieve this by maintaining a baseline configuration guide that is followed when setting up any server.
How do you secure a server?
Below are some tips for server protection to help relevant teams identify and configure their servers to guarantee maximum security. The configurations should include a combination of security measures (just like a layered approach) and settings to reduce security vulnerabilities and improve the organisation’s overall security.
Server security best practices
These checklists serve as a guide to how to secure a server and help you follow server security best practices. The information included may not reflect your environment exactly because of differences in operating systems, services hosted, service account configuration and the wider tech stack, but this article should give you enough to apply the same concepts to different systems or operating systems.
Isolated execution environments
Where possible, consider dedicated server environments with your hosting providers. Ensure that virtual isolated environments are created to isolate execution environments for security purposes.
Virtual isolated environments in the data center (containers, VM virtualisation, etc.) provide a critical security benefit: if a security issue is identified and exploited, sensitive or critical data is not accessible to threat actors. For UNIX-like servers, creating chroot jails is a common way to isolate a process and its children from the rest of the filesystem. Another benefit of dedicated servers is the physical security offered by data center environments.
Simpler features such as DEP (Data Execution Prevention) must be utilised where possible via group policy across the estate. This offers granular control over restricting the execution of untrusted binaries.
- Enforce password complexity
Password complexity, such as using symbols, numbers, uppercase and lowercase letters in a password, makes it strong and resists password guessing and brute force attacks. Enforce a minimum password length and complexity, disable reversible encryption and block common passwords (you can also add leaked passwords to the blocklist).
- Set password age/expiry
A password expiry age should be set (60-90 days). This reduces the window in which an attacker can use leaked credentials. As per the latest NCSC guidance, one may not need this in certain scenarios; however, you might have to show it in your plans for certain benchmarks.
- Set minimum password length
Minimum password length (12 characters or more) will protect the credentials against brute force attacks.
- Do not use dictionary words.
Dictionary words are easily guessable and do not make for good passwords. Try to avoid repeating the characters in the same password.
- Do not use repeated characters.
Using repeated sequences of characters makes it easier for an attacker to perform password guessing attacks like brute-forcing.
- Do not use personal details.
Personal details such as birthdates, phone numbers etc., should not be used as passwords as they are easily guessable.
- Do not store passwords on notes, text files or system files
If passwords are written down in any soft or hard copy, the chances of credential leakage increase significantly. Avoid storing passwords in clear-text formats such as system files, batch files, debug logs, config files and any other human-readable files. Mandate the use of password manager software.
- Set multi-factor authentication where applicable
Wherever possible, MFA should be considered to create multiple levels of security.
- Set account lockout duration
Configure a fixed duration (3-15 minutes) for which a locked user account rejects any further login requests. This protects against Denial of Service (DoS) and brute force attacks.
- Set account lockout threshold
Configure a fixed number of login attempts to gain access before the account is locked.
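The password items above can be expressed as a single policy check that a provisioning script or self-service portal runs before accepting a new password. The following is an added example written for this article, not code from the original post or from Cyphere; the blocklist, dictionary words and the default values (12 characters, 90 days, runs of three identical characters) are assumptions taken from the checklist or constructed for the example.

```python
import re
from datetime import date, timedelta

# Constructed sample data for this example: a tiny blocklist standing in for a
# leaked-password list, and a few dictionary words. In production these would be
# loaded from a breached-password feed and a real word list.
BLOCKED_PASSWORDS = {"password", "welcome1", "qwerty123", "summer2023"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "admin"}


class PasswordPolicy:
    """Encodes the checklist items: minimum length, complexity, blocklist,
    dictionary words, repeated characters, personal details and maximum age."""

    def __init__(self, min_length=12, max_age_days=90, max_run=2):
        self.min_length = min_length      # "12 characters or more"
        self.max_age_days = max_age_days  # upper end of the "60-90 days" range
        self.max_run = max_run            # longest run of one character tolerated

    def check(self, password, personal_details=(), last_changed=None, today=None):
        """Return a list of violations; an empty list means the password passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        # Complexity: all four character classes must be present
        classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if not all(re.search(p, password) for p in classes):
            problems.append("missing a lowercase, uppercase, digit or symbol character")
        lowered = password.lower()
        if lowered in BLOCKED_PASSWORDS:
            problems.append("appears in the blocked/leaked password list")
        for word in sorted(DICTIONARY_WORDS):
            if len(word) >= 4 and word in lowered:
                problems.append(f"contains dictionary word '{word}'")
        # A single character repeated more than max_run times in a row (e.g. "aaa")
        if re.search(r"(.)\1{%d,}" % self.max_run, password):
            problems.append(f"repeats one character more than {self.max_run} times in a row")
        # A sequence of two or more characters repeated back to back (e.g. "abcabc")
        if re.search(r"(.{2,})\1", password):
            problems.append("contains a repeated character sequence")
        for detail in personal_details:
            d = str(detail).lower()
            if len(d) >= 3 and d in lowered:
                problems.append(f"contains personal detail '{detail}'")
        if last_changed is not None:
            today = today or date.today()
            if today - last_changed > timedelta(days=self.max_age_days):
                problems.append(f"older than {self.max_age_days} days")
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("password123", "Tr0ub4dor&3x!Q", "Shahrukh2024!xyz"):
        print(candidate, "->", policy.check(candidate, personal_details=["Shahrukh"]) or "OK")
```

The check returns every violation rather than stopping at the first one, so a user can fix all of them in one attempt; the age check is passed an explicit `today` so it can be tested deterministically.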
User rights assignment
- Do not allow users to change system time/time zone
Users should not be allowed to change system time, as this can result in incorrect timestamps in logs causing difficulty to track any security incident.
- Do not allow users to force shutdown/restart systems
Shutting down or restarting a remote server can result in denial of service and unavailability of resources, so normal users should not be allowed this option.
- Do not allow users to generate security audits.
Normal users should not be allowed to generate audit records in the security logs, as this would create many spurious audited events and make it difficult to locate legitimate cyber incidents.
- Do not allow users to manage auditing and security logs
Normal users should not be given the right to manage security logs because anyone with these rights can erase important cyber security incidents.
- Linux systems /boot should have Read-only permissions
Ensure the /boot directory is mounted read-only to protect it from unauthorised modifications.
- Disable boot from removable media
The server should not be bootable from removable media such as USB drives. Configure the BIOS/UEFI to disallow booting from removable media.
- Do not allow modification of firmware environment variables
Any user with these rights can configure the settings of hardware components and cause a denial of service and loss of availability of the components. It could lead to the loss of critical data.
For other security controls, read our article on the basics and types of security controls.
- Do not display the previous username.
Displaying information about users will help the attacker enumerate valid usernames and facilitate password guessing attacks.
- Set machine inactivity limit
Always set an inactivity or session timeout (900 seconds or less) after which the system locks.
- Configure message for users attempting login
Displaying a warning message before logon will notify the users of the consequences of attempting any malicious activity to gain access.
- Prompt users to change passwords before expiration
Users should be prompted and reminded that their password will expire soon.
- Do not display network selection UI
Network selection should not be displayed on the logon screen so that unauthorised users cannot disconnect the system from the network.
- Turn off the app and toast notifications on the lock screen
App and toast notifications should be turned off so that they do not display sensitive information.
- Turn off picture password sign-in
Picture passwords increase the likelihood of an attacker logging into the system, as they are easier to guess or observe than a complex password.
- Turn off convenience PIN sign-in
PIN sign-in should be disabled because a short PIN is more easily guessed than a complex password.
- Do not display the password reveal button.
This reduces the risk of someone shoulder surfing and seeing the user’s password.
- Do not display administrative accounts on elevation
Users should not see a list of valid administrative accounts, as it will make it easier for a malicious user to perform password guessing attacks with valid usernames.
Secure communication protocols
- Use SFTP instead of FTP
To secure your server, SSH File Transfer Protocol (SFTP) or FTP over TLS (FTPS) should be used for all file transfers so that sensitive or critical data is not sent in cleartext.
- Use SSH instead of the telnet protocol
When connecting to any system to obtain a command-line interface, Secure Shell (SSH) should be used. SSH encrypts all commands and data sent over the connection rather than sending them in cleartext. The importance of secure communication channels for the security of critical data cannot be overstated.
- Use secure email protocols such as POP3S, IMAPS, SMTPS
Using POP3S, IMAPS or SMTPS secures the email protocols with transport layer security (TLS) or its predecessor, secure sockets layer (SSL). These measures protect against malicious interception or modification of email in transit.
- Use HTTPS instead of HTTP for all web applications that deal with user input
Using HTTPS secures the data transmitted by the web application by encrypting it with TLS, using an X.509 (commonly called SSL) certificate. This ensures that no sensitive data such as passwords or financial information is leaked or manipulated in transit. TLS/SSL certificates underpin the encryption-based Internet security protocols used to ensure privacy, authentication and data integrity for Internet-based communications between two endpoints.
- Configure automatic updates
If the operating system allows, you should configure automatic updates to install the latest patches and protect the system from security vulnerabilities. Vulnerable software is often the easiest opportunity for attackers. During COVID, the NSA released a list of the most exploited vulnerabilities in well-known products that led to remote code execution, i.e. direct access to servers exposed on the Internet. This is an obvious reason why vulnerable software is a quick route into internal networks.
- Regularly check for Operating System (OS) updates.
You should regularly check the server for any available updates and implement critical patches immediately.
Network access for Windows servers
- Disallow anonymous SID/Name translation
A user can enumerate administrator accounts or authorized accounts and use them in a password guessing attack if this is enabled.
- Do not allow anonymous enumeration of SAM accounts and shares
If this is enabled, an unauthorised user can list account names and shared resources and use this information in password guessing attacks.
- Do not allow storage of passwords and credentials for network authentication.
If this is allowed, passwords will be stored in the cache and can be used by malicious code for unauthorised access.
- Do not let Everyone permissions apply to anonymous users
If this is enabled, anonymous users inherit the permissions of the Everyone group and can list account names and shared resources and use this information in password guessing attacks.
- Do not assign any value to "Shares that can be accessed anonymously"
If any value is assigned, any network user can access those shares, resulting in information leakage.
User account controls
All operating systems
- Ensure proper access privileges are granted
You should grant access on the principle of least privilege. User access to directories, networks, files, and other resources should be granted as per their requirements and monitored.
- Ensure proper access to the file system is granted
Users should be granted read, write and execution rights on the relevant file systems as per their user role.
- Display prompt for the elevation for administrators
This setting ensures that a prompt is displayed when any privileged operation is performed from an administrative user or authorized accounts.
- Deny elevation for standard users
For all standard / normal users, applications should not run with elevated or admin privileges.
- Detect application installations and prompt for elevation
This setting will ensure that no programs are installed automatically without displaying a prompt and notifying the user about the installation.
Linux server security
- Use the root account only when required.
The root user account should not be used for daily activities but only on a need basis. All excessive privileges should be revoked once a task is complete.
- Use SUDO to grant users root-level privileges.
To secure your server, never assign root-level privileges to any user for standard tasks. Normal users should not be granted root privileges; instead, they should use the sudo utility to perform specific privileged actions.
Cyphere also provides secure configuration reviews for Linux.
Controls for endpoint solutions (Anti-virus / IDS / IPS)
- Turn on real-time behavioural monitoring
Any host-based security solution, such as antivirus software, an intrusion prevention system or an intrusion detection system, should have real-time monitoring enabled so that threats are detected and treated in real time and the risk of infection is decreased.
- Prevent users from accessing known malicious websites
This will help stop users from visiting dangerous websites that may host phishing scams, exploits or malware. Host-based endpoint protection can distinguish malicious traffic from legitimate traffic, although it is not a 100% foolproof method.
- Conduct regular scanning
Ensure complete scanning of the server regularly to ensure no malware is installed.
- Scan all removable drives
You should scan all removable media immediately to reduce the introduction of malware into the network.
- Turn on email scanning.
You should scan attachments of incoming emails to make sure there are no malicious attachments.
- Prevent users from modifying settings
Users should not be allowed to change the settings of any security solution.
- Turn on protection from Potentially Unwanted Applications (PUA)
Enable this setting to prevent users from installing malicious applications.
Windows server firewall
- Turn on the Firewall state
Always turn on the built-in Windows firewall and create relevant rules.
- Block all inbound connections that do not match firewall rules
One should block all incoming connections other than the allowed ones to reduce remote attacks from a hacker.
- Allow outbound connections that do not match firewall rules
Outgoing connections other than the defined ones should be allowed, as blocking all connections will result in many prompts and disturb the user.
- Configure firewall Logging Size limit (KB)
The firewall should record all events, and it should have a sufficient log files size based on the traffic/bandwidth processed by the device.
You can also use a host-based IDS or network IDS to ensure intrusion attempts are identified and blocked and that log files are collected for further analysis.
Consider firewall security assessments regularly to improve the security posture of your perimeter or cloud assets.
Let’s answer a quiz about secure connections. A core authentication server is exposed to the internet and is connected to sensitive services. How can you restrict connections to secure the server from getting compromised by a hacker?
It would be using either or all of these choices: firewall, bastion host and access control list.
- Firewall – A firewall can restrict unnecessary traffic to the authentication server by filtering unauthorised traffic, blocking ping floods and other noise such as bots, script kiddies looking for vulnerable web servers or other opportunities. Firewalls can be hardware, software or cloud-based.
- Bastion Host – A bastion host, also known as a jump box, is a system used as the first entry point allowing connectivity to users on the Internet. Once a user has successfully authenticated to the bastion host, they can access internal networks or the underlying systems. This is standard procedure as part of a multi-layered or defence in depth implementation for vendors, third parties or employees working remotely.
- An access control list – Access control list (ACL) based measures refer to a rule book based on certain criteria that grant or deny/restrict access.
Logon / Logoff
- Success and failure of account lockouts events
All events such as failed login attempts, violations, repeated login attempts that report a user’s account is locked out should be logged and monitored.
- Successful account logoff events
All successful attempts of a user logging off should be logged and monitored.
- Success and failure of account login events
All successful and unsuccessful attempts of a user logging in should be logged and monitored. This can be useful when finding brute force and other password guessing attacks.
- Success and failure of accessing removable storage
All attempts to access files on a removable storage device should be logged to ensure no sensitive data is leaked via USBs.
- Success and failure of using elevated privileges
All attempts of using elevated privileges on a system should be logged.
- Success and failure of all other system events
You should capture system events such as logs from the firewall to ensure it is working as expected.
- Track changes made to files
Record changes made to sensitive files by comparing two versions of the same file. This will ensure that no unauthorised changes are made.
- Monitoring and auditing all services running on the server
Periodic auditing of running services will ensure that no unused service is left running on the system. This reduces the footprint available to an attacker.
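The "Insufficient logging and monitoring" section and the login-event items above both come down to the same thing: collecting the logs is only useful if something reviews them for patterns such as brute force. The following is an added example for this article, not code from the original post or from Cyphere. It parses constructed Linux `sshd` auth log lines (the hosts, usernames and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), counts failures per source address and per username, and raises an alert when one address exceeds a failure threshold within a time window or logs in successfully after a run of failures. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (Linux sshd syslog format); not taken from any real host.
SAMPLE_AUTH_LOG = """\
Jun 12 10:01:02 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jun 12 10:01:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jun 12 10:01:07 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 51024 ssh2
Jun 12 10:01:09 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 51025 ssh2
Jun 12 10:01:12 web01 sshd[2214]: Failed password for invalid user oracle from 203.0.113.9 port 51026 ssh2
Jun 12 10:01:15 web01 sshd[2215]: Failed password for root from 203.0.113.9 port 51027 ssh2
Jun 12 10:05:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2
Jun 12 10:06:10 web01 sshd[2310]: Failed password for alice from 198.51.100.7 port 40200 ssh2
Jun 12 10:06:30 web01 sshd[2312]: Accepted password for alice from 198.51.100.7 port 40201 ssh2
Jun 12 10:20:00 web01 sshd[2400]: Failed password for root from 203.0.113.9 port 51100 ssh2
Jun 12 10:20:03 web01 sshd[2401]: Accepted password for root from 203.0.113.9 port 51101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Turn raw log lines into event dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime fills in 1900, which is fine for
        # relative comparisons within one log but does not handle a year boundary.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"], "method": m["method"]})
    return events


def failure_counts(text):
    """Return (failures per source IP, failures per username) as plain dicts."""
    by_ip, by_user = defaultdict(int), defaultdict(int)
    for ev in parse_events(text):
        if not ev["ok"]:
            by_ip[ev["ip"]] += 1
            by_user[ev["user"]] += 1
    return dict(by_ip), dict(by_user)


def detect(text, threshold=5, window_seconds=300):
    """Alert on (a) >= threshold failures from one IP inside a sliding window and
    (b) a successful login from an IP that has already failed >= threshold times."""
    alerts = []
    recent = defaultdict(deque)        # ip -> timestamps of failures inside the window
    total_failed = defaultdict(int)    # ip -> all failures seen so far
    burst_reported = set()
    for ev in parse_events(text):
        ip = ev["ip"]
        if not ev["ok"]:
            total_failed[ip] += 1
            q = recent[ip]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append(("brute_force", ip, len(q)))
        elif total_failed[ip] >= threshold:
            alerts.append(("success_after_failures", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

Both alert types matter: the burst is what an account lockout threshold would also catch, while a success after many failures is the signal that the guessing worked and an incident, not just noise, needs handling.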
Internet communication management
- Turn off downloading of drivers over HTTP
Do not allow users to download drivers as they may download compromised files containing malware.
- Turn off printing over HTTP
Since HTTP is a cleartext protocol, all information transferred can be intercepted and leaked to an attacker.
- Turn off “Publish to Web” for files and folders.
Users may unintentionally or intentionally publish sensitive content to the public network, exposing sensitive information to unauthorised users.
- Do not allow network connectivity during sleep mode
Disabling network connectivity during sleep ensures that the system is not reachable by an attacker while it is left unattended. Restrict access to any functions that could lead to a change in configuration or system state.
- Require a password when the system wakes from sleep mode
This setting ensures that unattended servers are protected from unauthorised use because the server is not accessible without login credentials.
NTP server configuration
- Enable NTP Client
You should configure a reliable and accurate NTP server on all servers that serve as a synchronised clock for all systems.
For configuring a local NTP server, read this article.
- Do not allow the use of the camera on the device
Cameras can introduce security risks in sensitive environments and should be disabled.
- Turn off location
It is not wise to share the server’s physical location via GPS or other location-tracking from a security perspective, so this setting should be disabled.
- Do not allow users to share files within the network
Users could accidentally share data with unauthorised users on the network. This setting should be disabled to reduce unintentional data leakage.
Managing unattended systems
- Enable screen savers
If a user forgets to lock their system when they leave, a screen saver should be enabled to protect against unauthorised access.
- Set screen saver timeout
Screen saver timeout should be configured (300 seconds or more).
- Password protect the screen savers.
It would be best if you implemented a timed password-protected screen saver to protect unattended systems from hijacking.
- Restrict users from installing software
Only authorised software should be permitted, and standard users should not be able to perform installations.
- Disable always install with privileges
On Windows servers, disable the "Always install with elevated privileges" setting so that malicious users cannot exploit it to install malicious software or perform unauthorised activities.
Remote desktop configurations for Windows server
- Do not allow drive redirection
Drive redirection allows a remote desktop session to access data on the local machine, so malicious software on a compromised remote system could directly access the local computer.
- Do not allow Plug and Play device redirection.
Disallow the redirection of Plug and Play devices such as flash drives to reduce the chances of data exfiltration.
Where possible, try to restrict the exposure of internal services such as RDP, SMB, File/Print sharing services to internal or VPN networks only. Similarly, private services such as database control panel, and management interfaces should be limited to secure networks.
- Always prompt users for passwords upon connection
Users should always be asked for login credentials, even for stored sessions, to restrict access by unauthorised users.
Session timeout limits
- Set time limit for active but idle Remote Desktop Services sessions
Configure the time limit to 15 minutes or less to prevent RDP from tying up resources for long periods of time.
- Set a time limit for disconnected sessions
This setting is important to ensure all inactive and disconnected sessions are terminated properly. Configure the time limit to 15 minutes or less.
- Disable SMBv1 server and clients
Do not use the SMB version 1 server or client components, as they have been deprecated and contain many known security vulnerabilities.
- Disable the use of unencrypted passwords when connecting to third-party SMB servers
If this setting is not disabled, passwords are transmitted in clear text across the network to the SMB server (SMB ports in specific), leading to credential leakage. Only allow such services over VPN (Virtual Private Network) usage if required. As a security best practice, do not expose internal services on the Internet.
- Disable direct root login to SSH server
As root is the default administrative username on Linux distributions, it is easy for attackers to assume that the root user exists on any SSH server. This gives an attacker a valid username for password guessing attacks, so direct root login over SSH should be disabled.
- Remove passwords in favour of SSH key-based authentication.
Prefer key-based authentication over password-based authentication, and disable password authentication on the SSH server once keys are in place. Private keys should be stored securely, especially away from file servers and shared repositories.
- Use a port other than the default port.
Using a custom port other than the default port 22 for SSH may add some obfuscation. Do not take this as a foolproof method, but it helps reduce the noise of opportunistic login attempts and probing events when reviewing log files and monitoring events.
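The three SSH items above are all settings in `sshd_config`, and a configuration review boils down to reading the effective global directives and comparing them against the checklist. The following is an added example for this article, not code from the original post or from Cyphere; the sample configuration is constructed, and the expected values (`PermitRootLogin no`, `PasswordAuthentication no`, `PubkeyAuthentication yes`, non-default port) are assumptions drawn from the checklist. The parser follows two rules of the real `sshd` parser that trip up naive scripts: the first occurrence of a directive wins, and everything after a `Match` line applies only to that block.

```python
import re

# Constructed sample sshd_config content (not from any real server).
SAMPLE_SSHD_CONFIG = """\
# sample configuration with the defaults most installs ship with
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
Match User deploy
    PasswordAuthentication no
"""

# The same host after applying the checklist items (also constructed).
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Expected values per the checklist (assumed for this example); keys are lower-cased
# because sshd directive names are case-insensitive.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# sshd accepts "Key value" and "Key=value"
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return the effective global directives: comments skipped, first occurrence
    wins (as in sshd), and parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text, expected=EXPECTED, default_port=22):
    """Return a list of findings; an empty list means the config meets the checklist."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in expected.items():
        want = "/".join(sorted(allowed))
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set explicitly (sshd default applies); set it to {want}")
        elif actual.lower() not in allowed:
            findings.append(f"{key}: is '{actual}', expected {want}")
    if settings.get("port", str(default_port)) == str(default_port):
        findings.append(f"port: default {default_port} in use (non-default port is obfuscation only)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "no findings")
```

The "not set explicitly" finding is deliberate: relying on the compiled-in default makes the effective setting depend on the OpenSSH version, so a hardening baseline should state each value outright.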
- Disable all unused open ports
All open ports not used by OS and installed components should be closed to reduce the opportunities for an attacker. Open ports add to multiple attack vectors based on running services, increasing the network footprint.
- Disable all unused services
All unnecessary services should be stopped on the server so that an attacker cannot leverage and exploit them.
- Hide open ports from external entities
If an attacker scans the server's IP address, they should not be able to enumerate the services running on the server from its open ports. The status of unused ports should be reported as filtered or closed rather than open.
- Maintain regular backups.
Regularly take backups of the server, whether through automated backup jobs or manual processes, to ensure that no data is lost.
- Store backup files securely.
Backup files should be stored securely and not on production servers. If a backup file is leaked, the hacker gains access to all the data stored on the server.
- Periodically restore and test backups.
Test the backup files by restoring them periodically to check that the backups are usable. This process must include thorough backup testing, including data recovery exercises to rehearse recovery after a data breach.
Use of Virtual Private Network (VPN)
- Do not expose servers to the internet
Servers should not be exposed on the public internet, because it increases the security risk as more attackers can target the server. Instead, a VPN (Virtual Private Network) should be used to access the servers. The use of Virtual Private Networks (VPNs) is a secure practice to extend your private network, establishing isolated communication channels across the Internet or public networks and ensuring smoother access for staff or vendors working within the same organisation. Virtual Private Networks (VPNs) are private networks carried over the Internet Protocol address space (the 32-bit IPv4 address space provides 4,294,967,296 unique IP addresses).
Web server security
The following tips cover the security of web application servers and web servers hosting content for websites and applications.
- Sanitise and filter user-supplied input.
Your developers must be aware of secure practices. A web application with exploitable opportunities may lead to underlying web server access. User input should not be trusted as it may contain malicious payloads. Input should be sanitised to remove all unwanted characters.
- Ensure file upload functionality only allows legitimate files
Using insecure file uploads, an attacker can upload malicious code to the web application servers, uploading remote shells and compromising the entire server. Files and their contents should be scanned before saving them to disk or making them available for further processing.
- Secure administration panels with IP address safelisting
IP safelisting ensures that only legitimate, known users can reach the admin panels.
- Use a web application firewall (WAF) where necessary
A WAF should be used for public-facing applications to protect the web application and web server from incoming attacks.
- Do not store sensitive files in the document root.
Sensitive files should not be stored in the document root folder because an attacker might access them, leading to information leakage.
- Do not trust HTTP headers.
HTTP headers such as Host and Referer can be forged and thus should not be trusted when making logic decisions.
- Use POST requests for data submission.
Because URLs get logged in various places, including third-party websites, all confidential organizational data submitted should be through POST requests to avoid information leakage.
- Validate all user input supplied on the server-side
An attacker can circumvent client-side validation, so all user input should be validated and checked on the server-side.
- Specify file permissions when creating files
If the web application handles file creation, then file and folder permissions should be set properly based on the principle of least privilege.
- Implement proper error handling
Proper error handling should be configured on the server so that information such as stack traces, database queries or other sensitive information is not displayed.
- Do not trust cookie values for session management.
Since a user can manipulate cookie values, cookies should not be used as the only mechanism for session management.
- Disable dangerous PHP functions
Dangerous PHP functions such as eval() and include() should not be used, as they can allow attackers to carry out malicious activities. Our PHP security checklist is a useful guide if you want to read about this in detail.
- Log and monitor web traffic and requests for unusual activity
All activities performed on the web application should be logged and reviewed periodically to ensure that no malicious incidents occur.
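Several of the web server items above (sanitise user input, restrict file uploads to legitimate files, validate on the server side, set permissions when creating files, keep sensitive files out of the document root) meet in one place: the upload handler. The following is an added example written for this article, not code from the original post or from Cyphere. It is framework-independent Python; the allowed types, their magic bytes, the size limit and the storage layout are assumptions for the example, and the sample upload bytes are constructed.

```python
import os
import re
import tempfile
import unicodedata

# Allowlist of extensions with the magic bytes each file must start with (assumed
# for this example; extend per application). Anything not listed is rejected.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_SIZE = 5 * 1024 * 1024  # assumed limit
POSIX = os.name == "posix"

# Constructed sample upload: a valid PNG signature followed by padding.
SAMPLE_PNG = ALLOWED_TYPES["png"] + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the message is safe to log."""


def sanitise_filename(name):
    """Reduce a client-supplied name to a safe base name: no directory components,
    NFKC-normalised, restricted charset, no leading dots."""
    base = os.path.basename(name.replace("\\", "/"))   # drop any path traversal
    base = unicodedata.normalize("NFKC", base)
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    if not base:
        raise UploadRejected("empty or unsafe filename")
    return base


def validate_upload(filename, data):
    """Server-side checks that do not trust the client. Returns (safe_name, ext)."""
    safe = sanitise_filename(filename)
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    if "." not in safe:
        raise UploadRejected("no file extension")
    ext = safe.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext}' not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match its extension")
    return safe, ext


def store_upload(filename, data, storage_dir):
    """Validate, then write under a server-chosen random name with owner-only
    permissions. storage_dir must sit outside the web server's document root."""
    safe, ext = validate_upload(filename, data)
    # mkstemp creates the file with mode 0600 and O_EXCL, so no other local user
    # can read it and no existing file can be overwritten.
    fd, path = tempfile.mkstemp(prefix="upload_", suffix="." + ext, dir=storage_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    except Exception:
        os.unlink(path)
        raise
    return path, safe  # the client's name is metadata only, never part of the path


def is_rejected(filename, data):
    """Helper for tests and demos: True if validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
        return False
    except UploadRejected:
        return True


def store_sample(storage_dir=None):
    """Store the constructed PNG and return (path, client_name, permission bits)."""
    storage_dir = storage_dir or tempfile.mkdtemp(prefix="uploads_")
    path, name = store_upload("photo.png", SAMPLE_PNG, storage_dir)
    return path, name, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    for name, data in (("../../etc/passwd", b"x"), ("shell.php", b"<?php"),
                       ("fake.png", b"<?php echo 1;"), ("photo.PNG", SAMPLE_PNG)):
        print(name, "->", "rejected" if is_rejected(name, data) else "accepted")
    print(store_sample())
```

The extension check alone is not enough (a web shell renamed to `.png` passes it), which is why the content is checked against the expected signature; conversely, valid image bytes under a `.php` name are still refused because the extension decides how a web server would execute the file.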
The above list is brief and covers a high-level list of website security tips. For an extensive website security checklist, see How to secure your site.
As highlighted above, there are many recommendations for securing a server. You should implement these security measures during the initial setup of the server and perform continuous or periodic validations, such as a build and configuration review and penetration testing. Additionally, make sure that if there is no automated way for monitoring servers, design scheduled security checks while following our roadmap in this article on protecting assets!
In the modern world, we have to be vigilant about our security. The servers that store and transmit data are a prime target for malicious actors looking to steal sensitive information or cause damage.
Get in touch for a virtual coffee.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.