Before any server is deployed at Milligan University, certain security baselines must be in place to ensure the security of the server. Misconfiguration of a server results in vulnerability to malware, hacking, and rootkits. Server administrators must take steps to secure their systems against these types of malicious activities to protect the University’s data and users. The steps in this baseline standard are the minimum security measures for any Milligan University server. Additional hardening may be needed depending on the function of the server and the sensitivity of the content on the server.
Server Security Baseline
This content is summarized from NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations and NIST 800-123 Guide to General Server Security.
Basic Security Steps Overview
- Plan the installation and deployment of the operating system (OS) and other components for the server.
- Install, configure, and secure the underlying OS
- Install, configure, and secure the server software
- For servers that host content, such as Web servers (Web pages), database servers (databases), and directory servers (directories), ensure that the content is properly secured. This is highly dependent on the type of server and the type of content, so it is outside the scope of this publication to provide recommendations for content security.
- Employ appropriate network protection mechanisms (e.g., firewall, packet filtering router, and proxy). Choosing the mechanisms for a particular situation depends on several factors, including the location of the server’s clients (e.g., Internet, internal, internal and remote access), the location of the server on the network, the types of services offered by the server, and the types of threats against the server.
- Employ secure administration and maintenance processes, including application of patches and upgrades, monitoring of logs, backups of data and OS, and periodic security testing.
A. Installation and Deployment Planning – General Server Considerations
During the planning stages of server and system deployment, it is critical to consider security from the beginning. The following items are important to consider, and will make the process of employing security controls more efficient:
- Identify the purpose(s) of the server.
- Identify the network services and protocols that will be provided on the server. Some examples include HTTP, FTP, SMTP, NFS, and TCP/IP.
- Identify any network service software, both client and server to be installed on the server and any other support servers.
- Identify the users or categories of users of the server and any support hosts.
- Determine the privileges that each category of user will have on the server and support hosts.
- Determine how the server will be managed (e.g., locally, remotely from the internal network, remotely from external networks).
- Decide if and how users will be authenticated and how authentication data will be protected.
- Determine how appropriate access to information resources will be enforced.
- Determine which server applications meet the organization’s requirements. Consider servers that may offer greater security, albeit with less functionality in some instances.
- Work closely with manufacturer(s) in the planning stage.
B. Operating System Considerations
Often the choice of server application determines the choice of server OS; however, in general, an OS should be selected that provides:
- Ability to granularly restrict administrative or root level activities to authorized users only.
- Ability to granularly control access to data on the server.
- Ability to disable unnecessary network services that may be built into the OS or server software.
- Ability to control access to various forms of executable programs, such as Common Gateway Interface (CGI) scripts and server plug-ins for Web servers, if applicable.
- Ability to log appropriate server activities to detect intrusions and attempted intrusions.
- Provision of a host-based firewall capability to restrict both incoming and outgoing traffic.
- Support for strong authentication protocols and encryption algorithms.
C. Physical Location Considerations
Considering the location of the server is very important for security. Due to the sensitive data that they may contain, it is critical that servers are in secure physical environments. When planning for this location, consider the following:
- Appropriate physical security protection mechanisms for the server and its networking components, including locks, card reader access, security guards, and physical intrusion detection systems (e.g., motion sensors, cameras).
- Appropriate environmental controls so that the necessary humidity and temperature are maintained, and the possible need for redundant controls.
- Backup power sources and how long power can be provided.
- Appropriate fire containment equipment that will minimize damage to equipment that would not otherwise be impacted by the fire.
- Redundant network connections and redundant data center locations for high availability systems.
- Protection from potential natural disasters that may exist in the server location.
D. Installation and Deployment Planning – Server Operating System Security
Many security issues can be avoided if the underlying OS on a server is configured appropriately. Although the specific techniques for securing different OSs vary greatly, this guide includes procedures that are applicable to most common systems.
E. Installation and Deployment Planning – Patch and Upgrade Operating System
After OS installation, the following items are important to adequately detect and correct vulnerabilities that may exist on an installed server OS:
- Create, document, and implement a patching process.
- Identify vulnerabilities and applicable patches.
- Mitigate vulnerabilities temporarily if needed and if feasible until patches are available, tested, and installed.
- Install permanent fixes (patches, upgrades, etc.).
- New or unpatched servers should be protected during the patching process. The following steps should be taken when preparing a server for deployment:
- Keep the servers disconnected from networks or connect them only to an isolated “build” network until all patches have been transferred to the servers through out-of-band means (e.g., CDs) and installed, and the other configuration steps listed in this section have been performed.
- Place the servers on a virtual local area network (VLAN) or other network segment that severely restricts what actions the hosts on it can perform and what communications can reach the hosts – only allowing those events that are necessary for patching and configuring the hosts. Do not transfer the hosts to regular network segments until all the configuration steps listed in this section have been performed.
F. Hardening and Securely Configuring the OS
Remove or disable unnecessary services, applications, and network protocols.
The following provide some examples of what services, applications, and protocols can be removed/disabled if they are not being utilized:
- File and printer sharing services (e.g., Windows Network Basic Input/Output System [NetBIOS] file and printer sharing, Network File System [NFS], FTP).
- Wireless networking services.
- Remote control and remote access programs, particularly those that do not strongly encrypt their communications (e.g., Telnet).
- Directory services (e.g., Lightweight Directory Access Protocol [LDAP], Network Information System [NIS]).
- Web servers and services.
- Email services (e.g., SMTP).
- Language compilers and libraries.
- System development tools.
- System and network management tools and utilities, including Simple Network Management Protocol (SNMP).
Completely removing unnecessary services is preferable to simply disabling them. It can enhance the security of the server in the following ways:
- Other services cannot be compromised and used to attack the host or impair the services of the server. Each service added to a host increases the risk of compromise for that host because each service is another possible avenue of access for an attacker. Less is more secure in this case.
- Other services may have defects or may be incompatible with the server itself. Removing or disabling them prevents such defects from affecting the server and can improve its availability.
- The host can be configured to better suit the requirements of the particular service. Different services might require different hardware and software configurations, which could lead to unnecessary vulnerabilities or negatively affect performance.
- By reducing services, the number of logs and log entries is reduced; therefore, detecting unexpected behavior becomes easier.
G. Configure OS User Authentication
The following steps are recommended to ensure that appropriate user authentication is in place:
- Remove or Disable Unneeded Default Accounts – The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove (whenever possible) or disable unnecessary accounts to eliminate their use by attackers, including guest accounts on computers containing sensitive information. For default accounts that need to be retained, including guest accounts, severely restrict access to the accounts, including changing the names (where possible and particularly for administrator or root level accounts) and passwords to be consistent with the password policy.
- Disable Non-Interactive Accounts – Disable accounts (and the associated passwords) that need to exist but do not require an interactive login. For Unix systems, disable the login shell or provide a login shell with NULL functionality (e.g., /bin/false).
- Create the User Groups – Assign users to the appropriate groups. Then assign rights to the groups. This approach is preferable to assigning rights to individuals, which becomes unwieldy with large numbers of users.
- Create the User Accounts – The deployment plan identifies who will be authorized to use each computer and its services. Create only the necessary accounts. Permit the use of shared accounts only when no viable alternatives exist. Server administrators who also use the server as ordinary users should have separate ordinary user accounts for that use.
- Configure Automated Time Synchronization – Some authentication protocols, such as Kerberos, will not function if the time differential between the client host and the authenticating server is significant, so servers using such protocols should be configured to automatically synchronize system time with a reliable time server. Typically, the time server is internal to the organization and uses the Network Time Protocol (NTP) for synchronization; publicly available NTP servers are also available on the Internet.
- Check the Password Policy – Set account passwords appropriately, according to the details outlined in the policy.
- Configure Computers to Prevent Password Guessing – If provided by the OS, configure the computer to increase the period between login attempts with each unsuccessful attempt. An alternative would be denying login for a period after a set number of failed attempts.
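The account checks in this section (disabling interactive shells on non-interactive accounts, removing default accounts such as guest), as an added example that is not part of this baseline document. The passwd data is constructed, and the UID cutoff, shell list and default-account list are assumptions to adjust per OS:

```shell
#!/bin/sh
# Added example (not the baseline document's own code): audit passwd(5)-format
# data for two section G items: service accounts that still have an interactive
# login shell (should be /bin/false or nologin) and well-known default accounts
# such as guest that should be removed or disabled. The sample is constructed;
# use audit_passwd "$(cat /etc/passwd)" on a real host. The UID cutoff and
# shell list are assumptions; adjust them for your OS.

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:110:115:PostgreSQL:/var/lib/postgresql:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF
)

NOLOGIN_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin' # NULL-function shells
DEFAULT_ACCOUNTS='guest'   # default names the baseline says to remove or disable
SYSTEM_UID_MAX=999         # assumption: UIDs 1-999 are service accounts

# in_list WORD LIST -> 0 if WORD is one of the space-separated LIST items
in_list() {
    for item in $2; do [ "$1" = "$item" ] && return 0; done
    return 1
}

# list_findings < passwd-data: prints "name:uid:shell:reason" per violation
list_findings() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        if in_list "$name" "$DEFAULT_ACCOUNTS"; then
            printf '%s:%s:%s:default-account\n' "$name" "$uid" "$shell"
        elif [ "$uid" -ne 0 ] && [ "$uid" -le "$SYSTEM_UID_MAX" ] &&
             ! in_list "$shell" "$NOLOGIN_SHELLS"; then
            printf '%s:%s:%s:interactive-service-account\n' "$name" "$uid" "$shell"
        fi
    done
}

# audit_passwd PASSWD_DATA: prints findings; returns 1 if any, else 0
audit_passwd() {
    findings=$(printf '%s\n' "$1" | list_findings)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"; return 1
}

audit_passwd "$SAMPLE_PASSWD" || echo "accounts above need remediation"
```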
H. Install Additional Security Controls
OSs often do not include all necessary security controls to adequately protect a server system. In these situations, administrators may need to utilize additional software to provide these controls. The following list provides some examples:
- Anti-malware software, including antivirus software, anti-spyware software, and rootkit detectors.
- Host-based intrusion detection and prevention software (IDPS).
- Host-based firewalls.
- Patch management or vulnerability management software.
- Disk encryption technologies.
I. Securely Installing Software
The following steps should be performed when installing the server software on the system:
- Install the server software either on a dedicated host or on a dedicated guest OS if virtualization is being employed.
- Apply any patches or upgrades to correct for known vulnerabilities in the server software.
- Create a dedicated physical disk or logical partition (separate from OS and server application) for server data, if applicable.
- Remove or disable all services installed by the server application but not required (e.g., gopher, FTP, HTTP, remote administration).
- Remove or disable all unneeded default user accounts created by the server installation.
- Remove all manufacturers’ documentation from the server.
- Remove all example or test files from the server, including sample content, scripts, and executable code.
- Remove all unneeded compilers.
- Apply the appropriate security template or hardening script to the server.
- For external-facing servers, reconfigure service banners not to report the server and OS type and version, if possible.
- Configure warning banners for all services that support such banners.
- Configure each network service to listen for client connections on only the necessary TCP and UDP ports, if possible.
J. Configure Software Access Controls
The typical files to which access should be controlled are as follows:
- Application software and configuration files.
- Files related directly to security mechanisms, including password hash files.
- Server log and audit files.
- System software and configuration files.
- Server content files.
It is also important to limit the files that can be accessed by the service processes. The following should be enforced with access controls:
- Service processes are configured to run as a user with a strictly limited set of privileges (i.e., not running as root, administrator, or equivalent).
- Service processes can write to server content files and directories only where necessary.
- Temporary files created by the server software are restricted to a specified and appropriately protected subdirectory (if possible). Access to these temporary files is limited to the server processes that created the files (if possible).
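One way to verify the file access controls this section calls for (owner and permission bits on password hash files, configuration files and logs), as an added example that is not part of this baseline document. The demo files, the baseline table and the use of the current user as owner are constructed for the demo:

```shell
#!/bin/sh
# Added example (not the baseline document's own code): check that files in
# the classes section J names (password hash, config, log files) are owned by
# the expected account and have none of the forbidden permission bits. Uses only
# POSIX find(1) tests. Demo files/table are constructed in a temp directory.

# check_file PATH OWNER [BITS...]: BITS are find(1) symbolic modes that must
# NOT be set (o+r = world-readable, g+w = group-writable). Returns 1 on violation.
check_file() {
    f=$1; owner=$2; shift 2; rc=0
    [ -e "$f" ] || { echo "MISSING $f"; return 1; }
    [ -n "$(find "$f" -maxdepth 0 -user "$owner")" ] ||
        { echo "OWNER $f: expected $owner"; rc=1; }
    for bits in "$@"; do
        [ -z "$(find "$f" -maxdepth 0 -perm "-$bits")" ] ||
            { echo "PERM $f: $bits set"; rc=1; }
    done
    return $rc
}

# run_baseline TABLE: lines "path|owner|bits bits ..."; returns 1 on any violation
run_baseline() {
    fail=0
    while IFS='|' read -r path owner bits; do
        [ -n "$path" ] || continue
        # $bits stays unquoted so each mode becomes its own argument
        check_file "$path" "$owner" $bits || fail=1
    done <<EOF
$1
EOF
    return $fail
}

# demo_setup DIR: constructed files standing in for the three file classes
demo_setup() {
    : > "$1/shadow";     chmod 600 "$1/shadow"      # hash file: compliant
    : > "$1/app.conf";   chmod 664 "$1/app.conf"    # group-writable: violation
    : > "$1/server.log"; chmod 640 "$1/server.log"  # log: compliant
}

# demo_table DIR: baseline rows for the demo files, owned by the current user
demo_table() {
    me=$(id -un)
    printf '%s|%s|%s\n' "$1/shadow" "$me" "g+r o+r" \
        "$1/app.conf" "$me" "g+w o+w" "$1/server.log" "$me" "g+w o+w o+r"
}

dir=$(mktemp -d); demo_setup "$dir"
run_baseline "$(demo_table "$dir")" || echo "baseline violations found"
rm -rf "$dir"
```

On a real host, replace demo_table with rows listing the actual paths (for example the shadow file, the application configuration directory and the log directory) and their expected owners.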
K. Configure Server Resource Constraints
To mitigate potential effects of certain DoS attacks, the server should be configured to limit the amount of OS resources consumed. This can include the following:
- Installing server content on a different hard drive or logical partition than the OS and server software.
- Placing limits on the amount of hard drive space dedicated for uploads, if uploads are allowed to the server. Uploads should also be placed on a separate partition if possible.
- Ensuring that files uploaded to the server are not readable by the server until some process has screened them for malware or attack tools.
- Configuring the maximum number of server processes and/or network connections that should be allowed on the server.