UNH Server Best Practices

In keeping with existing UNH and USNH policies, it is the duty of server administrators to maintain servers in a secure fashion. Maintaining each part of the network environment is a crucial step toward the goal of keeping that environment healthy and as secure as possible and furthers a defense-in-depth security strategy.

Server administrators are charged with safeguarding: 1) the server they manage; 2) the data that the server stores; 3) the users of their server; and 4) the network the server resides on and shares with other information systems.

The first question server administrators need to ask themselves is: do I need to build, maintain, and administer my own server? Might I be able to provide the services needed through a centralized or contracted service? If so, a contracted service might be the better solution in the long term. Even beyond offloading the day-to-day maintenance issues, server administrators may be able to get help with the legal aspects of data management if servers are managed by UNH IT.

The Checklist

Below is a simple checklist of areas that server administrators should consider when building and maintaining a server. This guide can assist in maintaining not just the 'drivers and wires' portion of a server, but also in administering the population of users who access the server an administrator is responsible for.

  • Proper configuration on the base operating system.
  • Regular updating/patching of operating system and network-accessing applications.
  • Installation and maintenance of viable protective software.
  • Proper oversight of user accounts.
  • Compliance with all applicable regulations regarding the data stored on, or transmitted through, the server.
  • Data Protection
  • Regular Log Review
  • Proper care taken to the physical security and access of the server.

Section I - The Operating System

Most server operating systems have some form of auto-configuration utility available. Chef, Puppet and Ansible are all configuration management tools available for Linux operating systems. System Center Configuration Manager (SCCM) and Windows PowerShell Desired State Configuration (DSC) are available for Windows Server operating systems. UNH IT can accommodate SCCM central configuration through their pre-existing SCCM instance. Please contact IT via the IT Service Desk for information.

Beyond using canned tools, server administrators should research hardening server operating systems through other means. Steps to take during this process include removing unnecessary services, applications and network protocols. Administrators should also configure operating system user authentication and resource controls appropriately. The Center for Internet Security (CIS) Benchmarks, available free of charge, are industry-best configuration baselines that server administrators should strive to comply with when configuring a server.

Section II - Updating and Patching

Most operating systems allow for some form of automated patching; some allow for automated downloading of patches for your review before installation. Make best use of patch notification and/or automation as it pertains to your server.

Application patching can be a much trickier task, as many do not have automated patching or notification. It is essential that server administrators regularly check for updates to any software which accesses remotely stored resources, or provides remote users access to locally stored resources.

UNH IT offers update management servers for Windows operating systems through SCCM. UNH also performs regular vulnerability scanning that can detect out-of-date, vulnerable software running on your server. Please contact IT via the IT Service Desk for information.

Section III - Protective Software

All common operating systems offer some form of protective software. Anti-virus is available for any platform, as well as host-based intrusion detection, file integrity scanners, host-based firewalls, etc. Considering your options and using the appropriate measures can go a long way toward protecting your system. Many people are wary of the overhead of always-on protections like anti-virus, but consider that most packages can be configured to only monitor segments of a drive and can also be regularly scheduled. Impact for most measures can be mitigated, at least to a degree.

Anti-Malware Software:

Anti-virus, anti-spyware, and rootkit detectors protect the local operating system from malware and may be able to eradicate any infections that occur. While anti-malware software is not a one-stop shop for defending your server from malicious software, it is an effective measure for filtering known attacks. Most operating systems offer some form of anti-malware software. UNH has licensed software for some operating systems. You can read more at www.virus.unh.edu.

Host-Based Firewalls:

Host-based firewalls are an important defense-in-depth component that provides certain capabilities most network-based firewalls cannot provide. Most operating systems come with some form of host-based firewall built into the operating system. Windows Firewall and IPChains for Linux are examples of host-based firewalls server administrators should consider configuring and enabling.

Host-Based Intrusion Detection and Prevention Software (HIDPS)

HIDPS is software that helps to detect and prevent attacks against servers, including denial of service (DoS) attacks. Another useful tool in this software family is a file integrity monitor (FIM) that monitors critical system files for changes. There are various HIDPS options available for all operating systems, including safe, open-source options.

Section IV - User Authentication

Maintaining secure account procedures and ensuring access is only granted to legitimate authenticated users is a critical step in securing a server. The following are areas to consider when addressing account security:

Removing and Disabling Unneeded Default Accounts

Guest, Administrator, and Root level accounts are almost always included and enabled on server operating systems, with and without passwords. The names and passwords for these accounts are well-known by malicious actors and can easily be guessed. Changing the name of these accounts and configuring the password to be more secure is highly recommended.

Remember to always change all default passwords configured on your server.

Password Policies

Always ensure you require a password for every account. For tips on using strong passwords, see the SANS OUCH! Newsletter on passphrases from April 2017: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201704_en.pdf

More information on good password practices can be found in the UNH IT Knowledge Base article here: https://www.unh.edu/it/kb/article/good-security-practices-to-adopt-at-work-school-and-at-home.html
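On a Linux server, the default-account and password-required checks described above can be automated. The following added example (not part of the original article) parses text in /etc/passwd and /etc/shadow format and flags accounts with an empty password field and accounts other than root that hold UID 0; the sample data and the function name are constructed for illustration.

```python
# Constructed sample data in /etc/passwd and /etc/shadow format
# (not taken from a real host; hashes are placeholders).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""

SHADOW = """\
root:$6$examplesalt$examplehash:17386:0:99999:7:::
daemon:*:17386:0:99999:7:::
toor:$6$examplesalt$examplehash:17386:0:99999:7:::
guest::17386:0:99999:7:::
alice:$6$examplesalt$examplehash:17386:0:99999:7:::
"""


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs in passwd-file order."""
    # Second shadow field: empty means no password is required,
    # "*" or a leading "!" means password login is locked.
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]

    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, pw_field, uid = fields[0], fields[1], fields[2]
        # An empty passwd field, or an empty shadow field, both mean
        # the account can be used without a password.
        if pw_field == "" or shadow.get(name) == "":
            findings.append((name, "empty password"))
        # Any account with UID 0 has full root privileges.
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings
```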

Configure Role-Based Access Control

Create user-groups and assign required roles and privileges to the groups. Then, assign user accounts to the respective user-group. Never use shared-accounts and only create accounts or provision access when access is required. Configure ordinary user accounts (standard user accounts) for server administrators that are also users of the server so that privileged account use is limited.

Section V – Server Software

This process mirrors the process described in Section I – Securing the OS. The same principles applied in Section I apply to any software installed on a server. Other considerations include:

  • Any unnecessary services, applications, or scripts that are installed during software installation should be removed immediately after the process is complete
  • Immediately apply any patches or upgrades once software is installed
  • Remove or disable all services installed that are not required for the software to function
  • Remove manufacturer documentation from the server
  • Remove any default user accounts that are not necessary

The Center for Internet Security has secure hardening benchmarks for common server software that should be utilized during software configuration stages when available.

Section VI - Physical Security

When thinking about a server’s physical security, there are two main areas to consider: the environmental controls and access controls protecting the server.

Environmental Controls

Consider supplying regulated power to the server. In the event that the main power supply is lost, an uninterrupted power supply (UPS) can be used as a fail-safe to ensure the data on the server is not destroyed due to a loss of power. Controls that can protect the server during a fire or flood, for example, should also be put in place to protect the physical hardware. This includes both detection and prevention controls. Be sure to supply air conditioning to prevent overheating and adequate air-flow around the server. The server environment should be reasonably free of dust.

Access Controls

Access to the room where the server is stored should be limited. The server should be behind a locked door. Unlocking mechanisms with auditing capabilities are highly recommended so that a record of who accessed the server room, and when it was accessed, can be easily generated. Visitors should be required to sign in and should not be left unattended. Cameras that monitor the areas are highly encouraged as well.

Section VII - Data Protection

In a server environment, protecting data is what most of the previous steps are about. There are additional controls server administrators should, and sometimes must, implement to adequately protect data.

Backups

Backing up data stored on servers is critical. There are many mechanisms and techniques for implementing this control. Things to consider include:

  1. How regularly are backups performed?
  2. Where are backups stored?
  3. If they are physically stored at an offsite location, is the location secure?
  4. Have the backups been tested to ensure data can be restored?
  5. Is the data subject to any data retention policy?

There are service level agreements available for backup services from IT. Please contact IT via the IT Service Desk for information.

Section VIII - Log Review

Regular review of server logs is a critical part of administration. Oftentimes, logs can provide early signs of problems. Both security problems and technology problems can often be dealt with before excessive damage is done by making log review a regular practice. There are also tools that can monitor logs for suspicious activity, something that all server administrators might want to consider.
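A minimal form of the automated log monitoring mentioned above, as an added example that is not part of the original article: it scans OpenSSH authentication log lines for repeated failed logins from one address and for a successful login that follows such a run. The sample lines are constructed, and the threshold of three failures is an assumption to tune per server.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (not real data;
# addresses are from the reserved documentation ranges).
SAMPLE_LOG = """\
Aug  8 02:11:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Aug  8 02:11:04 srv1 sshd[2104]: Failed password for root from 203.0.113.5 port 40118 ssh2
Aug  8 02:11:09 srv1 sshd[2107]: Failed password for root from 203.0.113.5 port 40125 ssh2
Aug  8 02:11:15 srv1 sshd[2110]: Accepted password for root from 203.0.113.5 port 40131 ssh2
Aug  8 09:02:40 srv1 sshd[2388]: Failed password for alice from 198.51.100.7 port 51820 ssh2
Aug  8 09:02:52 srv1 sshd[2388]: Accepted password for alice from 198.51.100.7 port 51820 ssh2
Aug  8 09:30:00 srv1 sshd[2388]: Connection closed by 198.51.100.7 port 51820
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def review(log_text, threshold=3):
    """Return (finding, source_ip, user) tuples in log order."""
    failures = defaultdict(int)  # failed attempts seen so far per source IP
    findings = []
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue  # not an authentication result line
        ip, user = match["ip"], match["user"]
        if match["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:  # report once per source
                findings.append(("repeated_failures", ip, user))
        elif failures[ip] >= threshold:
            # A success after many failures may mean a guessed password.
            findings.append(("success_after_failures", ip, user))
    return findings
```

The single mistyped password from 198.51.100.7 stays below the threshold and produces no finding, which keeps routine user error out of the review queue.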

Section IX - Regulatory Compliance

The University holds a good deal of data that is covered by any number of State and Federal regulations including FERPA, HIPAA, GLBA, etc. Be certain your data handling practices are in compliance with the regulations governing any data stored, accessed, managed, or processed by your server.

UNH and USNH Policies

Additional Resources

(Revision 8 AUG 2017 by S. Descoteaux)  

Custom Fields
  • Author: UNH Information Security Services
  • Department: Information Security Services