UNH Server Best Practices
In keeping with existing UNH and USNH policies, it is the duty of server administrators to maintain servers in a secure fashion. Maintaining each part of the network environment is a crucial step toward the goal of keeping that environment healthy and as secure as possible and furthers a defense-in-depth security strategy.
Server administrators are charged with safeguarding: 1) the server they manage; 2) the data that the server stores; 3) the users of their server; and 4) the network the server resides on and shares with other information systems.
The first question server administrators need to ask themselves is: do I need to build, maintain, and administer my own server? Might I be able to provide the services needed through a centralized or contracted service? If so, perhaps it is worth considering the possibility that a contracted service might be a better solution in the long-term. Even beyond offloading the day-to-day maintenance issues, server administrators may be able to get help with the legal aspects of data management if servers are managed by UNH IT.
Below is a simple checklist of areas that server administrators should consider when building and maintaining a server. This guide can assist in maintaining not just the 'drivers and wires' portion of a server, but also in administering the population of users who access that server.
- Proper configuration of the base operating system.
- Regular updating/patching of the operating system and network-accessing applications.
- Installation and maintenance of viable protective software.
- Proper oversight of user accounts.
- Compliance with all applicable regulations regarding the data stored on, or transmitted through, the server.
- Data protection.
- Regular log review.
- Proper care for the physical security of, and access to, the server.
Section I - The Operating System
Most server operating systems have some form of auto-configuration utility available. Chef, Puppet and Ansible are all configuration management tools available for Linux operating systems. System Center Configuration Manager (SCCM) and Windows PowerShell Desired State Configuration (DSC) are available for Windows Server operating systems. UNH IT can accommodate SCCM central configuration through its pre-existing SCCM instance. Please contact IT via the IT Service Desk for information.
Beyond using canned tools, server administrators should research hardening server operating systems through other means. Steps to take during this process include removing unnecessary services, applications and network protocols. Administrators should also configure operating system user authentication and resource controls appropriately. The Center for Internet Security (CIS) Benchmarks, available free of charge, are industry-best configuration baselines that server administrators should strive to comply with when configuring a server.
Section II - Updating and Patching
Most operating systems allow for some form of automated patching; some allow for automated downloading of patches for your review before installation. Make best use of patch notification and/or automation as it pertains to your server.
Application patching can be a much trickier task, as many applications do not have automated patching or notification. It is essential that server administrators regularly check for updates to any software which accesses remotely stored resources, or provides remote users access to locally stored resources.
UNH IT offers update management servers for Windows operating systems through SCCM. UNH also performs regular vulnerability scanning that can detect out-of-date, vulnerable software running on your server. Please contact IT via the IT Service Desk for information.
Section III - Protective Software
All common operating systems offer some form of protective software. Anti-virus is available for any platform, as are host-based intrusion detection, file integrity scanners, host-based firewalls, etc. Considering your options and using the appropriate measures can go a long way toward protecting your system. Many people are wary of the overhead of always-on protections like anti-virus, but consider that most packages can be configured to monitor only segments of a drive and can also be run on a regular schedule. Impact for most measures can be mitigated, at least to a degree.
Anti-virus, anti-spyware, and rootkit detectors protect the local operating system from malware and may be able to eradicate any infections that occur. While anti-malware software is not a one-stop shop for defending your server from malicious software, it is an effective measure for filtering known attacks. Most operating systems offer some form of anti-malware software. UNH has licensed software for some operating systems. You can read more at www.virus.unh.edu.
Host-based firewalls are an important defense-in-depth component that provides certain capabilities most network-based firewalls cannot provide. Most operating systems come with some form of host-based firewall built into the operating system. Windows Firewall and IPChains for Linux are examples of host-based firewalls server administrators should consider configuring and enabling.
Host-Based Intrusion Detection and Prevention Software (HIDPS)
HIDPS is software that helps to detect and prevent attacks against servers, including denial of service (DoS) attacks. Another useful tool in this software family is a file integrity monitor (FIM) that monitors critical system files for changes. There are various HIDPS options available for all operating systems, including safe, open-source options.
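As an illustration of what a file integrity monitor does, the following added example (not part of the original UNH guidance and not any product's code) records SHA-256 digests of watched files and reports what changed since the baseline. The file names and contents are constructed and live in a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Map each watched path to its SHA-256 digest (None if the file is absent)."""
    digests = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                digests[path] = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            digests[path] = None
    return digests

def compare(baseline, current):
    """Return sorted (path, status) pairs for paths that differ from the baseline."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        status = "added" if old is None else "removed" if new is None else "modified"
        changes.append((path, status))
    return changes

def write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    """Exercise the monitor on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        watched = [os.path.join(root, n)
                   for n in ("sshd_config", "sudoers", "hosts", "cron.allow")]
        for path in watched[:3]:              # cron.allow does not exist yet
            write(path, "constructed baseline content\n")
        baseline = snapshot(watched)          # taken while the host is trusted
        write(watched[0], "PermitRootLogin yes\n", mode="a")   # modified
        os.remove(watched[1])                                  # removed
        write(watched[3], "root\n")                            # added
        changes = compare(baseline, snapshot(watched))
        return [(os.path.basename(p), s) for p, s in changes]

if __name__ == "__main__":
    for name, status in demo():
        print(f"{status:9} {name}")
```

A baseline is only useful if it is stored where someone who compromises the server cannot rewrite it, such as on another host or on read-only media.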
Section IV - User Authentication
Maintaining secure account procedures and ensuring access is only granted to legitimate, authenticated users is a critical step in securing a server. The following are areas to consider when addressing account security:
Removing and Disabling Unneeded Default Accounts
Guest, Administrator, and Root level accounts are almost always included and enabled on server operating systems, with and without passwords. The names and passwords for these accounts are well known to malicious actors and can easily be guessed. Changing the name of these accounts and configuring the password to be more secure is highly recommended.
Remember to always change all default passwords configured on your server.
Always ensure you require a password for every account. For tips on using strong passwords, see the SANS OUCH! Newsletter on passphrases from April 2017: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201704_en.pdf
More information on good password practices can be found in the UNH IT Knowledge Base article here: https://www.unh.edu/it/kb/article/good-security-practices-to-adopt-at-work-school-and-at-home.html
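The account checks above can be automated on a Linux server. This added example (not from the original guidance) audits passwd- and shadow-format text for accounts with no password, extra UID 0 accounts, and well-known default accounts that can still log in. The sample records, the watch list of default names, and the list of no-login shells are constructed assumptions.

```python
# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
backup:x:0:0:backup admin:/root:/bin/bash
svc_web:x:998:998::/var/www:/usr/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:17380:0:99999:7:::
guest::17380:0:99999:7:::
backup:$6$constructed$hash:17380:0:99999:7:::
svc_web:!:17380:0:99999:7:::
alice:$6$constructed$hash:17380:0:99999:7:::
"""
DEFAULT_NAMES = {"guest", "administrator", "admin"}   # assumed watch list
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def audit_accounts(passwd_text, shadow_text):
    """Return sorted (account, finding) tuples for risky accounts."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                       # skip malformed or blank lines
        name, _, uid, _, _, _, shell = fields
        pw = hashes.get(name)
        # A shadow field starting with "!" or "*" means password login is locked.
        locked = pw is not None and pw.startswith(("!", "*"))
        can_login = shell not in NOLOGIN_SHELLS and not locked
        if pw == "":
            findings.append((name, "empty password"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if name.lower() in DEFAULT_NAMES and can_login:
            findings.append((name, "default account enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```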
Configure Role-Based Access Control
Create user groups and assign required roles and privileges to the groups. Then, assign user accounts to the respective user group. Never use shared accounts, and only create accounts or provision access when access is required. Configure ordinary user accounts (standard user accounts) for server administrators who are also users of the server so that privileged account use is limited.
Section V – Server Software
This process mirrors the process described in Section I - The Operating System. The same principles applied in Section I apply to any software installed on a server. Other considerations include:
- Any unnecessary services, applications, or scripts that are installed during software installation should be removed immediately after the process is complete
- Immediately apply any patches or upgrades once software is installed
- Remove or disable all services installed that are not required for the software to function
- Remove manufacturer documentation from the server
- Remove any default user accounts that are not necessary
The Center for Internet Security has secure hardening benchmarks for common server software that should be utilized during software configuration stages when available.
Section VI - Physical Security
When thinking about a server’s physical security, there are two main areas to consider: the environmental controls and access controls protecting the server.
Consider supplying regulated power to the server. In the event that the main power supply is lost, an uninterruptible power supply (UPS) can be used as a fail-safe to ensure the data on the server is not destroyed due to a loss of power. Controls that can protect the server during a fire or flood, for example, should also be put in place to protect the physical hardware. This includes both detection and prevention controls. Be sure to supply air conditioning to prevent overheating and adequate air-flow around the server. The server environment should be reasonably free of dust.
Access to the room where the server is stored should be limited. The server should be behind a locked door. Unlocking mechanisms with auditing capabilities are highly recommended so that a record of who accessed the server room, and when, can be easily generated. Visitors should be required to sign in and should not be left unattended. Cameras that monitor the area are highly encouraged as well.
Section VII - Data Protection
In a server environment, protecting data is what most of the previous steps are about. There are additional controls server administrators should, and sometimes must, implement to adequately protect data.
Backing up data stored on servers is critical. There are many mechanisms and techniques for implementing this control. Things to consider include:
- How regularly are backups performed?
- Where are backups stored?
- If they are physically stored at an offsite location, is the location secure?
- Have the backups been tested to ensure data can be restored?
- Is the data subject to any data retention policy?
There are service level agreements available for backup services from IT. Please contact IT via the IT Service Desk for information.
Section VIII - Log Review
Regular review of server logs is a critical part of administration. Logs can often provide early signs of problems. Both security problems and technology problems can often be dealt with before excessive damage is done by making log review a regular practice. There are also tools that can monitor logs for suspicious activity, something that all server administrators might want to consider.
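To show the kind of check a log-monitoring tool performs, this added example (not from the original guidance) scans OpenSSH-style authentication log lines for repeated failed logins from one source and for a successful login that follows such a burst. The log lines are constructed, and the threshold of three failures is an assumption to tune per server.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Aug  8 10:01:02 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Aug  8 10:01:05 srv sshd[1203]: Failed password for root from 203.0.113.5 port 40031 ssh2
Aug  8 10:01:09 srv sshd[1207]: Failed password for guest from 203.0.113.5 port 40040 ssh2
Aug  8 10:02:14 srv sshd[1215]: Failed password for alice from 198.51.100.7 port 51200 ssh2
Aug  8 10:02:30 srv sshd[1218]: Accepted password for alice from 198.51.100.7 port 51204 ssh2
Aug  8 10:03:41 srv sshd[1224]: Accepted password for guest from 203.0.113.5 port 40055 ssh2
"""

PATTERN = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)

def review(log_text, threshold=3):
    """Return (source, alert) tuples in the order the events appear in the log."""
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if not match:
            continue                       # not a password login event
        outcome, user, source = match.groups()
        if outcome == "Failed":
            failures[source] += 1
            if failures[source] == threshold:      # alert once per source
                alerts.append((source, "repeated failures"))
        elif failures[source] >= threshold:
            # A success after a burst of failures deserves a closer look.
            alerts.append(
                (source, f"login as {user} after {failures[source]} failures"))
    return alerts

if __name__ == "__main__":
    for source, alert in review(SAMPLE_LOG):
        print(f"{source}: {alert}")
```

The single mistyped password from 198.51.100.7 stays below the threshold and raises no alert, which keeps routine user errors out of the review queue.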
Section IX - Regulatory Compliance
The University holds a good deal of data that is covered by any number of State and Federal regulations including FERPA, HIPAA, GLBA, etc. Be certain your data handling practices are in compliance with the regulations governing any data stored, accessed, managed, or processed by your server.
UNH and USNH Policies
- NIST Computer Security Division Special Publications - 800 Series
- Center for Internet Security Benchmarks
- US-CERT (Computer Emergency Readiness Team) Tech-Tips
- Microsoft Security Resources
(Revision 8 AUG 2017 by S. Descoteaux)