In keeping with existing UNH and USNH policies, it is the duty of server administrators to maintain servers in a secure fashion. Maintaining each part of the network environment is a crucial step toward the goal of keeping that environment healthy and as secure as possible and furthers a defense-in-depth security strategy.
Server administrators are charged with safeguarding: 1) the server they manage; 2) the data that the server stores; 3) the users of their server; and 4) the network the server resides on and shares with other information systems.
The first question server administrators need to ask themselves is: do I need to build, maintain, and administer my own server? Might I be able to provide the services needed through a centralized or contracted service? If so, perhaps it is worth considering the possibility that a contracted service might be a better solution in the long-term. Even beyond offloading the day-to-day maintenance issues, server administrators may be able to get help with the legal aspects of data management if servers are managed by UNH IT.
Below is a simple check-list of areas that server administrators should consider when building and maintaining a server. This guide can assist in maintaining not just the 'drivers and wires' portion of a server, but it can also assist in administering the population that accesses a server an administrator is responsible for.
Most server operating systems have some form of auto-configuration utility available. Chef, Puppet and Ansible are all configuration management tools available for Linux operating systems. System Center Configuration Manager (SCCM) and Windows PowerShell Desired State Configuration (DSC) is available for Windows Server operating systems. UNH-IT can accommodate SCCM central configuration through their pre-existing SCCM instance. Please contact IT via the IT Service Desk for information.
Beyond using canned tools, server administrators should research hardening server operating systems through other means. Steps to take during this process include removing unnecessary services, applications and network protocols. Administrators should also configure operating system user authentication and resource controls appropriately. The Center for Internet Security (CIS) Benchmarks, available free of charge, are industry-best Benchmark configuration baselines that server administrators should strive to comply with when configuring a server.
Most operating systems allow for some form of automated patching; some allow for automated downloading of patches for your review before installation. Make best use of patch notification and/or automation as it pertains to your server.
Application patching can be a much trickier task, as many do not have automated patching or notification. It is essential that server administrators regularly check for updates to any software which accesses remotely stored resources, or provides remote users access to locally stored resources.
UNH IT offers update management servers for Windows operating systems through SCCM. UNH also performs regular vulnerability scanning that can detect out of date, vulnerable software running on your server. Please contact IT via the IT Service Desk for information.
All common operating systems offer some form of protective software. Anti-virus is available for any platform, as well as host-based intrusion detection, file integrity scanners, host-based firewalls, etc. Considering your options and using the appropriate measures can go a long way toward protecting your system. Many people are wary of the over-head of always-on protections like anti-virus, but consider that most packages can be configured to only monitor segments of a drive and can also be regularly scheduled. Impact for most measures can be mitigated, at least to a degree.
Anti-virus, anti-spyware, and rootkit detectors protect the local operating system from malware and may be able to eradicate any infections that occur. While anti-malware software is not a one-stop shop for defending your server from malicious software, it is an effective measure for filtering known attacks. Most operating systems offer some form of anti-malware software. UNH has licensed software for some operating systems. You can read more at https://www.unh.edu/it/kb/article/unh-campus-virus-protection.html.
Host-based firewalls are an important defense-in-depth component that provide certain capabilities most network-based firewalls cannot provide. Most operating systems come with some form of host-based firewall build into the operating system. Windows Firewall and IPChains for Linux are examples of host-based firewalls server administrators should consider configuring and enabling.
HIDPS is software that helps to detect and prevent attacks against servers, including denial of service (DoS) attacks. Another useful tool in this software family is a file integrity monitor (FIM) that monitors critical system files for changes. There are various HIDPS options available for all operating systems, including safe, open-source options.
Maintaining secure accounts procedures and ensuring access is only granted to legitimate authenticated users is a critical step in securing a server. The following are areas to consider when addressing account security:
Guest, Administrator, and Root level accounts are almost always included and enabled on server operating systems, with and without passwords. The names and passwords for these accounts are well-known by malicious actors and can easily guessed. Changing the name of these accounts and configuring the password to be more secure is highly recommended.
Remember to always change all default passwords configured on your server.
Always ensure you require a password for every account. For tips on using strong passwords, see the SANS OUCH! Newsletter on passphrases from April 2017: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201704_en.pdf
More information on good password practices can be found in the UNH IT Knowledge Base article here: https://www.unh.edu/it/kb/article/good-security-practices-to-adopt-at-work-school-and-at-home.html
Create user-groups and assign required roles and privileges to the groups. Then, assign user accounts to the respective user-group. Never use shared-accounts and only create accounts or provision access when access is required. Configure ordinary user accounts (standard user accounts) for server administrators that are also users of the server so that privileged account use is limited.
This process mirrors the process described in Section I – Securing the OS. The same principles applied in Section I apply to any software installed on a server. Other considerations include:
The Center for Internet Security has secure hardening benchmarks for common server software that should be utilized during software configuration stages when available.
When thinking about a server’s physical security, there are two main areas to consider: the environmental controls and access controls protecting the server.
Consider supplying regulated power to the server. In the event that the main power supply is lost, an uninterrupted power supply (UPS) can be used as a fail-safe to ensure the data on the server is not destroyed due to a loss of power. Controls that can protect the server during a fire or flood, for example, should also be put in place to protect the physical hardware. This includes both detection and prevention controls. Be sure to supply air conditioning to prevent overheating and adequate air-flow around the server. The server environment should be reasonably free of dust.
Access to the room where the server is stored should be limited. The server should be behind a locked door. Unlocking mechanisms with auditing capabilities are highly recommended so that a record of who accessed the server room and when it was accessed, can be easily generated. Visitors should be required to sign-in and should not be left unattended. Cameras that monitor the areas are highly encouraged as well.
In a server environment, protecting data is what most of the previous steps are about. There are additional controls server administrators should, and sometimes must, implement to adequately protect data.
Backing up data stored on servers is critical. There are many mechanisms and techniques for implementing this control. Things to consider include:
There are service level agreements available for backup services from IT. Please contact IT via the IT Service Desk for information.
Regular review of server logs is a critical part of administration. Often times, logs can provide early signs of problems. Both security problems and technology problems can be often be dealt with before excessive damage is done by making log review a regular practice. There are also tools that can monitor logs for suspicious activity, something that all server administrators might want to consider.
The University holds a good deal of data that is covered by any number of State and Federal regulations including FERPA, HIPAA, GLBA, etc. Be certain your data handling practices are in compliance with the regulations governing any data stored, accessed, managed, or processed by your server.
(Revision 8 AUG 2017 by S. Descoteaux)
Article ID: 327
Created On: Fri, Jun 12, 2015 at 10:01 AM
Last Updated On: Tue, Jul 17, 2018 at 3:38 PM
Online URL: https://www.unh.edu/it/kb/article/unh-server-best-practices.html