Server Security Information

For any operating system, it is important to follow server security information the general guidelines. The actual details used to implement these guidelines may vary slightly, but the ideas are the same regardless of the operating system. If followed, these will go a long way toward securing a computer. A server is any computer which processes requests for data or services from another networked computer. These services include, but are not limited to, HTML, print sharing, file sharing, database, application serving and so forth. Workstation operating systems such as NT or Unix/Linux can be configured in such a way as to act as a server.

Physical Security
All servers must be secured at all times to prevent theft and loss of critical data. They must be protected behind rooms that require access using biometrics or card swipe device. Room keys may be temporary used until one of the approved methods mentioned is obtained.

If the room can be accessed by anyone other than the system administrator, the console should remain locked when not in use. (Keep in mind that besides having administrative access if the server were physically stolen the thief would have access to whatever data reside on the system.)

Keys to servers must be secured and stored away from server to prevent unauthorized personnel from tampering with device. Physical access to servers must be limited to system administrators or those with the responsibility to maintain the server.

While not a security concern, a room housing a server should have environment controls such as temperature, humidity and power conditioning/backup systems.

Server Accounts Security
A server should be configured with unique user accounts for each administrator as opposed to a single account which is shared by all administrators. Passwords should use a combination of ASCII character types and be of ample length to protect against the abundance of password cracking utilities available today. Password entry should be encrypted.

Lock or remove all unnecessary accounts. All servers should authenticate all system users. Guest accounts on servers must be disabled. System administrators must use complex passwords and must change their password frequently.

Utilize strong passwords to ensure that only authorized users can access the system. Passwords must be changed when someone leaves that has access to servers. All passwords must follow:

• Minimum eight characters in length
• Not be a dictionary work
• Must not be related to the individual such as spouse or kids names or dates
• Do not write passwords down anywhere
• Change passwords every 45 days or less
• Do not include passwords in any electronic mail message

Antivirus Software
All servers must be running the latest version of anti-virus software. Systems administrators will ensure that:

• Software runs at startup
• Updates are installed automatically as they are made available
• System scan for viruses is run at least once a month

Remote Access
Use of remote access software like PCAnyware is not authorized on servers systems. Access to servers is limited to encrypted remote logins using VPN. No Telnet access is allowed. Remote administration should be done only with secure session software such as SSH. All unnecessary software services should be disabled on the server. The greater the number of services running on a server, the more open it is to attack. Security patches should be kept up to date.

Encrypted Authentication
All servers should use only encrypted authentication mechanisms. Services such as FTP, SNMP, POP and IMAP must be replaced by their encrypted equivalents. All sensitive data used or stored on a server must be protected the following:

• Encrypt sensitive and confidential information where appropriate.
• Monitor printers used to produce sensitive and confidential information.
• Overwrite sensitive files on fixed disks, floppy disks, or cartridges

Host-based Firewall/Intrusion Prevention Systems
For best protection, recommend use of host-based firewall and intrusion prevention systems. The current McAfee product under MEEC comes with a limited firewall and IPS capability. The use of HIPS technology will reduce need to patch servers.

• Install and configure a packet filtering utility such as TCP wrappers or a software or hardware firewall to protect individual services.
• The rules should reflect the acceptable use and security policies that have been defined for the computer.
• Operating system filters that deny or permit certain traffic should be used if available (e.g., most Unix and recent Windows versions).
• Periodically review the filters for inappropriate or unneeded access.
• Restrict access to services, where prudent. Limit access to databases to specific IP addresses

Unnecessary Services
Servers must run only necessary services. All non-critical services must be disabled and vulnerabilities eliminated.

• Each computer should only provide services needed for its role in an organization.
• Make sure to configure all installed software, disable all unused features and be sure to limit the availability of any features that are enabled.
• Disable Telnet and FTP. Use SSH instead.
• Unless using network management tools, turn off SNMP. If SNMP is enabled, change the default community name and set permissions. Be sure to delete the public community string, if software allows you to do this or at least change the default settings.
• Use of name services caching is okay, but do not run a name server.

Backups
All servers must be backed up at least weekly to tape and the copies stored. Additional copies may be stored at another location for quick retrieval.

Maintain physical security
Locate the server in a secure location with documentation of who has access.

• Use Uninterruptible Power Supply (UPS) for servers and other essential peripheral equipment (e.g., monitors KVM switches, etc.).
• Locate servers in a climate-controlled environment (e.g., dedicated air conditioning with in-room temperature controls).
• Consider basic fire suppression services/options (e.g., extinguishers, sprinklers, etc.).
• Utilize “keyboard locking” software or password protected screen savers to prevent keyboard activity.