Backup
The server is the central hub and will often store everyone's data, including customer data. Set up automated backups via tapes, NAS, SAN or through a backup application which pushes data to a cloud server for offsite storage.
Use a VPN or jump server
A VPN gives you another layer of authentication and encryption for administering the server. Jump servers are another option: VPN in, then hop through a jump server to reach internal resources which are not directly exposed.
Do not use unsupported operating systems
If you do, patches and support may not exist. Think Windows Server 2003, 2008, 2012, and soon 2016. The same applies to Linux distributions.
Patch it up
Updates close off a good chunk of vulnerabilities, so keep on top of them by checking for updates weekly or automating it. If you are cautious, test patches for the core O/S and software on a test server first to reduce the risk of bricking a production server. Firmware should be looked at as well.
Disable the guest account
The Guest account ships with Windows Server and Windows 10/11 and typically provides a login with no password needed. Rename and disable it, or at the very least set a password.
Remove unwanted roles/features/software
The more roles, features, or 3rd party software, the greater the attack surface. Review what is installed and remove what is not needed; e.g., if the server is not a web server, it is unlikely to need IIS or Apache.
Run a vulnerability scanner
The number of add-ons, services and software installed within any operating system makes it difficult to know what is secure and what could be exploited remotely. Vulnerability scanners can check the software, registry, default credentials, cryptography, and services to see what is vulnerable and how it can be fixed. This should be a frequent scan, not something done only once a year.
Use the integrated firewall
Windows Server comes with one by default, with built-in rules, and Linux flavours use UFW (Uncomplicated Firewall) or iptables (more techy). If you are running a web server, then 80/443 should be open, and for a mail server, 25/80/443. Rules should be strict for both inbound and outbound. 22 (SSH) and 3389 (RDP) should be restricted to administrator IP ranges. Segmentation should also be considered, but this is done outside of the server’s configuration.
Change the default username
Any hacker or automated tool will go after the default administrator account, including on AWS (Amazon Web Services). Disable it and create a new one whose name does not sound like ‘admin’ or ‘administrator’. Use an account name that cannot be guessed and set a strong password. You can also set password lockouts, but be careful with this function: repeated failed attempts against a known account name lock that account out, which turns the lockout into a DoS attack. Two-factor authentication is, of course, a must.
Use an IPS (intrusion prevention system)
Think of this as network antimalware which covers all of the devices behind it, server or desktop. It can run on the server itself or, better, on dedicated hardware, and is tuned based on your server types and installed software.
Disable IPv6
IPv6 is not new, but its uptake is not great. If you only use IPv4, do not enable IPv6.
Enable SELinux
This one is Linux only, as the name suggests, and was originally created by Red Hat & the NSA. This free kernel module adds mandatory access control on top of the standard file permissions, enhancing access control greatly.
Use NTP (network time protocol)
This one is more for logging and authentication: accurate clocks keep log timestamps comparable across systems, and AD/Kerberos authentication fails when clocks drift too far apart. NTP uses port 123/UDP to keep your server clock in sync with external time servers.
Install antimalware
Windows Server comes with a basic one, and Microsoft sells an enterprise product, which has great ratings. Of course, you can use 3rd party products for all O/S flavours, and consider EDR/MDR/XDR rather than a bog-standard cheap one.
Harden AD (Active Directory)
Microsoft AD has been around for decades and contains all of your groups, users and computers. It is every hacker’s dream to go after it and make themselves a domain admin. Harden it as a priority.
Encrypt the HDD/SSD
Most server operating systems offer full-disk encryption, which stops someone from viewing the contents of a drive if it is lost or stolen. Data centres may have good security but are not perfect. BitLocker can assist with Windows Server.
Logs
Windows and Linux server operating systems log a lot by default, but what happens if someone trashes the server? The logs may not be retrievable. Use syslog or a SIEM to store the logs centrally and have them exported automatically more than once an hour.
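Once the logs are central, detection logic can run over them. As an added example (not from the original post, function names and sample lines are mine), this POSIX shell snippet counts failed SSH logins per source IP over constructed syslog-style lines and flags sources at or above a threshold, which is the per-source logic Fail2ban automates; blocking the source rather than locking the account avoids the lockout-as-DoS problem mentioned above.

```shell
#!/bin/sh
# Added example (not from the original post): per-source-IP failed-login detection
# over central auth logs. Constructed sample lines use TEST-NET addresses and
# fictional hosts/users.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 srv1 sshd[1412]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:04 srv1 sshd[1415]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:05 srv1 sshd[1418]: Failed password for invalid user administrator from 203.0.113.7 port 51034 ssh2
Mar  3 10:01:09 srv1 sshd[1420]: Accepted publickey for ops-alice from 198.51.100.5 port 40112 ssh2
Mar  3 10:02:11 srv1 sshd[1433]: Failed password for ops-alice from 198.51.100.5 port 40120 ssh2'

# Read log lines on stdin; print "count ip" for every source with >= $1 failures,
# highest first. Handles both "Failed password for USER from IP" and
# "... for invalid user USER from IP" by locating the "from" token.
ssh_failed_sources() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Usernames tried from a given source ($1), one per line: shows which names get
# guessed and why the login name should not be admin/administrator/root.
ssh_usernames_from() {
  awk -v src="$1" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == src) print $(i-1)
    }' | sort -u
}

# Demo: the scanner is flagged; the admin who mistyped once (198.51.100.5) is not.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failed_sources 3        # prints: 3 203.0.113.7
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_usernames_from 203.0.113.7
```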
SSH security
Secure shell is the core way of administering Linux servers and, unlike RDP, is not GUI-based.
- Consider changing the port to something besides 22/TCP – not a massive defence, but a small hurdle
- Do not use a default account
- Either use key-based authentication (keep the key file safe & password-protect it) or a password; if using the latter, ensure the username is not guessable and the password is kickass. Key-based is arguably better but has some cons
- Disable root login, and once logged in, elevate the session
- Remove old, less secure protocols by editing /etc/ssh/sshd_config
- Enable Fail2ban, which automatically blocks IP addresses after repeated failed login attempts
- Use UFW or iptables to filter access down to admin IP ranges only
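The SSH items above as a check, written for this page and not taken from the original post (the function names are mine): a small POSIX shell audit of an sshd_config read from stdin, assuming the usual `Directive value` layout rather than `Directive=value`, that reports root login, SSH-1, weak ciphers and a missing AllowUsers as findings and returns their count. On a live box run it as `sshd_audit < /etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH sshd_config, fed on
# stdin, against the SSH hardening items above. Assumes "Directive value" lines;
# directives after the first "Match" block are conditional, so parsing stops there.

# Print the value of the first active occurrence of directive $1 in config text $2.
sshd_get() {
  printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# Read sshd_config from stdin, print FAIL/WARN lines, return the number of FAILs.
sshd_audit() {
  cfg=$(cat); n=0
  v=$(sshd_get PermitRootLogin "$cfg")
  [ "$v" = no ] || { echo "FAIL PermitRootLogin='${v:-default}': set to no, elevate after login"; n=$((n+1)); }
  v=$(sshd_get Protocol "$cfg")
  case ",$v," in *,1,*) echo "FAIL Protocol '$v' still allows SSH-1"; n=$((n+1)) ;; esac
  v=$(sshd_get Ciphers "$cfg")
  case "$v" in *arcfour*|*3des*|*-cbc*) echo "FAIL weak cipher in '$v'"; n=$((n+1)) ;; esac
  v=$(sshd_get AllowUsers "$cfg")
  [ -n "$v" ] || { echo "FAIL no AllowUsers: restrict logins to named admin accounts"; n=$((n+1)); }
  v=$(sshd_get PasswordAuthentication "$cfg")
  [ "$v" = no ] || echo "WARN password logins allowed (default yes): prefer keys"
  v=$(sshd_get Port "$cfg")
  [ -n "$v" ] && [ "$v" != 22 ] || echo "WARN listening on default port 22 (small hurdle only)"
  return "$n"
}

# Demo on a constructed weak config (not any real server's file): 4 findings.
rc=0
sshd_audit <<'EOF' || rc=$?
Port 22
PermitRootLogin yes
Protocol 2,1
Ciphers aes128-ctr,arcfour
PasswordAuthentication yes
EOF
echo "findings: $rc"
```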
Secure RDP
Remote Desktop Protocol is the main way to administer a Windows Server without 3rd party software.
- Disable RDP if not used
- Use a non-standard and non-guessable username
- Use a strong password, not Adminuser352 but sP'TE:#>bRX(6CrJ}!h32@
- Like the above, use a firewall to control who can connect to 3389/TCP
- Use two-factor authentication, of course
- Consider changing the port to something besides 3389/TCP – not a massive defence, but a small hurdle
- NLA – enable Network Level Authentication
- TLS – enable Transport Layer Security
- FIPS – set the encryption level to the maximum and enable FIPS-compliant algorithms
- Groups – RDP can be controlled by a group. Only give it to a few users
- Lockout – setting a lock-out policy of ten attempts is a good idea, but be careful, as repeated failed attempts against a known account can be used to lock out legitimate users
- Certificates – change to a non-self-signed TLS cert