Why harden a server
For well-known applications such as SQL Server, security guidelines are available from the vendor; check with your application vendor for their current security baselines. For custom-developed and in-house applications, an application penetration test is a good starting point for identifying vulnerabilities or misconfigurations that need to be addressed. Cyber-criminals assume that an organisation will not learn a lesson from the first.

The September Patch Tuesday security bundle from Microsoft fixes 60 vulnerabilities, including some rated Critical and a zero-day under active attack affecting Microsoft Office. Pass the hash is a technique used to steal credentials and enable lateral movement within a target network.

In Windows networks, the challenge-response model used by NTLM security is abused to enable a malicious user to. The Zerologon vulnerability is a. Microsoft starts the year with its first Patch Tuesday bundle of security fixes, targeting 10 Critical vulnerabilities including a zero-day being exploited in Windows Defender.

What is server hardening?

Articles, Infrastructure. 31 March, 7.

The Department of Defense's Cyber Strategy Report states: "Competitors deterred from engaging the United States and our allies in an armed conflict are using cyberspace operations to steal our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure." As such, many companies supporting and selling servers and workstations to the DoD are turning to advanced system hardening tools and best practices to improve the security of their servers and other computer systems, oftentimes as a prerequisite for doing business with the DoD.

In this blog post, we'll discuss system hardening, its importance, the types of system hardening, how system hardening is achieved, and more. By the end, you should know what steps to take to begin or expand upon your system hardening processes and procedures. Graphic: System hardening involves reducing a server's or workstation's attack surface. System hardening is the process of securing a server or computer system by minimizing its attack surface, or surface of vulnerability, and potential attack vectors.

Part of the system hardening elimination process involves deleting or disabling needless system applications, permissions, ports, user accounts, and other features so that attackers have fewer opportunities to gain access to a mission-critical or critical-infrastructure computer system's sensitive information.

But at its core, system hardening is a method for protecting a system against attacks perpetrated by cybercriminals. Now you know why system hardening exists, but you might be wondering about its practical purpose and why businesses and organizations implement system hardening practices. The basic purpose of implementing system hardening techniques and practices is to simply minimize the number of potential entryways an attacker could use to access your system and to do so from inception.

This is oftentimes referred to as following a secure-by-design philosophy. Graphic: There are a few different types of system hardening, but they're all interrelated. Server hardening is a general system hardening process that involves securing the data, ports, components, functions, and permissions of a server using advanced security measures at the hardware, firmware, and software layers.

That is exactly how server hardening impacts server security. Hardened servers are more resistant to security issues than non-hardened servers. Much of the application and system software developed today is intended for use on the Internet and for connections to it. Server hardening, probably one of the most important tasks to be handled on your servers, becomes more understandable once you realize all the risks involved.

Make sure RDP is only accessible by authorized users. By default, all administrators can use RDP once it is enabled on the server. Additional people can join the Remote Desktop Users group for access without becoming administrators.

Telnet should never be used at all, as it passes information in plain text and is woefully insecure in several ways. The same goes for FTP. Windows Server has a set of default services that start automatically and run in the background. Many of these are required for the OS to function, but some are not and should be disabled if not in use. Following the same logic as the firewall, we want to minimize the attack surface of the server by disabling everything other than its primary functionality.

Older versions of Windows Server have more unneeded services than newer ones, so check them especially carefully. Important services should be set to start automatically so that the server can recover without human interaction after a failure. For more complex applications, take advantage of the Automatic (Delayed Start) option to give other services a chance to get going before launching intensive application services.

You can also set up service dependencies, in which a service waits for another service or set of services to start successfully before starting itself. Dependencies also allow you to stop and start an entire chain at once, which can be helpful when timing is important. Finally, every service runs in the security context of a specific user, and by default many built-in services run as the highly privileged Local System account.

This configuration may work most of the time, but for application and user services, best practice dictates setting up service-specific accounts, either locally or in AD, to run these services with the minimum amount of access necessary. This keeps malicious actors who have compromised an application from extending that compromise into other areas of the server or domain.
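The service guidance above (disable what is unneeded, auto-start what is critical, run application services under dedicated accounts) as a read-only PowerShell audit. This is an added example, not code from the original post; the three service lists are assumed baselines, and ExampleLobApp is a hypothetical application service.

```powershell
# Added example: read-only audit of service hardening on a Windows Server (PowerShell 5.1+).
# The three lists are assumed baselines for illustration, not taken from the original page.
$UnneededServices = @('TlntSvr', 'ftpsvc', 'RemoteRegistry')       # Telnet, IIS FTP, Remote Registry
$CriticalServices = @('EventLog', 'W32Time', 'Dnscache', 'MpsSvc')  # logging, time, DNS cache, firewall
$AppServices      = @('MSSQLSERVER', 'ExampleLobApp')               # SQL Server plus a hypothetical app service

function Get-ServiceHardeningFindings {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), StartName (logon account) and DelayedAutoStart
    $byName = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_Service) { $byName[$s.Name] = $s }
    $findings = @()

    # 1. Unneeded or insecure services must be disabled, not merely stopped
    foreach ($n in $UnneededServices) {
        $s = $byName[$n]
        if ($s -and $s.StartMode -ne 'Disabled') {
            $findings += [pscustomobject]@{ Check = 'UnneededServiceNotDisabled'; Service = $n; Detail = "StartMode=$($s.StartMode) State=$($s.State)" }
        }
    }
    # 2. Services the server relies on should start automatically so it recovers without intervention
    foreach ($n in $CriticalServices) {
        $s = $byName[$n]
        if ($s -and $s.StartMode -ne 'Auto') {
            $findings += [pscustomobject]@{ Check = 'CriticalServiceNotAutomatic'; Service = $n; Detail = "StartMode=$($s.StartMode)" }
        }
    }
    # 3. Application services should run under dedicated least-privilege accounts, not Local System
    foreach ($n in $AppServices) {
        $s = $byName[$n]
        if ($s -and $s.StartName -eq 'LocalSystem') {
            $findings += [pscustomobject]@{ Check = 'AppServiceRunsAsLocalSystem'; Service = $n; Detail = "DelayedAutoStart=$($s.DelayedAutoStart)" }
        }
    }
    return $findings
}

Get-ServiceHardeningFindings | Format-Table -AutoSize

# Remediation for individual findings, applied deliberately rather than by the audit itself:
#   Set-Service -Name TlntSvr -StartupType Disabled
#   sc.exe config ExampleLobApp start= delayed-auto     # Automatic (Delayed Start)
#   sc.exe config ExampleLobApp depend= MSSQLSERVER     # start only after SQL Server is running
#   Logon account: services.msc > Log On tab, or sc.exe config <name> obj= <account> password= <pw>
```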

Microsoft provides Best Practices Analyzers based on role and server version that can help you further harden your systems by scanning them and making recommendations. Although User Account Control (UAC) can get annoying, it serves the important purpose of separating executables from the security context of the logged-in user. This prevents malware from running in the background and malicious websites from launching installers or other code.

Leave UAC on whenever possible. The tips in this guide help secure the Windows operating system, but every application you run should be hardened as well. Common Microsoft server applications such as MSSQL and Exchange have specific security mechanisms that can help protect them against attacks like ransomware such as WannaCry; be sure to research and tune each application for maximum resilience. Finally, make sure that your logs and monitoring are configured and capturing the data you want, so that in the event of a problem you can quickly find what you need and remediate it.

Logging works differently depending on whether your server is part of a domain. Domain logons are processed by domain controllers, and as such the domain controllers hold the audit logs for that activity, not the local system. Check the maximum size of your logs and scope them to an appropriate size; log defaults are almost always far too small to monitor complex production applications. As such, disk space should be allocated during server builds for logging, especially for applications like MS Exchange.

Consider a centralized log management solution if handling logs individually on servers gets overwhelming. Like a syslog server in the Linux world, a centralized event viewer for Windows servers can help speed up troubleshooting and remediation times for medium to large environments.
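The log sizing and retention checks described above as a PowerShell script: it notes whether the host is a domain member (so logon audit records live on the DCs), compares each log's maximum size with a baseline, and flags circular retention. This is an added example, not code from the original post; the 256 MB minimum and the list of logs are assumed values.

```powershell
# Added example: check event log sizing and retention on a Windows Server against an assumed baseline.
# The 256 MB minimum and the list of logs are illustrative values, not taken from the original page.
$MinimumLogBytes = 256MB
$LogsToCheck     = @('Security', 'System', 'Application')

function Get-EventLogSizingFindings {
    $findings = @()
    # On a domain member, logon events are recorded on the domain controllers, not in the local Security log
    if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        $findings += [pscustomobject]@{ Log = '(all)'; Issue = 'DomainMember'; Detail = 'Domain logon audit records live on the DCs' }
    }
    foreach ($name in $LogsToCheck) {
        # Get-WinEvent -ListLog returns an EventLogConfiguration: MaximumSizeInBytes, LogMode, IsEnabled
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            $findings += [pscustomobject]@{ Log = $name; Issue = 'LogMissing'; Detail = '' }; continue
        }
        if (-not $log.IsEnabled) {
            $findings += [pscustomobject]@{ Log = $name; Issue = 'LogDisabled'; Detail = '' }
        }
        if ($log.MaximumSizeInBytes -lt $MinimumLogBytes) {
            $have = [math]::Round($log.MaximumSizeInBytes / 1MB)
            $findings += [pscustomobject]@{ Log = $name; Issue = 'MaxSizeTooSmall'; Detail = "$have MB, baseline $($MinimumLogBytes / 1MB) MB" }
        }
        # Circular mode overwrites the oldest events once the log is full; acceptable only with central collection
        if ($log.LogMode -eq 'Circular') {
            $findings += [pscustomobject]@{ Log = $name; Issue = 'CircularRetention'; Detail = 'Oldest events overwritten when full' }
        }
    }
    return $findings
}

function Set-EventLogMinimumSize {
    param([string]$LogName, [long]$Bytes)
    # Raises the limit through the same configuration object; needs an elevated prompt
    $log = Get-WinEvent -ListLog $LogName
    if ($log.MaximumSizeInBytes -lt $Bytes) { $log.MaximumSizeInBytes = $Bytes; $log.SaveChanges() }
}

Get-EventLogSizingFindings | Format-Table -AutoSize
# Remediate, e.g.: Set-EventLogMinimumSize -LogName Security -Bytes $MinimumLogBytes
# (equivalent: wevtutil sl Security /ms:268435456). For central collection use Windows Event
# Forwarding (wecutil on the collector) or your SIEM agent.
```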

Establish a performance baseline and set up notification thresholds for important metrics. Whether you use the built-in Windows Performance Monitor or a third-party solution that uses an agent or SNMP to gather data, you need to be gathering performance information on every server. Things like available disk space, processor and memory use, network activity and even temperature should be constantly analyzed and recorded so anomalies can be easily identified and dealt with.

This step is often skipped over due to the hectic nature of production schedules, but in the long run it will pay dividends because troubleshooting without established baselines is basically shooting in the dark. Benchmarks from CIS cover network security hardening for cloud platforms such as Microsoft Azure as well as application security policy for software such as Microsoft SharePoint, along with database hardening for Microsoft SQL Server, among others.
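The baseline-and-threshold approach from the performance paragraph above, as an added PowerShell example that is not part of the original post: it samples the standard CPU, memory and disk counters with Get-Counter, summarises the average per counter (the baseline), and flags any sample outside assumed thresholds. The threshold values and sample counts are illustrative assumptions.

```powershell
# Added example: capture a short performance baseline and flag samples outside assumed thresholds.
# Counter paths are standard Windows counters; the thresholds and sample counts are illustrative values.
$Counters   = @('\Processor(_Total)\% Processor Time', '\Memory\Available MBytes', '\LogicalDisk(C:)\% Free Space')
$Thresholds = @{
    '\Processor(_Total)\% Processor Time' = @{ Max = 85 }     # sustained CPU above this is abnormal
    '\Memory\Available MBytes'            = @{ Min = 1024 }   # less than 1 GB of free RAM
    '\LogicalDisk(C:)\% Free Space'       = @{ Min = 15 }     # logs and patches need headroom
}

function Get-BaselineSamples {
    param([int]$Samples = 6, [int]$IntervalSeconds = 10)
    # One PerformanceCounterSampleSet per interval; store these over days to build a real baseline
    Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
}

function Get-BaselineSummary {
    param($SampleSets)
    # Average per counter across the captured sets: the "normal" values future readings are compared against
    $SampleSets.CounterSamples | Group-Object Path | ForEach-Object {
        [pscustomobject]@{ Counter = $_.Name; Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 1) }
    }
}

function Test-CounterThresholds {
    param($SampleSets)
    $alerts = @()
    foreach ($set in $SampleSets) {
        foreach ($sample in $set.CounterSamples) {
            # Sample paths carry the machine name prefix, so match on the trailing counter path
            $key = $Thresholds.Keys | Where-Object { $sample.Path.EndsWith($_, 'OrdinalIgnoreCase') } | Select-Object -First 1
            if (-not $key) { continue }
            $limit  = $Thresholds[$key]
            $breach = ($limit.Max -and $sample.CookedValue -gt $limit.Max) -or ($limit.Min -and $sample.CookedValue -lt $limit.Min)
            if ($breach) {
                $alerts += [pscustomobject]@{ Time = $set.Timestamp; Counter = $key; Value = [math]::Round($sample.CookedValue, 1) }
            }
        }
    }
    return $alerts
}

$baseline = Get-BaselineSamples
Get-BaselineSummary $baseline | Format-Table -AutoSize
Test-CounterThresholds $baseline | Format-Table -AutoSize
```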

Never attempt to harden web servers that are already in production use, as this can disrupt your workloads unpredictably; instead, provision fresh servers for hardening, then migrate your applications after hardening and fully testing the setup. A good first step when hardening a Windows web server is patching the server with the latest service packs from Microsoft before moving on to securing your web server software, such as Microsoft IIS, Apache, PHP, or Nginx.

Harden system access and configure network traffic controls: set a minimum password length, configure Windows Firewall (which lets you implement traffic policy much as iptables does), set up a hardware firewall if one is available, and configure your audit policy and log settings. Eliminate potential backdoors an attacker could use, starting at the firmware level by ensuring your servers run the latest BIOS firmware hardened against firmware attacks, through IP address rules that limit unauthorized access, to uninstalling unused services and unnecessary software.

Make sure all file system volumes use NTFS, and configure file permissions to limit users to least-privilege access. You should also install anti-virus software as part of your standard server security configuration, ideally with daily updates and real-time protection. To really secure your servers against the most common attacks, you must adopt something of the hacker mindset yourself, which means scanning for potential vulnerabilities from the viewpoint of how a malicious attacker might look for an opening.

Inevitably, the largest hacks tend to occur when servers have poor or incorrect access control permissions, ranging from lax file system permissions to network and device permissions.

To reduce exposure through access control, set group policy and permissions to the minimum privileges acceptable, and consider implementing strict protocols such as two-factor authentication as well as zero-trust privilege to ensure resources are only accessed by authenticated actors.
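The access-control items from the checklist above (NTFS everywhere, Windows Firewall on with inbound blocked, RDP limited to authorized users) as a read-only PowerShell audit. This is an added example, not code from the original post; the approved RDP group name is an assumption, and the script expects an elevated prompt on Windows Server 2016 or later.

```powershell
# Added example: read-only audit of the access-control items above (not from the original page).
# Assumed baseline for illustration: NTFS on every local disk, every firewall profile enabled with
# inbound blocked by default, RDP requiring Network Level Authentication, and Remote Desktop Users
# membership limited to an approved list.
$ApprovedRdpMembers = @('CONTOSO\RDP-Operators')   # assumed group name

function Get-AccessControlFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Report($area, $detail) { $findings.Add([pscustomobject]@{ Area = $area; Detail = $detail }) }

    # 1. File system: DriveType 3 = local disk; anything but NTFS cannot carry ACLs
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { Report 'FileSystem' "$($_.DeviceID) is $($_.FileSystem)" }

    # 2. Windows Firewall: every profile on, default inbound action Block
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True')               { Report 'Firewall' "$($p.Name) profile disabled" }
        if ($p.DefaultInboundAction -eq 'Allow') { Report 'Firewall' "$($p.Name) allows inbound by default" }
    }

    # 3. RDP: if enabled, require NLA and keep the Remote Desktop Users group to the approved list
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($ts.fDenyTSConnections -eq 0) {
        if ($tcp.UserAuthentication -ne 1) { Report 'RDP' 'Network Level Authentication not required' }
        Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
            Where-Object { $ApprovedRdpMembers -notcontains $_.Name } |
            ForEach-Object { Report 'RDP' "Unexpected member of Remote Desktop Users: $($_.Name)" }
        # Members of Administrators can always use RDP once it is enabled; review that group as well
    }
    return $findings
}

Get-AccessControlFindings | Format-Table -AutoSize
```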

Other common areas of vulnerability include social engineering and servers running unpatched software: your team should undergo regular cybersecurity training, and you should regularly test and apply the most recent security patches for software running on your servers, since unpatched systems are attractive targets for exploits.
