Tactical Server Hardening Checklist for Windows and Linux Security
Server hardening is the identification of security vulnerabilities in your Linux or Windows servers in order to configure changes and other remediation steps required to reduce these vulnerabilities. Server hardening involves applying the principles of system hardening to servers specifically.
The goal of server hardening is to make your server a more difficult target for hackers, thereby protecting your operations and saving you money in the long run. However, server hardening has the added advantage of improving your organization’s compliance with industry and state information security regulations.
Your server hardening process starts with a checklist that outlines the steps you should take to protect your Windows or Linux server against common security threats. These steps are based on guidelines developed by cybersecurity experts and codified by bodies such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). These server hardening checklist items are broad strokes that apply to Windows, Linux, and other types of servers. If you want a detailed breakdown, the NIST and CIS benchmarks have the resources you need.
1. Account Policies
User accounts are identities created to allow authenticated access to a server or related system. Different user accounts have different levels of access to core functions of the server, with administrator accounts having the highest level of access. Therefore, enforcing a strong password policy for these accounts is necessary to maintain security. This policy should include recommendations for a minimum password length, password complexity, account lockout duration, and maximum password age.
In addition to the password policies, managing how users log in to access server resources is also essential. Security hardening measures here should include restrictions on where users can log in from and enforcing two-factor authentication. You should also delete guest accounts and unused accounts.
Key Server Hardening Checklist Questions:
- Do you have an established password policy?
- Do you have controls in place for managing where and how users log in to access server resources?
- Do you regularly delete guest and unused accounts?
2. Updates and Patches
Your server hardening checklist should include a plan for installing software patches and updates. Vendors often release them to repair recently discovered security vulnerabilities and improve performance, hence their importance to server security. If possible, run your updates on a test installation to ensure that they will not cause problems before applying them to your live environment.
Configuring automatic updates for your operating system and other software components as part of your checklist will keep you updated with the latest patches and software fixes. For example, Microsoft regularly releases hotfixes and updates for its Windows servers, and the same goes for most Linux-based server operating systems. You should also configure third-party software running on your servers to receive and install updates automatically.
Key Server Security Checklist Questions to Ensure Proper Configuration and Patching:
- Have you configured automatic updates for your server operating system?
- Did you also set up automatic updates for third-party applications running on your servers?
- Do you run each update on a test server to check for problems before pushing it to your production servers?
3. User Rights Management
Everyone who needs access to applications and resources managed by your server needs an account, but not everyone needs complete access to all server resources. That’s why account management is an essential part of your server hardening checklist.
Restrict access to administrator-level accounts and only assign users just enough privileges to their accounts to enable them to do their jobs. You can manage this from a domain controller by creating user groups for multiple accounts with similar privileges. Access to file systems and other resources will be assigned to the groups rather than individual accounts.
Key Server Hardening Questions for User Permissions Management:
- Do you use a group policy or similar tools to manage user privileges?
- What restrictions have you put in place for access to administrator-level accounts?
4. Network Security
Your network firewall is your first line of defense against all external attacks, so make sure it is enabled and set it up to block all inbound traffic by default. Then only allow incoming network traffic based on an analysis of what is necessary for your operations. Windows Firewall is a decent enough tool for accomplishing this, but a physical firewall offers better protection by separating traffic management from the server.
If remote access to your server via remote desktop protocol (RDP) is required, ensure you have the highest level of encryption enabled for this. For users connecting to their accounts or programs running on the server from external locations, you can set up a virtual private network (VPN) to secure their access over the Internet.
Key Server Hardening Checklist Questions for Windows and Linux System Administrators:
- Is your firewall configured to block all incoming traffic except what is necessary?
- Do you use a VPN for all remote connections and logins to your server?
- Do you encrypt your remote desktop connections?
5. Antivirus & Software Security
Antivirus and anti-malware programs protect your systems by actively scanning for malicious software and removing them when detected. Make sure you have one installed and configured to run regular scans on your server. Also, configure your antivirus software to update its virus definition database as frequently as possible, as this will keep your server protected from the latest identified viruses and malware.
For those putting together a Windows hardening checklist, ensure you have User Account Control (UAC) to manage the level of access that third-party programs have to system resources and data. Check this off your server hardening list for blocking malicious software that runs in the background.
Key Antivirus and Anti-Malware Hardening Checklist Items:
- Do you have antivirus and anti-malware software installed on your servers?
- Do your antivirus applications get updates and scan your server automatically?
- Do you have User Account Control enabled on your Windows servers?
6. General Security Settings
Your server operating system probably comes with several services and features that are unnecessary for your working environment. Add to your hardening checklist to disable these unnecessary services and uninstall all unused applications in order to significantly reduce the risk of your attackers compromising your Windows or Linux server through a vulnerability in one or more of them.
In addition to security measures to restrict unauthorized physical access to your servers, you can also disable support for external storage devices like USB drives which are popular attack vectors for hackers who may have physical access to your servers.
Key Checklist Questions for Physical Server Security:
- Have you removed/disabled all unnecessary software and services on your server?
- Do you have USB devices disabled in the security settings for your server?
- What kind of measures do you have for restricting physical access to your servers?
7. Backups & Recovery
Your server hardening checklist would not be complete without a proper backup and recovery plan. Backups can protect your servers from data loss, ransomware attacks, and other disaster-level events that affect information security.
Whether you choose an onsite, remote, or cloud-based backup solution, ensure that the backup process is automated and continuous.
Key Checklist Items for Backups and Recovery:
- How often do you backup your server?
- Are your backups automated?
- Where are your backups stored?
- How many backups do you have?
8. Audit Policies and Documentation
Enabling logging and monitoring for all system events will help build a repository of information necessary for performing system audits. System audits involve reviewing server activities using event logs to identify the source of a problem or security threat. Therefore, creating an audit policy that specifies the kind of system activities you should log, the duration of these event logs, and how they are backed up is essential for hardening your server security.
In addition to this, you should maintain documentation for all your security settings, policies, and system configurations. This documentation is an essential part of your disaster recovery plans and should be updated whenever you change your security configuration.
Log Management and Systems Monitoring Items for Your Hardening Checklist:
- Do you log your server activities?
- How often do you review your event logs?
- Do you document changes to your server configuration?
Use This Checklist to Get Started on Hardening Your Windows or Linux Server Today
The role of servers in today’s business operations cannot be overstated. Incorporating a server hardening checklist into your risk management processes will ensure the safety of one of the most critical components of your IT infrastructure.
Do You Want to Know What Other Cybersecurity Risks Your Business Needs to be Aware of? Grab a Copy of Liquid Web’s Security Infrastructure Checklist for SMBs.
Marho is a Community Support agent at The Events Calendar and enjoys helping people discover how information technology can provide great solutions to their everyday problems. His career in IT can clearly be traced to his love for all things science fiction.
Keep up to date with the latest Hosting news.