Your IT department should be a sanctuary! Keep it safe.
Attacks will happen and they are increasingly complex to defend against. However, most security breaches occur because IT is not covering the basics. You will never be 100% secure, but there are some good practices to harden your server, reduce your threat surface area, and ultimately make those attacks as hard as possible.
1: Patch your servers’ operating systems
Operating systems (OS) today can be kept current against the majority of known vulnerabilities by continually applying patches as the OS distributor releases them. Your OS has many different components, each of which represents a small and unique threat surface: your SSL library, your SSH server, and many more. Your OS vendor knows this and is in the business of reducing that threat surface by continually finding and removing vulnerabilities. [This post contains a breakout of some tips specific to OS patching.]
2: Patch applications and plug-ins
Similar to operating systems, applications are also generally kept current against vulnerabilities using patches released by their creators. Nobody is more familiar with an application than the vendor who created it, and they are constantly releasing fixes as vulnerabilities become known. But patching the applications isn’t enough since many have a rich set of plug-ins that are widely used and are often not well tested for security vulnerabilities before they are released. A good place to track application and OS vulnerabilities is here.
3: Patch drivers, BIOS, IPMI, & other firmware & middleware
The underlying BIOS layer and other firmware elements of most servers go unpatched, and every system probably has at least one exploitable known BIOS vulnerability. Outdated firmware and BIOS on a server can be exploited (‘rootkitted’) in such a way that malicious code is masked and stays invisible to anyone monitoring the processes running on the server. The BIOS itself can have its authenticity verified with digital signatures, which are extremely difficult to counterfeit, making malicious modifications easily preventable. Check out a posting by Legbacore on the topic.
4: Set firewall rules
The on-host firewall in most operating systems can be configured to monitor and restrict traffic using firewall rules defined, and enforced, within the OS. This contrasts with an off-host, or network-based, firewall, which enforces traffic rules outside the context of the server, from a separate firewall appliance. Using both forms of firewall is an effective way to minimize the communications threat surface, and it is increasingly important, since phishing attacks and the exploitation of unpatched computers make it all too easy to bypass the network firewall. Your systems should not be able to talk to other systems unless they are authorized to do so.
5: Log transactions
All activity by servers and their apps can be logged, which is a very effective way to determine what actually happened in the event of a breach or compromise. This logging can take place either on the host itself or off-host, generally using a proxy, as described below. Although logging does not necessarily reduce your threat surface in real time, it is critical for the long-term identification and closure of relevant vulnerabilities in your environment.
6: Proxy traffic off-host
Traffic to and from a server can be run through a proxy, meaning that all of its traffic in and out passes through a checkpoint that runs somewhere other than the server being proxied. This separation matters because if the server is hacked or otherwise compromised, the proxy can still detect it, since the proxy runs in a different place. This makes a proxy useful for logging a server’s activity for review and for detecting anomalies. It is also useful because it allows the internal network structure to be kept private behind network address translation (NAT).
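Points 4 through 6 come together when the off-host proxy log is checked against the authorization policy the firewall is meant to enforce. The following is an added example (not code from the original post): it parses a constructed proxy log in an assumed format and reports every connection a server made that its policy does not allow.

```python
import re
from collections import Counter

# Constructed sample of off-host proxy log lines (not from the original post).
# Assumed format: "<timestamp> <source_host> <dest_host>:<port> <bytes_out>"
PROXY_LOG = """\
2024-01-01T10:00:01Z web01 updates.example.internal:443 1200
2024-01-01T10:00:05Z web01 db01.example.internal:5432 300
2024-01-01T10:01:12Z web01 203.0.113.7:8080 98000
2024-01-01T10:01:30Z db01 web01.example.internal:443 100
2024-01-01T10:02:00Z web01 203.0.113.7:8080 102000
"""

# Per-host authorization policy (constructed): the destinations each server
# is allowed to initiate connections to. Anything else is a deviation.
AUTHORIZED = {
    "web01": {("updates.example.internal", 443), ("db01.example.internal", 5432)},
    "db01": set(),  # db01 is never expected to initiate outbound connections
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\d+)$")


def parse_line(line):
    """Split one proxy log line into its fields; reject lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable proxy log line: {line!r}")
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def find_unauthorized(log_text, policy):
    """Return a Counter of (src, dst, port) tuples the policy does not allow,
    keyed by how many connections each unauthorized pairing produced."""
    violations = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        allowed = policy.get(rec["src"], set())
        if (rec["dst"], rec["port"]) not in allowed:
            violations[(rec["src"], rec["dst"], rec["port"])] += 1
    return violations


if __name__ == "__main__":
    for (src, dst, port), n in find_unauthorized(PROXY_LOG, AUTHORIZED).items():
        print(f"{src} -> {dst}:{port} is not authorized ({n} connections)")
```

Because the proxy and its log live off-host, a compromised server cannot quietly edit the evidence this check runs over.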
7: Maintain administrator hygiene
This principle revolves more around the attention paid to the overarching privilege model – who has access to what – than around a specific IT implementation for your server. It is critical that guidelines and processes are in place regarding who has what level of visibility and control within an organization, and that these are adhered to and continually updated. Administrators’ access credentials are extremely valuable and, if compromised, can be exploited by malicious actors with relative ease.
8: Maintain identity and password hygiene
Similar to the point about admin hygiene above, most forms of access derive from credentials consisting of an identity and a password. Overall security posture can be improved with a few best practices around these credentials. First and foremost, each user should have a unique password for privileged systems and should change passwords frequently. Check out this article and its sequel for a more detailed conversation around this point.
9: Out-of-band and lights-out management
Servers are often not nearby: either they are in a different city or the administrator is mobile, so using IPMI is an attractive model for remote management. However, using it without exposing the system to a multitude of unwanted security exposures is a voodoo art. Take a look at Dan Farmer’s paper on it.
10: Measurement of hardware
Hardware can be modified if physical access is obtained, and this can give malicious actors the ability to insert various types of passive monitoring, active remote access, and other methods of exploiting the server. The most effective way to prevent this is to initiate a measured boot sequence when the server boots, and to prevent boot completion if there is any deviation from the original measurement of the hardware. This original measurement must be kept off-host in order to prevent tampering or spoofing and to compartmentalize the enforcement of the security from the server being secured.
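The comparison an off-host verifier performs is the part worth seeing in code. This added example (not from the original post) replays a constructed measured-boot event log through a TPM-style SHA-256 extend chain and compares the resulting PCR values with golden values held off the host; the component names, digests and PCR assignments are assumptions, and a real deployment would also check the TPM’s signature over the quoted PCRs.

```python
import hashlib


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_event_log(events):
    """Replay an event log of (pcr_index, description, digest) entries into the
    final per-PCR values; each PCR starts as 32 zero bytes, as on a real TPM."""
    pcrs = {}
    for index, _desc, digest in events:
        pcrs[index] = extend(pcrs.get(index, bytes(32)), digest)
    return pcrs


def verify_against_golden(events, golden):
    """Compare replayed PCRs with off-host golden values. Returns the sorted list
    of PCR indexes that deviate; an empty list means the platform matches."""
    actual = replay_event_log(events)
    return sorted(i for i, g in golden.items() if actual.get(i) != g)


def measure(component: bytes) -> bytes:
    """Measurement of a boot component is simply its SHA-256 digest."""
    return hashlib.sha256(component).digest()


# Constructed stand-ins for firmware and boot components (assumed PCR layout).
KNOWN_GOOD_EVENTS = [
    (0, "bios-core", measure(b"bios-image-v1.2")),
    (0, "bios-settings", measure(b"secure-boot=on")),
    (2, "nic-option-rom", measure(b"nic-rom-v3")),
    (4, "bootloader", measure(b"grub-2.06")),
]

# Golden values are computed once and stored OFF the host (e.g. on an
# attestation server) so that a compromised server cannot rewrite them.
GOLDEN_PCRS = replay_event_log(KNOWN_GOOD_EVENTS)

# A boot in which the NIC option ROM was swapped: PCR 2 will no longer match.
TAMPERED_EVENTS = [(2, d, measure(b"nic-rom-modified")) if d == "nic-option-rom" else (i, d, m)
                   for i, d, m in KNOWN_GOOD_EVENTS]

if __name__ == "__main__":
    print("known-good deviations:", verify_against_golden(KNOWN_GOOD_EVENTS, GOLDEN_PCRS))
    print("tampered deviations:  ", verify_against_golden(TAMPERED_EVENTS, GOLDEN_PCRS))
```

The policy decision (refuse to complete boot, or quarantine the host) belongs with the verifier that holds the golden values, not with the server being measured.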
These best practices can go a long way towards hardening the server platforms running in your infrastructure. If you’re interested in deeper thought around this topic, download our white paper outlining Hyper-Secured Infrastructure.