Checklist for Securing & Hardening your Server Environment


This general security checklist can serve as a starting point for organizations to improve the security of their servers and environment. Because both attacks and the technology behind cyber security keep evolving, the list should be revisited regularly and the controls behind it maintained and upgraded.

Manage Server Access

  • Don't forget physical server security
  • Manage access to your servers
    • only allow trusted personnel
    • keep staff informed/trained


Minimize the External Footprint


Patch Vulnerabilities

  • Keep browsers & plugins updated (better still, do not install browsers on servers at all)
  • Apply OS and application security updates promptly


Minimize Attack Surface

  • Install only the software the server's role requires
  • Use Windows Server Core (no desktop shell) where the workload allows it
  • Remove unnecessary operating system components
  • Disable services that are not needed, and check what is actually listening on the network
  • Component/Feature Management - Add what you need, remove what you don't
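As an added example for the attack-surface items above (not code from the original checklist), the following POSIX shell script inventories the listening TCP sockets reported by `ss -ltnp` and flags every socket that is reachable from the network and not on an explicit port allowlist. The `ss` output embedded in it is constructed for the example; the port allowlist `"22 80 443"` is an assumption for a web server.

```shell
#!/bin/sh
# Added example (not part of the original checklist): inventory listening TCP
# services from "ss -ltnp" output and flag anything reachable from the network
# that is not on an explicit allowlist of ports. The ss output below is
# constructed for this example; on a real host run
#   ss -ltnp | audit_listeners "22 80 443"

SAMPLE_SS=$(cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1402,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mariadbd",pid=1190,fd=21))
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=640,fd=4))
LISTEN  0       50      0.0.0.0:5900         0.0.0.0:*          users:(("Xvnc",pid=2210,fd=7))
EOF
)

# audit_listeners "<allowed ports>": reads ss -ltnp output on stdin and prints
# one line per socket: "ok" for loopback-only or allowlisted, "FAIL" otherwise.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                  # column header
    {
        la = $4                                        # Local Address:Port
        port = la; sub(/.*:/, "", port)                # text after the last colon
        addr = la; sub(/:[^:]*$/, "", addr)            # everything before it
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/))            # users:(("name",pid=...
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        if (addr == "127.0.0.1" || addr == "[::1]")
            printf "ok   %-18s %-10s loopback only\n", la, proc
        else if (port in ok)
            printf "ok   %-18s %-10s allowed\n", la, proc
        else
            printf "FAIL %-18s %-10s reachable from the network, not on allowlist\n", la, proc
    }'
}

# count_unexpected_listeners "<allowed ports>": the number of FAIL lines.
count_unexpected_listeners() {
    audit_listeners "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_SS" | audit_listeners "22 80 443"
echo "unexpected listeners: $(printf '%s\n' "$SAMPLE_SS" | count_unexpected_listeners "22 80 443")"
```

In the constructed sample the database bound to 127.0.0.1 passes (loopback only), while rpcbind on 111 and a VNC server on 5900 are reported; both are typical of components installed by default and never removed. The same check, run against the real `ss` output and a per-role allowlist, is the concrete form of "remove what you don't need".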

 

Know What's Happening

  • Audit access permissions and changes to them
  • Maintain server logging
    • Forward logs to a separate log server, so that an attacker who gains control of the host cannot quietly erase the evidence
  • Scan and audit the server regularly for malware and other signs of compromise
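The following script is an added example (not from the original checklist) of the detection logic behind "Know What's Happening" and the later item about locking accounts after too many login failures. It reads sshd auth-log lines, counts failed logins per source address, and reports the case that matters most: a successful login from an address that had already failed repeatedly. The log lines are constructed for the example (RFC 5737 documentation addresses); the threshold of 5 failures is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original checklist): brute-force detection
# over sshd auth-log lines. The lines below are constructed for this example;
# on a real host feed /var/log/auth.log (or "journalctl -u ssh") on stdin.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jan 12 03:14:01 web1 sshd[2190]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:03 web1 sshd[2190]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:05 web1 sshd[2193]: Invalid user admin from 203.0.113.7 port 51026
Jan 12 03:14:05 web1 sshd[2193]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Jan 12 03:14:07 web1 sshd[2195]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Jan 12 03:14:09 web1 sshd[2197]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 03:14:12 web1 sshd[2199]: Failed password for root from 203.0.113.7 port 51032 ssh2
Jan 12 03:14:20 web1 sshd[2201]: Accepted password for root from 203.0.113.7 port 51034 ssh2
Jan 12 03:20:11 web1 sshd[2301]: Failed password for alice from 198.51.100.23 port 40112 ssh2
Jan 12 03:20:18 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.23 port 40112 ssh2
EOF
)

# failed_logins_by_ip: "<count> <ip>" per source address, highest first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# flag_brute_force <threshold>: addresses with at least <threshold> failures.
# These are candidates for blocking at the firewall; blocking the SOURCE keeps
# the attacker from locking the targeted account itself.
flag_brute_force() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures <threshold>: "<ip> <user> <method>" for every accepted
# login from an address that had already failed <threshold> or more times.
success_after_failures() {
    awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    /sshd\[[0-9]+\]: Accepted / {
        # "Accepted <method> for <user> from <ip> port ..."
        for (i = 1; i <= NF; i++) if ($i == "Accepted") { method = $(i+1); user = $(i+3) }
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
        if (fails[ip] >= t) print ip, user, method
    }'
}

echo "== failures per source"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
echo "== sources over threshold (5)"
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_brute_force 5
echo "== successful login after repeated failures"
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures 5
```

The constructed log contains two stories: 203.0.113.7 fails six times and then gets in as root with a password, which should page someone; alice mistypes once and then logs in with her key, which is normal. The distinction is why the last function keys on the source address rather than counting failures alone, and why a lockout policy that only counts failures against the target account can be turned into a denial of service against that account.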

 

Establish Communications

Minimize User Access Permissions

  • Group permissions by role
  • Limit each user account to what its role needs
  • Grant elevated access only when needed, and only for as long as needed
  • Delete unnecessary OS users (departed staff, unused service accounts)
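As an added example for the access-permission items above (not code from the original checklist), this script audits a local account database for the three things a reviewer checks first: extra UID 0 accounts, accounts that can log in interactively but are not on an allowlist, and members of the sudo group who are not approved administrators. The passwd lines, the sudo group line, the allowlist `"root alice deploy"` and the approved admin `alice` are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit local accounts for
# the "Minimize User Access Permissions" items. The passwd lines and the sudo
# group line below are constructed for this example; on a real host use
#   extra_uid0 < /etc/passwd
#   unexpected_sudoers "$(getent group sudo)" "alice"

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc-legacy:x:0:0:legacy service account:/:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob (left 2023):/home/bob:/bin/bash
deploy:x:1002:1002:deploy:/srv/deploy:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
)
SAMPLE_SUDO_GROUP='sudo:x:27:alice,bob,deploy'

# Accounts other than root with UID 0: full root, whatever they are called.
# Reads passwd-format lines on stdin.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that can log in interactively (shell is not nologin/false).
interactive_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }'
}

# unexpected_interactive "<allowlist>": interactive accounts not on the
# space-separated allowlist, i.e. candidates for "Delete unnecessary OS users".
unexpected_interactive() {
    interactive_accounts | awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        !($1 in allow) { print $1 }'
}

# unexpected_sudoers "<group line>" "<approved admins>": members of a
# getent-format group line who are not approved administrators.
unexpected_sudoers() {
    printf '%s\n' "$1" | awk -F: -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] != "" && !(m[i] in allow)) print m[i] }'
}

echo "== extra UID 0 accounts"
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
echo "== interactive accounts outside the allowlist"
printf '%s\n' "$SAMPLE_PASSWD" | unexpected_interactive "root alice deploy"
echo "== sudo members who are not approved admins"
unexpected_sudoers "$SAMPLE_SUDO_GROUP" "alice"
```

Against the sample data the script reports `svc-legacy` (a second UID 0 account, which is root under another name), `svc-legacy` and `bob` as interactive accounts nobody vouched for, and `bob` and `deploy` as sudo members who are not on the admin list. Keeping the allowlists in version control and running the audit on a schedule turns "delete unnecessary users" from a one-off cleanup into a control.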


Further Hardening / Protecting Credentials

  • Keep security applications updated
  • Use long, unique passwords, especially for administrative accounts
  • Change passwords periodically and immediately on any suspected compromise, and never reuse them
  • Rename or disable default accounts such as 'admin' or 'guest'
  • Lock accounts after too many login failures; repeated failures are a sign of someone guessing credentials
    • Note: be careful when setting LDAP/AD lockout policies. Too aggressive a policy lets an attacker lock legitimate users out on purpose just by sending bad passwords, and a service retrying a stale password can lock out its own account.


Backup Plans

  • Maintain regular backups and test that they actually restore
  • Run backup jobs with non-elevated accounts where possible


Prevent Time Drift

  • Keep the server clock in sync (NTP); log correlation and authentication protocols such as Kerberos depend on accurate time

 
Harden Remote Sessions

  • Secure and monitor SSH
    • Change the port from the default (this only reduces scanner noise; it is not a substitute for the controls below)
    • Disable direct root login; log in as a non-elevated account and use sudo for elevation
    • Prefer key-based authentication and disable password logins

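The following is an added example (not code from the original checklist) that turns the SSH items above into a check: it reads an `sshd_config`, resolves each directive the way OpenSSH does (first occurrence wins, anything after a `Match` block is conditional and ignored, a missing directive means the compiled-in default), and reports the settings that still need hardening. The two configs it audits are constructed, one permissive and one hardened; the OpenSSH defaults used are real, while the `MaxAuthTries` limit of 3 and the `VERBOSE` log level are this example's choices.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit an sshd_config
# against the "Harden Remote Sessions" items. The two configs below are
# constructed for this example; on a real host run
#   audit_sshd_config /etc/ssh/sshd_config

# sshd_value <file> <Directive> <default>: the effective value of a directive.
# Directive names are case-insensitive; the first occurrence wins; a Match
# block ends the global section; absence means the default applies.
sshd_value() {
    v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config <file>: print FAIL/NOTE lines; return the number of FAILs.
# The defaults passed to sshd_value are the OpenSSH ones; the MaxAuthTries
# threshold (3) and the VERBOSE log level are this example's choices.
audit_sshd_config() {
    f=$1; n=0
    [ "$(sshd_value "$f" PermitRootLogin prohibit-password)" = no ] ||
        { echo "FAIL PermitRootLogin: direct root login possible; set 'no' and use sudo"; n=$((n+1)); }
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL PasswordAuthentication: passwords accepted; use keys only"; n=$((n+1)); }
    [ "$(sshd_value "$f" PermitEmptyPasswords no)" = no ] ||
        { echo "FAIL PermitEmptyPasswords: empty passwords accepted"; n=$((n+1)); }
    [ "$(sshd_value "$f" MaxAuthTries 6)" -le 3 ] ||
        { echo "FAIL MaxAuthTries: more than 3 attempts per connection"; n=$((n+1)); }
    [ "$(sshd_value "$f" LogLevel INFO | tr 'a-z' 'A-Z')" = VERBOSE ] ||
        { echo "FAIL LogLevel: VERBOSE records the key fingerprint used for each login"; n=$((n+1)); }
    [ "$(sshd_value "$f" Port 22)" != 22 ] ||
        echo "NOTE Port 22: default port; changing it only cuts scanner noise"
    return "$n"
}

# count_failures <file>: the number of FAIL lines, safe to use under "set -e".
count_failures() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

WEAK=$(mktemp); HARD=$(mktemp); EMPTY=$(mktemp)
trap 'rm -f "$WEAK" "$HARD" "$EMPTY"' EXIT
cat > "$WEAK" <<'EOF'
# constructed: a typical permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
EOF
cat > "$HARD" <<'EOF'
# constructed: the hardened equivalent
Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
AllowGroups ssh-users
EOF

for cfg in "$WEAK" "$HARD" "$EMPTY"; do
    echo "== $cfg: $(count_failures "$cfg") failure(s)"
    audit_sshd_config "$cfg" || true
done
```

The empty file is audited on purpose: with no directives at all the check still reports four failures, because OpenSSH's defaults accept passwords, allow six tries per connection and log at INFO. That is the practical point of the checklist item: an unedited `sshd_config` is not a hardened one, and the port change is reported only as a note because it changes none of that.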