What are the good OS security baselines that you would recommend to client to apply?
Hi Neung,
The following basic steps are necessary to secure the OS and are described in detail in chapter 4 of NIST SP 800-123:
Patch and update the OS
Harden and configure the OS to address security adequately
Install and configure additional security controls, if needed
Test the security of the OS to ensure that the previous steps adequately addressed all security issues.
The combined result of these steps should be a reasonable level of protection for the server’s OS.
What do you think is the common mistake admins make while trying to secure servers?
In my experience, system administrators tend to keep the default passwords. Even if the passwords are changed, they are common dictionary words, and these passwords are shared by multiple personnel, as usually a server has a single admin account.
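Added example, not the poster's and not from the course material: two small checks for the three mistakes just described. The first normalises a candidate password (case, leet substitutions, appended digits and symbols) before comparing it against a default-password list and a dictionary; the second parses sshd log lines for one account that logs in from many different workstations, which is the footprint of a shared admin password. The word lists, host name, addresses and log lines are constructed for the example.

```python
"""Two checks for the mistakes described in the post: a password that is a
vendor default or a mangled dictionary word, and one admin account that is
really shared by several people. Added example for this thread; the word
lists and the auth-log lines are constructed and deliberately tiny."""
import re
from collections import defaultdict

# Constructed lists; a real check loads the vendor's documented defaults
# and a large wordlist.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "12345678"}
DICTIONARY = {"temple", "welcome", "summer", "dragon", "server"}

# Common leet substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@$013!457", "asoleiast")


def candidates(password):
    """Forms of the password a cracker's rule set would try first."""
    def trim(s):
        # strip leading/trailing digits and symbols: Summer2023! -> summer
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)

    p = password.lower()
    leet = p.translate(LEET)
    return {p, leet, trim(p), trim(leet), trim(p).translate(LEET)}


def classify_password(password):
    """Return 'default', 'dictionary' or 'ok'."""
    cands = candidates(password)
    if cands & DEFAULT_PASSWORDS:
        return "default"
    if cands & DICTIONARY:
        return "dictionary"
    return "ok"


# Constructed sshd lines in syslog shape (not from a real server).
AUTH_LOG = """\
Mar  3 08:01:12 lic01 sshd[2210]: Accepted password for admin from 10.1.4.21 port 51012 ssh2
Mar  3 08:03:40 lic01 sshd[2231]: Accepted password for admin from 10.1.4.57 port 50233 ssh2
Mar  3 08:15:02 lic01 sshd[2290]: Accepted publickey for jsmith from 10.1.4.21 port 51300 ssh2
Mar  3 09:22:19 lic01 sshd[2411]: Accepted password for admin from 10.1.9.8 port 40012 ssh2
Mar  3 09:30:00 lic01 sshd[2450]: Failed password for admin from 203.0.113.7 port 4411 ssh2
"""
LOGIN_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def shared_accounts(log_text, threshold=2):
    """Accounts with successful logins from >= threshold distinct sources.
    One 'admin' login arriving from several workstations is the shared
    credential pattern; failed attempts are ignored on purpose."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            _method, user, src = m.groups()
            sources[user].add(src)
    return {u: sorted(s) for u, s in sources.items() if len(s) >= threshold}


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2023!", "dr4g0n", "correct horse battery staple"):
        print(f"{pw!r}: {classify_password(pw)}")
    print("shared accounts:", shared_accounts(AUTH_LOG))
```

The second check only works when the single shared account still exists; the fix the post implies (one account per person, with elevation through sudo or an equivalent) is what makes the log useful as evidence of who actually did what.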
As an IT Auditor, how do you know the host hardening methodology/checklist used by system administrators during implementation of a new system is correct?
Hi Akshay,
Host hardening provides various types of protection for any system, including at the physical level, the OS level and the host level. For example, OS hardening consists of activities such as configuring the OS securely, updating it, creating rules and policies to enable information security management, and removing or disabling unnecessary applications and services. IT auditors should compare the organization's hardening practices with the organization's policies to ensure they are compliant with the policy requirements.
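Added example, not from any post in this thread and not NIST's code: the last step of the list in the answer to Neung above ("test the security of the OS") and the practice-versus-policy comparison in this answer, done as a script. It parses sshd_config the way sshd reads it (the first occurrence of a directive wins, absent directives take their defaults, anything after a Match line is conditional) and reports every directive whose effective value falls outside a written baseline. The baseline values, the defaults table and the sample config are assumptions made for the example, not taken from any real host or policy.

```python
"""Step 4 of the NIST SP 800-123 list ("test the security of the OS") and the
auditor's "compare practice with policy" check, as a script: parse an
sshd_config the way sshd reads it and diff it against a written baseline.
Added example for this thread; the baseline is a hypothetical policy and the
config text is constructed, not taken from a real host."""
import re

# Hypothetical policy baseline: directive -> set of acceptable values.
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
    "logingracetime": {"30", "60"},
}

# Values sshd applies when a directive is absent (OpenSSH defaults as the
# author understands them; confirm against sshd_config(5) for your version).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# Constructed sample config containing three classic checklist slips.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 3
# the line below is too late: sshd keeps the FIRST occurrence of a keyword
PermitRootLogin no
X11Forwarding no
"""

DIRECTIVE_RE = re.compile(r"^(\S+)\s*[=\s]\s*(.+)$")


def parse_sshd_config(text):
    """Return {keyword: value} for global directives, keyword lower-cased.
    Mirrors two sshd rules an eyeball review often misses: the first
    occurrence of a keyword wins, and everything after a 'Match' line is
    conditional (parsing stops there; review that block by hand)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_baseline(text, baseline=BASELINE, defaults=DEFAULTS):
    """Return findings as (directive, effective value, allowed values).
    An absent directive is judged by its default, not skipped."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in baseline.items():
        effective = settings.get(key, defaults.get(key, "<unset>")).lower()
        if effective not in allowed:
            findings.append((key, effective, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for key, value, allowed in check_baseline(SAMPLE_CONFIG):
        print(f"FAIL {key}: effective {value!r}, policy allows {allowed}")
```

A checklist that only greps for the "good" line misses two of the three slips in the sample: a directive repeated later in the file, and a directive left commented out so the default silently applies. Running the same script against the gold image and against the deployed host, and diffing the two outputs, is a repeatable way to answer the auditor's question.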
Why do unnecessary services, applications and network protocols represent a security vulnerability?
Hello,
An excellent question, and one that was actually well covered in the NIST 800-123 publication titled “Guide to General Server Security”. In general, services, applications and network protocols that are not actively used to conduct business or in any key processes are seen as an unnecessary risk, because they can potentially be turned against the company as attack vectors by people with ill intentions. It should also be noted that every additional service, application and network protocol the organization is willing to take on has its own risk environment that needs to be considered, and sometimes the benefit they provide to the company won’t outweigh the costs associated with securing them.
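Added example, not from the thread: an inventory of listening services compared against a hypothetical allowlist for a licence server, which turns the answer above into something checkable. The `ss -tlnp` style output is constructed, and the allowlist, ports and process names are assumptions for the example. Anything listening that the allowlist does not name is exactly the unneeded attack surface the answer describes.

```python
"""Find listening TCP services that the server's documented purpose does
not require. Added example for this thread: the ss-style output is
constructed, and the allowlist is a hypothetical one for a licence server."""
import re

# Hypothetical approved listeners for a licence server: (proto, port) -> role.
ALLOWED = {
    ("tcp", 22): "ssh admin access (from the management subnet only)",
    ("tcp", 27000): "licence daemon",
}

# Constructed output in the shape of `ss -tlnp` (not captured from a real host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:27000        0.0.0.0:*          users:(("lmgrd",pid=1337,fd=5))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=905,fd=4))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=950,fd=13))
LISTEN  0       128     [::]:111             [::]:*             users:(("rpcbind",pid=640,fd=4))
"""

# State, queues, local addr:port, peer, then the first process name.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(ss_text):
    """Return (proto, address, port, process) for each LISTEN line.
    `ss -t` shows TCP only, so proto is fixed here."""
    out = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
            out.append(("tcp", addr, port, proc))
    return out


def unnecessary_services(ss_text, allowed=ALLOWED):
    """Listeners absent from the allowlist, as (process, port, exposure).
    Loopback-only listeners are labelled so they can be triaged second:
    unreachable from the network, but still code that must be patched."""
    findings = []
    for proto, addr, port, proc in parse_listeners(ss_text):
        if (proto, port) in allowed:
            continue
        exposure = "loopback" if addr in ("127.0.0.1", "[::1]") else "network"
        findings.append((proc, port, exposure))
    return findings


if __name__ == "__main__":
    for proc, port, exposure in unnecessary_services(SS_OUTPUT):
        print(f"{proc} on tcp/{port} ({exposure}): not in allowlist, disable or justify")
```

The allowlist is the important artifact: it is the written statement of what the server is for, so a new listener on the host is a finding by definition rather than a judgement call made at the console.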
What is the biggest factor a company should consider when planning to deploy a server?
I couldn’t guess exactly because I feel this is quite scenario-based. Certainly disk size, power, and purpose would all come into play. Then there is also the purpose of the server and how it communicates with the other information assets in the organization.
What type of testing is used to ensure that separately developed software modules properly exchange data and how is it done?
Hi Innocent,
Interface testing is used to ensure that separately developed software modules properly exchange data. Interface testing is a type of software testing which ensures communication between two different software systems is done in the right way. Software modules are tested to make sure that they meet interface specifications and that they exchange data properly.
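Added example, not from the post: an interface test in code. The producer module (billing) and consumer module (reporting) are hypothetical. The agreed interface is written down once as a spec, the consumer refuses any record that does not meet it, and a second producer version shows the silent contract drift (a renamed field and a changed type and unit) that interface testing exists to catch before the two modules are integrated.

```python
"""Interface (contract) test between two separately developed modules.
Added example for this thread; 'billing' (producer), 'reporting'
(consumer) and the invoice interface spec are hypothetical."""

# The agreed interface: field -> (expected Python type, required?).
INVOICE_SPEC = {
    "invoice_id": (str, True),
    "amount_cents": (int, True),
    "currency": (str, True),
    "customer_email": (str, False),
}


def producer_v1():
    """What the billing module emits today: honours the spec."""
    return {"invoice_id": "INV-1001", "amount_cents": 12500, "currency": "USD"}


def producer_v2_drift():
    """A later billing release that silently changed the contract: the
    amount became a float in dollars and a field was renamed."""
    return {"invoice_id": "INV-1002", "amount": 125.0, "currency": "USD",
            "email": "a@example.com"}


def check_interface(record, spec=INVOICE_SPEC):
    """Return a list of violations; an empty list means the record honours
    the spec. bool is rejected where int is expected, since bool subclasses
    int in Python and True would otherwise pass as an amount."""
    problems = []
    for field, (ftype, required) in spec.items():
        if field not in record:
            if required:
                problems.append(f"missing required field {field}")
            continue
        value = record[field]
        wrong_type = not isinstance(value, ftype) or (
            ftype is int and isinstance(value, bool))
        if wrong_type:
            problems.append(
                f"{field}: expected {ftype.__name__}, got {type(value).__name__}")
    for field in record:
        if field not in spec:
            problems.append(f"unexpected field {field}")
    return problems


def consumer_total_cents(records, spec=INVOICE_SPEC):
    """The reporting module: validate every record at the boundary and
    refuse the whole batch if any record breaks the contract."""
    violations = {}
    for r in records:
        problems = check_interface(r, spec)
        if problems:
            violations[r.get("invoice_id", "?")] = problems
    if violations:
        raise ValueError(f"interface violations: {violations}")
    return sum(r["amount_cents"] for r in records)


if __name__ == "__main__":
    print("v1 violations:", check_interface(producer_v1()))
    print("v2 violations:", check_interface(producer_v2_drift()))
    print("total:", consumer_total_cents([producer_v1(), producer_v1()]))
```

Running `check_interface` against every producer release in the build pipeline, rather than only at integration time, is the difference between a failed test and a reporting module that quietly sums the wrong numbers.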
What are some common server setup problems? Can you provide some real cases?
One real example I experienced was a server set up with the wrong RAID settings. The server OS was configured on logical drive 1, which was configured using RAID-0, which allows for fast speeds and maximum storage but provides no parity or ability to restore if a drive fails. Logical drive 2 was set up in RAID-5, which allows a RAID array to rebuild itself if a hard drive fails. In my case logical drive 1 failed and the OS could not be restored onto the server, which was a licensing server that engineers connected to, so they couldn’t work. We ended up having to rebuild the whole server from backups rather than just being able to put a new drive in the server and allow it to rebuild itself. Logical drive 1 should have been built in RAID-5.
Great example. As an IT auditor, it made me aware of the need for temporary backup and restore assistance when a drive fails. You also need to pay attention to the ability of the logical drive to rebuild the whole RAID array.
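Added example to go with the RAID story, not from either post: a toy simulation of the two layouts with one-byte blocks. RAID-0 stripes data with nothing to rebuild from, so one lost member loses the whole volume; RAID-5 writes one XOR parity block per stripe, rotating its position across members, so one lost member is rebuilt from the survivors and two lost members are not. The member count and the data are made up for the example, and real arrays work in large chunks rather than single bytes.

```python
"""Toy RAID-0 versus RAID-5 with one-byte blocks, to show why the OS volume
in the story could not be rebuilt. Added example for this thread; member
counts and data are made up, and real arrays stripe in large chunks."""


def raid0_write(data, members=3):
    """Stripe the bytes round-robin over the members. No redundancy."""
    disks = [bytearray() for _ in range(members)]
    for i, b in enumerate(data):
        disks[i % members].append(b)
    return disks


def raid0_read(disks):
    """A failed member is represented as None; RAID-0 cannot recover it."""
    if any(d is None for d in disks):
        raise IOError("RAID-0: a member failed, volume unrecoverable")
    n = len(disks)
    total = sum(len(d) for d in disks)
    return bytes(disks[i % n][i // n] for i in range(total))


def raid5_write(data, members=3):
    """Each stripe holds members-1 data blocks plus one parity block (the
    XOR of the data blocks); the parity position rotates every stripe."""
    width = members - 1
    data = data + b"\x00" * ((-len(data)) % width)  # pad to whole stripes
    disks = [bytearray() for _ in range(members)]
    for s in range(len(data) // width):
        chunk = data[s * width:(s + 1) * width]
        parity = 0
        for b in chunk:
            parity ^= b
        blocks = iter(chunk)
        for d in range(members):
            disks[d].append(parity if d == s % members else next(blocks))
    return disks


def raid5_rebuild(disks):
    """Reconstruct one failed member. The XOR of all blocks in a stripe is
    zero, so the missing block equals the XOR of the surviving ones."""
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise IOError("RAID-5: more than one member failed, volume unrecoverable")
    if not failed:
        return list(disks)
    survivors = [d for d in disks if d is not None]
    rebuilt = bytearray()
    for blocks in zip(*survivors):
        v = 0
        for b in blocks:
            v ^= b
        rebuilt.append(v)
    out = list(disks)
    out[failed[0]] = rebuilt
    return out


def raid5_read(disks, length):
    """Read back `length` bytes, rebuilding a single failed member first."""
    disks = raid5_rebuild(disks)
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(n):
            if d != s % n:  # skip this stripe's parity block
                out.append(disks[d][s])
    return bytes(out[:length])


if __name__ == "__main__":
    data = b"license-server-os-volume"
    r0, r5 = raid0_write(data), raid5_write(data)
    r0[0] = None  # simulate the failure from the story on both layouts
    r5[0] = None
    try:
        raid0_read(r0)
    except IOError as e:
        print("RAID-0:", e)
    print("RAID-5 after one failure:", raid5_read(r5, len(data)))
```

The simulation also shows the limit the second reply is pointing at: parity covers exactly one failure, so a rebuild that is still running when a second member fails ends the same way the RAID-0 volume did, and the restore plan has to cover that window too.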
Do you believe patching alone is an efficient security tool?
Patching is crucial but should not be the only method of security. Some patches can possibly have an adverse effect on a system and should not always be implemented right away without testing, so businesses should consider adding another layer of security in addition to host hardening.
Do you think virtualizing servers can make them more secure?
Great question, I think that virtualization of servers allows for a more efficient use of resources but the virtual server itself still needs to be set up with the same settings as if you had dedicated actual hardware to the server. In addition you need to also properly configure the hypervisor to ensure the server works securely.
Other than host-based, what are some other types of controls that can be used to protect a server?
In my classes and internships, I have used many virtual machines. How do you all feel about using virtual machines and the security of them?
Virtual machines seem safe to me. Although they could be copied without any permission, as long as you set a password in the virtual machine, they cannot access your VM. And if you want to share your VM with others, it will also be easy, as it is just a file. It is really convenient and safe from my perspective.
What examples of inward-facing servers can you think of that should apply the NIST 800-123 guidelines?
How can I make sure that the newly installed system can be hardened properly by current guidelines?