NIST 800-123 Guide to General Server Security addresses how to plan security aspects among server and application and provides appropriate safeguards to secure server operating system and server software. One key point which I picked from this standard is about securing the server operating systems. I listed some safeguard controls which I think a company should establish:
– Regularly update patches and OS
– Remove unnecessary services, applications and network protocols. Without this, hackers can take advantage of these vulnerabilities and gain access to the network.
– Establishing user authentication: Remove or disable default user accounts, disable inactive user accounts, and create user groups
– Establishing password policies including password length, complexity, aging, minimum use, and maximum use
Securing an OS is crucial for any computer user. I think you did a nice job outlining some basic, but very important, controls that all users should have established on their PCs. Removing default services, apps, and network protocols is definitely something that not many common users tend to consider when operating a new system, yet it is something that can be detrimental to their systems and servers.
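The account and password controls listed in the first post of this thread can be checked mechanically. The following Python script is an added example, not part of the original discussion or of NIST SP 800-123; it audits constructed samples in `/etc/passwd`, `/etc/shadow` and `pwquality.conf` format, and the policy thresholds, default-account names and last-login data are assumptions.

```python
"""Audit constructed account data against the controls listed in the post above."""
from datetime import date

# Assumed policy thresholds (illustrative; not values taken from NIST SP 800-123).
POLICY = {"minlen": 12, "minclass": 3, "max_days": 90, "min_days": 1,
          "inactive_after": 90}
# Assumed names of default accounts to flag if they can still log in.
DEFAULT_ACCOUNTS = {"guest", "admin", "test", "ftp"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample data (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
ftp:x:114:120::/srv/ftp:/usr/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
svcbackup:x:1004:1004::/home/svcbackup:/bin/bash
"""
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$constructed:19800:1:90:7:::
guest:$6$constructed:19000:0:99999:7:::
ftp:*:18000:0:99999:7:::
alice:$6$constructed:19850:1:90:7:::
bob:$6$constructed:19500:0:99999:7:::
svcbackup:!$6$constructed:19000:0:99999:7:::
"""
# Constructed last-login dates, as they might be exported from a login log.
LAST_LOGIN = {"root": date(2024, 5, 28), "guest": None,
              "alice": date(2024, 5, 30), "bob": date(2023, 11, 2)}
PWQUALITY = "# constructed pwquality.conf\nminlen = 8\nminclass = 1\n"
AUDIT_DATE = date(2024, 6, 1)  # fixed so the result is reproducible


def is_locked(pw_field):
    """A shadow password field starting with '!' or '*' cannot be used to log in."""
    return pw_field.startswith(("!", "*"))


def audit_accounts(passwd=PASSWD, shadow=SHADOW, last_login=LAST_LOGIN,
                   today=AUDIT_DATE):
    """Return (user, finding) pairs for accounts that can still log in."""
    shadow_by_user = {l.split(":")[0]: l.split(":") for l in shadow.splitlines()}
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        name, shell = fields[0], fields[6]
        sh = shadow_by_user.get(name)
        if sh is None or shell in NOLOGIN_SHELLS or is_locked(sh[1]):
            continue  # disabled accounts already satisfy the control
        if name in DEFAULT_ACCOUNTS:
            findings.append((name, "default account is enabled"))
        seen = last_login.get(name)
        if seen is None or (today - seen).days > POLICY["inactive_after"]:
            findings.append((name, "inactive account is enabled"))
        # Empty aging fields mean "no limit"; treat them as 0 / 99999 days.
        if int(sh[4] or 99999) > POLICY["max_days"]:
            findings.append((name, "password maximum age exceeds policy"))
        if int(sh[3] or 0) < POLICY["min_days"]:
            findings.append((name, "password minimum age below policy"))
    return findings


def audit_pwquality(text=PWQUALITY):
    """Compare minlen (length) and minclass (complexity) with the policy."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ("minlen", "minclass"):
                settings[key] = int(value)
    findings = []
    for key in ("minlen", "minclass"):
        have = settings.get(key, 0)  # a key missing from the file is reported as 0
        if have < POLICY[key]:
            findings.append((key, f"{have} is below required {POLICY[key]}"))
    return findings


if __name__ == "__main__":
    for item in audit_accounts() + audit_pwquality():
        print(*item, sep=": ")
```
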
The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function. The major point taken from this reading is the importance of the planning process as related to securing servers. NIST’s recommendations state that “Organizations are more likely to make decisions about configuring hosts appropriately and consistently if they begin by developing and using a detailed, well-designed deployment plan. Developing such a plan enables organizations to make informed tradeoff decisions between usability and performance, and risk.” It’s also important to note that server security problems can be traced from lack of planning or management controls.
Good points, Percy. Also, the NIST 800-123 document explained in detail the need for organizations to maintain a test or development server for their most important servers. According to the NIST guideline, the test server can be located on an internal network segment (intranet) where it can be fully protected by the firm’s perimeter network defenses. This is necessary because having a test server provides a platform to test new patches and service packs before application on the production server, and it gives the server administrator a platform to develop and test new content and applications.
This special edition of NIST gives us a brief introduction to the activities involving securing and maintaining server security in an enterprise environment. I was intrigued by the relative involvement of organizations towards human resources department for securing a server. Due to inadequate efforts by organizations for recognizing the human expertise needed in securing servers, many a time employees are overworked, leaving the environment insecure. This document emphasizes considering the staffing requirements as early as the Risk Assessment stage of servers. The 3 recommendations are evaluating the required personnel, required skill set and plans for arranging personnel if needed. It is important to note that as the threat environment for IT servers keeps on changing with the evolution of technology, similarly the staff handling these sensitive information systems should be assessed and additional training should be provided to acquire the requisite skills.
Hi Akshay,
I agree with you that employees/personnel can be a self-destruct button as regards protecting a server if they are not well trained, monitored and skilled enough to perform their duties. As said, employees are the greatest risk to systems.
The purpose of this document is to provide fundamental activities for securing and maintaining the servers, including recommendations for selecting, implementing and maintaining the required security controls. To summarize basic steps in initiating a new server:
• Plan the installation and deployment of the operating system and all components of the server.
• Identify server roles - what kinds of information will it store, and what services will it provide.
• Identify the network services - HTTP, SMTP, FTP, etc.
• Identify network service software to be installed on client and support server.
• Identify the users of the servers.
• Determine the privileged user groups.
• Determine the way that server will be managed - managed locally, remotely from internal networks or remotely from external networks.
• Determine authentication method - how users will be authenticated.
• Decide which server application meets required security controls and your needs.
Hi Zeynep,
Thank you for summarizing the important steps to establish a new server. Overall, I think that identification is the most important because it is the foundation of everything: the organization has to ensure that they properly identify server roles, network services, and privileged user groups. Without this, the organization might not be able to carry out an appropriate risk analysis.
One key thing to remember from this document is that before you decide whether to test the production server or a similarly configured non-production server, ensure that testing on the production server will not cause denial of service. Secondly, if testing could expose people’s PII, the organizations should consider performing the testing on a non-production server that holds a false version of people’s PII.
Also, organizations need to maintain a test or development server for their most important servers, and this can be located on an internal network segment (intranet) where it can be fully protected by the firm’s perimeter network defenses. This is necessary because having a test server provides a platform to test new patches and service packs before application on the production server, and it gives the server administrator a platform to develop and test new content and applications and/or test configuration settings before applying them to production servers.
Hi Innocent, nice reply! I like how you addressed the often forgotten part of the SDLC cycle that is testing. I always say in my internship to plan for double the amount for planning and testing. Most of the testing I do on a system is first with a “non-prod” version of the system with “non-prod” or test data. This will ensure that no personal data is lost in the testing process. And yes, I absolutely agree that the test environment needs to be close to the center of the organization’s system. In my internship, the test environment is the first to get updates so we know which part of the system it will break.
Hello Ugo,
Good observation on the importance of the test environment in an organization. Most of the time patches are not applied to critical systems because these patches cannot be tested on duplicate systems and hence there is uncertainty over the functioning of the systems after patching. And secondly, as you mentioned, test data should be used and not actual production data while performing testing, and as IT Auditors, we should seek assurances and evidence from the development group that this practice is followed.
One of my key takeaways from 800-123 was how crucial initial planning of a server deployment is. There are a number of questions that need to be asked before a server can just be deployed onto the network. Planning a server deployment with security in mind allows an organization to weigh the trade-offs between usability, performance, and risk. Section 3.1 covers a number of key planning factors that assist in a secure deployment; if these questions are asked and properly answered then it makes life much easier in the future. Another section I think is crucial to maintaining a secure network is having a test server. Having a test server can provide a space that allows you to see how new patches or changes interact with your existing environment. This can prevent you from accidentally DDoS’ing yourself or allows you to apply a new patch and do a vulnerability test. Overall a test server should be maintained so you never accidentally break your production environment.
Hey Chris, nice response! I agree with you that planning is one of, if not the, most important steps along the SDLC of a server. Servers are essentially the backbone of an organization and securing them is imperative. I like how you mentioned/analyzed the tradeoffs that a company has to face on the daily to ensure that the decisions they’re making are in the best interest of the organizations and their countless stakeholders. It’s very important and I’m glad you mentioned that!
The NIST 800-123 general server security guide shows how the server’s infrastructure and requirements can meet the security protocol. When the server is created and used, the server needs some control and proper setup to protect the server itself, for example, to plan the installation and deployment of the server’s operating system (OS) and other components, proper firewall setup and log management and maintenance.
Yes, Han. It is necessary to protect the server operating system by updating patches and OS regularly, eliminating unnecessary services, applications and network protocols, establishing user authentication, disabling default user accounts or inactive accounts, and by creating user groups. Also, it is important to establish strong password policies.
Hi Junjie,
As you have said, a server needs some control and proper setup, which means the planning prior to the control and setup is also really critical.
After reading through the NIST 800-123 publication, which emphasizes the need and certified methods used to secure outwardly-facing publicly accessible servers and some inwardly-facing servers such as web or infrastructure management servers respectively, I found myself overwhelmed with the intricacies of securing server software. While there are many similarities in the way the document describes the method to secure the operating system and the method to secure the server software, the securing of server software also requires that you are knowledgeable of the security configuration of the operating system in order to ensure that you are assigning appropriately strict permissions for users, adding an additional layer of considerations that need to be made. One thing I did find quite interesting that I had previously not considered in regards to server software security is limiting the amount of data able to be uploaded through the server and mandatory screening of uploaded content to the server prior to the server reading it and making it accessible to other users.
A key takeaway I received from this reading is that there’s a specific set of procedures done to detect and mitigate vulnerabilities found in a newly installed OS or upgrade.
These procedures include:
- Create, document, and implement a patching process
- Identify vulnerabilities and applicable patches
- Mitigate vulnerabilities temporarily if needed and if feasible (until patches are available, tested, and installed)
- Install permanent fixes (patches, upgrades, etc.)
Hello,
After glancing through your takeaways from reading the NIST 800-123 publication titled “Guide to General Server Security”, I felt more grounded in my own takeaways from reading that particular section of the document as well. It really helped to see your summarization of many of the more important procedures for securing fresh operating systems, since the ability to summarize what you’ve read shows a true understanding of the content.
A key takeaway I received from this reading is that there’s a specific set of procedures done to detect and mitigate vulnerabilities found in a newly installed OS or upgrade.
These procedures include:
- Create, document, and implement a patching process
- Identify vulnerabilities and applicable patches
- Mitigate vulnerabilities temporarily if needed and if feasible; in the case when patches are available, tested, and installed
- Install permanent fixes, such as patches, upgrades, etc.
NIST 800-123 is a very detailed guideline and set of best practices on how to handle servers and make them more secure: policies, patches, tests, documentation, and backup. The latter should follow the rule of 3:
Have at least three copies of your data. Store the copies on at least two different media types. Keep at least one of those copies offsite.
I would add having at least 6 months to a year of backups for important data.
Yes, you’re right. It is important to store backup data from servers in different locations. There is also a need for parallel server hosts to prevent the server in use from accidentally terminating the service. This ensures business continuity.
Hi Joseph,
Having backup is very important. Obtaining multiple different sources of backup ensures that if one backup isn’t accessible, another one is.
Best,
Natalie
One key takeaway from NIST 800-123 was what information should be included to create an effective system security plan. Generally, SSPs should include:
– System Identification
Includes information like: key points of contact for the system, system purpose, level of sensitivity, system environment (network environment, placement on the network, and relationship with other systems).
– Controls
Management Controls – focus on security and risk
Operational Controls – implemented by people (specialists); rely on management and technical controls
Technical Controls – mechanisms used by the system; provide automated protection, detect security violations, and support application/data security requirements. Always require operational considerations and must align with the organization security plan.
The information system owner is responsible for the definition of parameters, functions, and security requirements. SSPs should be viewed as a way to understand the process in effectively securing a system.
Below are five of the steps for ensuring the security of a server:
1. Plan the installation and deployment of the operating system (OS) and other components for the server.
2. Install, configure, and secure the underlying OS.
3. Install, configure, and secure the server software.
4. For servers that host content, such as Web servers (Web pages), database servers (databases), and directory servers (directories), ensure that the content is properly secured.
5. Employ appropriate network protection mechanisms (e.g., firewall, packet filtering router, and proxy).
6. Employ secure administration and maintenance processes, including application of patches and upgrades, monitoring of logs, backups of data and OS, and periodic security testing.
We auditors will focus on 5 and 6 of these processes. This is interesting because even after the OS and hardware are set up there is more to be done, including monitoring and maintenance, aspects that are often forgotten.
The key takeaway for me is about how the planning part affects other steps. First of all, we need to identify the purposes of the server: why we need it and how we are going to use it. After identifying, we need to assign the suitable personnel so that the human resource can be maximized. Also, having good management practices will make some of the steps easier to process, and the server can be built faster and more safely.