Under section 5, Securing the Server Software, the guideline suggests hardening the server by removing any superfluous accounts, services, ports, default settings and any manufacturer documentation automatically added during server software installation. These steps are necessary since attackers often prey on how complacent system administrators were during system installation. Removing any unnecessary services reduces the attack surface and mitigates any risks associated with that service. The suggestions in this guideline are effective and, when used with other security practices, they help achieve a high level of system security.
Hi Humbert,
In addition, the NIST 800-123 documentation details the need for an organization to maintain a test or development server for its most important servers. According to NIST guidelines, the test server can be located on an intranet segment and is fully protected by the company’s perimeter network defenses. This is necessary because having a test server provides a platform to test new patches and service packs before applying them on the production server, and provides a platform for server administrators to develop and test new content and applications.
The server is the service equipment that the enterprise website cannot do without. Still, while using the server, there are also some negative effects, such as the independent server’s security problem. It is also a critical task to ensure the security of website servers in the enterprise.
The website server character permission assignment is set to the lowest. One person alone cannot use the website server; it requires multiple people to work together. In the face of different operations, we should also assign different permissions. When assigning permissions, they should be controlled within the operation’s minimum range to reduce damage to the website server.
According to the server’s characteristics, the security measures are flexibly used to develop the network, and high-end languages, databases, and scripting languages are required. While ensuring the network server’s security, the scripting language version used should be updated in time to avoid loopholes. Secondly, the parameters should be adopted to distinguish the differences. Generally, a network server is set up on the intranet, and a firewall needs to be set up. The firewall can be set on the top of the router to improve the safety factor.
The NIST 800-123 General Server Security Guide describes how to plan for security between a server and an application, and provides appropriate safeguards to protect the server operating system and server software. I think the company should follow the following safeguard control measures:
– Regularly update patches and operating systems.
– Remove unnecessary services, applications, and network protocols. In addition, hackers can exploit these vulnerabilities and gain access to the network.
– Set up user authentication: delete or disable default user accounts, disable inactive user accounts, and create user groups.
– Establish password policies, including password length, complexity, duration, minimum and maximum usage.
Hi Wenyao,
At times the basic steps happen to be the Achilles tendon when it comes to matters of security in a given host environment. As the guideline suggests, security professionals need to ensure that all server defaults are changed and documentation instances removed from the production system. Given access, attackers can easily use them to perpetrate an attack and compromise the network systems.
Hi Wenyao, I agree with your views, especially that operating systems in servers require timely maintenance, including patching vulnerabilities and updating the operating systems to fix security bugs and vulnerabilities. Any known vulnerabilities an OS has should be corrected before using it to host a server or otherwise exposing it to untrusted users. Administrators should make sure that the servers, particularly new ones, are adequately protected during the patching process. Hardening of the OS is critical for successful information security.
The server security planning is highly related to the organization’s general information system security posture; IT and system security staff will play different roles in the server planning, implementation, and administration. The Chief Information Officer provides direction and advisory services for the protection of information systems for the entire organization and ensures that the organization’s security posture is adequate. The Information Systems Security Program Managers (ISSPM) oversee the implementation of and compliance with the standards, rules, and regulations specified in the organization’s security policy. Information Systems Security Officers (ISSO) monitor all aspects of information security within a specific organizational entity. They ensure that the organization’s information security practices comply with organizational and departmental policies, standards, and procedures. Server administrators are system architects responsible for the overall design, implementation, and maintenance of a server. Network administrators are responsible for the overall design, implementation, and maintenance of a network. Security administrators are dedicated to performing information security functions for servers and other hosts, as well as networks.
Hi Xinyi,
This guideline offers clear definitions of what needs to be done to achieve an acceptable level of security for a server/host environment. As you mentioned, clearly defined roles are a major step in ensuring optimum security, as everyone involved needs to know and understand what is required of them in terms of securing the host.
Hi Xinyi,
I like that many of the server security issues you’re talking about are due to poor planning and poor management control. Sometimes the servers we see shouldn’t even exist, because they’re copies of something else. Some people will start their own servers to do something, instead of using the company’s servers and so on, rather than queuing. This kind of behavior must be squeezed out of the organization, and policy/management control can do it.
This is a good article, a good summary of the server configuration and security. I particularly like section 4 and the information provided to protect the operating system. We also mentioned patching, configuring strong authentication, and host enhancement. I’m glad to see that we’ve learned and read so much about applications in this guide. My main harvest is so much real start and policy. Whether it is a password policy or a set of rules designed to continuously test and maintain the security of the server and its environment, these rules need to be implemented and followed to ensure that the secure operating system always hosts the server. Second, all of this must be an ongoing effort to constantly review, test, and respond to new threats as they evolve. We have heard that many vulnerabilities are due to weak passwords or untimely / lack of security fixes, both of which are directly related to the security of the operating system.
Section 6 of this article talks about maintaining the security of the server. After deploying a server, administrators need to maintain its security continuously. The general recommendations for securely administering servers are handling and analyzing log files, performing regular server backups, recovering from server compromises, testing server security regularly, and performing remote administration securely. One of the methods I would like to mention is logging. Logging involves capturing the correct data and then monitoring the logs. Logs can be used to detect failed and successful intrusion attempts and to initiate alerts when further investigation is required. Organizations should use a tool to actively monitor logs to identify and alert on security issues. This article mentions SIEM software that can be used for centralized logging and can perform automated log file analysis as well. Another important point is to back up and archive the log files regularly.
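The post above describes using logs to detect failed and successful intrusion attempts and to raise alerts. The following is an added example, not part of the original discussion or of NIST SP 800-123, showing what that automated log analysis looks like in practice: it parses constructed sshd-style syslog lines, keeps a sliding window of failed logins per source address, and raises one alert when the failures exceed a threshold and another when a successful login follows that burst from the same source. The log lines, the host name `web01`, the addresses (from documentation ranges) and the year used for parsing are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in OpenSSH/syslog style (not captured from a real host).
SAMPLE_LOG = """\
Mar 10 08:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:05 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:09 web01 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51141 ssh2
Mar 10 08:01:14 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 10 08:01:20 web01 sshd[1209]: Failed password for root from 203.0.113.7 port 51162 ssh2
Mar 10 08:01:31 web01 sshd[1211]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Mar 10 08:02:00 web01 sshd[1215]: Failed password for alice from 198.51.100.23 port 40011 ssh2
Mar 10 08:02:30 web01 sshd[1218]: Accepted publickey for alice from 198.51.100.23 port 40020 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user X from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; an assumed value is needed to parse them


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not an sshd auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = re.sub(r" +", " ", m.group("ts"))  # syslog pads single-digit days with two spaces
    return {
        "time": datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def _prune(window, now, window_seconds):
    """Drop failure timestamps that fell out of the sliding window."""
    while window and (now - window[0]).total_seconds() > window_seconds:
        window.popleft()


def analyze(log_text, threshold=5, window_seconds=300):
    """Return alerts for failed-login bursts and for successes that follow such a burst."""
    failures = defaultdict(deque)  # source address -> timestamps of recent failures
    alerted = set()                # sources already reported for brute force
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = failures[ev["src"]]
        _prune(window, ev["time"], window_seconds)
        if ev["result"] == "Failed":
            window.append(ev["time"])
            if len(window) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "count": len(window), "time": ev["time"]})
        elif len(window) >= threshold:
            # A successful login right after a burst of failures deserves a human look.
            alerts.append({"rule": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The two rules are deliberately separate: a burst of failures is a common, low-urgency signal, while a success that follows the burst is the event that should page someone. A SIEM applies the same logic across many hosts; running it per host, as here, is what the post means by monitoring the logs rather than merely collecting them.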
Hi Priyanka, I agree with your point. Maintaining server security is very important. The system administrator should run server backups from time to time and keep patches updated from time to time to prevent any vulnerabilities.
The one key point I want to discuss is the importance of patches and upgrading the operating system. When Microsoft releases a new patch, it means that Microsoft has identified some vulnerabilities that need to be updated in individual systems. The administrators should ensure that their operating system is up to date. If not, the servers are inadequately protected for maintaining daily activities securely, and hackers will take advantage of this to attack their systems. Although we understand that it is important to keep our systems patched and upgraded on a timely basis, many organizations often ignore this essential action. In particular, one of our case studies, Maersk, kept using the discontinued and unsupported system, Windows 2000 Server, and then it was attacked by NotPetya ransomware. In order to secure the operating system, organizations should make sure their systems are fully patched and configured securely so that they mitigate the risk as much as possible.
Hi Cami, I agree with you that Microsoft releases patches in order to repair vulnerabilities within the system. System vulnerabilities refer to flaws or errors in the logic design of application software or operating system software, which are used by criminals to attack or control the entire computer through network implantation of Trojan horses or viruses to steal important data and information in your computer, or even destroy your system. These vulnerabilities need to be fixed to prevent unnecessary losses.
I think an important factor in assessing server security is to properly test out the system to make sure it actually works. An organization could put together an expensive server that would protect the company in theory, but if they don’t test it out, it could potentially not work and cost the organization greatly. A key part of penetration testing is to test human response to attack indications. Humans are often the greatest variable to overcome, so this is a very important step. Other benefits of penetration testing include using tools and methods commonly used by attackers, verification of whether vulnerabilities are present and how to exploit them, and demonstrating that a threat isn’t theoretical.
The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function. The types of servers include outward-facing publicly accessible servers, such as web and email services, and a wide range of inward-facing servers. This document discusses the need to secure servers and provides recommendations for selecting, implementing, and maintaining the necessary security controls.
The key takeaway from this document is the basic server security steps:
1. Plan the installation and deployment of the operating system (OS) and other components for the server.
2. Install, configure, and secure the underlying OS.
3. Install, configure, and secure the server software.
4. For servers that host content, such as Web servers (Web pages), database servers (databases), and directory servers (directories), ensure that the content is properly secured.
5. Employ appropriate network protection mechanisms.
6. Employ secure administration and maintenance processes.
These steps and practices are designed to assist organizations in installing, configuring, and maintaining secure servers and help mitigate the risks associated with servers.
When an organization deploys a server, there should be a standard process to secure it from threat actors before exposing it externally to the network and placing it for public access. Prior to deployment, the implementation team should know what version of software is being deployed on the server. With this knowledge, the team can research whether there are any known vulnerabilities by using a vulnerability database such as the National Vulnerability Database, and whether there are ways to mitigate or resolve the vulnerability. Additionally, there are common hardening strategies that need to occur as well. One practice is to disable all services that are not required by the server application. For example, if it is a web server, only have ports 80 and 443 open. Another practice is to remove or disable unneeded default user accounts and change default credentials. There are many more, but all are important in reducing the attack surface.
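The post above recommends that a web server expose only ports 80 and 443. A pre-deployment check of that rule is the kind of thing an implementation team can script; the example below is added here and is not from the original post or from NIST SP 800-123. It parses the output of `ss -tlnp` (the listening-TCP-sockets listing on Linux) and reports every listener whose port is outside an allowlist, distinguishing sockets bound to all interfaces from loopback-only ones. The `ss` output is constructed for the example, and the allowlist of {80, 443} follows the post; in a real deployment the administrative port (for example SSH) would be added to the allowlist rather than left as a finding.

```python
import re

# Constructed `ss -tlnp` output for a hypothetical web server (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=812,fd=6))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=812,fd=7))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      50     0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=901,fd=4))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=720,fd=21))
LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=812,fd=8))
"""

# One LISTEN row: state, queues, local address:port, peer, and the optional owning process.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_output):
    """Yield one dict per listening socket: address, port and process name (if shown)."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN row
        addr, port = m.group("local").rsplit(":", 1)  # rsplit keeps IPv6 forms like [::] intact
        yield {"addr": addr, "port": int(port), "proc": m.group("proc") or "?"}


def audit_listeners(ss_output, allowed_ports=frozenset({80, 443})):
    """Return listeners outside the allowlist, rated by how reachable they are."""
    findings = []
    for sock in parse_listeners(ss_output):
        if sock["port"] in allowed_ports:
            continue
        if sock["addr"] in LOOPBACK:
            severity = "info"
            reason = "loopback-only listener; not network reachable, but still a running service to justify"
        else:
            severity = "high"
            reason = "listening on a network-facing interface outside the allowlist"
        findings.append({**sock, "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: (f["port"], f["addr"]))


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f'{f["severity"]:4}  port {f["port"]:<5} {f["addr"]:<12} {f["proc"]:<8} {f["reason"]}')
```

On a real host the same function would be fed `subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout`. The useful property of the check is that it is driven by an explicit allowlist: anything not named is a finding, which is the opposite of hunting for known-bad ports and matches the post's point about reducing the attack surface.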
Hi, Anthony. Yes, you are right. You pointed out several significant factors in how an organization deploys its server. These essentials will help the organization mitigate some serious risks. When it finishes the implementation of deploying the server, it should keep tracking and monitoring whether the system version is updated and patched, so it can reduce the vulnerabilities that occur.
The bulleted items in NIST SP 800-123 are guidelines all organizations must take toward hardening their servers. I also recommend everyone does the same with their home computer. Removing unnecessary software from the system will help reduce the amount of resources being used. Those resources could then be used to run the software or application that it is intended for without any issue with competing resources. Everyone should update and maintain their OS patches to make sure they are protected against the latest threats. The logging should also be enabled in case there is any need to investigate the events on the system.
Hi Johnathan, I agree with your takeaways, removing unnecessary software and patches are ways we can harden our system. Removing unnecessary installed programs can help your PCs save storage and also cut down on processing power. A big root cause of many attacks we’ve learned is lack of patching. To adequately protect our systems from known and undisclosed threats, manufacturer updates and patching are simple steps we can do to protect our system.
I learned that hardening for this Special Publication is defined as performing the following steps: removing unnecessary services, applications and network protocols, configuring OS user authentication, and configuring the resource controls appropriately. In specific high-security situations, the OS should be configured to operate as a bastion host, where the host is configured with the least functionality possible.
I agree with your assessment, especially with removing unnecessary services. Oftentimes, services run in the background that are not conducive to the operation of the server, and could slow it down, or worse, open the server to vulnerabilities that could be malicious.
I learned that a good hardened system depends on many technological factors, good management, and also good system security planning. Having a system security plan helps improve the protection of the information system resources. Plans that help adequately protect information assets have top-level management involved, such as the managers and information owners. They are the users that will have the most implications and setbacks if the system is compromised.
The system security plan should have a combination of system identification and controls in place intended to meet the protection requirements of the information system. The system identification requires that the plan contain “key points of contact for the system, the purpose of the system, the sensitivity level of the system, and the environment in which the system is deployed, including the network environment, the system’s placement on the network, and the system’s relationships with other systems”. The plan should have control measures in place or planned that can meet the protection requirements of the information system. That includes operational controls, management controls, and technical controls.
This reading outlines the importance of patch management on servers and best practices for overall machine and operating system hardening. It makes note of testing all patches before installing them on production servers, as they can inadvertently cause unexpected problems with the server or any legacy software running on it. It goes into ideas such as removing or disabling unnecessary services and applications. Services are often used by attackers as a form of persistence, and special care should be taken to ensure they are hardened or removed if not being used. Removing unused services also reduces the amount of logs generated on the machine. It is also important to make sure that services are not running with an elevated or super user account unless absolutely necessary. This is very important to take note of, as, should a vulnerable service get exploited, the attacker will not immediately have administrative privileges on the machine.
I think the best way to perform patch management for organizations is to automate, as this provides significant time savings: patch management can be time consuming, and there is always a risk of some systems being patched while others are left out. It is effective to schedule scans on a daily or weekly basis to analyze the environment and deploy all critical patches. Another important point is to test the patches before deploying them, as not testing can cause problems if they are not applied properly.
The most important function of a Server Administrator is to maintain the integrity of the data on the server. To protect the availability of data on the server regular backup needs to be performed to ensure the data is saved. There are multiple methods of backing up data. A full backup is the simplest form of backup, which contains all of the folders and files that you selected to be backed up. A full backup is also the easiest type of backup to restore, because it only requires a single backup file set to be restored. Incremental backups allow for substantial storage space savings as they only back up files that have been created or changed since the last full or Incremental backup. Incremental backups are also faster, thus requiring a shorter backup window. Differential backups fall somewhere in between Full and Incremental backups. A Differential backup means you essentially have a cumulative backup of all changes made since the last full backup. This means that Differential backups are larger in size than Incremental backups, because they are more like a rolled up version of all of the Incremental backups done since the last Full backup.
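The post above contrasts full, incremental and differential backups by what each one contains and by how many backup sets a restore needs. The simulation below is an added example, not from the original post or from NIST SP 800-123; it models a file catalog as a map from path to last-modified time, runs the same constructed change timeline under an incremental and a differential strategy, and then rebuilds the latest state from the restore chain each strategy requires. The file names, times and change sequence are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str    # "full", "incremental" or "differential"
    time: int    # when the backup was taken (constructed units)
    files: dict  # path -> mtime of the copy captured in this backup


def files_to_back_up(kind, catalog, history):
    """Select the files a backup of the given kind must contain.

    catalog: path -> last-modified time of the live file system.
    history: previous Backup objects, oldest first.
    """
    if kind == "full" or not history:
        return dict(catalog)
    if kind == "incremental":
        since = max(b.time for b in history)                      # any backup resets the baseline
    elif kind == "differential":
        since = max(b.time for b in history if b.kind == "full")  # only the last full does
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return {p: m for p, m in catalog.items() if m > since}


def take_backup(kind, catalog, history, now):
    return history + [Backup(kind, now, files_to_back_up(kind, catalog, history))]


def restore_chain(history):
    """Backup sets needed, in order, to rebuild the latest state (one strategy per history)."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    later = history[last_full + 1:]
    incrementals = [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    if incrementals and differentials:
        raise ValueError("mixed incremental/differential histories are out of scope here")
    if incrementals:
        return [history[last_full]] + incrementals     # full plus every incremental since
    if differentials:
        return [history[last_full], differentials[-1]]  # full plus only the newest differential
    return [history[last_full]]


def restore(history):
    """Apply the restore chain oldest-first so newer copies overwrite older ones."""
    state = {}
    for b in restore_chain(history):
        state.update(b.files)
    return state


def simulate(strategy):
    """Run a constructed change timeline and report backup sizes and the final restore."""
    catalog = {"a": 0, "b": 0, "c": 0, "d": 0}
    history = take_backup("full", catalog, [], now=0)
    catalog["a"] = 5                       # a changes, then backup at t=10
    history = take_backup(strategy, catalog, history, now=10)
    catalog["b"] = 15                      # b changes, then backup at t=20
    history = take_backup(strategy, catalog, history, now=20)
    catalog["a"], catalog["c"] = 25, 25    # a again and c change, then backup at t=30
    history = take_backup(strategy, catalog, history, now=30)
    sizes = [len(b.files) for b in history]
    return sizes, len(restore_chain(history)), restore(history), catalog


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sizes, chain_len, restored, live = simulate(strategy)
        print(f"{strategy:12} sizes={sizes} restore sets={chain_len} ok={restored == live}")
```

The numbers show the trade-off in the post: the incremental run stores fewer files per backup but needs the full set plus every incremental to restore, while the differential run grows each time but restores from two sets. A lost or corrupt incremental in the middle of the chain breaks everything after it, which is one reason regular restore tests belong next to the backup schedule.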
The one thing that I learned in this document is the steps of recovering from a security compromise. A server administrator should follow the organization’s policies and procedures for incident handling, and the incident response team should be contacted for guidance before the organization takes any action after a suspected or confirmed security compromise. The first step is to report the incident to the organization’s computer incident response capability. Secondly, isolate the compromised systems or take other steps to contain the attack so that additional information can be collected. The third step should be to consult expeditiously, as appropriate, with management, legal counsel, and law enforcement. The fourth step is to investigate similar hosts to determine if the attacker has also compromised other systems. Analyze the intrusion, including the current state of the server, starting with the most ephemeral data; modifications made to the server’s software and configuration; modifications made to the data; tools or data left behind by the attacker; and system intrusion detection and firewall log files.
This too caught my eye. As always anyone in Risk is looking for the best method to recover from a security breach. I always find it interesting that the PR group isn’t ever directly mentioned in these scenarios, but every company I have worked at has Public Relations on speed dial to see how they can spin the situation so it’s less damaging to the company. Honestly, Legal and PR are the two first numbers on the contact list.
Operating systems in servers require timely maintenance, including patching vulnerabilities and updating the operating systems to fix security bugs and vulnerabilities. Any known vulnerabilities an OS has should be corrected before using it to host a server or otherwise exposing it to untrusted users. Administrators should make sure that the servers, particularly new ones, are adequately protected during the patching process. Hardening of the OS is critical for successful information security.
I agree with your takeaways. Patching does require a lot of time and resources due to the extensive testing and just the sheer amount of patches being released. Due to this, organizations must prioritize which are the most important patches to mitigate risk. With that being said, even smaller patches should eventually be applied to ensure the best security.
I found the section on server, Network and Security Administrators important as these are the people that we provide the keys to the machine with. They are able to do more than almost anyone, they can review anything and provide access to anyone. These positions are the first line of defense before the attack even tries to touch the actual system. They place policies, create guidelines and help employees understand why they do the things they do and how it benefits the company as a whole. In addition, they analyze threats that come in and use that information to devise better defenses versus future attacks.
NIST 800-123 highlights key points to consider when securing servers. Like many of these publications, NIST 800-123 establishes the basic need of having a Security Policy in place prior to beginning this process. It is important to conduct the following steps with the company vision and mission in mind to maintain the context in place. Each section covers an area of these basic steps:
Section 4 describes the installation, configuration and security of the Operating System.
Section 5 covers the same but at the server software level. It also goes over different types of servers and what is in the scope of the guideline.
Section 6 describes the recommended administration and maintenance processes such as patches, upgrades, monitoring etc.
Hi, Vanessa, I agree with your key points of this document. This document discusses the need to secure servers and provides recommendations for selecting, implementing, and maintaining the necessary security controls. And this document introduces 6 basic server security steps to assist organizations in installing, configuring, and maintaining secure servers and help mitigate the risks associated with servers.
Web requests and responses are based on HTTP, which is a stateless protocol. So in order to preserve a user’s state across multiple requests, we need a tool that helps us record and identify each request and other information requested. So, we need session management! The basic methods of session management include hidden fields, cookies, and URL rewriting. The latter two are used more frequently. Customers need a session ID to identify themselves, just like the ID number each of us has. For the first request from the customer, the container generates a unique session ID and returns it to the user accordingly. The customer sends back the session ID in a subsequent request. When the container sees the ID, it finds a matching session and associates that session with the request. The way to store session IDs is through cookies! The cookie is stored on the client and sent back to the client by the server in the response. After each request, the cookie will be added to the request. The session exists on the server and stores information from the session in an HttpSession object as an attribute. When called, you simply call the appropriate attribute from the HttpSession object.
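The post above describes the cookie-based session mechanism: the container mints a unique session ID on the first request, the client returns it in a cookie, and the server keeps the session's attributes in a server-side object. The example below is added here and is not from the original post or from any servlet container; it is a small Python model of that mechanism showing the parts that matter for security: an ID drawn from the OS CSPRNG so it cannot be guessed, an idle timeout, a `Set-Cookie` header with the `HttpOnly`, `Secure` and `SameSite` attributes, and regeneration of the ID when a session changes privilege (for example at login), so an ID handed out before authentication is not kept afterwards. The cookie name `JSESSIONID`, the TTL and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG; the ID must be unguessable


@dataclass
class Session:
    """Server-side counterpart of the HttpSession object: attributes never leave the server."""
    expires_at: float
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """In-memory session table keyed by session ID (a real container would persist this)."""

    def __init__(self, ttl_seconds=1800, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = Session(expires_at=self.clock() + self.ttl)
        return sid

    def get(self, sid):
        """Look up a session; expired entries are dropped so a stale cookie cannot resume them."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.clock() >= session.expires_at:
            del self._sessions[sid]
            return None
        session.expires_at = self.clock() + self.ttl  # sliding idle timeout
        return session

    def regenerate(self, sid):
        """Move a live session to a fresh ID and retire the old one (do this at login)."""
        old = self.get(sid)
        if old is None:
            return None
        new_sid = self.create()
        self._sessions[new_sid].attributes = old.attributes
        del self._sessions[sid]
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)  # logout: the server forgets the ID, not just the client


def set_cookie_header(sid, name="JSESSIONID"):
    """HttpOnly keeps scripts from reading the ID, Secure keeps it off plaintext HTTP,
    SameSite=Lax stops most cross-site requests from carrying it."""
    return f"{name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie(cookie_header, name="JSESSIONID"):
    """Extract the session ID from a request's Cookie header, or None if absent."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value or None
    return None


def handle_request(store, cookie_header):
    """Simulated request: resume the session named by the cookie, or start a new one."""
    sid = session_id_from_cookie(cookie_header)
    session = store.get(sid) if sid else None
    if session is None:
        sid = store.create()          # first request: the server mints the ID
        session = store.get(sid)
    session.attributes["hits"] = session.attributes.get("hits", 0) + 1
    return sid, session


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid, _ = handle_request(store, None)
    print("Set-Cookie:", set_cookie_header(sid))
    sid, session = handle_request(store, f"JSESSIONID={sid}")
    print("second request saw hits =", session.attributes["hits"])
```

The server-side lookup is the whole point of the design in the post: the client only ever holds an opaque ID, so the data in the session cannot be tampered with from the browser, and a session can be ended or rotated by the server regardless of what cookie the client still has.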
Under this section 5 securing the server software, the guideline suggests hardening the server by removing any superfluous accounts services, ports, default settings and any manufacturer documentation automatically added during server software installation. These steps are necessary since attackers often prey on how complacent system administrators were during system installation. Removing any unnecessary services reduces the attack surface and mitigates any risks associated with that service. The suggestions in this guideline are effective and when used with other security practices, the help achieve a high level of system security.
Hi Humbert,
In addition, the NIST 800 123 documentation details the need for an organization to maintain a test or development server for its most important servers. According to NIST guidelines, the test server can be located on an Intranet segment and is fully protected by the company’s peripheral network defenses. This is necessary because having a test server provides a platform to test new patches and Service packs before applying them on the production server, and provides a platform for server administrators to develop and test new content and applications.
The server is the service equipment that the enterprise website cannot do without. Still, while using the server, there are also some negative effects, such as the independent server’s security problem. It is also a critical task to ensure the security of website servers in the enterprise.
The website server character permission assignment is set to the lowest. One person cannot do the use the website server. It requires multiple people to work together. In the face of different operations, we should also assign different permissions. When assigning permissions, it should be controlled within the operation’s minimum range to reduce the website server’s damage.
According to the server’s characteristics, the security measures are flexibly used to develop the network, and high-end languages, databases, and scripting languages are required. While ensuring the network server’s security, the scripting language version used should be updated in time to avoid loopholes. Secondly, the parameters should be adopted to distinguish the differences. Generally, a network server is set up on the intranet, and a firewall needs to be set up. The firewall can be set on the top of the router to improve the safety factor.
The NIST 800-123 General Server Security Guide describes how to plan for security between a server and an application, and provides appropriate safeguards to protect the server operating system and server software. I think the company should follow the following safeguards control measures:
– Regularly update patches and operating systems.
– Remove unnecessary services, applications, and network protocols. In addition, hackers can exploit these vulnerabilities and gain access to the network.
– Set up user authentication: delete or disable default user account, disable inactive user account, and create user group.
– Establish password policies, including password length, complexity, duration, minimum and maximum usage.
Hi Wenyao,
At times the basic steps happen to be the Achilles tendon when it comes to matters security in a given host environment. As the guideline suggests, security professionals need to ensure that all server defaults are changed and documentations instances removed from the production system. Given access, attackers can easily use them to perpetrate an attack and compromise the network systems.
Hi Wenyao, I agree with you views, especially about Operating systems in servers require timely maintenance including patching vulnerabilities and updating the operating systems that fix security bugs and vulnerabilities. Any known vulnerabilities an OS has should be corrected before using it to host a server or otherwise exposing it to untrusted users. Administrators should make sure that the servers, particularly new ones, are adequately protected during the patching process. hardening of OS is critical for successful information security.
The server security planning is highly related to the organization’s general information system security posture, IT and system security staff will play different role in the server planning, implementation, and administration. The Chief Information Officer provides direction and advisory services for the protection of information systems for the entire organization and ensures that the organization’s security posture is adequate. The Information Systems Security Program Managers (ISSPM) oversee the implementation of and compliance with the standards, rules, and regulations specified in the organization’s security policy. Information Systems Security Officers (ISSO) will monitoring all aspects of information security within a specific organizational entity. They ensure that the organization’s information security practices comply with organizational and departmental policies, standards, and procedures. Server administrators are system architects responsible for the overall design, implementation, and maintenance of a server. Network administrators are responsible for the overall design, implementation, and maintenance of a network. Security administrators are dedicated to performing information security functions for servers and other hosts, as well as networks.
Hi Xinyi,
This guideline offers clear definitions of what needs to be done to achieve an acceptable level of security for a server/host environment. As you mentioned, clearly defined roles is a major step in ensuring optimum security as everyone involved needs to know and understand what is required of them in terms of securing the host.
Hi Xinyi,
I like that many of the server security issues you’re talking about are due to poor planning and poor management control. Sometimes the servers we see shouldn’t even exist, because they’re copies of something else. Some people will start their own servers to do something, instead of using the company’s servers and so on, rather than queuing. This kind of behavior must be squeezed out of the organization, and policy/management control can do it.
This is a good article, a good summary of the server configuration and security. I particularly like section 4 and the information provided to protect the operating system. We also mentioned patching, configuring strong authentication, and host enhancement. I’m glad to see that we’ve learned and read so much about applications in this guide. My main harvest is so much real start and policy. Whether it is a password policy or a set of rules designed to continuously test and maintain the security of the server and its environment, these rules need to be implemented and followed to ensure that the secure operating system always hosts the server. Second, all of this must be an ongoing effort to constantly review, test, and respond to new threats as they evolve. We have heard that many vulnerabilities are due to weak passwords or untimely / lack of security fixes, both of which are directly related to the security of the operating system.
Section 6 of this article talks about maintaining the security of the server. After deploying a server, administrations need to maintain its security continuously. The general recommendations for securely administering servers is handling and analyzing log files, performing regular server backups, recovering from server compromises, testing server security regularly, and performing remote administration securely. One of the methods I would like to mention is logging. Logging involves capturing the correct data and then monitoring the logs. Logs can be used to detect failed and successful intrusion attempts and to initiate alerts when further investigation is required. Organizations should use a tool to actively monitor logs to identify and alert on security issues. This article mentions about SIEM software that can be used for centralized logging which can perform automated log file analysis as well. Another important point is to backup and archive the log files regularly.
Hi Priyanka, I agree with your point. Maintaining server security is very important. The system administrator should run server backups regularly and apply patches promptly to prevent any vulnerabilities.
The one key point I want to discuss is the importance of patching and upgrading the operating system. When Microsoft releases a new patch, it means that Microsoft has identified some vulnerabilities that need to be fixed on individual systems. Administrators should ensure that their operating system is up to date. If not, the servers are inadequately protected for carrying out daily activities securely, and hackers will take advantage of this to attack their systems. Although we understand that it is important to keep our systems patched and upgraded on a timely basis, many organizations often ignore this essential action. In particular, one of our case studies, Maersk, kept using the discontinued and unsupported Windows 2000 Server, and it was then attacked by the NotPetya ransomware. In order to secure the operating system, organizations should make sure their systems are fully patched and configured securely so that they mitigate the risk as much as possible.
Hi Cami, I agree with you that Microsoft releases patches in order to repair vulnerabilities within the system. System vulnerabilities refer to flaws or errors in the logic design of application software or operating system software, which are used by criminals to attack or control the entire computer by implanting Trojan horses or viruses over the network to steal important data and information from your computer, or even destroy your system. These vulnerabilities need to be fixed to prevent unnecessary losses.
I think an important factor in assessing server security is to properly test out the system to make sure it actually works. An organization could put together an expensive server that would protect the company in theory, but if they don't test it out, it could potentially not work and cost the organization greatly. A key part of penetration testing is to test human response to attack indications. Humans are often the greatest variable to overcome, so this is a very important step. Other benefits of penetration testing include using tools and methods commonly used by attackers, verifying whether vulnerabilities are present and how they could be exploited, and demonstrating that a threat isn't theoretical.
The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function. The types of servers include outward-facing publicly accessible servers, such as web and email services, and a wide range of inward-facing servers. This document discusses the need to secure servers and provides recommendations for selecting, implementing, and maintaining the necessary security controls.
The key takeaway from this document is the basic server security steps:
1. Plan the installation and deployment of the operating system (OS) and other components for the server.
2. Install, configure, and secure the underlying OS.
3. Install, configure, and secure the server software.
4. For servers that host content, such as Web servers (Web pages), database servers (databases), and directory servers (directories), ensure that the content is properly secured
5. Employ appropriate network protection mechanisms
6. Employ secure administration and maintenance processes
These steps and practices are designed to assist organizations in installing, configuring, and maintaining secure servers and help mitigate the risks associated with servers.
When an organization deploys a server, there should be a standard process to secure it from threat actors before exposing it externally to the network and placing it in public access. Prior to deployment, the implementation team should know what version of software is being deployed on the server. With this knowledge, the team can research whether there are any known vulnerabilities by using a vulnerability database such as the National Vulnerability Database, and whether there are ways to mitigate or resolve the vulnerability. Additionally, there are common hardening strategies that need to occur as well. One practice is to disable all services that are not required by the server application. For example, if it is a web server, only have ports 80 and 443 open. Another practice is to remove or disable unneeded default user accounts and change default credentials. There are many more, but all are important in reducing the attack surface.
Hi, Anthony. Yes, you are right. You pointed out several significant factors in how an organization deploys its server. These essentials will help the organization mitigate some serious risks. When it finishes deploying the server, it should keep tracking and monitoring that the system version is updated and patched, so it can reduce the vulnerabilities that occur.
The bulleted items in NIST SP 800-123 are guidelines all organizations must follow toward hardening their servers. I also recommend everyone do the same with their home computer. Removing unnecessary software from the system will help reduce the amount of resources being used. Those resources could then be used to run the software or application that the system is intended for without any issue with competing resources. Everyone should update and maintain their OS patches to make sure they are protected against the latest threats. Logging should also be enabled in case there is any need to investigate the events on the system.
Hi Johnathan, I agree with your takeaways; removing unnecessary software and applying patches are ways we can harden our systems. Removing unnecessary installed programs can help your PCs save storage and also cut down on processing power. A big root cause of many attacks we've learned about is lack of patching. To adequately protect our systems from known and undisclosed threats, manufacturer updates and patching are simple steps we can take to protect our systems.
I learned that hardening for this Special Publication is defined as performing the following steps: removing unnecessary services, applications and network protocols, configuring OS user authentication, and configuring the resource controls appropriately. In specific high-security situations, the OS should be configured to operate as a bastion host, where the host is configured with the least functionality possible.
Hi Heather,
I agree with your assessment, especially with removing unnecessary services. Oftentimes, services run in the background that are not conducive to the operation of the server and could slow it down, or worse, open the server to vulnerabilities that could be exploited maliciously.
I learned that a well-hardened system depends on many technological factors, good management, and also good system security planning. Having a system security plan helps improve the protection of the information system's resources. Plans that adequately protect information assets involve top-level management, such as the managers and information owners. They are the users that will face the most implications and setbacks if the system is compromised.
The system security plan should have a combination of system identification and controls in place intended to meet the protection requirements of the information system. The system identification requires that the plan contain “key points of contact for the system, the purpose of the system, the sensitivity level of the system, and the environment in which the system is deployed, including the network environment, the system’s placement on the network, and the system’s relationships with other systems”. The plan should have control measures in place or planned that can meet the protection requirements of the information system. That includes operational controls, management controls, and technical controls.
This reading outlines the importance of patch management on servers and best practices for overall machine and operating system hardening. It makes note of testing all patches before installing them on production servers, as they can inadvertently cause unexpected problems with the server or any legacy software running on it. It goes into ideas such as removing or disabling unnecessary services and applications. Services are often used by attackers as a form of persistence, and special care should be taken to ensure they are hardened or removed if not being used. Removing unused services also reduces the amount of logs generated on the machine. It is also important to make sure that services are not running with an elevated or superuser account unless absolutely necessary. This is very important to take note of, because if a vulnerable service is exploited, the attacker will not immediately have administrative privileges on the machine.
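The earlier post about opening only ports 80 and 443 and removing default accounts, and this one about services that should not run as root, both describe checks an administrator can script. The following is an added example (not code from either post or from NIST SP 800-123) of a small post-deployment audit: it parses constructed `ss -tlnp`-style, `ps`-style, `/etc/passwd` and `/etc/shadow` text and reports network-exposed ports outside an allowlist, listening services whose process runs as root without being expected to, and accounts that have UID 0 or a login shell with an empty password. All sample output, process names and the allowlists are assumptions for the example; on a real host the strings would come from running those commands.

```python
import re

# Constructed sample outputs (not captured from a real host).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=1201,fd=7))
LISTEN 0      32     0.0.0.0:21        0.0.0.0:*         users:(("vsftpd",pid=950,fd=3))
LISTEN 0      128    [::]:111          [::]:*            users:(("rpcbind",pid=600,fd=4))
LISTEN 0      151    127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=1300,fd=21))
"""

PS_OUTPUT = """\
USER PID COMMAND
root 812 sshd
root 1201 nginx
www-data 1202 nginx
root 950 vsftpd
_rpc 600 rpcbind
root 1300 mysqld
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
games:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
admin:$6$salt$hash:19700:0:99999:7:::
test::19700:0:99999:7:::
toor:$6$salt$hash:19700:0:99999:7:::
"""

PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')   # pulls name and pid out of ss's users:(...) column
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_text):
    """One dict per LISTEN line: port, bound address, process name and pid."""
    listeners = []
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # handles both 0.0.0.0:22 and [::]:111
        m = PROC_RE.search(fields[5])
        listeners.append({"port": int(port), "addr": addr,
                          "proc": m.group(1) if m else "?",
                          "pid": int(m.group(2)) if m else None})
    return listeners


def parse_ps(ps_text):
    """Map pid -> owning user from 'ps -eo user,pid,comm' style output."""
    return {int(pid): user for user, pid, _ in
            (line.split(None, 2) for line in ps_text.splitlines()[1:])}


def audit_ports(listeners, allowed_ports):
    """Flag network-reachable listeners that are not on the allowlist; loopback-only is skipped."""
    return [f"port {l['port']} ({l['proc']}) listening on {l['addr']} is not in the allowlist"
            for l in listeners
            if not l["addr"].startswith(LOOPBACK_PREFIXES) and l["port"] not in allowed_ports]


def audit_root_listeners(listeners, pid_users, root_ok):
    """Flag services that accept connections while running as root, unless explicitly expected."""
    return [f"{l['proc']} (pid {l['pid']}) accepts network connections as root"
            for l in listeners
            if pid_users.get(l["pid"]) == "root" and l["proc"] not in root_ok]


def audit_accounts(passwd_text, shadow_text):
    """Flag extra UID-0 accounts and login-capable accounts with an empty password field."""
    hashes = {ln.split(":")[0]: ln.split(":")[1] for ln in shadow_text.splitlines()}
    findings = []
    for ln in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = ln.split(":")
        login_shell = not shell.endswith(("nologin", "false"))
        if uid == "0" and name != "root":
            findings.append(f"account {name} has UID 0")
        if login_shell and hashes.get(name, "") == "":   # '*' or '!' mean locked, '' means none
            findings.append(f"account {name} has a login shell and an empty password")
    return findings


def run_audit(allowed_ports=frozenset({22, 80, 443}), root_ok=frozenset({"sshd", "nginx"})):
    listeners = parse_listeners(SS_OUTPUT)
    return (audit_ports(listeners, allowed_ports)
            + audit_root_listeners(listeners, parse_ps(PS_OUTPUT), root_ok)
            + audit_accounts(PASSWD, SHADOW))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Against the constructed data it reports six findings: FTP (21) and rpcbind (111) exposed outside the allowlist, vsftpd and mysqld listening as root, the extra UID-0 account `toor`, and the password-less `test` account. The loopback-only MySQL port is deliberately not reported as exposed, since the point of the port check is what an attacker on the network can reach; whether it should run as root is a separate finding.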
Hi Anthony,
I think the best way for organizations to perform patch management is to automate it, as this provides significant time savings; patch management can be time consuming, and there is always a risk of some systems being patched while others are left out. It is effective to schedule scans on a daily or weekly basis to analyze the environment and deploy all critical patches. Another important point is to test the patches before deploying them, as not testing can cause problems if they are not applied properly.
The most important function of a Server Administrator is to maintain the integrity of the data on the server. To protect the availability of data on the server, regular backups need to be performed to ensure the data is saved. There are multiple methods of backing up data. A full backup is the simplest form of backup, which contains all of the folders and files that you selected to be backed up. A full backup is also the easiest type of backup to restore, because it only requires a single backup file set to be restored. Incremental backups allow for substantial storage space savings, as they only back up files that have been created or changed since the last full or incremental backup. Incremental backups are also faster, thus requiring a shorter backup window. Differential backups fall somewhere in between full and incremental backups. A differential backup means you essentially have a cumulative backup of all changes made since the last full backup. This means that differential backups are larger in size than incremental backups, because they are more like a rolled-up version of all of the incremental backups done since the last full backup.
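To make the storage-versus-restore trade-off concrete, here is an added worked example (not from the post) that simulates four daily snapshots of a small file set and plans full, incremental and differential backups over them, then restores the final day from each plan. It counts file entries as a stand-in for storage used. The file names, versions and the deletion on day 3 are constructed; the deletion is included because a changed-files-only backup that forgets to record deletions will silently resurrect removed files on restore, which is a common real-world surprise.

```python
# Constructed daily states: file name -> content version. Day 0 is the baseline full backup.
DAYS = [
    {"a": 1, "b": 1, "c": 1},             # day 0
    {"a": 2, "b": 1, "c": 1},             # day 1: a modified
    {"a": 2, "b": 2, "c": 1, "d": 1},     # day 2: b modified, d created
    {"a": 3, "b": 2, "d": 1},             # day 3: a modified, c deleted
]


def delta(current, baseline):
    """Files new or modified relative to baseline, plus the names that disappeared."""
    files = {n: v for n, v in current.items() if baseline.get(n) != v}
    deleted = set(baseline) - set(current)
    return files, deleted


def plan_backups(days, strategy):
    """Return the backup sets produced by the strategy; sets[0] is always a full backup."""
    sets = [{"kind": "full", "files": dict(days[0]), "deleted": set()}]
    full_state = days[0]          # differential compares against this
    prev_state = days[0]          # incremental compares against this, advancing each run
    for state in days[1:]:
        if strategy == "full":
            sets.append({"kind": "full", "files": dict(state), "deleted": set()})
        elif strategy == "incremental":
            files, deleted = delta(state, prev_state)
            sets.append({"kind": "incremental", "files": files, "deleted": deleted})
            prev_state = state
        elif strategy == "differential":
            files, deleted = delta(state, full_state)
            sets.append({"kind": "differential", "files": files, "deleted": deleted})
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def storage_cost(sets):
    """Number of file entries written across all sets (proxy for space and backup window)."""
    return sum(len(s["files"]) for s in sets)


def restore(sets, upto):
    """Rebuild the state captured by sets[upto]; also return which set indices were needed."""
    last_full = max(i for i in range(upto + 1) if sets[i]["kind"] == "full")
    state = dict(sets[last_full]["files"])
    needed = [last_full]
    if sets[upto]["kind"] == "incremental":
        chain = range(last_full + 1, upto + 1)      # every incremental since the full
    elif sets[upto]["kind"] == "differential":
        chain = [upto]                              # only the latest differential
    else:
        chain = []
    for i in chain:
        state.update(sets[i]["files"])
        for name in sets[i]["deleted"]:             # without this step, 'c' comes back from the dead
            state.pop(name, None)
        needed.append(i)
    return state, needed


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        sets = plan_backups(DAYS, strategy)
        restored, used = restore(sets, 3)
        print(f"{strategy:<12} stored={storage_cost(sets):>2} entries, "
              f"restore of day 3 needs sets {used}, correct={restored == DAYS[3]}")
```

With the constructed data the full strategy stores 13 entries and restores from one set, incremental stores 7 but needs all four sets in order, and differential stores 10 and needs just the full plus the last differential, which is exactly the middle ground the post describes.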
The one thing that I learned in this document is the steps for recovering from a security compromise. A server administrator should follow the organization's policies and procedures for incident handling, and the incident response team should be contacted for guidance before the organization takes any action after a suspected or confirmed security compromise. The first step is to report the incident to the organization's computer incident response capability. Second, isolate the compromised systems or take other steps to contain the attack so that additional information can be collected. The third step is to consult expeditiously, as appropriate, with management, legal counsel, and law enforcement. The fourth step is to investigate similar hosts to determine if the attacker has also compromised other systems. Finally, analyze the intrusion, including the current state of the server (starting with the most ephemeral data), modifications made to the server's software and configuration, modifications made to the data, tools or data left behind by the attacker, and system intrusion detection and firewall log files.
This too caught my eye. As always, anyone in Risk is looking for the best method to recover from a security breach. I always find it interesting that the PR group isn't ever directly mentioned in these scenarios, but every company I have worked at has Public Relations on speed dial to see how they can spin the situation so it's less damaging to the company. Honestly, Legal and PR are the first two numbers on the contact list.
Operating systems on servers require timely maintenance, including patching vulnerabilities and applying operating system updates that fix security bugs. Any known vulnerabilities an OS has should be corrected before using it to host a server or otherwise exposing it to untrusted users. Administrators should make sure that servers, particularly new ones, are adequately protected during the patching process. Hardening of the OS is critical for successful information security.
Hi Price,
I agree with your takeaways. Patching does require a lot of time and resources due to the extensive testing and the sheer amount of patches being released. Because of this, organizations must prioritize which patches are the most important for mitigating risk. With that being said, even smaller patches should eventually be applied to ensure the best security.
I found the section on server, Network and Security Administrators important as these are the people that we provide the keys to the machine with. They are able to do more than almost anyone, they can review anything and provide access to anyone. These positions are the first line of defense before the attack even tries to touch the actual system. They place policies, create guidelines and help employees understand why they do the things they do and how it benefits the company as a whole. In addition, they analyze threats that come in and use that information to devise better defenses versus future attacks.
NIST 800-123 highlights key points to consider when securing servers. Like many of these publications, NIST 800-123 establishes the basic need of having a Security Policy in place prior to beginning this process. It is important to conduct the following steps with the company vision and mission in mind to maintain the context in place. Each section covers an area of these basic steps:
Section 4 describes the installation, configuration and security of the Operating System.
Section 5 covers the same but at the server software level. It also goes over different types of servers and what is in the scope of the guideline.
Section 6 describes the recommended administration and maintenance processes such as patches, upgrades, monitoring etc.
Hi, Vanessa, I agree with your key points on this document. This document discusses the need to secure servers and provides recommendations for selecting, implementing, and maintaining the necessary security controls. It also introduces six basic server security steps to assist organizations in installing, configuring, and maintaining secure servers and to help mitigate the risks associated with servers.
Web requests and responses are based on HTTP, which is a stateless protocol. So in order to preserve a user's state across multiple requests, we need a tool that helps us record and identify each request and the other information requested. So, we need session management! The basic methods of session management include hidden fields, cookies, and URL rewriting. The latter two are used more frequently. Clients need a session ID to identify themselves, just like the ID number each of us has. On the first request from the client, the container generates a unique session ID and returns it to the user accordingly. The client sends back the session ID in subsequent requests. When the container sees the ID, it finds the matching session and associates that session with the request. The way to store session IDs is through cookies! A cookie is stored on the client, having been sent to the client by the server in a response. On each later request, the cookie is added to the request. The session exists on the server and stores its information in an HttpSession object as attributes. When needed, you simply read the appropriate attribute from the HttpSession object.
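As an added example of the container behaviour described above (this is illustrative code, not from the post and not a servlet container's HttpSession implementation), the following is a minimal server-side session store in Python: the first request gets a freshly generated, unguessable session ID returned in a Set-Cookie header; later requests present it in the Cookie header and are matched to their stored attributes; an unknown or expired ID simply starts a new empty session. It goes slightly beyond the post by adding the two checks a practitioner would want, an idle timeout and regeneration of the ID at login so that an attacker cannot fix a victim's session ID in advance. The cookie name `SID`, the 30-minute timeout, the cookie flags and the injectable clock are assumptions made for the example.

```python
import secrets
import time

SESSION_COOKIE = "SID"   # assumed cookie name for the example


class SessionStore:
    """Server-side sessions keyed by a random ID; attributes never leave the server."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock               # injectable so expiry can be tested without sleeping
        self._sessions = {}              # session id -> {"attrs": {...}, "expires": float}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not a counter or timestamp
        self._sessions[sid] = {"attrs": {}, "expires": self.clock() + self.ttl}
        return sid

    def get(self, sid):
        """Return the attribute dict for a live session, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["expires"] <= self.clock():
            del self._sessions[sid]      # idle sessions are dropped, not kept forever
            return None
        s["expires"] = self.clock() + self.ttl   # sliding idle timeout
        return s["attrs"]

    def regenerate(self, sid):
        """Move the attributes to a new ID (call at login to defeat session fixation)."""
        attrs = self.get(sid)
        if attrs is None:
            return None
        del self._sessions[sid]
        new_sid = self.create()
        self._sessions[new_sid]["attrs"] = attrs
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def parse_cookie_header(header):
    """Split 'a=1; b=2' into a dict; malformed fragments are ignored."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def set_cookie_header(sid):
    # HttpOnly keeps scripts from reading it, Secure keeps it off plain HTTP,
    # SameSite=Lax stops most cross-site request forgery from carrying it.
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_request(store, request_headers):
    """What the container does per request: find the session for the cookie or start one."""
    presented = parse_cookie_header(request_headers.get("Cookie")).get(SESSION_COOKIE)
    attrs = store.get(presented) if presented else None
    response_headers = {}
    if attrs is None:                    # no cookie, unknown ID, or expired session
        sid = store.create()
        attrs = store.get(sid)
        response_headers["Set-Cookie"] = set_cookie_header(sid)
    else:
        sid = presented
    return sid, attrs, response_headers


if __name__ == "__main__":
    store = SessionStore()
    sid, attrs, headers = handle_request(store, {})            # first request: new session
    print("Set-Cookie:", headers["Set-Cookie"])
    attrs["cart"] = ["item-42"]                                  # server-side attribute
    sid2, attrs2, headers2 = handle_request(store, {"Cookie": f"{SESSION_COOKIE}={sid}"})
    print("same session:", sid2 == sid, "cart:", attrs2["cart"], "new cookie:", "Set-Cookie" in headers2)
    logged_in = store.regenerate(sid)                            # at login: old ID stops working
    print("old id valid:", store.get(sid) is not None, "new id carries cart:", store.get(logged_in)["cart"])
```

The two behaviours worth noticing are that a forged or guessed ID that is not in the store never yields someone else's attributes (it just gets a fresh empty session and a new cookie), and that after `regenerate` the pre-login ID is dead, so a cookie planted by an attacker before the victim logged in is useless afterwards.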