Kelly Sharadin says
Servers are a critical I.T. asset for organizations as they store a wealth of sensitive information, making them prime targets for attackers. NIST SP 800-123 helps organizations understand server threats and provides businesses guidance on ensuring servers maintain a security baseline. One of NIST’s key server hardening recommendations is configuring appropriate OS User Authentication. The number of organizations that neglect to disable unneeded default accounts such as guest accounts is staggering. Additionally, system administrators need to practice secure installation of server software for example removing publicly exposed server documentation. Attackers will look for these documents to fingerprint the system (ex. robot.txt, php.info, index.html) and then will try default accounts associated with that particular server to gain entry. Given the prevalence of these low-level attacks, I would agree with the recommendations provided by NIST because implementing simple actions like securely installing the server software and removing default accounts can increase an organization’s defensive posture.
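The post's two concrete hardening items, unneeded default accounts and fingerprintable default files in the web root, can be checked with a short audit. The script below is an added example, not from the discussion or from NIST SP 800-123; the passwd/shadow layout, the allow-list of expected login names, and the sample data it builds are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit helpers for two NIST SP 800-123 hardening items.
# Point the functions at the real /etc/passwd, /etc/shadow and web root on a host;
# the sample data at the bottom is constructed for an offline demonstration.

# Print accounts that have an interactive login shell but are not on the
# allow-list. $1 = passwd-format file, $2 = space-separated expected logins.
find_unexpected_login_accounts() {
  passwd_file=$1
  allowed=" $2 "
  awk -F: '$7 !~ /(nologin|false)$/ {print $1}' "$passwd_file" |
  while read -r user; do
    case "$allowed" in
      *" $user "*) ;;          # expected administrative/service login
      *) echo "$user" ;;       # e.g. a leftover guest account
    esac
  done
}

# Print accounts whose shadow entry has an empty password field (field 2),
# i.e. accounts that can log in without any password. $1 = shadow-format file.
find_empty_password_accounts() {
  awk -F: '$2 == "" {print $1}' "$1"
}

# Print files under the web root that fingerprint the server: phpinfo() dumps
# (any of the usual names) and distribution default index pages, recognised
# by the "Default Page" / "Test Page" titles Debian and CentOS ship.
# $1 = web root directory.
find_exposed_docs() {
  webroot=$1
  find "$webroot" -type f \( -iname 'phpinfo.php' -o -iname 'php.info' -o -iname 'info.php' \)
  find "$webroot" -type f -iname 'index.html' -exec grep -lE 'Default Page|Test Page' {} \;
  return 0
}

# Build a constructed sample host layout in a temp dir and print its path.
make_sample_data() {
  d=$(mktemp -d)
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/sh
EOF
  cat > "$d/shadow" <<'EOF'
root:$6$CONSTRUCTED_PLACEHOLDER_HASH:19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
  mkdir -p "$d/www/app"
  printf '<html><title>Apache2 Debian Default Page</title></html>\n' > "$d/www/index.html"
  printf '<?php phpinfo(); ?>\n' > "$d/www/phpinfo.php"
  printf '<html><title>Order portal</title></html>\n' > "$d/www/app/index.html"
  echo "$d"
}

# Demo run on the constructed data.
sample=$(make_sample_data)
echo "Interactive accounts not on the allow-list (expected: guest):"
find_unexpected_login_accounts "$sample/passwd" "root deploy"
echo "Accounts with an empty password (expected: guest):"
find_empty_password_accounts "$sample/shadow"
echo "Fingerprintable files in the web root (expected: phpinfo.php, default index.html):"
find_exposed_docs "$sample/www"
rm -rf "$sample"
```

On a real host the three findings map directly to the remediation the post describes: disable or remove the account, set or lock its password, and delete the default page or phpinfo file.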
kofi bonsu says
Hello Kelly,
This guideline offers clearer answers on what needs to be done to achieve an acceptable level of security for a server/host environment. As explained, clearly defined roles are a major key in ensuring optimum security, as everyone involved needs to know and understand what is required of them in terms of hardening the host on the system.
Patrick Jurgelewicz says
Providing routine maintenance on a server is crucial to keeping it hardened and secure. To achieve this, organizations need to implement regular planning and management controls, as a lack of either tends to be the main weakness in server security. In both deployment and maintenance, organizations often forget the human resource aspects required, such as types of personnel required, skills and training required, and individual and collective requirements. Next, organizations need to ensure that both the server operating system and server application are configured and managed to meet the security requirements of the organization. These guidelines, along with many others detailed in this document, can help organizations commit to continued maintenance and security of servers.
zijian ou says
Excellent point. The NIST SP 800-123 Guide to General Server Security contains NIST recommendations on securing your servers. It offers general advice and guidelines on how you should approach this mission. Regulations such as HIPAA, HITRUST, CMMC, and others rely on those recommendations, demanding that organizations enforce and comply with the guide.
zijian ou says
Many security issues can be avoided if the underlying operating system of the server is configured correctly. Each organization needs to configure its servers according to its security requirements. The techniques used to protect different types of operating systems can vary widely. NIST publishes generic procedures related to most operating systems. After planning and installing an operating system, NIST provides three issues to address when configuring a server operating system:
1. Remove or disable unnecessary services, applications, and network protocols.
2. Configure OS and user authentication.
3. Configure resource control appropriately.
Madalyn Stiverson says
The reading outlines three requirements that influence the contents to a server data backup policy. This includes legal, mission, and organizational requirements.
Laws, regulations, and litigation will influence legal requirements. Contractual, accepted practices, and the criticality of data to organizations can influence the mission requirements. Finally, organizational guidelines can also influence the backup policy.
The backup policy should go over the purpose, affected parties, covered servers, and backup frequency for the policy. It should also define key terms and legal requirements.
Victoria Zak says
In order to secure a server operating system, many security issues can be avoided by patching and updating the OS, hardening and configuring the OS to address security adequately, installing and configuring additional security controls if applicable, and testing the security of the OS to ensure the previous steps adequately addressed all security issues.
Additionally, the article mentions several server security principles to keep in mind, such as simplicity, fail safe (if something fails, the system should be secure), complete mediation (firewalls, content filters), open design, separation of privilege (roles should be separate, such as a system administrator vs. a database administrator), least privilege, least common mechanism (a single process implemented without granting the same function to other parts of the system), defense in depth, work factor, compromise recording (recordings and at least 3 years of logs should be kept), and psychological acceptability.
Kelly Sharadin says
Hi Victoria,
Great call out that server security requires a host of best practices in addition to ensuring secure installation of the operating system's software. In particular, I would emphasize the importance of enabling logs and properly storing logs. Logs not only assist with post-breach investigations, but they can also help security professionals detect pre-attack activities and hopefully reduce the impact of a successful attack.
Kelly
Dhaval Patel says
One key point I took from this document is that security should be taken into consideration at the beginning of every project; this is usually installation and deployment (section 3.1 of the document). When you are identifying the purpose of the servers, what items will be stored on the servers, and where they will be located, you are maximizing security and minimizing cost. Having worked with many system administrators, I have learned it is crucial to understand what can be deployed at the beginning and what can be deployed later on. This saves time and money and allows you to plan the security requirements for all of the servers and services involved.
kofi bonsu says
I found the article so interesting in that security practices always begin with management and the policies they come up with. I certainly believe that it's absolutely essential that roles and responsibilities for server security are clearly formulated elsewhere in the policies pack. Hence, there must also be policies and procedures established to enable proper and realistic change management, risk assessment, BC/DR planning, and training to be undertaken.
One of the difficulties in those determinations is accountability, and how to account for it becomes a bigger challenge at all times. On the face of it, policies are nice, but if they are not implemented and no one is held responsible and accountable for them, then they do not appear to have a better outlook in their quest to solve problems. In that regard, it's up to management to decide who monitors compliance with policies and what the penalty for non-compliance i
Andrew Nguyen says
One of the takeaways from this reading for me was that organizations should carefully plan and address the security aspects of the deployment of the server, because it is much more difficult to address security once deployment and implementation have occurred.
It seems obvious and simple that security should be carefully considered from the initial planning stage, but this takeaway made me think of the possibilities that could happen if an organization did not follow this guideline.
From a business perspective, security is usually low on the list of priorities, and it’s possible that organizations may push the deployment of a server “just to get it out there” and then add the security later. However, this risks compromising the server (and possibly other things) if this were to occur.
Another point the reading made was that organizations tend to underestimate the manpower needed to support server deployment and maintenance, which could lead to other issues.
Like all things, planning is a necessary and important step.
Antonio Cozza says
Some of the basic server security principles include the following concepts. First, simplicity is key when designing systems as complexity can unnecessarily create security holes. Systems should also be able to fail safe, meaning that if an issue occurs, the security controls will still have value despite the system losing functionality over security. Another concept is that of open design, where security is not reflected by the secrecy of the system design, as this is a form of security through obscurity which is quite ineffective. It is also important to consider the Work Factor, or the amount of work it would take for a threat actor to compromise the security of a system compared to the value realized in doing so.
Dan Xu says
Hi Antonio,
I agree with you that the system needs to be fail-safe. A system can ensure that its security controls remain valuable in the event of a problem. On the other hand, maintain secure configuration, security testing, log monitoring, and backup of data and operating system files by applying appropriate patches and upgrades.
Olayinka Lucas says
Regardless of security policy goals, we cannot wholly ignore the three cardinal essential security requirements, i.e., confidentiality, integrity, and availability, which all depend on one another. For example, confidentiality is needed to protect passwords.
Dan Xu says
Proper management practices are critical to operating and maintaining a secure server. To ensure a secure server and supporting network infrastructure, organizations should implement appropriate security management practices and controls when maintaining and operating secure servers. For risk assessment and management, use a standardized software configuration that satisfies the information system security policy. Also conduct safety awareness training. Prepare contingency plans, operational continuity plans, and disaster recovery plans in advance to prepare for disasters.
Michael Jordan says
Dan,
I thought it was smart that you mentioned contingency plans and continuity/recovery after disaster. With today's increasing cybercrime and financial loss per incident, it is more likely than ever that a breach will happen, and having proper contingency plans in place may reduce the financial loss in comparison to a breach with poor response.
-Mike
Michael Jordan says
One main point that I took from NIST SP 800-123 is that the operating system on a server must be installed and configured correctly, or else even a server with correctly installed and configured server software will still be insecure. For example, an Apache web server that is correctly installed and configured on top of a CentOS operating system that is not properly hardened could still be exposed to vulnerabilities that could grant attackers access to the server. This could grant attackers access to the traffic directed to the web server, the content that it hosts, elevation of privilege within the network, and access to other systems within the network (or even outside of it).
Lauren Deinhardt says
Hi Mike, thanks for the post. I completely agree. An information system/server can have every top-tier control out there; but if it is not properly managed, it is nowhere near useful. This is why system administrators need to effectively update and manage servers.
Vraj Patel says
The purpose of the NIST SP 800-123 is to provide an organization with an understanding of the security of the server and how to implement those security controls.
The NIST SP 800-123 includes different sections on securing the server, including Server Security Planning, Securing the Server Operating System, Securing the Server Software, and Maintaining the Security of the Server. This document addresses common servers, including Unix, Linux, and Windows. This document also includes the high-level steps that could be taken to secure the servers, security planning of the server, an overview of securing the server's operating system, how to securely install and configure the server software, and recommendations on maintaining the security of the server.
Lauren Deinhardt says
Some key points in this reading pertaining to server hardening include the following: install the minimum amount of services required on a server in order to minimize the attack surface as much as possible. In addition, servers should be constantly patched and upgraded to remove as many vulnerabilities as possible. Any unnecessary scripts/programs installed by the server installation program should be removed as soon as possible. Server access and authentication controls should also be configured, in addition to server resource controls.
Olayinka Lucas says
Server security focuses on protecting data and resources held on the servers. It comprises tools and techniques that help prevent intrusions, hacking, and other malicious actions. Server security measures vary and are typically implemented in layers.
Server Security Best Practices include the following:
1. Regular upgrades to the software and the operating system
2. Computer to File Backups
3. Access Limitations to files
4. SSL Certificate installation
5. Using Virtual Private Networks (Private Networking)
6. Server Password Security
7. Firewall Protection.
Windows Server Security is the process whereby layers of protection are built into the Windows operating system to protect against breaches, block malicious attacks, and enhance the security of your virtual machines, applications, and data.