Make the most of your Penetration Test
Perspective Risk’s Penetration Tester Tom Sherwood shows you how to make the most of your pen testing by taking care of some security basics yourself. Your testers’ time will be used to better effect and you’ll gain more from your investment.
Here we look at 5 ways you can carry out simple hardening of your servers.
1. Keep Your Servers’ Operating Systems Updated
Keeping your servers’ operating systems up to date is probably the single most important step you can take to secure them. New vulnerabilities are identified and disclosed almost daily, and many of them allow remote code execution or local privilege escalation. Apply security updates on a regular schedule, and expedite patches the vendor rates as critical rather than waiting for the next cycle.
2. Enforce The Use Of Strong Passwords
Enforcing the use of strong passwords across your infrastructure is a valuable control: it makes it harder for an attacker to guess passwords, or to crack captured password hashes, in order to gain unauthorised access to critical systems. Requiring a minimum length of 10 characters with a mixture of upper and lower case letters, numbers and special characters is a good start.
Blocking common password terms such as ‘password’, ‘letmein’ and ‘welcome’ is also advisable. Complexity rules alone are satisfied by passwords such as ‘Password1!’, which remain trivially guessable; a blocklist of common terms catches them.
Supporting a strong password policy with a robust account lockout policy, which locks accounts after a small number of incorrect attempts, can stop password guessing attacks dead in their tracks. Bear in mind that lockout can also be turned against you: an attacker who knows valid usernames can lock out legitimate users by deliberately failing logins, so prefer a timed lockout over one that needs an administrator to clear, and monitor lockout events.
In Windows the password and lockout policies are set under Security Settings > Account Policies in Group Policy. On Linux they are split across several files: password complexity is enforced by a PAM module such as pam_pwquality, referenced from /etc/pam.d/common-password on Debian and Ubuntu (or /etc/pam.d/system-auth and password-auth on Red Hat derivatives), lockout by pam_faillock in the corresponding auth file, while /etc/login.defs controls password ageing and the hash algorithm (ENCRYPT_METHOD) used to store passwords.
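As an added example (not part of the original article), the following shell script audits the Linux side of this section offline: pam_pwquality settings for length, character classes and dictionary words, pam_faillock for lockout, and ENCRYPT_METHOD in /etc/login.defs for the hash algorithm that determines how cheaply captured hashes can be cracked. File paths are passed as parameters so it runs against the constructed sample files it writes itself; the thresholds (10 characters, three character classes, lockout after five failures, SHA512 or yescrypt hashing) are this example's assumptions in the spirit of the article, not a vendor standard.

```shell
#!/usr/bin/env bash
# Added example: audit Linux password, lockout and hash settings offline.
# Thresholds (minlen 10, minclass 3, deny<=5, SHA512/YESCRYPT) are this
# example's assumptions, not a vendor or CIS requirement.

# Value of KEY in a login.defs-style "KEY value" file (last uncommented wins).
defs_value() {  # usage: defs_value FILE KEY
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Value of "key = value" in a pwquality.conf-style file; empty when unset.
pwq_value() {  # usage: pwq_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print one finding per line; print nothing when the policy meets the bar.
audit_password_policy() {  # usage: audit_password_policy LOGIN_DEFS PWQUALITY_CONF PAM_AUTH_FILE
    local defs="$1" pwq="$2" pam="$3" minlen minclass dict deny method

    minlen=$(pwq_value "$pwq" minlen); minlen=${minlen:-8}          # pam_pwquality default is 8
    [ "$minlen" -ge 10 ] || echo "minlen is $minlen; require at least 10 characters"

    minclass=$(pwq_value "$pwq" minclass); minclass=${minclass:-0}  # default: no class requirement
    [ "$minclass" -ge 3 ] || echo "minclass is $minclass; require at least 3 of upper/lower/digit/special"

    dict=$(pwq_value "$pwq" dictcheck); dict=${dict:-1}              # default: dictionary check on
    [ "$dict" != "0" ] || echo "dictcheck is 0; 'password', 'letmein' and friends are accepted"

    # Lockout: pam_faillock must be present with a small deny= count.
    deny=$(grep -E '^[^#]*pam_faillock\.so' "$pam" | grep -oE 'deny=[0-9]+' | head -n 1 | cut -d= -f2)
    if [ -z "$deny" ]; then
        echo "no pam_faillock line in $pam; failed logins never lock the account"
    elif [ "$deny" -gt 5 ]; then
        echo "faillock deny=$deny; lock after 5 or fewer failures"
    fi

    # Hash algorithm for /etc/shadow: weak algorithms make cracking cheap.
    method=$(defs_value "$defs" ENCRYPT_METHOD)
    case "$method" in
        SHA512|YESCRYPT) ;;
        *) echo "ENCRYPT_METHOD is ${method:-unset}; use SHA512 or YESCRYPT" ;;
    esac
}

# Constructed sample configurations (not taken from any real host).
write_samples() {  # usage: write_samples DIR   -> DIR/weak/* and DIR/hard/*
    mkdir -p "$1/weak" "$1/hard"
    printf 'PASS_MAX_DAYS 99999\nENCRYPT_METHOD MD5\n' > "$1/weak/login.defs"
    printf 'minlen = 6\nminclass = 1\ndictcheck = 0\n' > "$1/weak/pwquality.conf"
    printf 'auth required pam_unix.so nullok\n' > "$1/weak/common-auth"
    printf 'PASS_MAX_DAYS 90\nENCRYPT_METHOD SHA512\n' > "$1/hard/login.defs"
    printf 'minlen = 10\nminclass = 3\n' > "$1/hard/pwquality.conf"
    printf 'auth required pam_faillock.so preauth silent deny=5 unlock_time=900\nauth required pam_unix.so\n' > "$1/hard/common-auth"
}

# Run against the samples: five findings for "weak", none for "hard".
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== weak =="; audit_password_policy "$demo_dir/weak/login.defs" "$demo_dir/weak/pwquality.conf" "$demo_dir/weak/common-auth"
echo "== hard =="; audit_password_policy "$demo_dir/hard/login.defs" "$demo_dir/hard/pwquality.conf" "$demo_dir/hard/common-auth"
rm -rf "$demo_dir"
```

To run it against a real host, point the three parameters at /etc/login.defs, /etc/security/pwquality.conf and the PAM auth file for your distribution; absent keys fall back to the module defaults, which is why an empty pwquality.conf is reported rather than silently passing.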
3. Update or Remove Third Party Software
So, you’re updating your servers’ operating systems regularly and expediting critical patches, so all good on the patching front, right? Wrong.
Third party software, i.e. everything which isn’t the operating system, should also be kept up to date to avoid the code execution and privilege escalation vulnerabilities that accumulate in stale software. Key culprits tend to be alternative web browsers such as Mozilla Firefox and Google Chrome as well as other common software e.g. Adobe Reader, Microsoft Office and the .NET Framework.
These software components are often found on servers as they were necessary for initial server setup and configuration. However, many have no place on a production server. Due to the complexity of maintaining third party software, the easiest solution is to remove any software not required for normal server operation. Having done so, all remaining third party software should be updated regularly to ensure it doesn’t become a liability.
Another approach to assist with third party software is to build all servers from a Gold Standard image. This way there is a known software set, and provisioning and patching processes are documented. All builds are consistent and kept up-to-date, with no nasty surprises later.
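As an added example (not part of the original article), the script below does the comparison that a gold image makes possible: it lists the packages a host has that the image manifest does not, which are the removal candidates, and the packages the image has that the host has lost, such as a patching agent someone uninstalled. Both lists are constructed sample data; on a live Debian or Ubuntu host the installed list would come from `dpkg-query -W -f '${Package}\n'` and the manifest from the same command run on the image, neither of which is executed here.

```shell
#!/usr/bin/env bash
# Added example: detect package drift between a host and its gold image.
# The package lists are constructed samples, not taken from any real host.

# Names in FILE2 that do not appear in FILE1 (one name per line, any order;
# blank lines and duplicates ignored). FILENAME is compared rather than the
# usual NR==FNR trick so an empty FILE1 does not swallow FILE2's lines.
names_not_in() {  # usage: names_not_in FILE1 FILE2
    awk 'NF == 0 { next }
         FILENAME == ARGV[1] { seen[$1]; next }
         !($1 in seen) { print $1 }' "$1" "$2" | sort -u
}

# Packages on the host that the gold image does not contain: candidates for
# removal (or for adding to the manifest if they turn out to be required).
unapproved_packages() {  # usage: unapproved_packages MANIFEST INSTALLED
    names_not_in "$1" "$2"
}

# Packages the gold image contains that the host has lost: drift in the other
# direction, e.g. a removed update agent or anti-virus package.
missing_packages() {  # usage: missing_packages MANIFEST INSTALLED
    names_not_in "$2" "$1"
}

# Constructed sample lists: the image has no browser or office suite, the host
# has gained both and lost unattended-upgrades.
write_samples() {  # usage: write_samples DIR
    mkdir -p "$1"
    printf '%s\n' openssh-server nginx curl unattended-upgrades clamav-daemon > "$1/manifest.txt"
    printf '%s\n' openssh-server nginx curl firefox-esr libreoffice-core clamav-daemon > "$1/installed.txt"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Not in gold image (review, then remove):"
unapproved_packages "$demo_dir/manifest.txt" "$demo_dir/installed.txt"
echo "Missing from host (reinstall or investigate):"
missing_packages "$demo_dir/manifest.txt" "$demo_dir/installed.txt"
rm -rf "$demo_dir"
```

Running this from the patching pipeline turns the gold image into an enforceable baseline rather than a one-off build, and the "missing" list is worth alerting on, since a disappearing security agent is a classic sign of tampering.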
4. Leverage Local Protection Mechanisms – Firewalling & Anti-Virus
In addition to estate wide controls such as patching, domain configuration and boundary firewalling, local protection mechanisms are invaluable for providing a defence-in-depth approach.
Proper configuration of a host’s local firewall, with a default-deny inbound policy that permits only the services the host is meant to provide, reduces the risk of unnecessary default services being exposed to the wider network. Even if your patching schedule has slipped a little, it restricts an attacker’s access to key network services. Whilst not to be relied upon on its own, this belt-and-braces approach can make all the difference between compromise and attacker frustration.
Widespread use of local anti-virus, with both the engine and definitions kept up to date, together with perimeter controls such as web proxies and email filtering, helps prevent malicious code being introduced onto your servers. This counters automated threats such as viruses, Trojans and worms and hinders attackers’ attempts to drop and run exploit code.
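As an added example for the firewall point above (not part of the original article), the script below finds the TCP listeners on a host that are reachable from the network, flags those that are not on the host's allowlist, and emits a default-deny nftables input chain for the allowed ports. The listener list is constructed sample data in the layout of `ss -Hltn`; on a live host that command (not run here) would supply it. The allowlist, the loopback rule and the shape of the ruleset are this example's choices.

```shell
#!/usr/bin/env bash
# Added example: exposed-listener check plus a default-deny nftables ruleset.
# The `ss -Hltn`-style listing is constructed sample data.

# Ports with a listener bound to a non-loopback address (reachable from the LAN).
exposed_ports() {  # usage: exposed_ports SS_LISTING
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next   # loopback-only: not exposed
        print port
    }' "$1" | sort -un
}

# Exposed ports that are not on the space-separated allowlist.
unexpected_exposure() {  # usage: unexpected_exposure SS_LISTING "22 80"
    exposed_ports "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] }
        !($1 in ok) { print $1 }'
}

# Default-deny input chain: loopback, reply traffic, ICMP and the allowlist only.
nft_input_ruleset() {  # usage: nft_input_ruleset "22 80"
    local ports
    ports=$(printf '%s' "$1" | sed 's/  */, /g')
    cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    tcp dport { $ports } accept
  }
}
EOF
}

# Constructed listener list: SSH and HTTP are intended, rpcbind (111) and
# LLMNR (5355) are leftovers, MySQL and Redis are loopback-only.
write_sample() {  # usage: write_sample FILE
    cat > "$1" <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 128 *:5355 *:*
EOF
}

demo=$(mktemp -d)
write_sample "$demo/ss.txt"
echo "Exposed but not allowed:"; unexpected_exposure "$demo/ss.txt" "22 80"
echo "Ruleset for the allowlist:"; nft_input_ruleset "22 80"
rm -rf "$demo"
```

The unexpected ports are the ones to disable at source where possible; the generated ruleset is the belt to that pair of braces. Check it with `nft -c -f` before loading, and keep the SSH port in the allowlist or the first `nft -f` will lock you out of a remote host.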
5. Advanced Configuration Hardening
These hardening measures are purposely generic and top level to help the widest audience possible. However, if you really want to harden your servers there’s no substitute for conducting platform specific hardening. Use a comprehensive guide such as the CIS Benchmark document which corresponds to the operating system you’re looking to harden.
Searching for the name of your operating system followed by ‘CIS Benchmark’ should be enough to find the document you need; the benchmarks are published by the Center for Internet Security and are free to download.
For Windows servers, CIS Benchmarks guide you through a variety of hardening changes, centering on Windows Security Policy Settings, User Rights Assignments and Audit and Event Log Policy settings as well as password and lockout policy settings. Linux CIS Benchmarks are available for the most common distributions and cover file-system hardening, boot settings, password policy, TCP/IP stack hardening, SSH configuration hardening, and many other topics.
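As an added example (not the article's own and not a CIS artefact), the script below checks four sshd settings that the Linux CIS Benchmarks cover against an offline copy of sshd_config, handling the parsing rules that trip up naive grep checks: keywords are case-insensitive, the first uncommented occurrence of a keyword wins, commented lines only document defaults, and anything after a Match line is conditional rather than global. The target values follow the benchmark items; the defaults used for absent keywords are OpenSSH's documented defaults; the sample files are constructed. On a live host, `sshd -T` prints the effective configuration and is the simpler check.

```shell
#!/usr/bin/env bash
# Added example: CIS-style checks on an offline sshd_config.
# Sample configurations are constructed, not copied from a real host.

# Effective global value of KEY. sshd keywords are case-insensitive, the FIRST
# uncommented occurrence wins, and settings after a "Match" line apply only to
# matching connections, so parsing stops there. DEFAULT is returned when unset.
sshd_setting() {  # usage: sshd_setting FILE KEY DEFAULT
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == key && !found { found = 1; val = $2 }
        END { print (found ? val : def) }' "$1"
}

# Print one finding per line; nothing when all four checks pass.
audit_sshd() {  # usage: audit_sshd FILE
    local f="$1" v
    v=$(sshd_setting "$f" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] || echo "PermitRootLogin is $v; set to no"
    v=$(sshd_setting "$f" MaxAuthTries 6)
    [ "$v" -le 4 ] || echo "MaxAuthTries is $v; set to 4 or lower"
    v=$(sshd_setting "$f" PermitEmptyPasswords no | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] || echo "PermitEmptyPasswords is $v; set to no"
    v=$(sshd_setting "$f" X11Forwarding no | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] || echo "X11Forwarding is $v; set to no"
}

# Constructed samples. "weak" contains the traps: a commented default, a
# duplicate keyword (only the first counts) and a Match block whose settings
# are not global.
write_samples() {  # usage: write_samples DIR
    mkdir -p "$1"
    cat > "$1/weak_sshd_config" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
permitrootlogin no
MaxAuthTries 6
X11Forwarding yes
Match User deploy
    PermitEmptyPasswords yes
    X11Forwarding no
EOF
    cat > "$1/hard_sshd_config" <<'EOF'
PermitRootLogin no
MaxAuthTries 4
PermitEmptyPasswords no
X11Forwarding no
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== weak =="; audit_sshd "$demo_dir/weak_sshd_config"
echo "== hard =="; audit_sshd "$demo_dir/hard_sshd_config"
rm -rf "$demo_dir"
```

Note that the weak sample yields three findings, not four: PermitEmptyPasswords is only set inside the Match block, so globally it keeps its default of no, and the lowercase `permitrootlogin no` on the third line never takes effect because the `yes` above it was read first. A grep for "PermitRootLogin no" would pass that file.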
If you would like Perspective Risk to conduct your Pen Testing or need help with any aspect of your information security, you’re welcome to contact us.