A Complete Tactical Server Hardening Checklist

Servers are the backbone of most modern IT infrastructure. Whether virtual, physical, or some combination of both, server infrastructure provides the computing functionality necessary for business applications, Internet connections, and other related services. This functional importance makes servers a prime target for data breaches by malicious actors. 

Compromised servers have cost companies and governments millions of dollars, and the rate of attacks increases every year. 

The starting point for preventing these types of attackers from compromising your server infrastructure is with server hardening. Below is a comprehensive server hardening checklist to ensure you protect all areas of your server configuration.

What is Server Hardening?

Server hardening involves applying the principles of system hardening to servers specifically. This means identifying security vulnerabilities in your servers and making configuration changes and other remediation steps required to reduce these vulnerabilities.

The goal of server hardening is to make your server a more difficult target for hackers, thereby protecting your operations and saving you money in the long run. However, server hardening has the added advantage of improving your organization’s compliance with industry and state information security regulations.

Your server hardening process starts with a checklist that outlines the steps you should take to protect against common security threats. These steps are based on guidelines developed by cybersecurity experts and codified by bodies such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). 

These server hardening checklist items are broad strokes that apply to Windows, Linux, and other types of servers. If you want a detailed breakdown, the NIST and CIS benchmarks have the resources you need.

8-Step Server Hardening Checklist

1. Account Policies

User accounts are identities created to allow authenticated access to a server or related system. Different user accounts have different levels of access to core functions of the server, with administrator accounts having the highest level of access. Therefore, enforcing a strong password policy for these accounts is necessary to maintain security. This policy should include recommendations for a minimum password length, password complexity, account lockout duration, and maximum password age.

In addition to the password policies, managing how users log in to access server resources is also essential. Security hardening measures here should include restrictions on where users can log in from and enforcing two-factor authentication. You should also delete guest accounts and unused accounts.

Key Questions to Answer

• Do you have an established password policy?
• Do you have controls in place for managing where and how users log in to access server resources?
• Do you regularly delete guest and unused accounts?

2. Updates and Patches

Your server hardening checklist should include a plan for installing software patches and updates. Vendors often release them to repair recently discovered security vulnerabilities and improve performance, hence their importance to server security. If possible, run your updates on a test installation to ensure that they will not cause problems before applying them to your live environment.

Configuring automatic updates for your operating system and other software components will keep you updated with the latest patches and software fixes. For example, Microsoft regularly releases hotfixes and updates for its Windows servers, and the same goes for most Linux-based server operating systems. You should also configure third-party software running on your servers to receive and install updates automatically.

Key Questions to Answer

• Have you configured automatic updates for your server operating system?
• Did you also set up automatic updates for third-party applications running on your servers?
• Do you run each update on a test server to check for problems before pushing it to your production servers?

3. User Rights Management

Everyone who needs access to applications and resources managed by your server needs an account, but not everyone needs complete access to all server resources. That’s why account management is an essential part of your server hardening checklist.

Restrict access to administrator-level accounts and only assign users just enough privileges to their accounts to enable them to do their jobs. You can manage this from a domain controller by creating user groups for multiple accounts with similar privileges. Access to file systems and other resources will be assigned to the groups rather than individual accounts.

Key Questions to Answer

• Do you use a group policy or similar tools to manage user privileges?
• What restrictions have you put in place for access to administrator-level accounts?

4. Network Security

Your network firewall is your first line of defense against all external attacks, so make sure it is enabled and set it up to block all inbound traffic by default. Then only allow incoming network traffic based on an analysis of what is necessary for your operations. Windows Firewall is a decent enough tool for accomplishing this, but a physical firewall offers better protection by separating traffic management from the server.

If remote access to your server via remote desktop protocol (RDP) is required, ensure you have the highest level of encryption enabled for this. For users connecting to their accounts or programs running on the server from external locations, you can set up a virtual private network (VPN) to secure their access over the Internet.

Key Questions to Answer

• Is your firewall configured to block all incoming traffic except what is necessary?
• Do you use a VPN for all remote connections and logins to your server?
• Do you encrypt your remote desktop connections?

5. Antivirus & Software Security

Antivirus and anti-malware programs protect your systems by actively scanning for malicious software and removing them when detected. Make sure you have one installed and configured to run regular scans on your server. Also, configure your antivirus software to update its virus definition database as frequently as possible, as this will keep your server protected from the latest identified viruses and malware.

For Windows Server users, ensure you have User Account Control (UAC) to manage the level of access that third-party programs have to system resources and data. Check this off your server hardening list for blocking malicious software that runs in the background.

Key Questions to Answer

• Do you have antivirus and anti-malware software installed on your servers?
• Do your antivirus applications get updates and scan your server automatically?
• Do you have User Account Control enabled on your Windows servers?

6. General Security Settings

Your server operating system probably comes with several services and features that are unnecessary for your working environment. Disabling these unnecessary services and uninstalling all unused applications will significantly reduce the risk of your attackers compromising your server through a vulnerability in one or more of them.

In addition to security measures to restrict unauthorized physical access to your servers, you can also disable support for external storage devices like USB drives which are popular attack vectors for hackers who may have physical access to your servers.

Key Questions to Answer

• Have you removed/disabled all unnecessary software and services on your server?
• Do you have USB devices disabled in the security settings for your server?
• What kind of measures do you have for restricting physical access to your servers?

7. Backups & Recovery

Your server hardening checklist would not be complete without a proper backup and recovery plan. Backups can protect your servers from data loss, ransomware attacks, and other disaster-level events that affect information security.

Whether you choose an onsite, remote, or cloud-based backup solution, ensure that the backup process is automated and continuous.

Key Questions to Answer

• How often do you backup your server?
• Are your backups automated?
• Where are your backups stored?

8. Audit Policies and Documentation

Enabling logging and monitoring for all system events will help build a repository of information necessary for performing system audits. System audits involve reviewing server activities using event logs to identify the source of a problem or security threat. Therefore, creating an audit policy that specifies the kind of system activities you should log, the duration of these event logs, and how they are backed up is essential for hardening your server security.

In addition to this, you should maintain documentation for all your security settings, policies, and system configurations. This documentation is an essential part of your disaster recovery plans and should be updated whenever you change your security configuration.

Key Questions to Answer

• Do you log your server activities?
• How often do you review your event logs?
• Do you document changes to your server configuration?

Don’t Become Another Victim of Cyber Attacks

The role of servers in today’s business operations cannot be overstated. Incorporating a server hardening checklist into your risk management processes will ensure the safety of one of the most critical components of your IT infrastructure.

Do You Want to Know What Other Cybersecurity Risks Your Business Needs to be Aware of? Grab a Copy of Liquid Web’s Security Infrastructure Checklist for SMBs.