Download Server Security Policy

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
Document related concepts

Burroughs MCP wikipedia , lookup

OS/2 wikipedia , lookup

VS/9 wikipedia , lookup

Windows NT startup process wikipedia , lookup

Spring (operating system) wikipedia , lookup

Windows Server 2003 wikipedia , lookup

Security-focused operating system wikipedia , lookup

Unix security wikipedia , lookup

Transcript 
Server Security Policy
Webdunia Server Security Policy 2014
TABLE OF CONTENT
OVERVIEW ................................................................................................................... 3
1
1.1
INTENDED AUDIENCE ..................................................................................................... 3
2
SUPPORTED OPERATING PLATFORMS .................................................................................... 3
3
SERVER COMMISSIONING PROCESS ....................................................................................... 3
4
LINUX SECURITY POLICY .................................................................................................... 4
5
WINDOWS SECURITY POLICY .............................................................................................. 8
6
SERVER/DATA CENTRE CONSIDERATIONS .............................................................................. 13
6.1
6.2
6.3
REMOTE CONNECTION .................................................................................................. 13
EXTERNAL FIREWALL .................................................................................................... 13
MONITORING TOOLS.................................................................................................... 13
This document and the information contained herein are confidential to and the property of Webdunia (I) Pvt. Ltd. Unauthorized
access, copying and replication are prohibited. This document must not be copied in whole or part by any means, without the written
authorization of Webdunia (India) Pvt. Ltd. This document should be used only for intended purpose only.
2
Webdunia Server Security Policy 2014
1 Overview
The document is intended to share the policies/procedures followed for the security of Linux & Windows
servers hosted/operated by Webdunia. It also provides the best practices implemented on servers while
installation, configuration and operations to prevent them from unauthorized access and malicious threats.
In addition, it defines essential commands and guidelines used to tune up and manage overall server
commissioning process at Webdunia.
1.1 Intended Audience



System Administrator at Webdunia
Server Operations Team at Webdunia
Prospective Clients and Stakeholders
2 Supported Operating Platforms
Primarily following Operating Systems used at Webdunia:

Linux Platforms:
o
o

CentOS 4,5,6
Ubuntu 12.04
Windows Platforms:
o
o
o
Windows Server 2012
Windows Server 2008
Windows Server 2003
3 Server Commissioning Process





3
Discovery/Requirement Gathering
New Server Procurement and Commissioning
Installations:
o Hardware
o Software
o Applications
Deployment (Staging, Testing and Production Environment)
Maintenance & Optimizations
o Monitoring
o Updates
Webdunia Server Security Policy 2014
The diagram below shows the server commissioning process followed at Webdunia:
The section below defines the security steps performed on Linux and Windows servers to prevent hackers
from obtaining unwanted access.
4 Linux Security Policy

General Processes













4
Encrypt authentication information transmitted over the network such as passwords.
Minimize the amount of software installed and running in order to minimize vulnerability.
Use security-enhancing software and tools whenever available (e.g., SELinux and Iptables).
Run each network service on a separate server whenever possible.
Maintain user accounts. Create a password policy. Delete unused user accounts.
Review system and application logs on a routine basis. Send logs to a dedicated log server.
Never log in directly as root, unless absolutely necessary.
Keep the system updated with latest security patches.
Stop and disable unwanted services.
Use SUDO to limit ROOT access.
Maintain a firewall policy. Scan for viruses and other malware!
Configure SSL/TLS if using FTP. Check files permission across file systems.
Take timely backups of important files and keep them in safety vault, remote site or offsite
for Disasters recovery.
Webdunia Server Security Policy 2014

Physical System Security
Configure BIOS to disable booting from CDs/DVDs, Floppies, External Devices, and set a password to
protect these settings. Next, set a password for the GRUB boot-loader. It prevents users from
entering single user mode or changing settings at boot time.

Disk Partitions and Mounting
During initial installation, ensure that file systems with user-writeable directories such as /home,
/tmp, /var/tmp are mounted on separate partitions. Ensure that third party applications should be
installed on separate file systems under /opt.

Use Secure Shell (SSH)
SSH is a secure protocol that uses encryption technology during communication with server. Never
login directly as root unless necessary. Use “sudo” to execute commands. sudo are specified
in /etc/sudoers file also can be edited with the “visudo” utility which opens in VI editor.
It is also recommended to change default SSH 22 port number with some other higher level port
number. Open main SSH configuration file and make some parameters to restrict users to access.
# vi /etc/ssh/sshd_config

Keep System Up to Date
Keep system updated with latest releases patches, security fixes and kernel when it is available.
# yum updates
# yum check-update

Disable Unnecessary Services
Avoid installing useless packages. Find and remove or disable unwanted services from the server to
minimize vulnerability. Use chkconfig command to disable all unwanted network services from the
system.

Check Listening Network Ports
With the help of netstat networking command view all open ports and associated programs.

Lockdown Cron Jobs
Cron has its own built in feature, where it allows to specify who may, and who may not want to run
jobs. This is controlled by the use of files called /etc/cron.allow and/etc/cron.deny.
5
Webdunia Server Security Policy 2014
To lock a user using cron, simply add user names in cron.deny and to allow a user to run cron add
incron.allow file. To disable all users from using cron, add the ‘ALL‘ line to cron.deny file.
# echo ALL >>/etc/cron.deny

Disable USB Stick to Detect
Restrict users from using USB stick in systems to protect and secure data from stealing. Create a file
/etc/modprobe.d/no-usb and adding below line will not detect USB storage.
install usb-storage /bin/true

Turn on SELinux
Security-Enhanced Linux (SELinux) is a compulsory access control security mechanism provided in
the kernel. Disabling SELinux means removing security mechanism from the system
SELinux provides three basic modes of operations:
1. Enforcing: This is default mode which enables and enforces the SELinux security policy on
the machine.
2. Permissive: In this mode, SELinux will not enforce the security policy on the system, only
warn and log actions. This mode is very useful in term of troubleshooting SELinux related
issues.
3. Disabled: SELinux is turned off.
View current status of SELinux mode from the command line using ‘system-config-selinux‘,
‘getenforce‘ or ‘sestatus‘ commands.

Remove KDE/GNOME Desktops
There is no need to run X Window desktops like KDE or GNOME on dedicated LAMP server. Remove
or disable them to increase security of server and performance.
To disable open the file /etc/inittab and set run level to 3.

Turn Off IPv6
If you are not using an IPv6 protocol, then disable it because most of the applications or policies not
required IPv6 protocol and currently it does not required on the server. Go to network configuration
file and add followings lines to disable it.
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no
6
Webdunia Server Security Policy 2014

Enable Iptables (Firewall)
It’s highly recommended to enable Linux firewall to secure unauthorized access of servers. Apply
rules in iptablesto filters incoming, outgoing and forwarding packets. Specify source/destination
address to allow and deny in specific udp/tcp port number.

Monitor User Activities
Collect the information of each user activities and processes consumed by them and analyze in case
of any performance/security issues. There are two useful tools called psacct and acct are used for
monitoring user activities and processes on a system. These tools runs in a system background and
continuously tracks each user activity on a system and resources consumed by services such
as Apache, MySQL, SSH, FTP, etc.

Review Logs Regularly
Move logs in dedicated log serve. This may prevents intruders to easily modify local logs. Below are
the Common Linux default log files name and their usage:
/var/log/message – Where whole system logs or current activity logs are available.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron job).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.

Keep /boot as read-only
Linux kernel and its related files are in /boot directory which is by default as read-write. Changing it
to read-only reduces the risk of unauthorized modification of critical boot files.
To do this, open /etc/fstab file.
Add following line at the bottom, save and close it.
LABEL=/boot /boot ext2 defaults,ro 1 2
Note: Need to reset the change to read-write, if required to upgrade the kernel in future.

NIC Bonding
There are two types of mode in NIC bonding, need to mention in bonding interface.
mode=0 – Round Robin
mode=1 – Active and Backup
7
Webdunia Server Security Policy 2014
NIC Bonding helps to avoid single point of failure. In NIC bonding, we bond two or more Network
Ethernet Cards together and make one single virtual Interface where we can assign IP address to talk
with other servers. Network will be available in case of one NIC Card is down or unavailable due to
any reason.
5 Windows Security Policy
Windows Server 2003 and 2008 hardening process followed at Webdunia:

Generic Processes











Install latest service packs and hotfixes from Microsoft.
Enable automatic notification of patch availability.
Configure Audit policy and event Log Settings.
Disable or uninstall unused services and users.
Ensure all volumes are using the NTFS file system.
Use the Internet Connection Firewall or other methods to limit connections to the server.
Configure file system and registry permissions.
Install and enable anti-virus software.
Install software to check the integrity of critical operating system files.
If RDP is utilized, set RDP connection encryption level to high.
Configure Security Policy
The first step in securing the 2003/2008 server is to configure a security policy. In order to configure
a security policy, use the SCW (Security Configuration Wizard) which can be installed through “add
and remove windows components”. The SCW detects ports and services, and configures registry and
audit settings according to the servers “role” or installed applications.
8
Webdunia Server Security Policy 2014
By using the SCW in Windows Server2008, you can:




Disable unneeded services based on the server role.
Remove unused firewall rules and constrain existing firewall rules.
Define restricted audit policies.
Disable or Delete Unnecessary Accounts, Applications or Roles
Block the unused ports, protocols and by disabling services that are not required. During installation
by default the Administrator, Guest and Help Assistant are created.
As a security expertise the administrator account should be disabled to make it more difficult for an
attacker to gain access. Both Guest and Help Assistant accounts should be disabled at all times.

Configure Firewall
Windows server comes with a phenomenal built in firewall called the Windows Firewall with
Advanced Security. As a security best practice, all servers should have its own host based firewall.
9
Webdunia Server Security Policy 2014

Disable Unnecessary Shares
Unnecessary shares create a threat to critical servers. So it is necessary to disable the unnecessary
shares. This can be done using the following command: Net share
This will display a list of all shares on the server. If there is a need to use a share, system and security
administrators should configure the share as a hidden share and harden all NTFS and Share
permissions.
C:\Documents and Settings>net share
Share name Resource
Remark
------------------------------------------------------------------------------ADMIN$
C:\WINDOWS Remote Admin
C$
C:\
Default share
IPC$
Remote IPC

Configure Encryption
Windows Server 2008 provides a built in whole disk encryption feature called BitLocker Drive
Encryption (BitLocker) which protects the operating system and data stored on the disk. To install
BitLocker, select it in Server Manager or type the following at a command prompt:
C:\ServerManagerCmd -install BitLocker –restart

Updates and Patches
Administrators should periodically check the websites for updates. Windows Server Update Services
(WSUS) provides a software update service for Microsoft Windows operating systems and other
Microsoft software.

Antivirus and Network Access Point (NAP)
Windows Server 2008 comes with a Network Access Protection(NAP) which helps to defense against
viruses from spreading out into the network. It uses a set of policies which cleans the affected
machines and when they are healthy, permits them access to parts of the production network. NAP
consists of client server technology which scans and identifies machines that don't have the latest
virus signatures, service packs or security patches.

Least Privilege
Most of the security threats are often caused by high privileges bared by accounts. Server services
should not be configured using enterprise wide administrator accounts. Script Logic Cloak is a
product which enhances the Windows NT File System (NTFS) by providing increased security, more
accurate audits. For Least Privilege: Download Script Logic Cloak and install in your windows 2008
server which enhance the Windows NT file system Security.
10
Webdunia Server Security Policy 2014

Disable Automatic Services
All the services that were set to automatic startup should be disabled. Disabling these services can
limit attack surface area which can prevent or limit exploitation of the server. For Disable Automatic
services Go to: Start --> run --> Services.msc --> Disable unneeded services

Disable Remote Registry
This service allows registry access to authenticated remote users. Even though this is blocked by the
firewall and ACLs this service should be turned off if you have no reason to allow remote registry
access.

Windows Error Reporting Service
Windows Error Reporting (WER) is a set of Windows technologies that capture software crash data
and support end-user reporting of crash information. Through Winqual services, software and
hardware vendors can access reports in order to analyze and respond to these problems. WER
technologies are implemented in Windows XP, Windows Server 2003, and later

Enable Web Management Service (Configure IIS)
Configure IIS (Internet Information Services) settings and services.

Server Monitoring
Server Monitoring with Dell Open Manage Server Administrator and device manager as below:
11
Webdunia Server Security Policy 2014
12
Webdunia Server Security Policy 2014
6 Server/Data Centre Considerations
To connect and working remotely following security protocols has been used:
6.1 Remote Connection

VPN (Virtual Private Networks)
VPN provides a secure way to access network resources over the Internet or other public or
private networks and allows connecting to a remote network.

Secure Shell (SSH)
The Secure Shell (SSH) protocol allows data transfer by routing the traffic from remote
fileservers through an encrypted channel.

Remote Desktop Protocol (RDP)
RDP by Microsoft is used to connect to another computer over a network connection.
6.2 External Firewall
Hardware Firewall (Cisco)
6.3 Monitoring Tools
Following tools are used for monitoring of hosts, applications and server services:


13
Nagios
MRTG
Shell Script
Related documents
Firewall Configuration
Firewall Configuration
Enable / Disable Light Version
Enable / Disable Light Version
PDF Data Sheet - Operator Interface Technology
PDF Data Sheet - Operator Interface Technology
Lecture 15 Designing Trusted Operating Systems Thierry Sans
Lecture 15 Designing Trusted Operating Systems Thierry Sans
HOMEWORK 6 Exercise 1. (a) Let X be a Bernoulli random variable
HOMEWORK 6 Exercise 1. (a) Let X be a Bernoulli random variable
Part II. Project Information, to be completed by the proposer (Faculty
Part II. Project Information, to be completed by the proposer (Faculty
A probability argument that lays the foundation for the Monte Carlo
A probability argument that lays the foundation for the Monte Carlo
Lecture 23 - Stony Brook AMS
Lecture 23 - Stony Brook AMS
Document 62752
Document 62752
Citrix Application Firewall
Citrix Application Firewall
firewall_audit - Cisco Support Community
firewall_audit - Cisco Support Community
Proof of the Law of Large Numbers in the Case of Finite Variance
Proof of the Law of Large Numbers in the Case of Finite Variance
SELinux For Dummies - LinuxFest Northwest 2015
SELinux For Dummies - LinuxFest Northwest 2015
Guide to the Secure Configuration of Red Hat Enterprise Linux 5
Guide to the Secure Configuration of Red Hat Enterprise Linux 5
CLI Reference for FortiOS 5.0
CLI Reference for FortiOS 5.0