Server Security Policy

Webdunia Server Security Policy 2014

TABLE OF CONTENTS

1 OVERVIEW
  1.1 INTENDED AUDIENCE
2 SUPPORTED OPERATING PLATFORMS
3 SERVER COMMISSIONING PROCESS
4 LINUX SECURITY POLICY
5 WINDOWS SECURITY POLICY
6 SERVER/DATA CENTRE CONSIDERATIONS
  6.1 REMOTE CONNECTION
  6.2 EXTERNAL FIREWALL
  6.3 MONITORING TOOLS

This document and the information contained herein are confidential to and the property of Webdunia (I) Pvt. Ltd. Unauthorized access, copying and replication are prohibited. This document must not be copied in whole or in part by any means without the written authorization of Webdunia (India) Pvt. Ltd. This document should be used for its intended purpose only.

1 Overview

This document shares the policies and procedures followed to secure the Linux and Windows servers hosted or operated by Webdunia.
It also describes the best practices applied to servers during installation, configuration and operation to protect them from unauthorized access and malicious threats. In addition, it defines the essential commands and guidelines used to tune and manage the overall server commissioning process at Webdunia.

1.1 Intended Audience

• System Administrator at Webdunia
• Server Operations Team at Webdunia
• Prospective Clients and Stakeholders

2 Supported Operating Platforms

The following operating systems are primarily used at Webdunia:

• Linux Platforms:
  o CentOS 4, 5, 6
  o Ubuntu 12.04
• Windows Platforms:
  o Windows Server 2012
  o Windows Server 2008
  o Windows Server 2003

3 Server Commissioning Process

• Discovery/Requirement Gathering
• New Server Procurement and Commissioning
• Installations:
  o Hardware
  o Software
  o Applications
• Deployment (Staging, Testing and Production Environment)
• Maintenance & Optimizations
  o Monitoring
  o Updates

The diagram below shows the server commissioning process followed at Webdunia:

The section below defines the security steps performed on Linux and Windows servers to prevent hackers from obtaining unwanted access.

4 Linux Security Policy

General Processes

• Encrypt authentication information transmitted over the network, such as passwords.
• Minimize the amount of software installed and running in order to minimize vulnerability.
• Use security-enhancing software and tools whenever available (e.g., SELinux and iptables).
• Run each network service on a separate server whenever possible.
• Maintain user accounts. Create a password policy. Delete unused user accounts.
• Review system and application logs on a routine basis. Send logs to a dedicated log server.
• Never log in directly as root, unless absolutely necessary.
• Keep the system updated with the latest security patches.
• Stop and disable unwanted services.
• Use sudo to limit root access.
• Maintain a firewall policy.
• Scan for viruses and other malware.
• Configure SSL/TLS if using FTP.
• Check file permissions across file systems.
• Take timely backups of important files and keep them in a safety vault, at a remote site or offsite for disaster recovery.

Physical System Security

Configure the BIOS to disable booting from CDs/DVDs, floppies and external devices, and set a password to protect these settings. Next, set a password for the GRUB boot loader. This prevents users from entering single-user mode or changing settings at boot time.

Disk Partitions and Mounting

During initial installation, ensure that file systems with user-writable directories such as /home, /tmp and /var/tmp are mounted on separate partitions. Third-party applications should be installed on separate file systems under /opt.

Use Secure Shell (SSH)

SSH is a secure protocol that encrypts communication with the server. Never log in directly as root unless necessary. Use "sudo" to execute commands. sudo rules are specified in the /etc/sudoers file, which can be edited with the "visudo" utility, which opens it in the vi editor.

It is also recommended to change the default SSH port number 22 to some other higher port number. Open the main SSH configuration file and set parameters to restrict user access.

    # vi /etc/ssh/sshd_config

Keep System Up to Date

Keep the system updated with the latest release patches, security fixes and kernel whenever they are available.

    # yum update
    # yum check-update

Disable Unnecessary Services

Avoid installing unneeded packages. Find and remove or disable unwanted services on the server to minimize vulnerability. Use the chkconfig command to disable all unwanted network services on the system.

Check Listening Network Ports

Use the netstat networking command to view all open ports and the associated programs.

Lockdown Cron Jobs

Cron has a built-in feature that lets you specify who may and who may not run jobs. This is controlled by the files /etc/cron.allow and /etc/cron.deny.
To block a user from using cron, add the user name to cron.deny; to allow a user to run cron jobs, add the user name to the cron.allow file. To disable all users from using cron, add the 'ALL' line to the cron.deny file.

    # echo ALL >>/etc/cron.deny

Disable USB Stick Detection

Restrict users from using USB sticks on systems to protect data from theft. Create the file /etc/modprobe.d/no-usb and add the line below so that USB storage is not detected.

    install usb-storage /bin/true

Turn on SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux removes this security mechanism from the system. SELinux provides three basic modes of operation:

1. Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
2. Permissive: In this mode, SELinux does not enforce the security policy on the system; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
3. Disabled: SELinux is turned off.

View the current SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.

Remove KDE/GNOME Desktops

There is no need to run X Window desktops like KDE or GNOME on a dedicated LAMP server. Remove or disable them to improve the security and performance of the server. To disable them, open the file /etc/inittab and set the run level to 3.

Turn Off IPv6

If you are not using the IPv6 protocol, disable it, because most applications and policies do not require IPv6 and it is currently not required on the server. Go to the network configuration file and add the following lines to disable it.

    # vi /etc/sysconfig/network
    NETWORKING_IPV6=no
    IPV6INIT=no

Enable Iptables (Firewall)

It is highly recommended to enable the Linux firewall to protect servers from unauthorized access. Apply rules in iptables to filter incoming, outgoing and forwarded packets.
Specify the source/destination addresses to allow or deny on specific UDP/TCP port numbers.

Monitor User Activities

Collect information on each user's activities and the processes they run, and analyze it in case of any performance or security issues. Two useful tools, psacct and acct, are used for monitoring user activities and processes on a system. These tools run in the background and continuously track each user's activity on the system and the resources consumed by services such as Apache, MySQL, SSH, FTP, etc.

Review Logs Regularly

Move logs to a dedicated log server. This may prevent intruders from easily modifying local logs. Below are the common Linux default log file names and their usage:

• /var/log/messages: Where whole system logs or current activity logs are available.
• /var/log/auth.log: Authentication logs.
• /var/log/kern.log: Kernel logs.
• /var/log/cron.log: Crond logs (cron job).
• /var/log/maillog: Mail server logs.
• /var/log/boot.log: System boot log.
• /var/log/mysqld.log: MySQL database server log file.
• /var/log/secure: Authentication log.
• /var/log/utmp or /var/log/wtmp: Login records file.
• /var/log/yum.log: Yum log files.

Keep /boot as read-only

The Linux kernel and its related files are in the /boot directory, which is read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the /etc/fstab file, add the following line at the bottom, then save and close it.

    LABEL=/boot /boot ext2 defaults,ro 1 2

Note: The change must be reset to read-write if the kernel needs to be upgraded in future.

NIC Bonding

There are two types of mode in NIC bonding; the mode must be specified on the bonding interface.

• mode=0 – Round Robin
• mode=1 – Active and Backup

NIC bonding helps to avoid a single point of failure. In NIC bonding, two or more network Ethernet cards are bonded together into one single virtual interface, to which an IP address can be assigned to talk with other servers.
The network remains available if one NIC is down or unavailable for any reason.

5 Windows Security Policy

The Windows Server 2003 and 2008 hardening process followed at Webdunia:

Generic Processes

• Install the latest service packs and hotfixes from Microsoft.
• Enable automatic notification of patch availability.
• Configure audit policy and event log settings.
• Disable or uninstall unused services and users.
• Ensure all volumes are using the NTFS file system.
• Use the Internet Connection Firewall or other methods to limit connections to the server.
• Configure file system and registry permissions.
• Install and enable anti-virus software.
• Install software to check the integrity of critical operating system files.
• If RDP is utilized, set the RDP connection encryption level to high.

Configure Security Policy

The first step in securing a 2003/2008 server is to configure a security policy. To configure a security policy, use the SCW (Security Configuration Wizard), which can be installed through "add and remove windows components". The SCW detects ports and services, and configures registry and audit settings according to the server's "role" or installed applications.

By using the SCW in Windows Server 2008, you can:

• Disable unneeded services based on the server role.
• Remove unused firewall rules and constrain existing firewall rules.
• Define restricted audit policies.

Disable or Delete Unnecessary Accounts, Applications or Roles

Block unused ports and protocols, and disable services that are not required. During installation, the Administrator, Guest and Help Assistant accounts are created by default. As a security measure, the Administrator account should be disabled to make it more difficult for an attacker to gain access. Both the Guest and Help Assistant accounts should be disabled at all times.

Configure Firewall

Windows Server comes with a phenomenal built-in firewall called the Windows Firewall with Advanced Security.
As a security best practice, every server should have its own host-based firewall.

Disable Unnecessary Shares

Unnecessary shares create a threat to critical servers, so it is necessary to disable them. This can be done using the following command:

    net share

This will display a list of all shares on the server. If there is a need to use a share, system and security administrators should configure the share as a hidden share and harden all NTFS and share permissions.

    C:\Documents and Settings>net share

    Share name   Resource      Remark
    ------------------------------------------------------------------------------
    ADMIN$       C:\WINDOWS    Remote Admin
    C$           C:\           Default share
    IPC$                       Remote IPC

Configure Encryption

Windows Server 2008 provides a built-in whole-disk encryption feature called BitLocker Drive Encryption (BitLocker), which protects the operating system and the data stored on the disk. To install BitLocker, select it in Server Manager or type the following at a command prompt:

    C:\>ServerManagerCmd -install BitLocker -restart

Updates and Patches

Administrators should periodically check the websites for updates. Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software.

Antivirus and Network Access Protection (NAP)

Windows Server 2008 comes with Network Access Protection (NAP), which helps to defend against viruses spreading into the network. It uses a set of policies that clean the affected machines and, once they are healthy, permit them access to parts of the production network. NAP is a client-server technology that scans and identifies machines that don't have the latest virus signatures, service packs or security patches.

Least Privilege

Most security threats are caused by excessive privileges held by accounts. Server services should not be configured using enterprise-wide administrator accounts.
Script Logic Cloak is a product which enhances the Windows NT File System (NTFS) by providing increased security and more accurate audits. For least privilege: download Script Logic Cloak and install it on your Windows 2008 server to enhance Windows NT file system security.

Disable Automatic Services

All the services that were set to automatic startup should be disabled. Disabling these services limits the attack surface, which can prevent or limit exploitation of the server. To disable automatic services, go to:

    Start --> Run --> Services.msc --> Disable unneeded services

Disable Remote Registry

This service allows registry access to authenticated remote users. Even though this is blocked by the firewall and ACLs, this service should be turned off if you have no reason to allow remote registry access.

Windows Error Reporting Service

Windows Error Reporting (WER) is a set of Windows technologies that capture software crash data and support end-user reporting of crash information. Through Winqual services, software and hardware vendors can access reports in order to analyze and respond to these problems. WER technologies are implemented in Windows XP, Windows Server 2003, and later.

Enable Web Management Service (Configure IIS)

Configure IIS (Internet Information Services) settings and services.

Server Monitoring

Server monitoring is done with Dell OpenManage Server Administrator and Device Manager, as below:

6 Server/Data Centre Considerations

The following security protocols are used to connect and work remotely:

6.1 Remote Connection

VPN (Virtual Private Networks)
A VPN provides a secure way to access network resources over the Internet or other public or private networks and allows connecting to a remote network.
Secure Shell (SSH)
The Secure Shell (SSH) protocol allows data transfer by routing the traffic from remote file servers through an encrypted channel.

Remote Desktop Protocol (RDP)
RDP by Microsoft is used to connect to another computer over a network connection.

6.2 External Firewall

• Hardware Firewall (Cisco)

6.3 Monitoring Tools

The following tools are used for monitoring hosts, applications and server services:

• Nagios
• MRTG
• Shell Script
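
Added example (not part of the Webdunia policy and not Webdunia's own script): a shell check of the kind listed under monitoring tools, auditing the file-based Linux settings that section 4 prescribes (SSH port and root login, read-only /boot, usb-storage, IPv6, cron.deny). The function names, the --audit argument and the use of the sshd_config directive PermitRootLogin as the concrete setting for "never log in directly as root" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the policy): audit a filesystem tree against the
# file-based settings of section 4. Match blocks in sshd_config are not handled.

# First value of KEY in an sshd_config file (sshd uses the first occurrence).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1" 2>/dev/null
}
ssh_port_changed() { p=$(sshd_value "$1" Port); [ -n "$p" ] && [ "$p" != 22 ]; }
root_login_off()   { [ "$(sshd_value "$1" PermitRootLogin)" = no ]; }

# True when the /boot entry in fstab carries the "ro" mount option.
boot_is_ro() {
    awk '$1 !~ /^#/ && $2 == "/boot" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
         }
         END { exit !found }' "$1" 2>/dev/null
}
usb_storage_off() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/true' "$1"/*
}
ipv6_off() { grep -qsx 'NETWORKING_IPV6=no' "$1" && grep -qsx 'IPV6INIT=no' "$1"; }
cron_denies_all() { grep -qsx 'ALL' "$1"; }

# Run one predicate and record the result; set -e safe because it runs under "if".
check() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# audit_linux_policy ROOT: prints PASS/FAIL per check, returns the number of FAILs.
audit_linux_policy() {
    root=${1:-}; fails=0
    check "ssh: port changed from 22"      ssh_port_changed "$root/etc/ssh/sshd_config"
    check "ssh: direct root login off"     root_login_off   "$root/etc/ssh/sshd_config"
    check "fstab: /boot read-only"         boot_is_ro       "$root/etc/fstab"
    check "modprobe: usb-storage disabled" usb_storage_off  "$root/etc/modprobe.d"
    check "network: IPv6 disabled"         ipv6_off         "$root/etc/sysconfig/network"
    check "cron: ALL in cron.deny"         cron_denies_all  "$root/etc/cron.deny"
    return "$fails"
}

# Stand-alone use: sh audit.sh --audit [ROOT]   (ROOT empty means the live system)
if [ "${1:-}" = "--audit" ]; then audit_linux_policy "${2:-}"; exit $?; fi
```

Saved under a name such as audit.sh (hypothetical), it can be run against a live host or against the root of a mounted image or backup; the exit status is the number of failed checks, so it can be wired into a monitoring job.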