Place a poorly secured server on the Internet and the question is not “Will it be hacked?” but simply “When?”
Fortunately, there are a number of tips and tools that can dramatically improve the security on any network-attached server.
“It really comes down to doing a risk/benefit analysis,” says Dr. Steve Beaty, chair of the department of mathematical and computer sciences at Metropolitan State College of Denver.
The more valuable your company’s data, the more effort you should put into securing its servers, but a few general principles apply to every business. The following four areas (firewalling, hardening, auditing, and ongoing maintenance) will let you keep a server on the network and still sleep at night.
It might sound obvious, but make sure the server’s own host firewall is running and that at least one network firewall sits in front of it, even if that is just the firewall on the router the server is attached to. The two layers are not redundant: the host firewall still protects the server if the perimeter device is misconfigured or another machine on the same segment is compromised. Placing a server on a network without a firewall is like leaving the front door wide open; don’t be surprised when unwanted visitors wander in.
Once the firewall is running, the next step is to block every port you don’t need. Set the inbound policy to deny by default and open only the ports the server’s role requires: a Web server needs 80 and 443, plus a tightly restricted management port such as SSH, and nothing else. The file-sharing, printing, and Web conferencing ports used for internal communication have no business being reachable from the Internet.
“You should be very suspicious of any opened port,” says Beaty.
Getting the firewall running is only a start. A critical step is “hardening” the system. This is the process of trimming the machine of every piece of software it doesn’t need to complete its assigned task.
“Every single piece of software is going to have an exploit. You want to reduce the machine down to the necessities,” says Beaty.
In practice this means removing software from the server. If the machine is an e-mail server, uninstall the office productivity applications, the Web browser, even games and utilities, and disable or remove every service that does not support the mail role. Anything that must still run but has no business on an Internet-facing box belongs on a separate machine inside the network.
Beaty suggests dedicating each server to a single task, so that every box can be stripped down to the minimum its one role requires.
Once you’ve firewalled and hardened your server, check your work for leaks and weak spots you didn’t know about. Audit tools report in detail how tightly you’ve sealed the box. The Center for Internet Security, for example, publishes free configuration benchmarks and auditing tools for a wide variety of platforms, and Beaty also recommends the Tiger security tools for Unix servers.
Running the Nessus vulnerability scanner is a must. It probes for open ports, lists the specific vulnerabilities it finds on each exposed service, and can even run intrusive checks to ferret out weaknesses in the server set-up, so schedule scans for a maintenance window. (Nessus was free when this article was written; it is now a commercial product from Tenable with a limited free edition, while OpenVAS, which forked from the last open-source Nessus release, remains free.)
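The two steps above, closing every port the role does not need and then verifying what is actually listening, can be scripted. The following is an added example (not from the article or from any of the tools it names): it parses `ss -H -ltunp` output, classifies each listening socket against a per-role port allowlist, and renders a default-deny nftables input chain for that role. The `ss` output, the host, the process names and PIDs, and the `ROLE_PORTS` allowlist are all constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample in the format of `ss -H -ltunp` (no header line) from a
# hypothetical Web server. Host, PIDs and processes are made up.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      4096   0.0.0.0:22       0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80       0.0.0.0:*   users:(("nginx",pid=1401,fd=6))
tcp   LISTEN 0      511    0.0.0.0:443      0.0.0.0:*   users:(("nginx",pid=1401,fd=7))
tcp   LISTEN 0      128    127.0.0.1:3306   0.0.0.0:*   users:(("mysqld",pid=1522,fd=21))
tcp   LISTEN 0      50     0.0.0.0:445      0.0.0.0:*   users:(("smbd",pid=1610,fd=31))
tcp   LISTEN 0      128    0.0.0.0:631      0.0.0.0:*   users:(("cupsd",pid=700,fd=8))
udp   UNCONN 0      0      0.0.0.0:123      0.0.0.0:*   users:(("ntpd",pid=650,fd=16))
tcp   LISTEN 0      128    [::]:22          [::]:*      users:(("sshd",pid=812,fd=4))
"""

# Assumed per-role allowlists. SSH is admitted for administration; restrict its
# source addresses in the firewall rather than leaving it open to the world.
ROLE_PORTS: Dict[str, Set[int]] = {
    "web": {22, 80, 443},
    "mail": {22, 25, 587, 993},
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
_PROC_RE = re.compile(r'\(\("([^"]+)"')


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -H -ltunp` lines into Listener records (TCP LISTEN and UDP UNCONN)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = fields[4].rpartition(":")   # handles "[::]:22" and "*:123" too
        m = _PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit(output: str, role: str) -> Dict[str, List[Listener]]:
    """Classify each listening socket against the role's allowlist."""
    allowed = ROLE_PORTS[role]
    report: Dict[str, List[Listener]] = {"allowed": [], "loopback_only": [], "unexpected": []}
    for lst in parse_ss(output):
        if lst.port in allowed:
            report["allowed"].append(lst)
        elif lst.addr in LOOPBACK:
            report["loopback_only"].append(lst)   # unreachable from the network, but still worth knowing
        else:
            report["unexpected"].append(lst)      # remove the service, or at least block it
    return report


def nft_ruleset(role: str) -> str:
    """Render a default-deny nftables input chain that admits only the role's TCP ports."""
    ports = ", ".join(str(p) for p in sorted(ROLE_PORTS[role]))
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    ip protocol icmp accept",
        "    ip6 nexthdr icmpv6 accept",
        f"    tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    result = audit(SAMPLE_SS_OUTPUT, "web")
    for lst in result["unexpected"]:
        print(f"UNEXPECTED {lst.proto}/{lst.port} on {lst.addr} ({lst.process})")
    for lst in result["loopback_only"]:
        print(f"loopback   {lst.proto}/{lst.port} ({lst.process})")
    print(nft_ruleset("web"))
```

On the sample, the audit flags Samba (445), CUPS (631) and NTP (123/udp) as unexpected on a Web server and notes MySQL bound to loopback only. The firewall rule is a backstop: the preferred fix for an unexpected listener is to uninstall or disable the service, as the hardening section below describes. UDP services that a role legitimately needs would require their own `udp dport` rule.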
Once the system is secure and running smoothly, keeping the machine under control and free of worms, viruses, and renegade processes requires an ongoing plan of maintenance.
Serious maintenance starts with running intrusion detection software, such as the open-source Snort. Snort inspects the network traffic to and from the server against a set of signature rules and flags suspicious packets and connections; keep its rule set current, since a detector that only knows last year’s attacks is of limited use.
Beaty also likes tools such as Tripwire, which records a cryptographic fingerprint of each system file and later tells you quickly whether any of them has changed, the classic sign of an undetected intruder installing a backdoor or replacing system binaries. Keep the baseline database somewhere the attacker cannot reach, such as read-only media or another machine; a baseline stored on the server itself can simply be regenerated after the tampering.
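The idea behind Tripwire, reduced to its core, is below as an added example (it is not Tripwire’s code and uses none of its formats): build a baseline of SHA-256 hashes, permission bits, owner and size for every regular file under a directory, store it, and later diff a fresh walk against it. The `demo()` function constructs a throwaway tree of made-up files, simulates an intrusion (a trojaned binary of identical size, a setuid bit added, a hidden file dropped, a file deleted) and returns what the comparison catches.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List

Baseline = Dict[str, Dict[str, object]]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Record hash, permission bits, owner and size of every regular file under root."""
    baseline: Baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": _sha256(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),  # a newly added setuid bit shows up here
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return baseline


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Report files that appeared, vanished, or changed in any recorded attribute."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree (not real system files), tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        files = {"bin/ls": b"original ls binary", "bin/login": b"login", "passwd": b"root:x:0:0\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o755 if rel.startswith("bin/") else 0o644)

        # In real use the baseline goes to read-only media or another host;
        # a JSON round trip stands in for that storage step here.
        stored = json.dumps(build_baseline(root))

        # Simulated intrusion: same-size trojaned login, setuid added to ls,
        # a hidden file dropped into bin, and passwd deleted.
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"l0gin")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)
        with open(os.path.join(root, "bin/.rootkit"), "wb") as f:
            f.write(b"evil")
        os.remove(os.path.join(root, "passwd"))

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the demo is meant to show: a size check alone would miss the trojaned `bin/login`, and a hash alone would miss the setuid bit on `bin/ls`, which is why both are recorded. The checker shares Tripwire’s limitation: an attacker with root can tamper with the checker binary or the hash library it loads, so a verification you really trust runs from known-good media rather than from the suspect system itself.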
Routinely running Nessus also helps sniff out weakness before the bad guys do.
Installing updates and patches can create issues with other software running on the machine. Still, Beaty suggests that keeping the server’s operating system patches up to date is a good idea for dealing with some of the most obvious flaws. Test patches on a staging system where you can, but don’t let fear of breakage leave known holes open for weeks.
Finally, he emphasizes what might be the single most important tip when it comes to server security:
“In addition to keeping machines patched, you need to keep people patched,” he says. “Staying up to date through e-mail lists, magazines, and other forms of education will keep you on your toes. Without up-to-date information on the risks and hottest exploits, no one can hope to keep their server free from Internet bad guys.”