Wednesday, March 7, 2012

How can you make a server completely secure?

What are all the steps involved in completely locking down a server so that it is completely secure? I understand uncrackable is an impossibility. But to the best of our abilities, how do we make it as hard as it can be to do so?
The only completely secure system is disconnected from any networks and is kept behind a locked door. Preferably protected by a heavily armed guard.



Hardening a server against most threats will depend upon the OS as well as the app(s) running on it. Here are a few guidelines to get started.

1. One app per server. Putting a database on a web server is just asking for trouble.
2. Lock down ALL ports (inbound AND outbound) other than those absolutely necessary for the function that the server performs.
3. Use hardened passwords for anything but read-only access. Make them as long as the OS will allow, or at least 25 characters. Random letters, numbers, and characters only; never any dictionary words. (And skip the l33t$. Hackers know them too!)
4. Stay on top of OS and app patches. Daily!
5. Monitor logs frequently (several times a day) looking for suspicious activity.
6. Lock out accounts after a very limited number of tries, generally no more than 3 or 4. Set so that a human admin must reset them, and make sure the human is well trained on social engineering attack methodologies to keep the Kevin Mitnicks at bay.
7. Disable ALL unnecessary services.
8. Put all Internet facing servers in a DMZ, preferably on their own subnet with no routing between subnets.
9. NEVER install routing services (such as MS RRAS) on a multi-homed DMZ server. EVER!
10. In a Windows environment, NEVER make a DMZ server a member of an AD domain or forest, especially one outside of the DMZ.
11. Consider hiring a penetration tester to attempt to hack into your systems. Follow his or her instructions on hardening your systems against any vulnerabilities that they find.
12. Consider installing an intrusion detection system and an intrusion prevention system. Set it to a "nervous" alert level until you are comfortable with what constitutes normal "background chatter" and what is indicative of something worthy of closer attention.
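As an added illustration of items 2, 5, 6 and 7 in the answer above (example code written for this page, not part of any answer here): a POSIX shell script with two small defender-side checks. The first compares a host's listening sockets against an allow-list of ports the server is meant to expose, which is how you verify that "lock down all ports" and "disable all unnecessary services" actually hold. The second tallies failed SSH logins per source address or per account against a threshold, the monitoring side of the "3 or 4 tries" lockout rule. It assumes a Linux host where the socket list comes from `ss -Hlntu` and SSH failures land in an auth.log-style file; the allow-list, host name, addresses and log lines are constructed sample data embedded in the script so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Two audit checks a defender can
# run on a Linux server. Both read their input from stdin so they work offline
# here against constructed samples; on a real host, pipe in `ss -Hlntu` output
# and /var/log/auth.log respectively.

# ---- Check 1: listening sockets vs. an allow-list (items 2 and 7) ----------
# Assumption: this server is a web server that should expose only SSH and HTTPS.
ALLOWED_PORTS="22 443"

# Constructed sample of `ss -Hlntu` output:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 [::]:22        [::]:*
tcp   LISTEN 0 511 0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 80  127.0.0.1:3306 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:*'

# Print "proto local-address:port" for every listener whose port is not on the
# allow-list given in $1 (space separated). ss-style lines on stdin.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # local address is column 5; the port is whatever follows the last ":"
            # (works for 0.0.0.0:22, [::]:22 and *:22 alike)
            port = $5; sub(/.*:/, "", port)
            if (!(port in ok)) print $1, $5
        }'
}

# ---- Check 2: repeated authentication failures (items 5 and 6) -------------
# Constructed sample of sshd lines in syslog/auth.log format.
SAMPLE_AUTH='Mar  7 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  7 10:01:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  7 10:01:09 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  7 10:01:15 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar  7 10:02:40 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  7 10:03:01 web1 sshd[2112]: Failed password for deploy from 198.51.100.7 port 40030 ssh2'

# Count failed SSH logins grouped by $1 ("source" = client address, "account" =
# user name) and print "key count" for every key at or above threshold $2.
# auth.log-style lines on stdin; successful logins are ignored.
failed_logins_by() {
    awk -v key="$1" -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            src = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                # "for invalid user NAME" vs. "for NAME"
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            }
            k = (key == "source") ? src : user
            count[k]++
        }
        END { for (k in count) if (count[k] >= threshold) print k, count[k] }'
}

# Run both checks against the constructed samples when executed directly.
run_checks() {
    echo "Listeners not on the allow-list:"
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_PORTS"
    echo "Sources with 4 or more failed logins:"
    printf '%s\n' "$SAMPLE_AUTH" | failed_logins_by source 4
    echo "Accounts with 2 or more failed logins:"
    printf '%s\n' "$SAMPLE_AUTH" | failed_logins_by account 2
}

run_checks
```

On the sample data the first check reports the MySQL listener on 3306 and SNMP on UDP 161, neither of which belongs on a web server (item 1 says the database should not be there at all). The second check flags 203.0.113.5 at four failures; the single failure from 198.51.100.7 stays below the threshold, which is the "background chatter" item 12 talks about. The threshold is a parameter so it can be tightened or loosened to match the lockout policy; on Linux the lockout itself is normally enforced by PAM (pam_faillock) rather than by a script, and this check is the monitoring side of it.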
Dig a huge hole, place the server in the hole, and fill the hole with cement.



There is no such thing as a server being completely secure, unless it's unplugged and buried in cement.
