Server Security, The Ten Commandments
In many organizations, they’re the most unsung of heroes. Quietly whirring away in their rack, hosting your web site, running your email, storing your data. Yet please spare a thought for your servers. Without them, your business would not be a business. And it’s not as if they’re living in the safest of worlds these days.
Here are ten things you can do to help keep them secure:
1. Beware infection!
When your shiny new baby is still a shiny new baby, don’t expose it to the cruel world just yet. Install the software from a CD or DVD, then configure it and load any patches before you even think about going online. And don’t forget server backup, just in case your system catches a cold.
2. Secure your borders.
Believe it, they have ways of making you cough up your data! Install security software like firewalls, anti-virus and anti-spyware programs before you go on the Net. Intrusion detection and prevention software is a very good idea too.
3. Access denied!
Make it a rule to only grant passwords and access privileges to the, well, privileged. Remember that admin and guest accounts are wide open to hackers, so rename them and set new passwords, then use the admin account as little as possible. Remove unused accounts, too, grant new ones sparingly and never, ever share.
4. Keep It Simple S****D!
Web servers should really not be running multiple applications. It makes them a sitting duck for hackers, as well as susceptible to annoying software incompatibilities. As the received wisdom maintains, go for 1 app, 1 server. And don’t hang on to anything not related to the program, like system development tools.
5. Clean up after yourself.
Installing new software leaves a mess – sample files, scripts, code, directories, that sort of thing. Delete them, end of.
6. The Nun will be READY at 12 Midnight!
Passwords have moved beyond the traditional ‘one over the eight’ now. Or two over. In fact, make it 12 characters min. And…
Do: rotate case, use numbers, use shift characters, change passwords after 42 days max, and generally use your imagination.
Don’t: use text speak, misspellings, foreign words or slang; recycle old passwords or add numbers to them; or use pets’/kids’ names, birthdays, etc.
7. Frisk the guests!
Inspect uploaded files and keep them on a separate drive, or at least a separate partition. Cap their disk space, too.
8. 3 strikes and you’re out!
Consider locking out accounts after, say, 3 unsuccessful login attempts in 30 minutes. However, realize it can be legit – like you’ve never forgotten your front door key!
9. Use your loaf!
Sorry, your log. It’s the first and best evidence of unauthorized access, or attempts at it. You can even use it as evidence in court, if it comes to that. If you really can’t face the hassle, at least configure your log to record a minimum of information. Make sure you archive logs regularly, though, and examine them for patterns. If you’re being targeted, they won’t just go away, so don’t take it too lightly.
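As an added example (not from the original article), here is commandment 8’s “3 strikes in 30 minutes” rule run over a few log lines, the kind of pattern commandment 9 says to look for when you examine your logs. The log format, account names and addresses are all constructed for the example.

```python
# Added example, not part of the original article: a sliding-window
# "3 failed logins in 30 minutes" check over constructed auth-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-like; names and addresses are made up).
# "admin" fails three times inside 30 minutes; "alice" fails three times
# spread over 90 minutes and then logs in, i.e. the legitimate forgetful user.
SAMPLE_LOG = """\
2024-03-01 08:00:05 sshd[101]: Failed password for admin from 198.51.100.7
2024-03-01 08:03:10 sshd[102]: Failed password for admin from 198.51.100.7
2024-03-01 08:20:00 sshd[103]: Failed password for admin from 198.51.100.7
2024-03-01 09:00:00 sshd[104]: Failed password for alice from 203.0.113.9
2024-03-01 09:45:00 sshd[105]: Failed password for alice from 203.0.113.9
2024-03-01 10:30:00 sshd[106]: Failed password for alice from 203.0.113.9
2024-03-01 10:31:00 sshd[107]: Accepted password for alice from 203.0.113.9
"""

# Only failed attempts matter for the strike count; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def find_lockouts(log_text, max_failures=3, window_minutes=30):
    """Return {user: time of the strike that tripped the rule} for every
    account with max_failures failed logins inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> failure timestamps still in window
    lockouts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        strikes = recent[m["user"]]
        strikes.append(ts)
        while strikes and ts - strikes[0] > window:  # expire old failures
            strikes.popleft()
        if len(strikes) >= max_failures and m["user"] not in lockouts:
            lockouts[m["user"]] = ts
    return lockouts


if __name__ == "__main__":
    for user, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {user}: strike {3} at {when}")
```

Widening the window (for example to 120 minutes) makes alice trip the rule too, which is the trade-off the article warns about between catching attackers and locking out forgetful users.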
10. Create a patchwork quilt.
Patch quickly and regularly. If you can, set your OS and application to download patches automatically, but don’t install them this way as you may want to test first.
So these, then, are our Ten Commandments for server security. And remember, security is for life, not just for Xmas. Think on-going, not one-off. It may seem a hassle, but it’s a molehill compared to the mountain of trouble the hackers could give you. And the game keeps changing, so don’t rest on your laurels. Don’t be left taking a knife to a gunfight.