Information is one of the most crucial assets of any corporation. As more and more information is stored in digital format, the onus falls on servers to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service. This makes it mandatory for organizations to exercise proper server security and utility assessment to make sure that each server is used only for the right service and the right purpose.
Server Hardening from a trusted provider offers an excellent means by which an organization can baseline its current security posture and identify threats and weaknesses. It provides not only the basis for a security action plan, but also compelling events, due diligence and partner interface protocols necessary to establish security as a key corporate initiative. Torrid’s IS-COE server hardening services provide the best security portfolio to its clients using its intellectual capital and expertise.
Objectives of the entire exercise
Implementing Torrid’s Information Security, Centre of Excellence (IS-COE) standard server hardening templates enables the following objectives to be achieved:
- Enhancing the hosts to achieve the three basic objectives of security (CIA): Confidentiality, Integrity and Availability.
- Application of a fully defined, repeatable and highly secure build process for various operating systems and applications to achieve the above objectives and provide increased levels of security.
- Managing the security controls by fixing vulnerabilities, applying the least privilege needed to complete the task, separating privileges, applying least common mechanism, and making the system highly defensive and able to fail safely.
Approach & Methodology
The implementation of each standard server hardening template requires the following tasks to be completed:
- Customization of the server hardening activity template to match the client’s operating system and to reflect the client’s current security policies and procedures.
- Implementation and testing of the template.
- Handover of templates and comprehensive setting guide.
Basic server security steps include:
- Planning the installation
- Install, configure, and secure the OS
- Install, configure, and secure the server software
- Test the security
Installation and Deployment Planning
Installation and deployment planning covers the following:
- The purpose of the server
- The services provided by the server
- Network service software, client and server
- The different roles of the server
- User categories and their privileges
- Server Management Strategy
- Users and their authentication methodology
- Access enforcement strategy
Securing the Operating System
Steps to follow after planning installation and deployment of the OS are as follows:
1. Patch and update the OS
- Identify vulnerabilities
- Mitigate if necessary
- Patch servers in isolation
- Test patches before applying (depends upon availability of test environment)
2. Harden and configure the OS
- Disable and remove unnecessary services or applications
- Configure user authentication
- Configure resource controls
3. Install and configure additional security controls
- Host based firewalls to block unwanted open ports
- Host based intrusion detection (HIDS) system
- Patch management software
- File Integrity Check
4. Test the security of OS
Securing the Server Software
Basic steps to follow after planning installation and deployment of the Server Software are as follows:
1. Secure Installation
a. Install and patch the server software in a secure location
b. Clean the installation (remove anything you don’t need)
c. Harden and configure
d. Apply templates
e. Change ports or locations
2. Configuring Access Controls
a. Control access to:
- Application software and configuration files
- Security files
- Server logs
- System software and configuration files
- Application content and uploads
b. Run the server with limited privileges
- Not root or administrator
- Limit write permission
- No access to server temp files
3. Server Resource Constraints
a. Prevent DoS attacks by limiting resources
- Install content on a different drive
- Limit upload space and file size
- Store log files separately
- Limit processes
- Limit memory
- Limit connection time
b. User Access Restrictions
- Grant individual accounts and access
- Encrypt authentication
- Restrict access by IP address
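The "Configuring Access Controls" items above (limit write permission, control access to server logs and configuration files, run the server under a limited account) can be checked mechanically. The audit script below is an added example, not part of Torrid's templates; the directory arguments, the finding labels and the rule that the service account should not own its own configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree against the access-control checklist.
# The directories, service account and finding labels are assumptions.

# audit_access DIR KIND [SERVICE_USER]
#   KIND=config : configuration or application software tree
#   KIND=logs   : server log tree
audit_access() {
    dir=$1; kind=$2; svc=${3:-}

    # "Limit write permission": nothing may be writable by every local account.
    find "$dir" -xdev \( -type f -o -type d \) -perm -0002 |
        sed 's/^/WORLD-WRITABLE /'

    # "Server logs": logs can expose user and session details, so flag
    # any log file readable by accounts outside the owner and group.
    if [ "$kind" = logs ]; then
        find "$dir" -xdev -type f -perm -0004 | sed 's/^/WORLD-READABLE /'
    fi

    # "Run the server with limited privileges": if the service account owns
    # its configuration, a compromised service can rewrite it (assumed rule).
    if [ "$kind" = config ] && [ -n "$svc" ]; then
        find "$dir" -xdev -user "$svc" | sed 's/^/SERVICE-OWNED /'
    fi
}

# Number of findings, for use in a build gate or scheduled check.
count_findings() {
    audit_access "$@" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh DIR KIND [SERVICE_USER]
if [ "$#" -ge 2 ]; then
    audit_access "$@"
fi
```

A non-zero count from `count_findings` can fail the hardening test step until the listed paths are corrected.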
Test the Security
After successful installation and deployment, the security of the servers is tested by performing a further analysis of the servers.
- Identify the threats facing your organization’s information assets so that you can quantify your information risk and provide adequate information security expenditure.
- Reduce your organization’s IT security costs and provide a better return on IT security investment (ROSI) by identifying and resolving vulnerabilities and weak configurations. These may be known vulnerabilities in the underlying technologies or weaknesses in the design or implementation.
- Server Hardening is a complex process that involves many actions to mitigate the risk of being hacked.
The deliverables are as follows:
- Torrid’s IS-COE standard server hardening templates fully implemented on each server, customized as necessary.
- Comprehensive setting guide.
- Full knowledge transfer to client’s engineers.