The NIST SP 800-123 Guide to General Server Security contains NIST's recommendations on how to secure your servers. It offers general advice and guidelines on how you should approach this task. Regulations and frameworks such as HIPAA, HITRUST, CMMC, and many others draw on those recommendations, requiring organizations to implement and comply with them.
This article presents parts of the NIST SP 800-123 Guide to General Server Security, focusing on:
Basic Steps in Initiating a New Server:
Plan the installation and deployment of the operating system (OS) and other components for the server:
* Categorize the server's role: what information it will store, what services it will provide, etc.
* Identify the network services that will be provided on the server: HTTP, FTP, SMTP, NFS, etc.
* Identify any network service software, both client and server, to be installed on the server and on any support servers.
* Identify the users or categories of users of the server and of any support hosts.
* Determine the privileges each group of users will have on the server and on the support hosts.
* Determine whether the server will be managed locally, remotely from internal networks, or remotely from external networks.
* Decide how users will be authenticated and how the authentication data will be protected.
* Determine which server application meets your requirements. In some cases, prefer the more secure option even at the cost of less functionality.
* Choose an OS that will allow you to:
1. Granularly restrict administrative or root level activities to authorized users only.
2. Granularly control access to data on the server.
3. Control the OS's configuration and disable unnecessary services that may be built into the software.
4. Log server activities to support intrusion detection.
5. Use a host-based firewall capability to restrict incoming and outgoing traffic.
6. Support strong authentication protocols and encryption algorithms.
Hardening and Securely Configuring the OS:
Many security issues can be avoided if the server's underlying OS is configured appropriately. Each organization needs to configure its servers according to its own security requirements, and the techniques for securing different OSs vary greatly. NIST therefore publishes generic procedures that apply to most OSs. After planning and installing the OS, NIST lists three areas that must be addressed when configuring the server OS:
Remove or disable unnecessary services, applications, and network protocols:
The ideal state is to install a minimal OS configuration and then add, remove, or disable services, applications, and network protocols as needed. Removing unnecessary components is better than just disabling them: a component that is only disabled can be re-enabled by an attacker who gains the right level of access, and human error or configuration drift can turn it back on, exposing the organization to unnecessary vulnerabilities.
Removing or disabling unnecessary services will improve your server security in several ways:
* Each service running on the host is additional attack surface that an attacker can use to gain access to and compromise the server. When it comes to functionality versus security, less is more.
* Removing services may even improve the server's availability, since defective or incompatible services can no longer disrupt it.
* Fewer services means fewer logs and log entries, so suspicious behavior is easier to spot.
Consider the required state of the following services and applications:
* File and printer sharing services, such as NetBIOS file and printer sharing, NFS, and FTP.
* Wireless networking services.
* Remote control and remote access programs, especially those that do not encrypt their communication, such as Telnet.
* Directory services, such as LDAP and NIS.
* Web servers and services.
* Email services, such as SMTP.
* Language compilers and libraries.
* System development tools.
* System and network management tools and utilities, such as SNMP.
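As an added example (not from NIST SP 800-123 and not a vendor tool), the following Python script checks a server's listening sockets against an explicit allowlist of (protocol, port) pairs, which is the practical check behind this step: anything listening that is not on the list is a candidate for removal, and anything that should only serve local processes must be bound to loopback. It parses the output format of `ss -tulpnH` (iproute2, Linux); the socket table embedded below is a constructed sample, and the allowlist describes one hypothetical web server.

```python
"""Check listening services against an explicit allowlist.

Added example, not from NIST SP 800-123. The socket table is a constructed
sample in the format of `ss -tulpnH`; the allowlist is an assumption for
a hypothetical web server that also runs a local mail relay and database.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tulpnH` output (listening TCP/UDP sockets with process names).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*    users:(("master",pid=901,fd=13))
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*    users:(("in.telnetd",pid=1337,fd=4))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=1200,fd=7))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=700,fd=5))
tcp   LISTEN 0      128          0.0.0.0:3306      0.0.0.0:*    users:(("mysqld",pid=1500,fd=20))
"""

# Allowlist (assumption): (protocol, port) -> "any" (may listen on all interfaces) or "loopback".
ALLOWED = {
    ("tcp", 22): "any",         # SSH for remote administration
    ("tcp", 80): "any",         # the web service this server exists for
    ("tcp", 25): "loopback",    # local mail submission only, no inbound SMTP
    ("udp", 323): "loopback",   # chrony command socket
    ("tcp", 3306): "loopback",  # database for the local application only
}

# proto  state  recv-q  send-q  local-addr:port  peer-addr:port  process
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    bind: str
    process: str
    reason: str


def is_loopback(addr: str) -> bool:
    return addr in ("127.0.0.1", "[::1]", "::1") or addr.startswith("127.")


def parse_ss(text: str) -> list[tuple[str, int, str, str]]:
    """Return (proto, port, bind address, process name) for each socket line."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, users = m.groups()
        bind, _, port = local.rpartition(":")   # rpartition keeps IPv6 brackets intact
        pm = PROC_RE.search(users)
        sockets.append((proto, int(port), bind, pm.group(1) if pm else "?"))
    return sockets


def audit(text: str, allowed: dict = ALLOWED) -> list[Finding]:
    """Flag sockets that are not allowlisted or that bind wider than the allowlist permits."""
    findings = []
    for proto, port, bind, proc in parse_ss(text):
        rule = allowed.get((proto, port))
        if rule is None:
            findings.append(Finding(proto, port, bind, proc, "not in allowlist: remove or disable the service"))
        elif rule == "loopback" and not is_loopback(bind):
            findings.append(Finding(proto, port, bind, proc, "must bind to loopback only"))
    return findings


def audit_live() -> list[Finding]:
    """Run the same check against the live host (requires iproute2's `ss`)."""
    out = subprocess.run(["ss", "-tulpnH"], capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"{f.proto}/{f.port} {f.bind} ({f.process}): {f.reason}")
```

On the sample this reports Telnet (tcp/23) and SNMP (udp/161) as not allowlisted and MySQL (tcp/3306) as bound to all interfaces when it should only accept local connections. Run `audit_live()` from a scheduled job and treat any finding as configuration drift to be removed, not merely disabled.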
Configure OS and User Authentication:
Users who can access the server may range from a few authorized employees to the entire Internet community. To control access to the server, the server administrator should configure the OS to authenticate users, requiring proof that a user is authorized for the access they request. Enforcing authentication involves configuring parts of the OS, firmware, and applications on the server.
To ensure the appropriate user authentication is in place, take the following steps:
* Remove or Disable Unneeded Default Accounts: a default OS configuration can include guest accounts and administrator- or root-level accounts. On machines containing sensitive information, disable the guest accounts. Allow access only to those accounts associated with local and network services that genuinely need it. Accounts that remain should be protected by renaming them (don't leave the default 'Administrator' name) and by applying the organization's password policy.
* Disable Non-Interactive Accounts: disable accounts (and the associated passwords) that need to exist but do not require an interactive login.
* Create the User Groups: assigning each individual account its required rights becomes unmanageable once the number of users grows. Instead, assign users to groups and grant the required rights to the group.
* Create the User Accounts: create only the accounts that are necessary, and permit shared accounts only when there is no better option. Server administrators who are also ordinary users of the server should have a separate, ordinary user account for that use.
* Configure Automated Time Synchronization: clock drift between a client host and the authenticating server can cause several authentication protocols, such as Kerberos, to stop working (Kerberos rejects tickets whose timestamps differ from the server's clock by more than a configured skew, five minutes by default). To prevent this, configure the server to synchronize its system time automatically with a reliable time server. Typically, the time server is internal to the organization and uses the Network Time Protocol (NTP).
* Check the Organization's Password Policy: the organization's password policy should specify the minimum password length; the mix of characters required (complexity); how often passwords must be changed (aging); whether users can reuse a password; who is allowed to change or reset a password, and what proof is required before a change; and how passwords are stored. Passwords must not be stored unencrypted on the server. In addition, administrators should use a different password for their administrative account on the server than for any other accounts they hold.
* Configure Computers to Prevent Password Guessing: automated password-guessing tools let an unauthorized user try a large number of passwords and gain access relatively easily. There are two ways to cope with these tools. The first is to configure the OS to lengthen the period between login attempts each time a login fails. If that method is not available, the second option is to deny login after a limited number of failed attempts: after that many failures the account is locked for a period of time, or until a user with appropriate authority reactivates it. Note that this second option may stop some attacks but can also create a Denial of Service condition, since an attacker can deliberately fail logins to lock a legitimate user out. The DoS risk is greater if the server is externally accessible and the attacker knows or can guess the account name.
In any case, all failed login attempts, whether via the network or the console, should be logged. If the server does not need to be administered remotely, disable network login for administrator or root-level accounts.
* Install and Configure Other Security Mechanisms to Strengthen Authentication: servers containing sensitive information should strengthen authentication using biometrics, smart cards, client/server certificates, or one-time password systems.
Organizations should use current authentication and encryption technologies such as SSL/TLS, SSH, or virtual private networks (using IPsec or SSL/TLS) to protect passwords in transit over untrusted networks. These methods reduce the likelihood of man-in-the-middle and spoofing attacks.
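The two anti-guessing options above (progressive delay versus lockout after N failures) and the lockout denial-of-service trade-off are easiest to see side by side. The following Python code is an added example, not from NIST SP 800-123: it implements both policies in one small login guard, logs every failed attempt as the guide requires, stores only salted password hashes, and replays a constructed scenario in which an attacker guesses at a user's account and then the real user logs in. The account name, addresses, thresholds and timestamps are assumptions chosen for the demonstration; the delay policy is keyed per (account, source address), which is a design choice of this example.

```python
"""Progressive delay versus account lockout for failed logins.

Added example, not from NIST SP 800-123. Thresholds, the user database and the
timestamps in the scenario are assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import logging
import os
from collections import defaultdict
from enum import Enum

logging.basicConfig(level=logging.WARNING, format="%(asctime)s auth %(message)s")
log = logging.getLogger("auth")


class Policy(Enum):
    DELAY = "progressive delay"        # first option: lengthen the wait after each failure
    LOCKOUT = "lock after N failures"  # second option: refuse all logins for a while


def hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted, slow hash is stored; passwords are never kept in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: account -> (salt, hash). "alice" is a hypothetical account.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}
_DUMMY = (b"\0" * 16, hash_password("dummy", b"\0" * 16))  # hashed even for unknown users


class LoginGuard:
    WINDOW = 600          # seconds during which failures are counted
    MAX_FAILURES = 5      # lockout threshold (LOCKOUT policy)
    LOCKOUT_SECONDS = 900
    MAX_DELAY = 64        # cap on the progressive delay in seconds (DELAY policy)

    def __init__(self, policy: Policy):
        self.policy = policy
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # account -> time at which the lock expires

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.WINDOW]
        return self.failures[key]

    @staticmethod
    def _verify(account, password):
        salt, expected = USERS.get(account, _DUMMY)
        return hmac.compare_digest(hash_password(password, salt), expected) and account in USERS

    def attempt(self, account, password, source, now):
        """Return OK, BAD_PASSWORD, THROTTLED or LOCKED. `now` is seconds (time.time() in production)."""
        if self.policy is Policy.LOCKOUT:
            key = account  # lockout is per account, whoever is doing the guessing
            if self.locked_until.get(account, 0) > now:
                log.warning("failed login account=%s source=%s reason=locked", account, source)
                return "LOCKED"
        else:
            key = (account, source)  # assumption: delay is tracked per account and source
            recent = self._recent(key, now)
            if recent:
                wait = min(2 ** (len(recent) - 1), self.MAX_DELAY)
                if now - recent[-1] < wait:
                    log.warning("failed login account=%s source=%s reason=throttled wait=%ss",
                                account, source, wait)
                    return "THROTTLED"

        if self._verify(account, password):
            self.failures.pop(key, None)
            return "OK"

        # Every failed attempt is logged, whichever policy is in force.
        log.warning("failed login account=%s source=%s reason=bad password", account, source)
        recent = self._recent(key, now)
        recent.append(now)
        if self.policy is Policy.LOCKOUT and len(recent) >= self.MAX_FAILURES:
            self.locked_until[account] = now + self.LOCKOUT_SECONDS
            log.warning("account=%s locked for %ss", account, self.LOCKOUT_SECONDS)
        return "BAD_PASSWORD"


def run_scenario(policy: Policy) -> list[str]:
    """Constructed scenario: an attacker guesses alice's password six times from
    203.0.113.5 (10 s apart), then alice logs in correctly from her own host."""
    guard = LoginGuard(policy)
    results = [guard.attempt("alice", f"guess{i}", "203.0.113.5", now=10 * i) for i in range(6)]
    results.append(guard.attempt("alice", "correct horse battery staple", "10.0.0.7", now=60))
    return results


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, "->", run_scenario(policy))
```

Under the lockout policy the attacker's fifth wrong guess locks the account, so alice's own correct login is refused: that is the DoS the guide warns about, and it needs nothing more than her account name. Under the progressive-delay policy the attacker is throttled while alice, arriving from a different source, logs in normally; the cost is that an attacker with many source addresses is only slowed, not stopped, which is why the guide pairs either option with logging every failure.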
Configure Resource Control Appropriately:
You can specify access privileges for files, directories, devices, and other computational resources. Here are some examples of how a server administrator can reduce the risk of a breach:
* Denying read access to files and directories helps to protect the confidentiality of information.
* Denying write (modify) access can help protect the integrity of information.
* Limiting the execution of system-related tools to authorized system administrators prevents unauthorized configuration changes. It also restricts an attacker's ability to use those tools against the server or other hosts on the network.
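To turn the three goals above into a check that can run on a schedule, here is an added Python example (not from NIST SP 800-123). It audits a directory tree for the three conditions just listed, world-writable files (integrity), group- or world-readable files with secret-looking names (confidentiality), and administrative tools executable by everyone, and then remediates each finding by clearing the offending permission bits. It builds a constructed sample tree in a temporary directory so it runs anywhere; the paths, the list of sensitive name fragments and the admin-tool directory are assumptions.

```python
"""Audit and fix file permissions for the three resource-control goals.

Added example, not from NIST SP 800-123. The sample tree, the sensitive-name
fragments and the admin-tool directory are assumptions for the demonstration.
"""
import shutil
import stat
import tempfile
from pathlib import Path

SENSITIVE = ("secret", "key", "password")  # name fragments treated as confidential
ADMIN_TOOL_DIRS = ("usr/local/sbin",)      # tools only administrators should run


def build_sample_tree() -> Path:
    """Create a constructed tree under a temp dir; relative paths are hypothetical."""
    root = Path(tempfile.mkdtemp(prefix="hardening-demo-"))
    files = {
        "etc/app/secrets.conf": (0o644, "db_password=constructed\n"),  # secret readable by all
        "etc/app/app.conf": (0o644, "port=8080\n"),
        "var/www/index.html": (0o666, "<h1>hi</h1>\n"),               # world-writable content
        "usr/local/sbin/rotate-logs": (0o755, "#!/bin/sh\necho rotate\n"),  # admin tool for all
        "usr/local/sbin/backup": (0o750, "#!/bin/sh\necho backup\n"),
    }
    for rel, (mode, body) in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        path.chmod(mode)
    return root


def audit(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, issue) for every file violating one of the three rules."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable: integrity"))
        if any(w in path.name.lower() for w in SENSITIVE) and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, "readable by group/other: confidentiality"))
        if rel.startswith(ADMIN_TOOL_DIRS) and mode & stat.S_IXOTH:
            findings.append((rel, "executable by others: admin tool"))
    return findings


def remediate(root: Path, findings: list[tuple[str, str]]) -> None:
    """Clear only the bits behind each finding; ownership is left untouched."""
    for rel, issue in findings:
        path = root / rel
        mode = stat.S_IMODE(path.stat().st_mode)
        if issue.startswith("world-writable"):
            mode &= ~stat.S_IWOTH
        elif issue.startswith("readable"):
            mode &= ~(stat.S_IRGRP | stat.S_IROTH)
        elif issue.startswith("executable"):
            mode &= ~(stat.S_IXOTH | stat.S_IROTH)  # others may neither run nor copy the tool
        path.chmod(mode)


def demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Audit the constructed tree, fix it, audit again; returns (before, after)."""
    root = build_sample_tree()
    try:
        before = audit(root)
        remediate(root, before)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, issue in before:
        print(f"{rel}: {issue}")
    print("remaining after remediation:", after)
```

On the sample tree the audit reports the readable secrets file, the executable-by-all admin tool and the world-writable web page, and a second audit after remediation is clean. On a real server, run `audit()` against `/` regularly and diff the result against the last run: new findings are configuration drift to investigate, not just to fix.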
These are the most basic issues one should consider in order to protect a server. The practical part of each step involves hundreds of specific actions affecting each object in the server OS. Building the right policy and then enforcing it is a demanding and complex task that requires real investment of money, time, and expertise. Furthermore, it is an endless process, as the infrastructure and the security recommendations constantly change. Automating server hardening is mandatory to really achieve a secure baseline. CHS by CalCom is the perfect solution for this painful issue. CHS will transform your hardening project to be effortless while ensuring that your servers remain constantly hardened despite the dynamic nature of the infrastructure.