Information Technology Security Office


Guidelines for securing servers


Windows
  • Turn off the Telnet, Terminal Services, and Universal Plug and Play Device Host services.
  • Disable the guest account.
  • Remove Guest, Everyone, and ANONYMOUS LOGON from the user rights assignments wherever possible.
  • Do not allow Everyone permissions to apply to anonymous users (the security option "Network access: Let Everyone permissions apply to anonymous users" should be disabled).
  • Evaluate the services running on your server and disable any that are not necessary.
  • Disable or delete unused users.
  • Configure User Rights to be as secure as possible. Use principle of least privilege.
  • Do not log in interactively as Administrator. Log in with an unprivileged account and use the "runas" command to start only the tools that need administrative rights.
  • Use a firewall or other methods to limit connections to the server.
  • Ensure all volumes are using the NTFS file system.
  • Install and enable anti-virus software.
  • Configure anti-virus software to update daily.
  • Install and enable anti-spyware software.
  • Configure anti-spyware software to update daily.
  • Configure a screen-saver to lock the console's screen automatically if the host is left unattended.
  • If the machine is not physically secured against unauthorized tampering, set a BIOS/firmware password to prevent alterations in system startup settings.

Unix/Linux
  • Use a firewall or other methods to limit connections to the server.
  • Install and enable anti-virus software.
  • Evaluate the services running on your server and disable any that are not necessary.
  • Enable and test integrity checking of system accounts, group memberships, and their associated privileges:
    • Check /etc/sudoers (and any files under /etc/sudoers.d) to see who has sudo rights.
    • Check /etc/group to see which groups your users belong to.
    • Check /etc/shadow (or /etc/passwd on systems without shadow passwords) for accounts with an empty password field; such accounts can be used with no password at all.
    • Check the strength of users' passwords with a tool such as John the Ripper.
    • Start with a small dictionary of common passwords so the easily guessed ones are found quickly.
    • Develop a procedure to report and remediate easily guessed passwords.
  • Disable any xinetd (or inetd) services you do not absolutely require.
  • Configure TCP wrappers for access control. Note that they only protect services that consult libwrap (for example, those started through tcpd); newer OpenSSH releases no longer link against it, so treat the host firewall as the primary control.
  • Edit /etc/hosts.deny so that its first uncommented line is: ALL:ALL
  • Edit /etc/hosts.allow to permit the administrator(s) to connect; hosts.allow is consulted before hosts.deny, so anything it grants is unaffected by the catch-all deny.
  • Unless the "r" commands (rsh, rlogin, rcp) are required, remove or empty /etc/hosts.equiv, which grants password-less access to the hosts and users listed in it.
  • If that functionality is required, replace the "r" commands with SSH rather than keeping them.
  • Review the startup scripts under /etc/rc*.d and /etc/init.d (or your system's equivalent, such as systemd unit files) and disable any that start services you do not need.
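As an added example that is not part of the original guidelines, the following POSIX shell script implements the account checks from the list above (blank password fields, sudo grants, group membership) and the TCP wrappers and hosts.equiv checks. Every function takes a file path, so it can be pointed at a host's real /etc; the sample tree it builds for a dry run is constructed here with invented accounts, hosts and addresses. The hosts.deny.bad file is a deliberately weak configuration (no catch-all ALL:ALL) placed beside the correct one so the check's failure case is visible.

```shell
#!/bin/sh
# Added example (not the page's own tooling): read-only helpers for the
# account and TCP-wrapper checks in the list above. Every function takes a
# file path, so it can be run against a host's real /etc files or against
# the constructed sample tree that make_sample_etc builds for a dry run.

# Print accounts whose password field is empty. In /etc/shadow (or in
# /etc/passwd on systems without shadow passwords) an empty second field
# means the account can be used without any password at all.
find_blank_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print every user (or %group) that is granted a rule in /etc/sudoers,
# skipping comments and Defaults lines.
list_sudoers() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*Defaults' \
        | awk 'NF >= 2 { print $1 }' | sort -u
}

# Print the supplementary groups in /etc/group that list the given user.
groups_of() {
    awk -F: -v u="$2" '{
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] == u) print $1
    }' "$1"
}

# Succeed only if the first uncommented, non-blank line of /etc/hosts.deny
# is ALL:ALL. tcpd tolerates whitespace around the colon, so this does too.
hosts_deny_defaults_closed() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    printf '%s\n' "$first" \
        | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}

# Succeed if /etc/hosts.equiv is absent or holds no trust entries; any
# uncommented host name there lets rsh/rlogin in without a password.
hosts_equiv_is_empty() {
    [ -e "$1" ] || return 0
    ! grep -v '^[[:space:]]*#' "$1" | grep -q '[^[:space:]]'
}

# Build a constructed sample /etc tree (invented accounts and hosts, not
# copied from any real system) in a temporary directory and print its path.
make_sample_etc() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\nbob:x:1001:1001::/home/bob:/bin/sh\n' \
        > "$d/passwd"
    # bob has an empty password field: the finding the check should raise
    printf 'root:$6$salt$hash:19000:0:99999:7:::\nalice:$6$salt$hash:19000:0:99999:7:::\nbob::19000:0:99999:7:::\n' \
        > "$d/shadow"
    printf 'root:x:0:\nwheel:x:10:alice\nusers:x:100:alice,bob\n' > "$d/group"
    printf '# who may use sudo\nDefaults env_reset\nroot ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\nbob ALL=(ALL) NOPASSWD: /usr/bin/apt-get\n' \
        > "$d/sudoers"
    printf '# deny everything not granted in hosts.allow\nALL:ALL\n' > "$d/hosts.deny"
    # Weak variant: blocks one network only, every other client is allowed by default
    printf 'sshd: 203.0.113.0/24\n' > "$d/hosts.deny.bad"
    printf 'sshd: 192.0.2.0/24\n' > "$d/hosts.allow"
    printf 'trusted-host alice\n' > "$d/hosts.equiv"
    printf '%s\n' "$d"
}

# Run the checks against an /etc directory and print a short report.
audit_etc() {
    etc=$1
    printf 'accounts with blank passwords: %s\n' "$(find_blank_passwords "$etc/shadow" | tr '\n' ' ')"
    printf 'sudo principals: %s\n' "$(list_sudoers "$etc/sudoers" | tr '\n' ' ')"
    for u in $(awk -F: '{ print $1 }' "$etc/passwd"); do
        printf 'groups of %s: %s\n' "$u" "$(groups_of "$etc/group" "$u" | tr '\n' ' ')"
    done
    if hosts_deny_defaults_closed "$etc/hosts.deny"; then
        echo 'hosts.deny: default deny (ALL:ALL) in place'
    else
        echo 'hosts.deny: WARNING, no leading ALL:ALL, services are open by default'
    fi
    if hosts_equiv_is_empty "$etc/hosts.equiv"; then
        echo 'hosts.equiv: empty'
    else
        echo 'hosts.equiv: WARNING, trust entries present; remove unless r-commands are required'
    fi
}

# Dry run against the constructed sample; point audit_etc at /etc for a real host.
sample=$(make_sample_etc)
audit_etc "$sample"
rm -rf "$sample"
```

To audit a live host, run `audit_etc /etc` as root (reading /etc/shadow needs it); the functions only read files and change nothing. The password strength step is left to John the Ripper, and sudoers.d fragments can be checked by calling list_sudoers on each file.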

Other links to help secure your server:

Center for Internet Security
Ask Leo
Optimize XP Services
Basic Security Practices for Web Applications
Best Practices for Securability
Security Configuration Wizard for Windows Server 2003