Servers take many forms today. Virtually all network-connected devices can publish some network service for consumption by clients; even smartphones fall into this category. For the purposes of this guidance, we limit ourselves to physical and virtual computers and appliances that are not designed for single-user access. This includes computers attached to or embedded within other devices, to the extent that their configuration can be adjusted.
A security program is built around five steps: identify, protect, detect, respond, and recover.
You can’t secure what you can’t identify. Identification starts with inventory. The Office of the CIO has established a standard template to account for assets. These will eventually be rolled up to get a campus-wide picture of investments in hardware and virtual systems. The same inventory should be used for virtual servers: in place of a hardware model, record the hypervisor (VMware or another) that hosts the guest. Server environments deployed in cloud providers like AWS, Azure, and GCP should be cataloged as well. You can find the template in Microsoft Excel format here:
Identification doesn’t stop with basic inventory, however. Departments should keep a record of information about each server that includes the following points:
- Administration contacts
- Purpose of server
- Operational dependencies on or from other servers/services
- Details of software installed, including
  - Operating system and version
  - Web server or other middleware
- Network configuration
- Security configuration including access management
- Backup procedures
- Change log
- Patching history
- Decommissioning plans
Maintenance of this information need not be onerous. It can be kept in a notebook, an Excel spreadsheet, or a text document. It must be available to anyone with a need to interact with the server for some administrative function; because it records security configuration and access details, it should not be readable by anyone else. Additional information about inventories can be found at https://security.ucsb.edu/faculty-staff/inventories
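As an added illustration (not part of the UCSB guidance or its template), the following script checks a set of server records against the list above: it reports records with empty fields, hosts whose most recent patch date is older than a window, and hosts with fewer than two administrative contacts. The field names, the 90-day window, and the two sample records are assumptions made for the example.

```python
"""Added example (not part of the UCSB guidance): a completeness and
staleness check over departmental server records.

Records are plain dicts so they can be loaded from a spreadsheet export
or a text file. The sample records are constructed; the field names and
the 90-day patch window are assumptions, not campus requirements.
"""
from datetime import date, timedelta

# Fields every record must carry, following the list in the guidance.
REQUIRED_FIELDS = (
    "hostname", "admin_contacts", "purpose", "dependencies", "os",
    "middleware", "network", "security_config", "backup_procedure",
    "change_log", "patching_history", "decommissioning_plan",
)

# Assumed threshold: flag hosts not patched within this window.
MAX_PATCH_AGE = timedelta(days=90)


def audit_record(rec, today):
    """Return a list of (hostname, finding) tuples for one record."""
    host = rec.get("hostname", "<unnamed>")
    findings = []
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        # None or an empty string counts as missing; an empty list is a
        # legitimate value (a host may have no dependencies).
        if value is None or value == "":
            findings.append((host, f"missing field: {field}"))
    # Patching history is a list of ISO dates; the newest one decides.
    history = rec.get("patching_history") or []
    if history:
        last = max(date.fromisoformat(d) for d in history)
        if today - last > MAX_PATCH_AGE:
            findings.append((host, f"last patched {last.isoformat()}, "
                                   f"older than {MAX_PATCH_AGE.days} days"))
    # Two named contacts, so one departure does not orphan the host.
    if len(rec.get("admin_contacts") or []) < 2:
        findings.append((host, "fewer than two administrative contacts"))
    return findings


def audit_inventory(records, today=None):
    """Audit every record; returns all findings sorted by host.

    `today` may be a date or an ISO string; it defaults to the current day.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for rec in records:
        findings.extend(audit_record(rec, today))
    return sorted(findings)


# Constructed sample inventory (example.edu hosts, not real UCSB systems).
SAMPLE_INVENTORY = [
    {
        "hostname": "web-01.example.edu",
        "admin_contacts": ["alice@example.edu", "bob@example.edu"],
        "purpose": "departmental web site",
        "dependencies": ["db-01.example.edu"],
        "os": "Ubuntu 22.04",
        "middleware": "Apache httpd 2.4",
        "network": "10.0.1.10/24, port 443",
        "security_config": "sudo group only; key-based SSH",
        "backup_procedure": "nightly snapshot, off-site copy weekly",
        "change_log": "/srv/admin/changelog.txt",
        "patching_history": ["2024-01-15", "2024-03-02"],
        "decommissioning_plan": "retire after migration to cloud, 2025",
    },
    {
        "hostname": "db-01.example.edu",
        "admin_contacts": ["alice@example.edu"],   # one contact: flagged
        "purpose": "PostgreSQL for web-01",
        "dependencies": [],
        "os": "Rocky Linux 9",
        "middleware": "PostgreSQL 15",
        "network": "10.0.1.20/24, port 5432 from web-01 only",
        "security_config": "",                     # empty: flagged
        "backup_procedure": "pg_dump nightly to NAS",
        "change_log": "/srv/admin/changelog.txt",
        "patching_history": ["2023-10-01"],        # stale: flagged
        "decommissioning_plan": "",                # empty: flagged
    },
]

if __name__ == "__main__":
    for host, finding in audit_inventory(SAMPLE_INVENTORY, "2024-04-01"):
        print(f"{host}: {finding}")
```

Run against a real export, the script gives a department a short to-do list rather than a spreadsheet to eyeball; the check is deliberately strict about empty strings because "we'll fill that in later" is how decommissioning plans and backup procedures go missing.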
Protection starts with system build. At the University of California, BFB IS-3 is the overarching policy applicable to information technology of all kinds, whether for research, academia, or administration. The Minimum Security Standard is referenced by IS-3 as the minimum set of controls that must be in place for all servers and other types of computing devices. Departments must build and maintain their servers according to the Minimum Security Standard, which can be found here:
Servers must be physically and logically secure. Hardware devices should be in properly secured rooms or data centers with adequate power and cooling. Logical (virtual) servers must be properly secured as well. Administrative credentials should be tightly controlled, and access to virtual servers and to the host configuration of guest servers must be limited to knowledgeable staff. A mistake in administering a host, whether physical or in the cloud, affects every guest system on it, which is where the work actually gets done.
Remember that servers should run anti-malware solutions. They are not just for PCs anymore. Even Linux servers that interact with PCs should run anti-malware, so that a file or web server does not become a distribution point for malware that does not run on the server itself but does run on the clients it serves. Department IT staff have access to Sophos licenses that run on Windows and Linux.
The key to secure server administration is reducing the attack surface by turning off unused services. A server should not respond on any port that is not hosting an intended service. If you aren’t using file or printer sharing, turn it off. If you’re not using SNMP, turn it off. If you’re not hosting a web site, turn the web server off. Don’t let your server be profiled by displaying a generic Apache or IIS welcome page; it announces the product, and often the version, to anyone who connects.
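The check that makes this concrete is to list what the server is actually listening on and compare it with what it is supposed to serve. The script below, added here as an example and not part of the UCSB guidance, parses the output of `ss -Hltun` on a Linux host, ignores sockets bound only to loopback, and reports every network-reachable listener that is not on a per-host allowlist. The sample `ss` output and the allowlist (a web server that should expose only SSH and HTTPS) are constructed for the example.

```python
"""Added example (not from the UCSB guidance): compare what a Linux server
is actually listening on with the short list of services it is meant to
provide, so that anything extra can be turned off.

Input is the output of `ss -Hltun` (no header; listening TCP and UDP
sockets; numeric addresses). The sample below is constructed, and the
allowlist is a hypothetical policy for a web server.
"""
import subprocess

# Hypothetical policy for this host: (protocol, port) pairs it may serve.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Constructed `ss -Hltunp` output for illustration (not a real capture).
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*    users:(("snmpd",pid=812,fd=7))
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*    users:(("chronyd",pid=640,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511                *:443              *:*    users:(("apache2",pid=1204,fd=4))
tcp   LISTEN 0      511                *:80               *:*    users:(("apache2",pid=1204,fd=3))
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*    users:(("smbd",pid=1330,fd=40))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=901,fd=4))
"""


def parse_listeners(ss_output):
    """Return (proto, port, bound_address, process) for each ss line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue            # blank or truncated line
        proto, local = fields[0], fields[4]
        # Local address is host:port; IPv6 looks like [::]:22, so split
        # on the last colon only.
        addr, _, port = local.rpartition(":")
        # The process column needs root (ss -p) and may be absent.
        process = fields[6] if len(fields) > 6 else ""
        listeners.append((proto, int(port), addr, process))
    return listeners


def is_loopback(addr):
    """Sockets bound only to loopback are not reachable from the network."""
    return addr == "[::1]" or addr.startswith("127.")


def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Network-reachable listeners not on the allowlist, as a sorted list
    of (proto, port, process); the IPv4/IPv6 pair for one service is
    reported once."""
    found = set()
    for proto, port, addr, process in parse_listeners(ss_output):
        if is_loopback(addr):
            continue
        if (proto, port) not in allowed:
            found.add((proto, port, process))
    return sorted(found)


def live_check(allowed=ALLOWED):
    """Run ss on this host (Linux, run as root for process names)."""
    out = subprocess.run(["ss", "-Hltunp"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_listeners(out, allowed)


if __name__ == "__main__":
    for proto, port, process in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"close or disable {proto}/{port} {process}")
```

On the constructed sample the report names port 80 (redirect-only HTTP that was never switched off), SMB on 445, and SNMP on 161, while chronyd's loopback socket is correctly ignored. Turning a service off at the host (systemctl disable, or uninstalling the package) is preferable to merely filtering it, since a firewall rule can be removed later without anyone noticing. For the welcome-page point, Apache's `ServerTokens Prod` and `ServerSignature Off` directives suppress the version string, and the default index page should simply be removed.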
Protection ends only when the server is decommissioned. For hardware, this also means safe disposal. Securely wipe or destroy storage media. Information about secure destruction of hard drives is at http://www.ets.ucsb.edu/services/hard-drive-destruction-service.
Bad things happen to good servers. Audit logs provide a way to determine what happened and when. In the event of a security incident, examination of logs is a key task to determine whether information was compromised, whether by access, removal, or tampering. Logs should be configured according to the logging standard, and a copy should be forwarded to a separate log host so that an intruder with administrative access cannot erase the record. For servers hosting sensitive information, logs should be examined periodically, either manually or using automated tools.
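What an automated examination looks like in practice, as an added example that is not part of the UCSB guidance: the script below reads sshd records in syslog format and flags three things a reviewer would want to see, a burst of failed logins from one source, a successful login from a source that had just failed repeatedly, and any password (rather than key) login as root. The log lines are constructed, and the thresholds (five failures in ten minutes) and the assumed log year are choices made for the example.

```python
"""Added example (not part of the UCSB guidance): a small automated log
review over Linux sshd authentication records, the periodic check the
guidance asks for on servers that hold sensitive data.

The log lines are constructed to resemble syslog output from sshd; the
thresholds and the year assumed for parsing are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not a real log). Traditional syslog omits the year.
SAMPLE_AUTH_LOG = """\
Mar 14 02:10:01 web-01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 14 02:10:04 web-01 sshd[2212]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar 14 02:10:09 web-01 sshd[2214]: Failed password for root from 203.0.113.45 port 51141 ssh2
Mar 14 02:10:15 web-01 sshd[2216]: Failed password for root from 203.0.113.45 port 51150 ssh2
Mar 14 02:10:21 web-01 sshd[2218]: Failed password for root from 203.0.113.45 port 51162 ssh2
Mar 14 02:11:02 web-01 sshd[2220]: Accepted password for root from 203.0.113.45 port 51170 ssh2
Mar 14 08:30:11 web-01 sshd[3101]: Accepted publickey for alice from 10.0.1.5 port 40002 ssh2
Mar 14 09:02:47 web-01 sshd[3150]: Failed password for alice from 10.0.1.5 port 40010 ssh2
Mar 14 09:02:55 web-01 sshd[3152]: Accepted password for alice from 10.0.1.5 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5      # assumed: failures per source before it is flagged
WINDOW_SECONDS = 600    # assumed: ten-minute sliding window
LOG_YEAR = 2024         # assumed: syslog lines carry no year


def parse_auth_log(text, year=LOG_YEAR):
    """Yield one dict per sshd authentication record, in file order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # not an sshd authentication record
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "result": m["result"], "method": m["method"],
               "user": m["user"], "ip": m["ip"]}


def review_auth_log(text):
    """Return a sorted list of (source_ip, finding) pairs for a human."""
    findings = set()
    failures = defaultdict(list)      # source ip -> timestamps of failures
    for ev in parse_auth_log(text):
        window = failures[ev["ip"]]
        # Keep only failures inside the sliding window ending at this event.
        window[:] = [t for t in window
                     if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD:
                findings.add((ev["ip"], f"{len(window)} failed logins within "
                                        f"{WINDOW_SECONDS // 60} minutes"))
        else:
            # A success right after a burst of failures is the case that
            # matters most: the guessing may have worked.
            if len(window) >= FAIL_THRESHOLD:
                findings.add((ev["ip"], f"successful login as {ev['user']} "
                                        f"after {len(window)} failures"))
            if ev["user"] == "root" and ev["method"] == "password":
                findings.add((ev["ip"], "root logged in with a password"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, finding in review_auth_log(SAMPLE_AUTH_LOG):
        print(f"{ip}: {finding}")
```

The sliding window matters: a source that fails five times over a month is noise, while five failures in twenty seconds followed by an "Accepted" is an incident. Alice's single typo followed by a successful login produces nothing, which is the behaviour a reviewer needs if the report is to be read rather than ignored.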
Respond and Recover
Good backup plans are essential. Increasingly, use cases demand always-on availability, which leads to data replication and automatic failover. RAID storage systems can prevent loss from a single drive failure. Neither is a substitute for backups, however: replication and RAID faithfully reproduce an accidental deletion or a ransomware encryption on every copy, so in many cases point-in-time backups are still required. Regardless of the backup strategy chosen, it must be tested. Verify that tapes, replicated files, or databases are accessible and have correct information by actually restoring them, not just by checking that the job reported success. Ensure that backups meet disaster recovery requirements, including off-site replication or storage.
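The test the paragraph asks for, as an added example that is not part of the UCSB guidance: back up a directory to a compressed archive together with a SHA-256 manifest, restore the archive into a scratch directory, and compare every restored file with the manifest. The same function also shows what a failed test looks like when the archive has been truncated, as a bad tape or a half-copied file would be. The sample files and all paths are constructed in a temporary directory, so the script touches no real data.

```python
"""Added example (not part of the UCSB guidance): a restore test for a file
backup. It writes an archive plus a SHA-256 manifest, restores the archive
to a fresh directory and checks every file against the manifest, which is
the "accessible and correct" verification the guidance calls for.

Sample files and paths are constructed in a temporary directory.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large dumps are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir; return {relative_path: sha256} for every file."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore the archive and compare it with the manifest.

    Returns a sorted list of problems; an empty list means every file
    came back and matched its recorded hash.
    """
    try:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # The 'data' filter refuses absolute paths and '..' members,
                # so a tampered archive cannot write outside restore_dir.
                tar.extractall(restore_dir, filter="data")
            else:                       # older Python without extraction filters
                tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return [f"archive unreadable: {exc.__class__.__name__}"]
    restore_dir = Path(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_of(restored) != digest:
            problems.append(f"content mismatch: {rel}")
    return sorted(problems)


def restore_test_demo(corrupt=False):
    """Build a constructed sample, back it up and restore it; with
    corrupt=True the archive is truncated first to show a failing test."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "srv"
        (src / "www").mkdir(parents=True)
        (src / "www" / "index.html").write_text("<h1>dept site</h1>\n")
        (src / "db.dump").write_bytes(os.urandom(4096))   # constructed data
        archive = work / "srv-backup.tar.gz"
        manifest = make_backup(src, archive)
        if corrupt:
            with open(archive, "r+b") as f:
                f.truncate(100)         # simulate a bad tape / partial copy
        return verify_restore(archive, manifest, work / "restore")


if __name__ == "__main__":
    print("good backup:", restore_test_demo() or "restored and verified")
    print("truncated backup:", restore_test_demo(corrupt=True))
```

The manifest should be stored separately from the archive (with the inventory record for the server is a reasonable place), because a manifest that travels inside a damaged or tampered backup proves nothing. The same pattern applies to database dumps: restore into a scratch instance and run a known query rather than trusting the size of the dump file.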