ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Your servers are your business. That is a fact in the 21st century. And your servers can make or break your business. Well maintained servers can drive your business forward and bring in revenue. Poorly managed servers can mean lost business, data, or customer information, and that can be crippling if not outright fatal to a company.
Because of the critical role they play, confidential organizational data and information stored on your servers is extremely valuable. There is a popular saying, “data is the new oil.” Or gold, take your pick.
If you’re not sure how to secure your servers, or if you’re not sure you have covered all the bases, this article will offer some of the security tips that you can use to secure your servers.
12 Tips for Server Security
Keep the Software and OS Updated
In server security, keeping on top of software and operating system-related security fixes is essential. System hacks and compromises frequently occur due to unpatched software. Usually software vendors push out notifications to customers of updates, and you should not delay. Server software is extensively tested before release, although you might want to test for compatibility issues with your own environment. Patch management tools can help, as can vulnerability scanning tools and others that look for security weaknesses.
Automate and Use AI Whenever Possible
To err is human and the majority of major server outages have been caused by human mistakes. And people are overloaded and may miss things. To perform function one, allow for automation wherever possible. Most systems support the automatic downloading and installation of patches, for instance, and there is a growing list of AI products to monitor, protect, and upgrade your system.
Use Virtual Private Networks
Private networks are based on Internet Protocol address space. A VPN is said to be private because no Internet Protocol packets addressed are transmitted via a public network.
A VPN will allow you to create a connection between different computer devices located in different places. It lets you carry out operations on your servers in a secure manner.
You can exchange information with other servers on the same account without compromises from outside. To ensure that your server is safe, you should set up a Virtual Private Network.
Consider Zero Trust Networks
One of the weaknesses of firewalls and VPNs is that they don’t prevent internal movement. Once a hacker has breached your walls, they pretty much have free movement throughout the network. That’s where Zero Trust Networks come in. As their name implies, Zero Trust Networks don’t allow a user or device to be trusted to access anything until proven otherwise. This is known as a “least privilege” approach, which requires rigorous access controls to everything.
Encrypt Everything
No data should move around your servers unencrypted. Secure Socket Layer certificates are security protocols that guard the communication between two systems over the Internet. Well, the same holds true for your internal systems. With SSL certificates, only the intended recipient will have the key to decrypt the information.
When connecting to a remote server, use the SSH (Secure Shell) to encrypt all data transmitted in the exchange. Use SSH Keys to authenticate an SSH server using a pair instead of the more easily broken password, using RSA 2048-bit encryption.
To transfer files between servers, use the File Transfer Protocol Secure (FTPS). It encrypts data files and your authentication information.
Finally, require connections from outside the firewall to use a virtual private network (VPN). VPNs use their own private networks with a private IP to establish isolated communication channels between servers.
Don’t Just Use Standard Firewalls
Firewalls are a must-have to ensure that your servers are safe but there are more firewalls than just on-premises firewalls. There are also managed security service providers (MSSPs) who provide a managed firewall service for your network. Depending on the extent of the service agreement, the MSSP may perform firewall installation, application control and web content filtering, as they assist in determining which applications and web content (URLS) to block. They will also help manage patching and updates. There are literally 100 MSSPs to choose from.
Change Defaults
The default account in most systems is the root account, which is what hackers target. So get rid of it. Ditto for an account named admin. Don’t use obvious account names on your network.
You can increase server security by reducing the so-called attack vector, which is the process of running the bare minimum services needed to operate. The server versions of Windows and Linux come with a myriad of services, which you should turn off if they are not needed.
Wi-Fi access ports default to broadcasting their identity, so if you are in range, your endpoint device will see it. Go into the access port and turn off broadcasting, so anyone who wants to use it will have to know the access point’s actual name. And don’t use the default name from the manufacturer.
Create Multi-Server or Virtual Environments
Isolation is one of the best types of server protection you can have because if one server is compromised, the hacker is locked into that one server. For example, it is standard practice to separate the database servers from the web application servers.
Full separation would require having dedicated metal servers that do not share any components with other servers. That means more hardware, which can add up. Instead, virtualization can serve as an isolation environment.
Having isolated execution environments in a data center allows what is called Separation of Duties (SoD). SoD operates on the principle of “Least Privilege,” which essentially means that users should not have more privileges than needed to complete their daily task. To protect and secure the system and the data, a hierarchy of users must be established, each with his or her own user ID and with permissions as minimal as possible.
If you cannot afford or do not require full isolation with dedicated server components, you can also choose to isolate execution environments, otherwise known as virtual machines and containers.
Also, the newest server processors from Intel and AMD have specialized VM encryption so as to isolate a VM from the others. Therefore, if one VM is compromised, the hacker cannot get to the others.
Do Passwords Right
Passwords are always a security problem because people are so sloppy with them. They use the same ones everywhere or use simple, easily guessed passwords like “password,” “abcde,” or “123456.” You might as well not have any passwords at all.
Make it a requirement for passwords to contain a mix of upper AND lower case letters, numbers, and symbols. Force password changes at regular intervals, with old passwords banned after one use.
Close Hidden Open Ports
Attacks can come through open ports that you don’t even realize are open. Therefore, don’t assume you know every port; that’s impossible to keep in your head. Ports that aren’t absolutely essential should be closed. Windows Server and Linux share a common command, called netstat, which can be used to determine which ports are listening while also revealing the details of connections that may currently be available.
- Information for all ports — “netstat -s”
- List all TCP ports — “netstat -at”
- List all UDP ports — “netstat -au”
- All open listening ports — “netstat -l”
Do Backups Frequently and Properly
In 2009, a server full of flight simulation files was hacked and its contents destroyed. The site was spread across two servers and used each other for backup; server A backed up to server B, and server B was backed up to server A. The result was everything was lost.
Don’t be like that site. Not only do you need to do regularly scheduled backups but they should be to offsite locations outside of your network. Offsite backups are necessary, especially for ransomware attacks, where you can just wipe the infected drive and restore it.
Also consider disaster recovery as a service (DRaaS), one of the many as-a-service offerings, which offers backup through a cloud computing model. It is provided by many on-premises vendors as well as cloud service providers.
Whether you have automated backup jobs or do them manually, make sure to test the backups. This should include sanity checks in which administrators or even end users verify that data recovery is coherent.
Perform Regular and Frequent Security Audits
Without regular audits, it’s impossible to know where problems might exist or how they can be addressed to ensure that your server remains fully protected. Check your logs for suspicious or unusual activity. Check for software, OS, and hardware firmware updates. Check system performance. Oftentimes hackers cause a spike in system activity, and unusual drive or CPU or network traffic might be the sign. Servers are not deploy-and-forget, they must be constantly checked.
