Recommended server security settings

An organisation’s servers provide a wide variety of services to internal and external users, and many servers also store or process sensitive information for the organisation. Servers are frequently targeted by attackers because of the value of their data and services. Because of this, you should be aware of data protection rights and the responsibilities of those who hold and process that data. (You will find more information here.) Server hardening is the process of enhancing server security through a variety of means, which results in a much more secure server operating environment.

The following recommendations are meant as a guide to secure servers.
Please note: IT Services also provides systems administrators with a course on how to secure your servers in the Linux and Windows environments. Click here to register your interest.

Recommendations for hardening Linux servers     

  •     Apply latest patches and configure automatic security updates.
  •     Disable root login (use sudo) and do not use generic accounts.
  •     Enforce the use of strong passwords (10 characters using mixed case letters, numbers and symbols).
  •     Configure iptables and restrict access to open ports.
  •     Configure free Fail2ban software: prevents brute-force SSH attacks (and more).
  •     Configure the server to use UCD's Protected Domain Names Services (DNS): &
  •     Remove unnecessary services and protocols (Telnet, SMB, NFS, KDE/GNOME, browsers, etc.).
  •     Use SSL for all websites. This is a requirement for any website that requires authentication. Details on how to obtain free SSL certificates can be found here.
  •     Request security@ucd.ie to set up an Outpost24 weekly vulnerability scan.

A Linux hardening checklist can be found in the UCD Linux Server Security Checklist.
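
The root-login and password rules in the list above can be checked mechanically. The following is an added example (not part of UCD's checklist or tooling) that audits the text of an sshd_config and a pwquality.conf; the sample files are constructed, and the use of pam_pwquality to enforce password rules is an assumption about the server.

```python
import re

# Constructed sample files, not taken from a real server.
SSHD_CONFIG = """\
# /etc/ssh/sshd_config
Port 22
permitrootlogin yes
PermitRootLogin no
"""
PWQUALITY_CONF = """\
# /etc/security/pwquality.conf
minlen = 10
dcredit = 1
ucredit = -1
lcredit = -1
"""

def effective_root_login(text):
    """First value wins and keywords are case-insensitive; None means unset."""
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(\S+)", line)
        if not m:
            continue                      # blank line or comment
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":                # conditional blocks start here
            break
        if key == "permitrootlogin":
            return value
    return None

def audit(sshd_text, pwq_text):
    findings = []
    root = effective_root_login(sshd_text)
    if root != "no":
        findings.append(f"PermitRootLogin is {root or 'unset'}, expected no")
    pwq = {}
    for line in pwq_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and value.strip().lstrip("-").isdigit():
            pwq[key.strip()] = int(value)
    if pwq.get("minlen", 0) < 10:
        findings.append("minlen is below 10")
    # A negative credit requires that many characters of the class; zero or a
    # positive credit does not require the class at all.
    for opt in ("ucredit", "lcredit", "dcredit", "ocredit"):
        if pwq.get(opt, 0) >= 0:
            findings.append(f"{opt} does not require its character class")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SSHD_CONFIG, PWQUALITY_CONF)))
```

In the sample, the earlier "permitrootlogin yes" is the value sshd uses, and the digit and symbol classes are not enforced even though minlen is 10.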

Recommended tips for hardening Windows servers

  •     Only use supported operating systems and applications. Microsoft no longer supports XP and Windows 2003, 2008 (Jan 2020) & 2008 R2 (Jan 2020).
  •     Set Windows patches to install automatically. Make sure users log out of the server each evening so that Windows patches can be applied.
  •     Make sure that all application patches are kept up to date, e.g. Java, SQL Server, Oracle, Adobe, etc.
  •     Install Microsoft Enhanced Mitigation Experience Toolkit (EMET) to defend against cyberattacks.
  •     Create a strong password policy. Run "Secpol.msc" and edit "Account lockout policy".
    •         Set a minimum password length of 10 and enable password complexity requirements.
  •     Configure an intrusion prevention policy. Run "Secpol.msc" and edit "Account lockout policy".
    •         Set accounts to lock out for a period of time (min 10 minutes) after a small number of failed login attempts (5) and reset the account lockout counter to the same period as the lockout (e.g. 10 minutes).
  •     Install anti-virus software and remember to check it at least once a week to ensure that it is running and updating, and review the last full AV scan results.
  •     Enable system/event logging.
  •     Check that the server firewall is turned on and filters are set up to protect open ports and programs.
    •         Please contact Security UCD Networks if you need to know UCD-specific IP address ranges.
  •     Use the local firewall to restrict Remote Desktop Access to only the UCD network (or preferably your own network) and use the UCD VPN if remote access is required.
  •     Configure the server to use UCD's Protected Domain Names Services (DNS): & 
  •     Disable or uninstall all unnecessary Windows services and features, e.g. print service, file and printer sharing, NetBIOS, etc.
  •     Remove or disable all Internet browsers (Windows feature > disable IE) or, if absolutely required, enable IE with Enhanced Security Configuration.
  •     To protect against phishing (and malware) attacks, never access email on the server and remove all email clients.
  •     Enable user account control (UAC) so that system changes require administrator level permissions.
  •     Check that only approved users can access the server and that they only have the minimum privileges necessary. Do not use generic accounts and remove unnecessary accounts such as guest.
  •     Restrict remote desktop access to only the UCD network or UCD VPN.
  •     Use SSL for all websites. This is a requirement for any website that requires authentication. Details on how to obtain free SSL certificates can be found here.
  •     Do not collect or process credit card payments on any server without contacting security@ucd.ie in advance.
  •     Run Microsoft Baseline Security Analyzer to check security settings.
  •     Once you have applied the above hardening recommendations, contact Security@ucd.ie for a free vulnerability scan.

A Windows hardening checklist can be found in the UCD Windows Server Security Checklist.
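
The password and lockout values recommended above (length 10, complexity on, lockout after 5 attempts for 10 minutes) can be verified from an exported local security policy. The following is an added example, not part of UCD's checklist or tooling; it reads the [System Access] section of a file produced by secedit /export, and the sample export is constructed.

```python
# Constructed sample of a `secedit /export /cfg policy.inf` file, already
# decoded to text (the exported file is typically UTF-16).
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""

def system_access(inf_text):
    """Return the integer settings of the [System Access] section."""
    section, values = None, {}
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value.lstrip("-").isdigit():   # skip string settings
                values[key] = int(value)
    return values

def audit_policy(inf_text):
    """Compare the export with the values recommended in the list above."""
    p = system_access(inf_text)
    findings = []
    if p.get("MinimumPasswordLength", 0) < 10:
        findings.append("minimum password length is below 10")
    if p.get("PasswordComplexity", 0) != 1:
        findings.append("password complexity is not enabled")
    bad_count = p.get("LockoutBadCount", 0)
    if bad_count == 0:
        # 0 turns lockout off, so duration and reset counter have no effect.
        findings.append("account lockout is disabled")
        return findings
    if bad_count > 5:
        findings.append("lockout threshold is above 5 failed attempts")
    duration = p.get("LockoutDuration", 0)
    if duration < 10:
        findings.append("lockout duration is below 10 minutes")
    if p.get("ResetLockoutCount") != duration:
        findings.append("reset counter does not match the lockout duration")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_policy(SECEDIT_EXPORT)))
```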

You can find more details on server security at the Center for Internet Security (CIS), which provides security standards documentation for numerous applications and operating systems here.