‌Recommended server security settings

An organisation’s servers provide a wide variety of services to internal and external users, and many servers also store or process sensitive information for the organisation.  Servers are frequently targeted by attackers because of the value of their data and services. Because of this you should be aware of  data protection rights and the responsibilities of those who hold and process that data. ( You will find more information here )   Server Hardening is the process of enhancing server security through a variety of means which results in a much more secure server operating environment.

The following recommendations are meant as a guide to secure servers. Please review NIST Guide to General Server Security prior to deploying any University Server. 


Please note: IT Services also provide Systems adminsitrators a course on  how to secure your servers in the Linux and Windows enviroments.  Email ResearchIT@ucd.ie for details on the next scheduled course.

Top Tips for Protecting Linux servers         

  1. Only use supported versions of Linux and applications. 
  2. Apply latest patches and configure automatic security updates.Linux_icon
  3. Install Anti-Virus Software with on access scanning enabled.
  4. Enable audit logging for all components.
  5. Configure Intrusion Detection and Prevention (IDPS) System to detect, prevent and automatically notify administrators to security events. e.g OSSECFail2banWeb Application Firewall, etc.
  6. Disable root login (use sudo) and do not use generic accounts.
  7. Enforce the use of strong passwords (10 characters using mixed case letter, numbers and symbols).
  8. Configure I.P tables and restrict access to open ports. e.g restrict SSH access to local networks and University VPN.
  9. Configure the server to use UCD's Protected Domain Names Services (DNS): 137.43.116.19 & 137.43.116.17
  10. Remove unnecessary services and protocols (Telnet, SMB, NFS, KDE/GNOME, Browsers, etc)
  11. Use SSL for all websites. This is a requirement for any website that requires authentication. Details on how to obtain free SSL certificates can be found here.
  12. Request a free vulnerability assessment of the server by contacting the IT Helpdesk. 
  13. If the server is accessible from outside UCD's network, please ensure that it is secured in line with NIST Guidelines on Securing Public Web Servers.

Linux hardening checklist can be found in UCD Linux Server Security Checklist‌

Top Tips for Protecting Windows servers                                           ‌Windows_icon2

  1. Use a fully supported version of Windows Server. 
  2. Apply latest patches and configure automatic security updates.
  3. Ensure that all application patches are kept up to date. E.g Java, Sql_server, Oracle, adobe, etc
  4. Install Anti-Virus Software with on access scanning enabled.
  5. Configure Intrusion Detection and Prevention (IDPS) System to detect, prevent and automatically notify administrators to security events. e.g OSSECWeb Application Firewall, etc.
  6. Enable system\event audit logging.
  7. Enable Windows Firewall and configure filterers to limit access to open ports and programs e.g restrict RDP to local networks and UCD's VPN.
  8. Enable a strong password policy.  Run “Secpol.msc" and edit “Account lockout policy”.
    • Set a minimum password length of 10 and enable password complexity requirements.
    • Configure an intrusion prevention policy. 
    • Set accounts to lockout for period of time (min 10 minutes) after a small number of failed login attempts (5) and reset account lockout counter to the same period as lockout (e.g 10 minutes).
  9. Configure the server to use UCD's Protected Domain Names Services (DNS): 137.43.116.19 & 137.43.116.17.
  10. Disable or uninstall all unnecessary Windows services and features e.g print service, file and printer sharing, netbios, etc.
  11. Remove or disable all Internet browsers (Windows feature > disable IE) or if absolutely required enable IE with enhanced security configuration.
  12. To protect against phishing (and malware) attackes never access email on server and remove all email clients.
  13. Enable user account control (UAC) so that system changes require administrator level permissions.
  14. Check that only approved users can access the server and that they only have the minimum privileges necessary. Do not use generic accounts and remove unnecessary accounts such as guest.
  15. Use SSL for all websites. This is a requirement for any website that requires authentication. Details on how to obtain free SSL certificates can be found here.
  16. Request a free vulnerability assessment of the server by contacting the IT Helpdesk. 
  17. If the server is accessible from outside UCD's network, please ensure that it is secured in line with NIST Guidelines on Securing Public Web Servers.

Windows hardening checklist can be found in UCD Windows Server Security Checklist‌

You can find more details on server security at Center for Internet Security (CIS) who provide security standards documation for numerious application and Operating Systems here