Network Security

Server Hardening Best Practices

Module 7 SERVER HARDENING BEST PRACTICES

At the end of this chapter, students will:

1. Be familiar with the common practices that should be followed to harden or
secure different types of servers on the network.
2. Learn about common techniques to reduce risks in environments that
use different types of technologies.

MITIGATING SYSTEM AND NETWORK SECURITY THREATS

SERVER HARDENING BEST PRACTICES

All Servers

Before we discuss the popular types of servers and the common steps used to
secure them, we will first enumerate the steps that should be followed and
implemented on all servers.
1. Harden your servers so that only needed software and services are
installed on the system.
2. Once you have hardened your system, make sure that the system and the
applications that run on it are patched.
3. After patching the system, be sure to configure policies such as the
password policy and the account lockout policy, and enable auditing on the
system.
4. Be sure to check your user accounts. You must disable unnecessary
accounts and set strong passwords on the remaining accounts. Renaming the
default account names to something that is not easy to guess is also a
security best practice. For example, you could change the name of the
Administrator account to NET12345.
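The four "All Servers" steps above, carried out with PowerShell on a Windows server. This is an added example and not code from the course module: the list of services to disable, the 30-day patch threshold and the policy values are constructed assumptions to be adjusted per server role; NET12345 is the module's own example name for the renamed Administrator account.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course module): the "All Servers" baseline on a
# Windows Server 2016+ host. Service names, thresholds and policy values below are
# constructed assumptions; review them against the real role of the server.

# Step 1: only needed software and services. Show what is running for review, then
# disable services the role does not need (constructed list: spooler, remote registry, UPnP).
Get-Service | Where-Object Status -eq 'Running' |
    Select-Object Name, DisplayName, StartType | Format-Table -AutoSize
$unneededServices = @('Spooler', 'RemoteRegistry', 'SSDPSRV', 'upnphost')
foreach ($name in $unneededServices) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $name -StartupType Disabled
        Write-Output "Disabled service: $name"
    }
}

# Step 2: patch state. Get-HotFix only lists installed updates, so the check is
# "how long since the last patch"; older than 30 days (assumed threshold) is flagged.
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-30)) {
    Write-Warning "Last update installed on '$lastPatch'; run Windows Update before continuing."
}

# Step 3: local password policy, account lockout policy and auditing.
# (On a domain member these come from Group Policy, which overrides the local values.)
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:24 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
foreach ($category in 'Account Logon', 'Logon/Logoff', 'Account Management') {
    auditpol /set /category:"$category" /success:enable /failure:enable
}

# Step 4: accounts. Flag enabled accounts that need no password, disable the unneeded
# Guest account, and rename the built-in Administrator so its default name cannot be assumed.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object { Write-Warning "Account '$($_.Name)' is enabled but requires no password" }
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue) {
    Rename-LocalUser -Name 'Administrator' -NewName 'NET12345'
}
Get-LocalUser | Select-Object Name, Enabled, PasswordRequired, LastLogon
```

Renaming the built-in Administrator does not change its security identifier (the account keeps relative identifier 500), so the rename only removes the obvious name; the lockout policy and a strong password are the controls that actually protect the account.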

HTTP Servers
For web servers, you must apply all the concepts stated in the previous “All
Servers” section, but also follow a few extra steps.
1. First, make sure web servers are placed in a demilitarized zone (DMZ), the
network segment between the outside firewall and an internal firewall. The web
server should always be hardened so that no extra software or user accounts
exist on the server.
2. Always disable features of the web server that are not going to be used. For
example, if your web site consists only of static HTML pages, make sure to
disable all active-content features such as ASP and server-side includes on the
web server. Microsoft’s IIS gives you a screen where you can control which
add-ons, or so-called extensions, are allowed. See Figure 1 below.

Figure 1 Disabling web server extensions in IIS

3. If the web server is not meant to be accessed by the public, make sure that
you also disable anonymous access, which allows anyone to reach the server, and
enable authentication on the server. If you are working with confidential data,
make sure to secure the web traffic with Secure Sockets Layer (SSL).
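Steps 2 and 3 for a Microsoft IIS server, done with the WebAdministration module instead of the Figure 1 screen. This is an added example, not code from the course module. It assumes the Web-Server role is installed, a site named "Default Web Site" that already has an HTTPS binding, and a server that is not public-facing (so anonymous access is replaced by Windows authentication); the feature names are the standard IIS sub-feature names. Note that "SSL" in current IIS versions means TLS; the `sslFlags` setting simply forces the encrypted binding.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course module): hardening an IIS server that serves
# only static HTML. Assumes "Default Web Site" with an HTTPS binding already configured.
Import-Module WebAdministration

# Step 2: remove the dynamic-content features a static site never uses. Only the
# features that are actually installed are removed.
$dynamicFeatures = 'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Includes',
                   'Web-CGI', 'Web-DAV-Publishing', 'Web-Dir-Browsing'
$installed = Get-WindowsFeature -Name $dynamicFeatures | Where-Object Installed
if ($installed) {
    Uninstall-WindowsFeature -Name $installed.Name
}
# Show what remains so it can be reviewed against what the site really needs.
Get-WindowsFeature -Name 'Web-*' | Where-Object Installed | Select-Object Name, DisplayName

$site = 'Default Web Site'
# Directory browsing off at the site level, in case the feature was left in place.
Set-WebConfigurationProperty -Filter 'system.webServer/directoryBrowse' -Name enabled `
    -Value $false -PSPath 'IIS:\' -Location $site

# Step 3: no anonymous access; require authentication instead (Windows authentication here).
Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false -PSPath 'IIS:\' -Location $site
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true -PSPath 'IIS:\' -Location $site

# Confidential data: require the encrypted binding for the whole site.
Set-WebConfigurationProperty -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl' -PSPath 'IIS:\' -Location $site

# Verify the two settings that matter most.
Get-WebConfigurationProperty -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -PSPath 'IIS:\' -Location $site
Get-WebConfigurationProperty -Filter 'system.webServer/security/access' -Name sslFlags `
    -PSPath 'IIS:\' -Location $site
```

Writing the authentication settings with `-PSPath 'IIS:\' -Location $site` stores them in applicationHost.config, which is required because IIS locks the authentication sections against being overridden from a site's web.config.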

DNS Servers
To harden a DNS server, you must apply all the steps from the preceding “All
Servers” section. In addition, you should also limit zone transfers on your DNS
server. Zone transfers occur when the primary DNS server sends its DNS data to a
secondary DNS server. If a hacker obtains the DNS data by performing a zone
transfer, they will probably learn the IP addresses used by your systems.

In the properties of your DNS server, you will see a setting where you can limit
which systems can obtain zone transfers from your DNS server. You typically want
to make sure that only your own DNS servers are registered here. Figure 2 shows
how to limit zone transfers on a Microsoft DNS server.

Figure 2 Controlling DNS zone transfers

You can also block TCP port 53, the port used by zone transfers, at your
firewall so that somebody outside the network cannot perform zone transfers. This
may not be an option if you have a secondary DNS server at a different location
across the Internet.
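The same zone-transfer restriction as Figure 2, plus the TCP 53 firewall rule, applied with the DnsServer and NetSecurity PowerShell modules on a Windows DNS server. This is an added example, not code from the course module; the zone name and the secondary server address are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course module): restricting zone transfers on a Windows
# DNS server. Zone name and secondary address below are constructed placeholders.
Import-Module DnsServer

$zone        = 'corp.example.test'   # constructed zone name
$secondaries = @('10.10.0.53')       # constructed: the only hosts allowed to pull the zone

# Allow transfers only to the listed secondaries, and notify only them of changes.
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaries `
    -Notify NotifyServers -NotifyServers $secondaries

# Verify: SecureSecondaries should read TransferToSecureServers and list only our servers.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, SecureSecondaries, SecondaryServers

# Host firewall: the DNS role installs an inbound allow rule for TCP 53 from any address.
# Disable it and replace it with one scoped to the secondaries; the default inbound
# action (block) then covers everyone else. A separate Block rule is the wrong form,
# because in Windows Firewall a Block rule always overrides an Allow rule.
Get-NetFirewallRule -DisplayName 'DNS (TCP, Incoming)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'DNS TCP 53 from secondaries only' -Direction Inbound `
    -Protocol TCP -LocalPort 53 -RemoteAddress $secondaries -Action Allow

# Verify the active rules for TCP 53.
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 53 } |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Action
```

Two caveats a practitioner would check before applying this: ordinary clients also fall back to TCP 53 when a response does not fit in a UDP datagram (large record sets, DNSSEC), so a server that answers clients directly needs those clients in the allowed list or the rule applied only at the perimeter; and if the secondary really does sit across the Internet, carrying the transfer over a VPN or IPsec tunnel is preferable to opening TCP 53 to that address over the open network.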

DHCP Servers
You can secure your DHCP servers by following all the hardening techniques
discussed in the “All Servers” section, but you can also apply some additional
steps. When you create a scope (the range of IP addresses the DHCP server gives
out), create only as many addresses as are actually needed on your network. For
example, if you have 20 devices that need an IP address, you should create a
scope that provides only 20 addresses. The main benefit is that if an
unauthorized individual tries to connect a 21st device to your network, there
will be no available IP address left in the scope for the DHCP server to give to
that device. As a result, the system will not be able to communicate on the
network, meaning it cannot access your network.

Aside from limiting the number of IP addresses in the scope, you can also
implement address reservations, where each of the 20 addresses you created in
the scope is linked to a MAC address. The benefit is that each address will be
assigned only to the network card that has the MAC address linked with it.
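The 20-device scope and its reservations, built with the DhcpServer module on a Windows DHCP server. This is an added example, not code from the course module; the subnet, device names and MAC addresses are constructed sample values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course module): a DHCP scope sized to exactly 20 hosts,
# with every address reserved to one MAC address. All values are constructed samples.
Import-Module DhcpServer

$scopeId = '192.168.10.0'
# A 20-address range, .101 through .120: nothing is left over for an unexpected 21st device.
Add-DhcpServerv4Scope -Name 'Office LAN (20 devices)' -StartRange 192.168.10.101 `
    -EndRange 192.168.10.120 -SubnetMask 255.255.255.0 -State Active

# Constructed inventory: device name, the MAC address of its network card, and the
# address it is to receive. In practice this comes from the asset inventory.
$devices = 1..20 | ForEach-Object {
    [pscustomobject]@{
        Name = 'ws-{0:D2}' -f $_
        Mac  = '00-11-22-33-44-{0:X2}' -f $_
        Ip   = "192.168.10.$(100 + $_)"
    }
}

# Reserve each address to one MAC, so a lease is only ever handed to that network card.
foreach ($d in $devices) {
    Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress $d.Ip -ClientId $d.Mac `
        -Name $d.Name -Description 'constructed example'
}

# Verify: 20 reservations, and no free addresses left in the scope.
Get-DhcpServerv4Reservation -ScopeId $scopeId | Measure-Object | Select-Object Count
Get-DhcpServerv4ScopeStatistics -ScopeId $scopeId | Select-Object ScopeId, Free, InUse, Reserved
```

A sized scope with reservations stops accidental or casual connections and doubles as an inventory, but a host can still configure a static address or present a cloned MAC address, so on a network that must enforce who connects this is a complement to port security or 802.1X, not a substitute.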

SMTP Servers and FTP Servers


You should apply the hardening techniques discussed in the “All Servers”
section to both SMTP servers and FTP servers, but you should also take the
following further security measures.
1. When working with SMTP servers, ensure that you are protecting the server
with a firewall, and open TCP port 25 so that SMTP traffic can pass through
the firewall and reach the server.
2. You also need to ensure that SMTP relaying is disabled on the SMTP server.
SMTP relaying means that your SMTP server forwards any SMTP message that is not
destined for it on to the destination server. Relaying is a bad thing because a
hacker can send spam messages to your server, which then forwards them to the
destination address. From the receiver’s point of view, your server is the one
doing the spamming.
3. With FTP servers, limit who can upload files to the FTP server; you might
allow files only to be downloaded from the server.
4. You also should decide whether anonymous access to the FTP server is allowed,
or whether you are going to force people to authenticate to the server before
gaining access to it. If you force authentication, make sure that you do it in a
secure way.
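Steps 1, 3 and 4 carried out on a Windows host: the firewall rule for SMTP, and an IIS FTP site that is download-only and requires authentication over an encrypted channel. This is an added example, not code from the course module. It assumes the IIS FTP role is installed, a site named "FtpSite" exists with a server certificate already bound to it, and "FtpReaders" is a constructed Windows group of the users allowed to download. Relay restriction (step 2) lives in the SMTP server's own configuration rather than the firewall and is not shown here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course module): SMTP firewall rule and a download-only,
# authenticated IIS FTP site. "FtpSite" and "FtpReaders" are constructed names.
Import-Module WebAdministration

# Step 1: open TCP 25 inbound through the host firewall, and only that port.
New-NetFirewallRule -DisplayName 'SMTP inbound (TCP 25)' -Direction Inbound `
    -Protocol TCP -LocalPort 25 -Action Allow

$site = 'FtpSite'
# Step 4: no anonymous access; users must authenticate. Basic authentication sends
# the credentials themselves, which is why SSL is made mandatory right after.
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

# "In a secure way": require SSL on the control channel (where the password travels)
# and on the data channel (where the file contents travel).
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
Set-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.dataChannelPolicy -Value 'SslRequire'

# Step 3: download-only. Replace any existing authorization rules with a single Read
# rule for the FtpReaders group; with no Write permission granted, nobody can upload.
Clear-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $site
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' -Location $site `
    -Value @{ accessType = 'Allow'; roles = 'FtpReaders'; permissions = 'Read' }

# Verify the resulting authentication and authorization settings.
Get-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.authentication.anonymousAuthentication.enabled
Get-ItemProperty "IIS:\Sites\$site" -Name ftpServer.security.ssl.controlChannelPolicy
Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/add' -PSPath 'IIS:\' -Location $site |
    Select-Object accessType, roles, users, permissions
```

The file-system ACL on the FTP root should match the authorization rule (read-only for FtpReaders), since IIS FTP authorization and NTFS permissions are checked independently and the more restrictive of the two wins.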

Mitigate Risks in Static Environments


In this section you will learn about common techniques to lower the risks in
environments that use different types of technologies. In order to reduce risks,
you must recognize the technologies and their related security risks.

Understanding Environments
The main challenge with mitigating security threats is the wealth of different
products and technologies used by organizations nowadays. As security personnel,
you need to create, or at least recommend, a way to make a secure environment for
each of these technologies:

▪ SCADA or Supervisory Control And Data Acquisition


SCADA is a special type of system used in industrial environments and
settings to monitor operations; an example is a manufacturing plant.
Physical security is a significant part of your security in such an
environment, as tampering with any of the SCADA components can cause the
monitoring and alarms to malfunction.

▪ Embedded (Printer, Smart TV, HVAC control)


Watch for devices that have an embedded component that could create
risks. This includes any device connected to the network, such as a smart
TV or printer, but watch for devices with Bluetooth technology as well,
and implement hardening practices on such devices.

▪ Android
Mobile devices are standard today, and it is important to understand how
to secure devices running the Android operating system. Make sure you
understand how to auto-lock the device, implement device encryption,
enable GPS tracking, and disable unnecessary features on your devices.

▪ iOS
Apple devices such as iPhones and iPads run the iOS operating system.
Just as with Android devices, you must implement the same procedures on
iOS. Make sure you understand how to auto-lock the device, implement
device encryption, enable GPS tracking, and disable unnecessary features
on your devices.

▪ Mainframe
Mainframe environments are no different from any other environment, and
you should not forget to place some focus on security to protect them.
Make sure to control who has access to the mainframe environment by
implementing firewalls and access control lists.

▪ Game consoles
Gaming systems such as the Xbox and PS3 are now full-fledged multimedia
systems that are connected to the Internet. Be sure to look at hardening
techniques for these systems and update them regularly.
References and Supplementary Materials
Online Supplementary Reading Materials

1. How to mitigate security risks in static environments; https://www.examcollection.com/certification-training/security-plus-how-to-mitigate-security-risks-in-static-environments.html; February 2020
2. Windows Server Hardening Checklist; https://www.netwrix.com/windows_server_hardening_checklist.html; February 2020
3. What is a DNS Server?; https://www.cloudflare.com/learning/dns/what-is-a-dns-server/; February 2020