D-PE-FN-23 Server Security

Server Security Detailed Explanation

Server security ensures that a server is protected from physical threats, cyberattacks, unauthorized access, and data loss. Maintaining strong security measures helps safeguard sensitive information and critical systems.

Physical Security

Protecting the physical hardware of a server is the first step in server security.

1. Access Control:

   • Use biometric systems (e.g., fingerprint or retina scanners) or keycard access to ensure only authorized personnel can enter the server room.
   • Example: A data center with biometric locks ensures no unauthorized person can tamper with the servers.

2. Surveillance:

   • Install cameras in and around the server room for continuous monitoring.
   • Example: Motion-detection cameras can alert staff of any suspicious activity.

3. Power Outage Prevention:

   • Use Uninterruptible Power Supplies (UPS) to provide temporary power during outages.
   • Example: In case of a blackout, the UPS keeps the server running long enough for an orderly shutdown or transition to a generator.

Network Security

Servers are often the target of cyberattacks. Securing the network is critical to protect data and maintain availability.

1. Firewalls

• What They Do:
  • Firewalls act as a barrier between the server and external networks. They filter incoming and outgoing traffic based on predefined rules.
• Access Control Lists (ACLs):
  • ACLs specify which IP addresses or types of traffic are allowed or denied.
  • Example: Block traffic from unknown countries while allowing internal company traffic.

2. IDS/IPS

• Intrusion Detection System (IDS):
  • Monitors the network for suspicious activity and generates alerts.
  • Example: An IDS might detect a brute-force attack (repeated login attempts) and notify the administrator.
• Intrusion Prevention System (IPS):
  • Takes IDS a step further by actively blocking malicious traffic.
  • Example: If an IPS detects a SQL injection attempt, it automatically blocks the request.

3. Encryption

Encryption ensures that data remains confidential during transmission and storage.

1. Transport Layer Encryption (TLS/SSL):
   • Encrypts data sent over the network to prevent interception.
   • Example: HTTPS websites use SSL/TLS to secure data between the client and server.
2. Storage Layer Encryption:
   • Protects stored data with encryption tools like BitLocker or VeraCrypt.
   • Example: Even if someone steals a hard drive, the encrypted data remains unreadable.

User Management

Controlling who can access the server and what they can do is essential to security.

1. Strong Password Policies:

   • Require complex passwords with a mix of letters, numbers, and symbols.
   • Example: Enforce password rotation every 90 days and disallow reuse of old passwords.

2. Multi-Factor Authentication (MFA):

   • Adds an extra layer of security by requiring a second form of verification, like a one-time password (OTP) or fingerprint.
   • Example: Logging into a server requires both a password and a code sent to the user's phone.

3. Principle of Least Privilege (PLP):

   • Give users the minimum level of access necessary to perform their job.
   • Example: A junior employee only needs read access to certain files, while an administrator requires full permissions.

Data Protection

Ensuring data integrity and availability is a critical aspect of server security.

1. Backup

Backups protect against data loss due to hardware failure, ransomware, or natural disasters.

• Online Backup:
  • Store backups on NAS (Network-Attached Storage) devices or in the cloud.
  • Example: Use Amazon S3 or Google Cloud to store backups securely.
• Offline Backup:
  • Use tape libraries or external drives disconnected from the network.
  • Example: Keep a weekly offline backup in a secure, offsite location.

2. Disaster Recovery

Having a clear disaster recovery plan ensures quick restoration of services after an incident.

• Develop a Recovery Plan:
  • Define steps for restoring systems, including contact lists, restoration timelines, and resource requirements.
  • Example: After a ransomware attack, follow a detailed recovery procedure to restore the server from backups.
• Regular Testing:
  • Periodically test backups to ensure they are usable and restore data as expected.
  • Example: Simulate a data loss event and recover critical files to verify the process.

Best Practices for Server Security

1. Monitor Continuously:

   • Use monitoring tools to detect unusual behavior or performance issues in real time.
   • Example: Use tools like Splunk to track login attempts or unauthorized file changes.

2. Update Regularly:

   • Patch all software, including the operating system, firmware, and applications, to close security vulnerabilities.

3. Use Secure Configurations:

   • Disable unused ports and services to reduce the attack surface.
   • Example: If the server doesn’t need FTP, ensure the FTP service is turned off.

4. Implement Logging and Auditing:

   • Maintain logs of all server activities for auditing and forensic analysis.
   • Example: Use tools to record login times, IP addresses, and changes made by users.

Securing a server involves a combination of physical protection, strong network defenses, effective user access controls, and robust data protection strategies. By following these best practices, you can significantly reduce the risk of breaches and downtime.

Server Security (Additional Content)

1. Server Hardening

Server hardening refers to the process of securing a server by reducing its attack surface, disabling unnecessary services, and applying security best practices to minimize vulnerabilities.

Disabling Unnecessary Services

• Many operating systems enable certain services by default that are not necessary for the server’s workload.
• Unnecessary services can introduce security risks if they have unpatched vulnerabilities or weak configurations.

Common services to disable (unless required for business needs):

• Telnet (port 23): An outdated and insecure remote login service (should be replaced with SSH).
• FTP (port 21): Sends data in plain text (should be replaced with SFTP or FTPS).
• SNMP (Simple Network Management Protocol) (port 161): Can expose server configuration details if not properly secured.

Best Practices:

• Audit running services with:
  • Linux: systemctl list-units --type=service
  • Windows: Get-Service (PowerShell)
• Disable unnecessary services:
  • Linux: systemctl disable <service_name>
  • Windows: Disable-Service -Name "<service_name>"

Example:
A web server only requires HTTP(S), MySQL, and SSH but has FTP and Telnet enabled by default. The administrator disables these unnecessary services to reduce security risks.

Host-Based Firewall Configuration

In addition to network firewalls, host-based firewalls help restrict access to specific services on a per-server basis.

• Linux Firewalls:
  • iptables: A rule-based packet filtering system.
  • firewalld: A more modern firewall tool that supports zones and runtime rules.
  • ufw (Uncomplicated Firewall): A simpler firewall commonly used on Ubuntu.

Example: Restrict SSH Access in Linux (iptables)

iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

This rule only allows SSH connections from the local network (192.168.1.0/24) and blocks all other SSH requests.

• Windows Firewall:
  • Windows Defender Firewall allows configuring inbound and outbound rules.
  • Example: Allow RDP (port 3389) only for specific IP addresses.

Example:
An IT security team restricts remote desktop access (RDP) to only corporate VPN users to prevent brute-force attacks.

2. Zero Trust Security Model

The Zero Trust Model assumes that no user, device, or system should be automatically trusted. Every access request must be verified.

Key Principles of Zero Trust

1. Default Deny Policy:

• All access is denied by default.
• Only explicitly approved users and services can access specific resources.

2. Granular Access Control:

• Users should only have access to the resources they need (Role-Based Access Control - RBAC).
• Example: A developer should not have access to finance databases.

3. Continuous Authentication & Monitoring:

• MFA (Multi-Factor Authentication) is required for all administrative actions.
• Behavior-based access controls detect anomalies, such as:
  • Multiple failed login attempts from different locations.
  • A user suddenly accessing sensitive files they normally don’t.

Example:
A company implements Zero Trust policies where:

• Administrators must use MFA + VPN to access internal servers.
• Each department has isolated access via RBAC and network segmentation.

3. DDoS Protection (Distributed Denial-of-Service Protection)

DDoS attacks attempt to overwhelm a server or network with excessive traffic, rendering services unavailable.

Types of DDoS Attacks

1. Network-layer attacks (Volumetric Attacks)

• Overloads the server's bandwidth using UDP floods, ICMP floods.
• Example: An attacker sends gigabits of traffic per second to consume all available bandwidth.

2. Application-layer attacks

• Targets the web application itself (e.g., HTTP floods).
• Example: Bots continuously send HTTP GET requests to a login page, making the service unresponsive.

DDoS Mitigation Strategies

• Traffic Scrubbing Services (e.g., Cloudflare, AWS Shield, Akamai Kona)

  • Routes traffic through filtering networks to remove malicious requests.

• Rate Limiting

  • Restricts how many requests a user can send per second.
  • Example: Limit a user to 10 API requests per second.

• CDN-based Protection

  • Content Delivery Networks (CDNs) distribute traffic across multiple locations, reducing the load on a single server.

Example:
A banking website under DDoS attack enables Cloudflare’s Web Application Firewall (WAF) to block high-frequency requests and uses rate limiting to prevent abuse.

4. Server Security Compliance & Auditing

Organizations that handle sensitive data must comply with legal and regulatory security standards.

Key Compliance Standards

1. ISO 27001 (Information Security Management Standard)

• Global security standard that defines risk management and best practices.

2. GDPR (General Data Protection Regulation)

• Applies to companies handling EU citizens’ data.
• Requires data encryption, access controls, and privacy policies.

3. HIPAA (Health Insurance Portability and Accountability Act)

• Applies to healthcare organizations.
• Requires patient data encryption and audit logging.

Auditing & Log Management

• Audit Trails: Keep track of server logins, data modifications, and administrative actions.
• Log Retention Policies:
  • Financial data: 7 years
  • Healthcare data (HIPAA): 6 years
  • Standard IT logs: 3–12 months

Example:
A hospital must comply with HIPAA, meaning:

• All patient data is encrypted at rest and in transit.
• User activity logs are stored for at least 7 years.
• Unauthorized access attempts trigger automatic alerts.