Securing Our Servers
By Shawn Stubbs, Technology Consultant
Here at Frequency Foundry, we take data security seriously. With all the news about government hacking and security breaches, we want to take a step back and discuss the reality of keeping a server secure. I would like to highlight some basic precautions to ensure your systems are prepared securely. These principles apply to any device, not just servers.
First things first: use a real password, and create a unique password for every site and system you access. Don’t share your password with anyone. I know this sounds like the most basic advice and I’m sure you have heard it a million times before, but simply put, this is how most systems and accounts become compromised.
How can I keep track of the hundreds of logins to all the websites and systems I access, you ask? Get yourself a proper password manager. A password-protected Excel sheet is not good enough. Password managers store their databases encrypted, protected by a one-way, salted hash of your master password. I won’t get into the technical details at this time. This prevents people who may gain access to your password database from being able to reverse the file to view the text. Password managers range from free open source to paid systems often used by large corporations. Just for the record, I am not affiliated with any of these companies. Here are a few recommendations.
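As an added illustration of the salted, one-way derivation just mentioned (example code written for this post, not code from any of the password managers named below), the sketch below shows what a vault can store instead of the master password: a fresh random salt plus a key derived from password and salt with PBKDF2-HMAC-SHA256. The key can be recomputed to check a login, but not reversed to recover the password, and the same password with two different salts produces two different stored values. It also generates a unique random password per site. The iteration count and the sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Parameters for the salted, one-way key derivation (PBKDF2-HMAC-SHA256).
# The iteration count is an illustrative choice for this example, not a recommendation.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def derive_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """One-way: the key is recomputable from password + salt, but cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def create_verifier(master_password: str) -> dict:
    """What a vault stores instead of the master password: a random salt and the derived key."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "key": derive_key(master_password, salt).hex(),
    }


def check_master_password(candidate: str, verifier: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt = bytes.fromhex(verifier["salt"])
    derived = derive_key(candidate, salt, verifier["iterations"])
    return hmac.compare_digest(derived, bytes.fromhex(verifier["key"]))


def generate_site_password(length: int = 20) -> str:
    """A unique random password for one site, drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample master password for the demonstration.
    verifier = create_verifier("correct horse battery staple")
    print(check_master_password("correct horse battery staple", verifier))  # True
    print(check_master_password("password123", verifier))                   # False
    # Same password, two different salts -> two different stored values.
    print(create_verifier("same")["key"] != create_verifier("same")["key"])  # True
    print(generate_site_password())
```

Anyone who copies the verifier file gets only the salt and the derived key; recovering the master password means guessing candidates one at a time, and the salt stops a single precomputed table from working against every vault.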
KeePass is a free open source program you can install on your personal machine or on a USB stick. It’s a little light on features but it’s a great tool for anyone from a beginner to senior systems administrator who wants to take security seriously. You simply add entries for your servers or sites with your username and have it generate a unique password for each site.
LastPass is my personal favorite password manager. It has all the basic password manager features KeePass has, but also offers some great benefits to make your online life easy. LastPass has browser plugins for all modern browsers that autofill your login; you can install it on multiple machines, including smartphones, for seamless transitions between your different devices.
Dashlane is the latest password manager I have been testing. It has some really nice features like “zoning” that lets you have a business section and personal section to your passwords. Its auto-login features are fast and seamless. It also has a full desktop client that lets you locally manage your logins.
Pick one and use it. Seriously.
Next up, let’s talk about my server philosophy. A server should run exactly the software it needs to complete its task, nothing more and nothing less. Every piece of software on a server is a potential vulnerability, so the fewer things installed, the fewer things you need to manage. A great example of this is the recent DLL vulnerabilities found in Notepad++. System administrators around the globe would say it’s just a text editor and it’s handy to have installed locally, but we found out that it had a zero-day exploit that government agencies were leveraging to gain access to systems. The vulnerability has since been patched, but a system that did not have it installed in the first place would inherently be more secure.
Install your tools on your local machine and use a secure transfer method, such as HTTPS or SFTP, to move the edited files to the server. The same philosophy applies to server roles. If your server doesn’t need to run the DNS role, don’t install it. That’s just one more thing you have to secure and update. If I’m setting up a server that needs to run SQL, it will only have SQL installed plus the basic tools that are required for security and monitoring. This makes my job much easier when I scan to see which ports are open on the system.
Speaking of ports, use them or close them. If you aren’t SSHing into your Windows machines, make sure that port is closed. You can hide your ports in a non-standard range, such as bumping 3389 to some random high port like 5566, but don’t count on it to keep your computer safe. Run a routine audit on your machines: scan the open ports and compare the results to what is running on the machine. If you find an open port that isn’t part of the software known to be running on that machine, investigate. I use everyone’s favorite network scanning tool, Nmap, to routinely audit my servers and make sure no suspicious ports are open. There are Windows ports of Nmap if you just want to do basic scanning through a GUI.
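The audit described in the last two paragraphs (scan, compare against what the server is supposed to run, investigate the rest) is easy to script. The following is an added example, not code from the original post or from the Nmap project: it parses Nmap’s greppable output format (`nmap -oG`), which lists each host as `Host: <ip> (<name>)` followed by a tab-separated `Ports:` field of `port/state/proto/owner/service/rpc/version/` entries, and diffs the open TCP ports against a per-host allowlist built from the minimal-software philosophy above (a SQL server gets SQL and RDP, nothing else). The hostnames, IP addresses, allowlists and scan lines are all constructed for the example; in practice you would feed it the real `-oG` file from your routine scan.

```python
import re
from typing import Dict, List, Set

# Expected listening TCP ports per host, derived from what each server is supposed to run.
# Hostnames and port sets below are constructed for this example.
EXPECTED_PORTS: Dict[str, Set[int]] = {
    "sql01": {1433, 3389},      # SQL Server plus RDP for administration
    "web01": {80, 443, 3389},   # web server plus RDP
}

# Constructed sample of Nmap greppable output (nmap -oG), one host per line.
SAMPLE_NMAP_OG = """\
# Nmap scan initiated (constructed sample, not real scan output)
Host: 10.0.0.11 (sql01)\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 10.0.0.12 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (996)
# Nmap done (constructed sample)
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries>" up to the next tab-separated field or end of line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_open_ports(og_text: str) -> Dict[str, Set[int]]:
    """Return {hostname (or IP if unnamed): set of open TCP ports} from greppable Nmap output."""
    result: Dict[str, Set[int]] = {}
    for line in og_text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines, "Status: Up" lines, hosts with no Ports field
        ip, hostname, ports_field = match.groups()
        name = hostname or ip
        open_ports: Set[int] = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        result[name] = open_ports
    return result


def audit(observed: Dict[str, Set[int]], expected: Dict[str, Set[int]]) -> Dict[str, Dict[str, List[int]]]:
    """Compare scan results with the allowlist; anything under 'unexpected' is what to investigate."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for host, open_ports in observed.items():
        allowed = expected.get(host, set())  # a host missing from the allowlist has nothing approved
        report[host] = {
            "unexpected": sorted(open_ports - allowed),  # open, but not part of the known software
            "missing": sorted(allowed - open_ports),     # approved service that is not listening
        }
    return report


if __name__ == "__main__":
    for host, findings in audit(parse_open_ports(SAMPLE_NMAP_OG), EXPECTED_PORTS).items():
        print(f"{host}: unexpected={findings['unexpected']} missing={findings['missing']}")
```

On the constructed sample, `web01` comes back with port 22 open even though nothing on its allowlist should be listening there, which is exactly the "open port that isn’t part of the software known to be running" case the post says to investigate; `sql01` matches its allowlist and needs no action.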
New exploits and vulnerabilities are being discovered every day. Software companies these days are much better than they were in the past about securing their software. All the big players are constantly rolling out security patches for everything from OS updates to apps on your smartphone. Automate these patches wherever possible, but either way make sure they get done.
Windows updates can be automated pretty easily on everything from your home machine to servers using SCCM. I know the constant popups for Windows updates on your laptop are annoying, but set it and forget it. Microsoft has been very reliable with its patches in recent years, so have your machine wake up at 2 a.m., download your updates and reboot.
For servers, set up a patching cycle that runs on your test environment first, then schedule your outage and keep up to date on those patches. Vulnerabilities in recent years have been found in everything from DNS to RDP to HTTPS. Don’t forget about all of your applications. See the example of Notepad++ above, where a vulnerability was found on a Tuesday and by Thursday a new patch was released. Software developers take security seriously and so should we all.