Recommendations for Securing a Server Connected to Internet

In Brief

Security measures are behavioural, organisational or technical measures seeking to ensure the confidentiality, integrity and availability of an asset. Security measures seek to reduce the vulnerabilities exploited by threats and thereby lower the impacts. They are defined during the risk treatment phase in the risk management process.

Security Measures

• It is strongly recommended to regularly update the operating system as well as the server applications. The exploitation of these technical vulnerabilities may cause the corruption of the server operation or the theft or destruction of files, and potentially the hijacking of data flows. Draft and enforce a sectoral policy on System development and maintenance – Management of technical vulnerabilities.
• It is strongly recommended to restrict the functionality of the server to this sole task and not to host any other application on the same virtual or physical server.
• It is strongly recommended to segment the network and place the server in a DMZ. Access to the server should come through a firewall and ideally via an IDS/IPS. Draft and enforce a sectoral policy on access control – External connections and Separation of networks.
• It is strongly recommended to incorporate the server into the backup plan. Draft and enforce a sectoral policy on operational and telecommunication management. Draft and enforce a sectoral policy relating to Operational and communications aspects – Data backup.
• It is strongly recommended to implement strong authentication for any access to the entity from the exterior. Draft and enforce a sectoral policy on access control – Access control policy and Access rights management and Connection procedures and External connections.
• It is recommended to impose a certain password strength for users, as well as for the administrator account. Draft and enforce a sectoral policy on access control – Password management.
• It is strongly recommended to introduce a logging system if one is not in place by default. Furthermore, it is clearly important to be able to access the content of the log files. Because of this, the use of aggregation and analysis tools, and even alert tools, for the log file is very useful. This logging should comply with data privacy laws – and laws on workplace monitoring (see CNPD site).
• It is strongly recommended to protect this server against malicious software (malware). Anti-virus software should be regularly updated in order to recognise and remove the latest malicious code. Draft and enforce a sectoral policy on Operational and communications aspects – Protection against malware.
• For servers classified as important or vital, it is worth signing a maintenance agreement with an intervention period to suit the server classification level. (Draft and enforce a sectoral policy on Physical and environmental security – Maintenance.)
• For servers classified as important or vital, it is strongly recommended to use an uninterruptible power supply to guarantee electrical security. Draft and enforce a sectoral policy on Physical and environmental security – Electrical equipment safety.
• It is strongly recommended to secure physical access to the server only to people who hold access rights. Draft and enforce a sectoral policy on Physical and environmental security – Physical security perimeter and Rules within the perimeter.
• In the event of disposal of the server, it is strongly recommended to physically destroy the hard disks (using crushers or degausser). Draft and enforce a sectoral policy on Physical and environmental security – Disposal and reuse of equipment.
• Document the most significant actions performed on the server (backup, shutdown, start-up, etc.). Draft and enforce a sectoral policy on Operational aspects and communications – Documented procedures.