After initially deploying a server, administrators need to maintain its security continuously. This section provides general recommendations for secure server administration. Key activities include handling and analysing log files, performing regular server backups, recovering from server compromises, testing server security frequently, and performing remote administration securely. Security configuration guides and checklists are publicly available for most OSs and server software; many of these documents contain OS- and server-specific security recommendations. Other maintenance tasks discussed in the previous sections, and therefore not repeated here, include testing and applying OS and server patches and updates, maintaining a secure OS and server software configuration, and maintaining additional security controls for the server.
Server monitoring services are a dime a dozen. You receive an alert when a service (HTTP, SMTP, etc.) is down. But is that enough to keep your server safe and secure? What if your server is exposed to a newly disclosed software vulnerability, or what if someone tries to brute-force your password? You would want to know, wouldn’t you? That is why server security monitoring is so important. In this document we explore how you can monitor your server continuously for security events so that you prevent security issues instead of only reacting after something bad has happened.
Capturing the correct data in the logs and then monitoring those logs closely is essential. Network and system logs are both important, especially system logs in the case of encrypted connections, where network monitoring is far less effective. Server software may provide additional log data for server-specific events.
Logging is common and effective, yet many server administrators devote their time to the tasks they consider most important or most urgent. However, log files are often the only record of suspicious behaviour. Enabling the mechanisms that record this information allows the logs to be used to detect failed and successful login attempts and to trigger alerts when further investigation is required. Procedures and tools must be in place to process and analyse the log files and to review the alerts they generate.
The specific server software selected and used determines what actions the server administrator should take to establish the logging configuration.
Automated Log File Analysis Tools
Many servers receive significant amounts of traffic, and log files quickly become large. Automated log analysis tools should be installed to reduce the load on server administrators. These tools analyse the entries in the server log files and identify suspicious and unusual activity. Some organizations use SIEM software for centralized logging, which can also perform automated log file analysis. Many commercial and public domain tools are also available to support general analysis of certain types of server logs.
The automated log analyser should report any suspicious activity to the responsible server administrator or team so that a security incident can be investigated and responded to as soon as possible. Some organizations may wish to use two or more log analysers, which reduces the risk of missing an attack or other important events in the log files.
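As an added illustration of what such an automated log analyser does (example code written for this page, not from the original text or any Kanoo Elite product): the Python below parses constructed sshd-style log lines, counts failed logins per source address inside a sliding time window, and raises an alert when a source crosses a threshold or logs in successfully after being flagged. The log format, the threshold of four failures and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style sample lines (not real log data); 203.0.113.5 is a
# documentation address playing the role of a password-guessing source.
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar 10 02:14:03 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Mar 10 02:14:05 web1 sshd[812]: Failed password for root from 203.0.113.5 port 4244 ssh2
Mar 10 02:14:08 web1 sshd[812]: Failed password for root from 203.0.113.5 port 4245 ssh2
Mar 10 02:14:20 web1 sshd[815]: Accepted password for root from 203.0.113.5 port 4247 ssh2
Mar 10 02:30:42 web1 sshd[901]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Mar 10 02:30:50 web1 sshd[901]: Accepted publickey for alice from 198.51.100.7 port 5101 ssh2
Mar 10 03:01:00 web1 sshd[950]: Accepted publickey for bob from 192.0.2.9 port 6000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_line(line, year=2024):
    """Return a dict for an sshd auth event, or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def analyse(log_text, threshold=4, window=timedelta(minutes=10)):
    """Flag sources with `threshold` failures inside `window`, and any success from a flagged source."""
    failures = defaultdict(list)   # source address -> failure timestamps
    flagged, alerts = set(), []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            # drop failures that have aged out of the sliding window
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            failures[src].append(ev["ts"])
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(failures[src])))
        elif src in flagged:
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts
```

Alice's single mistyped password stays below the threshold, while the burst from 203.0.113.5 followed by a successful root login produces two alerts worth escalating.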
Server Backup Procedures
One of the most important tasks of a server administrator is to maintain the integrity of the data on the server. This is important because servers are often some of the most exposed and important hosts on an organization’s network. The server administrator needs to back up the server for several reasons. The server may fail due to malicious or unintentional action or to hardware or software failure. In addition, Federal agencies and many other organizations are governed by regulations on the backup and archiving of server data. Server data should also be backed up regularly for legal and financial reasons.
Server Data Backup Policies
All organizations need to create a server data backup policy. Three key factors influence the content of this policy:
- Legal requirements
- Mission requirements
- Organizational guidelines and policies
Server Backup Types
Three main types of backups are available: full, incremental, and differential. Full backups include the OS, applications, and data stored on the server (i.e., an image of every piece of data stored on the server’s hard drives). The advantage of a full backup is that it is easy to restore the entire server to the state (e.g., configuration, patch level, data) it was in when the backup was performed. The disadvantage of full backups is that they take a lot of time and resources to perform. Incremental backups reduce the impact of backups by backing up only data that has changed since the previous backup (either full or incremental).
Differential backups reduce the number of backup sets that must be accessed to restore a configuration by backing up all data changed since the last full backup. However, each differential backup grows as time passes since the last full backup, requiring more processing time and storage than an incremental backup. Typically, full backups are performed less frequently (weekly to monthly, or when a significant change occurs), and incremental or differential backups are performed more frequently (daily to weekly).
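A small simulation of the three backup types, added here as an illustration and not part of the original page: it models a server’s files as a dictionary, records full, incremental and differential copies using content hashes to detect changes, and reports how many copies a restore has to read in each case. File paths and contents are constructed sample data, and deletions are not modelled.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

class BackupSet:
    """Simplified model of full, incremental and differential backups of a
    server's files (deletions are not modelled)."""
    def __init__(self):
        self.backups = []      # list of (kind, {path: content})
        self.full_state = {}   # file hashes at the last full backup
        self.last_state = {}   # file hashes at the last backup of any kind

    def backup(self, kind, files):
        """Record a backup of `kind`; return how many files it had to copy."""
        hashes = {p: digest(c) for p, c in files.items()}
        if kind == "full":
            copy = dict(files)
            self.full_state = hashes
        else:  # copy only what changed relative to the right baseline
            base = self.full_state if kind == "differential" else self.last_state
            copy = {p: c for p, c in files.items() if base.get(p) != hashes[p]}
        self.last_state = hashes
        self.backups.append((kind, copy))
        return len(copy)

    def restore(self):
        """Rebuild the current state; return it and the number of copies read."""
        kinds = [k for k, _ in self.backups]
        f = max(i for i, k in enumerate(kinds) if k == "full")
        # the latest differential after the full subsumes every copy between them
        d = max((i for i in range(f + 1, len(kinds)) if kinds[i] == "differential"), default=f)
        needed = list(range(f, len(kinds))) if d == f else [f] + list(range(d, len(kinds)))
        state = {}
        for i in needed:
            state.update(self.backups[i][1])   # later copies overwrite earlier ones
        return state, len(needed)

def demo():
    # constructed sample files standing in for a server's OS, config and data
    files = {"/etc/httpd.conf": b"v1", "/var/www/index.html": b"hello", "/var/log/app.log": b"l1"}
    s = BackupSet()
    sizes = [s.backup("full", files)]                     # 3 files copied
    files["/var/log/app.log"] = b"l1l2"
    sizes.append(s.backup("incremental", files))          # 1 file (the log)
    files["/etc/httpd.conf"] = b"v2"
    sizes.append(s.backup("incremental", files))          # 1 file (the config)
    _, read_inc = s.restore()                             # full + 2 incrementals = 3 copies
    files["/var/log/app.log"] = b"l1l2l3"
    sizes.append(s.backup("differential", files))         # 2 files (all changes since the full)
    state, read_diff = s.restore()                        # full + latest differential = 2 copies
    return sizes, read_inc, read_diff, state == files
```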
Maintain a Test Server
Most organizations will probably want to maintain a test or development server for their most important servers, at least. Ideally, this server should have the same hardware and software as the production or live server and be located on an internal network segment (intranet) where it can be fully protected by the organization’s network defences. While the cost of maintaining an additional server is not insignificant, having a test server offers many benefits:
- Provides a platform to test new patches and service packs before applying them to the production server.
- Provides a development platform for the server administrator to develop and test new content and applications.
- Provides a platform to test configuration settings before applying them to production servers.
- Software that is needed for development and testing but that would pose an unacceptable security risk on the production server can be installed on the development server (e.g., software compilers).
Recovering From a Security Compromise
Most organizations eventually experience a successful compromise of one or more hosts on their network. Organizations should formulate and document the policies and procedures required for an effective response. Response procedures should specify the actions required to respond to a successful server compromise, along with the appropriate sequence of those actions (sequence can be critical). Many organizations already have a dedicated incident response team, which should be contacted immediately when there is any suspicion or confirmation of a compromise. In addition, the organization may wish to ensure that some of its staff are knowledgeable in the field of computer and network forensics.
The server administrator must follow the organization’s policies and procedures for incident handling, and the incident response team should be contacted for guidance before the organization takes any action after a suspected or confirmed security compromise.
Security Testing Servers
Periodic security testing of servers is essential. Without periodic testing, there is no assurance that the current protective measures are working or that the security configuration applied by the server administrator is functioning as advertised. Although a variety of security testing techniques exist, vulnerability scanning is the most common. Vulnerability scanning helps the server administrator identify vulnerabilities and verify whether the existing security measures are effective.
Vulnerability scanners are automated tools used to identify vulnerabilities and misconfigurations of hosts. Many vulnerability scanners also provide information on mitigating the vulnerabilities they discover. Vulnerability scanners attempt to identify vulnerabilities in the hosts they scan. They can help identify outdated software versions, missing patches, or needed system upgrades, and can validate compliance with or deviations from the organization’s security policy. To do this, vulnerability scanners identify the OS, server software, and other major software applications running on hosts and match them against the known vulnerabilities in their vulnerability databases.
Organizations should also consider using more than one vulnerability scanner. As discussed earlier, no single scanner can detect all known vulnerabilities; however, using two scanners generally increases the number of vulnerabilities detected. A common practice is to use one commercial scanner and one free scanner. Network-based and host-based scanners are available for free or for a fee.
Penetration testing is “security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation”. The purpose of penetration testing is to exercise the system’s defences (particularly the human response to attack indications) using the common tools and techniques employed by attackers. This testing is highly recommended for complex or critical servers.
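The matching step described above, reduced to its core as an added example (not code from the page or from any real scanner): a host inventory of package versions is compared against a small advisory database, and every package installed below the fixed version is reported together with the advisory’s mitigation. The advisory ids, versions and inventory are constructed placeholders, and the example also shows why versions must be compared numerically rather than as strings.

```python
from typing import NamedTuple

class Advisory(NamedTuple):
    package: str
    fixed_in: str       # first version that carries the fix
    advisory_id: str    # placeholder ids below, not real CVE numbers
    mitigation: str

# Constructed sample advisory database and host inventory.
ADVISORIES = [
    Advisory("httpd", "2.4.58", "ADV-EXAMPLE-1", "upgrade httpd to 2.4.58 or later"),
    Advisory("openssh", "9.6", "ADV-EXAMPLE-2", "upgrade openssh to 9.6 or later"),
    Advisory("php", "8.2.14", "ADV-EXAMPLE-3", "upgrade php to 8.2.14 or later"),
]
INVENTORY = {"httpd": "2.4.57", "openssh": "9.6", "php": "8.2.9", "bind": "9.18.20"}

def version_key(version):
    """Compare versions numerically so that 2.4.10 sorts after 2.4.9 (as strings it would not)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))

def scan(inventory, advisories):
    """Return (package, installed, advisory_id, mitigation) for every missing patch."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue  # package not present on this host, advisory does not apply
        if version_key(installed) < version_key(adv.fixed_in):
            findings.append((adv.package, installed, adv.advisory_id, adv.mitigation))
    return findings
```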
Remotely Administering a Server
Remote administration of a server should be allowed only after careful consideration of the risks. The risk of allowing remote administration varies considerably depending on the location of the server on the network. For a server located behind a firewall, remote administration can be performed relatively securely from the internal network, but not without additional risk. Remote administration should generally not be allowed from a host outside the organization’s network unless it is performed from an organization-controlled computer through the organization’s remote access solution, such as a VPN.
Kanoo Elite ensures that you never miss an important alert. With deep integration into monitoring tools, ticketing, and chat, we help you route alerts, filter noise, and notify you over multiple channels, providing the information your team needs to get started quickly. We help you track everything related to notifications and events, using powerful reporting and statistics to identify the source of most alerts, your team’s performance in acknowledging and resolving them, and how the workload is distributed. Kanoo Elite, with its years of experience in providing security services and enhancing security frameworks, is a one-stop shop for achieving a strong server security posture.