4.6 Ops
04. Server Hardening

1. Server Hardening:
1. Every server in every rack is configured to do one and only one job in a safe and secure way - a technique called "hardening".   Hardening means that security is built into the hardware and system software at every layer.   This is not just desirable, it is mandated to automatically resist the hundreds of attacks that take place every day.

2. BIOS:
1. Hardening begins at the BIOS level because if an agency was to physically get hold of a server, they may otherwise be able to hack the machine from its BIOS.
2. Disable the machine's ability to boot from anything other than its encrypted hard disk.
3. Disable all USB ports and media ports - no external device is permitted.
4. Assign a long and unique password to the BIOS so nobody can change the settings.

3. Hard Disk:
1. Hardening means the hard disk cannot be taken out and put in a different machine to be read.
2. The hard disk is fully encrypted with a long and unique password.
3. The hard disk is partitioned so programs and data can be in their own partitions.
4. The root directory is locked so it cannot be changed by malware.
5. Owner and User permissions are assigned and set to require authentication for every service.
6. Disable everything not needed like USB ports.

4. Operating System:
1. Hardening means that expert hackers must not be able to gain access via a vulnerability.
2. Remove and disable most services such as printing - very few services are actually needed to do one job.
3. Close all ports and open just the port that is needed.
4. Enable SSH secure working but change its port from 22 to some random port like 1234.
5. Disable remote root access.
6. Disable all other users except the one approved (Eliza) user.
7. Prevent all configuration files from being changed by any other user.
8. Enforce security on all services - nothing changes - patches are disabled.
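The SSH items above (a non-default port, no remote root login, a single approved account) can be checked against a server's sshd_config before the machine goes into the rack. The following POSIX shell script is an added example and is not part of this document; it writes two constructed sample configurations to temporary files, and the account name "eliza" stands in for the one approved user.

```shell
#!/bin/sh
# Added example: audit an sshd_config against this page's operating-system items.
# "eliza" stands in for the single approved account; both config files are
# constructed samples written to temporary files, not real server configuration.

# sshd_setting FILE KEYWORD -> the value sshd would use. sshd honours the FIRST
# uncommented occurrence of a keyword, so a later duplicate line is ignored.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# sshd_findings FILE -> one line per deviation from the page's settings
sshd_findings() {
    port=$(sshd_setting "$1" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: still the default 22 (page: move to a non-default port)"
    fi
    if [ "$(sshd_setting "$1" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin: remote root login is not disabled"
    fi
    # AllowUsers must list exactly one account; count the fields after the keyword
    users=$(awk '$1 !~ /^#/ && tolower($1) == "allowusers" { print NF - 1; exit }' "$1")
    if [ "${users:-0}" != "1" ]; then
        echo "AllowUsers: must name exactly one approved account (found ${users:-0})"
    fi
}

# count_sshd_findings FILE -> number of findings; 0 means the file matches the page
count_sshd_findings() {
    sshd_findings "$1" | wc -l | tr -d ' '
}

weak_conf=$(mktemp)
hard_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$hard_conf"' EXIT

# Constructed sample 1: a stock-looking config (Port only present as a comment).
cat > "$weak_conf" <<'EOF'
#Port 22
PermitRootLogin yes
X11Forwarding yes
EOF

# Constructed sample 2: the settings this page asks for.
cat > "$hard_conf" <<'EOF'
Port 1234
PermitRootLogin no
AllowUsers eliza
EOF

for f in "$weak_conf" "$hard_conf"; do
    echo "== $f: $(count_sshd_findings "$f") finding(s)"
    sshd_findings "$f"
done
```

On a live host, `sshd -T` prints the effective configuration after all defaults and Match blocks are resolved, which is the safer input for this kind of check than the raw file. AllowUsers also accepts `user@host` patterns, so the IP-locked accounts called for in the Permissions section can be expressed in the same line.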

5. Network:
1. Hardening means that servers are connected only to other servers in the rack, so most servers cannot be attacked from the Internet.
2. Disable IP forwarding.
3. Disable redirects and send packet redirects.
4. Disable bad error message protection - criminals attack error handling services.
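On Linux the three network items above map to kernel sysctl keys (net.ipv4.ip_forward, the accept_redirects and send_redirects keys, and net.ipv4.icmp_ignore_bogus_error_responses, which at 1 makes the kernel ignore bogus ICMP error responses, the protection the last item is about). The script below is an added example, not part of this document: it checks a sysctl.conf-style file against that baseline, using two constructed sample files.

```shell
#!/bin/sh
# Added example: check a sysctl.conf-style file against this page's network items.
# The file contents below are constructed samples, not any real server's settings.

# Desired kernel settings, key=value per line. Both the "all" and "default"
# interface keys are listed so new interfaces inherit the setting too.
NET_BASELINE='
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
'

# sysctl_value FILE KEY -> value the file sets for KEY ("key = value" or "key=value").
# When a key appears twice the later line wins, because sysctl -p applies lines in order.
sysctl_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # comment lines
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)     # trim whitespace around key and value
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# sysctl_findings FILE -> one line per baseline key that is missing or set differently
sysctl_findings() {
    printf '%s\n' "$NET_BASELINE" | while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key: want $want, file has ${have:-<unset>}"
    done
}

count_sysctl_findings() {
    sysctl_findings "$1" | wc -l | tr -d ' '
}

before_conf=$(mktemp)
after_conf=$(mktemp)
trap 'rm -f "$before_conf" "$after_conf"' EXIT

# Constructed sample 1: leftover router-style settings.
cat > "$before_conf" <<'EOF'
# forwarding left on from an old role
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.icmp_ignore_bogus_error_responses = 0
EOF

# Constructed sample 2: the hardened file. The duplicated ip_forward line shows
# that the last value in the file is the one that takes effect.
cat > "$after_conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF

for f in "$before_conf" "$after_conf"; do
    echo "== $f: $(count_sysctl_findings "$f") finding(s)"
    sysctl_findings "$f"
done
# On a live host: "sysctl -p FILE" loads the file and "sysctl -n KEY" reads one value back.
```

Checking the file catches drift in what will be applied at boot; reading the running values back with `sysctl -n` after loading confirms the kernel actually took them.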

6. Passwords:
1. Hardening means exceptionally good documentation with thousands and thousands of long and complex passwords.
2. Enable a strong password policy with a minimum length of 24 and typical length of 32 characters.
3. Enable password encryption using SHA512 or SHA2048.
4. Enable an extra layer of encryption using little known methods.
5. Enable silent deny after four attempts for 20 hours.
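On Linux, item 3 corresponds to ENCRYPT_METHOD SHA512 in /etc/login.defs, after which every stored hash in /etc/shadow starts with `$6$`. The script below is an added example, not part of this document: it reads a shadow-format file and reports accounts whose hash is not SHA-512 crypt, including the worse case of an empty password field. The shadow lines are constructed and the hash strings are placeholders; "eliza" again stands in for the approved account.

```shell
#!/bin/sh
# Added example: find accounts in a shadow-format file whose stored hash is not
# SHA-512 crypt. The sample below is constructed; the hash strings are placeholders.

# shadow_findings FILE -> one line per account that does not meet the SHA512 policy.
# Field 2 of /etc/shadow is the hash: "$6$" marks SHA-512 crypt, "$5$" SHA-256,
# "$1$" MD5, and "!" or "*" a locked or no-login account with nothing to hash.
shadow_findings() {
    awk -F: '
        NF < 2 { next }
        {
            name = $1; hash = $2
            if (hash == "")      { print name ": empty password field, logs in without a password"; next }
            if (hash ~ /^[!*]/)  { next }
            if (hash ~ /^\$6\$/) { next }
            if (hash ~ /^\$1\$/) { print name ": MD5 crypt, far below policy"; next }
            print name ": hash type \"" substr(hash, 1, 3) "\" is not SHA-512 crypt"
        }' "$1"
}

count_shadow_findings() {
    shadow_findings "$1" | wc -l | tr -d ' '
}

sample_shadow=$(mktemp)
trap 'rm -f "$sample_shadow"' EXIT

# Constructed sample: one compliant account, one locked root, one MD5 and one
# SHA-256 hash, one account with an empty password field, one no-login account.
cat > "$sample_shadow" <<'EOF'
root:!:17000:0:99999:7:::
eliza:$6$saltsalt$PLACEHOLDERHASH:17000:0:99999:7:::
legacy:$1$abc$PLACEHOLDERHASH:17000:0:99999:7:::
svc:$5$abc$PLACEHOLDERHASH:17000:0:99999:7:::
oops::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
EOF

echo "$(count_shadow_findings "$sample_shadow") finding(s):"
shadow_findings "$sample_shadow"
```

Reading the real /etc/shadow needs root. Existing hashes are not rewritten when the method changes; each is replaced at the user's next password change, which is why a check like this is worth running after the policy is set. The other items of this section map to PAM on the same host: pam_pwquality takes `minlen=24` for item 2, and pam_faillock takes `silent deny=4 unlock_time=72000` for item 5 (20 hours is 72000 seconds).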

7. Permissions:
1. Hardening means that one IP-locked root administrator account and one IP-locked user account are used.
2. Disable system accounts for non-root users.
3. Root administration can only be accepted from the local bastion server and no other machine.

8. Simplify:
1. Hardening means using far fewer services than are available.
2. Core dumps must be disabled and programs removed to prevent memory with encryption keys from being viewed.
3. Error handling serves no purpose because the machine must operate without any interruption for up to two years.
4. Display drivers can be removed. Audio drivers can be removed.
5. A normal Microsoft Windows computer may normally operate with hundreds of active programs running - 90% must be removed to make the machine safe and secure.
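Item 2 (no core dumps, so memory holding encryption keys is never written to disk) is enforced on Linux at two levels: the per-process core-file size limit, set with `ulimit -c` or a `hard core 0` entry in /etc/security/limits.conf, and the kernel sysctl fs.suid_dumpable=0 for set-uid programs. The script below is an added example, not part of this document: it sets the limit in a subshell and reads it back, and checks a constructed limits.conf-style file for the `* hard core 0` entry.

```shell
#!/bin/sh
# Added example: disable core dumps in the current shell and verify the result, and
# check a limits.conf-style file for the matching hard limit. Files are constructed samples.

# core_limit_after_hardening -> what `ulimit -c` reports once the hard and soft
# core-file limits are both 0. Run in a subshell so the caller's limits are untouched.
core_limit_after_hardening() {
    ( ulimit -H -c 0 && ulimit -S -c 0 && ulimit -c )
}

# limits_core_hardened FILE -> "yes" if the file has an uncommented "* hard core 0"
# entry (columns: domain type item value), otherwise "no".
limits_core_hardened() {
    awk '$1 !~ /^#/ && $1 == "*" && $2 == "hard" && $3 == "core" && $4 == "0" { found = 1 }
         END { print (found ? "yes" : "no") }' "$1"
}

limits_before=$(mktemp)
limits_after=$(mktemp)
trap 'rm -f "$limits_before" "$limits_after"' EXIT

# Constructed sample 1: a developer-style file that allows unlimited dumps.
cat > "$limits_before" <<'EOF'
# /etc/security/limits.conf
* soft core unlimited
EOF

# Constructed sample 2: dumps disabled for every account; the soft limit cannot
# be raised above the hard limit, so "hard core 0" is the one that matters.
cat > "$limits_after" <<'EOF'
# /etc/security/limits.conf
* hard core 0
* soft core 0
EOF

echo "core limit in hardened shell: $(core_limit_after_hardening)"
echo "before: $(limits_core_hardened "$limits_before"), after: $(limits_core_hardened "$limits_after")"
```

The limits.conf entry only applies to sessions that go through PAM; services started directly by the init system need the same limit in their own unit or service configuration, and `ulimit -c` inside the service's shell is the quickest way to confirm what it actually got.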

9. Application Stack:
1. Hardening means that one application program with one line of code must exist in the domain root folder.
2. A few other directive files must also exist to tell search engines to go away.
3. The criminal has one and only one program to attack - only one program needs to keep safe and secure.

Document Control:
1. Document Title: Server Hardening.
2. Reference: 164604.
3. Keywords: Server, Hardening, Security, Configuration.
4. Description: Every server is locked down to do one and only one job.
5. Privacy: Shared with all approved people.
6. Issued: 11 Nov 2016.
7. Edition: 1.2.