Your business runs on servers. Without your DNS server, your users wouldn’t be able to connect to online resources. Without your proxy servers, your local networks would be visible across the public internet. Without your database servers, your organization wouldn’t be able to execute the queries that enable them to make data-driven decisions. Since servers are critical to business operations, threat actors value them. Whether seeking to steal the sensitive data stored in database servers or disrupt operations by flooding your DNS server, malicious actors know that server attacks can help them achieve their objectives.
Knowing how to implement server security and monitor for suspicious activity is critical to your organization’s data protection and compliance goals.
What is server security?
Server security is the combination of hardware and software controls that protect servers and the sensitive data they store from unauthorized access, theft, or manipulation.
The three fundamental security requirements for servers are:
- Access controls: requiring users to create a strong password and limiting access according to the principle of least privilege
- Patch management: regularly checking for and installing security updates for operating systems and applications so attackers can’t exploit vulnerabilities
- Firewalls/network security: controlling, monitoring, and analyzing inbound and outbound traffic to identify and block suspicious activity
Why is securing servers important?
Since your servers store and manage critical data and applications, they are essential to business operations. Prioritizing server security is business critical for several reasons:
- Protecting sensitive data: Servers store non-public information (NPI) like corporate financial information, bank account data, medical records, names, birth dates, social security numbers, and intellectual property.
- Preventing downtime: Server attacks can cause system outages that lead to expensive business disruption.
- Protecting reputation: News reports about data breaches undermine customer trust and loyalty, leading to churn.
- Compliance violations: Data breaches can lead to penalties arising from non-compliance with data protection laws like the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
What are common server security issues?
Having a basic understanding of the common server security issues enables you to put risk mitigation controls in place.
Default admin passwords
Since most server manufacturers have their manuals online, malicious actors can easily know or guess the default administrative password.
Weak passwords
Threat actors often deploy credential-based attacks, like brute force or dictionary attacks, against servers to exploit poor password hygiene.
Known vulnerabilities
Malicious actors regularly exploit servers’ known vulnerabilities. For example, in January 2023, more than 60,000 Microsoft Exchange servers remained vulnerable to the ProxyNotShell vulnerability that attackers could use to escalate privileges on compromised servers.
Misconfigured access controls
Internal users with too much access can view or edit sensitive data, leading to a data breach.
Misconfigured firewalls
Misconfigurations can create gaps in network monitoring that fail to identify or block unauthorized traffic from outside your company’s network.
Malware and Viruses
Threat actors often deploy malware or viruses on servers for various reasons. Malware can be used to transmit sensitive data to the attackers’ command and control (C2) server. Malicious actors also deploy malware or viruses to use servers as part of botnets that enable them to facilitate distributed denial of service (DDoS) attacks.
Steps to securing the server
To mitigate security and privacy risks, you should implement controls that allow you to protect against the most common server security issues.
Secure the connection
To protect sensitive information, you need to create secure network connectivity that includes:
- Using properly conifigured, valid SSL/TLS certificates to encrypt the connection
- Limiting network communications to necessary connections only
- Implementing multi-factor authentication (MFA) for server login
- Using a virtual private network (VPN) or proxy server to encrypt data-in-transit
Configure the firewall
When configuring your firewall, you should make sure that you:
- Restrict access to the server’s network ports and protocols
- Configure default settings to block all incoming traffic
- Require strong, complex passwords for login credentials
- Regularly check for and install security updates for the firewall’s software
Establish patch management policy
Since attackers look for vulnerabilities to exploit, establishing and enforcing a patch management policy for servers is a critical security control. When establishing the patch management processes, you should:
- Have an inventory of all servers
- Regularly scan networks for vulnerabilities
- Establish a schedule for updating operating systems, applications, firmware, drivers, and hypervisors
- Prioritize identified vulnerabilities based on various factors, including how easily attackers can exploit them, how long they’ve been known, and whether the server accesses the public internet
Disable or remove unnecessary services
Each service running on the server expands your attack surface. For example, some system servers that you can disable on a Windows server include:
- Distributed link tracking client
- Distributed transaction coordinator
- IP helper
- Network list service
- Network location awareness
- Remote access auto connection manager
- SSDP discovery
- Telephony
Logging and Monitoring Server Events
By logging and monitoring server events, you can maintain uptime and reduce security risks.
For example, logging and monitoring enables you to:
- Detect suspicious activity that may indicate a security incident
- Identify performance issues that can indicate a security incident
- Investigate a security incident
- Comply with data protection laws that require logging
Some best practices for monitoring server security include:
- Using a centralized log management platform for monitoring multiple servers to save time and reduce human error risks.
- Defining key events and metrics for monitoring, like CPU usage, memory usage, network traffic, and authentication events.
- Storing log files on a different server to keep attackers from tampering with them
- Creating high-fidelity alerts for specific events, like too many failed logins
Graylog Security: Monitoring Server Security
Built on the Graylog Platform, Graylog Security gives you the features and functionality of a SIEM while eliminating the complexity and reducing costs. With our easy to deploy and use solution, you get the combined power of centralized log management, data enrichment and normalization, correlation, threat detection, incident investigation, anomaly detection, and reporting. Our high-fidelity alerts enable you to reduce alert fatigue so that you can focus on the most meaningful activities in your environment, ultimately reducing data breach risks. Our lightning-fast search means that you can get the answers you need when you need them.
With Graylog Security’s prebuilt content, you don’t have to worry about choosing the server log data you want because we do it for you. Graylog Illuminate content packs automate the visualization, management, and correlation of your log data, eliminating the manual processes for building dashboards and setting a
