Server Security Checklist – Process Street

Introduction:

Securing each one of your servers is an important step towards total network security, and you should take some time to consider whether or not you're doing the best job you can to cover all your bases and keep your servers as secure as possible.

It can be difficult to keep track of all of that information; doing all of the research required to stay up to date with the latest best practice protocols, compliance regulations, and security threats is no small task.

What's more, many organizations have poor processes in place when it comes to server security, and very few of them even consider that server security is a process which should be maintained and iterated upon.

Worry not - we've made this checklist to catch all of the common doubts and problems that you might have when considering your process for server security; you can even customize this checklist template to suit your specific needs with our editor.

Without further ado, let's get right to it.

Server identification:

Record basic details

Kicking off the server security checklist, you need to input some details about the server setup and the person who's doing it. 

Just make sure to fill in all of the form fields below.

Physical security:

Ensure the server location is secure

Securing the actual physical location of the server is one of the most important parts of any server security process - that's why it's first in this checklist. 

The concept is simple - just like virtual access, physical access must be as secure as possible.

We've outlined the steps in the sub-checklist below:

  • 1
    Make sure keys to the server room are kept secure
  • 2
    Keep a record of everyone who has access to the server room
  • 3
    Test the server room and locker keys
  • 4
    Be sure that as few people as functionally possible have copies of these keys

Patching and server maintenance:

Update service packs and patches

Updating in Ubuntu is as simple as running a command-line application.

Just open the terminal and enter this command:

 sudo apt update && sudo apt upgrade

After the updates have finished downloading and have all been applied, restart the server so that the updated kernel and running services actually pick up the changes.

Event logs:

Check event log monitoring is properly configured

Event logging is extremely important for accountability - so that you can check which users did what during any given security incident.

Almost all actions on the server should be logged, from user login times and access points, to file transfers, website access, configuration changes and application executions.

The tasks are outlined in the sub-checklist below; check off each one as you progress and state your opinion on the current event log monitoring process with the drop-down form field.

  • 1
    Check that all user account logins are being recorded
  • 2
    Check that all system configuration changes are being recorded
  • 3
    Check that shut down mode is enabled for sensitive event log alerts
  • 4
    Check that all event log data is being securely backed up

Evaluate event log monitoring process

If you feel that the current process for event log monitoring is inadequate, then you should provide feedback in this task. 

Perhaps certain data was omitted from the logs; or you couldn't access the backup files; or maybe you believe a different strategy would be more effective within the current organization setup - whatever it is, record your thoughts in the form field below.

Check remote access logs

Remote access logs must be reviewed regularly to ensure that only those with relevant privileges are accessing the server remotely.

Unusual remote access activity could be a sign of malicious actors attempting to access your server.

Keep watch for any users logging on under suspicious circumstances, such as signing into the system despite already being in the office working, or accessing the server during the middle of the night.

Investigate remote access activity

Any suspicious activity you notice in your remote access logs should be flagged and followed up with accordingly.

This might involve contacting the account owner and asking them about the incident and checking to see what kind of activity was happening at that time.

Check off all the sub-tasks in the sub-checklist below to make sure any suspicious activity is investigated accordingly.

  • 1
    Suspicious activity is flagged and documented
  • 2
    Suspected account privileges temporarily frozen
  • 3
    Check what data they were accessing at that time
  • 4
    Check their alibi at the time of the incident
  • 5
    Ask the owner of the account about the incident
  • 6
    Preventative action taken to ensure data/account security
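For the two tasks above (reviewing remote access logs for logins at odd hours, then following up on the accounts involved), here is an added example that is not part of the Process Street checklist: two small awk filters over syslog-style sshd lines that flag logins accepted outside business hours and count the distinct source addresses each user has connected from. The business-hours window and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Process Street checklist: flag sshd logins that
# were accepted outside business hours and count distinct source addresses per
# user in syslog-style auth-log lines.

# Business hours in server-local time are an assumption; adjust to your site.
WORK_START=8
WORK_END=18   # exclusive

# Constructed sample lines standing in for /var/log/auth.log.
SAMPLE_AUTH_LOG='Mar 12 09:14:07 srv1 sshd[1201]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: RSA SHA256:abc
Mar 12 02:41:19 srv1 sshd[1320]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
Mar 12 10:05:33 srv1 sshd[1402]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
Mar 12 23:58:02 srv1 sshd[1510]: Accepted publickey for alice from 203.0.113.77 port 51300 ssh2: RSA SHA256:abc
Mar 13 14:30:00 srv1 sshd[1600]: Accepted publickey for carol from 203.0.113.5 port 51401 ssh2: RSA SHA256:def'

# Read auth-log lines on stdin; print "user date time source" for every accepted
# login whose hour falls outside WORK_START..WORK_END.
flag_offhours_logins() {
  awk -v start="$WORK_START" -v end="$WORK_END" '
    / sshd\[[0-9]+\]: Accepted / {
      split($3, t, ":"); hour = t[1] + 0
      for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") src = $(i+1) }
      if (hour < start || hour >= end) print user, $1, $2, $3, src
    }'
}

# Read auth-log lines on stdin; print "user <distinct source count>" so that a
# user appearing from several addresses can be followed up with the owner.
sources_per_user() {
  awk '/ sshd\[[0-9]+\]: Accepted / {
      for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") s = $(i+1) }
      seen[u, s] = 1 }
    END { for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }; for (u in n) print u, n[u] }'
}

# Runs the off-hours check over the constructed sample; on a live host pipe
# /var/log/auth.log into the functions instead.
offhours_count() { printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_offhours_logins | wc -l | tr -d ' '; }
```

On the sample, bob's 02:41 login and alice's 23:58 login are flagged, and alice shows up from two different addresses, which is the kind of entry to raise with the account owner.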

System integrity control:

Evaluate server configuration control process

Next, make sure that there is a process in place for changing system configurations.

If that process already exists, you should consider whether or not it's adequate, and how you might improve upon it.

  • 1
    Evaluate whether current change control process is adequate
  • 2
    Consider whether or not it could be improved

Revise server configuration control process

If you feel the current server configuration control process could be updated, you should suggest some improvements in the form field below.

Limit changes to start-up processes

Regular users should not be able to tamper with start-up processes, such as antivirus software and certain server scripts. 

Complete the sub-checklist tasks below, checking each item off as you go.

  • 1
    Ensure start-up processes are configured correctly
  • 2
    Remove unnecessary startup processes
  • 3
    Ensure regular users cannot change system startup configuration

Remove unused software and services

On Debian-based systems such as Ubuntu, apt keeps track of packages that were pulled in only as dependencies and are no longer needed by anything installed; remove them, together with their configuration files, by running this command in the terminal:

 sudo apt autoremove --purge

Anti-virus and anti-malware:

Run a full system anti-virus scan

Launch whatever antivirus or antimalware tools you have installed and run a full system scan. 

The steps are outlined below; follow and check each one off as you complete the sub-task.

  • 1
    Launch your antivirus software control panel
  • 2
    Start a full system scan
  • 3
    Isolate and quarantine threats detected

Configure server firewall

Review your firewall security settings and make sure everything is properly configured.

Check that all filters are enabled, as well as alerts, traffic log analysis, and user permit rules.

Review the sub-checklist below and be sure that you've done each task.

  • 1
    Check anti-spoofing filters
  • 2
    Check system administrator alert settings
  • 3
    Check user permit rules
  • 4
    Check system traffic log analysis

Authentication and access controls:

Enforce strong authentication for all admins

Now you need to configure two-factor authentication for all users with root or administrator system privileges. Users that have been recently granted these privileges will need to be reminded to activate 2FA.

You can use the Admin Control Panel in Google Apps to see who has 2FA enabled within your organization.

Follow the sub-checklist below to check whether there are users who aren't 2FA activated yet.

  • 1
    Sign in to your Google Admin console
  • 2
    Click "Reports"
  • 3
    Click "Security"

Check if there are admin or root users who don't have 2FA enabled and record what you find below.

Send a reminder to activate strong authentication

For any new admin or root users, you can send a friendly reminder email about how and why they should enable 2FA.

Lucky for you, this checklist contains a pre-formatted email for issuing a 2FA reminder, auto-filled with the relevant details to make your life easier. 

Before sending this off, make sure you set the deadline date for 2FA activation.

All that's left for you to do is input the emails of the users who need to be reminded, then once everything looks good, hit "Send".

Remove inactive user accounts

Simply put, you will need to disable or remove all user accounts that haven't been active in the last 3 months.

On Linux systems, you can run this simple command in the terminal to list the accounts whose last login was more than 90 days ago (the -b option shows entries older than the given number of days; accounts that have never logged in are listed as well).

lastlog -b 90

After you've reviewed this list, run the following command to print the output to a text file and disable all the user accounts listed:

lastlog -b 90 | tail -n+2 | grep -v 'Never log' | awk '{print $1}' | tee -a ~/usermod-L.log | xargs -I{} sudo usermod -L {}
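The one-liner above locks every account it lists, including root or service accounts that happen to have an old login entry. The following added example (not part of the Process Street checklist) is a dry-run variant that skips UIDs below 1000 and an assumed allowlist of break-glass accounts, and prints the usermod commands for review instead of running them; the lastlog output and passwd table it works on are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Process Street checklist: a dry-run variant of the
# lastlog pipeline that skips system accounts and an allowlist and prints the
# usermod commands for review instead of running them.

# Constructed stand-in for "lastlog -b 90" output (last login over 90 days ago).
SAMPLE_LASTLOG='Username         Port     From             Latest
root             tty1                      Mon Nov  4 09:12:01 +0000 2024
alice            pts/0    203.0.113.5      Fri Aug  2 08:30:11 +0000 2024
bob                                        **Never logged in**
www-data                                   **Never logged in**
backup-svc       pts/1    10.0.0.5         Tue Jul 16 03:00:00 +0000 2024
ops-oncall       pts/3    10.0.0.9         Mon Jul  1 07:00:00 +0000 2024
dave             pts/2    198.51.100.7     Wed Jul 24 17:45:09 +0000 2024'

# Constructed stand-in for "getent passwd"; on a real host use
# PASSWD_TABLE="$(getent passwd)" instead.
PASSWD_TABLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
backup-svc:x:999:999::/var/backups:/usr/sbin/nologin
ops-oncall:x:1000:1000::/home/ops-oncall:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash'

# Break-glass accounts this check must never lock (assumed list; adjust locally).
ALLOWLIST="ops-oncall"

# Read lastlog output on stdin; print one human account per line, skipping the
# header, never-logged-in rows, UIDs below 1000 (root and system accounts) and
# anything on the allowlist.
stale_accounts() {
  tail -n +2 | grep -v 'Never log' | awk '{print $1}' |
  while read -r user; do
    uid=$(printf '%s\n' "$PASSWD_TABLE" | awk -F: -v u="$user" '$1 == u {print $3}')
    [ -n "$uid" ] && [ "$uid" -ge 1000 ] || continue
    case " $ALLOWLIST " in *" $user "*) continue ;; esac
    printf '%s\n' "$user"
  done
}

# Dry run: emit the lock commands; pipe into "sudo sh" only after reviewing them.
lock_commands() {
  stale_accounts | awk '{print "usermod -L " $1}'
}

# Runs the check over the constructed sample; on a live host use
# "lastlog -b 90 | lock_commands".
sample_stale() { printf '%s\n' "$SAMPLE_LASTLOG" | stale_accounts; }
```

On the sample this reports only alice and dave: root, www-data and backup-svc are skipped by UID, bob has never logged in, and ops-oncall is allowlisted.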

Review administrator access

Make sure that membership of both the admin and superadmin groups is restricted to as few users as possible without causing any problems. 

It's common for sysadmins to be the ones holding admin rights in this kind of scenario, but be sure to double check exactly who in the organization does or doesn't require admin privileges.

  • 1
    Consider who does not need admin or superadmin privileges
  • 2
    Consult with them about why they might need these privileges
  • 3
    Make changes to admin or superadmin accounts as necessary

Backups and restore points:

Check server data is being routinely backed up

Make sure server data is being completely backed up on a regular basis. Ideally, this process will already be automated, so it may just be a case of checking everything is working as it should be.

All critical systems data should be included in the backup process, and you should be backing up the data in at least three separate locations to ensure fault tolerance and contingency against accidents and unexpected damage.

The process for securely backing up your data is as follows:

  • 1
    Check backup logs to ensure regular backups are being created
  • 2
    Back up server data onto local drive
  • 3
    Back up server data onto secondary local drive
  • 4
    Ensure secondary drive is stored at a secure separate location
  • 5
    Back up server data to a cloud-based storage

Perform a test recovery from a backup image

After making sure everything is being backed up regularly, it's part of security best practice to test that your recovery images are working as expected.

  • 1
    Take three of the most recent backup images
  • 2
    Attempt to access data from all three backup images

Once you've tested the recovery images, record what you observe in the form field below.

Review your backup process

If there are problems with the test images, then you should perform extensive testing to get to the root of the problem.

This may include re-making and re-testing system-wide backup images or switching the backup process that's currently in use to a new one.

  • 1
    Troubleshoot the whole backup process
  • 2
    Evaluate what might have caused the problem
  • 3
    Test alternative solutions to the problem at hand
  • 4
    Update your backup process accordingly

Risk management:

Check for hardware replacement and retirement

Last but not least, the hardware.

Neglecting the machines your server systems are running on will inevitably affect performance in a bad way, and unexpected downtime or drive failures pose potential security liabilities. It's worth keeping on top of things with regular maintenance checks.

Check out our Server Maintenance Checklist for the complete process, but the least you can do is check and replace any damaged or precariously aged drives in your RAID setup so that the array's fault tolerance doesn't fail on you.

  • 1
    Check for old or faulty local storage drives
  • 2
    Remove old or faulty drives
  • 3
    Install compatible replacement drives

Once you've made sure all the server's hardware is up to scratch, you're done with this checklist.
