Hardening Network Servers
Copyright 2021, Faulkner Information Services. All
Publication Date: 2103
Report Type: TUTORIAL
To protect enterprise networks from attacks, network servers
(specifically, network server operating systems) can be hardened, that is,
rendered more resistant to unauthorized access and manipulation. To harden
a server, an IT administrator must, at the very least, remove unnecessary
services, applications, and network protocols; enforce strong user
authentication; and establish appropriate resource controls. There are
also many other steps that can be taken, especially for servers with
An important action that an organization can take to protect its critical
networked assets is to “harden” servers.
Hardening consists of closing those openings within the operating system
that hackers could penetrate. Some hardening steps include closing unused
ports, disabling unused services, and installing tested and approved
vendor patches. In addition, a hardening policy should be a part of
enterprise-wide policies and procedures to keep the network secure.
Before starting the process, administrators need to assess the impact of
hardening on server operating systems and the network. Today, hackers
threaten not only network servers, but also virtual servers, cloud
computing services, and server clusters. Additionally, remote users,
threats caused by flawed software or hardware, installation of untested
patches, and inadequate physical security all pose unique risks. With
these considerations in mind, the step-by-step hardening process can
Some recommendations to harden servers against risks include installing
servers behind a firewall, monitoring patches and logs, and developing an
enterprise security policy for the organization. Table 1 provides a brief
overview of a hardening action plan.
| Disable unused network services on the | To eliminate security exposures related to unused and unneeded software. |
| Identify and remove unnecessary | To mitigate flawed, untested, and |
| Implement a strong user account policy. | To mitigate the possibility of username and password hacking. |
| Keep the server behind a firewall. | To provide a barrier between hackers and |
| Install monitoring and intrusion | To continuously safeguard against and thwart suspicious or improper network activity. |
| Regularly monitor logs and vendor | To detect and respond to server security |
| | To promptly test and install relevant security patches. |
| Run a vulnerability scan on the host. | To detect and remove open ports and |
| Audit for standards and regulatory | To comply with information security and privacy regulations where applicable. |
Many common security problems can be avoided by hardening servers before
they are exposed to a network. Hardening is a process that helps protect
servers from hacker attacks.
Hardening starts with locking down vulnerable default configurations
during the installation of a server operating system. For instance,
Microsoft recommends first ensuring the following when hardening Windows
- “The base install of all operating system and post-operating system
software comes from a trusted source.
- “Servers are only connected to a completely trusted network during the
install and hardening processes.
- “The base install includes all current service packs and is reasonably
current with regard to post-service pack updates.
- “After the base install finishes, you must update the target servers.”1
But hardening is also an ongoing process. One source of change is that
operating systems evolve, adding new features and opening novel
vulnerabilities. For example, Windows 2019 Server includes new security
capabilities and configuration parameters.2 To effectively
harden any particular server, administrators must understand in detail its
configuration options and how they interact with the technology
environment in which the server resides.
When an operating system is breached or holes are discovered, patches are
released by vendors and sometimes by third parties. The patching process
- Has the patch release been timely?
- Has the patch been tested by the vendor or a qualified third party?
- Does an organization have a policy regarding applying patches?
The handling of default configurations and patches is only part of the
process. New and existing servers are audited and hardened too, as
- A new server is built with a known secure operating environment and is
audited for compliance with a baseline security guideline, and any
deviations are fixed by applying operating system patches, removing
network services, and installing other known secure utility software.
- An existing computer system is audited for common security
vulnerabilities, and the uncovered vulnerabilities are fixed by applying
operating system patches, removing network services, and installing
other utility software.
Server hardening also involves many tasks at both the host and network
- Securing the network infrastructure
- Securing the server’s operating system
- Securing applications
- Running frequent vulnerability scans on the host
- Developing a disaster recovery and backup strategy
- Installing and using monitoring tools
As depicted in Figure 1, when a network server is secured, various secure
configurations and settings need to be separated into categories to ensure
that all gaps are closed. With this approach, when, for example, new
software is installed onto servers, an evaluation of the impact on all
security settings can be considered for all critical points. For instance,
if the software creates new accounts, it may impact existing secure
services or add services by default. These should be evaluated for overall
impact on the system and the network.
Figure 1. Server Security Categories
When preparing for network server hardening, organizations should
consider the following.
Patches and Updates
Patching and updating a network server’s software is the first step
toward securing the server.
Shares. Shares can include storage resources, individual
files, virtual folders, printers, and similar items that have been made
sharable on a network. Share-level security provides access control to a
shared resource based on a password or other access mechanism. Basic
share-level security (i.e., making the password or access pathway well
known) provides far less protection than resource-associated user-level
security, which specifies who or what can access those resources.
Services. The service set is determined by the server
role and the applications it hosts.
Accounts. The number of accounts accessible from a
server should be restricted to the necessary set of service and user
accounts. Many off-the-shelf systems include weak or open account policies
with many accounts that lack passwords or have weak passwords.
Files and Directories. Critical system files and
directories are frequently accessible to all users, regardless of
privilege. This poses a threat from both hackers and uneducated
novices who may make changes unwittingly.
Registry or Configuration Files. On Windows-based
systems, many security-related settings are maintained in the registry.
Active Directory group policies and account configurations are also
critical parts of hardening, as demonstrated in the recent massive attacks
against SolarWinds software.3
On Linux, UNIX, or other systems, they may be maintained as files in
Network devices themselves, such as routers, can also be the target of
hardening efforts, a process that is beyond the scope of this report.4
But network considerations are also involved in the hardening of servers.
In particular, organizations must consider protocols and ports.
Protocols. Many of the services included on stock or
retail systems are network protocols that are unnecessary or unused
and thus present opportunities for security breaches.
Ports. Services running on a server listen on specific
ports to serve incoming requests. All open ports on a server must be
discovered or previously known and audited regularly to ensure that an
insecure service is not listening and available for communication. In the
worst-case scenario, a listening port is detected that was not opened by
an administrator, i.e., an application or other intruder gained sufficient
access to allow the port to open.
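
One way to run the regular port audit described above, as an added example that is not part of the original report. It parses listener output in the layout printed by `ss -tln` on Linux and compares each listener with an approved baseline; the baseline, the function names and the sample output are assumptions constructed for illustration.

```python
"""Audit listening TCP ports against an approved baseline (added example)."""
import ipaddress

# Hypothetical baseline for a single-role web server: port -> expected service.
APPROVED = {22: "ssh (admin access)", 443: "https"}

# Constructed sample in the layout printed by `ss -tln` (numeric ports).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       511           0.0.0.0:443         0.0.0.0:*
LISTEN  0       244         127.0.0.1:5432        0.0.0.0:*
LISTEN  0       5             0.0.0.0:79          0.0.0.0:*
LISTEN  0       128              [::]:22             [::]:*
LISTEN  0       4096                *:8081              *:*
"""


def parse_listeners(ss_output):
    """Return a sorted list of (address, port) for every LISTEN row."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or a socket that is not listening
        address, _, port = fields[3].rpartition(":")
        address = address.strip("[]").split("%")[0]  # drop brackets and %iface
        listeners.add((address, int(port)))
    return sorted(listeners, key=lambda item: (item[1], item[0]))


def is_loopback(address):
    """True when the socket is reachable only from the host itself."""
    if address == "*":
        return False  # wildcard bind: every interface
    return ipaddress.ip_address(address).is_loopback


def audit(ss_output, approved=APPROVED):
    """Classify listeners as ok, local-only or unexpected; list missing ports."""
    report = {"ok": [], "local_only": [], "unexpected": [], "missing": []}
    seen_ports = set()
    for address, port in parse_listeners(ss_output):
        seen_ports.add(port)
        if port in approved:
            report["ok"].append((address, port))
        elif is_loopback(address):
            # Not exposed to the network, but still worth a review.
            report["local_only"].append((address, port))
        else:
            report["unexpected"].append((address, port))
    # Approved services that are not listening may point to an outage.
    report["missing"] = sorted(set(approved) - seen_ports)
    return report


if __name__ == "__main__":
    for category, entries in audit(SAMPLE_SS_OUTPUT).items():
        print(f"{category}: {entries}")
```

In the sample, port 79 (finger) and the wildcard listener on 8081 are reported as unexpected, while the database bound to 127.0.0.1 is listed separately because it is not reachable from the network.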
Hardening network servers is a continuous process. IT and security
specialists must always be vigilant to ensure that once a server is
hardened, it remains so. In particular, these specialists should focus
on mitigating common threats ranging from hacker attacks to vandalism and
theft targeting server hardware.
Remote users have the capability to access network resources, including
print servers that are often configured outside of a firewall. In
addition, remote users may lose their laptops or PDAs; in the wrong hands,
these could jeopardize a network along with any information residing on
the portable systems.
An important focus for hardening Windows systems is the Remote Desktop
Connection protocol (formerly RDP or Terminal Services Client).
Organizations may not be able to avoid using this protocol, as it is
needed to provide remote connectivity, but they can limit access to only
authorized users who connect via a VPN rather than the public Internet.5
Software Interactions and Changes
Introducing system and software changes is a continuing challenge;
servers must be hardened to ensure that appropriate services and ports are
active or disabled, not only to prevent hacking but also to allow
existing systems to function properly. If the “new” hardening slows or
stops business critical functions, the result could be as serious as a
Effective patches are invaluable to fix security flaws. But vendors are
sometimes slow to release them, causing third parties to provide a quick
fix with a “rogue” patch. Whether vendor-supplied or rogue, patches
have been known to have flaws or to inadvertently introduce errors. With
vendor patches, one size does not fit all–it is impossible for vendors to
supply a single patch that meets the requirements of millions of unique
configurations. Even a vendor-tested patch may need some tailoring before
approval at an individual site. This is just one more reason that
deploying untested patches to a production environment is risky.
If a disgruntled employee has physical access to a system, he or she can
remove the hard drive or boot from removable media to gain access to data
and applications. In the worst-case scenario, the user may steal the
entire machine itself, reconfigure it, and return it as a highly
The process of server hardening will continue to expand to accommodate
virtual servers. Many datacenters are overcrowded, hosting dozens of
servers connected by miles of cable. Often, these servers are
single-purpose systems, meeting the needs of a single operating system,
information system, user application, or user community. As such,
servers are sometimes under-utilized and over-resourced, considering the
requirements they place on power utilization, air conditioning, floor
space, and IT support services.
To help reduce the size of the enterprise server farm and thus improve
server utilization, many enterprises are embracing server virtualization,
a technique that divides a physical server into multiple virtual servers
(called virtual machines). Server virtualization enables enterprises
to do the following:
- Use fewer physical servers
- Lower server-related power and air conditioning costs
- Recover datacenter floor space normally allocated to server hardware
- Shorten the server data backup process
- Improve server reliability, availability, and serviceability
- Lessen the demand for IT support services
- Decrease the total cost of server ownership
Just as physical servers demand hardening, so do their virtual machine
counterparts. One attempt to address this need comes from the Center for
Internet Security (CIS), which offers hardened Linux and Windows images on
the cloud services marketplaces of AWS, Azure, Google, and Oracle.6
These images can be deployed across the cloud services an organization
uses, with the intent of providing security from the initial deployment,
based on CIS “benchmark standards.”
Hardening is not simply a technical procedure. It is also about adopting
an approach that considers personnel and procedures. “Implement one
hardening aspect at a time and then test all server and application
functionality,” says security consultant Thomas Jung.7 “Your
cadence should be to harden, test, harden, test, etc.” He also recommends
that organizations document all changes as they’re made, so that the
history of configurations is available for reference.
Before following the specific guidance below, an organization should
analyze all of its security needs and create a plan that considers
hardening as part of a full, well-coordinated effort.
Disable Unused Network Services on the Server
If a service is not running, it cannot be attacked. For example, if the
only job a server has is serving Web pages, make sure that mail, file, and
print services are disabled. By limiting the number of running services, a
server may also gain a performance increase as there will be fewer tasks
consuming CPU and memory resources. Many UNIX distributions come with
trivial services installed such as finger, echo, and ntalk. These are
unnecessary and should be disabled.
Common types of services and applications that should usually be removed
if not required (or disabled if they cannot be removed) include the
- File and printer sharing services
- Wireless networking services
- Directory services (e.g., Lightweight Directory Access Protocol
[LDAP], Network Information System [NIS])
- Web servers and services
- Email services (e.g., SMTP)
- Language compilers and libraries
- System development tools
- System and network management tools and utilities, including Simple
Network Management Protocol (SNMP)
- Guest accounts
- Unused accounts (e.g., of former employees)
- Unused daemons and utilities
- Remote login to root access
Keep the Server(s) Behind a Firewall
A firewall will help prevent attackers from gaining information about a
server and a network. A firewall can also add protection by
doing network address translation of IP addresses and by applying IP
filters or MAC address filters. Firewalls should not be treated as a
security panacea, however. They might not detect certain application-based
threats, and they will not prevent an insider from causing damage. When
developing a firewall plan, the firewall team should evaluate the set of
rules governing outside access to certain networks and servers; these
rules should be logically divided into a few categories based on
importance. The most important category would include rules that are
critical to running the organization. If hacker activity increases, for
example, the plan would indicate which categories were less important and
the associated access rules could be shut down. Figure 2 depicts a network
of hardened servers.
Figure 2. Hardening Network Servers
Install Intrusion Protection and Monitoring Tools
Intrusion prevention hardware and software can alert system
administrators when an unauthorized access attempt has begun. Depending on
the complexity and location of the intrusion protection system,
unauthorized accesses can also be redirected or dropped altogether and the
affected systems reconfigured to mitigate a second attack. System
administrators can install additional utilities to help automate the
scanning of log files. There are also utilities available to detect port
scans, Ethernet sniffing, or network mapping. These tools can assist in
the prevention of an attack.
Authenticate, Pick, and Enforce Strong Passwords and Use “Sudo” on UNIX
Authenticate and authorize users before granting access to any system,
application, or resource. Use software that forces users to pick strong
passwords that contain at least one non-alphanumeric character and a
capital letter. Modify the organization’s security policy to make users
change their passwords every few months. Users should not be able to
re-use the same password for at least five changes, for instance. If users
require any administrative privileges, ensure that those activities happen
through the use of the sudo utility on UNIX. Sudo can be configured
to record an audit trail of administrative commands and can enable an
administrator to set up a very granular access control list.
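
The composition and reuse rules above can be enforced at password-change time. The following added example (not from the original report) checks a candidate against both rules and keeps the history as salted PBKDF2 hashes rather than plaintext; the function names, the work factor and the demo passwords are assumptions.

```python
"""Enforce password composition and reuse rules at change time (added example)."""
import hashlib
import hmac
import os

HISTORY_DEPTH = 5        # rule from the text: no reuse for at least five changes
PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-entry salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def composition_errors(password):
    """Check for a capital letter and a non-alphanumeric character."""
    errors = []
    if not any(ch.isupper() for ch in password):
        errors.append("needs a capital letter")
    if not any(not ch.isalnum() for ch in password):
        errors.append("needs a non-alphanumeric character")
    return errors


def reused(password, history):
    """True if the password matches one of the last HISTORY_DEPTH entries.

    Each stored entry has its own salt, so the candidate is re-hashed with
    every stored salt and compared in constant time.
    """
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def change_password(new_password, history):
    """Validate new_password; on success store its hash and trim the history.

    Returns a list of policy violations (an empty list means accepted).
    """
    errors = composition_errors(new_password)
    if reused(new_password, history):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if not errors:
        history.append(hash_password(new_password))
        del history[:-HISTORY_DEPTH]  # keep only the newest entries
    return errors


if __name__ == "__main__":
    history = []  # constructed demo: one user's stored (salt, digest) pairs
    for candidate in ("winter2021", "Winter-2021", "Winter-2021"):
        print(candidate, "->", change_password(candidate, history) or "accepted")
```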
Develop a Comprehensive Security Policy for the Organization
An organization must make many choices when developing its security
policy. The policy should create a baseline of security for all of
the servers in the organization. Administrators must have a well-developed
policy for installing security patches and performing routine
maintenance. An organization must also have a well-developed disaster
recovery policy to recover from a serious situation. All original copies
of media should be retained in case the system needs to recover from an
attack. Restoring from backups could reintroduce a hacker’s backdoors. The
disaster recovery policy should include providing minimal information to
all users if a breach does occur. If a security measure fails, have a
“need-to-know” policy in place and only report sensitive details to those
who need to know.
An organization’s policy may be shaped by regulatory requirements. For
example, the PCI DSS requirement for credit and debit card systems says
the following about hardening: “Develop configuration standards for all
system components. Assure that these standards address all known security
vulnerabilities and are consistent with industry-accepted system hardening
Configure Resource Controls Appropriately
Controlling access to resources in a granular way can help close many
potential holes that a hacker could exploit. A useful way to make it
easier to assign resources is to designate one role for each server rather
than, for example, configuring a single server to be a database and Web
server.10 The configurations of a single-purpose device can be
set to provide only the access needed for its assigned functions.
Controlling the rights of IT staff members is also helpful, as giving all
members of the department the highest level of read and write permissions
creates a security risk. Roles can be created for IT staff members of
different statuses within the organization and for those with specific
responsibilities, limiting rights to what administrators need to do their
Regularly Monitor Logs and Vendor Patches
Administrators must stay on top of the many security issues that arise
daily and be quick to apply patches and fixes; updates can either be
handled manually or by automatic patch management software. For those
without automatic patch management, patches should be tested in a separate
area before installation. In addition, the system should be backed up
before adding patches or making changes.
In addition to patch management software, third-party services are
available that will handle server and patch management. Monitoring system
logs is an important daily activity to identify whether a server has been
compromised or scanned. By analyzing logs, appropriate actions can be
taken to prevent future problems.
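
The automated log scanning mentioned here and in the section on intrusion protection and monitoring tools can be as simple as the following added example, which is not part of the original report. It flags source addresses that produce a burst of failed SSH logins inside a sliding window; the threshold, the window, the host name and the log lines (OpenSSH syslog format, documentation address ranges) are constructed assumptions.

```python
"""Flag sources with bursts of failed SSH logins in an auth log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # assumed: failures that trigger an alert
WINDOW = timedelta(minutes=2)  # assumed: sliding window for counting failures

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one burst, one user mistyping a password, one slow source.
SAMPLE_AUTH_LOG = """\
Mar 14 02:10:01 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 14 02:10:09 web01 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 14 02:10:15 web01 sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 50141 ssh2
Mar 14 02:10:22 web01 sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 50155 ssh2
Mar 14 02:10:30 web01 sshd[4109]: Failed password for root from 203.0.113.7 port 50163 ssh2
Mar 14 08:59:40 web01 sshd[5200]: Failed password for alice from 198.51.100.20 port 41000 ssh2
Mar 14 08:59:52 web01 sshd[5200]: Failed password for alice from 198.51.100.20 port 41000 ssh2
Mar 14 09:00:03 web01 sshd[5200]: Accepted password for alice from 198.51.100.20 port 41000 ssh2
Mar 14 10:00:00 web01 sshd[6001]: Failed password for bob from 192.0.2.55 port 42001 ssh2
Mar 14 10:10:00 web01 sshd[6002]: Failed password for bob from 192.0.2.55 port 42002 ssh2
Mar 14 10:20:00 web01 sshd[6003]: Failed password for bob from 192.0.2.55 port 42003 ssh2
Mar 14 10:30:00 web01 sshd[6004]: Failed password for bob from 192.0.2.55 port 42004 ssh2
Mar 14 10:40:00 web01 sshd[6005]: Failed password for bob from 192.0.2.55 port 42005 ssh2
"""


def failed_logins(lines, year):
    """Yield (timestamp, ip, user) for each failed-password line.

    Classic syslog timestamps carry no year, so the caller supplies it.
    """
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect_bursts(lines, year, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: usernames tried} for sources reaching `threshold`
    failures inside any span of length `window`."""
    recent = defaultdict(list)  # ip -> failure times still inside the window
    users = defaultdict(set)    # ip -> every account name it tried
    flagged = set()
    for ts, ip, user in failed_logins(lines, year):
        users[ip].add(user)
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, names in detect_bursts(SAMPLE_AUTH_LOG.splitlines(), 2021).items():
        print(f"ALERT {ip}: repeated failed logins for {', '.join(names)}")
```

With the default window the slow source at 192.0.2.55 stays below the threshold, which is why a second, longer window is often run alongside the short one.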
One piece of guidance from the University of Michigan’s Safe Computing
site is that it is important to make the audit log file larger so that the
results of additional monitoring can be stored.12
Run a Vulnerability Scan on the Host
Use a product like Tenable Network Security’s Nessus or the Open
Vulnerability Assessment Language (OVAL) to scan the server and ensure
that there are no surprise ports or services open. Nessus is an open
source project that can scan Windows, Mac, and UNIX machines remotely.
OVAL is an information security community effort to standardize how to
assess and report upon the machine state of computer systems. OVAL
includes a language to encode system details, and it includes an
assortment of content repositories held throughout the community.
Protect Physical Access to Servers
Servers should be kept in a secure, locked location, only accessed by
a few employees for daily maintenance via a perimeter access control
system. For those servers that need to be in more open areas, some types
of server chassis can also have locked cover plates to protect removable
media and storage devices or prevent the cover from being removed.
Harden Virtual Servers
Any enterprise practicing server virtualization should employ the same
security measures to protect virtual systems as it would for physical
Record each system’s configuration in a secure electronic file and,
perhaps, also a paper-based system. Documentation will provide quick
access to vital system information and configurations in the event of an
attack and will expedite evidence gathering and system recovery processes.
Educate End Users and IT Staff
As part of an overall security policy, educate users and administrators
on IT security concepts and the policies and procedures of the
organization. On a need-to-know basis, designated personnel should have
additional training on mitigation, attack response, and evidence gathering
policies and procedures.
Consider Manual vs. Automated Hardening
Hardening can be done manually or with the help of wizards and other
tools. IT administrators should make a strategic decision about which
approach to use (or whether to use both approaches in conjunction).
Automatic approaches are typically preferred. “Of course you could
[harden] manually,” says Chris Payne, Managing Director of IT company
Advanced Cyber Solutions, “however consider that the CIS benchmark
(universally hailed as the number one for secure build standards) for
Microsoft Windows Server 2016 stands at over 800 pages of configuration
changes. An unenviable task for anyone.”13
Follow Platform-Specific Guidance
Differences among operating systems and the underlying hardware on which
they run lead to critical differences in how hardening must be performed.
Much of the guidance that is available focuses on Windows systems,
but there is also published information about other platforms, such as
Linux systems14, Apache Web servers,15 and Windows
1 “Baseline Server Hardening.” Microsoft TechNet.
2 Paul Margiotis. “Hardening Your Windows Server in 2020.” Power
Admin. May 28, 2020.
3 Susan Bradley. “Tips to Harden Active Directory Against
SolarWinds-Type Attacks.” CSO. January 27, 2021.
4 For information about network device hardening, see, for
“Cisco Guide to Harden Cisco IOS Devices.” Cisco.
September 4, 2020.
5 “The Windows Server Hardening Checklist.” UpGuard.
February 15, 2021.
6 “CIS Hardened Virtual Images.” Center for Internet Security
(retrieved March 14, 2021).
7 Thomas Jung. “Windows Server 2019 OS Hardening.”
March 23, 2020.
8 This list was compiled in part by referencing the following
“Securing Network Infrastructure
Devices.” US-CERT. June 30, 2020.
“What Is Server Hardening?” SecureTeam. March 31, 2020.
9 “Data Security Standard:
Requirements and Security Assessment Procedures. Version 3.2.1” PCI Security Standards Council. May 2018.
10 SecureTeam. “What Is Server Hardening?” SecureTeam.
March 31, 2020.
11 CloudBerry Lab. “Windows Server Hardening Checklist.” CloudBerry
Lab. July 18, 2018.
12 “Secure Your Active Directory Windows Server.” University
of Michigan: Safe Computing (retrieved March 15, 2021).
13 Chris Payne. “Five Reasons Why You Should Be Investing in
Automated System Hardening.” Advanced Cyber Solutions. August
14 For instance, see:
“Red Hat Enterprise Linux 8: Security
Hardening.” Red Hat. February 2, 2021.
15 For instance, see:
Protect Your Server from Attacks.” Hacker Noon. June 29, 2020.
16 For instance, see:
Checklist.” UpGuard. February 15, 2021.
About the Author
Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.