Server Operating Systems Security - Best Practices
Your SME Environment, Business Drivers & Security Management All Play A Role
Article from Processor Magazine by Will Kelly
Published November 23, 2007
According to Forrester Research, security managers are at their wits’ ends trying to keep their servers secure from the deluge of new vulnerabilities across all operating systems. Properly securing your server operating system doesn’t stop or start at the server; rather, it requires a holistic approach that encompasses your IT infrastructure and your small to midsized enterprise’s business drivers.
Know Your Environment
Bob Gaines, technical marketing manager for All Covered (www.allcovered.com), a Redwood Shores, Calif., consultancy focused on SMEs, advises a holistic approach to securing your server operating systems. He sees every environment as different and resists the view that there are best practices that apply across the board when it comes to server OS security. Even so, Gaines and All Covered’s consultants maintain that it is important to assess your SME’s entire environment and determine your assets, risks, infrastructure strengths and weak points, intrusion prevention, and general risk management.
Another point to consider when analyzing your environment is to determine the availability needs of your SME. “How long can your organization be down if your servers are not available?” asks Gaines.
Develop A Patch Management Strategy
“Patch management is 99% of the battle,” says Gaines. He advises that you automate your patch management where and when possible using tools such as Microsoft’s Windows Server Update Services (www.microsoft.com).
Your patch management strategy needs to take into account the size of your IT staff. While an aggressive patching strategy may be appealing, it comes with support costs, especially when it comes to patching your servers. If you are running with a small IT staff, you may want to test new patches before applying them to your servers.
Apply Standard Management Practices
“The first thing data center/IT managers at small to midsized enterprises need to do is document processes and procedures for maintenance and security of their organizations’ servers, particularly for patch Tuesdays,” says John Ewing, network security specialist and CISSP in CDW’s professional services team (www.cdw.com). “The simple point of such documentation is to establish a thorough routine of updating all security software and threat definitions, as well as maintaining the hardware platforms where security applications reside. Documenting inspection/update procedures enables continuity and transparency of the approach, regardless of staff absences or turnover. Be sure to include a quarterly review of the document itself, to adjust procedures appropriately based on experience and changes in the business or its environment.”
Templates for this kind of security documentation are available from a number of Web resources, so you don’t have to reinvent the wheel. “Data center/IT managers should evaluate these templates, determine which is most appropriate for their environment, and then adapt it to fit their unique needs,” says Ewing. And it’s OK to keep your security documentation to just the facts your data center requires.
Controlling server access is imperative. Ewing, Gaines, and Karl Wirth, director of security solutions for Red Hat (www.redhat.com), all stress the importance of controlling and periodically reviewing who has access to your SME’s servers, including directory rights, user accounts, guest accounts, file access, and physical access. “Also, don’t forget about backup systems and the access to them onsite and offsite,” notes Ewing.
Other security management options to explore include rotating passwords and two-factor authentication to your servers, says Wirth. He also points to open-source efforts such as freeipa.org as an effective way to govern access to your small to medium-sized enterprise’s Linux servers and overall IT infrastructure.
Clean Your Server
Run only what you need to run on your server. Wirth advises that you uninstall any services on the server that are not in use. Wirth also recommends dedicating each server to a single task, such as application server or database server, as another method for securing your servers.
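A check for the “run only what you need” advice above, as an added example that is not from the article: it compares the processes listening on a single-purpose server against an explicit allowlist and reports anything else. The `ss` output and the allowlist for a hypothetical database server are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): flag listening TCP services that are not
# on an explicit allowlist, so a single-purpose server exposes only what it should.
# SAMPLE_SS is a constructed stand-in for `ss -Htlnp` output (no header line);
# on a live host pipe the real command into unexpected_listeners instead.

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1201,fd=20))
LISTEN 0 50 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1410,fd=4))
LISTEN 0 64 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=600,fd=8))'

# Process names this (hypothetical) database server is allowed to expose, one per line.
ALLOWED='sshd
mysqld'

# Read `ss -Htlnp` lines on stdin; print "port process" for each listener whose
# process name is not in the allowlist passed as $1.
unexpected_listeners() {
    allow=$1
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^LISTEN/ {
            port = $4; sub(/.*:/, "", port)          # field 4 is local addr:port
            proc = $0; sub(/^[^"]*"/, "", proc)      # process name sits in the first
            sub(/".*$/, "", proc)                    # quoted token of the users:() column
            if (!(proc in ok)) print port, proc
        }'
}

# Number of unexpected listeners in the sample; non-zero means the server is
# running something it was not dedicated to.
audit_count() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED" | awk 'END { print NR }'
}

# Stand-alone run: report each finding.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED" | while read -r port proc; do
    echo "unexpected listener: $proc on port $port (not in allowlist)"
done
```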
Leverage Security Features
When managers implement security features on a server, the process often requires a balance between usability and security, because locking down a server too much can force routine management tasks through unnecessary hoops.
Red Hat has been working with the open-source community to innovate on server security. Wirth advises turning on SELinux (Security-Enhanced Linux) to lock down your Red Hat Enterprise Linux server. SELinux compartmentalizes the server OS, enabling you to write policies that disable or enable access to server operating system features.
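One way to verify, and persist, the “turn on SELinux” advice above, as an added example that is not from the article or from Red Hat: the script reads the SELINUX= setting from a copy of /etc/selinux/config and rewrites it to enforcing when it is not. The config file is constructed here; on a real host you would also run `setenforce 1` as root for the change to take effect before the next reboot.

```shell
#!/bin/sh
# Added example (not from the article): check that SELinux is configured to
# enforce at boot and rewrite the config when it is not. The file below is a
# constructed copy of /etc/selinux/config so the script can run offline.
# Per-service toggles (e.g. `setsebool -P <boolean> off`) are the usual way to
# tighten policy further once enforcing mode is on; they are not applied here.

CONF=$(mktemp)
trap 'rm -f "$CONF" "$CONF.bak" "$CONF.new"' EXIT
cat > "$CONF" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# Print the effective SELINUX= value from a config file (comments ignored,
# last assignment wins, surrounding whitespace stripped).
selinux_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v); print v }' "$1" \
        | tail -n 1
}

# Succeed only if the file configures enforcing mode.
is_enforcing() {
    [ "$(selinux_mode "$1")" = "enforcing" ]
}

# Rewrite the SELINUX= line to enforcing, keeping a backup beside the file.
# Written via a temp file and mv so a failed sed never leaves a truncated config.
set_enforcing() {
    cp "$1" "$1.bak"
    sed 's/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=enforcing/' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Stand-alone run: report the configured mode without changing it.
echo "configured SELinux mode: $(selinux_mode "$CONF")"
if is_enforcing "$CONF"; then
    echo "ok: enforcing at boot"
else
    echo "warning: not enforcing; run set_enforcing on the config (and setenforce 1 as root)"
fi
```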
Audits, Trust & Segregation Of Duties
“In a typical small business, the owners have an IT person or vendor they trust and rely on to control the access and maintenance of the systems, but there should still be checks and balances in place to avoid vulnerability, fraud, or abuse of exclusive access,” says Ewing.
He adds, “In a smaller business . . . the owners should have external auditors check the systems’ security posture periodically. Alternatively, there are also software applications that scan systems and generate reports on their security status, but those also should be installed and accessed only by management or a trusted third party.”