Draft guidance for securing servers
- By William Jackson
- May 08, 2008
The National Institute of Standards and Technology is seeking comment on its draft guidelines for securing servers, released this week.
NIST Special Publication 800-123
, 'Guide to General Server Security,' makes recommendations for securing server operating systems and softwarein addition to maintaining a secure configuration with patches and software upgrades, security testing, log monitoring and backups of data and operating system files.
The document addresses common servers that use general operating systems and are deployed in outward- and inward-facing locations. The recommendations apply to a variety of typical servers, such as Web, e-mail, database, infrastructure management and file servers. Much of the content was derived from SP 800-44 Version 2, 'Guidelines on Securing Public Web Servers,' and SP 800-45 Version 2, 'Guidelines on Electronic Mail Security.'
Common security threats addressed include exploitation of software bugs to gain unauthorized access, denial-of-service attacks, exposure or corruption of sensitive data, unsecured transmission of data, use of a server breach to gain access to other network resources and use of a compromised server to launch attacks.
NIST recommended that security plans be considered from the initial planning stage because addressing security is more difficult after deployment. 'Organizations are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan,' the document said. It also advised agencies to consider human resources required for deployment and operational phases, including training requirements.
To ensure the security of a server and the supporting network infrastructure, NIST recommends:
- Organizationwide information system security policy.
- Configuration/change control and management.
- Risk assessment and management.
- Standardized software configurations that satisfy the information system security policy.
- Security awareness and training.
- Contingency planning, continuity-of-operations and disaster recovery planning.
- Certification and accreditation.
In deployment server operating systems, default hardware and software configurations usually must be modified to achieve adequate security rather than maximum functionality and ease of use. 'Because manufacturers are not aware of each organization's security needs, each server administrator must configure new servers to reflect their organization's security requirements and reconfigure them as those requirements change,' NIST advised. 'Using security configuration guides or checklists can assist administrators in securing systems consistently and efficiently.'
Similar efforts are needed for server applications. 'The overarching principle is to install the minimal amount of services required and eliminate any known vulnerabilities through patches or upgrades,' the document said.
Comments on the draft should be e-mailed by June 13
, with the phrase "Comments SP 800-123" in the subject line.
William Jackson is a Maryland-based freelance writer.