
Solved

Server Hardening

Posted on 2011-03-18
Medium Priority
541 Views
Last Modified: 2012-05-11
Above and beyond basic Windows hardening (complex passwords, admin shares, strict ACLs granting access only to the admins, account lockout, prompt patching, disabling unnecessary services, physically securing the server), what else is recommended, for general peace of mind, for really high-security servers in a Windows domain (2003 functional level)?

Is there anything above and beyond that which will add a further layer of protection, for peace of mind that it is protected from malicious insiders? This server houses highly sensitive data and runs MS SQL Server; essentially it acts as a data repository. As it stands I can ping every server in the domain, I can see them all in Explorer, but can't see any accessible shares. I wondered if there's anything that can be done to ultimately restrict access to that server above and beyond Windows hardening, and if it's worthwhile or overkill? If not overkill, what could technically still be exploited if all best-practice Windows hardening is in place? Is this where zero-day vulnerabilities come into play, or something else?
Question by: pma111
5 Comments
 
LVL 14

Assisted Solution

by:athomsfere
athomsfere earned 300 total points
ID: 35165144
You could put it on a separate VLAN so only authorized PCs and switches / routers can see the device. I am not sure if the amount of work required justifies the return however, as compromised trusted machines will still have the same access to it as they do now.
LVL 3

Author Comment

by: pma111
ID: 35165174
I was also wondering about the local firewall rules on the server itself, what do you think?
LVL 14

Expert Comment

by: athomsfere
ID: 35165284
You could look at something like HIPS, http://www.mcafee.com/us/products/host-ips-for-server.aspx

As for server firewalls, I prefer a good hardware solution first, or another machine to act as a firewall.
LVL 1

Accepted Solution

by: 99star
99star earned 352 total points
ID: 35165408
If securing data is the paramount goal, in my view you should also do the following, apart from what you have said.

A strong/rugged firewall with strict policies enforced about what ports to open (follow very strictly).
If the server is not open on the internet then it is very good; you can strictly enforce who can access this server (follow very strictly).

Disable ping and disable SNMP if possible (work on telnet ipaddress <portopen>).

Backups are very necessary.

An ideal solution will be to insert a key value (Huffman coding), or do some more research based on your needs, for not only data security but row-level security as well.

Another ideal solution will be to install an in-between server and customized software which will retrieve data from the secured server based on rules which you want to enforce.

Ideas are infinite; you will gain experience as and when you progress.

Backups will at some point in time fail (or will fail when much needed).

I have more to write to put emphasis on the key-value theory.
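The two answers above both come down to the same host-side control: a strict local firewall policy that opens only the ports the server needs, only to the hosts that need them, and drops ping. The following is an added example of that policy, not code from anyone in this thread. It assumes Windows Server 2012 or later (the NetSecurity cmdlets did not exist on the 2003-era hosts in the question, where the same rules would be typed with `netsh`), an elevated PowerShell session, and the placeholder addresses shown, which are constructed for illustration.

```powershell
# Added example: host-firewall lockdown for a SQL Server data repository.
# Assumes Windows Server 2012+ (NetSecurity module). Addresses and the
# rule prefix below are constructed placeholders, not values from the thread.
# Run from an elevated PowerShell session.

$AdminWorkstations = @('10.0.10.21', '10.0.10.22')   # placeholder admin PCs
$AppServers        = @('10.0.20.0/24')               # placeholder application tier
$SqlPort           = 1433                            # default SQL Server TCP port
$RulePrefix        = 'HARDEN-'

# 1. Default-deny inbound on every profile and log what gets dropped.
#    Outbound stays allowed so domain logon, patching and backups keep working.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Remove rules from a previous run so the script is idempotent.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 2. SQL Server reachable only from the application tier and admin PCs.
New-NetFirewallRule -DisplayName "${RulePrefix}SQL from app tier and admins" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress ($AppServers + $AdminWorkstations) -Profile Domain

# 3. Remote Desktop only from admin workstations.
New-NetFirewallRule -DisplayName "${RulePrefix}RDP from admin workstations" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminWorkstations -Profile Domain

# 4. Explicitly drop ICMP echo requests (the "disable ping" suggestion) and
#    the SQL Browser service port, which advertises instances to the network.
New-NetFirewallRule -DisplayName "${RulePrefix}Block ICMPv4 echo" `
    -Direction Inbound -Action Block -Protocol ICMPv4 -IcmpType 8
New-NetFirewallRule -DisplayName "${RulePrefix}Block SQL Browser" `
    -Direction Inbound -Action Block -Protocol UDP -LocalPort 1434

# 5. Verify: list every enabled inbound allow rule with its port and source scope,
#    including Windows' built-in rules, so anything not on the plan stands out.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule = $_.DisplayName
            Port = ($port -join ',')
            From = ($addr -join ',')
        }
    } | Format-Table -AutoSize
```

The listing in step 5 is the useful part: Windows ships with a number of inbound allow rules (file and printer sharing, remote management, and so on) that stay enabled under a default-deny profile, so review that output and disable whatever the server does not need. As athomsfere noted, none of this helps against a compromised host that is on the allow list, which is why the admin workstations themselves need the same treatment.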
LVL 2

Assisted Solution

by: Hapexamendios
Hapexamendios earned 348 total points
ID: 35167585
To add to the excellent suggestions so far:

Look at the NSA's guides just to confirm you've not missed any of the "standard" recommendations. It looks like you've covered a lot, so I don't want to suggest examples at this stage as there are many :)

Consider using File Integrity Monitoring, either using an open-source package such as Tripwire or a proprietary product. We use LogRhythm's agent for that, but that's because it fits with our logging solution and adds on easily. File Integrity Monitoring is probably your best bet if it's the insider threat you intend to protect against.

Ensure physical access is extremely limited, and that a device firewall is in operation on the server (device firewall will block all attempts to plug in USB removable media or extra network cards on the server, bypassing your efforts).

Place an Intrusion Detection Sensor on the network. If you place it between the server and the firewall protecting it, it will be hard to manage because of your lockdown, but it would let you know about anything going in there. Place it outside the network, sensing all traffic flowing over the firewall which protects your secure environment, and you'll have a lot more "noise" to deal with, but you'll find out about unsuccessful as well as successful attempts to access that server. You'll also be able to update its signatures more easily and regularly. Open-source options like Snort exist, and plenty of proprietary options too, such as TippingPoint or Sourcefire.

Lastly, and obvious but it needs saying: lock down each of those devices which are allowed to connect, and especially any admin workstations allowed to connect to the SQL server. Compromising an admin machine allows an attacker to steal credentials if they are loaded in memory, and they can be used without having to crack any passwords.

Hope this is useful to you, and not ground you've already covered.

Peace,
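File Integrity Monitoring, which the answer above singles out as the best control against an insider, is straightforward to prototype even without Tripwire or LogRhythm: hash the files that should not change, store the baseline somewhere the insider cannot write, and compare on a schedule. The script below is an added example of that idea, not the poster's code or any vendor's product. It assumes PowerShell 4 or later (for `Get-FileHash`), and the watch paths and baseline location shown are assumptions chosen for illustration.

```powershell
# Added example: a minimal SHA-256 file-integrity baseline and comparison.
# Not Tripwire or LogRhythm. Paths in the usage lines are assumptions.
# Requires PowerShell 4+ for Get-FileHash; event-source creation needs admin rights.

function New-FimBaseline {
    param(
        [Parameter(Mandatory)][string[]] $Path,          # directories to watch
        [Parameter(Mandatory)][string]   $BaselineFile   # CSV kept off-box or write-protected
    )
    $entries = foreach ($dir in $Path) {
        Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path  = $_.FullName
                    Hash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Owner = (Get-Acl -Path $_.FullName).Owner   # ownership change is also a signal
                }
            }
    }
    $entries | Export-Csv -Path $BaselineFile -NoTypeInformation
    Write-Host "Baseline written: $(@($entries).Count) files -> $BaselineFile"
}

function Compare-FimBaseline {
    param(
        [Parameter(Mandatory)][string[]] $Path,
        [Parameter(Mandatory)][string]   $BaselineFile
    )
    # Load the stored baseline into a lookup keyed by full path.
    $old = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $old[$_.Path] = $_ }

    # Rehash the current state of the same directories.
    $new = @{}
    foreach ($dir in $Path) {
        Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $new[$_.FullName] = [pscustomobject]@{
                    Hash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Owner = (Get-Acl -Path $_.FullName).Owner
                }
            }
    }

    # Classify differences: added, modified, owner changed, deleted.
    $findings = @()
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            $findings += [pscustomobject]@{ Change = 'ADDED';    Path = $p }
        } elseif ($old[$p].Hash -ne $new[$p].Hash) {
            $findings += [pscustomobject]@{ Change = 'MODIFIED'; Path = $p }
        } elseif ($old[$p].Owner -ne $new[$p].Owner) {
            $findings += [pscustomobject]@{ Change = 'OWNER';    Path = $p }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) {
            $findings += [pscustomobject]@{ Change = 'DELETED';  Path = $p }
        }
    }

    # Write each finding to the Application event log so a central log
    # collector (the "logging solution" mentioned above) can alert on it.
    if (-not [System.Diagnostics.EventLog]::SourceExists('FimCheck')) {
        New-EventLog -LogName Application -Source 'FimCheck'
    }
    foreach ($f in $findings) {
        Write-EventLog -LogName Application -Source 'FimCheck' -EventId 9001 `
            -EntryType Warning -Message "$($f.Change): $($f.Path)"
    }
    return $findings
}

# Usage (watch paths and baseline location are assumptions):
# $watch = 'C:\Windows\System32\drivers\etc', 'C:\Program Files\Microsoft SQL Server'
# New-FimBaseline     -Path $watch -BaselineFile 'D:\fim\baseline.csv'
# Compare-FimBaseline -Path $watch -BaselineFile 'D:\fim\baseline.csv'
```

Two points matter when putting this to use against an insider. Watch binaries, configuration and the hosts file, not the SQL data and log files, whose hashes change with every transaction and would drown the report in noise. And keep the baseline CSV, and the scheduled task that runs the comparison, where the administrators being monitored cannot alter them; a FIM baseline the insider can rewrite proves nothing, which is the reason commercial agents ship the results to a separate log server.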