Risks and Mitigation in a Server Network
When building any kind of network, you need to make sure your system can deter and defend against external and internal threats. Here are three major areas of risk to consider, which I’m choosing to categorize as Physical, Software, and User.
Physical Risks
One of the most popular stories in computer security is about an administrator who challenges another to break into their network. The two happen to be pals, so the challenger wins by walking into the other’s office, then walking out with a network server.
This works because we're so used to interacting with our machines through a screen and keyboard that we forget much of the content and services we see are physically located elsewhere. Lucky for us, safeguarding hardware is a fairly basic idea, even to non-techies.
Protection from theft before loss
- Secure rooms. Allow only authorized personnel to have access. Install security cameras.
- PC locks (e.g. Kensington Security Slot)
- Disable unused peripherals and ports. (e.g. USB ports are commonly disabled by editing the registry, but this is not a sure and safe method. Instead, look into Group Policy and Device Management.)
Protection from theft after loss
- Encrypt hard drives (e.g. BitLocker)
- Consider making a domain controller read-only
Environmental loss
- Maintain data backups against climate and/or power failures
Software Risks
What do people generally do when under attack? They crouch. They hide. They make themselves smaller. This is all meant to make it harder for them to get hit. Computer security people would call this “reducing the attack surface.”
The average commercial computer is often filled with bloatware. Every spare program is like an extra arm or leg, an increase of the attack surface. Unused programs will get overlooked. They can get hijacked behind your back. You want as much awareness of what’s running on your system as possible. So clear away the things you don’t need. Give attackers less of an opening. Minimize the amount of monitoring you have to do.
Reduce attack surface
- All services and applications that are unnecessary should be disabled or uninstalled
- Enable User Account Control to prevent unauthorized software installations
Secure networks
A connected computer is a vulnerable computer. You know what the safest computer is? Powered off, unplugged from everything, and locked in a box. But we don’t do that because then our sitting duck becomes a sitting hunk of junk. Instead, we protect our networked computers using firewalls. If your computer is on a network without a firewall, anyone can walk in. Firewalls are so important that Microsoft began including one with Windows XP and Server 2003.
Many brands of firewalls exist, but some general rules apply. The most basic one is to close unnecessary ports. This will vary by the needs of the user and machine.
- Learn your ports! There are tens of thousands, but some are more common than others (e.g. port 80 is used by the HTTP protocol, which manages web traffic; port 443 is HTTPS, which allows secure web access).
- Get to know your firewall, and research various brands. You can even use two or three different firewalls in a network; if a hacker can get through the first, they might not get through the second.
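To make "close unnecessary ports" concrete, here is an added example (not part of the original article) that lists what a Windows server is actually listening on and compares it with an allowlist. The $AllowedPorts values are an assumption for a web server managed over RDP.

```powershell
# Added example. $AllowedPorts is an assumed allowlist for a web server that
# is managed over RDP; replace it with the ports this machine's role needs.
$AllowedPorts = @(80, 443, 3389)

# Every TCP port in the Listen state, skipping loopback-only listeners,
# which cannot be reached from the network.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Sort-Object -Property LocalPort -Unique

$report = foreach ($l in $listeners) {
    # Map the socket back to the program that opened it.
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    [pscustomobject]@{
        Port     = $l.LocalPort
        Process  = $name
        ProcId   = $l.OwningProcess
        Expected = $l.LocalPort -in $AllowedPorts
    }
}

# Unexpected listeners sort first: candidates to disable, uninstall, or block.
$report | Sort-Object Expected, Port | Format-Table -AutoSize

# Enabled inbound allow rules that name specific ports, for comparison
# with the allowlist above.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $filter.Protocol
            LocalPort = $filter.LocalPort -join ','
        }
    } |
    Where-Object { $_.LocalPort -ne 'Any' } |
    Format-Table -AutoSize
```

A listener that is not expected and has no business reason to exist is better removed at the source (stop the service or uninstall the program) than merely blocked at the firewall.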
Choose Server Core
Server administrators should consider the Server Core edition of Windows Server 2012 R2 to make their systems lean and strong. Let’s take a look at some of the benefits.
- There’s less code that could be exploited and less updating required.
- It limits server roles. A server that’s a domain controller needs just a few things to run (i.e. global catalog, DNS server, and AD), but if you install everything and the kitchen sink, you increase the “attack surface” we talked about earlier.
- If you’ve the hardware to spare, keep server roles on separate machines to avoid having a single point of failure.
User Risks
People are always going to be your weakest link. Hackers know this, which is why hacking doesn’t usually involve fancy computer magic. Most of it’s social engineering. The most common tactic, called “phishing”, is a well-placed phone call or email to someone who doesn’t possess a healthy dose of paranoia. This person can be tricked into revealing their passwords or inside information that jeopardizes network security. Let’s look at a few ways to minimize user risks.
Educate your users
- Warn against common social engineering tactics (e.g. Phishing).
- Explain Privilege Escalation: an intruder can use a compromised, low-level account and hop through a bunch of other accounts, slowly increasing their user privileges along the way, until they seize the administrator account.
Follow best password practices
- Use unique passwords for each user (admins included).
- Use a combination of numbers, symbols, upper and lowercase letters.
- Enforce password length and complexity.
Restrict admin access
- Rename default admin account names. What are two things an attacker needs to log into an account? Username and password. When you leave the default as “administrator”, you’ve done 50% of the job for them.
- Limit the number of admins. This can thwart the aforementioned Privilege Escalation.
- Keep admin accounts strictly for maintenance, not general use. This means once you’re done doing admin things, log off. Don’t surf the web as the admin. Don’t play computer games as the admin. Don’t click buttons or open files you don’t recognize as the admin.
- Allow delegated admin privileges to expire. Admins can get busy, and in a pinch they can temporarily make other users into admins. When you do this, set time limits. If you won’t set time limits, you’ll have to remember to remove delegated users from admin groups when tasks are completed.
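One way to catch delegated admins who were never removed is a periodic review of privileged group membership. This is an added example, not from the original article; it assumes the ActiveDirectory PowerShell module is installed, and the account names in $ApprovedAdmins are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (part of RSAT).
Import-Module ActiveDirectory

# Hypothetical list of accounts that are supposed to hold admin rights.
$ApprovedAdmins   = @('adm-alice', 'adm-bob')
# Extend with other privileged groups used in your domain.
$PrivilegedGroups = @('Domain Admins', 'Administrators')

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, where forgotten admins tend to hide.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
            [pscustomobject]@{
                Group     = $group
                Account   = $user.SamAccountName
                Enabled   = $user.Enabled
                LastLogon = $user.LastLogonDate
                Approved  = $user.SamAccountName -in $ApprovedAdmins
            }
        }
}

# How many distinct accounts hold admin rights right now.
'{0} distinct admin accounts' -f @($findings.Account | Sort-Object -Unique).Count

# Accounts with admin rights that are not on the approved list:
# leftover delegations to remove, or entries to add to the list.
$findings |
    Where-Object { -not $_.Approved } |
    Sort-Object Group, Account |
    Format-Table -AutoSize
```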
Turn on / configure auditing
- Track accounts, log-ins, policy changes, object access, system events, etc.
- Event Viewer is an admin’s best friend for doing so, and it comes with Windows.
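The same Security log that Event Viewer shows can be queried from PowerShell. The added example below (not part of the original article) enables three audit subcategories and then pulls the events that matter most for the admin-access advice above. The one-day window and the threshold of 10 failures are assumptions.

```powershell
# Added example. Run from an elevated prompt on the server being audited.
# On domain members, set these subcategories through Group Policy instead,
# because domain policy overrides local audit settings.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# Read one named field out of an event's XML payload.
function Get-EventField {
    param($Record, [string]$Name)
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-1)   # assumed review window

# 4625 = failed logon. Count failures per account and source address and
# show the pairs at or above an assumed threshold of 10.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Account = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'IpAddress'
        }
    } |
    Group-Object Account, Source |
    Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4728 / 4732 / 4756 = member added to a global / local / universal
# security group. 4719 = system audit policy was changed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756, 4719; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Actor   = Get-EventField $_ 'SubjectUserName'
            Group   = Get-EventField $_ 'TargetUserName'
            Member  = Get-EventField $_ 'MemberSid'
        }
    } |
    Format-Table -AutoSize
```

For 4719 events the Group and Member columns are empty, since that event records a policy change rather than a group change.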
Last but not least
Understand that no one knows every risk and no one knows how to end risk. There’s a reason it’s called “mitigation”. You can only slow the bad guys down. Almost every benefit has its cost. New technologies introduce new vulnerabilities. A software update can easily create new bugs for every old one it fixes. Sometimes it’s safer not to upgrade. As security tools improve, hacking tools improve as well. Be flexible. Stay curious. And try to keep up.