
Basic Server Security Checklist


Baseline System Security
All servers, no matter what the purpose, should pass this checklist of minimum baseline security precautions.

1. Are all available security patches installed?
Download the patches separately and install them off-line (burn them to CD or copy them to USB memory), so that the system is not exposed to attack while it is still unpatched.
Sources:
Microsoft Service Packs
Red Hat security updates
Debian Linux security Alerts
Solaris Patch bundles
IRIX security updates
AIX security updates
HP/UX patches
Mac OS X Security Updates

2. Are no more than the minimum required services operational?
Most operating systems ship with many services enabled by default that are frequently not needed, which leaves a larger attack surface. Make sure that only the services really needed to do the job are running.
Resources:
Common UNIX Services to Disable
TCPview tool for detecting network services on Windows

3. Do all accounts have strong passwords (or are disabled)?
Weak passwords are still a major cause of system compromises. Many applications install system accounts for their use, typically with simple or even blank default passwords. Be careful to include application-level accounts in this step as well, such as web servers or database software.

4. Is access to network services limited to those networks which require access?
By default, most network services are available to anyone on the network. Most operating systems include built-in features to allow restricting this availability. Third-party firewall software can also be used.
Resources:
General Utilities for UNIX Security (TCP-Wrappers, ipfilter, iptables, etc)
Restricting ports on Windows Server

5. Are access/event/audit logs being generated?
By default, some operating systems do little to no logging, so there will be no warning of unusual events such as attempts to break into the system.
Resources:
Windows Server Event Logging

6. Are strongly-encrypted remote login protocols being used exclusively?
Traditional network access programs such as telnet, FTP and HTTP use plain-text protocols, so passwords travel over the network completely unprotected. More recent alternatives work as well in almost every case, such as SSH, which comes with nearly every UNIX distribution. Use HTTPS for web-based logins that need to be confidential.
SSH Client for Windows (instead of Telnet): PuTTY
SCP Client for Windows (instead of FTP): WinSCP

7. Is anti-virus software in use?
File servers in particular need this, even on UNIX systems where files will be shared with Windows systems. CNS provides anti-virus software to the York community free of charge.

8. Remember to avoid using server consoles for desktop-like functionality (web browsing, opening office documents, etc).
Web browsing and document handling are two very common vectors for intrusions/infections.
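
The following is an added example, not part of the original checklist: a small Python audit that applies items 2, 4 and 6 to the TCP listeners reported by `ss -H -tln` on a Linux host. The `REQUIRED` policy, the network ranges and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical policy for one host: port -> networks allowed to reach it.
# An empty tuple means the service should listen on loopback only.
REQUIRED = {22: ("10.0.0.0/8",), 443: ("0.0.0.0/0",), 5432: ()}
# Plain-text login protocols named in item 6 (default ports).
PLAINTEXT = {21: "FTP", 23: "telnet", 80: "HTTP"}

# Constructed sample of `ss -H -tln` output, not captured from a real system.
SAMPLE = """\
LISTEN 0 128     0.0.0.0:22     0.0.0.0:*
LISTEN 0 128   127.0.0.1:5432   0.0.0.0:*
LISTEN 0 5       0.0.0.0:23     0.0.0.0:*
LISTEN 0 128        [::]:443       [::]:*
LISTEN 0 64      0.0.0.0:111    0.0.0.0:*
LISTEN 0 100           *:21           *:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets, %interface
        yield ("0.0.0.0" if addr == "*" else addr), int(port)


def audit(ss_output, required=REQUIRED):
    """Return sorted (port, finding) pairs for listeners that break the policy."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        local_only = ipaddress.ip_address(addr).is_loopback
        allowed = required.get(port)
        if port in PLAINTEXT and not local_only:
            findings.append((port, f"plain-text {PLAINTEXT[port]} is exposed (item 6)"))
        elif allowed is None:
            findings.append((port, "not a required service, disable it (item 2)"))
        elif not local_only and not allowed:
            findings.append((port, "should listen on loopback only (item 4)"))
        elif not local_only and "0.0.0.0/0" not in allowed:
            nets = ", ".join(allowed)
            findings.append((port, f"confirm a filter limits access to {nets} (item 4)"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(SAMPLE):
        print(f"tcp/{port}: {finding}")
```

The script sees only what is listening, not the firewall or TCP-Wrappers rules in front of it, so the item 4 findings are prompts to verify those rules rather than proof of exposure.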

Application-Specific Notes for Additional Security
Microsoft IIS Web server: Microsoft IIS-Lockdown tool
Microsoft SQL 2000 Server security guide


Contact information
General inquiries:  helpdesk@yorku.ca
Network and computer abuse reports:  abuse@yorku.ca

 

Last modified: March 3, 2003

Copyright 2002 © York University