We often treat servers like servers -- beastly boxes that don’t need traditional workstation-like security controls. I see this in my security assessments quite often. The reality is that Windows servers do need to have endpoint controls to ensure security is kept in check. Here are some common questions and answers regarding endpoint security for Windows servers:
I can’t afford to have my Windows servers go offline or crash due to patching or anti-virus
software. What’s the basis for the argument of locking down servers like they’re
The reality is many servers are workstations for network admins doing things such as Web browsing, file transfers, email and so on. Given the fact that servers house a good portion of a business’s information assets, the exploitation of missing patches via malware or targeted penetration via Metasploit or a similar tool is just as great, if not greater, than on workstations. Of any given group of unpatched Windows systems I come across, it’s almost always servers rather than workstations that present problems.
What malware protection is needed on servers?
I believe controls need to be just as tight in this area as they are on workstations. A solid anti-virus program is good for starters. Some complementary controls to protect against spyware would be nice. Ensure you’ve fine-tuned any real-time scanning exclusions for databases and similar applications to minimize any performance impact. Keep an eye out on advanced malware controls such as the offerings from Damballa and FireEye as well. These technologies can be very beneficial -- especially if you know or suspect the intruder to be “in the house”. Whitelisting technologies are gaining favor with me as well. Whitelisting can be beneficial -- and simpler -- on servers where you’re likely to run fewer applications and the configurations are a bit more standardized.
Do I need to use disk encryption on my servers?
If there are physical server risks, then the answer is yes. I come across plenty of Windows servers that are vulnerable to theft or abuse. Be it BitLocker or a third-party option, full-disk encryption is a great last line of defense. You can have all the controls in the world at the application, database and OS levels but one physical intrusion is all it takes to end up on the data breach list and making the headlines.
More on Windows Server security
Top Windows server hardening standards and guidelines
Windows server hardening: How much is enough?
Open forum: suggestions for server hardening
What hardening best practices are recommended for servers?
Your internal auditor or regulator has likely spelled security requirements out for you. If not, you’ve got to step back and determine what you’re trying to protect and then figure out how to go about doing so. NIST has a good resource for starters. I like Microsoft’s recommendations, especially when packaged and used with their Security Compliance Manager tool. There’s no one-size-fits-all solution for hardening Windows servers. Determin where risks are and use free resources available to you to create a best-fit for your own unique needs. For example audit logging could mean the world to one business but add minimal value to another. Ditto for password policies, remote access controls, encrypted network communication sessions and the like. So, understand your requirements and choose the security controls made available to us in the Windows OS and related applications to keep things in check.
Sure, Windows servers are more static in nature, but they have just as many -- if not more -- Windows-related risks as their workstation counterparts. Every situation is different. Just make sure you’re finding the flaws and locking things down where they count the most -- at the endpoint.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 23 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around minimizing information risks. You can reach Kevin through his websitewww.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him onLinkedIn.
This was first published in June 2012