Security recommendations for stations and servers
- KEEP YOUR OPERATING SYSTEM UP TO DATE
Update your operating system regularly and apply all released security patches as soon as possible.
- KEEP YOUR SOFTWARE UP TO DATE
Check the versions of installed software regularly and update anything outdated as far as possible. Add-ons, modules, and device firmware can be outdated as well, so include them in the check.
- DO NOT USE UNSUPPORTED PRODUCTS
If possible, use only products (software and operating systems) for which security patches are available.
- VERIFY THE IDENTITY OF APPS AND FILES
Allow only trusted applications and files (including scripts and DLL libraries) to be downloaded. In a Windows environment, use Device Guard, AppLocker, or Software Restriction Policies (SRP).
- PROVIDE A CENTRALIZED EVENT LOGGING SYSTEM ON STATIONS AND SERVERS
Log both successful and unsuccessful events. The central system should be time-synchronized across the network and able to evaluate incoming logs immediately and automatically. We recommend retaining event logs for at least 18 months, depending on local circumstances and the importance of the system.
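The value of a central, time-synchronized collector is that it can correlate events that no single host sees in full. The following added example (not part of the agency's recommendations) evaluates constructed sshd records from two hosts and raises an alert when one source address accumulates failed logins across both hosts within a short window; the same data counted per host, as a host-local tool would, stays under the threshold. Host names, addresses and timestamps are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, shaped as a central collector with synchronized clocks
# would hold them: ISO-8601 timestamp with zone, originating host, then the sshd message.
SAMPLE_LOGS = """\
2024-03-01T10:00:01+00:00 srv-web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03+00:00 srv-web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:04+00:00 srv-db01 sshd[877]: Failed password for root from 203.0.113.7 port 51030 ssh2
2024-03-01T10:00:06+00:00 srv-db01 sshd[879]: Failed password for root from 203.0.113.7 port 51031 ssh2
2024-03-01T10:00:08+00:00 srv-web01 sshd[1210]: Failed password for root from 203.0.113.7 port 51040 ssh2
2024-03-01T10:00:09+00:00 srv-web01 sshd[1211]: Accepted publickey for deploy from 198.51.100.5 port 40001 ssh2
2024-03-01T10:05:00+00:00 srv-db01 sshd[890]: Failed password for alice from 198.51.100.9 port 40100 ssh2
2024-03-01T10:20:00+00:00 srv-db01 sshd[899]: Failed password for alice from 198.51.100.9 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Turn collector lines into dicts; both successful and failed logins are kept."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines: silent drops hide gaps
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "ip": m["ip"],
            "failed": m["outcome"].startswith("Failed"),
        })
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60),
                      correlate_across_hosts=True):
    """Alert once per source address that reaches `threshold` failures inside `window`.

    With correlate_across_hosts=False the count is kept per (host, ip) pair, which is
    all a host-local tool can see.
    """
    # Sorting events from several hosts is only meaningful if their clocks agree.
    events = sorted(parse_events(text), key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in events:
        if not ev["failed"]:
            continue
        key = ev["ip"] if correlate_across_hosts else (ev["host"], ev["ip"])
        q = recent[key]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "ip": ev["ip"],
                "failures": len(q),
                "hosts": sorted({e["host"] for e in q}),
                "users": sorted({e["user"] for e in q}),
                "span_seconds": (ev["ts"] - q[0]["ts"]).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
    print("per-host view:", detect_bruteforce(SAMPLE_LOGS, correlate_across_hosts=False))
```

Run as a script it prints one alert for 203.0.113.7 spanning both hosts and an empty list for the per-host view. The two legitimate-looking failures from 198.51.100.9 are fifteen minutes apart and never fill the window, which is why the window, not just the count, needs tuning to the environment.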
- BACK UP IMPORTANT AND SENSITIVE DATA REGULARLY
Such data includes web server content, databases, and service configuration. Also test the backups regularly to confirm that they are functional and that lost data can actually be recovered from them.
- USE ANTI-VIRUS AND SECURITY SOFTWARE
In addition, use tools that prohibit the execution of applications outside a defined list of permitted ones, and tools that help protect the system when regular security updates are unavailable.
- SET UEFI/BIOS PASSWORD
Use a unique password for every station and manage the passwords centrally.
- FORCE SECURE BOOT
Also set the boot device order, and make sure the boot manager is only accessible after the password has been entered.
- PROTECT YOURSELF AGAINST PASSWORD ATTACKS
Secure every service where users log in, for example with fail2ban, with hash functions designed for storing passwords (Argon2, bcrypt, scrypt, PBKDF2), or with a CAPTCHA.
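Of the four functions named above, scrypt and PBKDF2 are available in the Python standard library, so the following added example (not from the agency's text) shows what "designed for storing passwords" means in practice: a random per-user salt, a deliberately slow derivation, the parameters stored next to the hash so they can be raised later, and a constant-time comparison on verification. The storage format (`$scheme$params$salt$digest`) and the parameter values are this example's own choices, not a standard.

```python
import base64
import hashlib
import hmac
import os

# Work factors chosen for this example; raise them as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per hash
PBKDF2_ITERATIONS = 600_000                    # PBKDF2-HMAC-SHA256


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, scheme: str = "scrypt") -> str:
    """Return a self-describing string: $scheme$params$salt$digest (example format)."""
    salt = os.urandom(16)  # fresh random salt: identical passwords get different hashes
    pw = password.encode("utf-8")
    if scheme == "scrypt":
        digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    elif scheme == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=32)
        params = str(PBKDF2_ITERATIONS)
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return f"${scheme}${params}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        _, scheme, params, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record: reject rather than crash
    pw = password.encode("utf-8")
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        candidate = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=len(expected))
    elif scheme == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, int(params), dklen=len(expected))
    else:
        return False
    # hmac.compare_digest does not leak where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than the current ones."""
    try:
        _, scheme, params, _, _ = stored.split("$")
    except ValueError:
        return True
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
    if scheme == "pbkdf2":
        return int(params) < PBKDF2_ITERATIONS
    return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
```

The usual pattern on login is: verify, and if `needs_rehash` is true for the stored record, hash the just-verified password again with the current parameters and overwrite the record, so work factors can be raised without a password reset.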
- TO MANAGE SERVERS USING SSH, USE KEYS TO LOG IN, DISABLE PASSWORDS
Bind the key fingerprint to the server it belongs to with SSHFP records in DNS, ideally in combination with DNSSEC, which guarantees the authenticity of the response carrying the SSHFP record.
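An SSHFP record is just a hash of the server's host key in wire format, tagged with an algorithm number and a hash type. OpenSSH's `ssh-keygen -r hostname` generates the records and a client with `VerifyHostKeyDNS yes` checks them; the added example below (not from the page or from OpenSSH) computes the same RDATA from a public-key or known_hosts line and checks a presented key against a record as `dig` prints it, so an administrator can confirm what is being published. The Ed25519 key material is a constructed dummy, not a real host key, and the DNSSEC validation of the lookup is assumed to happen in the resolver.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm and fingerprint-type code points (RFC 4255, 6594, 7479, 8709).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
SSHFP_FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _wire_key(line: str):
    """Return (keytype, blob) from a public-key file line or a known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in SSHFP_ALGORITHMS:
            blob = base64.b64decode(fields[i + 1])
            # The wire blob begins with a length-prefixed copy of the key type; cross-check it.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode("ascii"):
                raise ValueError("key blob does not match the declared key type")
            return field, blob
    raise ValueError("no supported SSH public key on this line")


def sshfp_rdata(line: str, fp_type: int = 2) -> str:
    """RDATA 'algorithm fptype hex' for the key on `line`; fp_type 2 is SHA-256."""
    keytype, blob = _wire_key(line)
    return f"{SSHFP_ALGORITHMS[keytype]} {fp_type} {SSHFP_FP_TYPES[fp_type](blob).hexdigest()}"


def sshfp_matches(line: str, rdata: str) -> bool:
    """True if the key on `line` is the one an SSHFP record describes.

    Accepts RDATA as dig prints it: the hex may be upper-case or split by spaces.
    """
    parts = rdata.split()
    if len(parts) < 3:
        return False
    try:
        alg, fp_type = int(parts[0]), int(parts[1])
        keytype, blob = _wire_key(line)
    except ValueError:
        return False
    if fp_type not in SSHFP_FP_TYPES or SSHFP_ALGORITHMS[keytype] != alg:
        return False
    published = "".join(parts[2:]).lower()
    return hmac.compare_digest(SSHFP_FP_TYPES[fp_type](blob).hexdigest(), published)


def _constructed_ed25519_line(key32: bytes, comment: str) -> str:
    """Build a public-key line around a dummy 32-byte value (constructed, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key32
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


EXAMPLE_PUBKEY_LINE = _constructed_ed25519_line(bytes(range(32)), "root@srv.example")
EXAMPLE_KNOWN_HOSTS_LINE = "srv.example,192.0.2.10 " + EXAMPLE_PUBKEY_LINE.rsplit(" ", 1)[0]
EXAMPLE_OTHER_LINE = _constructed_ed25519_line(bytes(range(1, 33)), "root@other.example")

if __name__ == "__main__":
    print("srv.example. IN SSHFP", sshfp_rdata(EXAMPLE_PUBKEY_LINE))
```

Publishing the record is only half of the binding: a client that asks a resolver without DNSSEC validation can be handed a forged SSHFP answer along with a forged host key, which is why the text pairs SSHFP with DNSSEC.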
- HARDEN THE CONFIGURATION OF SERVER APPLICATIONS
Server applications include databases, web applications, CRM systems, accounting systems, HR systems, and other systems that store data.
- RESTRICT ACCESS TO SERVER MESSAGE BLOCK (SMB) AND NETBIOS
Do so on workstations and servers, and wherever else it is possible.
- ENSURE PHYSICAL SECURITY OF IT
This can mean, for example, physically securing the server room and fitting end stations with protective seals preventing unauthorized hardware modifications.
The advice listed is based on recommendations issued by The National Cyber and Information Security Agency.