Forwarded from: Elizabeth Lennon <elizabeth.lennon (at) nist.gov>

ITL BULLETIN FOR OCTOBER 2008

KEEPING INFORMATION TECHNOLOGY (IT) SYSTEM SERVERS SECURE: A GENERAL GUIDE TO GOOD PRACTICES

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce

Organizations rely on the servers in their IT networks to provide a wide variety of services to internal and external users, including email, database, infrastructure management, and file server functions. Servers are the software applications that make information available over the Internet and other networks. A file server, for example, provides file sharing services enabling users to access, modify, store, and delete files. A database server provides database services for web applications on web servers. Many servers also store or process sensitive information for the organization's internal users. Since their servers perform so many basic functions, organizations have a fundamental interest in implementing and maintaining secure server operations.

The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently issued a new publication that addresses the general security issues related to typical organizational servers.

NIST Special Publication (SP) 800-123, Guide to General Server Security: Recommendations of the National Institute of Standards and Technology

Issued in July 2008, NIST SP 800-123, Guide to General Server Security: Recommendations of the National Institute of Standards and Technology, was written by Karen Scarfone and Wayne Jansen of NIST and by Miles Tracy of Federal Reserve Information Technology. The guide helps organizations select, implement, and maintain security controls for their servers, such as those that provide web and email services.
The guide concentrates on needed activities for implementing and maintaining the security of servers that provide services over network communications as their main function. Topics covered in the guide include common server vulnerabilities and threats, and the different environments in which servers are deployed. Also discussed are requirements to protect servers, how those requirements can be categorized and how appropriate security controls can be determined. One section provides an overview of the basic steps that an organization should take to ensure the security of a server and explains the fundamental principles of server security.

The focus of the guide is on general security issues for both servers that are accessible to the public and servers that provide internal services to the organization's staff. These servers mostly use general operating systems such as UNIX, Linux, and Windows. Host servers that incidentally provide one or a few services for maintenance or accessibility purposes, such as a remote access service for remote troubleshooting, are not covered.

Specific issues related to web servers, email servers, and other specialized servers are covered in other NIST publications, including NIST SP 800-44, Version 2, Guidelines on Securing Public Web Servers, and NIST SP 800-45, Version 2, Guidelines on Electronic Mail Security. See the More Information section at the end of this bulletin for details about these and other guides and standards.

The appendices to the guide include a glossary of the terms and an explanation of the acronyms and abbreviations used in the publication. Another section of the appendices provides a list of NIST resources that help users to understand general server security.

NIST SP 800-123 is available at http://csrc.nist.gov/publications/PubsSPs.html.

Security of Servers

Servers are frequently targeted for attack because of the value of their data and services, such as personally identifiable information that could be used in identity theft. Some of the common security threats to servers include:

    * Malicious attackers may exploit software bugs in the server or its underlying operating system to gain unauthorized access to the server;
    * Denial of service (DoS) attacks may be directed to the server or its supporting network infrastructure, denying or hindering valid users from making use of its services;
    * Sensitive information on the server may be read by unauthorized individuals or changed in an unauthorized manner;
    * Sensitive information transmitted unencrypted or weakly encrypted between the server and the client may be intercepted;
    * Malicious attackers may gain unauthorized access to resources elsewhere in the organization's network via a successful attack on the server; and
    * Malicious attackers may attack other entities after compromising a server. These attacks can be launched directly, such as from the compromised host against an external server, or indirectly, such as through the placement of malicious content on the compromised server in order to exploit vulnerabilities in the clients of the users accessing the server.

How to Install, Configure, and Maintain Secure Servers

To implement and maintain secure servers, organizations should:

    * secure, install, and configure the underlying operating system;
    * secure, install, and configure the server software; and
    * maintain the secure configuration through application of appropriate patches and upgrades, security testing, monitoring of logs, and backups of data and operating system files.

NIST recommends that organizations follow these guidelines for installing, configuring, and maintaining secure servers:

* Carefully plan and address the security aspects of the deployment of a server.

Because it is much more difficult to address security once deployment and implementation have occurred, security should be carefully considered from the initial planning stage. Organizations are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support server administrators in making the inevitable trade-off decisions between usability, performance, and risk.

Organizations often fail to consider the human resource requirements for both the deployment and operational phases of the server and supporting infrastructure, and should address the following points in their deployment plan:

    * the types of personnel required, such as system and server administrators, network administrators, and information systems security officers (ISSOs);
    * the skills and training required by assigned personnel; and
    * the individual level of effort required of specific staff members and the collective staffing or overall level of effort required of all staff members.

* Implement appropriate security management practices and controls when maintaining and operating a secure server.

Appropriate management practices are essential to operating and maintaining a secure server. Good security practices involve identifying an organization's information system assets and developing, documenting, and implementing policies, standards, procedures, and guidelines that help to ensure the confidentiality, integrity, and availability of information system resources.

Essential components for ensuring the security of servers and supporting network infrastructures include:

    * an organization-wide information system security policy;
    * configuration/change control and management;
    * risk assessment and management practices;
    * standardized software configurations that satisfy the organization's information system security policy;
    * security awareness and training activities;
    * contingency planning, continuity of operations planning, and disaster recovery planning; and
    * certification and accreditation.

* Ensure that the server operating system is deployed, configured, and managed to meet the security requirements of the organization.

The first step in securing a server is securing the underlying operating system. Most commonly available servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying the servers are configured appropriately. Default hardware and software configurations are often set by manufacturers to emphasize features, functions, and ease of use, at the expense of security. Because manufacturers are not aware of each organization's security needs, server administrators must configure new servers to reflect their organization's security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can assist administrators in securing servers consistently and efficiently.

The following steps are important in securing an operating system:

    * patch and upgrade the operating system;
    * remove or disable unnecessary services, applications, and network protocols;
    * configure operating system user authentication;
    * configure resource controls;
    * install and configure additional security controls, if needed; and
    * perform security testing of the operating system.

* Ensure that the server application is deployed, configured, and managed to meet the security requirements of the organization.

In many respects, the steps for the secure installation and configuration of the server application will be very similar to the steps for securing the server's operating system. A fundamental principle for organizations is to install the minimal amount of services required and to eliminate any known vulnerabilities through patches or upgrades. Unnecessary applications, services, or scripts that may have been installed should be removed immediately after the installation process concludes.

To secure the server application, organizations should:

    * patch and upgrade the server application;
    * remove or disable unnecessary services, applications, and sample content;
    * configure server user authentication and access controls;
    * configure server resource controls; and
    * test the security of the server application and the server content, if applicable.

Many servers also use authentication and encryption technologies to restrict access to the server and to protect information transmitted between the server and its clients. Organizations should periodically examine the services and information accessible on the server and determine the necessary security requirements to protect the services and information. Organizations should also be prepared to implement stronger cryptographic techniques if weaknesses are identified in their servers' existing cryptographic technologies. For example, NIST has recommended that use of the Secure Hash Algorithm 1 (SHA-1) be phased out by 2010 in favor of SHA-224, SHA-256, and other larger, stronger hash functions. For information about federal requirements for the implementation of cryptographic techniques, see the More Information section at the end of this bulletin.

* Commit to an ongoing process of maintaining the security of servers so as to ensure continued security.

The maintenance of a secure server requires constant effort, resources, and vigilance on the part of an organization.
Essential activities that support the secure administration of servers include:

    * configure, protect, and analyze log files on an ongoing and frequent basis;
    * back up critical information frequently;
    * establish and follow procedures for recovering from compromise;
    * test and apply patches in a timely manner; and
    * test security periodically.

More Information

Publications developed by NIST help information management and information security personnel in planning and implementing a comprehensive approach to information security. The general security of servers depends upon attention to basic issues such as security planning, certification and accreditation, risk management, categorization of systems, and use of security controls. Organizations can draw upon NIST standards and guidelines on these issues, including:

FIPS 180-2, Secure Hash Standard, specifies four secure hash algorithms - SHA-1, SHA-256, SHA-384, and SHA-512 - for computing a condensed representation of electronic data such as an electronic message. This standard has been proposed for revision. See the Federal Information Processing Standards (FIPS) tab on the web page noted below for more details.

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, requires that agencies determine minimum security requirements after they have categorized their systems, and select an appropriate set of security controls to satisfy the minimum requirements. Security controls are specified in NIST SP 800-53.

NIST SP 800-30, Risk Management Guide for Information Technology Systems, provides guidance to organizations in identifying the risks to their missions brought about by the use of information systems, assessing the risks, and taking steps to reduce the risks to an acceptable level.

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, recommends procedures for the security certification and accreditation of information systems.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides guidance in selecting, specifying, and tailoring security controls that will provide an appropriate level of security, based on the organization's assessments of mission risk.

NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, recommends assessment methods and procedures that can be used to determine if the security controls selected by the organization are implemented correctly, operating as intended, and meeting the security requirements of the organization.

NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Controls Process, presents common criteria that organizations can use to prioritize security activities and ensure that identified corrective actions are incorporated into the capital planning process for cost-effective information security.

NIST SP 800-100, Information Security Handbook: A Guide for Managers, reviews the components essential to establishing and implementing effective information security programs to help managers select and implement appropriate security controls.

For information about specific server security issues, see:

NIST SP 800-44, Version 2, Guidelines on Securing Public Web Servers, advises organizations on managing the secure operation of their web servers and their web browsers.

NIST SP 800-45, Version 2, Guidelines on Electronic Mail Security, recommends security practices for designing, implementing, and operating email systems on public and private networks.

NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide, explains the secure deployment of DNS services in an organization and provides practical guidance on securing each aspect of DNS based on analysis of the operating environment and associated threats.

For information about NIST standards and guidelines that are listed above, as well as other security-related publications that support server security activities, see NIST's web page: http://csrc.nist.gov/publications/index.html.

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.

Received on Wed Oct 29 2008 - 22:04:19 PDT