5/9/2018 jiten.

fj2000's 12:29PM checklist | Process Street

jiten.fj2000's 12:29PM checklist

Created by jiten.fj2000 May 9 at 12:26PM
Completed by jiten.fj2000 May 9 at 12:29PM

Assignees

JF jiten.fj2000


Task Summary 0/56

1 Introduction

2 Server identification and location:

3 Record basic details

4 Note the date of completion

5 Obtain the signature of the server operator

6 Record the date of the next review schedule

7 Get the manager’s signature

8 Note the date of the manager's signature

9 Secure Network and Physical Environment:

10 Ensure a restricted access area

11 Check non-removable media configuration

12 Set up a restricted network environment

13 Ensure the correct banner display

14 Patching and Server Maintenance:

15 Check maintenance process documentation

16 Check vendor-supported OS and application patches

17 Check other operating systems or applications

18 Monitor the timetable for service packs and patch rollups

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 1/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

19 Ensure patch application integration

20 Check the inventory process for current patches

21 Ensure a solid patch installation monitoring process

22 Logging:

23 Verify real time server configuration

24 Document routine log monitoring

25 Ensure a monthly logging process review

26 Implement a log monitoring schedule

27 OS/application information configuration

28 Disable private information logging

29 Check for real time logging on a secured server

30 System Integrity Controls:

31 Limit changes to start-up procedures

32 Revise documentation of server control process

33 Disable unused services

34 Check your anti-virus software

35 Enable host firewall

36 Activate HIPS

37 Ensure that there is and authentication server

38 Activate hardware-based system integrity control

39 Vulnerability Assessment:

40 Check for the presence of pre-production assessments

41 Ensure the server has been scanned

42 File the configuration reports

43 Update the system configuration

44 Review system configuration vulnerability

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 2/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

45 Authorize ISO vulnerability scanners

46 Authentication and Access Control:

47 Review documentation on trust relationships

48 Modify all default passwords

49 Configure strong user authentication

50 Configure Data Access Control

51 Document the access authorization process

52 Activate Generic or persistent guest accounts

53 Backup, Restore, and Business Continuity:

54 Back up all critical data

55 Document backup files

56 Verify backup procedures

57 Verify offsite backups

58 Check backup media

59 Applications Administration:

60 Secure documentation of applications/modules

61 Check there is an application admin systems administrator

62 Risk Management System:

63 Ensure server registration

64 Check for hardware replacement and retirement

65 Check server administration

66 High Performance and Distributed Computing server participation

67 Sources:

68 Relevant Checklists:

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 3/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

1 Introduction

There is absolutely no question that if you are running a server, you must ensure that it is locked up tight against security
threats (http://www.csoonline.com/article/2130877/data-protection/data-protection-the-15-worst-data-security-breaches-
of-the-21st-century.html).

Hence why we here at Process Street (http://process.st/) came up with this server security checklist! Never again be afraid of
missing a potential entry point or vulnerability when deploying a new server, or when auditing
(https://www.process.st/checklist/sql-server-audit-checklist/) an existing one!

Let's get started with locking your servers down tightly.

 jiten.fj2000 checked a task "Introduction". May 9 at 12:26PM

 jiten.fj2000 unchecked a task "Introduction". May 9 at 12:26PM

2 Server identification and location:

3 Record basic details

Kicking off the server security checklist, you need to identify and record the server and its location. Do so by filling in the
form fields below.

Server ID

Server Location

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 4/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

 jiten.fj2000 checked a task "Record basic details". May 9 at 12:26PM

 jiten.fj2000 unchecked a task "Record basic details". May 9 at 12:26PM

4 Note the date of completion

Next, make sure that you take note of the date of completion. Once again, we have a b to make sure that you'll always
have this information handy.

Date of Completion

 Wed May 9 2018 at 12:31AM UTC

5 Obtain the signature of the server operator

Now you need to ensure that the server operator's signature is posted. Record a copy of this using the form field below.

Server Operator's Signature

6 Record the date of the next review schedule

Next, make sure that the date of the upcoming review schedule is recorded. Use the form field b

Upcoming Review Schedule

 Wed May 9 2018 at 12:31AM UTC

7 Get the manager’s signature

You're almost done with the server identification and location checks! Now you need to verify that the manager has signed
the checklist. Do so by recording their signature with the form field below.

Manager's Signature

8 Note the date of the manager's signature

The final step in this section is to verify that the date of signature is recorded. Once again, we have a form field set up and
ready to go for just this purpose.

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 5/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

Manager Signature Date

 Wed May 9 2018 at 12:31AM UTC

9 Secure Network and Physical Environment:

10 Ensure a restricted access area

The first true security server checklist measure is to ensure that the server has restricted access.

This could be done by checking that the server is secured in a locked file or in an area with restricted access.

11 Check non-removable media configuration

Next, make sure that all non-removable media is configured with the file systems and the access controls are activated.   
   

12 Set up a restricted network environment

Now you need to set up the server in an environment with appropriately restricted network access.

Note that this may have already been achieved, but if so you still need to check that this is the case.

13 Ensure the correct banner display

You also need to ensure that the trespassing banner is displayed at login.

14 Patching and Server Maintenance:

15 Check maintenance process documentation

Ongoing maintenance is a key aspect in any decent server security checklist, and so you must make sure that the
maintenance process is documented and followed.

If you do not have a set maintenance process, don't worry! We've got you covered with our very own server maintenance
checklist (https://www.process.st/checklist/server-maintenance-checklist/).

16 Check vendor-supported OS and application patches

Now it's time to check for vendor-supported operating systems and application patches.

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 6/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

These should always be available to RIT.

17 Check other operating systems or applications

Next, you should ensure that all other operating systems or applications have exception requests or approval.

Operating systems or applications that are no longer supported by the vendor (or an open source community) should
have a pending exception request or be approved by the ISO.

18 Monitor the timetable for service packs and patch rollups

Although your maintenance process should take care of this issue, you must at least check that patches and patch clusters
are routinely applied.

This step is primarily a check to ensure that your server has a reasonable timetable for routine application of patches and
patch clusters (service packs and patch rollups). If they are not being implemented, rectify this immediately.

19 Ensure patch application integration

The next step in the server security checklist is to ensure smooth patch application integration.

Check to verify that vendor patches, along with the patch application connected into a documented server maintenance
process, support the systems.  

20 Check the inventory process for current patches

Now you need to make sure that there is a process to inventory the current level of patches specific to this server.

21 Ensure a solid patch installation monitoring process

The final step to checking your patching and general server maintenance is to check in on your patch installation process.

Primarily, you should make sure that there is a process for monitoring patch installation failures, and that any such
failures are securely documented (and dealt with).

22 Logging:

23 Verify real time server configuration

Kicking off our logging section, you need to check to verify that the server is configured, with appropriate real-time
OS/application logging turned on.

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 7/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

24 Document routine log monitoring

Although this should already be being carried out, make sure that there is a documented process for routine log
monitoring and analysis.

25 Ensure a monthly logging process review

There's no point in logging various aspects of your server if you don't review them. Whilst you may not be reviewing them
right now, you must at least check that this is occurring frequently.

Reviews should be undertaken frequently to ensure the effectiveness of the server logging process - we would recommend
at least once per month. 

26 Implement a log monitoring schedule

Once again, although this should already be taking place, you need to make sure that there is a schedule for log
monitoring of the server.

27 OS/application information configuration

Ensure that logging has been configured to include at least 2 weeks of related OS/application information.  

 The logging elements include:

1 All authentication

2 Privilege escalation

3 User additions and deletions

4 Access control changes

5 Job schedule start-up

6 System integrity information

7 Log entries must be time and date stamped

28 Disable private information logging

Now ensure that all deliberate logging of private information, such as passwords, has been disabled.

29 Check for real time logging on a secured server

Logging needs to be reflected in real time and stored on another secure server, and so this is what you must check is
occurring.

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 8/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

30 System Integrity Controls:

31 Limit changes to start-up procedures

Onto the system integrity controls! Your system should be configured to limit changes to start-up procedures.

If this has not already been done, do so now.

32 Revise documentation of server control process

Next, make sure that there is a documented change control process for system configurations.

33 Disable unused services

This step is exactly what it says on the tin; you need to disable all unused services.

34 Check your anti-virus software

Next up, make sure that anti-virus software and definitions are existing and updated.

35 Enable host firewall

If you have not already, you need to install and enable the server with a host firewall.

Once again, although it is very likely that this step has already been completed, you need to at least check that everything
is above board and running as expected.

36 Activate HIPS

Now you need to check whether host-based intrusion prevention software (HIPS (http://en.wikipedia.org/wiki/Host-
based_intrusion_detection_system)) is activated. If not, activate it immediately.

37 Ensure that there is and authentication server

Next up in the server security checklist is to identify that there is an authentication server.

HIPS is needed for authentication servers, hence why the previous step was to activate the software.

38 Activate hardware-based system integrity control

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 9/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

Whilst this may not always be available, you need to activate hardware-based system integrity control. Use the
dropdown below to record the status of this step.

Hardware-Based System Integrity Control

Select an option

If this service is unavailable, you need to record that this is the case to prevent confusion down the line, hence why this
feature necessitates a dropdown whereas previous features do not; it is not always possible, but you need to record it if that
is the case.

39 Vulnerability Assessment:

40 Check for the presence of pre-production assessments

No server should move to production without either a pre-production configuration or vulnerability assessment, and so
here is where you must check for its existence.

Remember that both the server and its services must have these pre-production checks, so be sure not to forget either in
your checks.

41 Ensure the server has been scanned

Much like the pre-production checks, your server needs to have been scanned using an ISO-approved vulnerability
scanner - here is where you must check for past and upcoming scans. If your server is due a scan, carry this out now. 

Next Vulnerability Scan

 Wed May 9 2018 at 12:31AM UTC

The server needs to have been scanned with this before and after being transferred to production, along with regular
scans according to an ISO-specified schedule afterwards.

Even if a scan is not due, record the date of the next scan in the date form field above.

42 File the configuration reports

Next up in our list is to check that the configuration reports (or vulnerability assessment report) have been copied and
filed. This is primarily to ensure ease of access for any possible future reference by the ISO.

Config / Vulnerability Report Location

The copy of the configuration and/or vulnerability assessment report accomplished at initial server configuration should be
well documented - ideally by using the form field above.

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 10/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

43 Update the system configuration

Now you need to update the system's configuration! 

After vulnerabilities with the CVSS score results of 7 or greater are announced, the corresponding patches and/or
configurations are updated within one working day, so even if you're sure that you're up to date, it's worth a check.

44 Review system configuration vulnerability

If no CVSS (https://www.first.org/cvss)applies to a detected vulnerability then you need to make sure that is it
reviewed for remote exploitation.

45 Authorize ISO vulnerability scanners

The ISO must always be authorized to conduct vulnerability scanning for this server, and so now you must double
check that this is the case.

46 Authentication and Access Control:

47 Review documentation on trust relationships

Kicking off the authentication and access control section of our server security checklist is a review of all trust
relationships.

You need to identify and review all trust relationships, especially concerning the documentation of them. If something isn't
up to scratch or documented well, rectify this and carry on.

48 Modify all default passwords

Although this is another step which should have been done immediately following the server's setup, all manufacturer and
default passwords need to have been modified and you need to ensure this.

One of the worst things you can do when attempting to lock down a server's security is to leave the default passwords -
everyone and their grandmother will be able to guess them! Make sure that all passwords are also recorded somewhere
(even if it's pen and paper, though this is far from advisable).

49 Configure strong user authentication

Now you need to configure strong authentication for all users with root or administrator system privileges. Again, this
should be done immediately upon setup, but you should always check - better safe than sorry.

Refer to the ISO website for a list of strong authentication practices

(http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_tc_browse.htm?commid=45306).

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 11/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

50 Configure Data Access Control

Configure your Access Control to allow only authorized, authenticated access to the system and its applications and data.

51 Document the access authorization process

Next on our list is to make sure that there is a documented process for granting and removing authorized access.

This will not only ensure that there are no mistakes in the process, but it will also provide invaluable records should a
problem occur.

52 Activate Generic or persistent guest accounts

The final step in this authentication segment is to ensure that generic or persistent guest accounts allowing user
interactive logins have been activated.

53 Backup, Restore, and Business Continuity:

54 Back up all critical data

We can't say it enough; ensure that there is a backup of all Operationally Critical data!

55 Document backup files

Next, make sure that all servers with Operationally Critical data have documented back-ups, system and application
restoration (including configurations) and data restoration procedures to support business continuity and disaster
recovery planning.

56 Verify backup procedures

Make sure that backup procedures are verified at least monthly through automated verification, customer restores, or
through trial restores. Store the date of the next scheduled back in the form field below to avoid losing track!

Next Backup Procedure Verification

 Wed May 9 2018 at 12:31AM UTC

57 Verify offsite backups

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 12/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

Check to verify that backups are not being stored solely in the same building where the Operationally Critical data is
located. That way, in the event of an emergency you'll always have an offsite backup ready to go to help you get back on
your feet.

58 Check backup media

Make sure that backups have been made readily accessible and that backup media is compliant with the Portable
Media Security Standard.

Check to verify that the application administrator is responsible for application-specific aspects, ensuring that the
application is in compliance with the server standard where applicable.

59 Applications Administration:

60 Secure documentation of applications/modules

Check to verify that the applications/module administrator is responsible for ensuring the security of
applications/modules.

61 Check there is an application admin systems administrator

Make sure, for each application, the application owner identifies an application administrator systems administrator.
These administrators must be approved by their management.

62 Risk Management System:

63 Ensure server registration

Make sure that the server has network access and has been registered in an ISO-approved registration system.

64 Check for hardware replacement and retirement

Check to verify if any server storage media and/or devices containing RIT Confidential have been removed or replaced.
Record these changes in the form fields below.

Replaced Server Hardware

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 13/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

Retired Server Hardware

65 Check server administration

Make sure that all computers used to administer servers conform to the requirements for RIT-owned or computers as
stated in the Desktop and Portable Computer Security Standard.
(https://www.rit.edu/security/sites/rit.edu.security/files/Desktop%20Standard-%202014.pdf)

66 High Performance and Distributed Computing server participation

Finally, check to verify that the server participates in High Performance/Distributed Computing/Grid computing.

Congratulations! You've completed the server security checklist and can sit safe in the knowledge that your server's as safe
as safe can be.

67 Sources:

Taylor Armerding (https://twitter.com/tarmerding2) - The 15 worst data security breaches of the 21st Century
(http://www.csoonline.com/article/2130877/data-protection/data-protection-the-15-worst-data-security-breaches-of-the-
21st-century.html)

68 Relevant Checklists:

Inventory Management Process (https://www.process.st/checklist/inventory-management-process/)

Network Security Management (https://www.process.st/checklist/network-security-management/)

Client Data Backup Best Practices (https://www.process.st/checklist/client-data-backup-best-practices/)

Computer Maintenance Guide (https://www.process.st/checklist/computer-maintenance-guide/)

Server Setup Process (https://www.process.st/checklist/ubuntu-server-setup-process/)

Virtual Private Server Setup (https://www.process.st/checklist/virtual-private-server-setup/)

IT Support Process (https://www.process.st/checklist/it-support-process/)

Helpdesk Management (https://www.process.st/checklist/helpdesk-management/)

Server Maintenance Checklist (https://www.process.st/checklist/server-maintenance-checklist/)

Information Security Incident Response (https://www.process.st/checklist/information-security-incident-response/)

SQL Server Audit Checklist (https://www.process.st/checklist/sql-server-audit-checklist/)

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 14/15
5/9/2018 jiten.fj2000's 12:29PM checklist | Process Street

https://app.process.st/checklists/llnPDFHnjMS4K3Dpb8RPxw/print 15/15