S 3.101 General server
Description
Servers are IT systems that provide services to other IT systems (clients) in the network. They are typically operated in central, specially secured rooms, for example in server rooms or computer centres, and are not used as workstation computers. Various operating systems are available for servers, for example Unix and Linux, Microsoft Windows, and Novell Netware, among others. This module examines security aspects relevant to servers that are independent of the operating system used. There are separate modules for operating system-specific security aspects in the IT-Grundschutz Catalogues that should be applied in addition to this module to the corresponding servers. The security aspects relating specifically to the use of servers in networks are handled in module S 4.1 Heterogeneous networks.
Threat scenario
Like every IT system, a server is exposed to a wide variety of risks. In general, it is always true that the threat scenarios for individual computers also depend on the operational scenario, e.g. if they are used as a data server, terminal server, or authentication server, and that each of these individual threats also poses a threat to the overall system.
The following typical threats to the IT-Grundschutz of a server are assumed to exist:
Force Majeure
| T 1.1 | Loss of personnel |
| T 1.2 | Failure of the IT system |
Organisational Shortcomings
| T 2.7 | Unauthorised use of rights |
| T 2.9 | Poor adjustment to changes in the use of IT |
| T 2.36 | Inappropriate restriction of user environment |
Human Error
| T 3.2 | Negligent destruction of equipment or data |
| T 3.3 | Non-compliance with IT security measures |
| T 3.5 | Inadvertent damaging of cables |
| T 3.6 | Hazards posed by cleaning staff or outside staff |
| T 3.8 | Improper use of the IT system |
| T 3.9 | Improper IT system administration |
Technical Failure
| T 4.1 | Disruption of power supply |
| T 4.6 | Voltage fluctuations / overvoltage / undervoltage |
| T 4.7 | Defective data media |
| T 4.10 | Complexity of access possibilities to networked IT systems |
| T 4.13 | Loss of stored data |
| T 4.20 | Overloaded information systems |
| T 4.22 | Software vulnerabilities or errors |
| T 4.39 | Software design errors |
Deliberate Acts
| T 5.1 | Manipulation or destruction of equipment or accessories |
| T 5.2 | Manipulation of information or software |
| T 5.7 | Line tapping |
| T 5.9 | Unauthorised use of IT systems |
| T 5.18 | Systematic trying-out of passwords |
| T 5.19 | Abuse of user rights |
| T 5.20 | Misuse of administrator rights |
| T 5.21 | Trojan horses |
| T 5.23 | Malicious software |
| T 5.26 | Analysis of the message flow |
| T 5.40 | Monitoring rooms using computers equipped with microphones and cameras |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.75 | Overload due to incoming e-mails |
| T 5.85 | Loss of integrity of information that should be protected |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards need to be implemented to set up a server successfully, starting with the design and installation and continuing through operation of the server. Special emphasis should be placed in this case on the design and planning safeguards if the server will be installed as part of a new server-based network. However, if the server will be installed to expand an existing network, then the planning safeguards can often be limited to checking the new server for compatibility with the existing infrastructure. The safeguards for purchasing and operation of the server must be implemented in all cases, though. The steps to take to protect a server as well as the safeguards to consider in each step are listed in the following.
Planning and design
Before actually starting planning, it is necessary to define and/or analyse the general architecture of the network. The requirements for the operating systems (server and client) to be used result from this analysis. In particular, it is necessary to specify which tasks will be performed by the server to be installed. To specify these tasks, you must first describe the expected operational scenarios and define the purpose of the server.
If a new network will be built, then the first step is to plan the overall structure of the network, in which case questions such as which network topology should be implemented and relating to the degree of server centralisation (terminal server, "classic" client/server architecture, or using peer-to-peer functionality) must be answered. To answer these questions, refer to the safeguards in module S 1.9 Hardware and software management.
In the next step, the operating systems to be used at the server and client level are specified and, if necessary, specific versions of the operating systems are selected (e.g. Windows XP or Windows 2000, Linux or a proprietary version of Unix).
When building a new network, the detailed structure of the network must be planned since it is used as an exact technical basis for all following tasks. The number of servers and how they will interact must be defined. The purpose of each server and how each server will be used by the clients must be specified. Based on the availability requirements, the level of redundancy planned for the structures in the network must be specified. This also includes specifications necessary for the infrastructure (especially in terms of air conditioning and power supplies, see S 1.28 Local uninterruptible power supply). At the same time, a general security policy must be created (see S 2.316 Defining a security policy for a general server) that is then extended afterwards by adding system-specific security policies and detailed usage guidelines for the hardware and software in the network (see the modules for the corresponding server operating systems for more information).
Purchasing
In the next step, the software and any additional hardware needed is purchased. Based on the operational scenarios, the requirements for the products to be purchased must be formulated, and the products must be selected based on these requirements. The purchase of these products forms the basis for the tasks to be performed in the next step.
Implementation
The users and administrators have a very significant influence on the security of a server. Before actually putting the servers into operation for the first time, the users and administrators must be trained in the handling and use of the servers to be installed. Intensive training is especially recommended for administrators due to the complexity involved in planning and administration. The administrators should have detailed knowledge of the system after training in order to guarantee consistent and correct system administration. Users should be trained on the use of the security mechanisms available in particular. Refer to the safeguards in module S 1.13 Information security awareness and training.
Once the preliminary organisational and planning tasks have been completed, the server can be installed and put into operation. The following safeguards must be taken into account during installation and commissioning:
- Special care must be taken when installing and specifying the basic configuration of a server to avoid making mistakes right at the start that are hard to correct later. General information on installation and configuration can be found in S 2.318 Secure installation of an IT system and S 4.237 Secure basic configuration of IT systems.
In addition to the general safeguards described in this module, there are other more detailed safeguards to be implemented. The recommended safeguards can be found in the modules for the particular operating systems. - After the installation and basic configuration of the server, it may be necessary to configure higher-level administration structures. Among other things, the actual purpose of each server, for example if you plan to use it as a file server, print server, or in the case of thin clients, as a terminal server, also affects these configurations. Safeguard S 2.138 Structured data storage is especially important in this regard to guarantee the ability to monitor the operation of the server.
- After completing the installation and basic configuration of the server, the actual server software can be installed and configured. The installation and configuration steps necessary may differ significantly depending on the type and purpose of the software, and some of these steps are handled in separate modules. In general, it is recommended to follow the same approach for the installation and configuration of the server software as followed for the configuration of the operating system itself:
- Draw up an installation concept
- If several servers with a similar range of applications and configuration are to be installed, draw up a reference installation
- Installation, basic configuration and updating
- Testing
Detailed information on the security of various server applications can be found in the modules in Layer 5.
Operation
After the initial installation and a test operation phase, regular operations can be initiated. The following security aspects must be taken into account in this phase:
- Client/server networks change very frequently. Every time a change is made, it must be ensured that the security is not impaired after the change has been made. The detailed aspects to take into account when making changes are handled in the modules for the particular server operating system used. At the same time, it is necessary to ensure that the procedures for revoking authorisations and deleting data resources that are no longer needed are regulated so that no security gaps are opened through the use of obsolete structures. One of the most important aids in this regard is a comprehensive and efficient system administration that is based at all times on the current information on the state of the system and its permissions structure (see also S 4.24 Ensuring consistent system management and S 2.31 Documentation on authorised users and on rights profiles for more information).
- One method used in the framework of maintaining the security of a server is to monitor the system and its individual components. The safeguards related to monitoring can be found in S 4.93 Regular integrity checking, S 5.8 Regular security checks of the network. Data protection aspects play a particularly important role in this case. The security gaps often encountered in most client/server systems and the number of attacks directed precisely against these gaps require administrators to stay up-to-date at all times on the security status of the systems, to be fully informed of new threats (see S 2.35 Obtaining information on security weaknesses of the system), and to introduce countermeasures promptly (see also S 2.273 Prompt installation of security-relevant patches and updates for more information).
Disposal
A server cannot simply be switched off without prior notice. If a server needs to be withdrawn from operation, then the users must be informed in due time and a number of aspects need to be taken into account to prevent downtimes and losses of data. These aspects are described in S 2.320 Orderly withdrawal from operation of servers. If the services provided by the server will be migrated to another computer, then S 2.319 Migration of servers also needs to be taken into account.
When disposing of a server, it is also necessary to ensure that the hard disks do not contain any information requiring protection. It is not enough to just reformat the hard disks in this case, but instead the disks need to be completely overwritten at least once. It must be noted that the data stored on a hard disk is not removed by a logical delete operation, nor is it removed by reformatting the disk using the resources provided by the operating system installed, which means it is possible to reconstruct the data with suitable software, in many cases with little effort. Corresponding instructions can be found in S 2.13 Correct disposal of resources requiring protection, which is covered in the overall context of module S 1.1 Organisation, and in S 4.234 Orderly withdrawal from operation of IT systems and data media which is subsumed within module S 1.9 Hardware and software management.
The disposal of the server must be documented. Inventory lists and network plans must be updated, and if the disposal of a server results in structural changes to the IT system, then the security concept needs to be adapted accordingly.
Contingency Planning
Only regular and comprehensive data backups can reliably guarantee the ability to restore the availability of all data stored in case of malfunctions, hardware failures, or (intentional or unintentional) deletion. The necessary safeguards are described in module S 1.4 Data backup policy.
In addition to performing regular backups during operation, contingency planning also plays a particularly important role since this is the only way to reduce the damage resulting from an emergency. Information on contingency planning can be found in module S 1.3 Business continuity management. Contingency planning also includes planning how to handle security incidents, and this planning should be based on the safeguards in module S 1.8 Handling of security incidents. Some information on special aspects to take into account when planning for contingencies for a server are described in S 6.96 Contingency planning for a server.
It is assumed that the server will be installed in a server room (see module S 2.4 Server room), a server cabinet (see module S 2.7 Protective cabinets), or in a computer centre (see module S 2.9 Computer centre). The safeguards to be implemented for the server can be found in the corresponding operating system-specific modules. The same applies to the connected clients. The safeguards in module S 1.9 Hardware and software management always form the overall framework for the operation of server-based networks.
Furthermore, the following additional safeguards must be implemented:
Planning and design
| S 1.28 | (B) | Local uninterruptible power supply |
| S 2.314 | (Z) | Use of high-availability architectures for servers |
| S 2.315 | (A) | Planning the use of servers |
| S 2.316 | (A) | Defining a security policy for a general server |
| S 4.250 | (Z) | Selection of a central, network-based authentication service |
| S 4.432 | (A) | Secure configuration of server applications |
| S 5.10 | (A) | Restrictive granting of access rights |
| S 5.138 | (Z) | Usage of RADIUS servers |
Purchasing
| S 2.317 | (C) | Criteria for the procurement of servers |
Implementation
| S 2.32 | (Z) | Establishment of a restricted user environment |
| S 2.204 | (A) | Prevention of insecure network access |
| S 2.318 | (A) | Secure installation of an IT system |
| S 4.7 | (A) | Change of preset passwords |
| S 4.15 | (A) | Secure log-in |
| S 4.16 | (C) | Restriction on access to user IDs and/or terminals |
| S 4.17 | (A) | Blocking and erasure of unneeded accounts and terminals |
| S 4.40 | (C) | Preventing unauthorised use of computer microphones and cameras |
| S 4.97 | (Z) | One service per server |
| S 4.237 | (A) | Secure basic configuration of IT systems |
| S 4.305 | (B) | Use of storage restrictions (storage quotas) |
Operation
| S 2.22 | (Z) | Escrow of passwords |
| S 2.273 | (A) | Prompt installation of security-relevant patches and updates |
| S 4.24 | (A) | Ensuring consistent system management |
| S 4.93 | (Z) | Regular integrity checking |
| S 4.238 | (A) | Use of local packet filters |
| S 4.239 | (A) | Secure operation of a server |
| S 4.240 | (Z) | Setting up a testing environment for servers |
| S 5.8 | (B) | Regular security checks of the network |
| S 5.9 | (B) | Logging on the server |
Disposal
| S 2.319 | (C) | Migration of servers |
| S 2.320 | (A) | Orderly withdrawal from operation of servers |
Contingency Planning
| S 6.24 | (A) | Creating an emergency boot medium |
| S 6.96 | (A) | Contingency planning for a server |