S 3.101 General server


Description

Servers are IT systems that provide services to other IT systems (clients) in the network. They are typically operated in central, specially secured rooms such as server rooms or computer centres, and are not used as workstation computers. Various operating systems are available for servers, for example Unix and Linux, Microsoft Windows, or Novell NetWare. This module examines the security aspects of servers that are independent of the operating system used. The IT-Grundschutz Catalogues contain separate modules for operating system-specific security aspects, which must be applied to the corresponding servers in addition to this module. The security aspects relating specifically to the use of servers in networks are handled in module S 4.1 Heterogeneous networks.

Threat scenario

Like every IT system, a server is exposed to a wide variety of risks. The threats to an individual server also depend on its operational role, e.g. whether it is used as a data server, terminal server, or authentication server, and each threat to an individual server is also a threat to the overall system.

The following typical threats to the IT-Grundschutz of a server are assumed to exist:

Force Majeure

T 1.1 Loss of personnel
T 1.2 Failure of the IT system

Organisational Shortcomings

T 2.7 Unauthorised use of rights
T 2.9 Poor adjustment to changes in the use of IT
T 2.36 Inappropriate restriction of user environment

Human Error

T 3.2 Negligent destruction of equipment or data
T 3.3 Non-compliance with IT security measures
T 3.5 Inadvertent damaging of cables
T 3.6 Hazards posed by cleaning staff or outside staff
T 3.8 Improper use of the IT system
T 3.9 Improper IT system administration

Technical Failure

T 4.1 Disruption of power supply
T 4.6 Voltage fluctuations / overvoltage / undervoltage
T 4.7 Defective data media
T 4.10 Complexity of access possibilities to networked IT systems
T 4.13 Loss of stored data
T 4.20 Overloaded information systems
T 4.22 Software vulnerabilities or errors
T 4.39 Software design errors

Deliberate Acts

T 5.1 Manipulation or destruction of equipment or accessories
T 5.2 Manipulation of information or software
T 5.7 Line tapping
T 5.9 Unauthorised use of IT systems
T 5.18 Systematic trying-out of passwords
T 5.19 Abuse of user rights
T 5.20 Misuse of administrator rights
T 5.21 Trojan horses
T 5.23 Malicious software
T 5.26 Analysis of the message flow
T 5.40 Monitoring rooms using computers equipped with microphones and cameras
T 5.71 Loss of confidentiality of classified information
T 5.75 Overload due to incoming e-mails
T 5.85 Loss of integrity of information that should be protected

Method recommendation

To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

A series of safeguards need to be implemented to set up a server successfully, starting with the design and installation and continuing through operation of the server. Special emphasis should be placed in this case on the design and planning safeguards if the server will be installed as part of a new server-based network. However, if the server will be installed to expand an existing network, then the planning safeguards can often be limited to checking the new server for compatibility with the existing infrastructure. The safeguards for purchasing and operation of the server must be implemented in all cases, though. The steps to take to protect a server as well as the safeguards to consider in each step are listed in the following.

Planning and design

Before actually starting planning, it is necessary to define and/or analyse the general architecture of the network. The requirements for the operating systems (server and client) to be used result from this analysis. In particular, it is necessary to specify which tasks will be performed by the server to be installed. To specify these tasks, you must first describe the expected operational scenarios and define the purpose of the server.

If a new network is to be built, the first step is to plan its overall structure. This includes deciding which network topology to implement and what degree of server centralisation is wanted (terminal server, "classic" client/server architecture, or peer-to-peer functionality). The safeguards in module S 1.9 Hardware and software management help to answer these questions.

In the next step, the operating systems to be used at the server and client level are specified and, if necessary, specific versions of the operating systems are selected (e.g. Windows XP or Windows 2000, Linux or a proprietary version of Unix).

When building a new network, the detailed structure of the network must be planned since it is used as an exact technical basis for all following tasks. The number of servers and how they will interact must be defined. The purpose of each server and how each server will be used by the clients must be specified. Based on the availability requirements, the level of redundancy planned for the structures in the network must be specified. This also includes specifications necessary for the infrastructure (especially in terms of air conditioning and power supplies, see S 1.28 Local uninterruptible power supply). At the same time, a general security policy must be created (see S 2.316 Defining a security policy for a general server) that is then extended afterwards by adding system-specific security policies and detailed usage guidelines for the hardware and software in the network (see the modules for the corresponding server operating systems for more information).

Purchasing

In the next step, the software and any additional hardware needed is purchased. Based on the operational scenarios, the requirements for the products to be purchased must be formulated, and the products must be selected based on these requirements. The purchase of these products forms the basis for the tasks to be performed in the next step.

Implementation

The users and administrators have a very significant influence on the security of a server. Before actually putting the servers into operation for the first time, the users and administrators must be trained in the handling and use of the servers to be installed. Intensive training is especially recommended for administrators due to the complexity involved in planning and administration. The administrators should have detailed knowledge of the system after training in order to guarantee consistent and correct system administration. Users should be trained on the use of the security mechanisms available in particular. Refer to the safeguards in module S 1.13 Information security awareness and training.

Once the preliminary organisational and planning tasks have been completed, the server can be installed and put into operation. The safeguards listed under Implementation below must be taken into account during installation and commissioning.

Operation

After the initial installation and a test operation phase, regular operations can begin. The security aspects listed under Operation below must be taken into account in this phase.

Disposal

A server cannot simply be switched off without prior notice. If a server needs to be withdrawn from operation, then the users must be informed in due time and a number of aspects need to be taken into account to prevent downtimes and losses of data. These aspects are described in S 2.320 Orderly withdrawal from operation of servers. If the services provided by the server will be migrated to another computer, then S 2.319 Migration of servers also needs to be taken into account.

When disposing of a server, it is also necessary to ensure that its hard disks no longer contain any information requiring protection. Simply reformatting the hard disks is not enough; the disks must be completely overwritten at least once. Data stored on a hard disk is removed neither by a logical delete operation nor by reformatting the disk with the tools of the installed operating system, so it can be reconstructed with suitable software, in many cases with little effort. Corresponding instructions can be found in S 2.13 Correct disposal of resources requiring protection, which belongs to module S 1.1 Organisation, and in S 4.234 Orderly withdrawal from operation of IT systems and data media, which belongs to module S 1.9 Hardware and software management.
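The difference between reformatting and overwriting, shown as an added example that is not part of the catalogue: a Python script over a constructed disk-image file (the file names, the marker, and the 4 KiB metadata-only model of a quick reformat are assumptions) demonstrates that the protected data survives the reformat, then performs one complete overwrite pass and verifies it by reading every byte back.

```python
import os
import tempfile

SENSITIVE_MARKER = b"CONFIDENTIAL-CUSTOMER-RECORD"  # constructed stand-in for protected data
CHUNK = 1 << 16

def make_sample_disk(path: str, size: int = 1 << 20) -> None:
    # Constructed disk image: random filler with the marker in the middle.
    with open(path, "wb") as f:
        f.write(os.urandom(size // 2) + SENSITIVE_MARKER + os.urandom(size // 2))

def simulate_reformat(path: str) -> None:
    # Assumed model of a quick reformat or logical delete: only the first
    # 4 KiB of metadata are rewritten; the data area is left untouched.
    with open(path, "r+b") as f:
        f.write(b"\x00" * 4096)

def overwrite_device(path: str) -> int:
    # One complete pass of zeros over every byte, fsync'd; returns bytes written.
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            f.write(b"\x00" * min(CHUNK, size - off))
        f.flush()
        os.fsync(f.fileno())
    return size

def scan_image(path: str, marker: bytes = SENSITIVE_MARKER) -> tuple:
    # Read back every byte: does the marker survive anywhere (tail catches a
    # boundary-straddling match) and does the whole image now read as zeros?
    found, all_zero, tail = False, True, b""
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            found = found or marker in tail + block
            all_zero = all_zero and block.count(0) == len(block)
            tail = block[-(len(marker) - 1):]
    return found, all_zero

def disposal_check() -> dict:
    # Reformat, then overwrite, a temporary image and verify after each step.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "retired-server-disk.img")
        make_sample_disk(path)
        simulate_reformat(path)
        found_after_reformat, _ = scan_image(path)  # True: the data survived
        overwrite_device(path)
        found_after_overwrite, all_zero = scan_image(path)
        return {"marker_after_reformat": found_after_reformat,
                "marker_after_overwrite": found_after_overwrite,
                "fully_zeroed": all_zero}
```

The all-zero read-back is the check that carries over to a real disk, where no known marker is available: it confirms that every sector was actually written before the disk leaves the organisation.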

The disposal of the server must be documented. Inventory lists and network plans must be updated, and if the disposal of a server results in structural changes to the IT system, then the security concept needs to be adapted accordingly.

Contingency Planning

Only regular and comprehensive data backups can reliably guarantee the ability to restore the availability of all data stored in case of malfunctions, hardware failures, or (intentional or unintentional) deletion. The necessary safeguards are described in module S 1.4 Data backup policy.

In addition to performing regular backups during operation, contingency planning also plays a particularly important role, since it is the only way to reduce the damage resulting from an emergency. Information on contingency planning can be found in module S 1.3 Business continuity management. Contingency planning also includes planning how to handle security incidents, and this planning should be based on the safeguards in module S 1.8 Handling of security incidents. Information on the special aspects to take into account when planning for contingencies for a server is provided in S 6.96 Contingency planning for a server.

It is assumed that the server will be installed in a server room (see module S 2.4 Server room), a server cabinet (see module S 2.7 Protective cabinets), or in a computer centre (see module S 2.9 Computer centre). The safeguards to be implemented for the server can be found in the corresponding operating system-specific modules. The same applies to the connected clients. The safeguards in module S 1.9 Hardware and software management always form the overall framework for the operation of server-based networks.

Furthermore, the following additional safeguards must be implemented:

Planning and design

S 1.28 (B) Local uninterruptible power supply
S 2.314 (Z) Use of high-availability architectures for servers
S 2.315 (A) Planning the use of servers
S 2.316 (A) Defining a security policy for a general server
S 4.250 (Z) Selection of a central, network-based authentication service
S 4.432 (A) Secure configuration of server applications
S 5.10 (A) Restrictive granting of access rights
S 5.138 (Z) Usage of RADIUS servers

Purchasing

S 2.317 (C) Criteria for the procurement of servers

Implementation

S 2.32 (Z) Establishment of a restricted user environment
S 2.204 (A) Prevention of insecure network access
S 2.318 (A) Secure installation of an IT system
S 4.7 (A) Change of preset passwords
S 4.15 (A) Secure log-in
S 4.16 (C) Restriction on access to user IDs and/or terminals
S 4.17 (A) Blocking and erasure of unneeded accounts and terminals
S 4.40 (C) Preventing unauthorised use of computer microphones and cameras
S 4.97 (Z) One service per server
S 4.237 (A) Secure basic configuration of IT systems
S 4.305 (B) Use of storage restrictions (storage quotas)

Operation

S 2.22 (Z) Escrow of passwords
S 2.273 (A) Prompt installation of security-relevant patches and updates
S 4.24 (A) Ensuring consistent system management
S 4.93 (Z) Regular integrity checking
S 4.238 (A) Use of local packet filters
S 4.239 (A) Secure operation of a server
S 4.240 (Z) Setting up a testing environment for servers
S 5.8 (B) Regular security checks of the network
S 5.9 (B) Logging on the server

Disposal

S 2.319 (C) Migration of servers
S 2.320 (A) Orderly withdrawal from operation of servers

Contingency Planning

S 6.24 (A) Creating an emergency boot medium
S 6.96 (A) Contingency planning for a server