GUIDE TO GENERAL SERVER SECURITY
2. Background
A server is a host that provides one or more services for other hosts over a network as a primary
function.[1] For example, a file server provides file sharing services so that users can access, modify, store,
and delete files. Another example is a database server that provides database services for Web
applications on Web servers. The Web servers, in turn, provide Web content services to users’ Web
browsers. There are many other types of servers, such as application, authentication, directory services,
email, infrastructure management, logging, name/address resolution services (e.g., Domain Name Server
[DNS]), print, and remote access.
This section provides background information on server security. It first discusses common server
vulnerabilities and threats, and places them in the context of the types of environments in which servers
are deployed. Next, it explains how the security needs of a server can be categorized so that the
appropriate security controls can be determined. The section also gives an overview of the basic steps
that are required to ensure the security of a server and explains fundamental principles of securing
servers.
2.1 Server Vulnerabilities, Threats, and Environments
To secure a server, it is essential to first define the threats that must be mitigated. Knowledge of potential
threats is important to understanding the reasons behind the various baseline technical security practices
presented in this document. Many threats against data and resources are possible because of mistakes—
either bugs in operating system and server software that create exploitable vulnerabilities, or errors made
by end users and administrators. Threats may involve intentional actors (e.g., an attacker who wants to
access information on a server) or unintentional actors (e.g., an administrator who forgets to disable user
accounts of a former employee). Threats can be local, such as a disgruntled employee, or remote, such as
an attacker in another geographical area. Organizations should conduct risk assessments to identify the
specific threats against their servers and determine the effectiveness of existing security controls in
counteracting the threats; they then should perform risk mitigation to decide what additional measures (if
any) should be implemented, as discussed in NIST Special Publication (SP) 800-30, Risk Assessment
Guide for Information Technology Systems. Performing risk assessments and mitigation helps
organizations better understand their security posture and decide how their servers should be secured.
The baseline technical security practices presented in this publication are based on commonly accepted
technical security principles and practices, documented in various NIST SPs (including SP 800-14, SP
800-23, and SP 800-53) and other sources such as the Department of Defense (DoD) Information
Assurance Technical Framework. In particular, NIST SP 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security), contains a set of engineering principles for
system security that provide a foundation upon which a more consistent and structured approach to the
design, development, and implementation of IT security capabilities can be constructed.
An important element of planning the appropriate security controls for a server is understanding the
threats associated with the environment in which the server is deployed.[2] The recommendations in this
publication are based on the assumption that the servers are in typical enterprise environments and thus
face the threats and have the security needs usually associated with such environments. Organizations
[1] For the purposes of this document, a host that does not provide services for other hosts as a primary function, but
incidentally provides one or a few services for maintenance or accessibility purposes, is not considered a server. An
example is a laptop that has a remote access service enabled so that IT support staff can remotely maintain the laptop and
perform troubleshooting.
[2] Additional information on environments is available from NIST SP 800-70, Security Configuration Checklists Program for
IT Products: Guidance for Checklists Users and Developers (http://csrc.nist.gov/publications/PubsSPs.html).