How to properly secure a server

---

Securing a server is critical to protect sensitive data, prevent unauthorized access, and ensure the reliability of your systems. This guide covers essential steps to harden a Linux or Windows Server, from initial configuration to ongoing maintenance.

---

1. Pre-Deployment: Choose the Right Tools and Infrastructure 🛠️ / 🌐

1.1. Use Trusted Operating Systems

• For Linux:
  • Opt for hardened OS distributions (e.g., Ubuntu Server, CentOS, Alpine Linux).
• For Windows:
  • Use Windows Server 2022 or 2019 for stability and security.
  • Consider Windows Server Core for minimal footprint (equivalent to Alpine Linux for Linux users).

1.2. Plan Your Network Architecture

• Segregate networks (e.g., DMZ, internal, and external networks) using VLANs or firewalls.
• Avoid exposing critical services directly to the internet. Use reverse proxies (e.g., Nginx, Caddy) for web services.
• For Windows:
  • Enable Windows Defender Firewall and configure Advanced Security to block unnecessary traffic.
  • Use Windows Server Manager to monitor network interfaces.

---

2. Initial Configuration: Secure the Base System 🔐 / 🔧

2.1. Update and Patch the System

• For Linux:

  sudo apt update && sudo apt upgrade -y  # Debian/Ubuntu
  sudo dnf upgrade -y                    # Fedora
  sudo yum update -y                     # CentOS/RHEL

• For Windows:
  • Enable Windows Update via Settings > Update & Security.
  • For enterprise environments, use Windows Server Update Services (WSUS).
  • Use Group Policy (GPO) to enforce automatic updates.

2.2. Configure the Firewall

• For Linux:
  • Use iptables, nftables, or UFW.
• For Windows:
  • Enable Windows Defender Firewall and configure rules:
  • Block all traffic by default.
  • Allow only necessary ports (e.g., 3389 for RDP, 443 for HTTPS).
  • Use Advanced Security to set inbound/outbound rules.

2.3. Disable Unnecessary Services

• For Linux:
  • Disable unused services with systemctl disable <service>.
• For Windows:
  • Disable services via Services Manager (e.g., disable Telnet, SMB 1.0).
  • Use Group Policy to disable non-critical services.

2.4. Secure the Kernel (Linux) / Secure Boot (Windows)

• For Linux:
  • Enable ASLR, KASLR, and PaX.
• For Windows:
  • Enable Secure Boot in BIOS/UEFI.
  • Use BitLocker for full-disk encryption with a recovery key.

---

3. User and Access Management 👤 / 🔐

3.1. Create Non-Root Users (Linux) / Non-Admin Users (Windows)

• For Linux:
  • Use adduser and sudo for elevated access.
• For Windows:
  • Create non-administrator accounts with limited permissions.
  • Use Group Policy to enforce Least Privilege.

3.2. Enforce Strong Passwords and Multi-Factor Authentication (MFA)

• For Linux:
  • Use pam_pwquality and Google Authenticator.
• For Windows:
  • Set password policies via Local Security Policy (secpol.msc):
  • Minimum password length, complexity, and history.
  • Enable Azure MFA or Windows Hello for MFA.
  • Use Remote Desktop Gateway (RD Gateway) with MFA for RDP.

3.3. Use SSH Keys (Linux) / Secure Remote Access (Windows)

• For Linux:
  • Use SSH keys and disable password authentication.
• For Windows:
  • Use RDP with Network Level Authentication (NLA).
  • Enable Certificate-based authentication for RDP.
  • Disable Remote Desktop if not needed.

3.4. Limit User Privileges

• For Linux:
  • Use sudoers file for granular permissions.
• For Windows:
  • Use User Rights Assignment in Local Security Policy.
  • Assign permissions via Group Policy and Active Directory (if applicable).

---

4. Secure Communication and Data 🔒 / 🌐

4.1. Use HTTPS and TLS (Linux/Windows)

• For Linux:
  • Use Let’s Encrypt with Certbot.
• For Windows:
  • Use IIS with SSL/TLS certificates.
  • Ensure TLS 1.2+ is enabled via Group Policy.

4.2. Encrypt Data at Rest (Linux/Windows)

• For Linux:
  • Use LUKS or dm-crypt.
• For Windows:
  • Enable BitLocker with TPM or USB key.
  • Use Windows Server Backup for encrypted backups.

---

5. Application-Specific Security 🖥️ / 🗄️

5.1. Secure Web Servers (Linux/Windows)

• For Linux:
  • Use Apache or Nginx with mod_security.
• For Windows:
  • Use IIS with Application Request Routing (ARR) and Web Application Firewall (WAF).

5.2. Secure Databases (Linux/Windows)

• For Linux:
  • Secure MySQL, PostgreSQL, or MongoDB.
• For Windows:
  • Secure SQL Server with:
  • Always Encrypted.
  • TLS 1.2+.
  • SQL Server Audit.

---

6. Monitoring and Incident Response 📊 / 🔍

6.1. Monitor Logs (Linux/Windows)

• For Linux:
  • Use auditd, rsyslog, or ELK Stack.
• For Windows:
  • Use Event Viewer and Windows Security Log.
  • Use PowerShell for log analysis:

    Get-EventLog -LogName Security -InstanceId 4624

6.2. Use SIEM Tools (Linux/Windows)

• For Linux:
  • Use ELK Stack, Graylog, or Splunk.
• For Windows:
  • Integrate with Azure Sentinel or Splunk for real-time monitoring.

---

7. Ongoing Maintenance and Updates 🕰 / 📅

7.1. Regular Patching (Linux/Windows)

• For Linux:
  • Use Unattended Upgrades.
• For Windows:
  • Enable Windows Update for Business.
  • Use WSUS for centralized patch management.

7.2. Enable Windows Defender (Windows)

• Use Windows Defender ATP for endpoint protection.
• Enable Real-Time Protection and Cloud-Based Protection.

7.3. Backups (Linux/Windows)

• For Linux:
  • Use rsync, Duplicity, or BorgBackup.
• For Windows:
  • Use Windows Server Backup or Azure Backup.

---

8. Quick Checklist ✅ / 📋

Linux Checklist

• [ ] Use hardened OS (e.g., Ubuntu, CentOS).
• [ ] Enable automatic updates.
• [ ] Configure firewall (iptables, UFW).
• [ ] Use SSH keys, disable password auth.
• [ ] Enable audit logging.
• [ ] Secure web and database servers.

Windows Checklist

• [ ] Use Windows Server 2022/2019.
• [ ] Enable BitLocker and Secure Boot.
• [ ] Configure Windows Defender Firewall.
• [ ] Enable MFA for RDP.
• [ ] Set strong password policies.
• [ ] Enable Windows Defender ATP.
• [ ] Use IIS with TLS 1.2+.

---

Conclusion

Whether you’re securing a Linux or Windows Server, the principles of least privilege, regular patching, strong authentication, and monitoring apply universally. This guide ensures your servers are hardened against common threats, whether in on-premises or cloud environments.