As a server administrator, you must implement adequate security measures to protect a server from attacks. A compromised server puts at risk the resources and data on the server and on other connected computers. Attackers can also use the compromised server as a base to launch attacks on other computers inside or outside your network.
Securing servers requires weighing the cost of implementing security against the likelihood of a successful attack and the impact of that attack. It isn’t possible to eliminate all security risks, but you can take steps to minimize risks and deal with them efficiently.
Best security practices for server system administration include the following:
Enable SSL encryption for all services that you use.
Check for updates regularly for any software installed on your computer.
Update your servers with critical security patches and updates.
Install antivirus tools, use them regularly, and update virus definition files and software regularly.
Although viruses are less prevalent on the Mac platform than on Windows, they still pose a risk.
Restrict physical access to the server.
Because local access generally allows an intruder to bypass most system security, use security locks to secure the server room, server racks, and network junctures. Locking your servers is a prudent thing to do.
Make sure there’s adequate protection from physical damage to servers, and make sure that the climate control functions in the server room work.
Take additional precautions to secure servers. For example, enable firmware passwords, encrypt passwords where possible, and secure backup media.
Secure logical access to the server. For example, remove or disable unnecessary accounts. Accounts for outside parties should be disabled when not in use.
Configure service access control lists (SACLs) as needed. Use them to specify who can access services.
Configure access control lists (ACLs) as needed. Use them to control who can access share points and their contents.
Protect any account with root or system administrator privileges by following recommended password practices and using strong passwords.
Don’t use administrator (UNIX admin group) accounts for daily use.
Restrict the use of administration privileges by keeping the admin login and password separate from daily use.
Back up critical data on the server regularly, with a copy stored at a secure offsite location.
Backup media is of little use in recovery if it’s destroyed with the computer in a fire. Test your backup and recovery contingency plans to ensure that recovery actually works.
Review system audit logs regularly and investigate unusual traffic.
Disable services that aren’t required on your server.
A vulnerability that occurs in any service on your server can compromise the entire system. In some cases, the default configuration (out of the box) of a system leads to exploitable vulnerabilities in services that were enabled implicitly.
Turning on a service opens up a port that users can use to access your server. Although enabling Firewall service helps avoid unauthorized access, an inactive service port remains a vulnerability that an attacker might exploit.
Enable IP address restrictions on servers at the network frontier and DMZ.
Your server’s firewall is the first line of defense against unauthorized access. Consider also a third-party hardware firewall as an additional line of defense if your server is highly prone to attack.
If needed, install a local firewall on critical or sensitive servers.
Implementing a local firewall protects the server from an attack that might originate in your organization’s network or from the Internet.
For additional protection, implement a local virtual private network (VPN) that provides a secure encrypted tunnel for communication between a client computer and your server application. Some network devices provide a combination of functions: firewall, intrusion detection, and VPN.
Administer servers remotely.
Manage your servers remotely using apps like the Server app and Apple Remote Desktop. Minimizing physical access to the servers reduces the possibility of mischief.
Use secure passwords.
Many apps and services require that you create passwords to authenticate. OS X includes apps that help create complex passwords (using Password Assistant), and store your passwords securely (using Keychain Access).
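To support the advice above about disabling services that aren’t required, the following added example (not part of the original guidance) compares the TCP listeners reported by `lsof -nP -iTCP -sTCP:LISTEN` against an allowlist of ports the server is meant to expose. The sample output and the allowlist are constructed for illustration; replace them with your own server's output and policy.

```python
import re

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from a real host).
SAMPLE = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1   root   21u  IPv4 0xa1      0t0  TCP *:22 (LISTEN)
launchd     1   root   22u  IPv6 0xa2      0t0  TCP *:22 (LISTEN)
httpd     312   root    4u  IPv6 0xa3      0t0  TCP *:443 (LISTEN)
mysqld    480 _mysql   10u  IPv4 0xa4      0t0  TCP 127.0.0.1:3306 (LISTEN)
AppleFile 501   root    5u  IPv4 0xa5      0t0  TCP *:548 (LISTEN)
cupsd     620   root    6u  IPv6 0xa6      0t0  TCP [::1]:631 (LISTEN)
"""

# Hypothetical policy: ports this server is meant to expose to the network.
ALLOWED_PORTS = {22, 443}
# Listeners bound only to loopback are not reachable from other hosts.
LOOPBACK = {"127.0.0.1", "[::1]"}

# The NAME column ends with "TCP <address>:<port> (LISTEN)".
NAME_RE = re.compile(r"TCP (\S+):(\d+) \(LISTEN\)$")


def listening_sockets(lsof_text):
    """Return a sorted list of unique (command, address, port) listeners."""
    found = set()
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        m = NAME_RE.search(line.strip())
        if m:
            found.add((line.split()[0], m.group(1), int(m.group(2))))
    return sorted(found, key=lambda s: (s[2], s[1], s[0]))


def unexpected_listeners(lsof_text, allowed=ALLOWED_PORTS):
    """Network-reachable listeners on ports outside the allowlist."""
    return [(cmd, addr, port)
            for cmd, addr, port in listening_sockets(lsof_text)
            if addr not in LOOPBACK and port not in allowed]


if __name__ == "__main__":
    for cmd, addr, port in unexpected_listeners(SAMPLE):
        print(f"review: {cmd} listening on {addr}:{port}")
```

Each flagged entry is a service to either disable or add to the documented allowlist; running the check on a schedule also surfaces services that were enabled implicitly after an update.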