Mavericks Server Admin: Security best practices
Securing servers requires an assessment of the cost of implementing security with the likelihood of a successful attack and the impact of that attack. It is not possible to eliminate all security risks but you can do certain things to minimize risks and deal with them efficiently.
Best security practices for server system administration include the following:
- Check for updates regularly for any software installed on your computer.
- Update your systems with critical security patches and updates.
- Install antivirus tools, use them regularly, and update virus definition files and software regularly.
Although viruses are less prevalent on the Mac platform than on Windows, they still pose a risk.
- Restrict physical access to the server.
Because local access generally allows an intruder to bypass most system security, use security locks to secure the server room, server racks, and network junctures. Locking your systems is a prudent thing to do.
- Make sure there is adequate protection from physical damage to servers and ensure that the climate control functions in the server room work.
- Take additional precautions to secure servers.
For example, enable firmware passwords, encrypt passwords where possible, and secure backup media.
- Secure logical access to the server.
For example, remove or disable unnecessary accounts. Accounts for outside parties should be disabled when not in use.
- Configure service access control lists (SACLs) as needed.
Use SACLs to specify who can access services.
- Configure access control lists (ACLs) as needed.
Use ACLs to control who can access share points and their contents.
- Protect any account with root or system administrator privileges by following recommended password practices using strong passwords.
- Do not use administrator (UNIX “admin” group) accounts for daily use.
Restrict the use of administration privileges by keeping the admin login and password separate from daily use.
- Back up critical data on the system regularly, with a copy stored at a secure offsite location.
Backup media is of little use in recovery if it is destroyed with the computer during a fire. Test your backup and recovery contingency plans to ensure that recovery actually works.
- Review system audit logs regularly and investigate unusual traffic.
- Disable services that are not required on your system.
A vulnerability that occurs in any service on your system can compromise the entire system. In some cases, the default configuration (out of the box) of a system leads to exploitable vulnerabilities in services that were enabled implicitly.
Turning on a service opens up a port that users can use to access your system. Although enabling Firewall service helps avoid unauthorized access, an inactive service port remains a vulnerability that an attacker might exploit.
- Enable Firewall service on servers, especially at the network frontier and DMZ.
Your server’s firewall is the first line of defense against unauthorized access. Consider also a third-party hardware firewall as an additional line of defense if your server is highly prone to attack.
- If needed, install a local firewall on critical or sensitive servers.
Implementing a local firewall protects the system from an attack that might originate in the organization’s network or from the Internet.
- For additional protection, implement a local Virtual Private Network (VPN) that provides a secure encrypted tunnel for communication between a client computer and your server application. Some network devices provide a combination of functions: firewall, intrusion detection, and VPN.
- Administer servers remotely.
Manage your servers remotely using applications like the Server app, Server Monitor, and Apple Remote Desktop. Minimizing physical access to the systems reduces the possibility of mischief.
- Use secure passwords.
Many applications and services require that you create passwords to authenticate. OS X includes applications that help create complex passwords (using Password Assistant), and store your passwords securely (using Keychain Access).