5 server security concerns you need to know

Physical security is always the number one priority for a server. No matter what tricks, technologies or software you use, if you allow uncontrolled physical access to a server, you risk compromising the device. For a data center, whether your own or a cloud service, physical security is usually built in to the operation. Only authorized people are allowed in the facility, and specific data halls or equipment cages may have additional levels of physical security, further limiting access to these critical servers.

Not every business can afford this level of security. But leaving a server sitting in an open office area is just an invitation to unauthorized access. Simply keeping a departmental server locked in a closet can make a big difference. Running it headless, with no monitor or keyboard, provides an additional layer of security.

Users with a requirement for administrative access, whether IT staff or business workers, should be assigned only those privileges necessary for them to accomplish their required tasks. Operating systems have granular levels of control so that administrative tasks can be assigned to specific users, without the need to grant overall administrative access rights. Web consoles for cloud services will also often offer graduated levels of administrative access, depending on the service. Remember that in almost all cases, less is more.

There is a reason that software vendors regularly patch and update their operating systems and applications. While many patches are to solve functional problems, there are almost always security patches that need to be applied in order to maintain server security. For example, Microsoft¹ had released an emergency patch for Windows Server to plug a hole in its security.

Unpatched servers are one of the biggest sources of malware infections on the Internet, so unless you are planning to keep a server disconnected from the outside world, you need to make sure that, at the very least, security patches are applied as they appear and are tested. For cloud-based servers and applications, you may need to regularly update client software running on your end to make certain that the latest security fixes have been applied.

Keeping up to date on these changes can also create staffing issues, especially at smaller businesses where the IT department may consist of just a handful of people. One solution to this problem is to outsource these sorts of tasks to an outside vendor or partner, to allow your in-house staff to focus on mission-critical tasks.

Servers don’t need web browsers, yet you often find them present. Disable them or, depending on the operating system, remove them completely. If you’re running a Windows Server for file and print services, it needs very few other features installed. Do your homework, and disable any other feature unnecessary to the desired operation. Every extra feature that has remote access or availability provides another venue for attack.

Maintaining secure servers is, in various ways, simply limiting the opportunities for access — by staff, strangers, viruses and malware. Keeping strict limits can go a long way to keeping a secure computing environment.