Administrators control the software installed on their servers and its configuration, but they don’t control endpoints, the devices on which software is used and data is accessed. As client-server software delivery models grew in popularity, particularly Software-as-a-Service, endpoint security became increasingly important. But server admins can’t guarantee endpoint security given the vast array of devices that might be used to access software and users’ lack of security awareness.
Users lose logged-in devices, choose weak passwords, share passwords, install malware, and fall for phishing attacks. Given the lack of control over endpoints and user behavior, server administrators can’t rely on security at the endpoint. But admins can configure servers to limit the impact of insecure endpoints. Working with the assumption that endpoints are inherently insecure, they can implement server security strategies to defend against the worst consequences of a compromised endpoint.
1. Multi-factor authentication
Multi-factor authentication is the first line of defense. Although it won’t protect software and data from the loss of logged-in devices, it may limit the ability of attackers to access sensitive information from a lost or stolen laptop or mobile device (assuming the mobile device isn’t used as the second factor of authentication). Multi-factor authentication also helps protect servers and software against brute-force and dictionary attacks that target vulnerable endpoints.
It is not enough simply to enable multi-factor authentication: administrators must require that a second factor be enrolled before a user can log in, so that the protection is actually used rather than left optional.
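The enforcement point described above, as an added example that is not part of the original article: a server-side login check that verifies a TOTP code (RFC 6238, the scheme used by common authenticator apps) and refuses accounts that have no second factor enrolled, instead of falling back to password-only. The user store, names and secrets are constructed for the example; a real system stores password hashes rather than plaintext and keeps MFA secrets encrypted at rest.

```python
import base64
import hashlib
import hmac
import struct

# Constructed user store for the example. "alice" has enrolled a TOTP secret
# (base32 form, as shown in a QR enrollment); "bob" has not.
USERS = {
    "alice": {"password": "correct-horse", "mfa_secret": "JBSWY3DPEHPK3PXP"},
    "bob":   {"password": "battery-staple", "mfa_secret": None},
}

TOTP_STEP = 30      # seconds per time step
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # accept one step of clock drift either side


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret_b32, unix_time // TOTP_STEP, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    comparing in constant time so a wrong digit does not leak through timing."""
    counter = unix_time // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + drift), code)
        for drift in range(-TOTP_WINDOW, TOTP_WINDOW + 1)
    )


def login(username: str, password: str, code, unix_time: int) -> str:
    """Policy: a correct password is never enough on its own. An account without an
    enrolled second factor is refused outright rather than let through."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return "denied: bad credentials"
    if user["mfa_secret"] is None:
        return "denied: MFA enrollment required"
    if not isinstance(code, str) or not code.isdigit():
        return "denied: second factor missing or invalid"
    if not verify_totp(user["mfa_secret"], code, unix_time):
        return "denied: second factor missing or invalid"
    return "ok"
```

The order of checks matters: the enrollment test runs before the code test, so an unenrolled account cannot be used at all, which is the "require 2FA before login" rule rather than "check 2FA if present". The HOTP and TOTP functions can be checked against the published RFC test vectors.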
2. Limit lateral movement
Once an attacker gains access via an insecure endpoint, their goal is typically to move further into the network, seeking valuable data and access to critical infrastructure. Effective system administrators employ several strategies to limit an attacker’s ability to extend their beachhead.
- The principle of least privilege. All user accounts should have the lowest access compatible with achieving the user’s goals. If a web developer only needs SSH access to a website hosted on a server, they don’t need to log in on the root account or have the certificate/credentials necessary for root access. Make sure lost and stolen endpoint devices have only the privileges they require.
- Use separate devices for admin access. If practical, only allow root or admin access from a limited subset of devices. Ensure that those devices are locked down as much as possible and are used in a secure environment, i.e., not on the morning commute or from a location with an insecure WiFi network.
- Do not store passwords in plain text. In 2019, no one should store passwords in plain text, but it still happens. Ensure that all passwords are salted and hashed with a slow hashing algorithm and that the hashes are not stored on a server that is easily accessible via an insecure endpoint.
In short, configure servers and software such that access to an insecure endpoint doesn’t give attackers access to the entire network.
3. Maintain Reliable Backups
It’s important to realize that even the most protected endpoints are vulnerable to ransomware and other kinds of malware. A single click on a link in a suspicious email can lead to an entire network of improperly connected devices being held to ransom.
Maintaining reliable backups using a cloud backup provider and testing them regularly is the only way to ensure that if a device is compromised, no important business information is lost and no ransom must be paid.
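The "test them regularly" part of the advice above, as an added example that is not from the original article: a restore test that records a checksum manifest when the backup is taken, then reads every file back out of the archive and reports anything missing, corrupted or stale. The sample data, file names and archive format are constructed for the example; it uses a local tar.gz stand-in where the article recommends a cloud backup provider, and the same verification applies to an archive fetched back from one.

```python
import hashlib
import os
import tarfile
import tempfile
from typing import Dict, List, Tuple


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(src_dir: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under src_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, src_dir)] = _sha256(f.read())
    return manifest


def make_backup(src_dir: str, archive_path: str) -> Dict[str, str]:
    """Write a tar.gz of src_dir and return the manifest taken at backup time."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    return manifest


def verify_backup(archive_path: str, manifest: Dict[str, str]) -> List[str]:
    """Restore test: read every file back out of the archive and hash it. Returns a
    sorted list of problems; an empty list means the archive matches the manifest."""
    problems, seen = [], set()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            expected = manifest.get(member.name)
            if expected is None:
                problems.append(f"unexpected file in archive: {member.name}")
                continue
            if _sha256(tar.extractfile(member).read()) != expected:
                problems.append(f"checksum mismatch: {member.name}")
    for rel in manifest:
        if rel not in seen:
            problems.append(f"missing from archive: {rel}")
    return sorted(problems)


def demo_restore_test() -> Tuple[List[str], List[str]]:
    """Constructed scenario: back up two files, verify, then change the source so the
    archive is stale and verify again against a fresh manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,Ada\n")
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        archive = os.path.join(work, "nightly.tar.gz")
        manifest = make_backup(src, archive)
        clean = verify_backup(archive, manifest)
        with open(os.path.join(src, "db", "customers.csv"), "a") as f:
            f.write("2,Grace\n")
        stale = verify_backup(archive, build_manifest(src))
        return clean, stale
```

Hashing the files straight out of the archive catches corruption and missing files without touching the live system; a full periodic restore onto a scratch host is still the stronger test, because it also exercises the restore procedure itself.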
4. Utilize VPNs
One of the best ways of protecting endpoints is to limit access to internal company resources to devices physically located within the network and, where remote access is required, to devices connecting through a VPN that is itself protected by multi-factor authentication.
This ensures that if a device is lost or stolen and attempts to connect to a private company resource, it will not be able to connect and steal any data.
5. Key and Password Rotation
Key rotation is often such a hassle that server administrators avoid it, but, for SSH keys, it’s an effective way to remove access from endpoints that no longer require it. For keys used to encrypt data, key rotation also limits the data encrypted under a specific key, and thus the data that can leak if a key is compromised.
Manually rotating keys is error-prone, and it’s better to use an automation framework such as Ansible to handle rotation.
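The SSH key rotation described above, as an added example rather than code from the article or an Ansible playbook: it parses an `authorized_keys` file, computes the OpenSSH-style SHA256 fingerprint of each key, and drops any key whose fingerprint is not in the current inventory of active keys, reporting what it removed for the audit log. The sample file and inventory are constructed; the public key blobs are syntactically valid `ssh-ed25519` blobs built from deterministic bytes, not real key pairs.

```python
import base64
import hashlib
import re
import struct
from typing import List, Optional, Set, Tuple

KEY_RE = re.compile(
    r'(ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9-]+@openssh\.com)'
    r'\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$')
# Leading options field: comma-separated, may contain quoted strings with spaces.
OPTS_RE = re.compile(r'^((?:"[^"]*"|[^"\s])+)\s+')


def ssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64(sha256(blob)), unpadded."""
    blob = base64.b64decode(key_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (options, key_type, key_b64, comment) or None for blank/comment/unparseable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, m = "", KEY_RE.match(line)
    if m is None:
        o = OPTS_RE.match(line)
        if o is None:
            return None
        options, m = o.group(1), KEY_RE.match(line[o.end():])
        if m is None:
            return None
    return options, m.group(1), m.group(2), m.group(3) or ""


def rotate_authorized_keys(text: str, active_fingerprints: Set[str]) -> Tuple[str, List[str]]:
    """Keep comments, blank lines and keys in the inventory; remove everything else.
    Lines that do not parse are kept untouched so a human reviews them."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            kept.append(line)
            continue
        _options, _key_type, key_b64, comment = entry
        fp = ssh_fingerprint(key_b64)
        if fp in active_fingerprints:
            kept.append(line)
        else:
            removed.append(f"{comment or '<no comment>'} {fp}")
    return "\n".join(kept) + "\n", removed


def constructed_pubkey(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from 32 deterministic
    bytes. NOT a real key pair; it only exercises the parser and fingerprinting."""
    point = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(blob).decode()


# Constructed authorized_keys content: two current keys (one with options) and one stale key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy user keys",
    f"ssh-ed25519 {constructed_pubkey(b'alice-2024')} alice@laptop",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {constructed_pubkey(b"ci-runner")} ci@build',
    f"ssh-ed25519 {constructed_pubkey(b'bob-old')} bob@old-laptop",
    "",
])
```

Matching on fingerprints rather than on the comment field is deliberate: comments are free text and are the first thing to drift, while the fingerprint identifies the key material itself. Run the rotation from an automation framework so the same inventory is applied to every host.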
While there is debate within the security industry, password expiry may also be a good policy for your organization. In the event that a system was compromised in the past without detection, a password expiry system would at least mean that the potentially exposed passwords were no longer active.
6. Monitor User Activity
Network administrators should be continuously monitoring network traffic for unusual behaviour. Any sharp increase in network traffic could be the result of a compromised endpoint transferring data off the network, or a device being used as part of a botnet attack.
Software such as CrowdStrike can help monitor and protect endpoint devices and immediately report suspicious activity to network engineers. These solutions can use machine learning and AI to detect when a device accesses a dangerous file or starts behaving suspiciously, and can promptly disconnect the device from the network so that the infection cannot spread to other endpoints.
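The "sharp increase in network traffic" check from this section, as an added example that is not code from the article or from any vendor product: a detector run over constructed per-host daily egress totals. Each host is compared against its own recent history using the median and median absolute deviation, with an absolute floor so small hosts do not alert on noise and a separate "no baseline" alert for hosts that appear with no history. The log format, hosts and thresholds are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed daily egress totals per host, as a monitoring pipeline might emit them
# after summing flow records. Format: "<date> <host> out_bytes=<n>".
SAMPLE_EGRESS_LOG = """\
2024-05-01 10.0.1.10 out_bytes=118000000
2024-05-02 10.0.1.10 out_bytes=121000000
2024-05-03 10.0.1.10 out_bytes=117000000
2024-05-04 10.0.1.10 out_bytes=123000000
2024-05-05 10.0.1.10 out_bytes=119000000
2024-05-06 10.0.1.10 out_bytes=125000000
2024-05-01 10.0.1.22 out_bytes=45000000
2024-05-02 10.0.1.22 out_bytes=52000000
2024-05-03 10.0.1.22 out_bytes=48000000
2024-05-04 10.0.1.22 out_bytes=50000000
2024-05-05 10.0.1.22 out_bytes=47000000
2024-05-06 10.0.1.22 out_bytes=2400000000
2024-05-06 10.0.1.31 out_bytes=310000000
"""


def parse_egress_log(text: str) -> Dict[str, Dict[str, int]]:
    """host -> date -> outbound bytes (summed if a host/date pair repeats)."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("out_bytes="):
            continue  # skip malformed lines rather than crash the detector
        date, host, field = parts
        totals[host][date] += int(field.split("=", 1)[1])
    return totals


def detect_egress_spikes(totals: Dict[str, Dict[str, int]], today: str,
                         k: float = 4.0, min_history: int = 3,
                         floor_bytes: int = 100_000_000) -> List[Tuple[str, int, int, str]]:
    """Return (host, today_bytes, threshold, reason) for hosts whose egress today is
    far above their own baseline, or who exceed the floor with no usable baseline."""
    alerts = []
    for host, by_date in totals.items():
        today_bytes = by_date.get(today)
        if today_bytes is None:
            continue
        history = [b for d, b in by_date.items() if d < today]
        if len(history) < min_history:
            if today_bytes >= floor_bytes:
                alerts.append((host, today_bytes, floor_bytes, "no baseline"))
            continue
        median = statistics.median(history)
        mad = statistics.median(abs(b - median) for b in history)
        spread = max(mad, 0.1 * median)          # avoid a zero spread on flat history
        threshold = max(floor_bytes, median + k * spread)
        if today_bytes > threshold:
            alerts.append((host, today_bytes, int(threshold), "above baseline"))
    return sorted(alerts)
```

Per-host baselines are the point: a 2 GB day is normal for a backup server and alarming for a workstation, so a single global threshold would either miss the second or drown in alerts from the first. Feed the alert list to whatever paging or ticketing the network team already uses.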
7. Consistent Patching
No article on server security would be complete without the obligatory reminder to patch. Patching fixes security vulnerabilities, and, if you don’t patch and update software, both on the server and endpoints, they will be vulnerable. It’s doubly important to patch on the server because software vulnerabilities are often used for privilege escalation by attackers who have gained access via a compromised endpoint.
If you have trouble keeping up with the latest server security and management practices, consider hiring a server management team to help.
Endpoint security is important, but server hosting clients can’t guarantee the security of the trusted devices that connect to their servers. To mitigate the risk, they should assume that endpoint devices will be compromised and work to limit the effect of an attack that originates from a compromised device.
Have questions about endpoint security or how to better protect your servers from attack? Book a free consultation today and we can help you review your hosting and server management needs.