Adopting standard server configurations is a proven method of reducing operating risk. For more information on the benefits of standard server configurations, refer to the Info-Tech Advisor research note, “Formal Configuration Management Improves Cost Efficiency.” The foundation for establishing a standard server configuration regimen is implementing clear policies and standards.

Improving Efficiencies and Security

Enforcing a minimum number of server configurations in conjunction with the organization’s change management process begins with a relatively short and tightly focused policy statement. A server configuration security policy is a clear statement of what the enterprise servers are and, how they are to be managed and updated. The policy acts as:

• A blueprint for deploying servers securely using a base-line configuration.
• A compass for the organization detailing expected and required behavior.

• A reflection of the enterprise’s overall security policy.

Use the following tips, in conjunction with Info-Tech’s editable "Server Configuration Security Policy" template and establish a base for a strong change management process.

Action Plan:

1. Introduce management tools. Any organization supporting more than 15 servers should have some server management tools in place. All servers in the enterprise should be documented, tracked and managed through the server management system regardless of current configuration status. The Info-Tech Advisor research note, “Management Tools Fortify Server Health” details the benefits of server management tools.
2. Ensure physical security. All servers, regardless of their business role, must reside in controlled access environments. Locate servers in centralized server rooms or secured wiring closets. Where logical access to servers may be delegated, physical access must be tightly controlled and monitored. Additional guidance on securing wiring closets is available in the Info-Tech Advisor research note, “Wiring Closet Security Improves Network Reliability.”
3. Define supported server operating systems. Settling on a single vendor server OS is no longer as important as defining standards allowing IT to efficiently preload standard base operating system builds with consistent security configurations. Info-Tech’s “Information Technology Standards and Guidelines” template will help establish mandatory technology standards that are complementary to an enterprise policy infrastructure.
4. Implement formal change management. Most IT service disruptions occur as a result of incorrect or inappropriate change. All changes, no matter how small, must be controlled through the enterprise change management process. The Info-Tech Advisor research note, “Keep Production Environments Safe with Solid IT Change Management” outlines the change process.
5. Introduce log file management. IT is obligated to the enterprise to protect customer data, financial information, and intellectual property residing on corporate servers. A key method for IT to meet this requirement is through the use of event logs. Servers generate mountains of event, alert, and notification log files that provide evidence and audit records. Review the Info-Tech Advisor research note “Event Log Management Improves Compliance” to learn more about effective log management.

Bottom Line

Deploying standard server configurations is a proven method of reducing operating risk. Implementing a server configuration policy is the best way to ensure that all servers have been hardened with consistent security configurations and processes.