Most commonly available servers operate on a general-purpose OS. Many security issues can be avoided if the OSs underlying the servers are configured appropriately. Because manufacturers are unaware of each organization‘s security needs, server administrators need to configure new servers to reflect their organizations‘ security requirements and reconfigure them as those requirements change. The practices recommended here are designed to help server administrators with server security configuration. Server administrators managing existing servers should confirm that their servers address the issues discussed.

The techniques for securing different OSs vary greatly; therefore, this section includes the generic procedures common in securing most OSs. Security configuration guides and checklists for many OSs are publicly available; these documents typically contain recommendations for settings stronger than the default level of security, and they may also contain step-by-step instructions for securing servers.  In addition, many organizations maintain their own guidelines specific to their requirements. Some automated tools also exist for securing OSs, and their use is recommended. After planning the installation and deployment of the OS, and installing the OS, the following basic steps are necessary to secure the OS: Patch and update the OS

  • Harden and configure the OS to address security adequately
  • Install and configure additional security controls, if needed
  • Test the security of the OS to ensure that the previous steps adequately addressed all security issues.
  • The combined result of these steps should be a reasonable level of protection for the server‘s OS.


Once an OS is installed, applying needed patches or upgrades to correct for known vulnerabilities is essential. Any known vulnerabilities an OS has should be corrected before using it to host a server or otherwise exposing it to untrusted users. To adequately detect and correct these vulnerabilities, server administrators should do the following: Create, document, and implement a patching process.

  • Identify vulnerabilities and applicable patches.
  • Mitigate vulnerabilities temporarily if needed and if feasible (until patches are available, tested, and installed).
  • Install permanent fixes (patches, upgrades, etc.)

Administrators should ensure that servers, particularly new ones, are adequately protected during the patching process. For example, a server that is not fully patched or not configured securely could be compromised by threats if it is openly accessible while it is being patched. When preparing new servers for deployment, administrators should do either of the following:

  • Keep the servers disconnected from networks or connect them only to an isolated ―build‖ network until all patches have been transferred to the servers through out-of-band means (e.g., CDs) and installed, and the other configuration steps listed in this section have been performed.
  • Place the servers on a virtual local area network (VLAN) or other network segment that severely restricts what actions the hosts on it can perform and what communications can reach the hosts—only allowing those events that are necessary for patching and configuring the hosts. Do not transfer the hosts to regular network segments until all the configuration steps listed in this section have been performed.

Administrators should generally not apply patches to production servers without first testing them on another identically configured server because patches can inadvertently cause unexpected problems with proper server operation. Although administrators can configure servers to download patches automatically, the servers should not be configured to install them automatically so that they can first be tested.


  • Administrators should perform the following steps to harden and securely configure a server OS:
  • Remove unnecessary services, applications, and network protocols
  • Configure OS user authentication
  • Configure resource controls appropriately.


Ideally, a server should be on a dedicated, single-purpose host. When configuring the OS, remove all services, applications, and network protocols (e.g., IPv4, IPv6) that are not required, and disable any such unnecessary components that cannot be removed. If possible, install the minimal OS configuration and then add, remove, or disable services, applications, and network protocols as needed. Many uninstall scripts or programs are far from perfect in completely removing all components of a service, so it is better not to install unnecessary services. Common types of services and applications that should usually be removed if not required (or disabled if they cannot be removed) include the following;

  • File and printer sharing services (e.g., Windows Network Basic Input/output System [NetBIOS] file and printer sharing, Network File System [NFS], FTP)
  • Wireless networking services
  • Remote control and remote access programs, particularly those that do not strongly encrypt their communications (e.g., Telnet)
  • Directory services (e.g., Lightweight Directory Access Protocol [LDAP], NetworknInformation System [NIS])
  • Web servers and services
  • Email services (e.g., SMTP)
  • Language compilers and libraries
  • System development tools
  • System and network management tools and utilities, including Simple NetworknManagement Protocol (SNMP).

Removing unnecessary services and applications is preferable to simply disabling them through configuration settings because attacks that attempt to alter settings and activate a disabled service cannot succeed when the functional components are completely removed. Disabled services could also be enabled inadvertently through human error.