Server Security Audit: Basic Stages and Audit Checklist

Information security is a priority for any business that operates online and handles large amounts of data, regardless of the type of business. Viruses, outdated services and applications, and unauthorized access to a server can significantly impact a company's financial position and reputation.

In most cases, checking for all server vulnerabilities can take a long time, but it's worth it. We have prepared a checklist for auditing the security of a server and its software, with the most crucial points to consider.

What is Security Audit?

Software and security auditing is the regular practice of monitoring and cleaning the server for existing and potential vulnerabilities.

An audit is conducted by a server administrator or hosting owner to fix problems and strengthen the server's security system, for example, against DDoS attacks, data theft, and unauthorized access.

General guidelines are available for users with no programming skills to perform an audit.

Server Security Audit Checklist

This server security and software audit checklist is an abridged version of the major server components that should be checked regularly. The checklist may vary depending on the server's purpose.

OS:

1. Regularly update the operating system and all software with the latest updates.
2. Enforce a strong password/passphrase policy for root/admin accounts.
3. Remove default/unused accounts and services.
4. Configure login restrictions, e.g., IP whitelisting, MFA.

Network:

1. Configure the firewall to allow only necessary inbound and outbound traffic.
2. Monitor and restrict unauthorized network access/scans.
3. Periodically, scan ports for vulnerabilities.

Remote access and accounts:

1. Use secure protocols such as SSH instead of Telnet or RDP.
2. Review and, if necessary, restrict remote access users and their privileges.
3. Remove disabled or dormant accounts.
4. Monitor failed login attempts.

Services:

1. Disable/remove unnecessary services such as SMB and NFS if not in use.
2. Configure available services (turn off directory listing, file upload, etc.).

Software environment:

1. Verify that installed applications/configurations conform to approved baselines.
2. Scan software versions for vulnerabilities.
3. Enforce application whitelisting.

Backups and recovery:

1. Perform regular backups of critical data and configurations.
2. Test the recovery process regularly.
3. Store backups in a secure off-site location.

Below, we will provide further detail on some of the points mentioned.

Preparing for a Server Security Audit

Begin by identifying the areas to be audited and setting clear objectives. Use the checklist to divide the audit into manageable parts, checking each area thoroughly and allocating more time to those that require it.

Collect up-to-date information on operating system versions, programs, services, and account access at different levels. Record any modifications, as this information will be necessary for future reporting.

The audit can be conducted independently without the need for specialists and can be partially automated using specialized software.

Software auditing tools can scan and analyze your server environment effectively. They can assess vulnerabilities, ensure license compliance, and generate reports.

Popular options include:

• Opsview Monitor is a monitoring platform that comprehensively covers operating systems, networks, virtual machines, containers, and databases.
• Netwrix provides IT audit, security, and compliance solutions to manage, monitor, and analyze user activities in hybrid environments.
• SolarWinds, as a tool for remediation, can provide valuable information about configuration changes and their impact on performance.
• Puppet Enterprise is an automation platform that simplifies infrastructure and application management, providing the most convenient deployment in any environment, from mainframes to containers.
• Palo Alto Networks provides cybersecurity solutions, including firewalls, threat prevention systems, and network security platforms.
• Check Point is a monitoring and automation tool that tracks changes in real time, reducing the risk of human error in server management.
• Nessus is a vulnerability scanner and an open-source tool that identifies and assesses vulnerabilities in systems and applications.
• OpenVAS is an open-source tool for assessing and managing vulnerabilities. It scans for vulnerabilities and provides recommendations for remediation.

Conducting Software Security Audit

Identify the installed software and its versions and verify software licenses and compliance.

1. Conduct a thorough automated scan using software logging tools to identify all software installed on the network.
2. Capture software names and versions and build numbers for accurate reporting.
3. Centralize and verify license documentation to ensure compliance with license agreements.

Tools to use: Microsoft SCCM, PDQ Inventory, Lansweeper, Snow License Manager, and Flexera.

Analyze software usage to identify any unused applications.

1. Implement software usage analytics tools to track application usage patterns in real time.
2. Analyze trends to identify actively used applications and those that may be unnecessary.
3. Gather user feedback and conduct surveys to understand preferences and requirements.
4. Develop a plan to remove or optimize unused applications based on usage analysis.

Tools to use: IBM License Metric Tool, Snow Software, Flexera, and USAGE Intel by Anthropic.

Perform vulnerability scans on the server's firewall, file system, password policy, logs, access control, and backup components. Pay attention to the following:

Solutions like Lynis and UpGuard can be used as specific, comprehensive security auditing tools.

Lynis is a security auditing tool for Linux, macOS, and UNIX-based systems. It assists with compliance testing for standards such as HIPAA, ISO 27001, and PCI DSS, as well as system hardening.

UpGuard is the best alternative to Lynis for Windows. It allows for comprehensive system analysis, including data leakage prevention and identification of attack direction.

Reports and Analysis

The audit report must contain an executive summary that outlines the audit's scope and objectives. It should then list all software installed on the server, including versions and license compliance. The main body of the report should document the results of the configuration assessments and vulnerability scans.

To validate any findings and decisions made, include screenshots, configuration file snippets, or system logs in the report.

Additionally, list the specific actions required or applied to remediate each vulnerability or issue discovered.

Analyzing the identified issues may lead to a deeper understanding of vulnerabilities in the server, requiring more comprehensive solutions.

How Often Should a Server Be Audited?

Perform a server security audit at least once a month. With a well-defined plan and awareness of hardware vulnerabilities, you can effectively handle unexpected situations and respond promptly to any security threats.

During the audit, you can identify deviations from the recommended settings and correct them, evaluate the implemented solutions, and conclude on their effectiveness. Additionally, you can identify server vulnerabilities for penetration testing.

Fixing minor problems before they cause more damage is generally more beneficial. Automating the server security audit process will complement monthly audits and improve responsiveness and resilience to attacks.