Five recommendations to improve the security of intranet servers


A server-based information system provides a good platform for collaboration between employees, but it also brings negative effects such as security risks. In this article the author gives five suggestions for reducing them.

In the process of enterprise information construction, the server is an indispensable component: both the ERP system and the OA system require server support. As information technology spreads, the stand-alone version of the information management system will gradually be eliminated and replaced by the server version. A server-based information system provides a good platform for collaboration between employees, but it also brings negative effects such as security risks. To address this, the author gives the following five suggestions.

Recommendation 1: Use virtualization technology to avoid interference between multiple applications

An enterprise may run several information applications, such as an office automation (OA) system and an expense reimbursement system. For ease of management and to save cost, we tend to deploy several of them on a single server. This carries a security risk: if the OA system is hit by a virus or Trojan, it may affect the other information systems on the same server, such as expense reimbursement. So there is a balance to strike between security and cost.

I suggest using virtualization technology to avoid interference between applications. For example, with virtual CPU technology the server's CPU is divided into several separate spaces, each used by one information system. Then even if the OA system is attacked by a virus and its CPU load spikes, the other information systems on the same server are not affected. This is because virtualization limits the resources available to each application: each one can only use the server's resources within a set scope. In this way every application on the same server gets a relatively independent environment, and they do not interfere with each other.

Recommendation 2: Provide file-level security with the NTFS file system

Most internal servers in enterprises run Microsoft operating systems. The file systems currently supported by Windows are FAT32 and NTFS, and I recommend everyone use NTFS, because it provides security features that FAT32 lacks. For example, NTFS provides disk quotas. With them you can limit the disk space available to each application on the server, preventing one application from consuming a large amount of disk space and affecting the operation of the others.

Another example: NTFS can also set access permissions on any disk partition. This lets you keep sensitive information and server system files on different partitions with different permissions. On a file server, the administrator can set different permissions for different users through NTFS. For example, users from other departments cannot view a department's files at all, or can only read them and cannot change or delete them. This maximizes the security of corporate documents.

Permissions can also be set separately for operating system files and application data files. For example, some enterprise OA systems have their own OA administrators while the operating system has its own system administrators, and various IT technicians work together on the same server. In this case you need to give them different permissions so that their work does not inadvertently affect the configuration of other systems. Here too, NTFS can guarantee the independence of each system.
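The department-share permission model described above, as an added PowerShell example that is not part of the original article: the owning department can modify files, everyone else can only read, administrators keep control, and an NTFS quota caps one application's service account. Paths, group names and the service account are assumptions.

```powershell
# Added example (not from the article). Create a department share where the
# owning department can modify files, other departments can only read, and
# inheritance is disabled so permissions from the parent folder do not leak in.
# Share path, group names and the quota account are assumptions for a lab domain.
$Share       = 'D:\Shares\Finance'
$OwnerGroup  = 'CORP\Finance'        # assumed group: may change/delete files
$ReaderGroup = 'CORP\Domain Users'   # assumed group: read-only

New-Item -ItemType Directory -Path $Share -Force | Out-Null

$acl = Get-Acl -Path $Share
# Stop inheriting from D:\Shares so only the rules added below apply.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rules = @(
    # Administrators and SYSTEM keep full control so the server stays manageable.
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    # Owning department: Modify (read, write, delete) but not change permissions.
    @($OwnerGroup,  'Modify'),
    # Everyone else in the company: read and execute only.
    @($ReaderGroup, 'ReadAndExecute')
)
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Share -AclObject $acl

# Show the resulting rules for review before users are pointed at the share.
(Get-Acl -Path $Share).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# NTFS disk quota on the volume: warn at 40 GB, hard limit at 50 GB for the
# assumed service account of the OA application, so it cannot fill the disk
# used by the other applications on this server.
$threshold = 40GB
$limit     = 50GB
fsutil quota enforce D:
fsutil quota modify D: $threshold $limit 'CORP\svc-oa'
```

Run it in an elevated session; NTFS quotas are per volume and per account, so each application that should be capped needs its own service account.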

Recommendation 3: Turn off unused services and ports

By default, after the server operating system is deployed it opens many ports, such as port 21 and port 80. Many of these ports are not used at all in actual work. Leaving them open is like leaving the door of the house unlocked, and it creates a considerable security risk. To improve server security, you need to shut down unnecessary ports and services.

Whether it is Windows or Linux, there are many services and ports that are not needed. If you deploy a file server on Windows, port 21 is useless. Security personnel need to pay attention to these unnecessary ports. Do not assume that a port the system opens by default is not a security risk; that is a serious misunderstanding. Ports that seem useless can give attackers a lot of sensitive information, such as the operating system in use and the applications deployed. A simple example: if an attacker finds that port 69 is open on the server, they can judge that the server is likely running an operating system such as Linux, because this port is used by the TFTP service by default. That service is not enabled by default on Windows, whereas Linux installs and starts it. Learning which operating system is running is the first step of an attack on a server, and an inconspicuous port like this hands that information to the attacker.

There are many similar cases, such as the Telnet service, which is usually not needed. Before putting a server into the production environment, the administrator needs to evaluate the ports and services the system opens, and it is best to turn off those that are not needed until they are actually required.
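The evaluation step described above, as an added PowerShell example that is not part of the original article: it lists every listening TCP and UDP endpoint on a Windows server, maps each to its process and service, and flags anything outside a role allowlist. The allowlist (SMB and RDP for a file server) is an assumption; adjust it per server role.

```powershell
# Added example (not from the article). Audit listening ports on a Windows
# server against an allowlist for its role. The allowlist below is an
# assumption for a file server that should expose only SMB (445) and RDP (3389).
$Allowed = @(445, 3389)

function Get-ListeningEndpoints {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        # Services hosted in svchost.exe are identified through the Win32_Service PID.
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($ep.OwningProcess)" |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Proto    = $ep.Proto
            Address  = $ep.LocalAddress
            Port     = $ep.LocalPort
            Process  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            Services = ($svc -join ',')
            Allowed  = $ep.LocalPort -in $Allowed
        }
    }
}

$endpoints = Get-ListeningEndpoints | Sort-Object Proto, Port -Unique
$endpoints | Format-Table -AutoSize

# Every endpoint not on the allowlist needs a decision: document it and add
# it to $Allowed, or stop and disable the service that owns it.
$endpoints | Where-Object { -not $_.Allowed -and $_.Services } | ForEach-Object {
    foreach ($name in $_.Services -split ',') {
        Write-Host "Port $($_.Port)/$($_.Proto) is owned by service '$name'"
        # -WhatIf only reports; remove it after reviewing the list to apply.
        Stop-Service -Name $name -WhatIf
        Set-Service  -Name $name -StartupType Disabled -WhatIf
    }
}
```

Endpoints with an empty Services column belong to a plain process (an application rather than a Windows service) and have to be traced through the Process column instead.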

Recommendation 4: Do a good job of backing up data

Unexpected events happen. Even if a server's security system is designed as well as possible, there will still be loopholes. The author believes that backing up the related data properly is a very important part of improving server security. Although this trick is rather old-fashioned, it is very practical: even if the server is stolen or the hard disk is physically damaged, as long as the backup is done well, everything can be recovered.

For backing up data, I have three suggestions.

First, a data backup consists of three parts. The first is operating-system-level information such as configuration information and system policies. The second is the application's configuration information, such as database tuning settings. The third is the application's data files. Of the three, only the third needs to be backed up every day, and for it you can use a differential backup strategy. The other two need to be backed up immediately after a change; there is no need to back them up every day.

Second, if conditions permit, perform an offsite backup. If the data is only backed up to a local hard drive, it cannot be recovered when that drive is physically damaged or stolen. So, where conditions permit, the data on the server needs an offsite backup as well. In general, the data is first backed up to the local hard disk and then copied to a location other than the server. This gives the server double insurance.

Third, back up different applications separately. For example, one server may host both a mail server and a database server. When backing up, should the data of both systems be backed up at once, or should each application be backed up separately? I recommend the latter. For example, if mail is lost but the database server's data is intact, only the mail system's data needs to be restored; the database server's data does not. This is also relatively simple to achieve: you can use the backup function that comes with each application, or use virtualization to keep each application's data within a fixed range, and then back up and restore each one separately.
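The three backup points above combined into one script, as an added PowerShell example that is not part of the original article: each application gets its own backup tree, data files get a daily differential copy, configuration is copied only when it changed, and the whole tree is then copied offsite. All paths and the offsite share are assumptions.

```powershell
# Added example (not from the article). Per-application backup using robocopy:
# one tree per application, full copy on first run, archive-bit differential
# copies afterwards, config copied only when changed, then an offsite copy.
# Paths and the offsite UNC share are assumptions.
$BackupRoot = 'E:\Backups'
$Offsite    = '\\backup-offsite\servers\FS01'   # assumed offsite share
$Stamp      = Get-Date -Format 'yyyyMMdd'
$Apps = @(
    @{ Name='Mail'; Data='D:\Mail\Store'; Config='D:\Mail\Config' },
    @{ Name='DB';   Data='D:\DB\Data';    Config='D:\DB\Config'   }
)

foreach ($app in $Apps) {
    $dest = Join-Path $BackupRoot $app.Name
    $full = Join-Path $dest 'full'
    $diff = Join-Path $dest "diff-$Stamp"
    $log  = Join-Path $dest 'backup.log'

    if (-not (Test-Path $full)) {
        # First run: full copy, then clear archive bits on the source so later
        # runs only pick up files changed since this full backup.
        robocopy $app.Data $full /E /COPY:DAT /R:2 /W:5 /NP /LOG+:$log
        attrib -A "$($app.Data)\*" /S
    } else {
        # /A copies files whose archive bit is set WITHOUT clearing it, so each
        # daily set holds everything changed since the full backup (differential).
        robocopy $app.Data $diff /E /A /COPY:DAT /R:2 /W:5 /NP /LOG+:$log
    }
    if ($LASTEXITCODE -ge 8) { Write-Warning "Data backup of $($app.Name) had errors" }

    # Configuration: robocopy skips files that are unchanged in size and time,
    # so running this after a config change captures it and otherwise costs nothing.
    robocopy $app.Config (Join-Path $dest 'config') /E /COPY:DAT /R:2 /W:5 /NP /LOG+:$log
}

# Offsite copy of the whole backup tree. /E is used deliberately instead of /MIR:
# a deletion of the local backups (disk failure, theft, malware) must not be
# mirrored to the offsite copy.
robocopy $BackupRoot $Offsite /E /COPY:DAT /R:3 /W:10 /NP /LOG+:"$BackupRoot\offsite.log"
if ($LASTEXITCODE -ge 8) { Write-Warning 'Offsite copy had errors; check offsite.log' }
```

The differential relies on the archive bit, so no other tool may clear it between runs; schedule a fresh full copy (delete the full folder) periodically so the daily sets do not grow without bound.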

Recommendation 5: Beware of internal user damage

Most companies have blind spots when designing internal server security. They pay too much attention to external security and ignore threats from users inside the enterprise. In fact, in the author's experience, many security threats are caused unintentionally by internal users. A simple example: a user copies a file from a home computer or a hotel computer to the file server via a device such as a USB flash drive, and that file may well carry a virus. Because the file is copied to the file server from inside the enterprise, it passes through no firewall detection. When other users open the file, the virus can spread across the corporate intranet.

So when designing internal server security, you need to pay attention to the threats internal users pose to the server. Where appropriate, these mobile storage devices can be disabled, or newly added files can be forced through an anti-virus scan. Do not give viruses and Trojans an opportunity.
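The two controls just named, as an added PowerShell example that is not part of the original article: disabling USB mass storage on the file server and scanning files written to the share in the last hour with Microsoft Defender. The share path and the hourly schedule are assumptions.

```powershell
# Added example (not from the article). (1) Disable the USB mass-storage
# driver on the file server so files cannot be copied in locally from a flash
# drive. (2) Scan every file written to the share in the last hour with
# Microsoft Defender, so a file that never crossed the perimeter firewall is
# still checked before other users open it. Share path is an assumption;
# run from an elevated scheduled task every hour.
$Share = 'D:\Shares'

# USBSTOR Start=4 disables the driver; set it back to 3 to re-enable it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4

# Files changed since the last run.
$since = (Get-Date).AddHours(-1)
$new = Get-ChildItem -Path $Share -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

foreach ($f in $new) {
    Start-MpScan -ScanType CustomScan -ScanPath $f.FullName
}

# Report detections from this window so the file owner can be contacted.
Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $since } |
    Select-Object DomainUser, Resources, ThreatID, InitialDetectionTime
```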
