Dedicated server 'Good Practice' guide
Posted by Phil (Netcetera) on 18 January 2008 08:26 AM
Contents: Users, Security, Websites, Email, Licensing/Installation of Software
Users
(a) Ensure all users connected via management software (such as Terminal Services (TS) and pcAnywhere) are logged out after use.
(b) We recommend setting a 'Lock workstation' screen saver on servers so that they lock automatically when left idle, without logging off the user.
(c) Disconnecting pcAnywhere connections when not in use is advisable, as it is a high bandwidth consumer.
(d) User permissions should be tightly controlled. Incorrect use of the Everyone group or the IIS anonymous account (IUSR_SERVERNAME) may leave your server accessible without authentication, which can in turn lead to a full (root-level) compromise of the server.
(e) NT users should be tightly controlled to ensure that users cannot access the files of other users on the server. This problem most commonly arises from incorrectly set up FTP access, which should be tested after creation.
(f) Ensure anonymous FTP access is disabled on all FTP sites. This is a common problem which enables malicious users to upload warez and other illegal software to the server for anyone to download. It is the client's responsibility to control the software on the server, and the licensing thereof, unless the software was already present when they took control of the server. As well as the licensing implications, this is also a very high bandwidth consumer.
(g) Carefully control root access to the server and ensure strong passwords of 6+ alphanumeric characters are set for all users.
(h) Password changes should be carried out on a regular basis.
(i) The use of elevated permissions is not recommended; only the highest level users should be added to the Administrators group. Never add anonymous users to the Administrators group.
(j) The Netcetera admin user 'netca' should NOT be changed in any way; this includes renaming it, resetting its password and changing its access policies. This is the admin user, and Netcetera support personnel may require access at any time to resolve issues or change server configuration.
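The following audit script is an added example, not a Netcetera script, that checks items (b), (d), (e), (g), (h) and (i) above on a current Windows Server: low-trust principals in the Administrators group, Everyone or the IIS anonymous account holding write rights under the web root, stale or never-expiring passwords, and the lock-workstation screen saver. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the web root path and the 90-day password age are assumed values you should adjust.

```powershell
# Added example (not Netcetera's own script). Assumes PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module. $WebRoot and $MaxPasswordAgeDays are assumptions.
$WebRoot            = 'C:\inetpub\wwwroot'
$MaxPasswordAgeDays = 90
$Findings           = New-Object System.Collections.Generic.List[string]

# (i)/(d): no anonymous or low-trust principal should be a member of Administrators
$Risky = 'Everyone', 'Guest', 'ANONYMOUS LOGON', 'Authenticated Users', 'IUSR', 'IWAM'
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $Name = ($_.Name -split '\\')[-1]           # strip the DOMAIN\ or SERVER\ prefix
    if ($Risky | Where-Object { $Name -like "$($_)*" }) {
        $Findings.Add("Administrators contains low-trust principal: $($_.Name)")
    }
}

# (d)/(e): Everyone and the IIS anonymous account (IUSR_* on IIS 6, NT AUTHORITY\IUSR on IIS 7+)
# must not be able to write under the web root
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$Dirs = @(Get-Item -Path $WebRoot -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $WebRoot -Recurse -Directory -ErrorAction SilentlyContinue)
foreach ($Dir in $Dirs) {
    (Get-Acl -Path $Dir.FullName).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -eq 'Everyone' -or $_.IdentityReference.Value -like '*\IUSR*') -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    } | ForEach-Object {
        $Findings.Add("Writable by $($_.IdentityReference): $($Dir.FullName) ($($_.FileSystemRights))")
    }
}

# (g)/(h): enabled local accounts whose password never expires or is older than the limit
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    if ($_.PasswordNeverExpires) {
        $Findings.Add("Password never expires: $($_.Name)")
    } elseif ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $Findings.Add("Password older than $MaxPasswordAgeDays days: $($_.Name) (set $($_.PasswordLastSet.ToShortDateString()))")
    }
}

# (b): lock-workstation screen saver for the profile running this script
$Desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($Desktop.ScreenSaveActive -ne '1' -or $Desktop.ScreenSaverIsSecure -ne '1') {
    $Findings.Add('Screen saver lock is not enabled for this profile (ScreenSaveActive / ScreenSaverIsSecure)')
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Run it from an elevated session on the server itself; it only reads configuration and prints findings, so it is safe to schedule after every change to users or FTP sites. The screen saver check only covers the profile the script runs under, so run it as each administrative user, or enforce the setting through policy instead.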
Security
(a) Keeping all servers up to date with all critical updates and service packs is of paramount importance to the stability and security of your server.
(b) Running the Microsoft IIS Lockdown tool on your server is advisable.
(c) It is recommended that all services which are not needed for the day-to-day running of your server are disabled until they are needed.
(d) Third party software that is not from a trusted source should not be installed on your server as it may contain backdoor Trojans and other programs intended to compromise the security of the server.
(e) Using email software on your server to download and read your emails should be avoided as emails may contain viruses which may damage or compromise the server once opened.
(f) Installing anti-virus software on the server is recommended, as well as scheduling scans and virus definition updates on a regular basis.
(g) Installation of an Intrusion Detection System (IDS) is recommended unless other protection is in place between the server and the untrusted network connection.
(h) Firewall technology should be implemented either on the server or between the server and the untrusted network connection. The firewall should provide some form of application-level security; otherwise the use of an IDS is also recommended.
(i) Connection to the server through the firewall should be made over a secure VPN connection where possible.
(j) It is recommended that some sort of backup solution is implemented on all servers in case of failure or data corruption.
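As an added example, not a Netcetera script, the following covers items (a), (c), (h), (i) and (j) above on a current Windows Server: it reports patch age and automatic services outside an allowlist, and can then enable the host firewall with a default inbound block and restrict Remote Desktop to a management subnet reached over VPN. It assumes the NetSecurity module (Windows Server 2012 or later) and, for the backup line, the Windows Server Backup feature; the management subnet, the service allowlist, the 30-day patch limit and the backup target are all assumed values.

```powershell
# Added example (not Netcetera's own script). Assumes Windows Server 2012+ with the
# NetSecurity module. $ManagementNet, $Needed, $MaxPatchAgeDays and the backup target are assumptions.
$ManagementNet   = '10.0.0.0/24'     # constructed value: the VPN/admin subnet you connect from
$MaxPatchAgeDays = 30
$ApplyFirewall   = $false            # set to $true to apply the firewall changes below
$Needed = 'W3SVC', 'WAS', 'EventLog', 'Dnscache', 'WinRM', 'TermService', 'MpsSvc',
          'Schedule', 'wuauserv', 'BITS', 'WinDefend', 'LanmanServer', 'RpcSs'

# (a) patch currency: date of the most recently installed update
$LastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $LastPatch -or $LastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    "WARNING: no update installed in the last $MaxPatchAgeDays days (last: $($LastPatch.InstalledOn))"
} else {
    "Last update installed $($LastPatch.InstalledOn.ToShortDateString()) ($($LastPatch.HotFixID))"
}

# (c) automatic-start services that are not on the allowlist; review each and disable what is unused
'Automatic services not on the allowlist:'
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Name -notin $Needed } |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize
# Example of disabling a service you have confirmed is not needed (Telnet server here):
# Stop-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
# Set-Service  -Name 'TlntSvr' -StartupType Disabled

# (h)/(i) host firewall: every profile on, inbound blocked by default, RDP only from the
# management subnet (reached over VPN) instead of the built-in any-source RDP rules
if ($ApplyFirewall) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    Get-NetFirewallRule -DisplayName 'RDP from management network' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP from management network' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $ManagementNet -Action Allow | Out-Null
    'Firewall applied: inbound blocked by default; RDP allowed only from ' + $ManagementNet
}

# (j) a one-off system-state backup with Windows Server Backup (feature must be installed);
# E: is an assumed target volume. Schedule this rather than running it once.
# wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet
```

Run the reporting part first and only set $ApplyFirewall after confirming that the address you administer from falls inside $ManagementNet: applying the rule from a session outside that subnet disconnects you, which is exactly the situation item (f) under Licensing/Installation of Software describes. Keep $Needed specific to the roles the server actually runs; the list above is only a starting point.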
Websites
(a) We do not allow explicit content of any nature to be uploaded to servers. This is down to the high bandwidth usage of sites with this material as well as moral issues.
(b) For software downloads the client is responsible for ensuring they have the permission of the copyright owner of the software which they are offering for download. Netcetera is not responsible for seeking this permission on behalf of the client and as such may not be held responsible for any repercussions as a result of the client having not obtained such permission. This is a high bandwidth user, so please take this into account.
(c) Media files (including but NOT limited to .wav, .mp3, .asf, .wma, .avi, .mpeg, .midi, .aiff, .au) should not be uploaded to a server unless permission is sought from the copyright owner of the files which are being offered for download. Netcetera is not responsible for seeking this permission on behalf of the client and as such may not be held responsible for any repercussions as a result of the client having not obtained such permission. This is also a very high bandwidth user, so please take this into account.
(d) Storing of credit card details on servers is bad practice and not recommended in any case.
(e) Storing personal details on the server may be in breach of the Data Protection Act 1998 and as such is not recommended. Netcetera will not be held accountable for any breach of the Data Protection Act.
(f) Collection of personal details, including credit card details, is not recommended unless over an SSL connection (https://) with high encryption.
(g) It is not acceptable to host any content which may result in illegal activity. This includes the hosting of any educational documentation which may be used in such a way.
Email
(a) As previously stated, using an email client on the server is not recommended, as this may result in the server being infected or compromised by a virus or other malicious program.
(b) Restricting relaying must be a priority when setting up the SMTP service on the server. Servers are not always secure as shipped: ensuring that the anonymous user cannot send should be your primary task, and restricting relaying by IP address is also advisable. Leaving a server available as an open relay can result in the blacklisting of other servers on the same subnet, so we will not hesitate to take servers which are not secure off the network. Open SMTP servers are very high bandwidth users.
(c) We do not accept SPAMMING from servers in any way, shape or form. Please see http://help.inetc.net/e-mail/spam/
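Once relaying has been restricted as item (b) describes, confirm the result against your own server. The script below is an added example, not a Netcetera script: it opens an un-authenticated SMTP session to the local service and checks that a RCPT TO for a domain the server does not host is refused with a 5xx reply. It assumes the service listens on 127.0.0.1 port 25; the sender and recipient addresses are constructed values.

```powershell
# Added example (not Netcetera's own script). Checks that your own SMTP service refuses to
# relay for an un-authenticated client. Defaults assume the service is on 127.0.0.1:25;
# the example.com / example.net addresses are constructed.
param(
    [string]$Server = '127.0.0.1',
    [int]$Port = 25,
    [string]$Sender = 'probe@example.com',
    [string]$OutsideRecipient = 'someone@example.net'   # a domain this server does not host
)

function Send-SmtpLine {
    # Sends one command (or nothing, to read the banner) and returns the final reply line.
    # Multi-line replies (e.g. to EHLO) use '-' after the 3-digit code on all but the last line.
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Line)
    if ($Line) { $Writer.WriteLine($Line); $Writer.Flush() }
    do { $Reply = $Reader.ReadLine() } while ($Reply -and $Reply.Length -ge 4 -and $Reply[3] -eq '-')
    return $Reply
}

$Client = New-Object System.Net.Sockets.TcpClient
$Client.Connect($Server, $Port)
$Stream = $Client.GetStream()
$Reader = New-Object System.IO.StreamReader($Stream)
$Writer = New-Object System.IO.StreamWriter($Stream)
$Writer.NewLine = "`r`n"                                   # SMTP lines end in CRLF

$Banner = Send-SmtpLine $Writer $Reader $null
Send-SmtpLine $Writer $Reader 'EHLO relaycheck.local' | Out-Null
Send-SmtpLine $Writer $Reader "MAIL FROM:<$Sender>" | Out-Null
$Verdict = Send-SmtpLine $Writer $Reader "RCPT TO:<$OutsideRecipient>"
Send-SmtpLine $Writer $Reader 'QUIT' | Out-Null
$Client.Close()

"Banner: $Banner"
if ($Verdict -match '^5\d\d') {
    "OK: $Server refused to relay for an anonymous session ($Verdict)"
} else {
    "WARNING: $Server accepted RCPT TO an outside domain without authentication ($Verdict); fix the relay restrictions"
}
```

Run it from the server console against 127.0.0.1 and again from a host outside any IP range you have allowed to relay, since a server that correctly refuses its own loopback address may still relay for an address range that was added too generously. A 250 reply to the RCPT TO line in the second run means the server is an open relay for that network.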
Licensing/Installation of Software
(a) Only licensed software may be installed on servers. It is not the responsibility of Netcetera to seek licensing for software installed by the client.
(b) Free software may be installed only after ensuring that any criteria outlined in its terms and conditions are met by the installing party.
(c) Free non-commercial software may not be installed on to commercially used dedicated servers.
(d) It is the client's responsibility to remove any software which has been installed at the end of its license agreement.
(e) Installing software designed for transferring media and other copyright materials (including but NOT limited to .wav, .mp3, .asf, .wma, .avi, .mpeg, .midi, .aiff, .au) is not permitted on dedicated servers.
(f) Clients who install software which blocks access to a server (including software firewalls) will be charged at our standard rate for Server Admin time to have the software removed or disabled to allow access to the server. Clients who are not willing to pay this fee may agree a time/date with a technician to resolve the issue after logging a support call. This will then be added to our maintenance schedule, which usually has a turnaround of approximately 48 hours. If you wish to install software which may restrict access, please log a support call to have this added to the Maintenance Schedule. This gives us the ability to have a technician available to grant access and ensure there is not a prolonged outage. There may also be a charge for this service, but it is dependent on what work will be involved.