At Superb Internet, we have virtual private servers (VPSs) as an alternative to dedicated or shared hosting. As you may be aware, the VPS solution lies between dedicated and shared. Essentially, it allows you a plot of server soil to call your own while not causing you to have to bear the upfront cost and maintenance expenses of an entire independent server.
One of the types of hosting we offer is the virtualized private server, or VPS. This three-part series will look at how two different virtualization systems, OpenVZ and Xen, compare. Note that we use OpenVZ for a number of different reasons, which we will cover briefly in the conclusion to the series, but our general assessment will look at the two platforms from various angles.
We will draw primarily from discussion by Scott Yang of HostingFu, VPS6.net via HostingDiscussion.com, and Steven from The Linux Fix. Citing general advice sources will allow us to talk openly about the subject so you can determine what virtual environment makes the most sense for you.
Shoelaces and Velcro create a similar conundrum for business people, so I’ll also cover that debate. Shoelaces, as we all know, are a terrible idea. They are constantly coming untied. Tying your shoe involves making these two loops and twisting them around each other, whether they want to be twisted or not. It’s aggressive, forceful, and complicated – very similar to punk square dancing. Velcro, though, is seen by many key influencers as a more efficient and sophisticated way to tighten your shoes. Continue reading Xen vs. OpenVZ & Shoelaces vs. Velcro→
To quickly review our previous discussion, we are discussing the different types of Linux. Linux, along with Windows, is one of the two basic operating systems used on servers. It’s also used on personal desktops, though not nearly as frequently (meaning it’s a tiny percentage of consumer use). That is because IT folks appreciate the control, freedom, and security Linux allows – like any open-source software, its source code is accessible and changeable – so they build it into networks.
Because the source code is changeable, it invites experimentation, in a similar way to a chef who learns the basic recipes of other chefs and then elaborates on them to concoct his own version. Linux in this way is unlike Microsoft code, which is, for better (one simple standard) and worse (lack of access and freedom), inaccessible (well, sorta) and unmanipulable (legally speaking). Standardization with Microsoft allows one efficient and predictable taste. Experimentation with Linux allows manifold community recipes.
Linux is delicious—so delicious, in fact, that some people can’t get enough, even if it’s awkward to pull out the OS and get a brief blast to the tastebuds. A key example is when Bill Gates was riding a glass elevator with me in Chicago, Illinois. He suddenly started speaking rapidly into a microsensor on his arm, “Open Linux Mint. Must feel something. Sixteen-year-old virtual reality overlord removing my feeling code. My love for Cinnamon Bun is dying. Sad Bill. Where are my pills?” Though Cinnamon Bun was his dog, it did not appear that his arm heard him, or that he was the real Bill Gates. Continue reading Many Different Flavors of Linux: A Look at Distros & How They Taste – Part 3→
As we discussed in the first installment of this series, deciding on an operating system for your server is one of the most important decisions you make when choosing a hosting environment. Your options get broader when you are using dedicated servers (in contrast to shared hosting) or virtual private servers (VPSs – the middle ground between dedicated and shared hosting in which your chunk of the server is partitioned into its own unit).
Windows is simple. You obviously want the most up-to-date version; but other than that, it’s Windows, and that’s it. That is kind of nice for simplicity’s sake, but if you are interested in open source environments (access to the source code) and general computing freedom, Linux is probably the way you want to go. Linux comes in a wide variety of flavors, so choosing between those options is your first challenge.
It is widely acknowledged throughout the Linux community that the different versions of Linux smell pretty much the same but taste very different. “It’s hard to explain,” said Bill Gates to me in a glass elevator overlooking the Chicago shoreline, “but there is a way in which you can feel different distributions of Linux on your tongue.” Bill (or it’s possible it was his doppelgänger) straightened his unitard, gave his dog Cinnamon Bun a piece of bacon from his breast pocket, and continued: “Some are sweet, some are sour, and some are bitter… I hate eating.” Then the elevator stopped between floors for an hour of maintenance. Continue reading Many Different Flavors of Linux: A Look at Distros & How They Taste – Part 2→
When you look at servers, one of the most important decisions you need to make is the operating system. Typically that means choosing between Windows and Linux. However, you may choose to use a dedicated server (a server you control, with a hosting company or on your own) or co-location (using a hosting company’s data center to store your server in an ultra-secure environment). In that case, you will have a wide variety of types of Linux you can potentially explore. The same is true of your PC desktop.
Linux has all these options to choose from because it is an open-source (freely available source code) version of UNIX. UNIX, then, is the real base operating system. Linux became an incredibly popular version of UNIX, the standard for use by high-tech folks and many companies around the globe. Due to its widespread adoption and the fact that it is open source and can be manipulated as desired, a widespread array of versions has proliferated.
Perhaps the best part of Linux flavors is, in fact, not how they operate or feel but how they taste. Probably the most ridiculous comment Bill Gates ever made was when he complained that “all species of Linux taste like chicken.” He then explained that Windows tasted “like a warm blueberry muffin at one moment, like crisp roast duck the next.” Granted, he was a little inebriated when he made these comments, and it’s also possible it wasn’t him. Some guy who looked like Gates definitely said this, though. Continue reading Many Different Flavors of Linux: A Look at Distros & How They Taste→
Well, here we all are (except for my cousin Steve, who had to go to his tuba lesson), taking a final look at server hardening in our final segment of this series. Considering the series as a ham sandwich, we’ve looked at the topic generally (top bread), as well as basic techniques that can be used to improve security on Linux systems (just ham… we’ve run out of vegetables). Today we look at Windows servers (bottom bread, which many sandwich enthusiasts believe is the best part).
Note that some concepts related to server security are of use to anyone interacting with a server; but generally speaking, they are of particular use to those with dedicated and VPS accounts. Both of those types of hosting environments allow you system administrative responsibilities that you cannot access through a shared account. That system access means you can change default settings and implement policies that are otherwise under the auspices of the hosting company.
We’re actually looking at three types of servers. In addition to Windows and Linux, we are also reviewing the NSA Datamine server. That server allows you to quickly and efficiently transfer all of your information into the federal government database so that you can know, once and for all, if you are a threat to the social order. If that’s the case, millions of microscopic, lightly humming insectile nanobots come directly to your location, get into flying carpet formation, and spirit you away to a safe location.
We are reviewing thoughts from three primary sources for this series: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com; and “Baseline Server Hardening,” by Microsoft’s TechNet. Unfortunately, none of these articles focuses on the NSA server. That information had to come to me in a densely encoded daydream.
How to Harden Your Windows Server
Prior to getting into specifics for server hardening, Microsoft outlines four baseline installation rules – essentially prerequisites for a secure server:
The initial installation of the OS and any additional applications all arise from legitimate and credible sources.
The server should only be on reliable networks while both installation and hardening are underway.
The initial installation contains the most up-to-date service packs and any other security-related system updates.
Following completion of base installation, you follow the same procedures on all additional servers.
Again, that careful OS and software implementation lays the groundwork for a server that can be reasonably hardened. Also, if you’re going to eat a popsicle while hardening the server, don’t give bites to it, even if it says it really likes cherry flavor. Servers cannot harden while experiencing brain freeze.
Group Policy Templates – Microsoft covers these templates in a specific section of its recommended guidelines. Though Group Policy can help protect the server in some ways, you also need to apply security templates. In other words, these are two different levels of hardening that must be combined to be reasonably effective.
Partitions – NTFS should always be used in place of any file allocation table (FAT) partitions. Simply put, NTFS gives you access to security parameters you don’t have with FAT. You can use the Convert utility to change any FAT volumes to NTFS. If you do convert, you want to run Fixacls to reset the ACLs (access control lists) on the converted volume. Otherwise, all users will have access to that portion of the system by default. It’s like a salad bar without a sneeze guard.
Passwords – You can use extremely lengthy passwords in Windows environments, upwards of 100 characters. Go long and strong: combinations of symbols, letters, numbers, and – if you want to get really fancy – ASCII device control characters. Note that the usable ASCII control characters will not print and can be entered by holding “Alt” and typing various digit combinations. Specifically, Microsoft recommends that passwords never be eight characters or less and that one of the first seven characters should be a symbol or a non-printing ASCII control character. Finally, use a different password for each machine.
Renaming – This technique is so basic that it almost seems silly. However, renaming your Administrator account can be incredibly helpful because it’s the general focus for infiltrations. Then create a new account, call that one Administrator, and limit its rights. That new faux-Administrator account can have a lengthy and intricate password. Don’t worry about getting into that account often. It’s just a decoy for anyone trying to get into the system. Apply this method throughout your system, on all individual devices. Also, the real Administrator account should have a different name on every server. If that seems to be going too far for everyday use, at least differentiate the passwords, even if not the names. Similarly, if you have any sons, it’s acceptable to name each of them George Foreman so long as they each have different keys to your heart.
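As an added example, not part of the original post or the cited Microsoft guidance, here is a PowerShell audit that checks the partition, renaming, decoy-account, and password-length items above on the local server. The function name and messages are this example’s own; it assumes an elevated PowerShell 5.1 or later session with the LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example: read-only audit of a few hardening items from the post.
# Assumes an elevated session; cmdlet names are real, the function is hypothetical.
function Get-HardeningReport {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Partitions: every fixed volume with a drive letter should be NTFS, not FAT/FAT32/exFAT.
    Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' -and $_.FileSystem } |
        ForEach-Object {
            if ($_.FileSystem -notin @('NTFS', 'ReFS')) {
                $findings.Add("Volume $($_.DriveLetter): uses $($_.FileSystem); convert to NTFS and reset ACLs")
            }
        }

    # 2. Renaming: the built-in Administrator keeps the well-known RID 500 whatever it is called,
    #    so check the SID rather than trusting the display name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin.Name -eq 'Administrator') {
        $findings.Add('Built-in Administrator (RID 500) still uses the default name')
    }

    # 3. Decoy: an account literally named "Administrator" that is NOT the RID-500 account
    #    is the decoy described in the post; it must not sit in the Administrators group.
    $decoy = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
    if ($decoy -and $decoy.SID.Value -notlike '*-500') {
        $adminSids = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value
        if ($adminSids -contains $decoy.SID.Value) {
            $findings.Add('Decoy "Administrator" account is a member of the Administrators group')
        }
    }

    # 4. Passwords: the post cites Microsoft's advice of more than eight characters;
    #    read the effective minimum from the local account policy via "net accounts".
    $line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
    if ($line -match '(\d+)\s*$') {
        $min = [int]$Matches[1]
        if ($min -le 8) { $findings.Add("Minimum password length is $min; require more than 8") }
    } elseif ($line -match 'None') {
        $findings.Add('No minimum password length is enforced')
    }

    return $findings
}

# Print one line per finding; an empty report means all four checks passed.
Get-HardeningReport | ForEach-Object { Write-Output "FINDING: $_" }
```

Running this on each server after hardening gives you a quick, repeatable check that the renamed and decoy accounts, NTFS volumes, and password policy are actually in place rather than assumed.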
Conclusion & Continuation
That should give you a basic sense of Windows server hardening. Here are additional details if you want to explore the topic further.
In closing out our server hardening trilogy, here is information on our dedicated, VPS, and colocation services.