When I am building out a new server or designing a new server environment, I cannot help but think through and plan in my head the different ways I could break in. Having an attacker or Red Team mindset is key to constructing a defensive strategy. The ability to think offensively will lead you to develop better defensive layers and alerting mechanisms. We should inherently assume anything we build will be attacked at some point in time, and we need to defend it. If a server or service is on a WAN-connected network, it will be attacked, at a minimum by a bot.
It’s important to be aware that you cannot stop a determined attacker from breaching a system. However, there are millions of other targets in the world. So if you can build layers of obstacles to slow down and annoy an attacker, hopefully they will move on to lower-hanging fruit. Keep this in mind while you construct walls around your castle of servers and data.
If you want a 100% secure server, then shut it down and unplug it. However, this only works until an attacker calls up one of your users and convinces them they need to turn the server back on.
These are just the basics, a simple 101 breakdown of best practices for a single system. I am also going to try to keep this operating-system agnostic.
Short on time? TLDR