Learning Center June 6, 2025 Reading Time: 5 minutes

What Are Must-Do Security Steps When Setting Up a New Server?

Every server provisioned without hardening is a ticking time bomb. If you don’t apply security controls from the start, the system is exposed before attackers have even begun planning an attack. Misconfigured ports, missing patches, and exposed admin panels are often found by attackers within hours or days.

New server hardening closes these gaps. It’s a foundational piece of your security strategy—especially when servers help power your organization and keep you in business.

Why Server Hardening Matters

Hardening your organization’s servers boils down to one thing: reducing your attack surface. Out-of-the-box server configurations often include unnecessary services, sample applications, and insecure defaults.

Hardening ensures every system is launched with least-privilege access, visibility, and defensive controls in place.

Step 1: Apply System Updates Immediately

Before you connect a new server to the network, make sure it’s fully updated. Run all OS-level patches and security updates to close off known vulnerabilities. Set up auto-updates if possible, and verify that security configurations are current.

Unpatched systems are a favorite target: attackers often scan for them within hours of a CVE (Common Vulnerabilities and Exposures) entry being published. Getting ahead with patching gives you a critical early shield.

Step 2: Harden SSH Access Control

SSH access control is a high priority during initial server configuration. SSH (Secure Shell) is the main way admins remotely access and manage servers, which makes it a top target for attackers. Use SSH keys instead of passwords, restrict access by IP, disable root login, and change the default port to reduce risk.

SecurityScorecard can identify misconfigured SSH services, highlighting dangerous exposure before it’s exploited.
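As an added example (not part of the original article and not SecurityScorecard’s code), a small POSIX shell audit of an sshd_config against the four points above: the sample configs are constructed, and the parser assumes the `Directive value` form of sshd_config.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config against the
# Step 2 points (keys instead of passwords, no root login, non-default port,
# access restricted to named users/groups or source addresses).

# Effective value of a global directive. Like sshd itself, the FIRST
# occurrence wins and everything after the first "Match" line is ignored,
# since those settings apply only to the matched connections.
# Assumes the "Directive value" form; "Directive=value" is not parsed.
sshd_get() {  # $1 = config file, $2 = directive name (case-insensitive)
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comments, blank lines
    tolower($1) == "match"               { exit }    # end of global section
    tolower($1) == key                   { print $2; exit }
  ' "$1"
}

# Compare an effective value with the expected one and count failures.
sshd_check() {  # $1 = description, $2 = actual, $3 = expected
  if [ "$2" = "$3" ]; then echo "PASS: $1 ($2)"
  else echo "FAIL: $1 (got '$2', want '$3')"; FAILS=$((FAILS + 1)); fi
}

# Run every check on one file; the return value is the number of failures.
# Unset directives are replaced by the OpenSSH default they fall back to.
sshd_audit() {  # $1 = path to sshd_config
  FAILS=0
  v=$(sshd_get "$1" PermitRootLogin);        sshd_check "root login disabled"    "${v:-prohibit-password}" "no"
  v=$(sshd_get "$1" PasswordAuthentication); sshd_check "password auth disabled" "${v:-yes}" "no"
  v=$(sshd_get "$1" PubkeyAuthentication);   sshd_check "key auth enabled"       "${v:-yes}" "yes"
  v=$(sshd_get "$1" Port)
  if [ "${v:-22}" = "22" ]; then echo "FAIL: default port 22 in use"; FAILS=$((FAILS + 1))
  else echo "PASS: non-default port ($v)"; fi
  if grep -Eiq '^[[:space:]]*(AllowUsers|AllowGroups|Match[[:space:]]+Address)' "$1"; then
    echo "PASS: access restricted by user, group or source address"
  else echo "FAIL: no AllowUsers/AllowGroups/Match Address restriction"; FAILS=$((FAILS + 1)); fi
  return "$FAILS"
}

# Constructed samples: a typical out-of-the-box file (its trailing Match
# block does NOT fix the global root-login setting) and a hardened one.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
  '#PubkeyAuthentication yes' 'Match User backup' '    PermitRootLogin no' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
  'PubkeyAuthentication yes' 'AllowUsers ops' > "$HARDENED_CFG"
echo "== weak =="; sshd_audit "$WEAK_CFG" || echo "$? check(s) failed"
echo "== hardened =="; sshd_audit "$HARDENED_CFG" || echo "$? check(s) failed"
```

Run it against `/etc/ssh/sshd_config` on a freshly provisioned host; `sshd -T` prints the fully resolved configuration if you want to cross-check the defaults the audit assumes.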

Step 3: Remove Unnecessary Services and Ports

Leaving unnecessary ports open makes it easier for attackers to find a way into your server. Only keep the ports your organization truly needs and block everything else. Here are some common risky ports to watch for:

  • Port 21 (FTP) – often used for file transfers, but outdated and insecure

  • Port 23 (Telnet) – sends data in plain text, including passwords

  • Port 161 (SNMP) – often forgotten but can leak sensitive system info

The fewer services you expose, the smaller your attack surface and the harder it is for bad actors to get in.

Step 4: Configure a Local Firewall

A local firewall built into your server’s operating system controls which traffic can get in or out, and limits what malicious software on the host is able to reach. This helps your organization:

  • Block unwanted traffic

  • Limit exposure by only allowing specific ports or IP addresses

Step 5: Manage Access

Enforce least-privilege access, which is central to a Zero Trust approach, so that users can reach only what they need. This minimizes the impact of a security incident if a breach does occur. Enforce it at every layer.

The fewer users with elevated access, the smaller your attack surface.

Step 6: Deploy Malware and Intrusion Detection

An Intrusion Detection System (IDS) adds visibility and can leverage both signature-based and behavior-based detection to give you a more comprehensive view of potential threats. Log alerts and integrate with Security Information and Event Management (SIEM) tools.

SecurityScorecard’s STRIKE Team can support your organization’s detection efforts with threat intelligence from dark web sources, ransomware groups, and global exploits.

Step 7: Enable Central Logging and Audit Controls

Logging is foundational to defense: if you don’t log it, you can’t investigate it. Configure logging to include continuous threat monitoring and alerts for suspicious logins, repeated failures, or other unusual behavior.
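As an added example (not part of the original article and not SecurityScorecard’s code), two POSIX shell checks over sshd auth-log lines that implement the “repeated failures” and “suspicious logins” alerts described above; the log lines are constructed samples, and the message wording they assume is that of classic syslog-style sshd output.

```shell
#!/bin/sh
# Added example, not from the article: two checks over sshd auth-log lines
# for the "repeated failures" and "suspicious logins" alerts in Step 7.
# The log below is a constructed sample in the classic syslog line format
# sshd writes (the exact message wording is an assumption of this example).

# Print "count ip" for every source address with at least $2 failed password
# attempts in $1, most active first.
failed_login_report() {  # $1 = log file, $2 = threshold (default 5)
  awk -v thr="${2:-5}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
  ' "$1" | sort -rn
}

# Print every successful login from an address that had already failed at
# least $2 times before it: the shape of a brute-force attempt that worked.
success_after_failures() {  # $1 = log file, $2 = threshold (default 3)
  awk -v thr="${2:-3}" '
    {                                   # pull "for <user>" and "from <ip>"
      ip = ""; user = ""
      for (i = 1; i < NF; i++) { if ($i == "from") ip = $(i+1); if ($i == "for") user = $(i+1) }
    }
    /sshd\[[0-9]+\]: Failed password for/ { n[ip]++ }
    /sshd\[[0-9]+\]: Accepted / && (n[ip] + 0) >= thr {
      print ip, user, "(" n[ip] " failures before success)"
    }
  ' "$1"
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
AUTH_LOG=$(mktemp); trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Jun  6 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun  6 10:00:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jun  6 10:00:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Jun  6 10:00:04 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Jun  6 10:00:05 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40116 ssh2
Jun  6 10:00:06 web1 sshd[2109]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Jun  6 10:00:08 web1 sshd[2113]: Failed password for root from 198.51.100.9 port 2200 ssh2
Jun  6 10:00:09 web1 sshd[2113]: Failed password for root from 198.51.100.9 port 2201 ssh2
Jun  6 10:00:10 web1 sshd[2113]: Failed password for root from 198.51.100.9 port 2202 ssh2
Jun  6 10:00:11 web1 sshd[2115]: Accepted password for root from 198.51.100.9 port 2203 ssh2
EOF
echo "== addresses with 5+ failures =="; failed_login_report "$AUTH_LOG" 5
echo "== success after 3+ failures ==";  success_after_failures "$AUTH_LOG" 3
```

The second check is the one to forward to the SIEM with the highest priority: a password login for root after three failures from the same address is exactly what Step 2 is meant to make impossible.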

Step 8: Harden Web Application Interfaces

If your server runs a website or web app, it’s important to secure it from day one. Attackers often target public-facing pages and forms to find easy ways in. Here’s how to reduce your risk:

  • Enforce HTTPS (TLS) to encrypt data sent between users and your site, which helps protect logins and personal information

  • Remove or hide default pages and admin tools that attackers can use to gain access

SecurityScorecard can detect external indications of weak TLS configurations or exposed services that increase attack surface risk.

Step 9: Configure and Test Reliable Backups

Hardening must include recoverability and planning for incidents:

  • Schedule full and incremental backups
  • Store backups offsite and encrypted
  • Use immutable or air-gapped backup methods
  • Monitor for ransomware attempting to delete backups

Hardening doesn’t matter if attackers can wipe everything without recovery.

Step 10: Vet Third-Party Integrations

According to SecurityScorecard’s 2025 Third-Party Breach Report, 35.5% of breaches now stem from third parties:

  • Check vendor patching policies and breach history
  • Use least-privilege access for all external connections

SecurityScorecard continuously monitors third-party exposure from the outside, highlighting publicly accessible software, service, and vendor misconfigurations before attackers do.

Final Thoughts

In today’s interconnected digital landscape, ensuring servers are hardened from the outset is crucial to prevent potential breaches and maintain business continuity.

SecurityScorecard can provide your organization external visibility into what attackers can see. Whether it’s a forgotten port, expired certificate, or misconfigured integration, we surface exposures across your organization and your vendors.
