← Patterns / SP-002

Server Module

The Server Module is the companion to the Client Module (SP-001) and represents the other fundamental building block in the OSA pattern library. It encapsulates the security controls that should be applied to any server system -- whether physical hardware in a data centre, a virtual machine on a hypervisor, or a cloud-hosted instance. Other OSA patterns reference this module wherever a server component appears, ensuring a consistent and comprehensive security baseline across web servers, application servers, database servers, and infrastructure services. Servers are high-value targets because they concentrate data, processing capability, and administrative access. A compromised server typically grants an attacker access to multiple users' data, lateral movement pathways into the broader network, and persistence mechanisms that survive endpoint remediation. The controls in this module address server-specific risks across access control, audit and accountability, configuration management, physical and environmental protection, system integrity, incident response, and cryptographic services. With 90 controls spanning 15 NIST 800-53 control families, the Server Module is the most control-dense module in the OSA library. Compared to the Client Module, it adds the entire Physical and Environmental Protection (PE) family -- 12 controls covering physical access, power, cooling, fire suppression, and environmental monitoring. This reflects the reality that servers, unlike mobile endpoints, typically reside in controlled physical environments where environmental controls are as important as logical ones. The module also includes AU-06 (Audit Monitoring, Analysis, and Reporting), SC-02 (Application Partitioning), SC-10 (Network Disconnect), and SI-10 (Information Accuracy, Completeness, Validity, and Authenticity) -- controls that are more relevant to multi-user, always-on server systems than to client endpoints. As a module rather than a standalone pattern, the Server Module is designed for composition. It defines what controls apply to the server itself, but does not prescribe network architecture, perimeter defences, or client-side protections. Patterns like SP-008 (Public Web Server), SP-011 (Cloud Computing), SP-023 (Industrial Control Systems), and SP-026 (PCI Full Environment) reference this module to inherit its baseline, then add pattern-specific controls for their particular deployment context. This modular approach means that when the Server Module is strengthened, every referencing pattern inherits the improvement. Practitioners should focus on three foundational pillars when implementing this module: hardened baseline configuration (CM-02, CM-06, CM-07) to minimise the attack surface; comprehensive audit logging and monitoring (AU-02, AU-03, AU-06, SI-04) to detect and investigate compromise; and physical and environmental protection (PE-02 through PE-16) to ensure that the physical infrastructure supporting the server is resilient against environmental and physical access threats.

Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-06

Assess

ATT&CK This pattern addresses 462 techniques across 13 tactics View on ATT&CK Matrix →

Click any control badge to view its details. Download SVG

Key Control Areas

Access Control and Privilege Management

AC-03 AC-05 AC-06 AC-07 AC-10

Server access control is fundamentally about restricting who can do what on a system that serves many users and processes. AC-03 enforces access decisions based on security policy, typically through OS-level permissions, application-level authorisation, and database access controls. AC-05 enforces separation of duties so that no single administrator can provision accounts, modify configurations, and suppress audit logs. AC-06 implements least privilege for both human administrators and service accounts -- the principle that a web server process should not run as root, a monitoring agent should not have write access to application data, and a database administrator should not have OS-level root. AC-07 defends against brute-force attacks on server authentication interfaces, which are frequently targeted by automated scanners. AC-10 limits concurrent sessions to prevent session-based resource exhaustion and detect credential sharing.

Audit Logging, Monitoring, and Analysis

AU-02 AU-03 AU-06 AU-08 AU-09 AU-11

Servers generate the richest and most security-relevant audit data in any architecture. AU-02 defines the events that must be logged: authentication attempts, privilege use, file and database access, configuration changes, process execution, and network connections. AU-03 specifies record content including timestamp, user identity, event type, resource accessed, and outcome. AU-06 is critical for servers -- it requires active monitoring, analysis, and reporting of audit logs rather than passive collection. This means SIEM integration, correlation rules, anomaly detection, and alerting on suspicious patterns such as unusual administrative access times, mass data access, or privilege escalation sequences. AU-08 ensures NTP-synchronised timestamps for cross-system correlation. AU-09 protects logs from tampering, and AU-11 defines retention aligned with compliance requirements. Servers should forward logs in near-real-time to a separate, protected log management infrastructure.

Configuration Management and Server Hardening

CM-02 CM-06 CM-07 CM-08

Server hardening is the single most impactful security investment for this module. CM-02 establishes a hardened baseline configuration -- built from CIS Benchmarks, vendor security guides, or organisational standards -- that every server is deployed from. Configuration-as-code approaches (Ansible, Puppet, Chef, Terraform) make baselines repeatable, auditable, and drift-detectable. CM-06 enforces specific settings: disabled unnecessary services, restricted network listeners, hardened kernel parameters, secure default file permissions, and removal of default credentials. CM-07 applies least functionality aggressively: a web server should not have a compiler installed, a database server should not run an FTP daemon, and no server should expose management interfaces to untrusted networks. CM-08 maintains inventory of all server components including OS version, installed software, firmware versions, and network interfaces, which is essential for vulnerability management at scale.

Physical and Environmental Protection

PE-02 PE-03 PE-05 PE-06 PE-09 through PE-16

This control area distinguishes the Server Module from the Client Module. Servers typically reside in data centres, server rooms, or colocation facilities where physical security is paramount. PE-02 and PE-03 control who can physically access server infrastructure through access authorisation lists, badge systems, biometric controls, and mantrap entries. PE-05 prevents unauthorised viewing of server console displays. PE-06 provides physical access monitoring through CCTV, access logs, and alarm systems. The environmental controls (PE-09 through PE-16) protect against power failures (redundant feeds, UPS, generators), fire (detection, suppression with clean agents), water damage (raised floors, leak detection), temperature and humidity excursions (precision cooling, monitoring, alerting), and controlled equipment delivery and removal (PE-16) to prevent unauthorised hardware installation or theft. For cloud-hosted servers, these controls are inherited from the cloud provider but should be validated through SOC 2 reports or equivalent attestations.

Vulnerability Management and Patch Lifecycle

RA-05 SI-02 SI-05 SI-07

Server vulnerability management requires a disciplined, risk-prioritised approach. RA-05 mandates regular vulnerability scanning -- both authenticated scans that inspect installed packages and configurations, and network-level scans that identify exposed services and known vulnerabilities. SI-02 requires timely flaw remediation with patching SLAs calibrated to severity and exposure: internet-facing servers demand faster patching cycles than internal infrastructure. SI-05 ensures that vendor advisories, CVE notifications, and CERT alerts are monitored and triaged. SI-07 verifies software and firmware integrity, detecting unauthorised modifications that could indicate rootkit installation, backdoor deployment, or supply chain compromise. Server patching is more complex than endpoint patching due to availability requirements -- change windows, rolling updates, blue-green deployments, and rollback procedures must be planned. Organisations should maintain a patching cadence of 72 hours for critical vulnerabilities on internet-facing servers and 14 days for internal systems.

Cryptographic Services and Secure Communications

SC-12 SC-13 SC-02 SC-10

Servers handle sensitive data at scale, requiring robust cryptographic infrastructure. SC-12 covers key management for TLS certificates, database encryption keys, API authentication tokens, and inter-service communication secrets. Automated certificate lifecycle management (ACME/Let's Encrypt, HashiCorp Vault, enterprise PKI) is essential to prevent certificate expiry outages and to enable short-lived certificates. SC-13 mandates approved algorithms: TLS 1.2+ with strong cipher suites, AES-256 for data at rest, and deprecation of legacy protocols (SSLv3, TLS 1.0/1.1, RC4, 3DES). SC-02 requires application partitioning -- separating user-facing functionality from administrative interfaces and security functions so that compromise of one component does not expose the others. SC-10 enforces network disconnect after defined inactivity periods, preventing stale connections from becoming attack vectors.

Incident Response and Recovery

IR-04 IR-05 IR-06 CP-09 CP-10

Server incident response must support rapid detection, containment, forensic preservation, and recovery. IR-04 defines server-specific incident handling: isolating compromised servers without disrupting dependent services, preserving volatile memory and disk state for forensics, and coordinating with network security to block attacker C2 channels. IR-05 provides continuous monitoring through host-based IDS, file integrity monitoring, and SIEM correlation. IR-06 defines escalation and reporting procedures for server compromises, which typically have higher impact than endpoint incidents. CP-09 covers server backup with attention to backup integrity verification, encryption of backup media, and air-gapped or immutable backup copies to resist ransomware. CP-10 addresses recovery and reconstitution -- the ability to rebuild a compromised server from known-good baselines and restore data from verified backups within defined recovery time objectives.

When to Use

This module should be referenced by any OSA pattern that includes a server component in its architecture. It applies to physical servers, virtual machines, cloud instances (IaaS), and any system that provides services to other components rather than directly to end users. It is the standard server baseline for patterns including web server deployments, application platforms, database tiers, directory services, file servers, mail servers, and infrastructure services such as DNS, NTP, and DHCP.

When NOT to Use

This module is not designed for client endpoints (see SP-001 Client Module), mobile devices, or network infrastructure devices (routers, switches, firewalls) which have distinct management models and control requirements. Container orchestration platforms (Kubernetes) and serverless/function-as-a-service deployments require adapted control sets where many traditional server controls are abstracted by the platform. Embedded systems and IoT devices with constrained operating environments cannot implement the full server control baseline. For PaaS and SaaS deployments where the server layer is fully managed by the provider, the physical and environmental controls and many OS-level controls are inherited rather than directly implemented.

Typical Challenges

Server sprawl and configuration drift are persistent challenges: as the server estate grows through organic provisioning, maintaining consistent baselines becomes increasingly difficult without configuration-as-code and automated compliance scanning. Legacy servers running end-of-life operating systems or applications resist hardening and patching, creating risk pockets that compensating controls must address. Patching production servers requires careful change management to balance security urgency with availability requirements -- downtime windows are shrinking while patch volumes increase. Privileged access management is complex when multiple teams (infrastructure, application, database, security) require different levels of administrative access to the same server. Audit log volumes from servers can be enormous, and without proper tuning, critical security events are buried in noise. Physical and environmental controls in colocation or shared facilities may not meet organisational standards, requiring contractual enforcement and audit verification. Virtualisation and containerisation introduce new attack surfaces (hypervisor escape, container breakout) that traditional server controls may not fully address.

Threat Resistance

The Server Module addresses the full range of server-targeted threats. Remote exploitation of unpatched vulnerabilities is mitigated by RA-05 scanning, SI-02 patching, and CM-07 attack surface reduction. Privilege escalation and lateral movement are constrained by AC-06 least privilege, AC-05 separation of duties, and SC-02 application partitioning. Unauthorised administrative access is prevented by AC-03 access enforcement, AC-07 brute-force protection, and IA-02 strong authentication. Data exfiltration is detected by AU-06 log analysis, SI-04 monitoring, and IR-05 incident monitoring. Physical compromise and hardware theft are addressed by PE-02/PE-03 physical access controls and SC-12/SC-13 encryption of data at rest. Environmental threats (power failure, fire, flood, overheating) are mitigated by PE-09 through PE-15. Ransomware and destructive attacks are countered by CP-09 backup with integrity verification and CP-10 recovery procedures. Configuration drift and unauthorised changes are detected by CM-03/CM-04 change control and CA-07 continuous monitoring. Supply chain and integrity attacks are identified by SI-07 software integrity verification.

Assumptions

The organisation operates a managed server infrastructure with centralised configuration management, patch deployment, and monitoring capabilities. Servers are deployed in environments with appropriate physical and environmental controls (data centres, server rooms, or cloud providers with equivalent attestations). Administrative access to servers is controlled through privileged access management, with individual accountability for all administrative actions. Network segmentation exists to separate server tiers (web, application, database) and restrict lateral movement. The organisation has defined service level objectives for availability that inform patching windows and recovery time targets. For cloud-hosted servers, the shared responsibility model is understood and documented.

Developing Areas

Serverless and container security models are fundamentally challenging the traditional server hardening paradigm. When workloads run as ephemeral containers with sub-second lifetimes or as serverless functions with no visible OS, the entire CM family of controls (baseline configuration, hardening, least functionality) must be reimagined. Container-specific security tools (Aqua, Sysdig, Falco) and serverless security frameworks are emerging but the control mapping to NIST 800-53 is still being formalised by the community.
Confidential computing technologies -- Intel TDX, AMD SEV-SNP, and ARM CCA -- are moving from research prototypes toward production readiness, promising to protect data in use by encrypting memory at the hardware level. This addresses the long-standing gap where data is vulnerable during processing even when encrypted at rest and in transit. However, performance overhead of 5-15%, limited toolchain support, and the complexity of remote attestation workflows mean that adoption is concentrated in cloud provider managed offerings rather than general enterprise deployment.
Hardware root of trust and measured boot adoption is accelerating but remains inconsistent across server fleets. Technologies like Intel Boot Guard, AMD Platform Secure Boot, and TPM-based measured boot can provide cryptographic assurance that server firmware and OS have not been tampered with, directly addressing supply chain threats. The challenge is operationalising attestation at scale: collecting, validating, and acting on measurements from thousands of heterogeneous servers requires tooling that most organisations have not yet deployed.
Immutable infrastructure -- where servers are never patched in place but replaced entirely with freshly built, pre-hardened images -- is becoming the preferred model for cloud-native deployments, eliminating configuration drift by design. However, the transition from mutable to immutable infrastructure requires mature CI/CD pipelines, comprehensive image scanning, and rapid rebuild capabilities that many organisations lack. Hybrid estates where some workloads are immutable and others are traditionally patched create operational complexity and inconsistent security posture.

Related Patterns

Patterns that operate within or alongside this one. Click any to view.

SP-001 Client Module SP-008 Public Web Server Pattern SP-011 Cloud Computing Pattern SP-013 Data Security Pattern SP-016 DMZ Module SP-018 Information Security Management System (ISMS) Module SP-023 Industrial Control Systems SP-025 Advanced Monitoring and Detection SP-026 PCI Full Environment

AC: 8AT: 2AU: 9CA: 4CM: 7CP: 5IA: 3IR: 6MA: 5MP: 1PE: 12RA: 4SA: 6SC: 10SI: 8

AC-03 Access enforcement

AC-05 Separation Of Duties

AC-06 Least privilege

AC-07 Unsuccessful login attempts

AC-08 System use notification

AC-09 Previous Logon Notification

AC-10 Concurrent Session Control

AC-12 Session Termination

AT-03 Security Training

AT-04 Security Training Records

AU-02 Auditable Events

AU-03 Content Of Audit Records

AU-04 Audit Storage Capacity

AU-05 Response To Audit Processing Failures

AU-06 Audit Monitoring, Analysis, And Reporting

AU-08 Time Stamps

AU-09 Protection Of Audit Information

AU-10 Non-Repudiation

AU-11 Audit Record Retention

CA-02 Security Assessments

CA-04 Security Certification

CA-06 Security Accreditation

CA-07 Continuous Monitoring

CM-02 Baseline Configuration

CM-03 Configuration Change Control

CM-04 Monitoring Configuration Changes

CM-05 Access Restrictions For Change

CM-06 Configuration Settings

CM-07 Least Functionality

CM-08 Information System Component Inventory

CP-03 Contingency Training

CP-04 Contingency Plan Testing And Exercises

CP-05 Contingency Plan Update

CP-09 Information System Backup

CP-10 Information System Recovery And Reconstitution

IA-02 User Identification And Authentication

IA-06 Authenticator Feedback

IA-07 Cryptographic Module Authentication

IR-02 Incident Response Training

IR-03 Incident Response Testing And Exercises

IR-04 Incident Handling

IR-05 Incident Monitoring

IR-06 Incident Reporting

IR-07 Incident Response Assistance

MA-02 Controlled Maintenance

MA-03 Maintenance Tools

MA-04 Remote Maintenance

MA-05 Maintenance Personnel

MA-06 Timely Maintenance

MP-02 Media Access

PE-02 Physical Access Authorizations

PE-03 Physical Access Control

PE-05 Access Control For Display Medium

PE-06 Monitoring Physical Access

PE-09 Power Equipment And Power Cabling

PE-10 Emergency Shutoff

PE-11 Emergency Power

PE-12 Emergency Lighting

PE-13 Fire Protection

PE-14 Temperature And Humidity Controls

PE-15 Water Damage Protection

PE-16 Delivery And Removal

RA-02 Security Categorization

RA-03 Risk Assessment

RA-04 Risk Assessment Update

RA-05 Vulnerability Scanning

SA-02 Allocation Of Resources

SA-03 Life Cycle Support

SA-04 Acquisitions

SA-05 Information System Documentation

SA-06 Software Usage Restrictions

SA-08 Security Engineering Principles

SC-02 Application Partitioning

SC-03 Security Function Isolation

SC-04 Information Remnance

SC-05 Denial Of Service Protection

SC-06 Resource Priority

SC-10 Network Disconnect

SC-12 Cryptographic Key Establishment And Management

SC-13 Use Of Cryptography

SC-14 Public Access Protections

SC-18 Mobile Code

SI-02 Flaw Remediation

SI-03 Malicious Code Protection

SI-04 Information System Monitoring Tools And Techniques

SI-05 Security Alerts And Advisories

SI-06 Security Functionality Verification

SI-07 Software And Information Integrity

SI-10 Information Accuracy, Completeness, Validity, And Authenticity

SI-11 Error Handling