SP-002 Server Module

The Server Module is the companion to the Client Module (SP-001) and represents the other fundamental building block in the OSA pattern library. It encapsulates the security controls that should be applied to any server system -- whether physical hardware in a data centre, a virtual machine on a hypervisor, or a cloud-hosted instance. Other OSA patterns reference this module wherever a server component appears, ensuring a consistent and comprehensive security baseline across web servers, application servers, database servers, and infrastructure services.

Servers are high-value targets because they concentrate data, processing capability, and administrative access. A compromised server typically grants an attacker access to multiple users' data, lateral movement pathways into the broader network, and persistence mechanisms that survive endpoint remediation. The controls in this module address server-specific risks across access control, audit and accountability, configuration management, physical and environmental protection, system integrity, incident response, and cryptographic services.

With 90 controls spanning 15 NIST 800-53 control families, the Server Module is the most control-dense module in the OSA library. Compared to the Client Module, it adds the entire Physical and Environmental Protection (PE) family -- 12 controls covering physical access, power, cooling, fire suppression, and environmental monitoring. This reflects the reality that servers, unlike mobile endpoints, typically reside in controlled physical environments where environmental controls are as important as logical ones. The module also includes AU-06 (Audit Monitoring, Analysis, and Reporting), SC-02 (Application Partitioning), SC-10 (Network Disconnect), and SI-10 (Information Accuracy, Completeness, Validity, and Authenticity) -- controls that are more relevant to multi-user, always-on server systems than to client endpoints.
As a module rather than a standalone pattern, the Server Module is designed for composition. It defines what controls apply to the server itself, but does not prescribe network architecture, perimeter defences, or client-side protections. Patterns like SP-008 (Public Web Server), SP-011 (Cloud Computing), SP-023 (Industrial Control Systems), and SP-026 (PCI Full Environment) reference this module to inherit its baseline, then add pattern-specific controls for their particular deployment context. This modular approach means that when the Server Module is strengthened, every referencing pattern inherits the improvement. Practitioners should focus on three foundational pillars when implementing this module: hardened baseline configuration (CM-02, CM-06, CM-07) to minimise the attack surface; comprehensive audit logging and monitoring (AU-02, AU-03, AU-06, SI-04) to detect and investigate compromise; and physical and environmental protection (PE-02 through PE-16) to ensure that the physical infrastructure supporting the server is resilient against environmental and physical access threats.
Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-06
ATT&CK coverage: this pattern addresses 462 techniques across 13 tactics.
Figure: Server Module diagram (08.02.10_Pattern_002_Server_Module), showing the five actors and the controls each is responsible for. Actors: IT Facilities Manager, Technical Architect, Service Owner, IT Operations Manager, IT Security Manager. Diagram notes: CM-03 can also be performed by the Change Manager; IR-04/05/06 can also be performed by the Incident Manager with assistance from the IT Security Manager; many or all controls addressed by the Technical Architect may also be the responsibility of the Application Architect. The control badges in the figure are the 90 controls listed at the end of this page. OSA is licensed under Creative Commons ShareAlike; see www.opensecurityarchitecture.org.


Key Control Areas

  • Access Control and Privilege Management (AC-03, AC-05, AC-06, AC-07, AC-10): Server access control is fundamentally about restricting who can do what on a system that serves many users and processes. AC-03 enforces access decisions based on security policy, typically through OS-level permissions, application-level authorisation, and database access controls. AC-05 enforces separation of duties so that no single administrator can provision accounts, modify configurations, and suppress audit logs. AC-06 implements least privilege for both human administrators and service accounts -- the principle that a web server process should not run as root, a monitoring agent should not have write access to application data, and a database administrator should not have OS-level root. AC-07 defends against brute-force attacks on server authentication interfaces, which are frequently targeted by automated scanners. AC-10 limits concurrent sessions to prevent session-based resource exhaustion and detect credential sharing.
  • Audit Logging, Monitoring, and Analysis (AU-02, AU-03, AU-06, AU-08, AU-09, AU-11): Servers generate the richest and most security-relevant audit data in any architecture. AU-02 defines the events that must be logged: authentication attempts, privilege use, file and database access, configuration changes, process execution, and network connections. AU-03 specifies record content including timestamp, user identity, event type, resource accessed, and outcome. AU-06 is critical for servers -- it requires active monitoring, analysis, and reporting of audit logs rather than passive collection. This means SIEM integration, correlation rules, anomaly detection, and alerting on suspicious patterns such as unusual administrative access times, mass data access, or privilege escalation sequences. AU-08 ensures NTP-synchronised timestamps for cross-system correlation. AU-09 protects logs from tampering, and AU-11 defines retention aligned with compliance requirements. Servers should forward logs in near-real-time to a separate, protected log management infrastructure.
  • Configuration Management and Server Hardening (CM-02, CM-06, CM-07, CM-08): Server hardening is the single most impactful security investment for this module. CM-02 establishes a hardened baseline configuration -- built from CIS Benchmarks, vendor security guides, or organisational standards -- that every server is deployed from. Configuration-as-code tools (Ansible, Puppet, Chef) together with infrastructure-as-code provisioning (Terraform) make baselines repeatable, auditable, and drift-detectable. CM-06 enforces specific settings: disabled unnecessary services, restricted network listeners, hardened kernel parameters, secure default file permissions, and removal of default credentials. CM-07 applies least functionality aggressively: a web server should not have a compiler installed, a database server should not run an FTP daemon, and no server should expose management interfaces to untrusted networks. CM-08 maintains an inventory of all server components including OS version, installed software, firmware versions, and network interfaces, which is essential for vulnerability management at scale.
  • Physical and Environmental Protection (PE-02, PE-03, PE-05, PE-06, PE-09 through PE-16): This control area distinguishes the Server Module from the Client Module. Servers typically reside in data centres, server rooms, or colocation facilities where physical security is paramount. PE-02 and PE-03 control who can physically access server infrastructure through access authorisation lists, badge systems, biometric controls, and mantrap entries. PE-05 prevents unauthorised viewing of server console displays. PE-06 provides physical access monitoring through CCTV, access logs, and alarm systems. The environmental controls (PE-09 through PE-15) protect against power failures (redundant feeds, UPS, generators, emergency shutoff and emergency lighting), fire (detection, suppression with clean agents), water damage (raised floors, leak detection), and temperature and humidity excursions (precision cooling, monitoring, alerting). PE-16 controls equipment delivery and removal to prevent unauthorised hardware installation or theft. For cloud-hosted servers, these controls are inherited from the cloud provider but should be validated through SOC 2 reports or equivalent attestations; the responsibility for checking that the provider's attested scope actually covers the facilities hosting the workload remains with the customer.
  • Vulnerability Management and Patch Lifecycle (RA-05, SI-02, SI-05, SI-07): Server vulnerability management requires a disciplined, risk-prioritised approach. RA-05 mandates regular vulnerability scanning -- both authenticated scans that inspect installed packages and configurations, and network-level scans that identify exposed services and known vulnerabilities. SI-02 requires timely flaw remediation with patching SLAs calibrated to severity and exposure: internet-facing servers demand faster patching cycles than internal infrastructure. SI-05 ensures that vendor advisories, CVE notifications, and CERT alerts are monitored and triaged. SI-07 verifies software and firmware integrity, detecting unauthorised modifications that could indicate rootkit installation, backdoor deployment, or supply chain compromise. Server patching is more complex than endpoint patching due to availability requirements -- change windows, rolling updates, blue-green deployments, and rollback procedures must be planned. A reasonable starting cadence is 72 hours for critical vulnerabilities on internet-facing servers and 14 days for internal systems, tightened where exposure or data sensitivity warrants it and with any exception recorded against a compensating control.
  • Cryptographic Services and Secure Communications (SC-12, SC-13, SC-02, SC-10): Servers handle sensitive data at scale, requiring robust cryptographic infrastructure. SC-12 covers key management for TLS certificates, database encryption keys, API authentication tokens, and inter-service communication secrets. Automated certificate lifecycle management (ACME/Let's Encrypt, HashiCorp Vault, enterprise PKI) is essential to prevent certificate expiry outages and to enable short-lived certificates. SC-13 mandates approved algorithms: TLS 1.2+ with strong cipher suites, AES-256 for data at rest, and deprecation of legacy protocols (SSLv3, TLS 1.0/1.1, RC4, 3DES). SC-02 requires application partitioning -- separating user-facing functionality from administrative interfaces and security functions so that compromise of one component does not expose the others. SC-10 enforces network disconnect after defined inactivity periods, preventing stale connections from becoming attack vectors.
  • Incident Response and Recovery (IR-04, IR-05, IR-06, CP-09, CP-10): Server incident response must support rapid detection, containment, forensic preservation, and recovery. IR-04 defines server-specific incident handling: isolating compromised servers without disrupting dependent services, preserving volatile memory and disk state for forensics, and coordinating with network security to block attacker C2 channels. IR-05 provides continuous monitoring through host-based IDS, file integrity monitoring, and SIEM correlation. IR-06 defines escalation and reporting procedures for server compromises, which typically have higher impact than endpoint incidents. CP-09 covers server backup with attention to backup integrity verification, encryption of backup media, and air-gapped or immutable backup copies to resist ransomware. CP-10 addresses recovery and reconstitution -- the ability to rebuild a compromised server from known-good baselines and restore data from verified backups within defined recovery time objectives.
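
The Cryptographic Services bullet above states the SC-13 policy (TLS 1.2 or later, strong suites, SSLv3/TLS 1.0/1.1 and RC4/3DES retired) but not how to verify that a server actually meets it. The Python below is an added example, not OSA's code nor any vendor's: it audits cipher-suite and protocol names in the form a scanner or a web-server configuration would present them, and then builds a Python ssl context to the policy and checks what OpenSSL really enabled. The cipher string, the denylist of weak primitives and the constructed scanner output are this example's assumptions, not values the module prescribes.

```python
"""SC-13 TLS policy check (added example, not OSA code).

Two complementary checks:
  - audit_cipher_names() / audit_protocols() run over plain names, e.g. the
    list a scanner reports for a host or an nginx ssl_ciphers value;
  - hardened_client_context() builds an ssl.SSLContext to the policy and
    context_violations() verifies what OpenSSL actually enabled.
"""
import re
import ssl

# Protocol versions the policy deprecates (names as OpenSSL / ssl report them).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Primitives that disqualify a suite: RC4, DES/3DES, MD5 MAC, export grades,
# NULL encryption or NULL authentication (matched on the OpenSSL suite name).
WEAK_PRIMITIVE = re.compile(r"RC4|3?DES|MD5|EXP(?:ORT)?|NULL", re.IGNORECASE)

# Assumed policy string: ECDHE key exchange (forward secrecy), AEAD bulk
# ciphers only, explicit exclusions as a safety net. TLS 1.3 suites are
# governed separately by OpenSSL and are all AEAD.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def audit_cipher_names(names):
    """Map each non-compliant suite name to the reason it fails the policy."""
    findings = {}
    for name in names:
        match = WEAK_PRIMITIVE.search(name)
        if match:
            findings[name] = f"weak primitive: {match.group(0).upper()}"
        elif not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            # TLS_* names are TLS 1.3 suites (always ephemeral DH); anything
            # else without an (EC)DHE prefix uses static RSA key exchange.
            findings[name] = "no forward secrecy (static key exchange)"
    return findings


def audit_protocols(enabled):
    """Return the enabled protocol versions that the policy deprecates."""
    return sorted(p for p in enabled if p in LEGACY_PROTOCOLS)


def hardened_client_context():
    """An SSLContext configured to the policy; a server-side context is
    built the same way from PROTOCOL_TLS_SERVER."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def context_violations(ctx):
    """Inspect what the context will actually negotiate and list deviations."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum_version too low: {ctx.minimum_version.name}")
    for suite in ctx.get_ciphers():   # the effective list after OpenSSL filtering
        if WEAK_PRIMITIVE.search(suite["name"]):
            problems.append(f"weak suite enabled: {suite['name']}")
        if suite["protocol"] in LEGACY_PROTOCOLS:
            problems.append(f"{suite['name']} is a {suite['protocol']}-era suite")
    return problems


def effective_policy(ctx):
    """Summarise the context for reporting."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "ciphers": [s["name"] for s in ctx.get_ciphers()],
    }


if __name__ == "__main__":
    # Constructed scanner output for a legacy host, not a real scan result.
    legacy_host = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA",
                   "DES-CBC3-SHA", "TLS_AES_128_GCM_SHA256"]
    print("legacy host findings:", audit_cipher_names(legacy_host))
    print("legacy protocols:", audit_protocols(["SSLv3", "TLSv1", "TLSv1.2"]))
    ctx = hardened_client_context()
    print("hardened context violations:", context_violations(ctx))
    print("effective policy:", effective_policy(ctx))
```

The static check is what you run against scanner output or a fleet of configuration files; the context check is what you run inside the service itself, because the cipher string you wrote and the suites OpenSSL actually enables can differ by build and by provider configuration.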

When to Use

This module should be referenced by any OSA pattern that includes a server component in its architecture. It applies to physical servers, virtual machines, cloud instances (IaaS), and any system that provides services to other components rather than directly to end users. It is the standard server baseline for patterns including web server deployments, application platforms, database tiers, directory services, file servers, mail servers, and infrastructure services such as DNS, NTP, and DHCP.

When NOT to Use

This module is not designed for client endpoints (see SP-001 Client Module), mobile devices, or network infrastructure devices (routers, switches, firewalls) which have distinct management models and control requirements. Container orchestration platforms (Kubernetes) and serverless/function-as-a-service deployments require adapted control sets where many traditional server controls are abstracted by the platform. Embedded systems and IoT devices with constrained operating environments cannot implement the full server control baseline. For PaaS and SaaS deployments where the server layer is fully managed by the provider, the physical and environmental controls and many OS-level controls are inherited rather than directly implemented.

Typical Challenges

Server sprawl and configuration drift are persistent challenges: as the server estate grows through organic provisioning, maintaining consistent baselines becomes increasingly difficult without configuration-as-code and automated compliance scanning. Legacy servers running end-of-life operating systems or applications resist hardening and patching, creating risk pockets that compensating controls must address. Patching production servers requires careful change management to balance security urgency with availability requirements -- downtime windows are shrinking while patch volumes increase. Privileged access management is complex when multiple teams (infrastructure, application, database, security) require different levels of administrative access to the same server. Audit log volumes from servers can be enormous, and without proper tuning, critical security events are buried in noise. Physical and environmental controls in colocation or shared facilities may not meet organisational standards, requiring contractual enforcement and audit verification. Virtualisation and containerisation introduce new attack surfaces (hypervisor escape, container breakout) that traditional server controls may not fully address.
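
The paragraph above notes that, without tuning, critical events drown in server log volume; the AU-06 bullet earlier asks for correlation rules rather than passive collection. The Python below is an added example, not OSA's code nor any SIEM vendor's, of three such rules run over constructed sshd log lines: a brute-force threshold per source, a successful login from a source that was just failing, and a privileged login outside business hours. The thresholds, the business-hours window, the assumed log year and the sample log are all this example's assumptions, and the success-after-failures rule requires several prior failures precisely so that one mistyped password does not raise an alert.

```python
"""AU-06 correlation over server authentication logs (added example, not OSA code)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_YEAR = 2026   # RFC 3164 syslog timestamps carry no year; assumed here

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    outcome: str   # "Accepted" or "Failed"
    method: str    # password, publickey, ...
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    user: str
    ts: datetime
    detail: str


def parse_line(line):
    """AuthEvent for sshd authentication lines; None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return AuthEvent(ts, m["host"], m["outcome"], m["method"], m["user"], m["src"])


def correlate(events, max_failures=5, window=timedelta(minutes=5),
              min_failures_before_success=3, business_hours=(8, 18),
              privileged=frozenset({"root"})):
    """Apply the three rules to events (any order); alerts come back in time order."""
    alerts = []
    failures = defaultdict(deque)    # src -> timestamps of failures inside `window`
    for ev in sorted(events, key=lambda e: e.ts):
        recent = failures[ev.src]
        while recent and ev.ts - recent[0] > window:
            recent.popleft()          # slide the window forward
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            if len(recent) == max_failures:   # fire once, on crossing the threshold
                alerts.append(Alert("brute_force", ev.src, ev.user, ev.ts,
                                    f"{max_failures} failures within {window}"))
            continue
        if len(recent) >= min_failures_before_success:
            alerts.append(Alert("success_after_failures", ev.src, ev.user, ev.ts,
                                f"{ev.method} login after {len(recent)} recent failures"))
        start, end = business_hours
        if ev.user in privileged and not start <= ev.ts.hour < end:
            alerts.append(Alert("off_hours_privileged_login", ev.src, ev.user, ev.ts,
                                f"{ev.user} via {ev.method} at {ev.ts:%H:%M}"))
    return alerts


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
Feb  6 02:14:01 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb  6 02:14:03 web01 sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Feb  6 02:14:05 web01 sshd[2313]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Feb  6 02:14:06 web01 sshd[2313]: Connection closed by 203.0.113.7 port 51244 [preauth]
Feb  6 02:14:07 web01 sshd[2314]: Failed password for deploy from 203.0.113.7 port 51250 ssh2
Feb  6 02:14:09 web01 sshd[2315]: Failed password for deploy from 203.0.113.7 port 51252 ssh2
Feb  6 02:14:11 web01 sshd[2316]: Failed password for deploy from 203.0.113.7 port 51255 ssh2
Feb  6 02:14:20 web01 sshd[2319]: Accepted password for deploy from 203.0.113.7 port 51301 ssh2
Feb  6 03:30:00 web01 sshd[2500]: Accepted publickey for root from 10.0.0.9 port 39000 ssh2
Feb  6 09:04:50 web01 sshd[2600]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Feb  6 09:05:00 web01 sshd[2601]: Accepted password for alice from 10.0.0.5 port 40002 ssh2
"""


def analyse(log_text):
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return correlate(events)


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.rule:<28} src={a.src} user={a.user} {a.detail}")
```

Run as-is the sample produces exactly three alerts: the fifth failure from 203.0.113.7, the deploy login that follows it, and the 03:30 root login; alice's single typo before a successful login produces nothing, which is the point of the minimum-failure threshold.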

Threat Resistance

The Server Module addresses the full range of server-targeted threats. Remote exploitation of unpatched vulnerabilities is mitigated by RA-05 scanning, SI-02 patching, and CM-07 attack surface reduction. Privilege escalation and lateral movement are constrained by AC-06 least privilege, AC-05 separation of duties, and SC-02 application partitioning. Unauthorised administrative access is prevented by AC-03 access enforcement, AC-07 brute-force protection, and IA-02 strong authentication. Data exfiltration is detected by AU-06 log analysis, SI-04 monitoring, and IR-05 incident monitoring. Physical compromise and hardware theft are addressed by PE-02/PE-03 physical access controls and SC-12/SC-13 encryption of data at rest. Environmental threats (power failure, fire, flood, overheating) are mitigated by PE-09 through PE-15. Ransomware and destructive attacks are countered by CP-09 backup with integrity verification and CP-10 recovery procedures. Configuration drift and unauthorised changes are detected by CM-03/CM-04 change control and CA-07 continuous monitoring. Supply chain and integrity attacks are identified by SI-07 software integrity verification.
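
SI-07 integrity verification and CP-09 backup integrity, both cited above and in the Key Control Areas, rest on the same mechanism: a cryptographic manifest of known-good files that is itself protected from tampering. The Python below is an added example, not OSA's code, that builds such a manifest (SHA-256, size and permission bits), classifies every difference against a later snapshot, and seals the stored baseline with an HMAC under a key held off the monitored host, so that an attacker who replaces a binary cannot also quietly rewrite the baseline. The same two functions verify a backup by taking a manifest before the backup and comparing after a restore. The directory layout, file contents and in-memory key are constructed for illustration.

```python
"""SI-07 / CP-09 integrity baseline with a sealed manifest (added example, not OSA code)."""
import hashlib
import hmac
import json
import os
import pathlib
import tempfile


def _sha256_file(path, chunk_size=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": _sha256_file(path),
            "size": st.st_size,
            "mode": f"{st.st_mode & 0o7777:04o}",   # permission bits incl. setuid/setgid/sticky
        }
    return manifest


def diff_manifests(baseline, current):
    """Classify differences. A changed mode with unchanged content is reported
    on its own because it usually means a setuid bit or write bit was added."""
    base_keys, cur_keys = set(baseline), set(current)
    common = base_keys & cur_keys
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in common
                               if baseline[p]["sha256"] == current[p]["sha256"]
                               and baseline[p]["mode"] != current[p]["mode"]),
    }


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_seal(manifest, key, tag):
    return hmac.compare_digest(seal(manifest, key), tag)


def demo():
    """Constructed scenario in a temporary directory: take a baseline, then
    simulate a replaced binary, a planted file, a deleted log and a new setuid
    bit, and finally an attacker editing the stored baseline to match."""
    key = os.urandom(32)          # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "httpd").write_bytes(b"\x7fELF original server binary")
        (root / "bin" / "helper").write_bytes(b"\x7fELF helper")
        (root / "etc" / "httpd.conf").write_text("Listen 443\n")
        (root / "etc" / "old.log").write_text("rotate me\n")
        os.chmod(root / "bin" / "httpd", 0o755)
        os.chmod(root / "bin" / "helper", 0o755)

        baseline = build_manifest(root)
        tag = seal(baseline, key)

        (root / "bin" / "httpd").write_bytes(b"\x7fELF backdoored server binary")
        os.chmod(root / "bin" / "helper", 0o4755)          # setuid bit added
        (root / "bin" / ".cache").write_bytes(b"dropped payload")
        (root / "etc" / "old.log").unlink()
        current = build_manifest(root)
        report = diff_manifests(baseline, current)

        # Rewriting the baseline to match the backdoor does not help the
        # attacker: without the key the HMAC no longer verifies.
        forged = json.loads(json.dumps(baseline))
        forged["bin/httpd"]["sha256"] = current["bin/httpd"]["sha256"]
        report["baseline_seal_valid"] = verify_seal(baseline, key, tag)
        report["forged_seal_valid"] = verify_seal(forged, key, tag)
    return report


if __name__ == "__main__":
    for kind, value in demo().items():
        print(f"{kind:>20}: {value}")
```

In production the manifest and its tag live on the log or backup infrastructure, not on the server that is being measured; a manifest that sits next to the files it describes, unsigned, is exactly what a rootkit rewrites first.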

Assumptions

The organisation operates a managed server infrastructure with centralised configuration management, patch deployment, and monitoring capabilities. Servers are deployed in environments with appropriate physical and environmental controls (data centres, server rooms, or cloud providers with equivalent attestations). Administrative access to servers is controlled through privileged access management, with individual accountability for all administrative actions. Network segmentation exists to separate server tiers (web, application, database) and restrict lateral movement. The organisation has defined service level objectives for availability that inform patching windows and recovery time targets. For cloud-hosted servers, the shared responsibility model is understood and documented.

Developing Areas

  • Serverless and container security models are fundamentally challenging the traditional server hardening paradigm. When workloads run as ephemeral containers that live for seconds or minutes, or as serverless functions with no administrable OS, the entire CM family of controls (baseline configuration, hardening, least functionality) must be reimagined. Container-specific security tools (Aqua, Sysdig, Falco) and serverless security frameworks are emerging but the control mapping to NIST 800-53 is still being formalised by the community.
  • Confidential computing technologies -- Intel TDX, AMD SEV-SNP, and ARM CCA -- are moving from research prototypes toward production readiness, promising to protect data in use by encrypting memory at the hardware level. This addresses the long-standing gap where data is vulnerable during processing even when encrypted at rest and in transit. However, performance overhead of 5-15%, limited toolchain support, and the complexity of remote attestation workflows mean that adoption is concentrated in cloud provider managed offerings rather than general enterprise deployment.
  • Hardware root of trust and measured boot adoption is accelerating but remains inconsistent across server fleets. Technologies like Intel Boot Guard, AMD Platform Secure Boot, and TPM-based measured boot can provide cryptographic assurance that server firmware and OS have not been tampered with, directly addressing supply chain threats. The challenge is operationalising attestation at scale: collecting, validating, and acting on measurements from thousands of heterogeneous servers requires tooling that most organisations have not yet deployed.
  • Immutable infrastructure -- where servers are never patched in place but replaced entirely with freshly built, pre-hardened images -- is becoming the preferred model for cloud-native deployments, eliminating configuration drift by design. However, the transition from mutable to immutable infrastructure requires mature CI/CD pipelines, comprehensive image scanning, and rapid rebuild capabilities that many organisations lack. Hybrid estates where some workloads are immutable and others are traditionally patched create operational complexity and inconsistent security posture.
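
Immutable infrastructure removes drift by rebuilding; the mutable servers that remain in a hybrid estate need the compensating control named under Typical Challenges and in the CM-02/CM-06/CM-07 bullet, an automated comparison of the live configuration against the declared baseline. The Python below is an added example, not OSA's code nor that of any configuration-management product. It checks three sources against a baseline: sshd_config, parsed with sshd's own rule that the first occurrence of a keyword wins (so a hardened line appended below a permissive one is silently ignored, a common reason "hardened" hosts still allow root login); sysctl output; and listening sockets in the format `ss -lntu` prints, for CM-07 least functionality. The baseline values, the sample configuration, the sysctl output and the socket listing are all constructed for illustration, not settings the module mandates.

```python
"""CM-02/CM-06/CM-07 drift check for a mutable server (added example, not OSA code)."""
import re

# Assumed baseline for illustration; real values come from the CM-02 standard.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
             "X11Forwarding": "no", "MaxAuthTries": "4"},
    "sysctl": {"net.ipv4.ip_forward": "0", "kernel.randomize_va_space": "2",
               "net.ipv4.conf.all.accept_redirects": "0"},
    "listeners": {"22/tcp", "443/tcp", "123/udp"},
}


def parse_sshd_config(text):
    """Effective global keywords (lower-cased). Parsing stops at the first
    Match block, whose settings apply only to matching connections."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")  # first wins
    return effective


def parse_sysctl(text):
    """'key = value' lines as printed by sysctl -a."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


SS_LINE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)")


def parse_listeners(ss_output):
    """Set of 'port/proto' for sockets bound to a non-loopback address."""
    listeners = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, _, port = m["local"].rpartition(":")
        if addr.startswith(("127.", "[::1]")):
            continue                      # loopback-only services are not exposed
        listeners.add(f"{port}/{m['proto']}")
    return listeners


def drift_report(baseline, sshd_text, sysctl_text, ss_text):
    """List of {area, key, expected, actual} findings; an empty list means no drift."""
    findings = []
    sshd = parse_sshd_config(sshd_text)
    for key, expected in baseline["sshd"].items():
        actual = sshd.get(key.lower())
        if actual is None:
            findings.append({"area": "sshd", "key": key, "expected": expected,
                             "actual": "unset (sshd default applies)"})
        elif actual.lower() != expected.lower():
            findings.append({"area": "sshd", "key": key, "expected": expected, "actual": actual})
    sysctl = parse_sysctl(sysctl_text)
    for key, expected in baseline["sysctl"].items():
        if sysctl.get(key) != expected:
            findings.append({"area": "sysctl", "key": key, "expected": expected,
                             "actual": sysctl.get(key)})
    for listener in sorted(parse_listeners(ss_text) - baseline["listeners"]):
        findings.append({"area": "listener", "key": listener,
                         "expected": "not listening", "actual": "listening"})
    return findings


# Constructed samples, not captured from a real host.
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
# appended by a hardening script; ignored by sshd because the keyword appeared above
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""
SYSCTL_OUTPUT = """\
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 0
"""
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:9100      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
"""

if __name__ == "__main__":
    for f in drift_report(BASELINE, SSHD_CONFIG, SYSCTL_OUTPUT, SS_OUTPUT):
        print(f"[{f['area']}] {f['key']}: expected {f['expected']!r}, actual {f['actual']!r}")
```

On the sample this reports four findings: root login still permitted despite the appended line, MaxAuthTries unset, IP forwarding enabled, and a database port exposed on all interfaces. A check like this runs from the configuration-management tool or a compliance scanner on every host, and its output feeds CM-04 change monitoring rather than being reviewed by hand.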
Controls by family (90 total): AC 8, AT 2, AU 9, CA 4, CM 7, CP 5, IA 3, IR 6, MA 5, MP 1, PE 12, RA 4, SA 6, SC 10, SI 8
AC-03 Access enforcement
AC-05 Separation Of Duties
AC-06 Least privilege
AC-07 Unsuccessful login attempts
AC-08 System use notification
AC-09 Previous Logon Notification
AC-10 Concurrent Session Control
AC-12 Session Termination
AT-03 Security Training
AT-04 Security Training Records
AU-02 Auditable Events
AU-03 Content Of Audit Records
AU-04 Audit Storage Capacity
AU-05 Response To Audit Processing Failures
AU-06 Audit Monitoring, Analysis, And Reporting
AU-08 Time Stamps
AU-09 Protection Of Audit Information
AU-10 Non-Repudiation
AU-11 Audit Record Retention
CA-02 Security Assessments
CA-04 Security Certification
CA-06 Security Accreditation
CA-07 Continuous Monitoring
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-04 Monitoring Configuration Changes
CM-05 Access Restrictions For Change
CM-06 Configuration Settings
CM-07 Least Functionality
CM-08 Information System Component Inventory
CP-03 Contingency Training
CP-04 Contingency Plan Testing And Exercises
CP-05 Contingency Plan Update
CP-09 Information System Backup
CP-10 Information System Recovery And Reconstitution
IA-02 User Identification And Authentication
IA-06 Authenticator Feedback
IA-07 Cryptographic Module Authentication
IR-02 Incident Response Training
IR-03 Incident Response Testing And Exercises
IR-04 Incident Handling
IR-05 Incident Monitoring
IR-06 Incident Reporting
IR-07 Incident Response Assistance
MA-02 Controlled Maintenance
MA-03 Maintenance Tools
MA-04 Remote Maintenance
MA-05 Maintenance Personnel
MA-06 Timely Maintenance
MP-02 Media Access
PE-02 Physical Access Authorizations
PE-03 Physical Access Control
PE-05 Access Control For Display Medium
PE-06 Monitoring Physical Access
PE-09 Power Equipment And Power Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Temperature And Humidity Controls
PE-15 Water Damage Protection
PE-16 Delivery And Removal
RA-02 Security Categorization
RA-03 Risk Assessment
RA-04 Risk Assessment Update
RA-05 Vulnerability Scanning
SA-02 Allocation Of Resources
SA-03 Life Cycle Support
SA-04 Acquisitions
SA-05 Information System Documentation
SA-06 Software Usage Restrictions
SA-08 Security Engineering Principles
SC-02 Application Partitioning
SC-03 Security Function Isolation
SC-04 Information Remnance
SC-05 Denial Of Service Protection
SC-06 Resource Priority
SC-10 Network Disconnect
SC-12 Cryptographic Key Establishment And Management
SC-13 Use Of Cryptography
SC-14 Public Access Protections
SC-18 Mobile Code
SI-02 Flaw Remediation
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques
SI-05 Security Alerts And Advisories
SI-06 Security Functionality Verification
SI-07 Software And Information Integrity
SI-10 Information Accuracy, Completeness, Validity, And Authenticity
SI-11 Error Handling