Server Build Review
A server build review maps your Windows Server and Linux configurations against industry standard security benchmark controls, the same standards your auditor or penetration tester will reference. We identify the specific settings that need to change and give your team a line-by-line remediation plan to close them.
Beyond Automated Scripts
Script-Based Hardening
- Implement a subset of security controls only
- Cannot detect config drift post-deployment
- Miss application-specific overrides
- No privilege escalation path testing
- Not accepted as independent audit evidence
CREST-Accredited Assessment
- 500+ security controls per OS version
- Manual privilege escalation path testing
- Config drift and Ansible override detection
- Credential caching and LSASS analysis
- Compliance-mapped report for auditors
The Server Hardening Gap
PRIVILEGE ESCALATION RATE
Of servers we review have at least one privilege escalation path from standard user to root or SYSTEM. These are the paths that turn initial access into full compromise.
SECURITY BENCHMARK CONTROLS
We test against 500+ industry standard security benchmark controls per OS version, covering Windows Server 2012+ and all major Linux distributions. Scripts typically implement a subset.
PORTAL DELIVERY
Findings are published to our real-time penetration testing portal as they are identified. Also available in PDF and DOCX formats.
When to Commission a Server Review
Most server build reviews are triggered by a pen test finding, an audit deadline, or a gold image standardisation project. If any of these scenarios describe your situation, an independent review provides the evidence you need.
Post-Pen Test Finding
Your external penetration test flagged insufficient server hardening as a high-severity finding. You need a control-by-control remediation plan mapped to industry standard benchmarks, not another finding list.
ISO 27001 Audit Deadline
Your surveillance audit requires independent evidence of configuration assessment against Annex A.12.6 and A.14.2. The auditor will not accept self-assessment or automated script output as independent evidence.
PCI DSS Requirement 2.2
Your QSA requires configuration standards evidence for system components in the cardholder data environment. Pass/fail mapping against an industry standard benchmark satisfies PCI DSS Requirement 2.2, and your assessment date is approaching.
Config Drift After Deployment
Your Ansible playbooks were applied 18 months ago. Security benchmarks have been updated. Redis and Kafka were added with default configs. A client has asked for hardening evidence and you cannot honestly certify current state.
Gold Image Standardisation
You are building a new deployment pipeline and need a hardened base AMI, OVA, or VHDX template as the deployment baseline. You want security built in before deployment, not audited after.
Board Accountability
The Cyber Security and Resilience Bill introduces fines up to £17M or 4% of turnover for inadequate security controls. The board needs demonstrable evidence that server infrastructure has been independently assessed against recognised benchmarks.
What We Typically Find
Across every server estate we review, the same misconfigurations appear. These are not theoretical risks. They are findings our consultants document in reports issued to UK organisations every month.
Root login enabled via SSH on production Linux server
PermitRootLogin is set to yes in /etc/ssh/sshd_config. Attackers with valid credentials gain immediate root privileges without requiring sudo escalation. Industry standard security benchmarks for Ubuntu 22.04 explicitly require this setting to be disabled.
Plaintext database credentials in application config file
A configuration management tool left plaintext database credentials in /opt/app/config.yml with world-readable permissions. The credentials grant full database access and were deployed via Ansible but never rotated or restricted post-deployment.
SMBv1 enabled on production Domain Controller
Server Message Block v1 is enabled on the Domain Controller, exposing it to EternalBlue (MS17-010) and related exploits. SMBv1 is a known attack vector used by WannaCry and NotPetya ransomware. Industry standard security benchmarks for Windows Server 2022 require SMBv1 to be disabled.
Unquoted service path allows local privilege escalation
A third-party service executable path contains spaces but is not quoted in the Windows Service Control Manager. A local user can plant a malicious binary in the unquoted path and escalate to the service account (often LocalSystem) when the service restarts.
Unnecessary services listening on all interfaces
Print Spooler, WinRM, and Telnet services are running and listening on all network interfaces despite having no business requirement. Each unnecessary service increases the attack surface available to an attacker who has gained initial access to the network.
Security event log maximum size set to 20MB
The Security event log is configured to 20MB with overwrite-when-full policy. In an active environment, this results in log retention of only a few hours. An attacker can operate undetected because their actions are overwritten before incident response begins.
Most server builds we review have at least one Critical and three or more High findings on first independent assessment.
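To make three of the findings above concrete, here is an added example (not Precursor's tooling and not code from the original page) that runs the corresponding checks over constructed evidence: a made-up sshd_config excerpt, an assumed file mode for the application config, and constructed Windows service ImagePath strings. It reproduces two details a reviewer has to get right: sshd honours the first global value of a keyword (a later PermitRootLogin no does not undo an earlier yes, and a value inside a Match block is not the global setting), and an unquoted service path is only a problem when the space falls before the executable name.

```python
"""Added example: checks for PermitRootLogin, world-readable config files
and unquoted service paths over constructed inputs (not Precursor's code)."""
import re
import stat

# Constructed sshd_config excerpt. sshd uses the FIRST global value of a
# keyword, so the "no" inside the Match block does not fix the global "yes".
SAMPLE_SSHD_CONFIG = """\
# Managed by Ansible (constructed example)
Port 22
PermitRootLogin yes   # left from the initial build
PasswordAuthentication yes
Match User deploy
    PermitRootLogin no
"""

# Constructed service ImagePath values, as read from the Service Control Manager.
SAMPLE_SERVICE_PATHS = [
    r"C:\Windows\system32\svchost.exe -k netsvcs",   # no space before .exe: fine
    r'"C:\Program Files\Vendor\agent.exe"',          # quoted: fine
    r"C:\Program Files\Vendor App\agent.exe",        # unquoted with spaces: finding
]


def effective_sshd_option(config_text, keyword):
    """Return the first global value of `keyword` in an sshd_config body,
    ignoring comments, blank lines and everything after a Match line.
    None means the keyword is unset and the sshd default applies."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            in_match = True          # all later lines belong to Match blocks
            continue
        if in_match or len(parts) != 2:
            continue
        if key == keyword.lower():
            return parts[1].strip().lower()
    return None


def root_login_finding(config_text):
    """True when root may log in over SSH with a password or key."""
    return effective_sshd_option(config_text, "PermitRootLogin") == "yes"


def world_readable(mode):
    """True when the 'other' read bit is set on a POSIX file mode (e.g. 0o644)."""
    return bool(mode & stat.S_IROTH)


def unquoted_service_path(image_path):
    """True when the executable part of a service path contains a space and
    the path is not quoted; arguments after the .exe are ignored."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    match = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe = match.group(1) if match else path
    return " " in exe


def review_sample_host():
    """Run the checks over the constructed evidence and return
    (severity, title) findings in the order a report would list them."""
    findings = []
    if root_login_finding(SAMPLE_SSHD_CONFIG):
        findings.append(("High", "PermitRootLogin yes in sshd_config"))
    # Constructed: /opt/app/config.yml was deployed with mode 0644
    if world_readable(0o644):
        findings.append(("Critical", "world-readable application config holding credentials"))
    for image_path in SAMPLE_SERVICE_PATHS:
        if unquoted_service_path(image_path):
            findings.append(("High", f"unquoted service path: {image_path}"))
    return findings


if __name__ == "__main__":
    for severity, title in review_sample_host():
        print(f"[{severity}] {title}")
```

On a real host the same functions would be fed the contents of /etc/ssh/sshd_config, the st_mode of the application config from os.stat, and the ImagePath values enumerated from the services registry hive; the parsing and decision logic does not change.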
What We Assess
We validate your server builds against 500+ industry standard security benchmark controls and NIST SP 800-123, covering Windows Server 2012+, all major Linux distributions, and cloud instances on AWS, Azure, and GCP. Every finding is mapped to a specific control with line-by-line remediation guidance.
Gold Image Hardening
We audit your master templates (AMI, OVA, VHDX) to ensure they form a hardened deployment baseline. The result is a secure-by-design image your team can confidently roll out across the environment, rather than hardening each server individually after deployment.
Service Minimisation
We identify and disable unnecessary services (Print Spooler, Xbox Live, Telnet, LLMNR, WPAD) that increase the attack surface without adding business value. Each disabled service is mapped to the relevant industry standard control.
Privilege Escalation
We hunt for weak file permissions, SUID/SGID binaries, unquoted service paths, and weak sudo rules that let attackers elevate from User to Root or System. These are the paths that turn a compromised web shell into full server control.
Credential Caching
We hunt for cleartext passwords in config files, registry keys, and LSASS memory, including credentials left by configuration management tools that were never removed post-deployment. Credential exposure is the most common finding in server build reviews.
Lateral Movement
We verify whether a compromised server can poison local subnets or expose management interfaces (RDP, SSH, WinRM) to the internet without multi-factor authentication enforcement.
Patch Management
We audit your patching cadence, identifying known kernel privilege escalation vulnerabilities (DirtyCow, EternalBlue) that remain unpatched in production across Windows and Linux estates.
Operating Systems We Assess
We assess all major server operating systems, cloud instances, and hypervisors. Our consultants have deep hands-on experience with each platform, not generic methodology applied across unknown environments.
Windows Server
Linux
Cloud Instances
Hypervisors
Server Audit Workflow
From access provisioning to a compliance-ready hardening report. Automated baselining plus manual verification for complete coverage.
Access Provisioning
We connect via SSH or RDP, or review a provided offline VM image. Local admin or root access is required to audit deeper configuration layers beyond surface-level checks.
Automated Baselining
We run industry-standard tooling to benchmark your build against 500+ security controls and NIST SP 800-123 security settings across Windows Server and Linux.
Manual Verification
Automated tools validate the intended configuration. We then inspect cron jobs, custom scripts, and application-specific overrides for hardcoded credentials, config drift from the Ansible or IaC baseline, and exceptions introduced by application teams post-deployment.
Hardening Report
You receive a risk-rated hardening report with pass/fail results against each security control, specific remediation steps with exact file paths and commands, and an executive summary suitable for ISO 27001, PCI DSS, or Cyber Essentials Plus auditor submission.
What You Receive
Every server build review includes the following deliverables, formatted for technical remediation teams, compliance stakeholders, and auditor submission.
Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats.
Close the Hardening Loop.
A server build review identifies misconfigurations at a point in time. Pair hardening findings with an internal network penetration test to validate whether those configurations can be exploited in practice, and continuous SOC monitoring to detect when new config drift introduces fresh exposure.
Internal Network Pentest
Validate what an attacker can do after compromising a poorly hardened server
Workstation Build Review
Extend security benchmark assessment to your Windows 10/11 desktop estate
Managed SOC
Monitor for privilege escalation and lateral movement in real time
Configuration Reviews
Firewall, VPN, database, and cloud configuration assessments
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Server build review pricing typically ranges from £2,500 to £8,000+ depending on server count and operating system complexity. Single server or gold image reviews (Windows Server or Linux) average £2,500-£3,500 including security benchmark assessment and remediation guidance. Multiple server reviews (3-5 servers, mixed OS) typically cost £4,000-£6,000. Enterprise reviews (5+ servers, Domain Controllers, complex environments) typically cost £6,000-£8,000+. Pricing includes cloud instance reviews (EC2, Azure VMs) at the same rates. We provide fixed quotes after understanding your server inventory and review scope. See our penetration testing cost guide for additional context on assessment pricing.
Automated hardening scripts provide baseline security but do not guarantee security: (1) Scripts may not be applied consistently across all servers or may be overridden by applications, (2) Industry standard security benchmarks cover hundreds of controls across multiple profile levels and scripts typically implement only a subset, (3) Application-specific configurations (web servers, databases) require custom hardening beyond generic OS scripts, (4) Privileged access paths through SUID binaries, scheduled tasks, and service accounts need manual analysis, (5) Gold image drift occurs as servers are patched, configured, and modified post-deployment, and (6) Compliance auditors require independent verification, not self-assessment. A server build review validates that hardening is actually effective, not just applied.
Yes, we review Domain Controllers, Member Servers, Standalone Servers, and Hypervisors (ESXi and Hyper-V). For Windows Server environments, we cover Windows Server 2016, 2019, and 2022 and assess against industry standard security benchmarks (Level 1 and Level 2 profiles). We verify GPO application, check for NTLM relay exposure, review LAPS deployment, audit Credential Guard and Device Guard status, and identify SMBv1, LLMNR, and WPAD misconfigurations. Where Microsoft Security Baseline GPOs are already applied, we identify the delta against the full benchmark control set: they are not equivalent. This assessment pairs well with an Active Directory security assessment for comprehensive AD coverage.
Yes. We review RHEL 7/8/9, Ubuntu 18.04/20.04/22.04, Debian, CentOS, Amazon Linux, and Alpine Linux. We cover SSH configuration (sshd_config hardening, root login, cipher restriction), sudo privilege review, SUID/SGID binary audit, kernel parameter hardening (sysctl), auditd log configuration, and SELinux or AppArmor enforcement. For cloud instances (EC2, Azure VMs, GCP Compute Engine), we additionally check metadata service security, including IMDSv2 enforcement on AWS instances. We also identify config drift where Ansible hardening playbooks have been overridden by application-specific changes post-deployment. See our cloud security configuration review for cloud-native coverage.
Yes. A server build review applies regardless of where the server is hosted. For cloud instances, we also check cloud-specific metadata service security (IMDSv2 enforcement), instance profile permission boundaries, and exposed management interfaces. Cloud instance reviews are priced at the same rates as on-premises servers and can be combined with a cloud security configuration review for full cloud coverage.
You receive a structured hardening report containing: a pass/fail assessment against each applicable industry standard benchmark control for your OS version, risk-rated Critical / High / Medium / Low; line-by-line remediation guidance with specific configuration changes (file paths, registry keys, or command-line steps); an executive summary suitable for board-level reporting or auditor submission; and a re-test consultation to verify critical findings have been resolved. The report satisfies ISO 27001 (A.12.6, A.14.2), PCI DSS Requirement 2.2, Cyber Essentials Plus, and NHS DSPT requirements.
Server hardening is the process of securing an operating system by reducing its attack surface: disabling unnecessary services, applying secure configuration settings, restricting user privileges, and enforcing encryption standards. The goal is to ensure that if an attacker gains initial access to a network, they cannot use a poorly configured server as a pivot point to escalate privileges or move laterally. Professional server hardening assessments validate these controls against recognised industry frameworks such as NIST SP 800-123, producing independent evidence that hardening has been applied correctly.
A professional server hardening checklist covers: (1) Service minimisation: disabling SMBv1, LLMNR, WPAD, and unused listening services; (2) User account policy: password complexity, account lockout, built-in administrator account renaming; (3) Privilege escalation paths: SUID/SGID binaries, unquoted service paths, weak sudo rules, scheduled task permissions; (4) Credential exposure: cleartext passwords in config files, LSASS protection, registry credential storage; (5) Network exposure: management interfaces accessible over the internet (RDP, SSH, WinRM); (6) Patch management: missing OS patches including known privilege escalation vulnerabilities; (7) Audit logging: event log size, log forwarding configuration, login auditing. Our server build review maps every finding to a specific industry standard control with line-by-line remediation guidance.
Hardening a Windows Server involves applying a security baseline aligned to industry standard benchmarks (Level 1 or Level 2 profile for your OS version: 2016, 2019, or 2022). Key areas include: Group Policy hardening (password policy, account lockout, audit policy), disabling legacy protocols (SMBv1, NTLM authentication, LLMNR), enabling Credential Guard and LAPS, restricting PowerShell execution and enabling PowerShell logging, disabling unnecessary services (Print Spooler, Xbox services, Telnet), and hardening Remote Desktop Protocol (NLA enforcement, restricted admin mode). A professional Windows Server hardening assessment verifies these controls are applied consistently across your server estate and identifies where application teams have created exceptions.
Hardening a Linux server involves reviewing and securing the SSH configuration (disabling root login, enforcing key authentication, restricting ciphers in sshd_config), auditing sudo rules and SUID/SGID binaries, applying kernel hardening parameters via sysctl.conf, configuring auditd for system call logging, enforcing SELinux or AppArmor in enforcing mode, reviewing cron jobs and scheduled tasks for credential exposure, and disabling unnecessary network services. Key standards include industry security benchmarks for your distribution (RHEL, Ubuntu, Debian, Amazon Linux) and NIST SP 800-123. A server build review also checks for config drift: instances where Ansible playbooks or hardening scripts were applied initially but individual servers have since been modified by application teams.
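The config drift described in this answer is easy to miss because the original baseline file is still in place; the override lives in a later file. The following added example (not Precursor's tooling and not code from the original page) shows two of the Linux checks above over constructed file contents: it merges sysctl files in load order the way sysctl --system does, so a later drop-in overriding the Ansible baseline is detected, and it flags sudoers entries that grant passwordless, unrestricted sudo. The expected kernel parameter values are assumed hardened settings chosen for the demonstration, not values quoted from the page.

```python
"""Added example: sysctl drift and weak sudo rule checks over constructed
files (not Precursor's code). Expected sysctl values are assumed."""
import re

# Assumed hardened values for the demonstration.
EXPECTED_SYSCTL = {
    "kernel.randomize_va_space": "2",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "fs.suid_dumpable": "0",
}

# Constructed: the Ansible baseline, then a drop-in added later by hand.
BASELINE_SYSCTL = """\
# /etc/sysctl.d/50-hardening.conf (constructed, applied by Ansible)
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
fs.suid_dumpable = 0
"""
OVERRIDE_SYSCTL = """\
# /etc/sysctl.d/99-app.conf (constructed, added by the application team)
net.ipv4.ip_forward = 1
"""

# Constructed sudoers content; "deploy" has the weak rule.
SAMPLE_SUDOERS = """\
Defaults use_pty
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Matches "<who> <host>=(<runas>) NOPASSWD: ALL" and nothing narrower.
WEAK_SUDO = re.compile(r"^(?P<who>\S+)\s+\S+=\(.*?\)\s+NOPASSWD:\s*ALL\s*$")


def parse_sysctl(*texts):
    """Merge sysctl file contents in load order; later files win."""
    values = {}
    for text in texts:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or "=" not in line:
                continue
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def sysctl_drift(effective):
    """Return {key: (expected, actual)} for parameters that differ from the
    expected value or are not set at all (actual is None)."""
    drift = {}
    for key, want in EXPECTED_SYSCTL.items():
        got = effective.get(key)
        if got != want:
            drift[key] = (want, got)
    return drift


def weak_sudo_rules(text):
    """Return the users or groups granted passwordless unrestricted sudo,
    excluding root itself."""
    weak = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = WEAK_SUDO.match(line)
        if match and match.group("who") != "root":
            weak.append(match.group("who"))
    return weak


def linux_drift_report():
    """Combine both checks over the constructed inputs into finding strings."""
    findings = []
    effective = parse_sysctl(BASELINE_SYSCTL, OVERRIDE_SYSCTL)
    for key, (want, got) in sysctl_drift(effective).items():
        findings.append(f"sysctl {key} is {got!r}, expected {want!r}")
    for who in weak_sudo_rules(SAMPLE_SUDOERS):
        findings.append(f"sudoers grants {who} NOPASSWD: ALL")
    return findings


if __name__ == "__main__":
    for finding in linux_drift_report():
        print(finding)
```

The parse order matters: checking only the baseline file reports no drift, while merging the later drop-in exposes the ip_forward change. On a live system the inputs would be the files under /etc/sysctl.d in sorted order followed by /etc/sysctl.conf, and /etc/sudoers plus /etc/sudoers.d, or simply the output of sysctl -a for the effective kernel values.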
Yes. A CREST-accredited server build review from Precursor Security satisfies the audit evidence requirements for ISO 27001 Annex A (A.12.6, Technical Vulnerability Management; A.14.2, Security in Development and Support Processes). The report includes pass/fail results against industry standard security benchmark controls, risk-rated findings, and an executive summary suitable for auditor submission. The same report satisfies PCI DSS Requirement 2.2 (configuration standards for system components), Cyber Essentials Plus (Secure Configuration technical control), and NHS DSPT Data Security Standard 9. If you have a specific surveillance audit or external certification deadline, we scope and deliver within 2-3 weeks.