Checklists for Server Hardening.
Many of the hardening checklists provided by the Center for Internet Security (CIS) and the National Vulnerability Database (NIST) are free for personal use. For most Windows OS and Unix variants (as well as firewalls and network appliances), there are Configuration Hardening Checklists available (such as Cisco ASA, Checkpoint and Juniper). Additionally, desktop applications such as Office, email, and web browser clients can be hardened to provide additional protection for the user environment.
But if you’re looking for specific checklists for your devices and operating systems, you may be better served by searching for manufacturer or community-specific guides. CentOS and Ubuntu communities, like Cisco, have a wide variety of online guides for secure configuration.
So, which one is the best? When it comes to security, which hardening benchmark is the best?
All Windows 2012R2 benchmarks, for example, focus on eliminating the same vulnerabilities, so there is a lot of commonality to be found. All of them say the same thing, but they say it in slightly different ways and with minor differences.
Consider how much functionality you can give up in order to keep your system safe, because this is now more important than ever. SSH-based root access bans dramatically improve host security, but it requires giving up the practise of using root directly (which everyone knows is wrong, but many people continue to do)!
Protecting Your System from Vulnerabilities
If you don’t already know, it’s critical to distinguish between software-based and configuration-based vulnerabilities. The primary goal of a hardening programme is to provide a consistent level of security by establishing a secure build standard.
There are a lot of variables to consider when trying to harden your system. There’s nothing more basic than removing web and FTP access from a host. Unless, of course, the web server is also a host! Open firewall ports and allow terminal server or ssh services if you need network access to the host; otherwise, remove or disable them to better secure the host. With the most recent version always the most secure, patching has become a lot more convenient.
Hardening the Configuration
Configuration hardening, like patching, is an ongoing procedure that does not occur just once. New flaws are discovered on a daily basis. Often, it’s a new attack on a previously exploited flaw. In order to keep your systems secure, it is imperative that you regularly update your hardened configuration guidelines.
IT services are constantly being improved in a typical IT environment. Changes necessitated by new programmes, users, and devices may compromise the device’s inherent security. In order to ensure that all hardening measures are carried out consistently and continuously, most checklists contain between 200 and 400 measures.
This can only be done if the server under test has been granted administrator or root access by a vulnerability scanning appliance like Nessus or Qualys. Since the host is now network-accessible and has at least one additional administrator or root account that can be exploited, this introduces new security risks. In-server auditing is always preferred.
Verifying the integrity of files
Scanners, whether agent-based or agentless, can only ever get a snapshot of the equipment they are scanning. In spite of the fact that this is an excellent way to verify that the file system has not been infiltrated by a Trojan or other malware, this method does not guarantee that the file system has not been compromised. Systems must be constantly monitored for compliance and security breaches in order to ensure that they remain secure at all times.
System security can only be ensured through constant monitoring of file integrity and hardening of the system’s configuration. There are many other options to branded checklists like the CIS Benchmarks, but they are not the only ones. The manufacturer is a more reliable source of information on how to mitigate vulnerabilities when given checklists. In spite of the abundance of checklists, there is only one way to truly harden any given system: implementing all of the recommended measures. Hardening your environment is more important than balancing operational and functional constraints with risk reduction.