As we have mentioned in previous Tips and Tricks, here at NNT we are big fans of system hardening, the science of rendering servers, database systems, firewalls, EPOS systems and all other IT devices fundamentally secure.
A Hardened System is one that has a ‘locked down’ configuration, removing all unnecessary function, access and other potential vulnerabilities that could be exploited by a hacker.
Producing a homegrown hardening policy for your organization requires a lot of research and testing and is a time-consuming task. NNT Change Tracker goes some way to lightening the load with its use of Center for Internet Security (CIS) benchmarks. The CIS are the information security industry’s authority on secure configuration guidance and recommended hardened build-standard. Compliance standards such as the PCI DSS recommend that when hardening or configuration standards are required, the CIS is a primary resource of information.
Change Tracker comes complete with a range of CIS reporting for all manner of operating systems and equipment types and will quickly enable users to baseline how secure (or not!) the current environment is.
It is not uncommon when initially working with NNT Change Tracker, reviewing system’s configuration standards, to find differences in the results for systems which really ought to be configured the same J. It's also possible, as your experience with Change Tracker grows, that Change Tracker will inform you that a particular system has slipped away from the accepted hardened state.
Whatever the case, a good starting point to identify differences or configuration changes, is Change Tracker’s compliance comparison feature. Available from Change Tracker build 220.127.116.11 (note: your Change Tracker version is displayed at the bottom of any console page), the compliance comparison has the capability to compare two compliance reports, displaying the deviations between two system configurations. This is useful if you have a system with which you are more familiar with the configuration and it is thought to have the desired configurations or, you actually have a device with the sole purpose of representing your build gold standard, the compliance comparer can be used to rate other systems against these systems.
For example, in the following scenario WIN-1R4LJTOEOV2 and WIN-PRDBGHGTRKS should be identical system but are tracking slightly different results from the CIS Windows 2012 R2 report.
Ideally, they should be configured the same and so by selecting a check box against for each system and pressing the ‘Compare Results’ button.
We are able to see which of the CIS hardening rules differ between the servers.
The comparison lists the three rules which have passed on WIN-1R4LJTOEOV2 but failed on WIN-PRDBGHGTRKS. Further information about the difference is listed in the ‘Reason for change’ box on the right-hand side. For example, rule 2.2.5 has failed because the ‘Adjust memory quotas for a process’ security setting includes ‘IIS APPPOOL\NNT WEB APPLICATIONS’. A fairly obvious cause for these differenced, both systems are lab machines, WIN-1R4LJTOEOV2 is a Windows web server running a copy of Change Tracker and WIN-PRDBGHGTRKS was built in preparation of a new Change Tracker version which requires testing. It would seem that IIS has not been installed on WIN-PRDBGHGTRKS. This little scenario is innocuous, fiddling around with servers in a lab environment is only going to impact testing! However, in the real, production world a slip in a hardening posture and a lack of understanding of what has changed could be catastrophic.
As always, if you have any questions about this Tips and Tricks please let Support know and keep an eye on the Tips and Tricks area for further details on new features.