Taking on a hardening project can be an intimidating task, and with so many different types of systems, it is difficult to know where to start! Nevertheless, the benefits of hardening are clear to see, and from a security perspective hardening is one of the most worthwhile projects.
It is a well-accepted fact that many operating systems have exploitable weaknesses in the out-of-the-box state. However, these vulnerabilities can be remediated or mitigated by making simple system configuration changes to reduce the attack surface of the operating system. This process is known as configuration, or system, hardening.
The Center for Internet Security (CIS) is a non-profit organization that works to produce secure configuration guidelines for operating systems, applications and other systems, specifically to help with hardening projects. These guidelines are known as the CIS Benchmarks.
New Net Technologies (NNT) is a CIS Certified Vendor and our flagship product, NNT Change Tracker™, can automatically audit any scale of IT estate against the full range of CIS Benchmarks to identify where vulnerabilities are present and to report any drift from your previously hardened configuration settings.
Figure 1 - NNT Change Tracker™ Compliance Page
NNT helps customers with the development of a hardened build standard as part of the installation of the Change Tracker™ software and we have a number of tactics that help.
Group your Systems for Hardening Evaluation
It stands to reason that systems can be organized into specific groups based on the operating system and the function they support. Once grouped together, the categories can then be assessed for their suitability to a particular CIS hardening standard. For example, a Windows 2016 server assessed against the CIS Windows 2016 guidelines will score differently when running an SQL database than when running as a file and print server.
Identify your Priority
You cannot harden all systems at the same time; that is just too much work unless you have a large team that is dedicated to the project. Instead, talk to department heads and look at your groupings to decide where the priority lies, for example, systems that are publicly available or exposed to the internet in order to provide services, or applications that you know to be mission-critical.
Review and Develop a Hardening Minimum Threshold
Even though there will be configuration differences caused by server functions, there will be more commonality than not and therefore a minimum baseline threshold is readily achievable.
There are a few hundred rules within a CIS report, but don't be disheartened: most of the rules are straightforward. At NNT, we use Change Tracker™ to export the results of a CIS assessment into an editable format such as an Excel file, review the rules and note against each one whether the configuration change can be made without further assessment, requires some testing, or is not applicable to the system.
Figure 2 - Change Tracker™ editable report output
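The triage described above can be scripted. The following is an added example, not Change Tracker™ output or NNT's code: it summarises a CIS-style assessment per rule and server group, exports an editable review sheet with an empty decision column (apply / test / n/a), and then derives the minimum baseline from the reviewer's decisions, namely the rules that every applicable group can apply without testing. The hosts, groups, rule identifiers and rule titles are constructed for illustration and are not taken from any CIS Benchmark.

```python
"""Triage a CIS-style assessment into a review sheet and derive the minimum
hardening baseline from the reviewer's decisions (added example, constructed data)."""
import csv
import io
from collections import defaultdict

# Constructed sample: one assessment result per (host, group, rule).
# Rule ids and titles are illustrative, not copied from a CIS Benchmark.
ASSESSMENT = [
    ("fp01", "file-print", "R-1.1", "Password history enforced", "PASS"),
    ("fp02", "file-print", "R-1.1", "Password history enforced", "FAIL"),
    ("sql01", "sql", "R-1.1", "Password history enforced", "FAIL"),
    ("fp01", "file-print", "R-2.3", "Legacy file-sharing protocol disabled", "FAIL"),
    ("fp02", "file-print", "R-2.3", "Legacy file-sharing protocol disabled", "FAIL"),
    ("sql01", "sql", "R-2.3", "Legacy file-sharing protocol disabled", "PASS"),
    ("fp01", "file-print", "R-5.7", "Named pipe access restricted", "FAIL"),
    ("fp02", "file-print", "R-5.7", "Named pipe access restricted", "FAIL"),
    ("sql01", "sql", "R-5.7", "Named pipe access restricted", "FAIL"),
]

DECISIONS = ("apply", "test", "n/a")  # the three notes the review records per rule

def summarize(rows):
    """Return {rule_id: {"title": ..., "groups": {group: (passed, total)}}}."""
    summary = {}
    for _host, group, rule_id, title, status in rows:
        entry = summary.setdefault(rule_id, {"title": title, "groups": {}})
        passed, total = entry["groups"].get(group, (0, 0))
        entry["groups"][group] = (passed + (status == "PASS"), total + 1)
    return summary

def export_review_sheet(summary):
    """One CSV row per (rule, group) with an empty 'decision' column to fill in."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["rule_id", "title", "group", "passed", "total", "decision"])
    for rule_id in sorted(summary):
        entry = summary[rule_id]
        for group in sorted(entry["groups"]):
            passed, total = entry["groups"][group]
            writer.writerow([rule_id, entry["title"], group, passed, total, ""])
    return out.getvalue()

def apply_decisions(sheet_csv, decisions):
    """Fill the decision column from {(rule_id, group): decision}; stands in for the
    manual editing done in the spreadsheet."""
    rows = list(csv.DictReader(io.StringIO(sheet_csv)))
    for row in rows:
        row["decision"] = decisions.get((row["rule_id"], row["group"]), "")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

def minimum_baseline(reviewed_csv):
    """Split reviewed rules into the minimum baseline and the deferred set.
    A rule joins the baseline when every group where it applies says 'apply'
    (groups marked 'n/a' do not block it); a 'test' in any group defers it.
    An empty or unknown decision means the review is incomplete, so fail loudly."""
    decisions = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(reviewed_csv)):
        decision = row["decision"].strip().lower()
        if decision not in DECISIONS:
            raise ValueError(
                f"{row['rule_id']}/{row['group']}: decision must be one of {DECISIONS}, got {decision!r}")
        decisions[row["rule_id"]][row["group"]] = decision
    baseline, deferred = [], []
    for rule_id, per_group in sorted(decisions.items()):
        relevant = {d for d in per_group.values() if d != "n/a"}
        if relevant == {"apply"}:
            baseline.append(rule_id)
        elif "test" in relevant:
            deferred.append(rule_id)
    return baseline, deferred

# Constructed reviewer decisions: the file-print group wants to test the
# legacy-protocol rule against its older clients first; R-5.7 is n/a for sql.
REVIEWER_DECISIONS = {
    ("R-1.1", "file-print"): "apply", ("R-1.1", "sql"): "apply",
    ("R-2.3", "file-print"): "test", ("R-2.3", "sql"): "apply",
    ("R-5.7", "file-print"): "apply", ("R-5.7", "sql"): "n/a",
}

if __name__ == "__main__":
    sheet = export_review_sheet(summarize(ASSESSMENT))
    reviewed = apply_decisions(sheet, REVIEWER_DECISIONS)
    baseline, deferred = minimum_baseline(reviewed)
    print("minimum baseline:", baseline)  # ['R-1.1', 'R-5.7']
    print("needs testing:", deferred)     # ['R-2.3']
```

The review sheet is deliberately keyed by rule and group rather than by host, which keeps the spreadsheet to a few hundred rows and makes the "commonality" between groups visible at a glance.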
Testing, Testing, Testing!!
There is no silver bullet, so when creating a hardening standard for an environment, testing will have to be undertaken. One approach would be to identify a system that is representative of the group or application you are hardening and start to configure it in line with the CIS Benchmark. Start with your minimal guideline as discussed in the previous section before moving on to rules that will require more detailed analysis.
Be mindful before you begin the hardening process that you will need some mechanism to test any application supported by the system that you are hardening. Speak to the application owners and discuss what testing should be performed on the application to confirm that it has not been impacted by the hardening activity. It is prudent to document this testing in a UAT-type document in order to demonstrate at a later time that confirmatory application testing was undertaken. To give you an idea of what the test should look like, below is one of the UAT tests that NNT recently used when conducting a Change Tracker™ installation project.
Figure 3 - Develop a test procedure for application
Don't Delay the Hardening Deployment
As you may have grasped by this point, a hardening project, although not complicated, has the potential to take up a reasonable amount of time. Hardening is really your first line of defense in the prevention of malicious activity, so think about deploying your hardening in stages. Moving the hardening needle quickly, even if only by a small amount, is preferable to waiting until the hardening project is complete. With this in mind, if you have defined and successfully tested your minimal CIS hardening baseline, then get that deployed into your production environment while you spend time on the rules that require more specific testing.
Figure 4 - Deploy any hardening quick wins immediately
Use the CIS Build Kits to Help (formerly Remediation Kits)
For each guideline, the CIS produces matching build kits to help with the hardening process. The kits, comprising a group policy object for the Windows operating system and a shell script for Linux, are able to quickly configure a single server or a group of servers to match the CIS recommended settings.
Figure 5 - CIS build kit for Windows - GPO
Figure 6 – CIS build kit for Linux - .sh script
Be Prepared to Remediate Away from the CIS Guidelines
It is very unlikely that all your systems will fit nicely into the default CIS guidelines for your operating systems. In certain circumstances, allowances will have to be made for the configuration and operation of applications running on systems. This is normal and NNT sees this all the time while working with customers. For instance, some applications will require specific permissions that need to be included as part of a system security policy.
Document Any Remediation Work
In order to aid future hardening work, use the groupings you created earlier to document any remediations away from the standard CIS compliance. This will make it easier for follow-up reviews or future work on hardening standards. For example, below is an extract from one of NNT's project documents. The extract shows the server groups, the NNT servers in this case, their function and the CIS standard to which they adhere. The document also lists the exceptions that needed to be put in place specifically for these systems.
Figure 7 - Document exceptions from a CIS baseline
Of course, NNT Change Tracker™ will also help track the remediation work carried out, and more importantly, continue to track the remediations and deviations, informing if configurations change or 'drift'.
Figure 8 - Tracking remediations with Change Tracker™
Figure 9 - Highlighting configuration deviations between systems
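Documented exceptions only earn their keep if the drift monitoring knows about them, otherwise every approved deviation shows up as a finding and real drift is lost in the noise. The following is an added example, not Change Tracker™ logic or NNT's code, showing how a per-group exception register like the one in Figure 7 can be applied when comparing a host against the hardened baseline: a deviation covered by an exception is reported as excepted, an uncovered deviation (or a missing setting) is reported as drift, and an exception whose setting already meets the baseline is flagged as stale so it can be retired. The setting names, values and change-ticket references are constructed placeholders.

```python
"""Check hosts against a hardened baseline while honouring documented,
per-group exceptions (added example; all settings and values are constructed)."""
from dataclasses import dataclass

# Constructed hardened baseline: setting name -> required value.
BASELINE = {
    "password_history": 24,
    "legacy_fileshare_protocol": "disabled",
    "remote_registry_service": "disabled",
    "audit_logon_events": "success,failure",
}

@dataclass(frozen=True)
class DocumentedException:
    setting: str
    approved_value: object
    justification: str
    ticket: str  # change reference; placeholder values below

# Exception register keyed by server group, mirroring the layout of Figure 7.
EXCEPTIONS = {
    "sql": [
        DocumentedException("remote_registry_service", "enabled",
                            "Monitoring agent reads performance counters remotely",
                            "CHG-0000 (placeholder)"),
    ],
    "file-print": [
        DocumentedException("legacy_fileshare_protocol", "enabled",
                            "Legacy print controller needs it until it is replaced",
                            "CHG-0000 (placeholder)"),
    ],
}

def evaluate(group, current):
    """Classify every baseline setting for one host belonging to `group`.

    current: {setting: value} as collected from the host. A setting absent from
    the snapshot is treated as drift, never as silently compliant."""
    exceptions = {e.setting: e for e in EXCEPTIONS.get(group, [])}
    report = {"compliant": [], "excepted": [], "drift": [], "stale_exceptions": []}
    for setting, required in BASELINE.items():
        actual = current.get(setting)
        exc = exceptions.get(setting)
        if actual == required:
            report["compliant"].append(setting)
            if exc:  # exception no longer exercised: candidate for retirement
                report["stale_exceptions"].append((setting, exc.ticket))
        elif exc and actual == exc.approved_value:
            report["excepted"].append((setting, actual, exc.ticket))
        else:
            # Includes the case where an excepted setting holds a value other
            # than the approved one: that is drift, not a valid exception.
            report["drift"].append((setting, required, actual))
    # Settings on the host that the baseline does not cover are listed for
    # review rather than counted as drift.
    report["unbaselined"] = sorted(set(current) - set(BASELINE))
    return report

def changed_since(previous, current):
    """Settings whose value changed between two snapshots of the same host;
    this is the 'drift' signal independent of whether either value is compliant."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k))
            for k in sorted(keys) if previous.get(k) != current.get(k)}

if __name__ == "__main__":
    # Constructed snapshot of a database server: one approved exception in
    # use, one setting that has drifted below the baseline.
    sql01 = {"password_history": 10, "legacy_fileshare_protocol": "disabled",
             "remote_registry_service": "enabled", "audit_logon_events": "success,failure"}
    for key, value in evaluate("sql", sql01).items():
        print(f"{key}: {value}")
```

Running the check per group rather than per host is what lets the exception register stay short: a justification is written once for the function the servers perform, and any host in that group that deviates in a way the register does not cover is immediately visible as drift.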
In closing, there is no panacea for a hardening project; it takes the acquisition of knowledge and a decent amount of time for testing, confirmation and deployment. Nevertheless, by leveraging the work done by the CIS and using the simple steps suggested within this article, we hope to have given you a starting point.
Learn how to implement a hardened build standard by registering for one of our Engineers Workshops, with time slots available in January, February and March.
In this workshop members of the NNT Support Team will teach you:
- How to work through a CIS Benchmark Secure Configuration Guide & how to avoid the 'Gotchas'
- How to customize and expand to deliver a hardened build standard that's designed for you
- How to roll out to your IT systems, both manually and automatically
- How to maintain everything in its secure, hardened state