Any information security policy or standard will include a requirement to use a ‘hardened build standard’. The concept of hardening is straightforward enough, but knowing which source of information you should reference for a hardening checklist when there are so many published can be confusing.
Server Hardening Checklist Reference Sources
The most popular ‘brands’ in this area are the Center for Internet Security or CIS hardening checklists (free for personal use), the NIST (aka National Vulnerability Database) provided National Checklist Program Repository or the SANS Institute Reading Room articles regarding hardening of Top 20 Most Critical Vulnerabilities. Most manufacturers provide their own hardening guides too, for example RedHat and Microsoft.
All of these groups offer Configuration Hardening Checklists for most Windows Operating Systems, Linux variants (Debian, Ubuntu, CentOS, RedHat Enterprise Linux aka RHEL, SUSE Linux), Unix variants (such as Solaris, AIX and HPUX), and firewalls and network appliances, (such as Cisco ASA, Checkpoint and Juniper). Desktop applications such as Office, Email and Web Browser clients can also be hardened to provide greater security to the user environment, vital with the increased threat from Ransomware.
These sources offer a convenient, one-stop shop for checklists but you may be better served by seeking out the manufacturer or community-specific checklists for your devices and Operating Systems. For example, Microsoft and Cisco offer very comprehensive hardening best-practice recommendations on their websites, and the various CentOS and Ubuntu communities have numerous secure configuration best practice tutorials across the internet.
So which checklist is the best? Which configuration hardening benchmark is going to make you most secure? If you consider that all benchmarks for say, Windows 2012R2 are all seeking to eliminate the same vulnerabilities from the same operating system, then you quickly realize that there is naturally a high degree of commonality between the various sources. In short, they are all saying the same thing, just in slightly different terms and with some additions/exceptions.
What actually becomes more important is that you assess the relevant risk levels for your systems versus what compromises you can make in terms of reduced functionality in return for greater security. Simple example: disabling root access via SSH greatly enhances the security of a Linux/Unix host, but it means you need to kick the habit of using root directly (which everyone knows is the right thing to do, but still leaves plenty of people continuing to do so!)
Configuration Hardening and Vulnerability Management
Quick diversion - It is important to distinguish between software-based vulnerabilities which require patching for remediation, and configuration based vulnerabilities which can only ever be mitigated by use of hardened settings. Achieving a hardened, secure build standard is really what a hardening program is all about as this provides a constant and fundamental level of security.
Configuration hardening presents a uniquely tough challenge as the level to which you can harden depends on your environment, applications and working practices. For example, removing web and ftp services from a host are good, basic hardening practices. However, if the host needs to act as a web server, then this is not going to be a sensible hardening measure!
Similarly, if you need remote access to the host via the network then you will need to open firewall ports and enable terminal server or ssh services on the host, otherwise these should always be removed or disabled to help secure the host.
Conversely, patching is a much simpler discipline, with a general rule that the latest version is always the most secure (but test it first just to make sure it works!).