Any information security policy or standard will include a requirement to use a ‘hardened build standard’. The concept of hardening is straightforward enough, but knowing which source of information you should reference for a hardening checklist when there are so many published can be confusing.

Cyber Security Controls


Server Hardening Checklist Reference Sources

The most popular ‘brands’ in this area are the Center for Internet Security or CIS hardening checklists (free for personal use), the NIST (aka National Vulnerability Database) provided National Checklist Program Repository or the SANS Institute Reading Room articles regarding hardening of Top 20 Most Critical Vulnerabilities. Most manufacturers provide their own hardening guides too, for example RedHat and Microsoft.

All of these groups offer Configuration Hardening Checklists for most Windows Operating Systems, Linux variants (Debian, Ubuntu, CentOS, RedHat Enterprise Linux aka RHEL, SUSE Linux), Unix variants (such as Solaris, AIX and HPUX), and firewalls and network appliances, (such as Cisco ASA, Checkpoint and Juniper). Desktop applications such as Office, Email and Web Browser clients can also be hardened to provide greater security to the user environment, vital with the increased threat from Ransomware.

These sources offer a convenient, one-stop shop for checklists but you may be better served by seeking out the manufacturer or community-specific checklists for your devices and Operating Systems. For example, Microsoft and Cisco offer very comprehensive hardening best-practice recommendations on their websites, and the various CentOS and Ubuntu communities have numerous secure configuration best practice tutorials across the internet.

So which checklist is the best? Which configuration hardening benchmark is going to make you most secure? If you consider that all benchmarks for say, Windows 2012R2 are all seeking to eliminate the same vulnerabilities from the same operating system, then you quickly realize that there is naturally a high degree of commonality between the various sources. In short, they are all saying the same thing, just in slightly different terms and with some additions/exceptions.

What actually becomes more important is that you assess the relevant risk levels for your systems versus what compromises you can make in terms of reduced functionality in return for greater security. Simple example: disabling root access via SSH greatly enhances the security of a Linux/Unix host, but it means you need to kick the habit of using root directly (which everyone knows is the right thing to do, but still leaves plenty of people continuing to do so!)

To try an NNT Compliance Audit for yourself and see how secure your servers are, click HERE

Configuration Hardening and Vulnerability Management

Quick diversion - It is important to distinguish between software-based vulnerabilities which require patching for remediation, and configuration based vulnerabilities which can only ever be mitigated by use of hardened settings. Achieving a hardened, secure build standard is really what a hardening program is all about as this provides a constant and fundamental level of security.

Configuration hardening presents a uniquely tough challenge as the level to which you can harden depends on your environment, applications and working practices. For example, removing web and ftp services from a host are good, basic hardening practices. However, if the host needs to act as a web server, then this is not going to be a sensible hardening measure!

Similarly, if you need remote access to the host via the network then you will need to open firewall ports and enable terminal server or ssh services on the host, otherwise these should always be removed or disabled to help secure the host.

Conversely, patching is a much simpler discipline, with a general rule that the latest version is always the most secure (but test it first just to make sure it works!).

Configuration Hardening Procedure

In a similar way that patching should be done at least once a month, configuration hardening must also be practiced regularly – it is not a one-time exercise.

New vulnerabilities are discovered all the time. Often it’s the case that it’s a new exploit of an already known vulnerability. As such, refreshing your systems’ compliance with hardened configuration guidance must be performed regularly and often.

Top Tip: NNT now provide a range of Threat Mitigation Kits, comprising Group Policy and Puppet templates to automatically apply hardened configuration settings - Click HERE to try them now

In a typical IT environment, changes are being made all the time to improve IT services. New applications or updates to existing ones, new users and new devices all require changes to be made to hardened system, any of which may adversely affect the inherent security of the device.

When you consider that any checklist can typically comprise between 200 and 400 measures, verifying that all hardening measures are being consistently and continuously applied has to be an automated process.

This can be provided by vulnerability scanning appliances such as Nessus or Qualys, however these are limited in the range and depth of checks they can make unless they are given administrator or root access to the host under test. Of course, in doing so, this actually introduces additional security vulnerabilities, as the host is now accessible via the network and there is at least one more administrator or root account in circulation which could be abused. Better to use secure ‘in server’ agents to audit for compliance.

To try an NNT Compliance Audit for yourself and see how secure your servers are, click HERE

Configuration Hardening – File Integrity Monitoring

On the subject of agent-based versus agentless scanning approaches, the other limitation of scanning appliances is that they can only ever take a snapshot assessment of the device concerned. While this is a good way to check compliance of the device with a configuration hardening best practice checklist, there is no way to verify that the filesystem has not been compromised, for example, by a Trojan or other malware. Only by using continuous compliance assessment with real-time breach detection can you guarantee that systems are secure – and remain secure – 24/7.


Continuous file integrity monitoring combined with continuous configuration hardening assessment is the only true solution for maintaining secure systems. While branded checklists such as the CIS Benchmarks are a great source of hardening best practices, they are not the only option available. In fact, manufacturer provided checklists are generally a more focused source of vulnerability mitigation practices. Remember that there may be a wide choice of checklists using different terms and language, but that ultimately there is only one way to harden any particular system. What is more important is that you apply the hardening measures appropriate for your environment, balancing risk reduction against operational and functional compromises.

To try an NNT Compliance Audit for yourself and see how secure your servers are, click HERE


USA Offices
New Net Technologies Ltd
9128 Strada Place
Naples, Florida, 34108
201 17th Street, Suite 300
Atlanta, Georgia, 30363.

Tel: 1-888-898-0674
NNT Logo
UK Office
New Net Technologies Ltd
Spectrum House, Dunstable Road
St Albans


Tel: 08456 585 005
Fax: 08456 122 031
Connect with NNT
Google+ Linkedin Twitter - Change Tracker Facebook rss feed YouTube
Sign up to NNT's IT security and compliance monthly newsletter. Get breaking security news, how-to tips, trends and commentary direct to your inbox.