Server Hardening Policy - Examples and Tips
Despite the increased sophistication employed by hackers for both external and internal attacks, around 80% of all reported breaches continue to exploit known, configuration-based vulnerabilities. Server or system hardening is, quite simply, essential in order to prevent a data breach.
Determining which policy is the right one for your environment, however, can be somewhat overwhelming, which is why NNT now offers a complete and extensive range of options to cover every system type, OS or even appliance within your estate, including database, cloud and container technologies. NNT is one of only a handful of vendors fully certified by the Center for Internet Security (CIS), providing the most pervasive suite of benchmarks and remediation kits in the world.
We encourage you to help yourself to our hardening guides below as well as any of our secure benchmarks, all of which are freely available to you to download.
NNT provides software solutions that will ensure the right policies are applied to every system all of the time and will immediately notify you of any drift, breach or unauthorized change.
Any server deployed in its default state will naturally be lacking in even basic security defenses. This leaves it vulnerable to compromise. In order to mitigate potential exploits it is vital that servers are hardened:
In any large estate, commercial systems like NNT Change Tracker or Tripwire® Enterprise provide automated means of auditing and scoring compliance with your chosen server hardening policy.
The Benchmark Checklists are an ideal reference source because the configuration hardening recommendations are consensus-based.
Applying the hardened build settings can also be automated using NNT Threat Mitigation Kits, comprising the appropriate hardened build templates for deployment using Group Policy or Puppet.
Getting access to a hardening checklist or server hardening policy is easy enough. For example, the Center for Internet Security provides the CIS hardening checklists, Microsoft and Cisco produce their own checklists for Windows and Cisco ASA and Cisco routers, and the National Vulnerability Database hosted by NIST provides checklists for a wide range of Linux, Unix, Windows and firewall devices. NIST also provides the National Checklist Program Repository, based on the SCAP and OVAL standards.
However, any default checklist must be applied within the context of your server's operation – what is its role? For example, if it is internet-facing then it will need to be substantially more hardened with respect to access control than if it is an internal database server behind a perimeter and internal firewall. Once you have established your hardened server policy and have applied the various security best practice checklists to your hardened server build, you will now need to regularly audit all servers and devices within your estate for compliance with the build standard.
Ideally, the hardened build standard for your server hardening policy will be monitored continuously, with any drift in configuration settings being reported. In conjunction with your change management process, changes reported can be assessed, approved and either remediated or promoted to the configuration baseline. NNT Change Tracker provides Intelligent Change Control, which means that changes only need to be approved once, for one server only, for any other occurrences of the same change pattern to be automatically approved. This intelligent learning approach removes the biggest problem with most FIM and SIEM systems in that 'change noise' can easily become overwhelming.
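The audit, approve-once and promote-to-baseline cycle described above can be sketched as follows. This is an added example, not NNT Change Tracker's code or logic; the class names, hosts and setting values are constructed, and treating a change pattern as the tuple (setting, expected value, observed value) is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Change:
    """One deviation from the baseline; the same pattern on every host it occurs on."""
    setting: str
    expected: str
    observed: str

@dataclass
class BaselineAuditor:
    baseline: dict                               # setting -> hardened value
    approved: set = field(default_factory=set)   # change patterns approved once

    def audit(self, observed):
        """Split one host's drift into (needs_review, auto_approved)."""
        review, auto = [], []
        for setting, expected in sorted(self.baseline.items()):
            actual = observed.get(setting, "<missing>")
            if actual != expected:
                change = Change(setting, expected, actual)
                (auto if change in self.approved else review).append(change)
        return review, auto

    def score(self, observed):
        """Percentage of baseline settings the host matches exactly."""
        ok = sum(observed.get(k) == v for k, v in self.baseline.items())
        return round(100 * ok / len(self.baseline))

    def promote(self, change):
        """Make an approved change the new baseline value."""
        self.baseline[change.setting] = change.observed
        self.approved.discard(change)

# Constructed sample data: both hosts carry the same planned change (ip_forward),
# web02 additionally has an unplanned one (root login re-enabled).
BASELINE = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
            "sysctl.net.ipv4.ip_forward": "0"}
HOSTS = {
    "web01": {**BASELINE, "sysctl.net.ipv4.ip_forward": "1"},
    "web02": {**BASELINE, "sysctl.net.ipv4.ip_forward": "1",
              "sshd.PermitRootLogin": "yes"},
}

def run_demo():
    auditor = BaselineAuditor(dict(BASELINE))
    review, _ = auditor.audit(HOSTS["web01"])
    auditor.approved.add(review[0])   # reviewer approves the ip_forward change once
    return auditor, auditor.audit(HOSTS["web02"])
```

On web02 the previously approved `ip_forward` change is filed as auto-approved, while the root-login change still lands in the review queue.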
As one of a handful of CIS Certified Vendors, NNT has access to hundreds of CIS Benchmark reports which can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build standard.
Prevention of security breaches is the best approach to data security. By locking out configuration vulnerabilities through hardening measures, servers can be rendered secure and attack-proof.
Using file integrity monitoring not only provides an initial audit and compliance score for all servers against standardized hardening checklists but ensures all platforms remain securely configured at all times.