Server Hardening Policy - Examples and Tips

Despite the increased sophistication employed by hackers for both external and internal attacks, around 80% of all reported breaches continue to exploit known, configuration-based vulnerabilities. Server or system hardening is, quite simply, essential in order to prevent a data breach.

Determining which policy is the right one for your environment however can be somewhat overwhelming, which is why NNT now offers a complete and extensive range of options to cover every system type, OS or even appliance within your estate, including database, cloud and container technologies. NNT is one of only a handful of vendors fully certified by the Center for Internet Security (CIS), providing the most pervasive suite of benchmarks and remediation kits in the world.

We encourage you to help yourself to our hardening guides below as well as any of our secure benchmarks, all of which are freely available to you to download.

NNT provides software solutions that will ensure the right policies are applied to every system all of the time and will immediately notify you of any drift, breach or unauthorized change. For more details feel free to request a trial or a demo using the buttons at the top right of your screen.

Download The Complete Hardened Services Guide

Server Hardening Policy Background

Any server deployed in its default state will naturally be lacking in even basic security defenses. This leaves it vulnerable to compromise. In order to mitigate potential exploits it is vital that servers are hardened:

 

tip icon

Top Tip:
In any large estate, commercial systems like NNT Change Tracker or Tripwire® Enterprise provide automated means of auditing and scoring compliance with your chosen server hardening policy.

tip icon

Top Tip:
The CIS Benchmark Checklists are an ideal reference source because the configuration hardening recommendations are consensus base.

tip icon

Top Tip:
Applying the hardened build settings can also be automated using NNT Threat Mitigation Kits, comprising the appropriate hardened build templates for deployment using Group Policy or Puppet.

Request a free trial of NNT Change Tracker

So what is the Server Hardening Policy for you?

Getting access to a hardening checklist or server hardening policy is easy enough. For example, the Center for Internet Security provides the CIS hardening checklists, Microsoft and Cisco produce their own checklists for Windows and Cisco ASA and Cisco routers, and the National Vulnerability Database hosted by NIST provides checklists for a wide range of Linux, Unix, Windows and firewall devices. NIST also provides the National Checklist Program Repository, based on the SCAP and OVAL standards.

However, any default checklist must be applied within the context of your server's operation – what is its role? For example, if it is internet-facing then it will need to be substantially more hardened with respect to access control than if it is an internal database server behind a perimeter and internal firewall. Once you have established your hardened server policy and have applied the various security best practice checklists to your hardened server build, you will now need to regularly audit all servers and devices within your estate for compliance with the build standard.

Ideally, the hardened build standard for your server hardening policy will be monitored continuously, with any drift in configuration settings being reported. In conjunction with your change management process, changes reported can be assessed, approved and either remediated or promoted to the configuration baseline. NNT Change Tracker provides Intelligent Change Control, which means that changes only need to be approved once, for one server only, for any other occurrences of the same change pattern to be automatically approved. This intelligent learning approach removes the biggest problem with most FIM and SIEM systems in that 'change noise' can easily become overwhelming. 

As one of a handful of CIS Certified Vendors, NNT has access to hundreds of CIS Benchmark reports which can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build standard.

View our CIS Benchmark library to access more custom reports

CIS Benchmark Hardening/Vulnerability Checklists

Summary

Prevention of security breaches is the best approach to data security. By locking out configuration vulnerabilities through hardening measures, servers can be rendered secure and attack-proof.

Using file integrity monitoring not only provides an initial audit and compliance score for all servers against standardized hardening checklists but ensures all platforms remain securely configured at all times.

Learn more about compliance standards and GRC (Governance, Risk management and Compliance) regulatory controls

Open Ports
windows
linux
Configuration Remediation Kit
Ransomware Mitigation Kit
System Hardening Blog
System Hardening White Papers
System Hardening Case Studies
System Hardening Articles
USA Offices
New Net Technologies LLC
Naples
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
Atlanta
1175 Peachtree St NE
Atlanta, Georgia, 30361.
Portland
4145 SW Watson, Suite 350
Beaverton, Oregon, 97005.

Tel: (844) 898-8358
email [email protected]
UK Office
New Net Technologies Ltd
Rivers Lodge, West Common
Harpenden, Hertfordshire
AL5 2JD

Tel: 01582 287310
email [email protected]
CIS benchmarking SEWP Cybersecurity 500Sans Institute Now Certified IBM Security
Copyright 2019, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.