Every organization should have a hardened build standard for each platform it runs: Windows, Linux, SQL Server / Oracle databases, firewalls and so on. Determining an appropriate server hardening policy for your environment, however, requires detailed research of the published hardening checklists and an understanding of how their recommendations apply to your own operating systems and applications.

Governance, regulatory and compliance standards such as NIST SP 800-53, SOX, NERC CIP, ISO 27001, PCI DSS, DISA STIG and HIPAA all call for strong cyber security defenses, with a hardened build standard at the core. Once established, the standard is maintained using file integrity monitoring to highlight any significant change, or 'drift', away from it.

Server Hardening Policy Background

A server deployed in its default state lacks many basic security defenses and is correspondingly easy to compromise. To reduce the attack surface before the server goes into service, it must be hardened in each of the following areas:

User Accounts and Password

  • Is there a regular review process for removing redundant or leavers' accounts?
  • Is there an audit trail of all account creation, privilege or rights assignments and a process for approval?
  • Default local accounts, such as the Windows Guest account, should be disabled. The built-in Administrator and Guest accounts on Windows should also be renamed: a well-known default account name hands an attacker half of the credential for free. Note that renaming does not change the built-in Administrator account's well-known SID (relative identifier 500), so treat the rename as a speed bump rather than a control, and disable the account where the build allows it.

Specific examples: an Account Policy that sets every password and lockout parameter, for example:

  • Maximum Password Age – 60 or fewer days (but not 0)
  • Minimum password age to 1 or more days
  • Minimum password length to 14 or more characters
  • Enable Password Complexity
  • Account lockout threshold to 10 or fewer attempts (but not 0)
  • Reset account lockout counter after 15 minutes or longer
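The following is an added example, not code from the original page or from NNT: it exports the local security policy with secedit and checks the password and lockout parameters against the thresholds listed above. It assumes an elevated PowerShell session on the server being audited; the inf key names are the ones secedit writes in its [System Access] section.

```powershell
# Added example (not from the original page): export the local security policy
# with secedit and check the password / lockout settings against the thresholds
# listed above. Run from an elevated PowerShell session on the server being audited.

function Get-LocalSecurityPolicy {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    # /areas SECURITYPOLICY limits the export to account policy and security options
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $cfg) {
        # Only simple "Key = Value" lines are of interest; registry value lines
        # contain backslashes in the key and are skipped by \w+
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $cfg -Force
    return $policy
}

# Each rule maps an inf key to the acceptable range. In the exported file
# "password never expires" is stored as MaximumPasswordAge = -1 (the GUI shows
# it as 0), hence the explicit lower bound of 1.
$rules = @(
    @{ Key = 'MaximumPasswordAge';    Want = '1-60 days';     Test = { param($v) $v -ge 1 -and $v -le 60 } },
    @{ Key = 'MinimumPasswordAge';    Want = '>= 1 day';      Test = { param($v) $v -ge 1 } },
    @{ Key = 'MinimumPasswordLength'; Want = '>= 14 chars';   Test = { param($v) $v -ge 14 } },
    @{ Key = 'PasswordComplexity';    Want = '1 (enabled)';   Test = { param($v) $v -eq 1 } },
    @{ Key = 'LockoutBadCount';       Want = '1-10 attempts'; Test = { param($v) $v -ge 1 -and $v -le 10 } },
    @{ Key = 'ResetLockoutCount';     Want = '>= 15 minutes'; Test = { param($v) $v -ge 15 } }
)

function Test-AccountPolicy {
    param([hashtable]$Policy)
    foreach ($rule in $rules) {
        $raw   = $Policy[$rule.Key]
        # ResetLockoutCount is absent from the export when lockout is disabled,
        # so a missing key is reported as a failure rather than ignored
        $value = if ($null -ne $raw) { [int]$raw } else { $null }
        $pass  = ($null -ne $value) -and (& $rule.Test $value)
        [pscustomobject]@{
            Setting  = $rule.Key
            Current  = if ($null -eq $value) { '(not set)' } else { $value }
            Required = $rule.Want
            Status   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-AccountPolicy -Policy (Get-LocalSecurityPolicy) | Format-Table -AutoSize
```

On a domain-joined member server the effective password policy comes from the Default Domain Policy, so run the same check against the domain policy (or the output of Get-ADDefaultDomainPasswordPolicy) rather than trusting the local export alone.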

NNT can provide an exacting services profile for a default hardened build

Request a free trial of NNT Change Tracker

Operating System Configuration

  • Is the OS patched to current levels, and is patch status reviewed at least once a month?
  • Are all services/daemons removed or disabled where not required? Obvious candidates such as web, FTP and Telnet services should be removed (FTP and Telnet also send credentials in clear text), and remote desktop access should be disabled unless business operations genuinely depend on it. The practical approach is to remove everything you know is not required (for example the Themes service on a Windows server), then disable other candidate services one at a time, verifying the server after each change. Do not feel obliged to take this too far: if disabling a service breaks something the server needs, re-enable it and document the exception in the build standard.
  • What about open ports? Do you know which ports are listening, and which process or service owns each one? Is there a good reason for each port being open, or can it be closed? Can you detect new ports when they appear?
  • Has the Local Security Policy been fully leveraged? Many exploitable weaknesses can be mitigated by correct use of the Security Policy, which provides hundreds of fine-grained configuration controls.
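As an added example (not from the original page or from NNT), the script below answers the open-ports questions above: it lists every listening TCP port together with the owning process and Windows service, and flags any port that is not in an approved list. The $Approved table is a constructed placeholder and should be replaced with the ports your build standard allows for the server role.

```powershell
# Added example (not from the original page): enumerate listening TCP ports with
# their owning process and service, then flag anything outside the approved list.
# $Approved is a constructed placeholder for this example.

$Approved = @{
    135  = 'RPC endpoint mapper'
    445  = 'SMB (file and print)'
    3389 = 'Remote Desktop (only if the role requires it)'
}

function Get-ListeningPort {
    # Build a PID -> service name(s) map so each listener can be tied to a service
    $svcByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $owner = [int]$_.OwningProcess
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = [int]$_.LocalPort
            PID          = $owner
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            Service      = ($svcByPid[$owner] -join ',')
            Approved     = $Approved.ContainsKey([int]$_.LocalPort)
        }
    } | Sort-Object Port, LocalAddress
}

$listeners = Get-ListeningPort
$listeners | Format-Table -AutoSize

$unexpected = @($listeners | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} listener(s) are not in the approved port list" -f $unexpected.Count)
}
```

To detect new ports as they appear, save the output of Get-ListeningPort on the hardened build and diff each scheduled run against it; any listener not in the saved copy is a change that should go through change control.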

Specific examples: User Account Control Settings:

  • Allow UIAccess applications to prompt for elevation without using the secure desktop - Disabled
  • Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for consent on the secure desktop
  • Behavior of the elevation prompt for standard users - Automatically deny elevation requests
  • Detect application installations and prompt for elevation – Enabled
  • Only elevate UIAccess applications that are installed in secure locations – Enabled
  • Run all administrators in Admin Approval Mode – Enabled
  • Virtualize file and registry write failures to per-user locations – Enabled
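The settings above are stored as DWORD values under the Policies\System key; the following added example (not from the original page or from NNT) reads them and compares each with the expected state, with an optional switch to set any that are wrong. The registry value names and numbers are the documented mapping for the "User Account Control:" security options; the final entry, PromptOnSecureDesktop, is not in the list above but is required for the "on the secure desktop" part of the administrator prompt setting to take effect.

```powershell
# Added example (not from the original page): check the registry values behind the
# UAC security options listed above and optionally remediate them.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name -> registry value name and the number that means the state above
$expected = @(
    @{ Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop'
       Value  = 'EnableUIADesktopToggle';     Want = 0 },
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
       Value  = 'ConsentPromptBehaviorAdmin'; Want = 2 },   # 2 = prompt for consent on the secure desktop
    @{ Policy = 'Behavior of the elevation prompt for standard users'
       Value  = 'ConsentPromptBehaviorUser';  Want = 0 },   # 0 = automatically deny elevation requests
    @{ Policy = 'Detect application installations and prompt for elevation'
       Value  = 'EnableInstallerDetection';   Want = 1 },
    @{ Policy = 'Only elevate UIAccess applications that are installed in secure locations'
       Value  = 'EnableSecureUIAPaths';       Want = 1 },
    @{ Policy = 'Run all administrators in Admin Approval Mode'
       Value  = 'EnableLUA';                  Want = 1 },
    @{ Policy = 'Virtualize file and registry write failures to per-user locations'
       Value  = 'EnableVirtualization';       Want = 1 },
    # Not in the list above, but without it the admin prompt is not shown on the
    # secure desktop regardless of ConsentPromptBehaviorAdmin
    @{ Policy = 'Switch to the secure desktop when prompting for elevation'
       Value  = 'PromptOnSecureDesktop';      Want = 1 }
)

function Test-UacPolicy {
    param([string]$Key = $uacKey, [switch]$Remediate)
    $current = Get-ItemProperty -Path $Key
    foreach ($e in $expected) {
        $actual = $current.($e.Value)
        $ok = ($null -ne $actual) -and ([int]$actual -eq $e.Want)
        if (-not $ok -and $Remediate) {
            Set-ItemProperty -Path $Key -Name $e.Value -Value $e.Want -Type DWord
        }
        [pscustomobject]@{
            Policy   = $e.Policy
            Registry = $e.Value
            Current  = if ($null -eq $actual) { '(absent)' } else { $actual }
            Expected = $e.Want
            Status   = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-UacPolicy | Format-Table -AutoSize -Wrap
```

Use -Remediate only on standalone hosts: on a domain member these values are written by Group Policy and any local change is overwritten at the next policy refresh, which is exactly where a FIM tool will then report drift.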


Filesystem Permissions

  • For example, on Unix and Linux servers, are permissions on key security files such as /etc/passwd and /etc/shadow set in accordance with the checklist recommendations (/etc/passwd world-readable but writable only by root; /etc/shadow readable only by root, or by the shadow group on distributions that use one)?
  • Is sudo used for privileged operations, and is its use restricted to members of the wheel (or sudo) group rather than granted to individual users ad hoc?
  • For Windows servers, are the key executables, DLLs and drivers under the System32 and SysWOW64 folders, along with Program Files and Program Files (x86), protected from modification by non-administrative users?

Specific Example: Apply File Integrity Monitoring to the following files/folders

  • %PROGRAMFILES%, use SHA256 hash, system file changes, exclude log files, recursive
  • %PROGRAMFILES(x86)%, use SHA256 hash, system file changes, exclude log files, recursive
  • %SYSDIR% (i.e. %WINDIR%\System32), use SHA256 hash, system file changes, exclude log files, recursive
  • %WINDIR%\SysWOW64, use SHA256 hash, system file changes, exclude log files, recursive
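To show what the monitoring profile above amounts to in practice, here is an added example (not from the original page and not NNT's product code) of a minimal SHA-256 file integrity baseline for those four folders. New-FimBaseline records path-to-hash pairs in a JSON file, skipping .log files; Compare-FimBaseline reports added, removed and modified files against it. The folder list, the JSON location and the .log exclusion are taken from the list above; a production FIM tool would also record ACLs, owners and attributes.

```powershell
# Added example (not from the original page): SHA-256 baseline and drift report
# for the folders listed above. A real FIM tool also tracks ACLs and owners.

$FimPaths = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:windir\System32",
    "$env:windir\SysWOW64"
) | Where-Object { $_ -and (Test-Path $_) }

function Get-FimSnapshot {
    param([string[]]$Paths)
    $snap = @{}
    foreach ($root in $Paths) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ne '.log' } |
            ForEach-Object {
                # Files locked by the OS are skipped rather than aborting the run
                $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                if ($h) { $snap[$_.FullName] = $h.Hash }
            }
    }
    return $snap
}

function New-FimBaseline {
    param([string[]]$Paths = $FimPaths,
          [string]$BaselineFile = "$env:ProgramData\fim-baseline.json")
    $snap = Get-FimSnapshot -Paths $Paths
    # Depth 1 is enough for a flat path -> hash map
    $snap | ConvertTo-Json -Depth 1 | Set-Content -Path $BaselineFile -Encoding UTF8
    "Baseline written: {0} files in {1}" -f $snap.Count, $BaselineFile
}

function Compare-FimBaseline {
    param([string[]]$Paths = $FimPaths,
          [string]$BaselineFile = "$env:ProgramData\fim-baseline.json")
    $baseline = @{}
    (Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $current = Get-FimSnapshot -Paths $Paths

    foreach ($path in $current.Keys) {
        if (-not $baseline.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Added';    Path = $path }
        } elseif ($baseline[$path] -ne $current[$path]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $path }
        }
    }
    foreach ($path in $baseline.Keys) {
        if (-not $current.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Removed';  Path = $path }
        }
    }
}

# Usage: run New-FimBaseline once on the freshly hardened build, then run
# Compare-FimBaseline on a schedule and feed any output into change control.
```

Hashing all of Program Files and System32 takes minutes, so schedule the comparison rather than running it interactively. The baseline file is itself a target: an attacker who can rewrite it can hide a modified binary, so store it off-host (or at least with an ACL that the service account can only read) and treat any change to it as an incident.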


Client/Server Network Security

  • Is the built-in software firewall enabled and configured to deny all inbound traffic by default, with explicit allow rules only for the ports the server role requires?
  • On Linux, is the host firewall (nftables/iptables or firewalld) configured with a default deny for inbound traffic? TCP Wrappers (hosts.allow/hosts.deny) can still be used for a deny-all setup on older builds, but many current distributions no longer ship it and OpenSSH no longer honours it, so do not rely on it alone.
  • Have Remotely Accessible Registry Paths and Shares been restricted appropriately for your environment? This will be different for a Member Server compared to a Domain Controller

Specific Examples: Security Policy: Microsoft network client and Microsoft network server settings

  • Microsoft network client: Digitally sign communications (always) - Enabled
  • Microsoft network client: Digitally sign communications (if server agrees) - Enabled
  • Microsoft network client: Send unencrypted password to third-party SMB servers - Disabled
  • Microsoft network server: Digitally sign communications (always) - Enabled
  • Microsoft network server: Digitally sign communications (if client agrees) - Enabled
  • Microsoft network server: Disconnect clients when logon hours expire - Enabled

Only the '(always)' settings enforce SMB signing; the 'if agrees' variants merely negotiate it with a peer that supports it, which does not protect against relay attacks from a peer that does not.
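The following added example (not from the original page or from NNT) checks both points above in one pass: that every Windows Firewall profile is enabled with an explicit inbound Block default, and that the SMB client and server registry values behind the security options listed are set as required. The registry value names are the ones Group Policy writes for the "Microsoft network client/server:" options.

```powershell
# Added example (not from the original page): verify the host firewall defaults to
# blocking inbound traffic on every profile, and that the SMB signing / plaintext
# password / forced logoff settings above are in place.

function Test-FirewallDefaultDeny {
    foreach ($p in Get-NetFirewallProfile) {
        # 'NotConfigured' falls back to the built-in default (block inbound), but a
        # build standard should set the value explicitly so it survives GPO changes
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
        [pscustomobject]@{
            Profile        = $p.Name
            Enabled        = $p.Enabled
            DefaultInbound = $p.DefaultInboundAction
            Status         = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$smbRules = @(
    @{ Side = 'Client'; Key = $wks; Value = 'RequireSecuritySignature'; Want = 1
       Policy = 'Digitally sign communications (always)' },
    @{ Side = 'Client'; Key = $wks; Value = 'EnableSecuritySignature';  Want = 1
       Policy = 'Digitally sign communications (if server agrees)' },
    @{ Side = 'Client'; Key = $wks; Value = 'EnablePlainTextPassword';  Want = 0
       Policy = 'Send unencrypted password to third-party SMB servers' },
    @{ Side = 'Server'; Key = $srv; Value = 'RequireSecuritySignature'; Want = 1
       Policy = 'Digitally sign communications (always)' },
    @{ Side = 'Server'; Key = $srv; Value = 'EnableSecuritySignature';  Want = 1
       Policy = 'Digitally sign communications (if client agrees)' },
    @{ Side = 'Server'; Key = $srv; Value = 'EnableForcedLogoff';       Want = 1
       Policy = 'Disconnect clients when logon hours expire' }
)

function Test-SmbPolicy {
    foreach ($r in $smbRules) {
        # A missing value is reported as FAIL: the default is not what the policy requires
        $actual = (Get-ItemProperty -Path $r.Key -Name $r.Value -ErrorAction SilentlyContinue).($r.Value)
        $ok = ($null -ne $actual) -and ([int]$actual -eq $r.Want)
        [pscustomobject]@{
            Side     = $r.Side
            Policy   = $r.Policy
            Current  = if ($null -eq $actual) { '(absent)' } else { $actual }
            Expected = $r.Want
            Status   = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-FirewallDefaultDeny | Format-Table -AutoSize
Test-SmbPolicy           | Format-Table -AutoSize -Wrap
```

To set the firewall defaults on a standalone host, Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block does it in one line; on domain members, deliver both the firewall and SMB settings through Group Policy so the build standard, not the local registry, is the source of truth. Get-SmbServerConfiguration and Get-SmbClientConfiguration expose the signing settings as RequireSecuritySignature and EnableSecuritySignature if you prefer the cmdlets to the raw registry values.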


Software and Applications Image / Patching and Updates

  • Which packages and applications are defined within the Secure Build Standard? For example, anti-virus, data leakage protection, firewalling and file integrity monitoring?
  • Is there a process to check that the latest versions and patches have been tested and applied?
  • Are automated updates to packages disabled in favor of scheduled, planned updates deployed in conjunction with a Change Management process?
  • Can you provide a documented baseline of packages and versions that are approved?
  • What is the process for periodically updating the baselines with any approved changes?


Auditing and Change Control

  • Are audit trails enabled for all access, use of privilege, configuration changes and object access, creation and deletion? Are audit trails securely backed up and retained for at least 12 months?
  • Is file integrity monitoring used to verify the secure build standard/hardened server policy?
  • Is there a Change Management process, including a change proposal (covering impact analysis and roll back provisions), change approval, QA Testing and Post Implementation Review?

To provide sufficiently comprehensive audit trails for compliance, events logged will need to be securely backed-up at a central log server. This not only requires some means of forwarding events from monitored servers to the log server (usually a Syslog forwarding agent, like NNT Log Tracker) but also a structured audit policy.

Specific Examples: Advanced Audit Policy: Logon/Logoff

  • Audit Logoff - Success
  • Audit Logon - Success and Failure
  • Audit Other Logon/Logoff Events - Success and Failure
  • Audit Special Logon - Success
Tip: See NNT's full, recommended audit policy for PCI DSS here
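As an added example (not from the original page or from NNT), the script below reads the effective Logon/Logoff audit subcategories with auditpol, compares them with the four settings listed above and optionally applies any that are missing. It relies on auditpol's /r switch, which emits CSV and so can be parsed reliably.

```powershell
# Added example (not from the original page): compare the effective Logon/Logoff
# audit subcategories with the required settings above and optionally fix them.

$required = @{
    'Logoff'                    = 'Success'
    'Logon'                     = 'Success and Failure'
    'Other Logon/Logoff Events' = 'Success and Failure'
    'Special Logon'             = 'Success'
}

function Get-AuditSubcategory {
    param([string]$Category = 'Logon/Logoff')
    # /r gives CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Blank lines are dropped before parsing.
    & auditpol.exe /get /category:"$Category" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
}

function Test-LogonAuditPolicy {
    param([switch]$Remediate)
    $rows = Get-AuditSubcategory
    foreach ($name in $required.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '(unknown)' }
        $ok     = ($actual -eq $required[$name])
        if (-not $ok -and $Remediate) {
            # Translate "Success and Failure" / "Success" into auditpol's enable/disable flags
            $succ = if ($required[$name] -match 'Success') { 'enable' } else { 'disable' }
            $fail = if ($required[$name] -match 'Failure') { 'enable' } else { 'disable' }
            & auditpol.exe /set /subcategory:"$name" "/success:$succ" "/failure:$fail" | Out-Null
        }
        [pscustomobject]@{
            Subcategory = $name
            Current     = $actual
            Required    = $required[$name]
            Status      = if ($ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-LogonAuditPolicy | Format-Table -AutoSize
```

Advanced audit subcategories only take effect when the security option "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled; otherwise the legacy nine-category policy wins and the settings above are silently ignored, so include that option in the build standard and check it alongside the subcategories.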



So what is the Server Hardening Policy for you?

Getting access to a hardening checklist or server hardening policy is easy enough. For example, the Center for Internet Security publishes the CIS Benchmarks, Microsoft and Cisco publish their own guidance for Windows and for Cisco ASA and Cisco routers, and NIST's National Checklist Program Repository (hosted alongside the National Vulnerability Database) catalogues checklists for a wide range of Linux, Unix, Windows and firewall products, many of them as SCAP/OVAL content that can be applied and verified automatically.

However, any default checklist must be applied within the context of your server's operation – what is its role? For example, if it is internet-facing then it will need to be substantially more hardened with respect to access control than if it is an internal database server behind a perimeter and internal firewall. Once you have established your hardened server policy and have applied the various security best practice checklists to your hardened server build, you will now need to regularly audit all servers and devices within your estate for compliance with the build standard.

Ideally, the hardened build standard for your server hardening policy will be monitored continuously, with any drift in configuration settings being reported. In conjunction with your change management process, changes reported can be assessed, approved and either remediated or promoted to the configuration baseline. NNT Change Tracker provides Intelligent Change Control, which means that changes only need to be approved once, for one server only, for any other occurrences of the same change pattern to be automatically approved. This intelligent learning approach removes the biggest problem with most FIM and SIEM systems in that 'change noise' can easily become overwhelming. 

Top Tip:
In any large estate, commercial systems like NNT Change Tracker or Tripwire® Enterprise provide automated means of auditing and scoring compliance with your chosen server hardening policy.

Top Tip:
The CIS Benchmark Checklists are an ideal reference source because the configuration hardening recommendations are consensus-based.

Top Tip:
Applying the hardened build settings can also be automated using NNT Threat Mitigation Kits, comprising the appropriate hardened build templates for deployment using Group Policy or Puppet.

To try examples of NNT Threat Mitigation Kits, request a trial system here



Prevention of security breaches is the best approach to data security. By locking out configuration vulnerabilities through hardening measures, servers become substantially harder to compromise; no server is attack-proof, which is why the hardened configuration must also be monitored for drift.

Using file integrity monitoring not only provides an initial audit and compliance score for all servers against standardized hardening checklists but ensures all platforms remain securely configured at all times.

USA Offices
New Net Technologies LLC
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
201 17th Street, Suite 300
Atlanta, Georgia, 30363.

Tel: 1-888-898-0674
UK Office
New Net Technologies LLC
Rivers Lodge
West Common

Tel: 01582 287310
Copyright 2018, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.