CIS Benchmark SYSTEM HARDENING VULNERABILITY MANAGEMENT

Every organization should have a hardened Windows build standard, a hardened Linux build standard, a hardened SQL Server / Oracle database build standard, a hardened firewall standard etc. However, determining what is an appropriate server hardening policy for your environment will require detailed research of hardening checklists and then an understanding of how this should be applied to your operating systems and applications.

NNT specialize in providing automated file integrity monitoring solutions, and NNT Change Tracker has been developed to play a key part in any IT security strategy by continuously auditing all IT systems for compliance with Best Practice in security configuration.

All governance, regulatory and compliance standards such as NIST SP 800-53, SOX, NERC CIP, ISO27001, PCI DSS, DISA STIG and HIPAA all call for strong cyber security defenses, with a hardened build-standard at the core. This is maintained using file integrity monitoring to highlight any significant changes or 'drift'.

Data Protection and Information Security best practice guidelines always place server hardening at the top of the list of measures that should be taken.

Top Tip: The CIS Benchmark Checklists are an ideal reference source because the configuration hardening recommendations are consensus based. In other words, the very best brains available, including security researchers, white hat hackers and the manufacturers themselves, have collaborated to pool their collective knowledge about exploits and vulnerabilities and to document how these can be mitigated or remediated from Windows, Linux, Unix, Database systems etc.

NNT Change Tracker is one of an elite group of products certified by the Center for Internet Security to deliver an accurate CIS Hardening Checklist audit of server and database platforms.

Server Hardening Policy background: Any server deployed in its default state will naturally be lacking in even basic security defenses. This leaves it vulnerable to compromise. In order to mitigate potential exploits it is vital that servers are hardened:

User Accounts and Password

  • Is there a regular review process for removing redundant or leavers’ accounts?
  • Is there an audit trail of all account creation, privilege or rights assignments and a process for approval?
  • Default local accounts, such as the Windows Guest account, should be disabled. Similarly, the built-in Administrator and Guest accounts on Windows should be renamed: a well-known default account name is as good as having no username control at all

Specific examples: Account Policy that utilizes all password parameters, for example,

  • Maximum Password Age – 60 or fewer days (but not 0)
  • Minimum password age to 1 or more days
  • Minimum password length to 14 or more characters
  • Enable Password Complexity
  • Account lockout threshold to 10 or fewer attempts (but not 0)
  • Reset account lockout counter after 15 minutes or longer
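As an added example (not NNT's code or tooling), the following Python checks the [System Access] section of a `secedit /export /cfg <file>` result against the thresholds above, plus the rename/disable recommendations for the built-in accounts from the previous section. The sample export text is constructed; the key names are those secedit writes.

```python
import configparser

# Constructed sample of a `secedit /export /cfg <file>` result (values made up;
# a real export is UTF-16LE, so open it with encoding="utf-16").
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
ResetLockoutCount = 15
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
"""


def parse_system_access(text):
    """Return [System Access] keys, as ints where numeric, else bare strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the exported key names' case
    cp.read_string(text)
    out = {}
    for key, raw in cp["System Access"].items():
        raw = raw.strip().strip('"')
        out[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return out


# (label, secedit key, predicate); an absent key fails, which is what happens to
# ResetLockoutCount when the lockout threshold is 0 (lockout disabled).
CHECKS = [
    ("Maximum password age 1-60 days (not 0)", "MaximumPasswordAge", lambda v: 1 <= v <= 60),
    ("Minimum password age >= 1 day", "MinimumPasswordAge", lambda v: v >= 1),
    ("Minimum password length >= 14", "MinimumPasswordLength", lambda v: v >= 14),
    ("Password complexity enabled", "PasswordComplexity", lambda v: v == 1),
    ("Lockout threshold 1-10 attempts (not 0)", "LockoutBadCount", lambda v: 1 <= v <= 10),
    ("Reset lockout counter >= 15 min", "ResetLockoutCount", lambda v: v >= 15),
    ("Built-in Administrator renamed", "NewAdministratorName", lambda v: v != "Administrator"),
    ("Guest account disabled", "EnableGuestAccount", lambda v: v == 0),
]


def check_account_policy(text):
    """Map each checklist label to True (compliant) or False (non-compliant)."""
    settings = parse_system_access(text)
    return {label: key in settings and bool(ok(settings[key]))
            for label, key, ok in CHECKS}
```

On the constructed sample, the four password-age/length checks and the Administrator rename fail while the remaining four pass.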

NNT can provide an exacting services profile for a default hardened build – please request this here

Operating System Configuration

  • Is the OS service packed/patched to latest levels and is this reviewed at least once a month?
  • Are all services/daemons removed or disabled where not required? Obvious candidates such as web, ftp and telnet services should be removed, and remote desktop access should be removed if business operations will not be overly compromised. The best tip is to remove everything you know is not required (e.g. the Themes service), then carefully experiment, one at a time, with other services you suspect are unnecessary but are not sure about. Don't feel obliged to take this too far: if disabling a service compromises server operation too much for you, you need not disable it.
  • What about open ports? Do you know which ports are open? Is there a good reason for the ports being open or can they be removed? Can you detect new ports when they appear?
  • Has the Local Security Policy been fully leveraged? Exploitable vulnerabilities can be mitigated by correct use of the Security Policy, with hundreds of fine-grain security configuration controls provided to strengthen security

Specific examples: User Account Control Settings:

  • Allow UIAccess applications to prompt for elevation without using the secure desktop - Disabled
  • Behavior of the elevation prompt for administrators in Admin Approval Mode - Prompt for consent on the secure desktop
  • Behavior of the elevation prompt for standard users - Automatically deny elevation requests
  • Detect application installations and prompt for elevation – Enabled
  • Only elevate UIAccess applications that are installed in secure locations – Enabled
  • Run all administrators in Admin Approval Mode – Enabled
  • Virtualize file and registry write failures to per-user locations – Enabled


Filesystem Permissions

  • For example, for Unix and Linux servers, are permissions on key security files such as /etc/passwd and /etc/shadow set in accordance with best practice checklist recommendations?
  • Is sudo being used, and are only root/wheel members allowed to use it?
  • For Windows servers, are the key executables, DLLs and drivers in the System32 and SysWOW64 folders protected, along with Program Files and Program Files (x86)?

Specific Example: Apply File Integrity Monitoring to the following files/folders

  • %PROGRAMFILES%, use SHA1 hash, system file changes, exclude log files, recursive
  • %PROGRAMFILES(x86)%, use SHA1 hash, system file changes, exclude log files, recursive
  • %SYSDIR%, use SHA1 hash, system file changes, exclude log files, recursive
  • %WINDIR%\SysWOW64, use SHA1 hash, system file changes, exclude log files, recursive
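As an added example (not NNT's code or Change Tracker), the following Python implements the profile above in miniature: hash every file under a folder recursively, exclude log files, and report drift against an earlier baseline as added, removed or modified. The sample tree is constructed in a temporary directory standing in for %PROGRAMFILES%; SHA1 is used because the profile names it, although SHA-256 is the stronger choice today.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes left out of the baseline, per the "exclude log files" rule above.
EXCLUDE_SUFFIXES = (".log",)


def hash_file(path, algo="sha1"):
    """Hash a file in chunks; the profile above names SHA1 (SHA-256 is stronger)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Recursively map POSIX-style relative path -> hash for every non-excluded file."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.name.lower().endswith(EXCLUDE_SUFFIXES)}


def diff_baselines(old, new):
    """Classify drift between two baselines: added, removed and modified files."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo():
    """Constructed sample tree standing in for %PROGRAMFILES%, one change per class."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "app"
        app.mkdir()
        (app / "svc.exe").write_bytes(b"original binary")
        (app / "old.dll").write_bytes(b"to be removed")
        (app / "svc.log").write_text("log noise that must not count as drift")
        before = build_baseline(d)
        (app / "svc.exe").write_bytes(b"tampered binary")   # modified
        (app / "old.dll").unlink()                           # removed
        (app / "new.dll").write_bytes(b"dropped in later")   # added
        (app / "svc.log").write_text("more log noise")       # still ignored
        return diff_baselines(before, build_baseline(d))
```

In production the baseline would be stored off-box and compared on a schedule, with each reported change routed through change management rather than silently re-baselined.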


Client/Server Network Security

  • Is the built-in software Firewall enabled and configured as ‘Deny All’?
  • On Linux, have the TCP Wrappers been configured for a Deny All setup?
  • Have Remotely Accessible Registry Paths and Shares been restricted appropriately for your environment? This will be different for a Member Server compared to a Domain Controller

Specific Examples: Security Policy: Network Client and Network Server settings

  • Digitally sign communications (if server agrees) – Enabled
  • Send unencrypted password to third-party SMB servers - Disabled
  • Digitally sign communications (always) - Enabled
  • Digitally sign communications (if client agrees) - Enabled
  • Disconnect clients when logon hours expire - Enabled


Software and Applications Image / Patching and Updates

  • Which packages and applications are defined within the Secure Build Standard? For example, anti-virus, data leakage protection, firewalling and file integrity monitoring?
  • Is there a process to check that the latest versions and patches have been tested and applied?
  • Are automated updates to packages disabled in favor of scheduled, planned updates deployed in conjunction with a Change Management process?
  • Can you provide a documented baseline of packages and versions that are approved?
  • What is the process for periodically updating the baselines with any approved changes?

Auditing and Change Control

  • Are audit trails enabled for all access, use of privilege, configuration changes and object access, creation and deletion? Are audit trails securely backed up and retained for at least 12 months?
  • Is file integrity monitoring used to verify the secure build standard/hardened server policy?
  • Is there a Change Management process, including a change proposal (covering impact analysis and rollback provisions), change approval, QA Testing and Post Implementation Review?

To provide sufficiently comprehensive audit trails for compliance, logged events will need to be securely backed up to a central log server. This requires not only some means of forwarding events from monitored servers to the log server (usually a Syslog forwarding agent, like NNT Log Tracker), but also a structured audit policy.

Specific Examples: Advanced Audit Policy: Logon/Logoff

  • Audit Logoff - Success
  • Audit Logon - Success and Failure
  • Audit Other Logon/Logoff Events - Success and Failure
  • Audit Special Logon - Success

NNT can provide more comprehensive build guidance for configuration of the Windows Advanced Audit Policy here

So what is the Server Hardening Policy for you?: Getting access to a hardening checklist or server hardening policy is easy enough. For example, the Center for Internet Security provide the CIS hardening checklists, Microsoft and Cisco produce their own checklists for Windows and Cisco ASA and Cisco routers, and the National Vulnerability Database hosted by NIST provides checklists for a wide range of Linux, Unix, Windows and firewall devices. NIST also provide the National Checklist Program Repository, based around the SCAP and OVAL standards.

However, any default checklist must be applied within the context of your server’s operation – what is its role? For example, if it is internet-facing then it will need to be substantially more hardened with respect to access control than if it is an internal database server behind a perimeter and internal firewall.

Top Tip: In any large estate, commercial systems like NNT Change Tracker or Tripwire® Enterprise provide automated means of auditing and scoring compliance with your chosen server hardening policy.

Server Hardening and File Integrity Monitoring: Once you have established your hardened server policy and have applied the various security best practice checklists to your hardened server build, you will now need to regularly audit all servers and devices within your estate for compliance with the build standard.

Top Tip: Applying the hardened build settings can also be automated using NNT Threat Mitigation Kits, comprising the appropriate hardened build templates for deployment using Group Policy or Puppet.

To try examples of NNT Threat Mitigation Kits, request a trial system here

Ideally, the hardened build standard for your server hardening policy will be monitored continuously, with any drift in configuration settings being reported. In conjunction with your change management process, reported changes can be assessed, approved and either remediated or promoted to the configuration baseline. NNT Change Tracker provides Intelligent Change Control, which means that a change only needs to be approved once, on one server, for any other occurrences of the same change pattern to be automatically approved. This intelligent learning approach removes the biggest problem with most FIM and SIEM systems: 'change noise' can easily become overwhelming.

Summary: Prevention of security breaches is the best approach to data security. By locking out configuration vulnerabilities through hardening measures, servers can be rendered secure and attack-proof.

Using file integrity monitoring not only provides an initial audit and compliance score for all servers against standardized hardening checklists, but ensures all platforms remain securely configured at all times.
