System Hardening and Vulnerability Management

System Hardening is the process of securing a system’s configuration and settings to reduce IT vulnerability and the possibility of being compromised. This can be done by reducing the attack surface and attack vectors which attackers continuously try to exploit for purpose of malicious activity.

By creating a secure and compliant state for all IT systems and combining that with ongoing, context-based change control plus baseline management, Change Tracker™ Gen7 R2 ensures systems remain in a secure and compliant state at all times.

Download The Complete Hardened Services Guide

Understand the recommended hardened services settings for various compliance standards & requirements.

Download CIS Benchmarks

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.

Windows Server

Windows Desktop

Windows 10

Linux

CentOS

CIS CentOS Linux 8 Benchmark v1.0.0
CIS CentOS Linux 7 Benchmark v3.0.0
CIS CentOS Linux 7 Benchmark v2.2.0
CIS CentOS Linux 6 Benchmark v2.1.0

Apple OSX

Cisco

IBM

Database Servers

IBM DB2

CIS IBM DB2 10 Benchmark v1.1.0
CIS IBM DB2 9 Benchmark v3.0.1
CIS IBM DB2 Benchmark v1.2.0

MS SQL Server

CIS Microsoft SQL Server 2019 Benchmark v1.1.0
CIS Microsoft SQL Server 2019 Benchmark v1.0.0
CIS Microsoft SQL Server 2017 Benchmark v1.1.0
CIS Microsoft SQL Server 2017 Benchmark v1.0.0
CIS Microsoft SQL Server 2016 Benchmark v1.2.0
CIS Microsoft SQL Server 2016 Benchmark v1.1.0
CIS Microsoft SQL Server 2014 Benchmark v1.5.0
CIS Microsoft SQL Server 2012 Benchmark v1.5.0
CIS Microsoft SQL Server 2008 R2 Benchmark v1.7.0
CIS Microsoft SQL Server 2008 R2 Benchmark v1.6.0

Sharepoint Servers

DNS and Authentication Servers

Email Servers

Office Applications

Office 365

CIS Microsoft Office 365 Foundations Benchmark v1.2.0

CIS Microsoft Office 365 Foundations Benchmark v1.0.0

Other Applications

Virtualization and Container Servers

VMware

CIS VMware ESXi 6.7 Benchmark v1.1.0
CIS VMware ESXi 6.5 Benchmark v1.0.0
CIS VMware ESXi 5.5 Benchmark v1.2.0
CIS VMware ESXi 5.1 Benchmark v1.0.1

Kubernetes

CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
CIS Google Kubernetes Engine (GKE) Benchmark v1.1.0
CIS Google Kubernetes Engine (GKE) Benchmark v1.0.0
CIS Kubernetes Benchmark v1.6.1
CIS Kubernetes Benchmark v1.6.0
CIS Kubernetes Benchmark v1.5.1
CIS Kubernetes Benchmark v1.5.0
CIS Kubernetes Benchmark v1.4.0
CIS Kubernetes Benchmark v1.2.0
CIS Kubernetes Benchmark v1.1.0

Cloud Providers

Amazon Web Services

CIS Amazon Web Services Foundations Benchmark v1.3.0

CIS Amazon Web Services Foundations Benchmark v1.2.0

CIS Amazon Web Services Three-tier Web Architecture Benchmark v1.0.0

Operational Technology / Industrial Control Systems (ICS/OT)

Mobile Devices

Apple iOS
Google Android

Apple iOS
Google Android

Apple iOS

CIS Apple iOS 13 and iPadOS 13 Benchmark v1.0.0
CIS Apple iOS 12 Benchmark v1.0.0
CIS Apple iOS 11 Benchmark v1.0.0
CIS Apple iOS 10 Benchmark v1.0.0
CIS Apple iOS 9 Benchmark v1.0.0

Secure Configuration – No compromise
Full range of CIS Benchmark hardening reports are built-in at no extra cost. NNT are one of a handful of CIS Certified Vendors – The Center for Internet Security are the industry's authoritative source of secure configuration guidance. STIGs and any other SCAP/OVAL automated content can also be used.

Remediation Guidance? Vulnerability Details? All yours
Hardening doesn't have to be Hard! Clear, concise guidance makes hardening systems an almost 'paint-by-numbers' process. Rationale for any hardening measures provided in plain English, together with all remediation commands and settings needed.

Auditor-ready reports to prove compliance
And for compliance, get all the evidential reports you and your auditor could wish for – dashboards, exceptions-only, estate-wide. Full change tracking shows where any Planned Changes have been approved – compliance doesn't have to be a drag.

Key Issues - System Hardening and Vulnerability Management

1. How do you make systems truly secure?

A hardened system is one that is fundamentally secure and rendered hack-proof. Hardening a device requires known security 'vulnerabilities' to be eliminated or mitigated. A 'vulnerability' is any weakness or flaw in software design, implementation, administration and configuration of a system, which provides a mechanism for an attacker to exploit. A secure, locked down configuration requires care to achieve a good balance between security and operational function.

Vulnerability management and maintaining a hardened build standard are inextricably linked to tight change control. Any configuration changes, be it a through patching or other system maintenance, may introduce vulnerabilities so visibility and control of changes is an essential security best practice.

» Learn more about Configuration Management/Change Control and File Integrity Monitoring here

2. How do you get comprehensive and authoritative hardening checklists for all IT systems?

Authoritative hardening checklists for all platforms, database systems and applications – CIS Benchmarks

While there are numerous reference sources for such checklists – The SANS Institute, NIST, Microsoft and Oracle all publish hardening best practice checklists, plus there are numerous guides and forums across the internet - these different sources can lead to contradictory advice, provided in inconsistent formats.

The Center for Internet Security are the information security industry's Number One authority on secure-configuration guidance. CIS Benchmarks are recognized as the Industry-standard for System hardening and Vulnerability Mitigation guidance.

And because CIS Benchmark vulnerability mitigation intelligence is consensus-derived from a variety of manufacturer, security specialist and academic sources, this approach delivers the most complete and accurate hardening checklists available.

Included for each vulnerability is a detailed description, rationale and testing direction for auditing compliance. Where vulnerabilities are identified, easy-to-understand remediation advice is presented.

Best of all, CIS Benchmarks are consistently presented for all

Windows, Linux and Unix platforms
Database Systems such as SQL Server, Oracle, DB2 and MySQL
Applications such as web servers, email servers, LDAP, DNS and Browsers
Virtualization Platforms such as ESX Server
Mobile platforms such as iOS and Android
Network Devices and Firewalls such as Cisco, Juniper and CheckPoint

NNT are one of a handful of CIS Certified Vendors – NNT provide a full range of CIS Benchmark reports that can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build-standard. This ensures systems stay within compliance 24/7.

» Learn more about CIS Benchmarks and File Integrity Monitoring here

» Learn more about database hardening and File Integrity Monitoring here

3. How do you measure and maintain compliance with your hardened build standard and governance standard?

Hardening checklists are usually lengthy, complex to understand and time-consuming to implement, even for one server, let alone a whole estate. A typical checklist for an operating system like Windows or Linux will run into hundreds of tests and settings.

The typical approach to testing for vulnerabilities and measuring compliance with a hardened build standard is to use a vulnerability scanner , such as Qualys®, Rapid 7®, Nessus® or Tripwire®/nCircle®.

There are two problems with this – first, scans are simply a snapshot of compliance and any configuration drift between scans will not be detected leaving systems vulnerable to attack until the next scheduled scan. The other major problem is that a scanner is blind to zero day threats and doesn't provide any file integrity monitoring to detect breach activity. NNT's non-stop file integrity monitoring provides continuous compliance assessment and real-time breach detection.

» Learn more about Continuous Compliance and File Integrity Monitoring here

» Learn more about Breach Detection and File Integrity Monitoring here

Additional System Hardening Resources

System Hardening Blog

All System Hardening Blogs

System Hardening White Papers

System Hardening Articles

The Most Powerful & Reliable Cybersecurity Products

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Latest Resources

CIS

Access CIS Resources
Access a broad range of CIS Benchmark reports to audit your enterprise and continuously monitor for any drift from your hardened state.
Download Reports »

Server Hardening

Server Hardening Resources
Download Hardened Services checklists, derived by NNT in conjunction with Microsoft, to manually audit your servers for compliance.
Download Checklists »

Audit Policy

Audit Policy Template Resources
Gain access to audit policies derived from the Center for Internet Security to generate audit logs on all relevant security levels.
Download Audit Policies »

Next Steps

Are you ready to get started in securing your IT environment with
industry-approved foundational controls, intelligent change control and automation?