System Hardening and Vulnerability Management

System Hardening is the process of securing a system’s configuration and settings to reduce IT vulnerability and the possibility of being compromised. This can be done by reducing the attack surface and attack vectors which attackers continuously try to exploit for purpose of malicious activity.

By creating a secure and compliant state for all IT systems and combining that with ongoing, context-based change control plus baseline management, Change Tracker™ Gen7 R2 ensures systems remain in a secure and compliant state at all times.

Hardened Services Guide »
Understand the recommended hardened services settings for various compliance standards and requirements.

Download CIS Benchmarks

Windows Desktop

Windows 10

CIS Microsoft Windows 10 Enterprise Release 1809 Benchmark v1.6.0
CIS Microsoft Windows 10 Enterprise Release 1803 Benchmark v1.5.0
CIS Microsoft Windows 10 Enterprise Release 1709 Benchmark v1.4.0
CIS Microsoft Windows 10 Enterprise Release 1703 Benchmark v1.3.0
CIS Microsoft Windows 10 Enterprise Release 1607 Benchmark v1.2.0
CIS Microsoft Windows 10 Enterprise Release 1511 Benchmark v1.1.1

Linux

CentOS

CIS CentOS Linux 7 Benchmark v2.2.0
CIS CentOS Linux 6 Benchmark v2.1.0

Apple OSX

Cisco

Database Servers

IBM DB2

CIS IBM DB2 10 Benchmark v1.1.0
CIS IBM DB2 9 Benchmark v3.0.1
CIS IBM DB2 Benchmark v1.2.0

Sharepoint Servers

DNS and Authentication Servers

Secure Configuration – No compromise
Full range of CIS Benchmark hardening reports are built-in at no extra cost. NNT are one of a handful of CIS Certified Vendors – The Center for Internet Security are the industry's authoritative source of secure configuration guidance. STIGs and any other SCAP/OVAL automated content can also be used.

Remediation Guidance? Vulnerability Details? All yours
Hardening doesn't have to be Hard! Clear, concise guidance makes hardening systems an almost 'paint-by-numbers' process. Rationale for any hardening measures provided in plain English, together with all remediation commands and settings needed.

Auditor-ready reports to prove compliance
And for compliance, get all the evidential reports you and your auditor could wish for – dashboards, exceptions-only, estate-wide. Full change tracking shows where any Planned Changes have been approved – compliance doesn't have to be a drag.

Key Issues - System Hardening and Vulnerability Management

1. How do you make systems truly secure?

A hardened system is one that is fundamentally secure and rendered hack-proof. Hardening a device requires known security 'vulnerabilities' to be eliminated or mitigated. A 'vulnerability' is any weakness or flaw in software design, implementation, administration and configuration of a system, which provides a mechanism for an attacker to exploit. A secure, locked down configuration requires care to achieve a good balance between security and operational function.

Vulnerability management and maintaining a hardened build standard are inextricably linked to tight change control. Any configuration changes, be it a through patching or other system maintenance, may introduce vulnerabilities so visibility and control of changes is an essential security best practice.

» Learn more about Configuration Management/Change Control and File Integrity Monitoring here

2. How do you get comprehensive and authoritative hardening checklists for all IT systems?

Authoritative hardening checklists for all platforms, database systems and applications – CIS Benchmarks

While there are numerous reference sources for such checklists – The SANS Institute, NIST, Microsoft and Oracle all publish hardening best practice checklists, plus there are numerous guides and forums across the internet - these different sources can lead to contradictory advice, provided in inconsistent formats.

The Center for Internet Security are the information security industry's Number One authority on secure-configuration guidance. CIS Benchmarks are recognized as the Industry-standard for System hardening and Vulnerability Mitigation guidance.

And because CIS Benchmark vulnerability mitigation intelligence is consensus-derived from a variety of manufacturer, security specialist and academic sources, this approach delivers the most complete and accurate hardening checklists available.

Included for each vulnerability is a detailed description, rationale and testing direction for auditing compliance. Where vulnerabilities are identified, easy-to-understand remediation advice is presented.

Best of all, CIS Benchmarks are consistently presented for all

Windows, Linux and Unix platforms
Database Systems such as SQL Server, Oracle, DB2 and MySQL
Applications such as web servers, email servers, LDAP, DNS and Browsers
Virtualization Platforms such as ESX Server
Mobile platforms such as iOS and Android
Network Devices and Firewalls such as Cisco, Juniper and CheckPoint

NNT are one of a handful of CIS Certified Vendors – NNT provide a full range of CIS Benchmark reports that can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build-standard. This ensures systems stay within compliance 24/7.

» Learn more about CIS Benchmarks and File Integrity Monitoring here

» Learn more about database hardening and File Integrity Monitoring here

3. How do you measure and maintain compliance with your hardened build standard and governance standard?

Hardening checklists are usually lengthy, complex to understand and time-consuming to implement, even for one server, let alone a whole estate. A typical checklist for an operating system like Windows or Linux will run into hundreds of tests and settings.

The typical approach to testing for vulnerabilities and measuring compliance with a hardened build standard is to use a vulnerability scanner , such as Qualys®, Rapid 7®, Nessus® or Tripwire®/nCircle®.

There are two problems with this – first, scans are simply a snapshot of compliance and any configuration drift between scans will not be detected leaving systems vulnerable to attack until the next scheduled scan. The other major problem is that a scanner is blind to zero day threats and doesn't provide any file integrity monitoring to detect breach activity. NNT's non-stop file integrity monitoring provides continuous compliance assessment and real-time breach detection.

» Learn more about Continuous Compliance and File Integrity Monitoring here

» Learn more about Breach Detection and File Integrity Monitoring here

Additional System Hardening Resources

System Hardening Blog

System Hardening White Papers

System Hardening Case Studies

System Hardening Articles

NNT Suite of Products

Combine industry leading Device Hardening, File Integrity Monitoring, Change Control, Configuration Management & Compliance Management into one easy to use solution that can scale to the most demanding environments!

Automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Integrity Assurance.

Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds.

Continuously scan and identify vulnerabilities with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

Latest Resources

CIS

Access CIS Resources
Access a broad range of CIS Benchmark reports to audit your enterprise and continuously monitor for any drift from your hardened state.
Download Reports »

Server Hardening

Server Hardening Resources
Download Hardened Services checklists, derived by NNT in conjunction with Microsoft, to manually audit your servers for compliance.
Download Checklists »

Audit Policy

Audit Policy Template Resources
Gain access to audit policies derived from the Center for Internet Security to generate audit logs on all relevant security levels.
Download Audit Policies »