What are the recommended hardened services settings for Windows for PCI DSS, NERC-CIP, NIST 800-53 / 800-171 or other compliance standards?
Security best practice advocates minimizing your IT systems' 'attack surface'. By using CIS Benchmark secure configuration guidance we can harden systems against attack: known vulnerabilities can be removed and defenses strengthened by applying an expert-derived configuration policy.
The Center for Internet Security also recommends hardening services configurations, cutting back functionality to further reduce the opportunities to compromise a system. However, the demands of each organization, their IT services and their environment are all different, making it impossible to accurately prescribe a hardened services policy for every situation.
To help you get started with deriving your own hardened services policies, NNT, in conjunction with Microsoft, has provided the following Hardened Services checklists. You can manually audit your server for compliance using the checklists provided below, changing service startup mode and state using the Windows Services Console (search or run -> services.msc). As ever, it pays to test application and service delivery as you apply hardening measures, to ensure required functionality is preserved while security is improved.
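The manual audit described above can be scripted so the same check is repeatable across servers. The following is an added example, not NNT's or Microsoft's checklist code; the baseline entries in it are constructed sample values for illustration, and you should replace them with the policy you derive for your own environment.

```powershell
# Added example: compare Windows service startup modes against a hardened-services
# baseline and report deviations. Baseline entries are constructed samples, not a
# recommendation for any particular environment.

# Desired state: service name -> expected StartMode as reported by Win32_Service
# (Auto, Manual, Disabled). These match "Startup Type" in services.msc.
$Baseline = @{
    'RemoteRegistry' = 'Disabled'   # sample entry
    'Spooler'        = 'Disabled'   # sample entry
    'WinRM'          = 'Manual'     # sample entry
    'EventLog'       = 'Auto'       # sample entry
}

function Get-ServiceBaselineDeviations {
    param([Parameter(Mandatory)] [hashtable] $Baseline)

    # Win32_Service exposes StartMode and State (Running/Stopped), which is what the
    # Services console shows as "Startup Type" and "Status".
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, StartMode, State

    foreach ($name in $Baseline.Keys) {
        $expected = $Baseline[$name]
        $svc = $services | Where-Object Name -eq $name

        if (-not $svc) {
            # A service not installed on this host cannot be misconfigured; record it for evidence
            [pscustomobject]@{ Service=$name; Expected=$expected; Actual='NotInstalled'; State=$null; Compliant=$true }
            continue
        }

        # Startup mode must match, and a service set to Disabled must also be stopped
        $compliant = ($svc.StartMode -eq $expected) -and
                     -not ($expected -eq 'Disabled' -and $svc.State -eq 'Running')

        [pscustomobject]@{
            Service   = $name
            Expected  = $expected
            Actual    = $svc.StartMode
            State     = $svc.State
            Compliant = $compliant
        }
    }
}

# Show only the deviations; pipe the full result to Export-Csv to keep audit evidence
Get-ServiceBaselineDeviations -Baseline $Baseline |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the server being audited; remediation (changing the startup type) is still done deliberately per service, after testing, as the text above advises.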
Please contact [email protected] with any questions or to get help with your hardening project.
PCI DSS V3.2: Req 2.2d 'Enabling only necessary services'
- "Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system"