Server Hardening Tools 101

Server hardening refers to the actions performed to reduce the server OS and application attack surface. this is done by changing the default configurations of the system's components (servers, applications, etc.) and removing unnecessary components.

Out of the box, Server OS are more function-oriented rather than for security, which means that unnecessary functions are enabled. Default, insecure configurations reflect a potential attack vector. The benefits of system hardening reduce the server attack surface and assist organizations achieve compliance.

Organizations should implement different server hardening benchmarks for each system component, aspiring to be as granular as possible (differentiating components' type, role, version, environment, etc.) to reduce their security risk.

Hardening has become a mandatory requirement in every regulation. Therefore, setting a good hardening policy is no longer open for debate and there are security hardening best practices that organizations must follow (e.g., CIS Benchmarks and DISA STIG).

When it comes to the different types of system hardening measures, ensuring a robust and granular plan for compliance, the Center for Internet Security (CIS) guidelines play a vital role. CIS Compliance provides a comprehensive system hardening checklist called the CIS Benchmarks which are a set of best practices for securing IT systems, including servers, through robust operating system hardening (OS hardening) and application hardening guidelines.

The CIS guidelines offer detailed recommendations for system configuration, access controls, authentication mechanisms, and vulnerability management, including the regular application of updates and patches. By adhering to CIS Compliance, it serves as a proactive approach to safeguarding critical data and maintaining a strong defense against evolving cyber threats.

After establishing a hardening policy there are 3 stages you must complete to achieve baseline hardening:

Testing – is a critical phase in server hardening where baseline configuration changes should not be applied directly to avoid extensive damage. Despite hardening best practices advocating for disabling potential attack vectors, some specifications may be challenging to implement due to their role in ongoing server and application operations. To determine enforceable rules, a thorough understanding of network dependencies is essential. The testing stage involves creating a simulation of the network environment to assess the impact of each rule enforcement accurately. Although it is the most challenging and resource-intensive stage, it is crucial for preventing production outages if executed improperly.

2. Enforcing - Following the completion of testing for each configuration change’s impact, a reassessment of the policy is necessary to determine the appropriate course of action for each affected rule.

3. Monitoring -Continuous monitoring is crucial for maintaining compliance posture, preventing setbacks, and adapting to the dynamic nature of organizational networks. With the constant changes in applications and hardware, it’s essential to promptly address intentional or unintentional configuration changes to uphold compliance standards.

Patching and updating your systems is a crucial security practice, but it’s not a silver bullet. Having proper tools for performing robust Server hardening and achieving compliance is highly recommended if you are dealing with large complex environments.

There are 4 groups of tools you should check before starting a hardening project:

Compliance scanners
Hardening automation tools
Configuration Management
Free open-source tools

Each type of tool offers a solution for a different stage in the hardening project:

	Testing	Enforcing	Compliance monitoring
Hardening automation tools	V	V	V
Configuration Management tools		V	V
Compliance Scanners			V

Compliance scanners

Features: Compliance Monitoring- only

Description: Compliance scanning focuses on assessing adherence to a certain compliance framework (e.g. CIS Benchmarks, DISA STIG). Compliance scanners produce a report indicating how well a system is hardened comparing to a compliance framework. Compliance tools can be used as complementary tools for assessing hardening but they are not server hardening tools.

Hardening software typically refers to the process of strengthening the security of a system or application rather than specific software products. However, there are various tools and utilities that can aid in the hardening process. These tools are often used to automate security configuration and monitoring. Here are a few examples:

Tripwire Configuration Manager – gives you the ability to view all your assets’ configuration and compliance status of all your assets in a single reporting environment.

Qualys - provides configuration scanning and simplifies workflows to address configuration issues.

NNT SecureOps - provides intelligence change control and automation. Audits and automates continuous compliance. Provides real-time detection for suspicious changes.

Tenable nessus– Provides audit and compliance scanning of computing assets according to the CIS benchmarks. Custom baselines can be created and customized.

CIS-CAT Pro – CIS-CAT® Pro Assessor evaluates the cybersecurity posture of a system against recommended policy settings. The tool helps organizations save time and resources by supporting automated content with policy-setting recommendations based on the globally recognized CIS Benchmarks. By adhering to CIS benchmark compliance, organizations can ensure that their servers are configured to industry-recognized standards, reducing the risk of security breaches and unauthorized access.

Hardening automation tools

Features: Testing, enforcing, monitoring

Description: hardening automation tools offer a complete hardening solution. They transform this tangled process into a ‘click-of-a-button’ task. Using hardening automation tools you won’t need to write a single script or have any specific expertise.

They perform the entire testing procedure automatically by learning your infrastructure’s dependencies and reporting the potential impact of each configuration change. Only this feature alone can save most of the time and resources invested in the hardening project, making hardening automation tools preferable in terms of ROI.

Following the testing phase, hardening automation tools will also implement your policy on your entire production, using a single point of control. This dramatically eases the enforcement task and lowers the possibility of human errors to a minimum. The entire configuration orchestration procedure is easy and controlled from a single point of control.

Finally, hardening automation tools will monitor your network and remediate any undesired changes in compliance posture. It will alert and correct configuration drifts and be reactive to structural changes of the network (setting up new machines or killing old ones). This will promise to preserve your compliance posture.

Hardening automation tools have all the capabilities of Security Configuration tools and Compliance Scanners in addition to the capability to perform impact analysis.

Tools:

CalCom Hardening Automation Suite– CalCom Hardening Automation Suite (CHS) is a server hardening automation platform designed to reduce operational costs and increase infrastructure security and compliance posture. CHS eliminates outages and reduces hardening costs by automating every stage in the hardening process:
1. Automatic impact analysis: indicating the impact of a security hardening change on the production services.
2. Automatic policy implementation: after setting a policy according to the impact analysis report, CHS will implement each policy on the right machine from a single point of control.
3. Continues compliance – CHS will monitor your compliance posture, alert, and remediate configuration drifts.CHS will ensure your compliance level remains high in the dynamic ever-changing infrastructure, so you won’t need to perform hardening from scratch a few months post your initial hardening project.

Configuration management tools

Features: enforcing, monitoring.

Description: according to NIST, security configuration management (SCM) can be described as "The management and control of configurations for an information system with the goal of enabling security and managing risk.". Configuration management tools can help enforce policies in a basic level but achieving robust hardening and compliance is very challenging as they are not server hardening tools.

By using SCM tools you'll be able to:

Enforce your desired policy, enabling you to configure your infrastructure to your desired state.
Easily enforce configuration changes throughout the infrastructure from a single point of control.
Choose the version you're working with.
Easily make changes in code.
Keep track of what changes were made and who changed them.
Approve or reject changes request.
Reporting and recording the configuration status.

Tools:

Ansible - Ansible is a RedHat platform allowing the user to control and develop automation in the IT network. It is not specific for hardening but can be used for that.

Chef – Chef Enterprise Automation Stack (EAS) provides teams implementing DevSecOps with a common approach for automating application delivery, infrastructure configuration, and compliance auditing. It is not specific for hardening but can be used for that.

Puppet - open-sourced powered infrastructure automation platform. It is not specific for hardening but can be used for that.

Microsoft System Center Configuration Management - Microsoft Configuration Manager that provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. It is not specific for hardening but can be used for that.

SolarWinds Network Configuration Manager - features network compliance, network automation, configuration backup, and vulnerability assessment.

Open-source server hardening tools:

Open source hardening tools:

Salt Project – Its automation, infrastructure management, its data-driven orchestration, remote execution, configuration management.

Microsoft Security Compliance Toolkit 1.0 – a set of tools that allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products while comparing them against other security configurations.

Hardening auditor– Scripts for comparing Microsoft Windows compliance with the ASD 1709 & Office 2016 Hardening Guides.

Windows Exploit Suggester Next Generation – WES-NG is a tool based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

Privesc – Windows PowerShell script that finds misconfiguration issues which can lead to privilege escalation.

Windows-privesc-check – Windows-privesc-check is a standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Hardening Tools 101

There are 4 groups of tools you should check before starting a hardening project:

Compliance scanners

Hardening automation tools

Configuration management tools

Open-source server hardening tools:

Subscribe to Email Updates

You might be interested

Experience a personalized demo

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 14 hours	No description
drift_campaign_refresh	30 minutes	No description
fpestid	1 year	No description
st_samesite	session	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.