CalCom CIS Hardening and Configuration Security Guide

The Center for Internet Security (CIS) published an updated version for the CIS Controls- CIS Controls v8. The CIS Controls are a set of gold standard guidelines for organizations facing data security issues. These controls were developed to simplify and help IT ops and security teams to remain focused on the essentials of CIS hardening.

The CIS updates its recommendation according to changes and new discoveries in the Information Security field. The 8^th version of the CIS Controls was published in May 2021. In this version, the CIS changes a little the perspective around baseline security and system hardening.

In this post, we will demonstrate CIS security guidelines for baseline security, and what has changed from the previous versions.

CIS Control 4: Secure Configuration of Enterprise Assets and Software

"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications)".

This Control is all about CIS hardening standards for any configurable component in your system, hardware, and software. Deploying CIS configuration settings is extremely complex. It requires multi-disciplined staff that will analyze potentially hundreds or thousands of possibilities to make the right decision. Furthermore, after configuration settings are deployed, they must be continually managed as the system constantly changes and new vulnerabilities emerge.

There are few options for hardening tools that can help you achieve a hardened infrastructure, but only a few of them are dedicated only to hardening. We strongly recommend automating system hardening. Using unautomated tools will most likely result in one of two scenarios: 1. Critical machines not configured in the most secure fashion, increasing the organization's attack surface. 2. Critical machines downtime due to using manual tools in such complex tasks.

(Resource: CIS Critical Security Controls v8)

12 Actions for Secure Baseline

According to the CIS Controls, there are 12 actions required to achieve a secure baseline.

1)Establish and Implement Security Controls: Maintaining a Secure Configuration Process

This refers to all enterprise assets including the target system (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). It also refers to cloud platforms like Microsoft Azure.

The process of securing configurations has 3 stages:

1. Building a configuration security policy - each system component type, role, version, and environment should have each own policy. The policies should be updated annually, or when a significant change in the organization occurs. The CIS Benchmarks cover policies based on configuration security best practices and security standards.

2. Testing and implementing the policy - Once the policy is approved, it must be implemented in its approved version. Any deviations should be handled as an exception. This stage imposes a major technical challenge and can cause severe damage to the organization when not managed correctly. The main danger in this stage is causing production outages as a result of configuration changes. The desired policy will impact your machines, and in order to avoid production outages, you must understand the potential impact of your policy before enforcing it.

Therefore, each policy should be tested before being pushed to production. The test's goal is to generate an impact analysis report that will indicate each configuration change’s impact on the machine's functionality. This impact analysis is crucial, or downtime will certainly happen.

3. Monitoring the compliance posture – Investing efforts in the proper hardening of servers is not enough. Ongoing monitoring and maintenance are required as the production environment constantly changes and new vulnerabilities are discovered. In addition, you can discover malicious activity by monitoring the compliance posture. Lots of time and money can be saved when adopting healthy habits that will prevent the need to harden your infrastructure from scratch every few years.

2)Establish and Maintain a Secure Configuration Process for Network Infrastructure

Establish the same process mentioned previously on network devices to prevent unauthorized access.

3)Configure Automatic Session Locking: A Key Secure Solution for Enterprise Assets

The default value of Automatic Session Locking in most operating systems (OS) is either Disabled or Not Defined.

To prevent unauthorized access, it is recommended to set Locking time to be no more than 15 minutes in general-purpose OS and no more than 2 minutes on an end-user mobile device. This will help to prevent access from unauthorized users when a currently single user leaves without locking the desktop.

4)Implement and Manage a Firewall on Servers

Firewalls are part of the organization's cybersecurity foundations. But you should be aware that this tool has its own security weaknesses. Therefore, it is important not to put all your trust in it and to be aware of how it is configured and how it can be maliciously used. Here are some examples of firewalls vulnerabilities:

Configuration mistakes - configuring your firewall wrong will make it very easy for an attacker to take this security tool and leverage it for breaching your network. Mistakes such as allowing dynamic routing to be Enabled are common to see.
Missed patches - this is usually a result of bad firewall management. An unpatched firewall is an open gate for attackers to your organization.
Inside threat - firewall won't be useful for attacking that origin inside your organization unless you have an internal firewall.

5)Implement and Manage a Firewall on End-User Devices

End-user device firewalls are the first line of defense against penetration attacks. Personal firewall's job is to: 1. screen incoming traffic and block suspicious code. 2. Screen sent messages that can harm the addressee. 3. Prevent attackers from using logical ports.

6)Securely Manage Enterprise Assets and Software

Examples for best practices for this section will be:

Set a hardening policy that will be specific not only to the type of infrastructure but also specific to its version. Meaning that for example, Windows Server 2016 hardening policy should be different from than Windows Server 2019 hardening policy.
Use only secure network protocols. For example, try to neglect using HTTP where possible.
Try to avoid using insecure protocols (Telnet for instance).

7)Manage Default Accounts on Enterprise Assets and Software

Default accounts have standard build scripts that set their password. This results in having all systems in the environments using the same password.

Let's take for example Administrator default accounts. The reason why your assets hold this option is for you to use it as a setup or as a disaster recovery account. When not used for these purposes, it should be disabled. If you will need to use it for recovery or for booting into safe mode, the account will automatically be re-enabled for use in troubleshooting tools.

By letting people use a default account, you will lose your ability to audit their actions. This will make the task of finding the source in case of an attack, to be impossible. It can also jeopardize compliance with industry standards like PCI DSS.

8)Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Not all system components require all functionalities. While it is the manufacturer's interest to allow as many functionalities possible, it is often doesn't come in one hand with security. Many services expose the organization to vulnerabilities. For example, RDP is one most prevalent tools for attackers to leverage these days. Although there are ways to configure RDP in a more secure fashion, the best practice will be to disable it where it is not needed.

The main challenge in applying this recommendation is to generate an impact analysis report to understand which service is needed where. In this case, you have two options:

Use automation tools that will learn your network and automatically report to you what will be the impact of each change.
Start testing manually each change's impact on your production. This will require you to simulate all types of system components and environments and start testing each change. It will take you long hours, and usually result in human errors that will lead to downtime.

CIS Hardened Images are pre-built computer systems for the cloud that are already configured to be more secure.

You can find here all the tools, paid and free, available for this task.

9)Configure Trusted DNS Servers on Enterprise Assets

The Domain Name Server is a key component of an organization's interface with the Internet and IP networks. The following are recommendations published by SANS Institute for DNS defense:

Stay up to date with the latest patches and builds being released.
Separate between internal and external DNS servers.
Disable recursion.
Try to run DNS servers that are only dedicated to a single purpose.
Diverse in the locations of your DNS servers to help to prevent DoS attacks.
Restrict zone transfer.
Authenticate zone transfer.
Restrict dynamic updates.
Hide the BIND version of the server.
Restrict external access to the DNS servers by using queries for clients with public IP addresses.

10)Enforce Automatic Device Lockout on Portable End-User Devices

Recommended number of failed attempts diverse according to the type of device. For laptops limit number of failed attempts should not accede to 20. For tablets and smartphones, the number of failed attempts should not accede 10.

You can use tools such as InTune Device Lock for Microsoft devices and Apple® Configuration Profile maxFailedAttempts for Apple®.

11)Enforce Remote Wipe Capability on Portable End-User Devices

This is especially important in cases of lost or stolen devices. It is also a good practice for handling a device of a former employee that you want to ban from accessing the organization's data.

12)Separate Enterprise Workspaces on Mobile End-User Devices

Aspire to isolate as much as possible between your employee's mobile workspace and personal usage, ensuring both systems and networks remain uncompromised. This will lower the risk of employees' personal activities being leveraged by attackers to access your network.

Hardening automation tools for CIS system hardening

Hardening automation tools offer a complete hardening solution to implement CIS recommendations. For any target system, they transform this tangled process into a ‘click-of-a-button’ task. Using hardening automation tools you won’t need to write a single script or have any specific expertise. They have all the capabilities of Security Configuration tools and Compliance Scanners in addition to the capability to perform impact analysis.

CalCom Hardening Automation Suite– CalCom Hardening Automation Suite (CHS) is a hardening automation platform designed to reduce operational costs and increase infrastructure security and compliance posture. CHS eliminates outages and reduces hardening costs by automating every stage in the hardening process:

1. Automatic impact analysis: indicating the impact of a security hardening change on the production services.
2. Automatic policy implementation: after setting a policy according to the impact analysis report, CHS will implement each policy on the right machine from a single point of control.
3. Continues compliance – CHS will monitor your compliance posture, alert, and remediate configuration drifts.CHS will ensure your compliance level remains high in the dynamic ever-changing infrastructure, so you won’t need to perform hardening from scratch a few months post your initial hardening project.

Hardening Tools 101

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

CIS Hardening and Configuration Security Guide