Data Protection Hardening Checklist

By Keren Pollack, on June 17th, 2021

Data protection is a broad definition that covers many information security practices. But before jumping into purchasing shiny tools that claim to protect your data, there is a lot you can do to elevate data protection that won’t cost you a penny. You can dramatically reduce your attack surface by enforcing a good hardening policy.

 

This set of checklists will help you build your data protection hardening policy and for the hardening process itself.

These recommendations are based on industry best practices, with a reference to specific rules in the CIS Benchmarks (Windows Server 2019).

CIS Hardening and Configuration Security Guide

We divided data protection hardening into three topics:

  1. Data Access Control
  2. Sensitive Data Transit
  3. Sensitive Data at Rest

 

5 Things you should know before starting to harden:

  1. Hardening means securing your system’s configurations to reduce the attack surface.
  2. Hardening is a basic information security practice that can dramatically decrease chances for successful attacks to happen.
  3. Do not perform any configuration change before testing its impact on your production in a test environment. The potential for downtime is huge.
  4. Establish a configuration change mechanism that will allow you to keep track after every change, in case you’ll need to roll back.
  5. Consider using hardening automation tools to help you with this complicated task and to avoid downtime.

5 reasons why system hardening should be your top priority this year

 

Data Access Control

Know who can do what. Sounds simple, but it requires strict methodologies, or you’ll be losing your feet. Configure access control lists based on what your users must know. Control access permissions to local and remote file systems, databases, and applications.

 

Data Access Control Checklist:

Task Relevant CIS Benchmarks (Windows Server 2019) Done?

Yes/No

If Not, Why? Notes
Only allow Administrators to take ownership of files and other objects. (Domain Controller + Member Server)

 

2.2.48

Make sure no shares can be accessed anonymously. (Domain Controller + Member Server)

 

2.3.10.12

 

Audit attempts to access shared folders and the files and folders they contain. Make sure you keep track after failed attempts. (Domain Controller + Member Server).

 

17.6.1

17.6.2

Do not allow Windows apps to share data between users.

18.9.4.1

Restrict users from sharing files with other users without having Administrator Approval.

 

19.7.28.1

 

Windows Passwords Setting Guide

Sensitive Data Transit

Sensitive data should be encrypted when transported. Data in transit is commonly targeted by attackers. Unencrypted data in transit is an easy target to use for many types of attacks. Use protocols such as TLS and OpenSSH to encrypt data in transit.

 

Sensitive Data in Transit Hardening Checklist:

Task Relevant CIS Benchmarks (Windows Server 2019) Done?

Yes/No

If Not, Why? Notes
Make sure that Domain Controllers LDAP servers are configured to require channel binding tokens.

 

2.3.5.3

Make sure that Domain Controllers LDAP servers are configured to require LDAP signing.

 

2.3.5.4

Make sure that Domain Members encrypt or sign any secure channel traffic.

 

2.3.6.1

2.3.6.2

2.3.6.3

Make sure that Network Clients use a digital signature when communicating.

 

2.3.8.1

2.3.8.2

Ensure that Network Clients cannot send an unencrypted password to third-party servers.

 

2.3.8.3

Set Network Servers to use a digital signature when communicating.

 

2.3.9.2

2.3.9.3

Keep Kerberos encryption updated.

 

2.3.11.4

Require LDAP clients to use LDAP signing

2.3.11.8

Do not allow communicating using NTLM versions older than NTLMv2 with 128-bit encryption.

 

2.3.11.9

2.3.11.10

Set client connection encryption level to ‘high level’.

 

18.9.62.3.9.5

Do not allow basic authentication in WinRM client connection.

 

18.9.97.1.1

Do not allow WinRM communication to be unauthenticated.

 

18.9.97.2.3

 

Sensitive Data at Rest

Stored sensitive data should always be encrypted. This is relevant for sensitive data located in servers, applications, and databases. Using server-side encryption should be your first step. Client-side (application layer) encryption is also recommended.

 

Sensitive Data at Rest Hardening Checklist:

Task Relevant CIS Benchmarks (Windows Server 2019) Done?

Yes/No

If Not, Why? Notes
Do not use reversible encryption in stored passwords.

 

1.1.6

Do not use ‘WDigest Authentication’.

 

2.3.11.5

Do not use ‘WDigest Authentication’.

 

18.3.6

Do not allow automatic log-on.

 

18.4.1

Make sure you use Encryption Oracle Remediation to protect against oracle attacks.

 

18.8.4.1

Do not allow the usage of exportable versions of credentials in remote connection credential delegation.

 

18.8.4.2

Do not allow encrypted files to be indexed.

 

8.9.64.3

Set an updated policy that will ensure you’ll be updated on the latest bug fixes and security patches and install them as fast as possible.

 

18.9.102.1.3

18.9.102.2

18.9.102.3

18.9.102.4

 

Protecting Data at Large Scale Organizations:

By following these checklists you’ll be elevating your data protection. But doing so in large-scale organizations with big and complex infrastructure is not a walk in the park. Furthermore, the potential of causing damage to production often leads organizations not to use these recommendations.

 

CalCom offers a solution perfectly suited to organizations that can’t perform hardening manually. CalCom Hardening Automation Suite provides solutions to multiple system components and automates the entire hardening process. Using automation in hardening eliminates the need to generate an impact analysis of your policy, your policies will be automatically enforced on your production and your compliance posture will be maintained.