Data protection is a broad definition that covers many information security practices. But before jumping into purchasing shiny tools that claim to protect your data, there is a lot you can do to elevate data protection that won't cost you a penny. You can dramatically reduce your attack surface by enforcing a good hardening policy.
This set of checklists will help you build your data protection hardening policy and for the hardening process itself.
These recommendations are based on industry best practices, with a reference to specific rules in the CIS Benchmarks (Windows Server 2019).
We divided data protection hardening into three topics:
5 Things you should know before starting to harden:
- Hardening means securing your system's configurations to reduce the attack surface.
- Hardening is a basic information security practice that can dramatically decrease chances for successful attacks to happen.
- Do not perform any configuration change before testing its impact on your production in a test environment. The potential for downtime is huge.
- Establish a configuration change mechanism that will allow you to keep track after every change, in case you'll need to roll back.
- Consider using hardening automation tools to help you with this complicated task and to avoid downtime.
5 reasons why system hardening should be your top priority this year
Data Access Control
Know who can do what. Sounds simple, but it requires strict methodologies, or you'll be losing your feet. Configure access control lists based on what your users must know. Control access permissions to local and remote file systems, databases, and applications.
Data Access Control Checklist:
| Task | Relevant CIS Benchmarks (Windows Server 2019) | Done?
Yes/No |
If Not, Why? | Notes |
| Only allow Administrators to take ownership of files and other objects. (Domain Controller + Member Server)
|
2.2.48 |
|||
| Make sure no shares can be accessed anonymously. (Domain Controller + Member Server)
|
2.3.10.12
|
|||
| Audit attempts to access shared folders and the files and folders they contain. Make sure you keep track after failed attempts. (Domain Controller + Member Server).
|
17.6.1 17.6.2 |
|||
| Do not allow Windows apps to share data between users. |
18.9.4.1 |
|||
| Restrict users from sharing files with other users without having Administrator Approval.
|
19.7.28.1 |
Sensitive Data Transit
Sensitive data should be encrypted when transported. Data in transit is commonly targeted by attackers. Unencrypted data in transit is an easy target to use for many types of attacks. Use protocols such as TLS and OpenSSH to encrypt data in transit.
Sensitive Data in Transit Hardening Checklist:
| Task | Relevant CIS Benchmarks (Windows Server 2019) | Done?
Yes/No |
If Not, Why? | Notes |
| Make sure that Domain Controllers LDAP servers are configured to require channel binding tokens.
|
2.3.5.3 |
|||
| Make sure that Domain Controllers LDAP servers are configured to require LDAP signing.
|
2.3.5.4 |
|||
| Make sure that Domain Members encrypt or sign any secure channel traffic.
|
2.3.6.1 2.3.6.2 2.3.6.3 |
|||
| Make sure that Network Clients use a digital signature when communicating.
|
2.3.8.1 2.3.8.2 |
|||
| Ensure that Network Clients cannot send an unencrypted password to third-party servers.
|
2.3.8.3 |
|||
| Set Network Servers to use a digital signature when communicating.
|
2.3.9.2 2.3.9.3 |
|||
| Keep Kerberos encryption updated.
|
2.3.11.4 |
|||
| Require LDAP clients to use LDAP signing |
2.3.11.8 |
|||
| Do not allow communicating using NTLM versions older than NTLMv2 with 128-bit encryption.
|
2.3.11.9 2.3.11.10 |
|||
| Set client connection encryption level to 'high level'.
|
18.9.62.3.9.5 |
|||
| Do not allow basic authentication in WinRM client connection.
|
18.9.97.1.1 |
|||
| Do not allow WinRM communication to be unauthenticated.
|
18.9.97.2.3 |
Sensitive Data at Rest
Stored sensitive data should always be encrypted. This is relevant for sensitive data located in servers, applications, and databases. Using server-side encryption should be your first step. Client-side (application layer) encryption is also recommended.
Sensitive Data at Rest Hardening Checklist:
| Task | Relevant CIS Benchmarks (Windows Server 2019) | Done?
Yes/No |
If Not, Why? | Notes |
| Do not use reversible encryption in stored passwords.
|
1.1.6 |
|||
| Do not use 'WDigest Authentication'.
|
2.3.11.5 |
|||
| Do not use 'WDigest Authentication'.
|
18.3.6 |
|||
| Do not allow automatic log-on.
|
18.4.1 |
|||
| Make sure you use Encryption Oracle Remediation to protect against oracle attacks.
|
18.8.4.1 |
|||
| Do not allow the usage of exportable versions of credentials in remote connection credential delegation.
|
18.8.4.2 |
|||
| Do not allow encrypted files to be indexed.
|
8.9.64.3 |
|||
| Set an updated policy that will ensure you'll be updated on the latest bug fixes and security patches and install them as fast as possible.
|
18.9.102.1.3 18.9.102.2 18.9.102.3 18.9.102.4 |
Protecting Data at Large Scale Organizations:
By following these checklists you’ll be elevating your data protection. But doing so in large-scale organizations with big and complex infrastructure is not a walk in the park. Furthermore, the potential of causing damage to production often leads organizations not to use these recommendations.
CalCom offers a solution perfectly suited to organizations that can’t perform hardening manually. CalCom Hardening Automation Suite provides solutions to multiple system components and automates the entire hardening process. Using automation in hardening eliminates the need to generate an impact analysis of your policy, your policies will be automatically enforced on your production and your compliance posture will be maintained.
