Hardening IT infrastructure-servers to applications

By Roy, on November 15th, 2017

Hardening the IT infrastructure is an obligatory task for achieving a resilient to attacks infrastructure and complying with regulatory requirements. Hackers attack information systems and websites on an ongoing basis using various cyber-attack techniques.

 

To reduce these increasing amounts of dynamically emerging cyber-attacks, information systems, and servers especially, need to get hardened. Hardening is a unique security task as the requirement is coming from the security team but IT Ops often execute it. If you are managing a hardening project learn more about how to automate hardening tasks.

Server hardening-Regulatory overview

Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor, and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CSH by CalCom is automating the entire server hardening process. CHS’s unique ability to ‘learn’ your network abolishes the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production hassle-free. want to know more? Click here and get the datasheet. 

 

Hardening the 4 main infrastructure layers

Hardening activities can be classified into a few different layers:

Server hardening

Application hardening

Operating System hardening

Database hardening

The default configurations of most operating environments, servers, applications, and databases are not designed with security as its main focus. The defaults concentrate more on usability and functionality. This implies that without hardening done, these information assets will be running a high level of security risks.

The following are some of the effective hardening techniques followed by organizations across the globe:

 

Server hardening guidelines

Server hardening, in its simplest definition, is the process of boosting a server’s protection using viable, effective means. It is recommended to use the CIS benchmarks as a source for hardening benchmarks. You can find below a list of high-level hardening steps that should be taken at the server level.

 

Important notice: Never attempt to establish or test hardening procedures on production unless using a proper hardening impact analysis tool

 

  1. Implement a”least functionality” approach. for example: Do not install the IIS server on a domain controller.
  2. Install the appropriate post-Service Pack security hotfixes
  3. Avoid installing applications on the server unless they are absolutely necessary to the server’s function. For example, don’t install e-mail clients, office productivity tools, or utilities that are not strictly required for the server to do its job
  4. Use two different network interfaces in the server. One will be for the network and the other will be for the administrator
  5. Create a secure remote administration for the server
  6. Harden the OS and application layers (see below)
  7. Consider using the server’s local firewall. Windows- Windows firewall, Linux-IPtables, AppArmor
  8. Avoid the use of insecure protocols for processing requests, especially those that send information (i.e. passwords) in plain text
  9. Keep a backup for all your data and files.
  10. Secure separate partitions.
  11. When hosting multiple applications, make sure that each has its own accounts separate from the others.
  12. Never provide write access to web content directories.
  13. Remove administrative shares if not needed.
  14. Closely monitor failed login attempts. Lock accounts after a specified number of failures.
  15. Rename the guest account even though it may be disabled.
  16. Enable account lockout on the local administrator account
  17. Rename the local Administrator account to something other than Administrator
  18. Enforce strong account and password policies for the server.
  19. Do not allow users and administrators to share accounts.
  20. Disable FTP, SMTP , NNTP, Telnet services if they are not required.
  21. Install and configure URLScan.
  22. For non-public sites authentication methods should be put in place and for sites that are only to be accessible by internal users.
  23. Web server logs should be reviewed routinely for suspicious activity. Any attempts to access unusual URLs on the web server typically indicate an attempt to exploit problems in outdated or unpatched web servers.
  24. Domain Name Servers (DNS) provide the translation of human-friendly names for network destinations (such as a website URL) to the IP addresses understood by routers and other network devices. Steps should be taken to ensure DNS software is updated regularly and that all access to servers is authenticated to prevent unauthorized zone transfers.
  25. Access to the server may be prevented by blocking port 53 or restricted by limiting access to the DNS server to one or more specified external systems.
  26. Anonymous FTP accounts should be used with caution and monitored regularly.
  27. In the case of authenticated FTP, it is essential that Secure FTP be used so that login and password credentials are encrypted, rather than transmitted in plain text. 

How to Automate IIS Hardening with PowerShell

Application Hardening

Application hardening is the process of securing applications against local and Internet-based attacks. Application hardening can be implemented by removing the functions or components that you don’t require. We can restrict access and make sure the application is kept up-to-date with patches. Maintaining application security is very important because we need to make the application to be accessible to users. Most applications have problems with buffer overflows in the legitimate user input field so patching the application is the only way to secure it from attack. The following are some of the successfully proven application hardening guidelines:

 

  1. Apply vendor-provided patches in a timely manner for all 3rd party applications
  2. For securing an IIS, the first step is to remove all simple files. To help the user in the setting of sample files, which can be used by the user to examine and as a reference when constructing their web sites. But these sample files are full of vulnerabilities and holes, so they should never be present on a production web server.
  3. Sample files are stored in virtual and physical directories, so to remove IIS sample application, remove the virtual and physical directories. For example, IIS samples are present in the Virtual Directory of \IISS samples and its location is C:\Inetpub\IISsample.
  4. The next step in securing IIS is to set up the appropriate permissions for the web server’s file and directories this is possible using Access Control Lists (ACLs).
  5. Avoid the use of insecure protocols for processing requests, especially those that send information (i.e. passwords) in plain text.
  6. Never install IIS unless the server is to be a dedicated Web Server
  7. Install SSL Architecture
  8. Install and configure a web application firewall (WAF)
  9. Avoid installing and do not run network device firmware versions that are no longer available from the manufacturer.
  10. Closely monitor the security bulletins applicable to applications and other software used.
  11. Use cryptographic and CHEKSUM controls wherever it is applicable.
  12. Implement an Active directory which allows only single login to multiple applications, data sources, and system. This includes advanced encryption capabilities-Kerberos and PKI features also. 

IIS hardening: 6 configurations changes to harden IIS 10 web server

Database hardening guidelines

Databases often store sensitive data. Incorrect data or loss of data could negatively affect business operations. Databases can be used as bases to attack other systems. The following are some of the successfully proven database hardening guidelines: 

 

  1. Have a TNS Listener Password (encrypted) to prevent unauthorized administration of the Listener.
  2. Turn on Admin Restrictions to ensure certain commands cannot be called remotely.
  3. Turn on TCP Valid Node Checking to allow certain hosts to connect to the database server and prevent others.
  4. Switch off XML Database if it is not used.
  5. Turn off external procedures if not required.
  6. Encrypt network traffic using the Oracle Net Manager tool.
  7. Lock and Expire unused accounts.
  8. Define user account naming standards.
  9. Define and enforce a password policy.
  10. Manage a role-based access privileges control.
  11. Generate a periodic review and revoke any unnecessary permissions.
  12. Enable data protection for preventing users access sensitive tables.
  13. Ensure PL/SQL coding standard usage.
  14. Generate periodic database security audits.
  15. Disabling all the Null sessions (anonymous logons).
  16. Roll out all the necessary database patches as soon as released by the vendors. 

 

Operating System hardening guidelines

Operating System hardening is the process that helps in reducing the cyber-attack surface of information systems by disabling functionalities that are not required while maintaining the minimum functionality that is required. The following are some of the successfully proven operating system hardening guidelines:

 

  1. Keep operating systems updated with the latest, most robust versions. Also, make sure that security patches and hotfixes are constantly updated.
  2. Install the latest Service Pack for the operating systems used
  3. Routers and wireless should be protected with strong passwords
  4. Remove unnecessary drivers
  5. Do not create more than two accounts in the Administrators group
  6. Disable or delete unnecessary accounts quarterly
  7. Disable Non-essential services
  8. Enable Audit Logs to capture successful and failed login efforts, usage of elevated privileges, and all kinds of unauthorized activities
  9. Secure CMOS settings.
  10. File and Directory Protection – Through the use of Access Control Lists (ACLs) and file permissions.
  11. File and File System Encryption – All disk partitions are formatted with a file system type with encryption features (NTFS in the case of Windows)
  12. Configure the operating system to log every activity, error, and warning.
  13. Secure separate partitions.
  14. Tighten NTFS/Registry Permissions
  15. Configure appropriate settings for access control on file shares, given that permissions are set through NTFS security features
  16. Disable any unnecessary file sharing
  17. Remove administrative shares if not needed.
  18. Ensure services are running with the least-privileged accounts.
  19. Implement a strong password management practice.

PCI-DSS requirement 2.2 hardening standards

 

Conclusion

Cyber-attacks are being so dynamic these days and every new attack brings new concerns about the security of very high-cost network-based information systems owned by business organizations. Continuous system hardening will keep the information security configurations checked on an ongoing basis which will help in reducing the cyber-attack surface of organizations. Applied in an effective manner, hardening will improve the resiliency of the existing cyber-security environment of organizations. So organizations should verify their information system vulnerabilities on a periodic basis through Vulnerability Analysis & Penetration Testing and apply appropriate hardening techniques. This will help them in improving the performance and security posture of their information systems to the next optimum level where the information systems will have high performance and reduced expensive system failures.