Server hardening is an essential prerequisite for attaining security and compliance. By implementing server hardening measures, one can deter unauthorized access, unauthorized utilization, and service interruptions. It plays a crucial role in the setup and upkeep of servers, safeguarding data integrity and confidentiality. Furthermore, server hardening aligns with various compliance frameworks and industry standards, making it an indispensable component.
This blog post will summarize all you need to know before starting a hardening project:
- What does hardening mean?
- Basic hardening techniques for server hardening
- 20 steps towards a successful server hardening project
- Server hardening automation
What does hardening mean?
Hardening refers to the process of securing a computer system by reducing its vulnerability to potential threats and attacks. It involves implementing a series of security measures, configurations, and best practices to strengthen the system’s defenses against cyberattacks, unauthorized access, and data breaches.
It is very common to see operating system security flaws caused by application misconfigurations. Days or even weeks can pass between a change in the configuration hardening recommendations and the update of the actual implementation, and the organization is exposed throughout that window.
For an Enterprise organization, this means:
* Exposure to configuration vulnerabilities for servers that are not properly configured and hardened
* Failing to reach server compliance and being exposed in an audit
There are three challenges in performing server hardening:
* Testing must be performed before hardening servers. Hardening the servers without testing, simulating, and performing a learning process can be risky to day-to-day operations. Testing requires a significant investment in manual work.
* Any user with administrative rights can change the configuration of a hardened server, causing configuration drifts and non-compliant servers. Limiting users is important for this reason.
* Multiple policies and environments are difficult to manage.
CalCom provides a complete solution to address the server hardening struggles. CalCom Hardening Suite learns your network and therefore eliminates the need to perform any testing. It eases the task of configuration management, as the entire control over your network’s configuration is centralized to a single point of control. Finally, it prevents configuration drift and continuously monitors your network’s compliance posture.
Why is hardening servers with a “weak” security policy not enough?
Server hardening standards for OS and applications, such as the Center for Internet Security (CIS) Benchmarks, provide lists of hundreds of configuration settings that should be hardened. It is common to see organizations that enforce only a couple of dozen of these recommendations using GPOs or scripts. The reason organizations settle for a “weak” security policy is the potential impact and damage to production and network services. The vulnerabilities and security flaws resulting from the remaining misconfigurations will most likely be found by an auditor or detected by vulnerability scanners.
Both the CIS 18 security controls and the NIST Cybersecurity Framework recommend that once a new server or application is installed or updated, configuration hardening should be performed with a robust security baseline such as the CIS Benchmarks, and continuous adherence to that baseline should be ensured. This means continuously enforcing and checking the server’s hardening state.
Server hardening checklist – 5 basic principles:
1. Team collaboration:
Collaboration between the IT operations team and the security team is essential for the success of a server hardening project.
2. Baseline review:
Review the security baselines (preferably based on the CIS Benchmarks) and make the adaptations and customizations that are relevant to your organization.
3. Testing:
Testing is an integral part of making changes in an IT environment. When it comes to hardening, testing is as critical as it gets. Failing to perform suitable testing will cause damage to production servers and applications.
In many cases, failing to perform proper testing has caused IT teams to stop the hardening project or to enforce a poor baseline policy that won’t satisfy the compliance and audit requirements. There are three testing scenarios to cover in a hardening project:
- Testing policies before deploying them to production is the most important and also the most challenging kind of testing. Hardening means making changes to production at the OS level, and such changes can damage applications and cause server malfunctions. To avoid damage, the infrastructure team should create a test environment that simulates the production environment. Only when the changes have been tested in a suitable environment (keeping in mind server roles, applications, etc.) can they be enforced on production servers. This testing phase can take a very long time and requires large efforts and resources. It is also an ongoing procedure, because the environment is dynamic: new applications, OSs, and policies are installed and updated frequently.
- Test server functionality after hardening – make sure that after the hardening is applied everything works fine and there are no operational problems.
- Post-hardening – we should test servers locally to make sure that they got the security policies and are now hardened according to the organizational policy.
4. Auditing:
Setting up an audit team in your IT organization (if you don’t have one) is highly recommended. This can be a system administrator or a security analyst who audits the policy of the servers every month/quarter. Make sure that if there are deviations from the policy, these deviations are reported and remediated as soon as possible.
5. Computer Security
User Account: This falls under the realm of access control and user management, which is a fundamental aspect of computer security.
Windows Firewall: This is a key component of network security, which is essential for protecting systems and data from external threats.
File System: File system management is a part of data security and access control, ensuring that files are stored and accessed securely.
Event Log: Event logging is a critical component of system monitoring and security management, helping to detect and respond to security incidents.
Server hardening essentials:
1. Disable legacy protocols. Remove unnecessary legacy protocols such as NTLMv1, TLS 1.0, and SMBv1, which are routinely abused by attackers. It is important to disable them; where that is not possible, configure them for optimal security.
2. Enforce a secured configuration for the usage of PowerShell in the server environment. PowerShell can be used by attackers for lateral movement and to gain high privileges and access to servers in the network.
3. Enforce best practices for basic NTFS permissions on a share. It is recommended to implement a tool or process that standardizes the way shares and file folder permissions are created in the organization. Once the best practices are enforced, it is essential to actively prevent permission degradation.
4. Enforce secured configuration for remote connection services. Enforce and harden RDP connections with a dedicated RDP security baseline.
5. Enforce best-practice OS baselines to reduce the attack surface: user rights, network traffic, user groups, remote access, deactivating AutoPlay, use of strong passwords, disabling vssaexe, and registry keys.
6. Harden software and enforce local firewall configurations, settings, and port usage. For example, for server security, block TOR IP addresses that are known to be malicious.
7. Harden and enforce browser policies. Use browser policy hardening best practices. CIS benchmarks provide benchmarks for different browsers. Some settings can be configured at the OS level.
8. Antivirus – harden and ensure antivirus is installed and up to date across all endpoints within the business. While this will not protect against zero-day exploits, many ransomware families are not as sophisticated and reuse older variants for which security software defenses exist.
9. Patching – although not considered configuration hardening, it is just as important to verify and enforce the latest security patches for the OS, domain controllers, firewalls, antivirus, and applications.
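As an added example (not CalCom's code and not the CHS product), the following read-only PowerShell audit checks several of the essentials listed above (SMBv1, TLS 1.0, NTLMv1, PowerShell logging, RDP, AutoPlay, firewall) and produces the per-server evidence the audit team in principle 4 needs. The expected values are assumptions taken from the CIS Windows Server benchmark recommendations, and the CSV output path is an assumption; adapt both to your own baseline.

```powershell
# Added example, not CalCom's code: read-only audit of settings named in this post.
# Run in an elevated PowerShell session on the server. Expected values follow the
# CIS Windows Server benchmark recommendations (assumed here); adapt to your baseline.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing key or value is reported as $null instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$tls10    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
$psLog    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$rdp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$checks = @(
    @{ Name = 'SMBv1 server disabled';                     Expected = $false
       Actual = { (Get-SmbServerConfiguration).EnableSMB1Protocol } },
    @{ Name = 'TLS 1.0 server disabled';                   Expected = 0
       Actual = { Get-RegValue $tls10 'Enabled' } },
    @{ Name = 'LM/NTLMv1 refused (LmCompatibilityLevel)';  Expected = 5
       Actual = { Get-RegValue $lsa 'LmCompatibilityLevel' } },
    @{ Name = 'PowerShell script block logging on';        Expected = 1
       Actual = { Get-RegValue $psLog 'EnableScriptBlockLogging' } },
    @{ Name = 'RDP requires Network Level Authentication'; Expected = 1
       Actual = { Get-RegValue $rdp 'UserAuthentication' } },
    @{ Name = 'AutoPlay disabled on all drive types';      Expected = 255
       Actual = { Get-RegValue $explorer 'NoDriveTypeAutoRun' } },
    @{ Name = 'Windows Firewall on for every profile';     Expected = $true
       Actual = { @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0 } }
)

$results = foreach ($c in $checks) {
    $actual = & $c.Actual
    [pscustomobject]@{
        Check     = $c.Name
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize
# Evidence for the monthly/quarterly audit: timestamped CSV per server (output path is an assumption)
$results | Export-Csv -Path ".\hardening-audit-${env:COMPUTERNAME}-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
# Non-zero exit code lets a scheduler or configuration-management job flag drifted servers
if ($results.Compliant -contains $false) { exit 1 }
```

A value reported as `<not set>` means the setting is still at its OS default, which for most of these checks is the insecure state and should be treated as drift from the baseline.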
How can you automate server hardening?
CalCom CHS is a server hardening automation platform designed to help IT operation teams harden servers in a cost-effective fashion. The CHS learning capabilities enable an assessment of the potential impact of baseline changes directly in the production environment, eliminating the need for IT teams to undergo a policy testing procedure prior to server hardening.
- Deploy the required security baseline without affecting the production services.
- Reduce the costs and resources required for implementing and achieving compliance.
- Manage the hardening baseline for the entire infrastructure from a single point.
- Avoid configuration drifts and repeated hardening processes.