Server Hardening - The Comprehensive Server Hardening Guide

What is Server Hardening?

Server hardening is a process that secures, essentially “hardening” a server infrastructure reducing the attack surface, which encompasses all potential entry points that unauthorized attackers could exploit. The objective is to enhance protection, minimize vulnerability and improve security posture.

Achieving security and compliance requires implementing server hardening as an essential prerequisite. Server hardening is a proactive process that involves

Disabling unused programs and functionality for unauthorized access
Stricter security measures
Enforcing auditing and incident response best practices
The goal is to make servers less vulnerable to attack vectors

It is very common to see security flaws with the operating system from application misconfigurations. This means it can be days or even weeks between the changes in the recommendation of configuration hardening, and the release of updates to the actual implementation all while the organization is exposed.

For an Enterprise organization, this means:

* Exposure to configuration vulnerabilities for servers that are not properly configured and hardened

* Falling short of being server compliant and being exposed to an audit

Server Hardening Challenges

There are three challenges in performing server hardening:

Testing: Before hardening servers, it’s crucial to conduct testing. Skipping the testing, simulation, and learning process during server hardening poses risks to daily operations. Testing demands a substantial investment in manual work.
User Access Control: To prevent configuration drifts and ensure server compliance, it is crucial to limit users who possess administrative rights from altering the configuration of a hardened server.
Configuration management: Managing multiple policies, their role, version and environment becomes challenging.

Increased Server Security with Server Hardening

Center for Internet Security CIS 18 security controls and the NIST cybersecurity framework recommend, that once a new server or application is installed or updated, it is highly important to perform security hardening with a robust security baseline such as the CIS benchmarks and ensure continuous adherence with this configuration baseline. This means continuously perform and check the server's hardening state.

CalCom provides a complete solution to address the server hardening struggles. CalCom Hardening Suite (CHS) runs a non-intrusive background process and learns the activity of the server in your production environment.

The learning mode capability in server hardening serves multiple functions: first, it identifies objects that can’t be hardened and saves them as exceptions, providing insight into why hardening is not feasible. Secondly, it facilitates the comparison of various policies for a single server, allowing administrators to select the most stringent policy without disrupting operations. Additionally, it enables system administrators to apply learned policies from one server to a group of identical servers, streamlining the process.

Server Hardening Process: 21 Steps

Machine hardening

1. Disable legacy protocols. Remove unnecessary legacy protocols such as NTLMv1, TLS 1.0, SMBv1 that are being abused by attackers. It is important to disable them, if not then to configure them for optimal security

2. Enforce secured configuration for the usage of Powershell in the server environment. Powershell can be used by attackers to perform collateral movement and gain high privileges and access to servers in the network

3. Enforce Best practices for basic NTFS permissions on a share. It is recommended to implement a tool or process that standardizes the way shares and file folder permissions are created in the organization. Once the best practices are enforced, it is essential to actively preserve permissions degradation.

4. Enforce secured configuration for remote connection services. Enforce and harden RDP connections with a dedicated RDP security baseline.

5. Enforce best practice OS baselines to reduce the attack surface. User rights, network traffic, users groups, remote access, deactivate autoplay, use of strong passwords, disabling vssaexe, registry keys,

6. Hardening software and enforcing local Firewall configurations, settings, and port usage. For example for server security, block malicious TOR IP addresses – By blocking TOR IP addresses known to be malicious

7. Harden and enforce browser policies. Use browser policy hardening best practices. CIS benchmarks provide benchmarks for different browsers. Some settings can be configured at the OS level.

8. Antivirus- Harden and ensure antivirus is installed and up to date across all endpoints within the business. While this will not protect against zero-day exploits, many ransomware are not as developed and use older versions for which there are security software defenses.

9. Patching although not considered configuration hardening, it is as important to verify and enforce the latest security patches for the OS, domain controller, firewall, antivirus, and applications.

Server Hardening Checklist (Bonus)

Section 1: User Secure Configuration: Establish and maintain a secure configuration process for various enterprise assets and server operations. Regularly review and update the configuration process documentation: Annually review and update configuration processes, aligning them with evolving security needs and technologies.

Section 2: Network Configuration: Develop and sustain a secure configuration process dedicated to network services.

Section 3: Configure Automatic Locking for Enterprise Devices: Set up automatic session locking on enterprise assets following a specified period of user inactivity.

Section 4: Server Firewall Configuration: Deploy and oversee firewall protection on servers, utilizing available options.

Section 5: End-User Device Firewall Configuration: Implement and manage host-based firewalls/port-filtering tools on end-user devices with a default-deny rule, allowing only explicitly permitted services and ports.

Section 6: Device and Software Configuration: Implement secure management practices for enterprise assets, software and security systems.

Section 7: Control Default Accounts: Administer default accounts on enterprise assets and software, which encompass accounts like root, administrator, and pre-configured vendor accounts.

Section 8: Minimize Unnecessary Services: Remove or deactivate superfluous services on enterprise assets and software.

Section 9: Trusted DNS Server Configuration: Set up reliable DNS servers on enterprise assets.

Section 10: Portable End-user Device Lockout Configuration: Implement an automatic device lockout mechanism after a specific number of local authentication failures on portable end-user devices.

Section 11: Portable End-user Remote Device Lockout Configuration: Enable remote data wiping for enterprise-owned portable end-user devices, based on specific situations like: lost or stolen devices or individuals no longer associated with the enterprise.

Section 12: Isolate Enterprise Workspaces on Mobile Device Configuration: Establish distinct enterprise workspaces on mobile end-user devices, leveraging supported capabilities.

NIST 800-171 Hardening Standards

Server Hardening Guide to Prepare for the Project

1. Team collaboration:
Collaboration between the IT operations team and the security team is essential for the success of a server hardening project.

2. Planning
Review the security baselines (preferably based on the CIS Benchmarks) and make adaptions and customizations that are relevant to your organization.

3. Testing
Testing is an integral part of making changes in an IT environment. When it comes to hardening, testing is as critical as it gets. Failing to perform suitable testing will cause damage to production servers and applications.

In many cases failing to perform proper testing caused IT teams to stop the hardening project or to enforce a poor baseline policy that won't satisfy the compliance and audit requirements. There are three testing scenarios to cover in a hardening project:

1. - Most important is testing – test policies before deploying them to production, this kind of testing is also the most challenging one. Hardening means making changes to production at the OS level, this kind of change can create damage to the applications and create server malfunctions. To avoid damage, the infrastructure team should create a test environment that will try to simulate the production environment Only when the changes are tested in a suitable environment (keeping in mind server roles, applications, etc.) the changes can be enforced to production servers. This testing phase might take a very long time and requires large efforts and resources. This testing procedure is an ongoing one because the environment is dynamic, new applications, OS’s, and policies are installed and updated frequently.
  - Test servers functionality after hardening – We want to make sure that after the hardening is applied everything works fine and there are no operational problems.
  - Post-hardening – we should test servers locally to make sure that they got the security policies and are now hardened according to the organizational policy.

4. Audit
Setting up an audit team in your IT organization (if you don't have one) is highly recommended. This can be a system administrator or a security analyst that will audit the policy of the servers every month/quarter. Make sure that if there are deviations from the policy, these deviations are reported and remediated as soon as possible.

5. Computer Security

User Account: This falls under the realm of access control and user management, which is a fundamental aspect of computer security.

Windows Firewall: This is a key component of network security, which is essential for protecting systems and data from external threats.

File System: File system management is a part of data security and access control, ensuring that files are stored and accessed securely.

Event Log: Event logging is a critical component of system monitoring and security management, helping to detect and respond to security incidents.

Automate Your Server Hardening Project

CalCom CHS is a server hardening automation platform designed to help IT operation teams perform server hardening cost-effectively.

CHS’s Benefits:

Deploy the required security baseline without affecting the production services.
Reduce the costs and resources required for implementing and achieving compliance.
Manage the hardening baseline for the entire infrastructure from a single point.
Avoid configuration drifts and repeated hardening processes.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Server Hardening Steps and Guide to Secure Your Server