Achieving security and compliance requires implementing server hardening as an essential prerequisite. Server hardening measures actively deter unauthorized access, utilization, and service interruptions, playing a crucial role in setting up and maintaining servers to safeguard data integrity and confidentiality. Additionally, it aligns with various compliance frameworks and industry standards, establishing itself as an indispensable component.
This blog post will summarize all you need to know before starting a system hardening project:
- What does server hardening mean?
- Basic hardening techniques
- 21 Tips for a Successful Server Hardening Project
- Server hardening automation
What is server hardening?
Server hardening is a process that secures a server infrastructure from cyberattacks by diminishing its attack surface. The attack surface comprises all potential system entry points where an unauthorized attacker may try to gain access. The objective is to enhance protection and minimize vulnerability.
It is very common to see security flaws with the operating system from application misconfigurations. This means it can be days or even weeks between the changes in the recommendation of configuration hardening, and the release of updates to the actual implementation all while the organization is exposed.
For an Enterprise organization, this means:
* Exposure to configuration vulnerabilities for servers that are not properly configured and hardened
* Falling short of being server compliant and being exposed to an audit
There are three challenges in performing server hardening:
- Testing: Before hardening servers, it’s crucial to conduct testing. Skipping the testing, simulation, and learning process during server hardening poses risks to daily operations. Testing demands a substantial investment in manual work.
- User Access Control: To prevent configuration drifts and ensure server compliance, it is crucial to limit users who possess administrative rights from altering the configuration of a hardened server.
- Configuration management: Managing multiple policies, their role, version and environment becomes challenging.
CalCom provides a complete solution to address the server hardening struggles. CalCom Hardening Suite (CHS) runs a non-intrusive background process, learns the servers activity in your production environment, and performs the impact analysis directly on them. This eliminates the need to set up test environments and do the impact analysis manually.
Since the learning takes place in the production environment, you'll get the most accurate impact analysis possible. Finally, it prevents any configuration drifts and continuously monitors your network’s compliance posture. Click here to get more information about CalCom Hardening Suite (CHS).
Why hardening servers with a “weak” security policy is not enough?
Hardening servers with a “weak” security policy is insufficient for a secure environment because a weak security policy lacks the necessary measures to adequately protect against potential threats. A robust security policy involves comprehensive guidelines, practices, and configurations to fortify servers against various vulnerabilities and cyberattacks.
A weak policy may leave critical security gaps, making the environment more susceptible to unauthorized access, data breaches, and other security risks. To establish a truly secure environment, it’s essential to implement a strong and well-defined security policy during the server hardening process.
Both Center for Internet Security CIS 18 security controls and the NIST cybersecurity framework recommend, that once a new server or application is installed or updated, it is highly important to perform configuration hardening with a robust security baseline such as the CIS benchmarks and ensure continuous adherence with this configuration baseline. This means continuously perform and check the server’s hardening state.
Server Hardening Guide to Prepare for the Project
1. Team collaboration:
Collaboration between the IT operations team and the security team is essential for the success of a server hardening project.
Review the security baselines (preferably based on the CIS Benchmarks) and make adaptions and customizations that are relevant to your organization.
Testing is an integral part of making changes in an IT environment. When it comes to hardening, testing is as critical as it gets. Failing to perform suitable testing will cause damage to production servers and applications.
In many cases failing to perform proper testing caused IT teams to stop the hardening project or to enforce a poor baseline policy that won't satisfy the compliance and audit requirements. There are three testing scenarios to cover in a hardening project:
- Most important is testing – test policies before deploying them to production, this kind of testing is also the most challenging one. Hardening means making changes to production at the OS level, this kind of change can create damage to the applications and create server malfunctions. To avoid damage, the infrastructure team should create a test environment that will try to simulate the production environment Only when the changes are tested in a suitable environment (keeping in mind server roles, applications, etc.) the changes can be enforced to production servers. This testing phase might take a very long time and requires large efforts and resources. This testing procedure is an ongoing one because the environment is dynamic, new applications, OS’s, and policies are installed and updated frequently.
- Test servers functionality after hardening – We want to make sure that after the hardening is applied everything works fine and there are no operational problems.
- Post-hardening – we should test servers locally to make sure that they got the security policies and are now hardened according to the organizational policy.
Setting up an audit team in your IT organization (if you don't have one) is highly recommended. This can be a system administrator or a security analyst that will audit the policy of the servers every month/quarter. Make sure that if there are deviations from the policy, these deviations are reported and remediated as soon as possible.
5. Computer Security
User Account: This falls under the realm of access control and user management, which is a fundamental aspect of computer security.
Windows Firewall: This is a key component of network security, which is essential for protecting systems and data from external threats.
File System: File system management is a part of data security and access control, ensuring that files are stored and accessed securely.
Event Log: Event logging is a critical component of system monitoring and security management, helping to detect and respond to security incidents.
Top 21 Tips for Hardening Your Servers:
1. Disable legacy protocols. Remove unnecessary legacy protocols such as NTLMv1, TLS 1.0, SMBv1 that are being abused by attackers. It is important to disable them, if not then to configure them for optimal security
2. Enforce secured configuration for the usage of Powershell in the server environment. Powershell can be used by attackers to perform collateral movement and gain high privileges and access to servers in the network
3. Enforce Best practices for basic NTFS permissions on a share. It is recommended to implement a tool or process that standardizes the way shares and file folder permissions are created in the organization. Once the best practices are enforced, it is essential to actively preserve permissions degradation.
4. Enforce secured configuration for remote connection services. Enforce and harden RDP connections with a dedicated RDP security baseline.
5. Enforce best practice OS baselines to reduce the attack surface. User rights, network traffic, users groups, remote access, deactivate autoplay, use of strong passwords, disabling vssaexe, registry keys,
6. Hardening software and enforcing local Firewall configurations, settings, and port usage. For example for server security, block malicious TOR IP addresses – By blocking TOR IP addresses known to be malicious
7. Harden and enforce browser policies. Use browser policy hardening best practices. CIS benchmarks provide benchmarks for different browsers. Some settings can be configured at the OS level.
8. Antivirus- Harden and ensure antivirus is installed and up to date across all endpoints within the business. While this will not protect against zero-day exploits, many ransomware are not as developed and use older versions for which there are security software defenses.
9. Patching although not considered configuration hardening, it is as important to verify and enforce the latest security patches for the OS, domain controller, firewall, antivirus, and applications.
Server Hardening Checklist (Bonus)
Section 1: User Secure Configuration: Establish and maintain a secure configuration process for various enterprise assets and server operations. Regularly review and update the configuration process documentation: Annually review and update configuration processes, aligning them with evolving security needs and technologies.
Section 2: Network Configuration: Develop and sustain a secure configuration process dedicated to network services.
Section 3: Configure Automatic Locking for Enterprise Devices: Set up automatic session locking on enterprise assets following a specified period of user inactivity.
Section 4: Server Firewall Configuration: Deploy and oversee firewall protection on servers, utilizing available options.
Section 5: End-User Device Firewall Configuration: Implement and manage host-based firewalls/port-filtering tools on end-user devices with a default-deny rule, allowing only explicitly permitted services and ports.
Section 6: Device and Software Configuration: Implement secure management practices for enterprise assets, software and security systems.
Section 7: Control Default Accounts: Administer default accounts on enterprise assets and software, which encompass accounts like root, administrator, and pre-configured vendor accounts.
Section 8: Minimize Unnecessary Services: Remove or deactivate superfluous services on enterprise assets and software.
Section 9: Trusted DNS Server Configuration: Set up reliable DNS servers on enterprise assets.
Section 10: Portable End-user Device Lockout Configuration: Implement an automatic device lockout mechanism after a specific number of local authentication failures on portable end-user devices.
Section 11: Portable End-user Remote Device Lockout Configuration: Enable remote data wiping for enterprise-owned portable end-user devices, based on specific situations like: lost or stolen devices or individuals no longer associated with the enterprise.
Section 12: Isolate Enterprise Workspaces on Mobile Device Configuration: Establish distinct enterprise workspaces on mobile end-user devices, leveraging supported capabilities.
How can you automate server hardening?
CalCom CHS is a server hardening automation platform designed to help IT operation teams perform server hardening cost-effectively. The CHS learning capabilities enable an assessment of the potential impact of baseline changes directly in the production environment, eliminating the need for IT teams to undergo a policy testing procedure prior to server hardening.
- Deploy the required security baseline without affecting the production services.
- Reduce the costs and resources required for implementing and achieving compliance.
- Manage the hardening baseline for the entire infrastructure from a single point.
- Avoid configuration drifts and repeated hardening processes.