Securing or Hardening

Securing or Hardening aims to protect and secure your IT infrastructure against cyberattacks by reducing the attack surface. The attack surface is all the different points where an attacker can to attempt to gain access or damage the equipment.  This blog is focused on securing Servers and storage.

The goal of server hardening is to remove all unnecessary components and access in order to maximize security.  This is easiest when a server performs a single function. For example, a web server needs to be visible to the internet whereas a database server needs to be more protected. It will often be visible only to the web servers or application servers and not directly connected to the internet.

If a single server is providing multiple functions, there may be a conflict of security requirements.  It is best practice not to mix application functions on the same server.

Implementing Hardening Policies

The information below provides a starting point for implementing hardening policies.  Some of these only apply to the servers, but others apply to all devices on the network (Servers, Storage, Networking).

All Devices:

• Change default credentials and remove (or disable) default accounts – before connecting the server to the network.
• Disable guest accounts, setup accounts and vendor accounts (Vendor accounts can be enabled when necessary).
• Install security patches and firmware updates on a scheduled basis. My recommendation is to review devices firmware, virtualization layer software, and operating systems a minimum of every 6 months.  If possible, review them every quarter.
• If possible, sign up for service update notifications from all vendors. You will be notified of critical updates.  Depending on the update, Critical Security updates may require immediate implementation.
• Develop a patch/firmware management process that includes what gets updated, when it gets updated, outage window required, can it be automated, process for patching/firmware upgrade, etc. Some devices may be updated quarterly, others monthly.
• Accurate time keeping is essential for some security protocols to work effectively. Configure NTP servers to ensure all servers, storage and network devices share the same timestamp.  It is much harder to investigate security or operational issues if the logs on each device are not synchronized.
• Ensure all devices are located in a physically secured location and restricted to approved staff only. Review and disable access for anyone that has left or changed roles.
• Review user and administrator level access to all devices. Ensure all default userids and passwords have been changed. Remove all users that are not on the approved list.  If possible, use roles-based access using Active Directory or the equivalent.
• For connection to all devices, use Secure Shell Protocol (or SSH) when possible. This enables you to make a secure connection to your network services over an unsecured network. Avoid using FTP, Telnet and rsh commands.  Use a secured protocol.

Servers:

• Turn off services that are not required – this includes scripts, drivers, features, subsystems, file systems, and unnecessary web services. Remove all unnecessary software.
• On Windows systems only activate the Roles and Features required for that host to function correctly.
• On Linux systems remove packages that are not required and disable daemons that are not required.
• Remote Access (Windows RDP) is one of the most attacked subsystems on the internet – ideally only make it available within a VPN and not published directly to the internet. For Linux systems, remote access is usually using SSH.  Configure SSH to whitelist permitted IP addresses that can connect and disable remote login for root.
• Configure operating system and application logging so that logs are captured and preserved.  Consider an SIEM Solution to centralize and manage the event logs from across your network.
• Review Administrator Access to host operating systems. Administrator accounts should only be used when required by approved personnel.
• Set password settings to require “Strong and Unique” passwords. Force password changes periodically according to internal security practices (usually 30 to 90 days).
• Configure account lockout policies. Lockout user accounts after failed attempts.
• Consider using Multi-Factor Authentication (MFA) if feasible to improve the level of security.
• Review backup policies to ensure all servers are being backed up correctly according to company retention policies. Periodically test the backup to be sure recovery is possible.
• Review monitoring requirements and be aware of any activity on each system.
• Set up custom admin accounts. They can be an Active Directory (AD) account or a local account in the administrators group.
• Limit security context on accounts used for running services. By default, these are Network Service, Local System, or Local Service accounts. For sensitive application and user services, set up accounts for each service and limit privileges to the minimum required for each service. This limits the ability for privilege escalation and lateral movement.
• For Linux systems, use Secure Shell Protocol (or SSH) when possible. This enables you to make a secure connection to your network services over an unsecured network. Use a secured protocol.
• Enable UEFI Secure Boot will further ensure only trusted binaries are loaded during boot.
• If not in use, disable the IPv6 protocol to decrease the attack surface.
• Keep partitions separated can help decrease the radius of any attack. Separate the boot partition from the user data and application data will help protect your data.

Contact Zunesis today if you would like more information on hardening your infrastructure.