NIST 800-53 Server Hardening perspective

Many organizations approach us with the request to be NIST 800-53 compliant, not fully understanding what that really means. Well, it is not their fault, as it is really easy to get lost in the NIST 800-53 recommendations and not fully understand their bottom line. But do they even have a bottom line? This article should give you a clue on what does it mean to harden your servers according to NIST 800-53.

This article summarizes NIST 800-53 controls that deal with server hardening. This summary is adjusted to only present recommended actions to achieve hardened servers. Not all controls will appear, as not all of them are relevant to server hardening.

We'll take a deep dive inside NIST 800-53 3.5 section: Configuration Management. This section contains 12 different controls (CM) dealing with the configuration management of your entire system.

We'll investigate the following CM that relates to server hardening and how:

CM-1 configuration management policy and procedure
CM-2 baseline configuration
CM-3 Configuration Change Control
CM-4 Security and Privacy Impact Analysis
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-9 Configuration Management Plan

NIST 800-123 server hardening guidelines

CM-1 configuration management policy and procedures:

This control refers to the implementation of the rest of the controls. It is basically instructing you to establish a formal procedure for the effective implementation of the rest of the controls. You might need to develop a system-specific policy, as not all procedures are required for all systems.

According to CM-1, you'll need to:

Develop, document, and distribute configuration management policy that will address and differentiate roles, responsibilities and management commitment among the organizational entities. In addition, it should consist of laws, executive orders, regulations, policies, standards, and guidelines.
Develop procedures to facilitate the policy and the rest of the configuration management controls.
Designate human resources to manage the configuration management policy and procedures.
Review and update both the policy and procedures on a defined frequency.
Ensure that procedures are done for configuration management indeed implement the policy and controls.
Develop, document, and implement remediation actions in case of violation of the policy.

CM-2 baseline configuration:

This control establishes a baseline configuration for each component in the system, including servers. Although it is instructed to have different configurations for each type of component, there are no specifications on what should be the desired configurations, like established in the CIS Benchmarks or DISA STIG. NIST only instructs to use documented, formally reviewed and agreed-upon set of configurations. Note also that part of maintaining baseline configuration requires creating a new baseline, as systems change over time.

According to CM-2 you'll need to:

Develop, document, and maintain configuration control a baseline configuration to each component type in the system, meaning that each type of server OS will need to have its own baseline. We highly recommend using known best practices such as CIS Benchmarks or DISA STIG as a base for your baseline.
Review and update baseline configuration at a defined frequency, when circumstances require and when servers are installed or upgraded.
Employ automated mechanisms to maintain an up-to-date, complete, accurate, and readable baseline configuration.
Establish procedures that will allow the rollback of changes in case of need.
Maintain different baselines for test and development environments and differentiate it from the production baseline.

The Complete Guide for Server Hardening

CM-3 Configuration Change Control:

Configuration change control refers to changes in the server's baseline configuration, that can be either unscheduled and unauthorized, or for vulnerability remediation purposes. Each authorized change must be reviewed and approved by authorized entities in the organization. Changes must be audited.

According to CM-3 you'll need to:

Determine the kind of changes to the server that are configuration controlled.
Proposed changes must be approved or disapproved after reviewing their impact on the server's security.
Document changes in server configurations.
After being approved, changes must be implemented in the servers.
The time period that changes records must be saved needs to be set by the organization.
Monitor and review any activity of the server that associates with the change after implementing it.
Use automation in order to:
Document proposed changes in the server's configuration
Notify and request approval on proposed changes from authorized entities in the organization.
Highlight changes that aren't yet approved or disapproved.
Prevent changes until they are authorized.
Document all changes in the system (proposed and not proposed).
Notify the responsible entity in your organization when an approved change in server configuration is fully implemented.
Test and validate changes in the server's configuration before fully implemented in production. This is especially important in the context of both the server's security and servers' outages.
Use automation to implement the desired changes on the servers in production.
Ensure that cryptographic mechanisms are also under configuration management.

CM-4 Security and Privacy Impact Analysis:

The person responsible for conducting an impact analysis should have the necessary skills and technical expertise to analyze the impact of any configuration change on your server's security and functionality. This is a very complex task as the system structure is usually very complex and in order to perform a thorough impact analysis, you should understand the dependencies in the system. Doing it manually can be prone to mistakes.

According to CM-4 you'll need to:

Analyze desired changes to the server to determine potential security and privacy impact before you implement the changes.
Analyze the potential impact in a separate test environment before implementing the change to production. The test environment should be completely separated from the production environment.
Check the security and privacy functions after the changes in the server's configuration, to make sure that the functions implemented correctly, functioning as intended, and producing the desired functionality while meeting the security and privacy requirements.

the complete server hardening Guide

CM-5 Access Restrictions for Change:

Unwanted changes to the server's configuration can be a result of malicious activity or un-intended everyday actions that can lead to configuration drifts. Every un-intended and malicious change can lead to potentially have significant effects on the overall security of the systems. Therefore, organizations should permit only qualified and authorized individuals to have the right privileges for initiating changes. The organization should also espier to privilege the minimal number of users to initiate changes.

According to CM-5 you'll need to:

Define, document, approve and enforce physical and logical access restrictions associated with changes to servers' configuration.
Enforce access restrictions and generate audit records for enforcement actions.
Review system changes in a defined frequency and defines specifications to determine whether unauthorized changes have occurred.
Prevent installations on the server without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Enforce dual authorization for implementing changes to server configuration.
Limit privileges to change configuration settings in the production environment. Review and reevaluate the privileges at the organization's defined frequency.

CM-6 Configuration Settings:

The server's Operating System 'out of the box' configurations are usually aimed for the maximum functionality of the server. That's often doesn't comply with security standards and often leaves the server open to vulnerabilities. Server configurations will establish the server's security posture and functionality. Organizations should establish a specific configuration baseline for each server OS type. For example, Windows 10 baseline will be different from Windows 16 any kind of Linux OS.

There are common configuration checklists and benchmarks developed by public institutes (such as the CIS Benchmarks) that provide recognized, standardized, and established benchmarks for specific platforms and instructions for configuring those systems components to meet operational requirements. Organizations can also develop their own policies for their servers.

Implementing a specific common benchmark may be mandated for the organization in order to stand in regulatory requirements.

According to CM-6 you'll need to:

Establish and document configuration settings for the server's OS using common secure configuration benchmarks that reflect the most restrictive and secure mode possible with the operational requirements.
Implement the configuration settings. This may sound easy, but infect implementing the configuration settings is a complex labor demanding task. As mentioned in CM-4, every change in configuration should go under impact analysis before implemented in a separate testing environment. Even after performing an impact analysis, each change in configuration can lead to damage to production and servers' outages. An automatic approach to this process can solve the majority of the pains in this issue.
Identify, document, and approve any deviations from the established baseline.
Monitor and control changes.
Employ automated mechanisms to centrally manage, apply and verify configuration baseline.
Establish and employ security measures to respond to unauthorized changes to servers' configuration settings.

CM-7 Least Functionality:

Servers' OS is provided by the manufacturer with a wide variety of functions and services. Some may not be necessary to provide servers' functionality. Using the server OS with out-of-the-box configuration settings increases the attack surface of the server. Organizations should review functions and services provided by the server, to determine which functions and services are candidates for elimination. Organizations should also employ network scanning tools, intrusion detection, and prevention systems such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, protocols, ports, and services.

According to CM-7 you'll need to:

Configure server OS to provide only essential capabilities and prohibit the use of unnecessary functions, ports, and services.
Review the system at a determined frequency to identify unnecessary and non-secure functions, ports, protocols, and services.
Disable any unnecessary and non-secure functions, ports, protocols, and services.
Ensure compliance with the organization's policy.
Use blacklisting to prevent the usage of unauthorized software. Make sure you review and update this list.
Use whitelisting to allow the usage of only authorized software. Make sure you review and update this list.

CM-9 Configuration Management Plan:

Configuration management plans should define processes and procedures for how configuration management is used to support server development life cycle activities. They are usually developed during the development and acquisition phase of the server's life cycle. The plan will establish procedures such as moving changes through change management processes, updating configuration settings and baseline, and controlling the development of test and operational environment.

According to CM-9 you'll need to:

Develop, document, and implement a configuration management plan for the server that will:

Address server roles, responsibilities, and configuration management processes and procedures.
Establish a process for identifying configuration items throughout the server development life cycle.
Define the configuration items for the server and places the configuration items under configuration management.
Be reviewed and approved by an authorized individual in the organization.
Protect the configuration management plan from unauthorized disclosure and modification.
You should assign responsibility for developing the configuration management process to organizational personnel that is not directly involved in system development.

CMMC Compliance

As mentioned in the begging, NIST 800-53 only presents 'high-level' recommendations. This is a good place to start your hardening project. In order to get more practical, it is recommended to assist in server hardening benchmarks, such as the CIS Benchmarks. Implementing automation into this process can make the difference between an endless project that is almost designed for failure in a complex enterprise IT environment, to a successful project that will help you protect your organization from common server vulnerabilities.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.