Hardening the IT infrastructure from servers to applications

Hardening the IT infrastructure is an obligatory task for achieving an attack-resilient infrastructure and for complying with regulatory requirements. Attackers target information systems and websites on an ongoing basis using various cyber-attack techniques, commonly called attack vectors.

To reduce the growing number of dynamically emerging cyber-attacks, information systems and servers in particular need to be hardened. Hardening is an unusual security task: the requirement comes from the security team, but it is usually executed by operations teams. If you are managing a hardening project, learn more about how to automate hardening tasks.

Hardening the 4 main infrastructure layers

Hardening activities can be classified into a few different layers:

– Server hardening

– Application hardening

– Operating System hardening

– Database hardening

The default configuration of most operating environments, servers, applications and databases is not designed with security as its main focus; the defaults concentrate on usability and functionality. This means that without hardening, these information assets run a high level of security risk.

The following are some of the effective hardening techniques followed by organizations across the globe:


Server hardening guidelines

Server hardening, in its simplest definition, is the process of boosting a server’s protection using viable, effective means. It is recommended to use the CIS benchmarks as a source for hardening baselines. Below is a list of high-level hardening steps that should be taken at the server level.

Important notice: Never attempt to establish or test hardening procedures on a production system unless you are using a proper hardening impact analysis tool.

  • Implement a “least functionality” approach. For example: do not install the IIS server on a domain controller or
  • Install the appropriate post-Service Pack security hot fixes
  • Avoid installing applications on the server unless they are absolutely necessary to the server’s function. For example, don’t install e-mail clients, office productivity tools, or utilities that are not strictly required for the server to do its job
  • Use two different network interfaces in the server: one for regular network traffic and the other for administration
  • Set up a secure remote administration channel for the server
  • Harden the OS and application layers (see below)
  • Consider using the server’s local firewall (Windows Firewall on Windows, iptables on Linux) and AppArmor
  • Avoid the use of insecure protocols for processing requests, especially those that send information (e.g. passwords) in plain text
  • Keep a backup for all your data and files.
  • Secure separate partitions.
  • When hosting multiple applications, make sure that each has its own accounts, separate from the others.
  • Never provide write access to web content directories.
  • Remove administrative shares if not needed.
  • Closely monitor failed login attempts. Lock accounts after a specified number of failures.
  • Rename the guest account even though it may be disabled.
  • Enable account lockout on the local administrator account
  • Rename the local Administrator account to something other than Administrator
  • Enforce strong account and password policies for the server.
  • Do not allow users and administrators to share accounts.
  • Disable FTP, SMTP, NNTP and Telnet services if they are not required.
  • Install and configure URLScan.
  • Authentication should be put in place for non-public sites and for sites that are only to be accessible by internal users.
  • Web server logs should be reviewed routinely for suspicious activity. Attempts to access unusual URLs on the web server typically indicate an attempt to exploit problems in outdated or unpatched web servers.
  • Domain Name Servers (DNS) translate human-friendly names for network destinations (such as a web site URL) into the IP addresses understood by routers and other network devices. Steps should be taken to ensure DNS software is updated regularly and that all access to servers is authenticated, to prevent unauthorized zone transfers.
  • Access to the server may be prevented by blocking port 53, or restricted by limiting access to the DNS server to one or more specified external systems.
  • Anonymous FTP accounts should be used with caution and monitored regularly.
  • In the case of authenticated FTP it is essential that Secure FTP be used so that login and password credentials are encrypted, rather than transmitted in plain text. 
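One of the items above, monitoring failed logins and locking accounts after a set number of failures, as an added example that is not part of the original article: this Python script parses constructed sshd-style log lines and reports which accounts crossed a failure threshold inside a sliding time window. The threshold, the window length and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines (not captured from any real host).
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 web01 sshd[2101]: Failed password for svc_backup from 203.0.113.7 port 51812 ssh2
Mar 10 09:00:09 web01 sshd[2103]: Failed password for svc_backup from 203.0.113.7 port 51820 ssh2
Mar 10 09:00:15 web01 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
Mar 10 09:00:22 web01 sshd[2107]: Failed password for svc_backup from 203.0.113.7 port 51841 ssh2
Mar 10 09:00:31 web01 sshd[2109]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 09:00:40 web01 sshd[2111]: Failed password for svc_backup from 203.0.113.7 port 51855 ssh2
Mar 10 09:00:50 web01 sshd[2113]: Failed password for svc_backup from 203.0.113.7 port 51860 ssh2
Mar 10 09:30:00 web01 sshd[2140]: Failed password for alice from 198.51.100.4 port 40010 ssh2
"""

# Syslog timestamp, host, sshd pid, then the failure message with optional
# "invalid user" (an account name that does not exist on the host).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source) for every failed-login line.
    Syslog lines carry no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def accounts_to_lock(text, threshold=5, window_seconds=600):
    """Return {user: (failures, last_source)} for accounts that reached
    `threshold` failures inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    locked = {}
    for ts, user, src in parse_failures(text):
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and user not in locked:
            locked[user] = (len(q), src)
    return locked


if __name__ == "__main__":
    for user, (n, src) in accounts_to_lock(SAMPLE_AUTH_LOG).items():
        print(f"lock {user}: {n} failures, last from {src}")
```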


Application hardening

Application hardening is the process of securing applications against local and internet-based attacks. It is implemented by removing the functions or components that you don’t require, restricting access, and making sure the application is kept up to date with patches. Maintaining application security is very important because the application needs to remain accessible to users. Many applications have buffer-overflow problems in legitimate user input fields, so patching the application is the only way to secure it from attack. The following are some of the successfully proven application hardening guidelines:

  • Apply vendor-provided patches in a timely manner for all third-party applications
  • When securing IIS, the first step is to remove all sample files. IIS ships with sample files intended to help users examine working examples and use them as a reference when constructing their web sites, but these sample files are full of vulnerabilities and holes, so they should never be present on a production web server.
  • Sample files are stored in virtual and physical directories, so to remove the IIS sample application, remove both the virtual and the physical directories. For example, the IIS samples are present in the virtual directory \IISSamples, whose location is C:\Inetpub\IISsample.
  • The next step in securing IIS is to set up the appropriate permissions for the web server’s files and directories; this is done using Access Control Lists (ACLs).
  • Avoid the use of insecure protocols for processing requests, especially those that send information (i.e. passwords) in plain text.
  • Never install IIS unless the server is to be a dedicated Web Server
  • Install and configure SSL
  • Install and configure a web application firewall (WAF)
  • Avoid installing and do not run network device firmware versions that are no longer available from the manufacturer.
  • Closely monitor the security bulletins applicable to applications and other software used.
  • Use cryptographic and checksum controls wherever applicable.
  • Implement Active Directory, which allows a single login to multiple applications, data sources and systems and includes advanced encryption capabilities such as Kerberos and PKI.


Database hardening guidelines

Databases often store sensitive data, and incorrect data or loss of data can negatively affect business operations. Compromised databases can also be used as a base for attacking other systems. The following are some of the successfully proven database hardening guidelines:

  • Having a TNS Listener Password (encrypted) to prevent unauthorized administration of the Listener
  • Turning on Admin Restrictions to ensure certain commands cannot be called remotely
  • Turning on TCP Valid Node Checking to allow only certain hosts to connect to the database server and reject all others
  • Switching off XML Database if it is not used
  • Turning off External Procedures if not required
  • Encrypting Network Traffic using the Oracle Net Manager tool
  • Locking and Expiring Unused Accounts
  • Defining user account naming standards
  • Defining and Enforcing Password Policy
  • Role based access control privileges
  • Periodic review and revoking of any unnecessary permissions
  • Enabling data protection to prevent users from accessing sensitive tables
  • Ensuring usage of PL/SQL coding standard
  • Carrying out database security audits in a periodic manner
  • Disabling all the Null sessions (anonymous logons).
  • Rolling out all the necessary database patches as soon as they are released by the vendors.
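The listener and network items above (admin restrictions, valid node checking, encrypted traffic, external procedures) as an added example, not part of the original article: a Python checker that reads constructed sqlnet.ora and listener.ora fragments and reports which of those settings are still at their insecure defaults. The file contents and host names are constructed; the parameter names are Oracle Net parameters, and the checker only understands top-level `KEY = VALUE` lines.

```python
import re

# Constructed sqlnet.ora / listener.ora fragments (not from any real system):
# a default-style pair and a hardened pair.
WEAK_SQLNET = """\
TCP.VALIDNODE_CHECKING = NO
"""
WEAK_LISTENER = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = PLSExtProc)(PROGRAM = extproc)))
"""
HARDENED_SQLNET = """\
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.5.10, 10.0.5.11, app01.example.internal)
SQLNET.ENCRYPTION_SERVER = REQUIRED
"""
HARDENED_LISTENER = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01)(PORT = 1521)))
ADMIN_RESTRICTIONS_LISTENER = ON
"""

# Top-level "KEY = VALUE" lines; nested lines start with "(" and are skipped.
PARAM_RE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*?)\s*$", re.MULTILINE)


def parameters(text):
    """Map upper-cased parameter names to their raw (unparsed) values."""
    return {k.upper(): v for k, v in PARAM_RE.findall(text)}


def audit_oracle_net(sqlnet_ora, listener_ora, listener_name="LISTENER"):
    """Return a list of findings; an empty list means every check passed."""
    sq, li = parameters(sqlnet_ora), parameters(listener_ora)
    findings = []
    if li.get(f"ADMIN_RESTRICTIONS_{listener_name}", "OFF").upper() != "ON":
        findings.append("admin restrictions off: listener SET commands accepted remotely")
    if sq.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        findings.append("valid node checking disabled: any host may connect")
    elif not sq.get("TCP.INVITED_NODES", "").strip("() \t"):
        findings.append("valid node checking on but TCP.INVITED_NODES is empty")
    if sq.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED").upper() != "REQUIRED":
        findings.append("network encryption not required: sessions may be cleartext")
    if "extproc" in listener_ora.lower():
        findings.append("external procedures (extproc) are served by the listener")
    return findings
```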

Operating System hardening guidelines

Operating System hardening is the process that helps in reducing the cyber-attack surface of information systems by disabling functionalities that are not required while maintaining the minimum functionality that is required. The following are some of the successfully proven operating system hardening guidelines:

  • Keep operating systems updated with the latest, most robust versions. Also make sure that security patches and hot fixes are constantly updated.
  • Install the latest Service Pack for the operating systems used
  • Routers and wireless access points should be protected with strong passwords
  • Remove unnecessary drivers
  • Do not create more than two accounts in the Administrators group
  • Disable or delete unnecessary accounts quarterly
  • Disable Non-essential services
  • Enable audit logs to capture successful and failed login attempts, usage of elevated privileges and all kinds of unauthorized activity
  • Secure CMOS settings.
  • File and Directory Protection – Through the use of Access Control Lists (ACLs) and file permissions.
  • File and File System Encryption – All disk partitions are formatted with a file system type with encryption features (NTFS in the case of Windows)
  • Operating system is configured to log all activity, errors and warnings.
  • Secure separate partitions.
  • Tighten NTFS/Registry Permissions
  • Configure appropriate settings for access control on file shares, given that permissions are set through NTFS security features
  • Disable any unnecessary file sharing
  • Remove administrative shares if not needed.
  • Ensure services are running with least-privileged accounts.
  • Strong Password management 


Defense in Depth approach adopted in applying hardening

Because hardening has to be performed at different levels, it aligns completely with the defense in depth strategy that organizations adopt when designing their information and cyber security architecture. A defense in depth approach to hardening ensures that security is addressed at the host level, the application level, the operating system level, the user level, the physical level and all other sub-levels in between. A hardening process implemented on this basis will include security measures at each of these layers.

Conclusion

Cyber-attacks are highly dynamic these days, and every new attack raises new concerns about the security of the costly network-based information systems owned by business organizations. Continuous system hardening keeps information security configurations checked on an ongoing basis, which helps reduce the cyber-attack surface of organizations. Applied effectively, hardening improves the resiliency of an organization’s existing cyber-security environment. Organizations should therefore verify their information system vulnerabilities periodically through Vulnerability Analysis & Penetration Testing and apply the appropriate hardening techniques. This will help them improve the performance and security posture of their information systems to the next optimum level, with high performance and fewer expensive system failures.