What is Server Hardening?
Server hardening is the process of securing, or "hardening", a server infrastructure by reducing its attack surface: the set of all entry points an unauthorized attacker could exploit. The objective is to enhance protection, minimize vulnerabilities and improve the overall security posture.
Server hardening is an essential prerequisite for achieving security and compliance. It is a proactive process that involves:
- Disabling unused programs and functionality that could be used for unauthorized access
- Applying stricter security settings
- Enforcing auditing and incident response best practices
The goal is to make servers less exposed to attack vectors.
Security flaws that stem from operating system and application misconfigurations are very common. Hardening recommendations also change over time, and days or even weeks can pass between a change in the recommended configuration baseline and its actual implementation on the servers, during which the organization remains exposed.
For an enterprise organization, this means:
* Exposure to configuration vulnerabilities on servers that are not properly configured and hardened
* Falling short of server compliance requirements and failing an audit
Server Hardening Challenges
There are three challenges in performing server hardening:
- Testing: Before hardening servers, it is crucial to test. Skipping testing, simulation and learning during server hardening puts daily operations at risk, yet testing demands a substantial investment in manual work.
- User Access Control: To prevent configuration drift and keep servers compliant, users who hold administrative rights must be prevented from altering the configuration of a hardened server.
- Configuration management: Managing multiple policies, each with its own role, version and target environment, becomes challenging at scale.
Increased Server Security with Server Hardening
The Center for Internet Security's 18 CIS Critical Security Controls and the NIST Cybersecurity Framework recommend that, once a new server or application is installed or updated, security hardening is performed against a robust baseline such as the CIS Benchmarks, and that adherence to this configuration baseline is maintained continuously. In practice this means continuously checking and re-applying the server's hardened state.
CalCom provides a complete solution to address these server hardening struggles. CalCom Hardening Suite (CHS) runs a non-intrusive background process that learns the activity of the server in your production environment.
The learning mode capability serves multiple functions: first, it identifies objects that cannot be hardened and records them as exceptions, providing insight into why hardening is not feasible. Second, it allows several policies to be compared for a single server, so administrators can select the most stringent policy that does not disrupt operations. Additionally, it lets system administrators apply a policy learned on one server to a group of identical servers, streamlining the process.
Server Hardening Standards: 21 Steps
Machine hardening
1. Disable legacy protocols. Remove unnecessary legacy protocols such as NTLMv1, TLS 1.0 and SMBv1 that attackers routinely abuse. Disable them wherever possible; where a dependency prevents that, configure them as restrictively as possible.
2. Enforce a secure configuration for PowerShell in the server environment. Attackers use PowerShell for lateral movement, to escalate privileges and to reach other servers on the network.
3. Enforce best practices for basic NTFS permissions on shares. Implement a tool or process that standardizes how shares and file and folder permissions are created in the organization. Once best practices are enforced, actively prevent permission degradation (permissions drifting more permissive over time).
4. Enforce a secure configuration for remote connection services. Enforce and harden RDP connections with a dedicated RDP security baseline.
5. Enforce best practice OS baselines to reduce the attack surface: user rights, network traffic, user groups, remote access, disabled AutoPlay, strong password policy, restricted vssadmin.exe, and registry keys.
6. Harden software and enforce local firewall configuration, settings and port usage. For example, block inbound traffic from TOR exit-node IP addresses known to be malicious.
7. Harden and enforce browser policies using browser policy hardening best practices. CIS publishes benchmarks for different browsers, and some settings can be configured at the OS level.
8. Antivirus: ensure antivirus is installed, hardened and up to date across all endpoints in the business. While this will not protect against zero-day exploits, much ransomware is not that sophisticated and relies on older techniques that security software already detects.
9. Patching, although not strictly configuration hardening, is just as important: verify and enforce the latest security patches for the OS, domain controllers, firewalls, antivirus and applications.
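The following PowerShell is an added example for step 1 (disable legacy protocols); it is not CalCom's code and not part of the original article. It turns off SMBv1, TLS 1.0/1.1 and LM/NTLMv1 on a Windows server. SMBv1 is put into audit mode first because legacy clients (old scanners, NAS appliances) that still depend on it will lose access once it is removed, and the SCHANNEL changes take effect only after a reboot.

```powershell
# Added example, not CalCom's code. Run as Administrator on the server being hardened.

# --- SMBv1 ---
# Audit first: every SMB1 client connection is logged as Event ID 3000 in
# Microsoft-Windows-SMBServer/Audit. Leave this on for a week or two before enforcing.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# Enforce: disable the protocol and remove the feature binaries
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature -Name FS-SMB1                                   # Windows Server
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart  # client SKUs
}

# --- TLS 1.0 and 1.1 in SCHANNEL (server and client side) ---
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$proto\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps apps from opting back in
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# --- LM / NTLMv1 ---
# LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLM (CIS Benchmark value)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
# Stop storing the weak LM hash at the next password change
Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord

# Verify the LSA values; SCHANNEL values apply after reboot
Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel, NoLMHash
```

Raising LmCompatibilityLevel on a domain member only affects what that host sends and accepts; the domain-wide effect comes from setting the same value on the domain controllers, which should be done last, after the audit shows no NTLMv1 clients remain.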
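An added example for step 2 (secure PowerShell configuration), not CalCom's code or part of the original article. It enables the three PowerShell logging channels defenders rely on, removes the PowerShell 2.0 engine (which bypasses script block logging), and sets an execution policy. The transcript directory path is an assumption; the registry values are the same ones the corresponding Group Policy settings write.

```powershell
# Added example, not CalCom's code. Run as Administrator; for fleet-wide deployment push the
# same values by GPO under Computer Configuration > Administrative Templates >
# Windows Components > Windows PowerShell.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: each script block is written (already de-obfuscated) to
# Microsoft-Windows-PowerShell/Operational as Event ID 4104
New-Item "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging (Event ID 4103) for every module
New-Item "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Transcription of every session to a directory that only administrators can read
$transcripts = 'C:\PSTranscripts'    # assumed path; lock its ACL down to Administrators/SYSTEM
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
New-Item "$base\Transcription" -Force | Out-Null
Set-ItemProperty "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty "$base\Transcription" -Name OutputDirectory -Value $transcripts

# Remove the PowerShell 2.0 engine: "powershell -version 2" runs without script block
# logging, AMSI or constrained language mode, so attackers downgrade to it
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature -Name PowerShell-V2                                          # Windows Server
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

# Execution policy is a guardrail against accidental execution, not a security boundary
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# Verify
Get-ItemProperty "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription"
```

The logs only help if they leave the box: forward the Microsoft-Windows-PowerShell/Operational channel and the transcript directory to the SIEM, because an attacker with local administrator rights can clear both.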
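An added example for step 3 (NTFS and share permissions), not CalCom's code or part of the original article. Rather than setting permissions, it finds the permission degradation the step warns about: shares where a broad principal such as Everyone or Authenticated Users has write access, either at the share level or in the NTFS ACL of the share root. The list of principals treated as "broad" is an assumption to adjust for your environment.

```powershell
# Added example, not CalCom's code. Read-only; run on the file server as an administrator.

# Principals that should never hold write access on a share (assumption; extend as needed)
$broadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                   'NT AUTHORITY\ANONYMOUS LOGON'

# NTFS rights that allow changing data or permissions. Modify and FullControl both
# include WriteData, so they match too.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {  # skip C$, ADMIN$, IPC$
    # Share-level permissions
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in 'Change', 'Full' -and
            $ace.AccountName -in $broadPrincipals) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                               Principal = $ace.AccountName; Right = $ace.AccessRight }
        }
    }
    # NTFS permissions on the share root
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights) -band [int]$writeMask) -ne 0 -and
            $ace.IdentityReference.Value -in $broadPrincipals) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                               Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights }
        }
    }
}

$findings | Format-Table -AutoSize
# Scheduled monthly and diffed against the previous run, this is the drift check the step asks for
```

Effective access is the intersection of the share ACL and the NTFS ACL, so a finding on only one layer is not yet exploitable; it is still drift from the standard and the usual first step toward an exposed share once someone "fixes" the other layer.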
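An added example that serves steps 4 (RDP baseline) and 6 (local firewall), not CalCom's code or part of the original article. It sets the host firewall to default-deny inbound, replaces the built-in any-source RDP rules with one scoped to an administrative subnet, adds a block rule for a deny list, and applies the core RDP settings (NLA, TLS security layer, high encryption). The subnet, the HTTPS rule and the deny-list addresses (RFC 5737 documentation ranges standing in for a real Tor-exit feed) are assumptions.

```powershell
# Added example, not CalCom's code. Run as Administrator. Apply from a console session or
# from the admin subnet itself, otherwise the RDP rule change will cut your own session.

$adminSubnet = '10.10.50.0/24'                       # assumed jump-host network
$denyList    = '203.0.113.0/24', '198.51.100.7'      # placeholder; feed from your Tor-exit/threat list

# Default-deny inbound on every profile, allow outbound, log drops for rule tuning
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Replace the stock "Remote Desktop" rules (any remote address) with a scoped one
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from admin subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $adminSubnet -Action Allow -Profile Domain

# Only what the server role needs (assumed web server: HTTPS)
New-NetFirewallRule -DisplayName 'HTTPS in' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# Block rules win over allow rules in Windows Firewall, so a deny list can sit beside the allows
New-NetFirewallRule -DisplayName 'Block listed Tor exit nodes' -Direction Inbound `
    -RemoteAddress $denyList -Action Block

# RDP hardening on the listener
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty $rdp -Name UserAuthentication -Value 1 -Type DWord   # NLA: authenticate before a session exists
Set-ItemProperty $rdp -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS, not legacy RDP security
Set-ItemProperty $rdp -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High (128-bit)

# Verify
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayName 'RDP from admin subnet only' | Get-NetFirewallAddressFilter
Get-ItemProperty $rdp -Name UserAuthentication, SecurityLayer, MinEncryptionLevel
```

Disabling rather than deleting the stock RDP rules keeps them visible in the console so an auditor can see what was replaced, and the drop log is the fastest way to find a service the default-deny broke during the testing phase.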
Server Hardening Checklist (Bonus)
Section 1: Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets and server operations. Review and update the configuration process documentation at least annually, aligning it with evolving security needs and technologies.
Section 2: Network Configuration: Develop and sustain a secure configuration process dedicated to network services.
Section 3: Configure Automatic Locking for Enterprise Devices: Set up automatic session locking on enterprise assets following a specified period of user inactivity.
Section 4: Server Firewall Configuration: Deploy and oversee firewall protection on servers, utilizing available options.
Section 5: End-User Device Firewall Configuration: Implement and manage host-based firewalls/port-filtering tools on end-user devices with a default-deny rule, allowing only explicitly permitted services and ports.
Section 6: Device and Software Configuration: Implement secure management practices for enterprise assets, software and security systems to keep systems secure.
Section 7: Control Default Accounts: Administer default accounts on enterprise assets and software, which encompass accounts like root, administrator, guest accounts and pre-configured vendor accounts.
Section 8: Minimize Unnecessary Services: Remove or deactivate superfluous services on enterprise assets and software.
Section 9: Trusted DNS Server Configuration: Set up reliable DNS servers on enterprise assets.
Section 10: Portable End-user Device Lockout Configuration: Implement an automatic device lockout mechanism after a specific number of local authentication failures on portable end-user devices.
Section 11: Portable End-user Device Remote Wipe Configuration: Enable remote wiping of enterprise data on enterprise-owned portable end-user devices in specific situations, such as when a device is lost or stolen or its user is no longer associated with the enterprise.
Section 12: Isolate Enterprise Workspaces on Mobile Devices: Establish separate enterprise workspaces on mobile end-user devices, using the capabilities the platform supports.
Server Hardening Guide to Prepare for the Project
1. Team collaboration:
Collaboration between the IT operations team and the security team is essential for the success of a server hardening project.
2. Planning
Review the security baselines (preferably based on the CIS Benchmarks) and make the adaptations and customizations that are relevant to your organization.
3. Testing
Testing is an integral part of making changes in an IT environment. When it comes to hardening, testing is as critical as it gets. Failing to perform suitable testing will cause damage to production servers and applications.
In many cases, failing to test properly has caused IT teams to halt the hardening project or to enforce a weak baseline policy that will not satisfy compliance and audit requirements. There are three testing scenarios to cover in a hardening project:
- Test policies before deploying them to production. This is the most important and the most challenging kind of testing. Hardening changes production at the OS level, and such changes can break applications and cause server malfunctions. To avoid damage, the infrastructure team should create a test environment that simulates production as closely as possible (server roles, applications, etc.); only after the changes are validated there can they be enforced on production servers. This phase can take a long time and requires significant effort and resources, and it never really ends, because the environment is dynamic: new applications, operating systems and policies are installed and updated frequently.
- Test server functionality after hardening, to make sure that everything still works and there are no operational problems once the policy is applied.
- Post-hardening verification: test servers locally to make sure they received the security policies and are now hardened according to the organizational policy.
4. Audit
Setting up an audit team in your IT organization (if you do not have one) is highly recommended. This can be a system administrator or a security analyst who audits the servers' policy every month or quarter. Make sure that deviations from the policy are reported and remediated as soon as possible.
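An added example for the post-hardening verification and the periodic audit described above; it is not CalCom's code or part of the original article. It compares a server against a small hardening baseline without changing anything, reports each deviation, writes a CSV for the audit trail and returns a non-zero exit code so a scheduler can alert. The baseline entries are a constructed subset (values follow the CIS Benchmark recommendations) and the CSV location is an assumption; replace both with your organization's reviewed policy.

```powershell
# Added example, not CalCom's code. Read-only audit; run as Administrator, scheduled monthly/quarterly.

# Constructed baseline: registry values and service start types the hardened state must have
$baseline = @(
    @{ Id = 'SMBv1 disabled';          Type = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1'; Expected = 0 }
    @{ Id = 'NTLMv2 only';             Type = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Id = 'TLS 1.0 server off';      Type = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; Name = 'Enabled'; Expected = 0 }
    @{ Id = 'RDP requires NLA';        Type = 'Registry'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'UserAuthentication'; Expected = 1 }
    @{ Id = 'AutoPlay off all drives'; Type = 'Registry'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Expected = 255 }
    @{ Id = 'PS script block logging'; Type = 'Registry'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Expected = 1 }
    @{ Id = 'Remote Registry disabled'; Type = 'Service'; Name = 'RemoteRegistry'; Expected = 'Disabled' }
)

function Test-HardeningBaseline {
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        if ($item.Type -eq 'Service') {
            $svc = Get-Service -Name $item.Name -ErrorAction SilentlyContinue
            $actual = if ($svc) { $svc.StartType.ToString() } else { 'Absent' }
            # A service that has been removed outright also satisfies "disabled"
            $pass = ($actual -eq $item.Expected) -or ($actual -eq 'Absent')
        } else {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
            # A missing value means the OS default applies, which is not the hardened state
            if ($null -eq $actual) { $actual = 'Missing' }
            $pass = ($actual -eq $item.Expected)
        }
        [pscustomobject]@{
            Id       = $item.Id
            Expected = $item.Expected
            Actual   = $actual
            Status   = if ($pass) { 'PASS' } else { 'DEVIATION' }
        }
    }
}

$results = Test-HardeningBaseline -Baseline $baseline
$results | Format-Table -AutoSize

# Audit trail for the compliance reviewer (assumed location)
$report = Join-Path $env:ProgramData ("hardening-audit-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format yyyyMMdd))
$results | Export-Csv -NoTypeInformation -Path $report

# Non-zero exit lets Task Scheduler, a monitoring agent or a CI job raise the deviation
if ($results.Status -contains 'DEVIATION') { exit 2 }
```

Treating a missing registry value as a deviation rather than a pass is deliberate: the audit is checking that the hardened value was explicitly set, not that nobody has turned the feature on yet.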
5. Computer Security
User Account: This falls under the realm of access control and user management, which is a fundamental aspect of computer security.
Windows Firewall: This is a key component of network security, which is essential for protecting systems and data from external threats.
File System: File system management is a part of data security and access control, ensuring that files are stored and accessed securely.
Event Log: Event logging is a critical component of system monitoring and security management, helping to detect and respond to security incidents.
Automate Your Server Hardening Project
CalCom CHS is a server hardening automation platform designed to help IT operations teams perform server hardening cost-effectively.
CHS’s Benefits:
- Deploy the required security baseline without affecting the production services.
- Reduce the costs and resources required for implementing and achieving compliance.
- Manage the hardening baseline for the entire infrastructure from a single point.
- Avoid configuration drifts and repeated hardening processes.