Comments on: Open IT Forum: What are your suggestions for server hardening?

By: Member Guide: Server hardening tips & tricks - Enterprise IT Watch Blog

Member Guide: Server hardening tips & tricks - Enterprise IT Watch Blog — Wed, 15 Dec 2010 17:06:52 +0000

[...] adding some redundancy, we were curious as to what our users are doing in their own data centers. We asked our members and here’s what we got: Carlosdl suggests proper preparation with a [...]

By: mpez0

mpez0 — Mon, 13 Dec 2010 16:08:26 +0000

The US DoD Information Assurance Support group offers Security Technical Information Guides that provide the checklists for computer security from the US Government.

By: mpez0

mpez0 — Mon, 13 Dec 2010 16:06:00 +0000

The US DoD Information Assurance Support group offers

By: rechil

rechil — Sat, 11 Dec 2010 11:37:08 +0000

From my point of view.... Preparing the Infrastructure: A server should never be installed without a purpose. Usually, the purpose is to provide one or more network services to a group of users. The server and the services it provides must be placed in a proper environment. Customize / Minimize Server installation: Like most distros, they provide a minimal installation option. At the time of installation, can select this options during the initial installation process and it will install a minimal build on the system. Selection the Services: After installation, be aware that most distros initialize a lot of unnecessary services. To overcome this, use the built-in configuration management tool to reconfigure services. Remember, the CMT varies from one distro to another. Remote Management: Be extra careful, when configuring remote service. : This i s an important service will to retain is the secure shell (SSH), which allows secure remote management of hosts. Firewall: This is very crucial stage, and do restrict the services, that can provide more safe zone for the server. Password Policy: one of the best defense against compromise of a user account is a solid password policy. Ensure that users understand that simple passwords are easily guessable and should not be used. Keep Packages up-to-date: Proactive policy is the best choice line of defense; it is always better to anticipate a disaster than to have to recover from one which could have been prevented (A very popular proverb is there, "Prevention is better than cure"). One of the best things can do to protect host from attack is keep them up-to-date. Thanks !

By: carlosdl

carlosdl — Thu, 09 Dec 2010 23:17:51 +0000

Forgot to post this link: Microsoft Security Compliance Manager: "Brief Description The Microsoft Security Compliance Manager provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies".

By: carlosdl

carlosdl — Thu, 09 Dec 2010 23:12:31 +0000

These are some basic actions that should be taken independently of the platform:

-Don’t connect the server to an unsecure network until it has been properly hardened
-Install the latest service pack for the OS and all applicable updates to the applications running on it.
-Lock/disable/delete any unnecessary user accounts
-Stop and disable any unnecessary services/daemons
-Change all default passwords and default configurations (OS and applications)
-Use the principle of least privilege regarding user accounts.
-Set a password complexity policy
-Configure the OS to lock the session after certain inactivity period.
-Install and configure a software firewall
-Install antivirus/antispyware software
-Consider enabling auditing of some events
-Consider setting a policy to review event logs periodically

—————–

Melanie, can you share with us what ITKE did to harden the new servers ?

By: labnuke99

labnuke99 — Thu, 09 Dec 2010 14:12:16 +0000

Checkout the CIS security benchmarks - this is a very extensive list of suggested hardening criteria for many platforms. Per the CIS website:

The Security Configuration Benchmarks are distributed free of charge to propagate their worldwide use and adoption as user-originated, de facto standards.

The CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.

The Benchmarks are:

•Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices;
•Unique, because the recommendations are defined via consensus among hundreds of security professionals worldwide;
•Downloaded several hundred thousand times per year;
•Distributed free of charge by CIS in .PDF format (many benchmarks are also available to CIS Members in XCCDF, a machine-readable XML format for use with benchmark audit tools and Members' custom scripts);
•Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.