What is secure configuration review?
A secure configuration review is the process of reviewing the key settings of a company's servers, network devices, applications, and other IT components. The objective of the review is to harden those systems so that they can withstand both local and network-level attacks.
Checklist in System Hardening:
A security configuration checklist is a document that contains hardening guidelines and instructions or procedures for implementing security controls when configuring an IT product for a secure operational environment. It contains key guidelines for enabling Authorization, Authentication and Accounting in an IT system before it is made operational. Many non-profit research organizations, forums and consortia, such as CIS, NIST, CERT and DIST, publish hardening checklists for commonly used servers, network devices and other applications.
What is the best way to harden the system?
- Configure and apply automatic updates (via GPO or WSUS).
- Confirm that security updates are installed on a regular basis.
- Change default or guessable account passwords to something non-obvious.
- Remove or disable unnecessary software.
- Disable any auto-run feature that allows file execution without user authorization.
- Ensure the system time and date are accurate, and set up time synchronization.
- Configure log collection.
- Configure automatic periodic backups.
- Authenticate users before enabling Internet-based access to commercially or personally sensitive data, or to data critical to the running of the organization.
- If required, install anti-malware software (it must always be kept up to date).
- Schedule vulnerability scans to run, and review their results, at least monthly.
- Install anti-spyware software.
- Do not allow any shares to be accessed anonymously.
- Remove or disable any user accounts that are not necessary for the server or application to function properly.
- Configure the device boot order on all computers.
- Enable automatic notification of patch availability.
- Disable NetBIOS over TCP/IP.
- Block access to unnecessary ports and services.
- Record each change made to each server.
- Thoroughly test and validate every proposed change to server hardware or software.
Sample checklist for OS Hardening
- User configuration: protect your credentials. Require all users to use strong passwords and to change them on a regular basis.
- Network configuration: establish communications.
- Features and roles configuration: add what you need, remove what you don't.
- Update installation: patch vulnerabilities. Automatically apply OS updates, service packs, and patches.
- NTP configuration: prevent clock drift.
- Firewall configuration: minimize your external footprint.
- Remote access configuration: harden remote administration sessions. Restrict unauthorized access and implement privileged-user controls.
- Service configuration: minimize your attack surface. Remove or disable non-essential software, drivers, services, file sharing, and functionality that can act as back doors into the system.
- Further hardening: protect the OS and other applications.
- Logging and monitoring: know what's happening on your system. Log all activity, errors, and warnings.
Sample checklist for Database configuration review
- Regularly perform a risk assessment.
- Disable automatic administrative logon to the recovery console.
- Configure account lockout settings in Group Policy.
- Disallow users from creating and logging in with Microsoft accounts.
- Disable the guest account on Windows computers.
- Install the latest service packs and hotfixes from Microsoft.
- Restrict the ability to access servers from the network to Administrators and Authenticated Users.
- Configure Microsoft Network Server to always digitally sign communications.
- Do not allow "Everyone" permissions to apply to anonymous users.
- Do not allow anonymous enumeration of SAM accounts and shares.
- Disable anonymous SID/Name translation.
- Disable or delete unused user accounts.
- Enable the Windows Firewall in all profiles (domain, private, public).
- Restrict the ability to access each computer from the network to Authenticated Users only.
- Deny guest accounts the ability to log on as a service, as a batch job, locally, or via RDP.
- If RDP is used, set the RDP connection encryption level to High.
- Clear the "Enable LMHOSTS lookup" option.
- Remove ncacn_ip_tcp.
- Disable the sending of unencrypted passwords to third-party SMB servers.
- Allow Local System to use the computer identity for NTLM.
- Configure the allowable encryption types for Kerberos.
- Remove file and print sharing from the network settings.
- Configure registry permissions.
- Protect the registry from anonymous access.
- Set MaxCachedSockets (REG_DWORD) to 0.
- Set SmbDeviceEnabled (REG_DWORD) to 0.
- Set AutoShareServer to 0.
- Set AutoShareWks to 0.
- Delete all value data inside the NullSessionPipes key.
- Delete all value data inside the NullSessionShares key.
- Remove unneeded Windows components.
- Enable the built-in Encrypting File System (EFS) on NTFS volumes, or BitLocker, on Windows Server.
- If the workstation has a large amount of random access memory (RAM), disable the Windows swap file.
- Do not use AUTORUN.
- Require Ctrl+Alt+Del for interactive logins.
- Ensure all volumes use the NTFS file system.
- Configure local file and folder permissions.
- Remove Guest, Everyone and ANONYMOUS LOGON from the user rights lists.
- Set the system date and time, and configure the system to synchronize against the domain time servers.
- Enable the audit policy.
- Configure log shipping to a SIEM for monitoring.
- Make an image of each Windows Server installation after hardening.
- Join the server to the domain and apply your domain group policies.
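As a worked illustration of what a configuration review of the Windows items above looks like in practice, the following read-only PowerShell script (added here; it is not part of the original page or of Qseap's own tooling) reads the registry values and firewall profile state behind several checklist items and reports PASS or FAIL for each. The registry locations, and the mapping of the "anonymous enumeration" and "Everyone permissions for anonymous users" items onto RestrictAnonymousSAM, RestrictAnonymous and EveryoneIncludesAnonymous, are taken from common Windows hardening baselines and should be treated as assumptions to be confirmed against your own reference checklist; the location used for MaxCachedSockets in particular is assumed.

```powershell
# Added example (not from the original page): read-only audit of registry- and
# firewall-backed items from the Windows hardening checklist above.
# Registry locations are assumptions taken from common hardening baselines;
# verify them against your organisation's reference checklist before relying on them.
# Run from an elevated PowerShell session; nothing here modifies the system.

# Checklist items that map to a single REG_DWORD value.
$DwordChecks = @(
    @{ Item = 'AutoShareServer = 0 (no automatic admin shares on servers)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer'; Expected = 0 }
    @{ Item = 'AutoShareWks = 0 (no automatic admin shares on workstations)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareWks'; Expected = 0 }
    @{ Item = 'SmbDeviceEnabled = 0'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Name = 'SmbDeviceEnabled'; Expected = 0 }
    @{ Item = 'MaxCachedSockets = 0'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'   # assumed location
       Name = 'MaxCachedSockets'; Expected = 0 }
    @{ Item = 'No anonymous enumeration of SAM accounts (RestrictAnonymousSAM = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Expected = 1 }
    @{ Item = 'No anonymous enumeration of SAM accounts and shares (RestrictAnonymous = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1 }
    @{ Item = 'Everyone permissions do not apply to anonymous users (EveryoneIncludesAnonymous = 0)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Item = 'RDP encryption level High (MinEncryptionLevel = 3)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'MinEncryptionLevel'; Expected = 3 }
)

# Checklist items whose REG_MULTI_SZ value must contain no entries.
$EmptyMultiStringChecks = @(
    @{ Item = 'NullSessionPipes contains no entries'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'NullSessionPipes' }
    @{ Item = 'NullSessionShares contains no entries'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'NullSessionShares' }
)

# Read one registry value, returning $null when the key or the value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

$Results = @(
    foreach ($c in $DwordChecks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        # An absent value means the OS default applies. The checklist asks for an explicit
        # setting, so it is reported as FAIL for the reviewer to confirm, not assumed compliant.
        $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
        $status = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Item = $c.Item; Actual = $shown; Status = $status }
    }
    foreach ($c in $EmptyMultiStringChecks) {
        # Drop null/empty strings so an absent value and an empty multi-string both pass.
        $entries = @(@(Get-RegValue -Path $c.Path -Name $c.Name) |
                     Where-Object { -not [string]::IsNullOrEmpty($_) })
        $shown  = if ($entries.Count -eq 0) { '<empty>' } else { $entries -join ', ' }
        $status = if ($entries.Count -eq 0) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Item = $c.Item; Actual = $shown; Status = $status }
    }
    # Windows Firewall must be enabled in every profile (domain, private, public).
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        foreach ($p in @(Get-NetFirewallProfile)) {
            $enabled = [string]$p.Enabled
            $status  = if ($enabled -eq 'True') { 'PASS' } else { 'FAIL' }
            [pscustomobject]@{ Item = "Windows Firewall enabled ($($p.Name) profile)"; Actual = $enabled; Status = $status }
        }
    }
)

$Results | Format-Table -AutoSize -Wrap
$failed = @($Results | Where-Object { $_.Status -eq 'FAIL' }).Count
Write-Output "$failed of $($Results.Count) checks need attention."
```

The script only reads settings; remediation stays a separate, change-controlled step, as the checklist itself requires (record and test every change). A value reported as `<not set>` is not necessarily non-compliant, since the Windows default may already match the desired state, but a configuration review should record the explicit value rather than rely on the default, which is why the script flags it.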
Configuration Audit of Network Security Device
Network devices are critical to the operation of every organization, and their compromise can have a huge impact that is immediately quantifiable in lost revenue and productivity.
A network device audit by Qseap provides a comprehensive and detailed security audit of network components (firewalls, switches, routers, IPS, IDS, etc.) to ensure that weaknesses in their configurations are identified and remediated, reducing the risk of a security incident.