Server Hardening Title Author Contributors Date Reviewed By Document Version

Similar documents
CS 356 Operating System Security. Fall 2013

Windows Server Security Best Practices

Cisco Secure Ops Solution

Cloud Security Whitepaper

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Cyber Essentials Questionnaire Guidance

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

IC32E - Pre-Instructional Survey

T22 - Industrial Control System Security

5 Mistakes Auditing Virtual Environments (You don t Want to Make)

GUIDE. MetaDefender Kiosk Deployment Guide

AUTHORITY FOR ELECTRICITY REGULATION

Client Computing Security Standard (CCSS)

The Common Controls Framework BY ADOBE

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Server Security Checklist

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

SECURITY PRACTICES OVERVIEW

Information Technology Resource Management Council (ITRMC) ENTERPRISE GUIDELINES G950 SECURITY PROCEDURES

Information Security Office. Server Vulnerability Management Standards

Enterprise Guest Access

CISSP - Certified Information Systems Security Professional

CounterACT VMware vsphere Plugin

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

ClearPath OS 2200 System LAN Security Overview. White paper

Standard CIP 007 3a Cyber Security Systems Security Management

Security Architecture

PCI DSS Compliance. White Paper Parallels Remote Application Server

Reviewer s guide. PureMessage for Windows/Exchange Product tour

QuickBooks Online Security White Paper July 2017

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Better Practices to Provide Reasonable Assurance of Compliance with the CIP Standards, Part 2

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Virginia State University Policies Manual. Title: Change/Configuration Management Policy: 6810 A. Purpose

Table Of Contents INTRODUCTION... 6 USER GUIDE Software Installation Installing MSI-based Applications for Users...9

Vendor Security Questionnaire

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Computer Classroom Security Standard

Access to University Data Policy

Information Technology Procedure IT 3.4 IT Configuration Management

Medical Sciences Division IT Services (MSD IT)

Information Security Office. Information Security Server Vulnerability Management Standards

Information Technology Branch Organization of Cyber Security Technical Standard

Belarc Product Description

Survey Results: Virtual Insecurity

During security audits, over 15,000 vulnerability assessments are made, scanning the network IP by IP.

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

SERVER HARDENING CHECKLIST

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

ForeScout Extended Module for Palo Alto Networks Next Generation Firewall

Windows Server 2008 Administration

Joint System Administrator Checklist Version December 2005

Information Security Controls Policy

California State Polytechnic University, Pomona. Server and Network Security Standard and Guidelines

Sophos Enterprise Console advanced startup guide

Ensuring Your Plant is Secure Tim Johnson, Cyber Security Consultant

Standard CIP 007 4a Cyber Security Systems Security Management

MIS Week 9 Host Hardening

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

Payment Card Industry (PCI) Data Security Standard

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems.

A company built on security

PCI DSS and VNC Connect

Carbon Black PCI Compliance Mapping Checklist

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Sophos Enterprise Console

CoreMax Consulting s Cyber Security Roadmap

Table of Contents. Policy Patch Management Version Control

Standard for Security of Information Technology Resources

Cyber security - why and how

Standard Development Timeline

Standard CIP Cyber Security Systems Security Management

What s in Installing and Configuring Windows Server 2012 (70-410):

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Securing your Virtualized Datacenter. Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008

MOC 20416B: Implementing Desktop Application Environments

: Administration of Symantec Endpoint Protection 14 Exam

ForeScout Extended Module for Symantec Endpoint Protection

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

BERGRIVIER MUNICIPALITY

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Managing and Maintaining a Microsoft Windows Server 2003 Environment

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

EXAMGOOD QUESTION & ANSWER. Accurate study guides High passing rate! Exam Good provides update free of charge in one year!

CounterACT VMware vsphere Plugin

Course Content of MCSA ( Microsoft Certified Solutions Associate )

SEVENMENTOR TRAINING PVT.LTD

Sophos Enterprise Console

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Operating system hardening

Security Standards for Information Systems

Standard CIP Cyber Security Systems Security Management

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

VMware vcloud Air SOC 1 Control Matrix

Cyber Security Program

S T A N D A R D : M O B I L E D E V I C E S

Transcription:

Server Hardening The University of Waikato Title Server Hardening Author Milton Markose (Systems Administrator Security) Contributors Information Security Forum (ISF) Date 21-08-2014 Reviewed By Information Security Forum (ISF) Document Version Final V1.0 REV NO: Final V1.0 Page 1 of 10 THE UNIVERSITY OF WAIKATO

Revision History Version Date Description/Notes Author(s) 0.1 (draft) 09/12/2013 Initial Server Hardening doc Milton Markose 0.2 (draft) 01/04/2014 Updated and shared with ISF Members Dougal Mair 0.3 (draft) 22/07/2014 Amendments following review by ISF Dougal Mair 1.0 (final) 21/08/2014 Approved by ICT Committee Dougal Mair REV NO: Final V1.0 Page 2 of 10 THE UNIVERSITY OF WAIKATO

Table of Contents Purpose... 4 Scope... 4 General Guidelines Applicable to All Servers... 4 Operating System Version... 4 Patching... 4 Configuration... 5 Steps Required Before Putting a Server into Production... 5 Guidelines Applicable to Windows Servers... 5 General... 5 Virtual Server Templates... 6 GPO based Windows Server hardening... 6 Guidelines Applicable to Linux Servers... 7 General... 7 ITS Puppet server (ITS servers only)... 7 Virtual Server Templates... 7 Firewall... 8 Vulnerability testing... 8 Internal vulnerability scan... 8 External vulnerability scan... 8 Microsoft Baseline Security Analyzer... 8 On-going Server Hardening... 8 Roles and Responsibilities... 9 Definitions... 9 REV NO: Final V1.0 Page 3 of 10 THE UNIVERSITY OF WAIKATO

Purpose The purpose of this server security hardening standard is to attain a much more secure server operating environment in the University of Waikato. To protect our servers, we have established best practices and policies for hardening the server operating systems. This server hardening document explains how to deploy a server in the most secure state possible by reducing as many threat vectors as possible while maintaining the server s functionality. Scope The Server Hardening process document applies to all University servers and should be followed when a new server is setup. These server hardening guidelines are intended to be the minimum protection that each server operating system should have. Some exceptions can be allowed based on the requirement and an understanding of the risk the exception may raise; such exceptions must be properly documented. General Guidelines Applicable to All Servers Operating System Version We encourage the use of Enterprise focused operating systems. When selecting the operating system version for a new server, the support lifecycle should be taken into consideration. Only under exceptional circumstances should an operating system version that is no longer in support, or for which support will end in the near future, be installed. Pre-release or immature projects should also be avoided where possible. Where applicable, the most recent service pack / service release should be used. Patching As part of the hardening process for a new server, the following should be installed: All security updates All firmware updates recommended by the vendor All non-security updates / hotfixes recommended by the vendor The latest available device driver versions recommended by the vendor The latest anti-virus software version and virus definitions (if applicable) If any additional applications not included with the operating system are to be installed, they must also be updated in the same way. REV NO: Final V1.0 Page 4 of 10 THE UNIVERSITY OF WAIKATO

Configuration A firewall should be installed, and should be configured to block incoming access by default. Only those exceptions that are necessary for the proper functioning of the server should be enabled. Unnecessary software components should not be installed / enabled. Each server should have a distinct local administrator /root password. This password should be stored in a secure way in case it is needed. ITS Only: the local administrator / root password must be saved in KeePass Password Safe. Access to the server must be properly restricted. Each form of access must be considered; for example, a file server might be configured to grant all users access to certain network shares, but interactive logon should be restricted to System Administrators only. Steps Required Before Putting a Server into Production An internal vulnerability scan should be performed. All test data and accounts must be removed before production systems become active. All custom application accounts, usernames, and passwords must be removed prior to applications becoming active or being released to faculties. A peer review must be performed to confirm that the requirements of this document have been met. Guidelines Applicable to Windows Servers General The Symantec Endpoint Protection (SEP) client should be installed on all Windows servers. Older file systems such as FAT, FAT32, etc., which do not support file-level security and auditing, must not be used. The guest account must be disabled (unless required). No unnecessary file shares should be configured. Do not enable any unwanted services. As part of the initial patching process, and again before being put into production, Windows Servers should be scanned against Windows Update or Microsoft Update as well as against the appropriate WSUS server. REV NO: Final V1.0 Page 5 of 10 THE UNIVERSITY OF WAIKATO

Virtual Server Templates To simplify virtual server deployment, ITS maintains templates for all versions of Windows commonly used in the University. In most cases, faculty requests to the Systems Team will be for a new blank Virtual Server (without any OS) or for a new Virtual server based on the existing templates. In either case, the Systems Administrators or Systems Owner of the new server is responsible for ensuring that the deployment conforms to the Server Hardening standards. These templates are maintained by the ITS Systems Team and will be configured in accordance with the Server Hardening standards: They will have the latest service packs installed and be kept reasonably current with post-service pack updates. They will have the Symantec Endpoint Protection (SEP) client installed and be kept reasonably current with anti-virus definitions. They will have the guest account disabled. They will have no non-administrative file shares configured. The Windows Firewall will be enabled with no unnecessary exceptions configured. They are configured with defined disk size(s). They are configured by default with isolated network settings. GPO based Windows Server hardening The University of Waikato recommends that all Windows based servers make use of the GPO settings created and maintained by ITS Infrastructure team. These security GPOs are created using the Security Compliance Manager (SCM) tool which brings together Microsoft s best practices around security settings. Changes to these GPOs will only be made following consultation with the ISF, and will follow the change management process. REV NO: Final V1.0 Page 6 of 10 THE UNIVERSITY OF WAIKATO

Guidelines Applicable to Linux Servers General ITS Only: all critical systems logs should be saved to SCARAB. ITS Only: the standard repository must be configured to fetch packages from SCARAB. ITS Puppet server (ITS servers only) The ITS Systems Team uses Puppet Server to setup and configure new ITS Linux servers. Two instances of puppet servers are running to form a Puppet cluster system. ITS has the standard repository created on SCARAB (the Systems Team s Operations server) for all the ITS Linux servers and the repository is updated every night. Puppet modules are configured to ensure that: Specified users are allowed to access the server with the right permissions and all other user access is blocked. Unwanted services are stopped and disabled. Only required packages are installed. Nagios is configured for monitoring purposes. The Networker client is installed where required. The standard repository configuration is used. IPTABLEs are configured with only those rules that are required to communicate. Virtual Server Templates To simplify virtual server deployment, ITS maintains templates for certain versions of Linux that are in common use in the virtual environment. In most cases, faculty requests to the Systems Team will be for a new blank Virtual Server (without any OS) or for a new Virtual server based on the existing templates. In either case, the Systems Administrators or Systems Owner of the new server is responsible for ensuring that the deployment conforms to the Server Hardening standards. These templates are maintained by the ITS Systems Team and will be configured in accordance with the Server Hardening standards: They will be kept reasonably up to date with the latest patches. Unwanted services will be stopped and disabled. Only required packages will be installed. IPTABLEs will be configured with only those rules that are required to communicate. They are configured with defined disk size(s). REV NO: Final V1.0 Page 7 of 10 THE UNIVERSITY OF WAIKATO

Firewall Once the server is ready, it should be configured within the University s firewall with policy appropriate to the server s role. A LANDesk request should be sent to the Networks Team with the list of ports to be opened for the server. Please note - configuring the firewall is not as straightforward as opening ports externally (i.e. to the Internet and REANNZ network). Due to internal virtual security domains (VDOMs) there are policies required for internal networks as well (e.g. eduroam, the VPN link to Tauranga, etc). If System Administrators are unsure of what firewall configuration changes they need for a new server they should consult with the ITS Networks Team. Preferably, an internal vulnerability scan should be performed (and all issues addressed) before requesting any firewall changes. Vulnerability testing All servers should undergo a vetting process that includes external and internal vulnerability scanning. All vulnerabilities should be addressed before the server goes into the production environment. Internal vulnerability scan The internal vulnerability assessment of a server should be done using the ITS Infrastructure Team s FortiAnalyzer system. The scan should be an authenticated one with a Full scan option. A LANDesk request should be sent to the ITS Systems Team when ready for this scan to be completed. External vulnerability scan The University of Waikato uses OpenVAS scanning software to perform external scanning on servers. Thorough scanning will be done on a new server based on its operating system before the server goes live. Microsoft Baseline Security Analyzer All Windows based servers should be tested using the Microsoft Baseline Security Analyzer tool to identify missing security updates and common security misconfigurations before they go to production. On-going Server Hardening As security vectors change, the security measures applied to servers will need ongoing assessment. Once servers are live, the steps below should be followed to ensure a secure environment. Periodic patching when updates are released by the vendors. This includes both the operating system and any installed applications, and is described in Patch Management - Servers and Services policy document. Scheduled internal and external scanning to identify any new vulnerabilities. REV NO: Final V1.0 Page 8 of 10 THE UNIVERSITY OF WAIKATO

Roles and Responsibilities System Owners and System Administrators are responsible for ensuring that the deployment of servers is managed according to these standards. Oversight of System Owners and System Administrators, to ensure that these standards are followed consistently, is the responsibility of the relevant line manager(s) as well as the Dean, Head, or Chairperson. In the case of ITS, this responsibility is delegated to the System Administrator Security. Additional oversight is provided by the ISF group. ITS is responsible for maintenance of the virtual machine templates. ITS is responsible for conducting vulnerability scanning. ITS is responsible for maintenance of the Windows server GPOs. Definitions Service - IT functionality provided by software running on a server. Services may be provided by the server s operating system itself, or by a separate installed software package. Server - a physical or virtual computer providing one or more services. Update, Patch, Hotfix - a modification to or new version of software, typically correcting one or more faults in the software, improving performance, and/or adding new functionality. Upgrade - a new and significantly changed version of software. This is most often applicable to operating systems or major application packages. Upgrades generally take more work and are slower to install than updates, and require more extensive precautions such as an extended testing period. Service release or service pack - a release of software that bundles together several patches and/or updates to provide a clear benchmark or version level of release (e.g. Service Pack 1). Service packs typically take longer to install than individual updates, and require some additional testing, but not as much as upgrades. Device Driver - Software required by the operating system to make a piece of hardware function. ITS Only - as used in this document, ITS Only describes policy and procedures applicable to ITS. KeePass - KeePass Password Safe is a software password management utility. Nagios - an open source computer system monitor, network monitoring and infrastructure monitoring software application. REV NO: Final V1.0 Page 9 of 10 THE UNIVERSITY OF WAIKATO

Networker - a backup solution from EMC. Puppet - an open source configuration management tool. Firewall - a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or host. FortiAnalyzer - a network vulnerability scanner used by University to perform internal scanning. OpenVAS - a framework of several services and tools offering a vulnerability scanning and vulnerability management solution. GPO - Group Policy Object, used to change configuration settings on computers within a Windows Active Directory domain. REV NO: Final V1.0 Page 10 of 10 THE UNIVERSITY OF WAIKATO

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback