To conclude this chapter, let's look at some valuable resources that provide hardening guidelines and automation techniques. Such documents and tools can assist in implementing the hardening best practices described throughout this chapter. Using a checklist or a script to harden hosts helps ensure that they are built in a consistent manner every time and that the extent of hardening applied to the systems is properly documented.

Automating Host-Hardening Steps

If you expect to deploy more than one system in your organization, it often makes sense to automate the OS installation process, configuring the OS in a locked-down manner as part of the base build. You can accomplish this with Windows through the use of techniques such as Unattended Answer Files (UAF) and Remote Installation Services (RIS). A similar approach works with UNIX-based systems as well. For instance, the Sun Solaris "JumpStart" mechanism allows you to create a custom profile for the system that begins with Solaris Core System Support Software Group (abbreviated as SUNWCreq), along with any additional packages your host may require.

In situations where beginning with a minimalist OS build is impossible or impractical, you will have to remove unneeded programs, libraries, and configuration files after installing the OS. We suggest carefully documenting and, when possible, automating this procedure to ensure that you end up with a setup that is predictable, reliable, and consistent with your intentions.

A number of freely available tools can help you automate these host-hardening steps as well as those discussed throughout this chapter. The following list includes some of the more popular utilities of this nature that are available for free:
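
The advice above to document and automate the removal of unneeded software, as an added example that is not from the original text: a POSIX shell script that compares a host's installed packages with a documented baseline and reports what to remove or add. The file layout and all package names are constructed assumptions; on a real host the installed list would come from the platform's package tool.

```shell
#!/bin/sh
# Added example (not from the original text): compare a host's installed
# packages with a documented baseline and record what must be removed.
# All package names below are constructed sample data.

# Strip comments, surrounding whitespace and blank lines; sort for comm(1).
normalize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$' | sort -u
}

# audit BASELINE INSTALLED: print "REMOVE <pkg>" for packages outside the
# baseline and "MISSING <pkg>" for baseline packages that are not installed.
audit() {
    _base=$(mktemp) _inst=$(mktemp)
    normalize "$1" > "$_base"
    normalize "$2" > "$_inst"
    comm -13 "$_base" "$_inst" | sed 's/^/REMOVE /'
    comm -23 "$_base" "$_inst" | sed 's/^/MISSING /'
    rm -f "$_base" "$_inst"
}

# Write constructed sample inputs into directory $1.
make_sample() {
    cat > "$1/baseline.txt" <<'EOF'
# Approved minimal build for a web server (constructed)
core-os
openssh-server   # remote administration
httpd
EOF
    cat > "$1/installed.txt" <<'EOF'
core-os
httpd
telnet-server
gcc
EOF
}

# Demonstration: the report doubles as documentation of the hardening run.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit "$demo_dir/baseline.txt" "$demo_dir/installed.txt"
rm -rf "$demo_dir"
```

Keeping the baseline file under version control gives each build the same target and leaves a record of why each package is allowed.
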

If a hardening toolkit does not meet your needs, you can replace or augment it with a collection of your own scripts that perform the steps you would need to take if locking down the host's configuration by hand.

Common Security Vulnerabilities

The SANS Top 20 Vulnerabilities list (http://www.sans.org/top20) provides a concise and authoritative summary of the most often exploited vulnerabilities. The purpose of creating this list was to help administrators start securing their hosts against the most common threats, without feeling overwhelmed by the task. We recommend that you review this list to verify that your hardening procedures account for the top 20 weaknesses and that your hosts' configurations do not match this "most wanted" list. Understanding the vulnerabilities in the system's configuration goes a long way toward helping to arm your hosts against them.

Hardening Checklists

Many great resources on the Internet contain detailed information on hardening various operating systems. For example, numerous software vendors provide security guidelines or step-by-step instructions on their websites. A general resource with many papers related to operating system, network, and application security is the SANS Reading Room, located at http://www.sans.org/rr. You can also find the following free OS hardening documents, helpful in defining procedures for securing your own hosts: