Additional Hardening Guidelines


To conclude this chapter, let's look at some valuable resources that provide hardening guidelines and automation techniques. Such documents and tools can assist in implementing the hardening best practices described throughout this chapter. Using a checklist or a script to harden hosts helps ensure that they are built in a consistent manner every time and that the extent of hardening applied to the systems is properly documented.

Automating Host-Hardening Steps

If you expect to deploy more than one system in your organization, it often makes sense to automate the OS installation process, configuring the OS in a locked-down manner as part of the base build. You can accomplish this with Windows through the use of techniques such as Unattended Answer Files (UAF) and Remote Installation Services (RIS). A similar approach works with UNIX-based systems as well. For instance, the Sun Solaris "JumpStart" mechanism allows you to create a custom profile for the system that begins with Solaris Core System Support Software Group (abbreviated as SUNWCreq), along with any additional packages your host may require.

In situations where beginning with a minimalist OS build is impossible or impractical, you will have to remove unneeded programs, libraries, and configuration files after installing the OS. We suggest carefully documenting and, when possible, automating this procedure to ensure that you end up with a setup that is predictable, reliable, and consistent with your intentions.

A number of freely available tools can help you automate these host-hardening steps as well as those discussed throughout this chapter. The following list includes some of the more popular utilities of this nature that are available for free:

  • Security Configuration and Analysis snap-in for the Microsoft Management Console (MMC)

  • The Center for Internet Security's tools and benchmarks for tuning your host's configuration to industry best practices (http://www.cisecurity.org)

  • Titan Security Toolkit, for Solaris, Linux, and FreeBSD (http://www.fish.com/titan)

  • Bastille Hardening System, for Linux, HP-UX, and Mac OS X (http://www.bastille-linux.org)

  • Solaris Security Toolkit (JASS), for Solaris (http://wwws.sun.com/software/security/jass)

If a hardening toolkit does not meet your needs, you can replace or augment it with a collection of your own scripts that perform the steps you would need to take if locking down the host's configuration by hand.
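
A script of your own can begin by comparing the host against its documented package baseline, which also produces the written record recommended earlier for post-install removal. The shell script below is an added example, not taken from this book or from any of the toolkits listed above; the baseline file format, the function names, and the sample package lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report drift between a host and its documented package baseline.
# File formats and function names are assumptions made for this sketch.
# The installed list can come from any package manager, one name per line,
# e.g. `rpm -qa --qf '%{NAME}\n'` or `dpkg-query -W -f='${Package}\n'`.

# only_in_second A B: names listed in B but not in A ('#' comments, blank
# lines and surrounding whitespace are ignored in both files).
only_in_second() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        FILENAME == ARGV[1] { listed[$0] = 1; next }
        !($0 in listed) && !seen[$0]++ { print }
    ' "$1" "$2" | LC_ALL=C sort
}

extra_packages()   { only_in_second "$1" "$2"; }  # installed, not approved
missing_packages() { only_in_second "$2" "$1"; }  # approved, not installed

# audit_report BASELINE INSTALLED: print a dated record for the build log.
# Returns 0 only when the host matches the baseline exactly.
audit_report() {
    extra=$(extra_packages "$1" "$2")
    missing=$(missing_packages "$1" "$2")
    echo "# baseline audit $(date -u +%Y-%m-%dT%H:%M:%SZ) host=$(uname -n)"
    if [ -n "$extra" ]; then printf '%s\n' "$extra" | sed 's/^/REMOVE  /'; fi
    if [ -n "$missing" ]; then printf '%s\n' "$missing" | sed 's/^/MISSING /'; fi
    [ -z "$extra" ] && [ -z "$missing" ]
}

# Constructed sample data (not taken from a real host).
write_samples() {
    cat > "$1/baseline.txt" <<'EOF'
# approved packages, one per line
openssh-server   # remote administration
rsyslog
chrony
EOF
    cat > "$1/installed.txt" <<'EOF'
openssh-server
rsyslog
telnetd
rsh-server
EOF
}

if [ "$#" -eq 2 ]; then audit_report "$1" "$2"; fi
```

The script only reports; reviewing the REMOVE lines before acting on them keeps the removal step deliberate, and the saved report documents what the build changed.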

Common Security Vulnerabilities

The SANS Top 20 Vulnerabilities list (http://www.sans.org/top20) provides a concise and authoritative summary of the most commonly exploited vulnerabilities. The purpose of creating this list was to help administrators start securing their hosts against the most common threats, without feeling overwhelmed by the task. We recommend that you review this list to verify that your hardening procedures account for the top 20 weaknesses and that your hosts' configurations do not match this "most wanted" list. Understanding the vulnerabilities in the system's configuration goes a long way toward helping to arm your hosts against them.

Hardening Checklists

Many great resources on the Internet contain detailed information on hardening various operating systems. For example, numerous software vendors provide security guidelines or step-by-step instructions on their websites. A general resource with many papers related to operating system, network, and application security is the SANS Reading Room, located at http://www.sans.org/rr.

You can also find the following free OS hardening documents, helpful in defining procedures for securing your own hosts:

  • The National Security Agency (NSA) publishes well-researched security configuration guides for a variety of operating systems, applications, and network devices (http://www.nsa.gov/snac).

  • The Center for Internet Security offers several checklists and benchmarking tools to rate the security of Windows and UNIX hosts (http://www.cisecurity.org).

  • Microsoft offers a number of checklists and guides for hardening Windows-based systems (http://www.microsoft.com/technet/security/topics/hardsys).

  • Sun provides a variety of guidelines for securing Solaris and Linux-based environments (http://wwws.sun.com/software/security/blueprints).

  • The SANS Institute publishes several step-by-step guides for hardening Windows and UNIX-based hosts (http://store.sans.org).



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    EAN: 2147483647
    Year: 2005
    Pages: 230
