If you are responsible for defending networks and systems, you have many different tools at your disposal (unfortunately, so do the attackers). There are many products on the market, from firewalls to intrusion detection/prevention systems, that aim to protect your valuable resources. There are also many host-based products, such as host-based intrusion prevention systems and anti-virus software, which live directly on the host and protect your systems from harm. Don’t get me wrong, I believe that all of these defensive measures are fantastic and you must use them in a layered approach to secure your networks and systems.
However, the one defensive layer that cannot be overlooked is system hardening (this was all we had before all the fancy defensive tools came along). This means going through your settings, permissions, and other configuration parameters, without third-party tools, to ensure that the system itself is secure. I believe this is something that, from a defensive perspective, some have overlooked or forgotten about completely. This is why I am excited to be working on the Bandolier project, which was created to develop Nessus audit files to help harden control system application components (see Jason Holcomb’s postings for more information).
To start, I’ve been going through some of the various system hardening standards and guidelines, trying to find which ones work best. I’ve found several great resources in this area that I want to share, including:
- The NIST Special Publications (800 Series), specifically 800-53 and 800-68
- The Center For Internet Security (CIS) maintains best practice security standards for all major platforms. I’ve been working with the Windows Server 2003 template, and really find it useful.
- DISA (Defense Information Systems Agency) produces some of the best, and most restrictive, system hardening guidelines. For example, I really like their Windows 2003 Security Checklist Version 6, Release 1.8 and frequently use it as a starting point (similar to creating firewall rules, I like to start with a “Deny All” policy).
The nice part is that the commercial version of Nessus gives you access to audit files that can test your systems against all of the above standards. A great example of how the audit files actually work, and one that tests for a flaw I am particularly fond of exploiting, is the Tenable blog posting on Auditing Windows 2003 Servers for Disabled USB Drives and AutoRun CD-ROM.
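To show what such an audit actually checks, here is an added example that is not part of the original post or of Tenable’s audit files: a small Python checker that parses a `reg export` snapshot of a Windows server and evaluates the two settings behind the USB-drive and AutoRun check. The registry paths and expected values (USBSTOR `Start` = 4, `NoDriveTypeAutoRun` = 0xFF) are well-known Windows settings supplied by me, not quoted from the post, and the registry export is a constructed sample.

```python
import re

# Hardening checks in the spirit of the DISA/CIS Windows 2003 guidance cited
# above. Paths and expected values are well-known settings, not from the post:
# USBSTOR Start=4 disables the USB storage driver, and NoDriveTypeAutoRun=0xFF
# disables AutoRun on every drive type.
CHECKS = [
    ("USB storage driver disabled",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR", "Start", 4),
    ("AutoRun disabled for all drive types",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun", 0xFF),
]

# Constructed sample of what `reg export` writes (real exports are UTF-16 text
# files; decode them before passing the text in).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

def parse_reg_export(text):
    """Return {key_path (lower-cased): {value_name: int}} for DWORD values."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry paths are case-insensitive
            values.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                values[current][m.group(1)] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """Evaluate every check; a missing value counts as a failure (deny-all stance)."""
    snapshot = parse_reg_export(reg_text)
    results = []
    for description, key, name, expected in CHECKS:
        actual = snapshot.get(key.lower(), {}).get(name)
        results.append((description, actual == expected, actual, expected))
    return results

if __name__ == "__main__":
    for description, passed, actual, expected in audit(SAMPLE_REG_EXPORT):
        print(f"[{'PASS' if passed else 'FAIL'}] {description}: found {actual}, expected {expected}")
```

On the constructed sample the USB check fails (`Start` is 3, the on-demand default) while the AutoRun check passes, which is exactly the kind of finding the Nessus audit file reports.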