Hardening seems to be new to many organizations, but it is a basic building block of any information security program. It means building secure default configurations for all devices from the outset. This is the systems equivalent of the 'deny all' rule of firewalls: only the functions strictly required for business operations are allowed. It includes disabling (or removing) all vendor default settings and accounts (2.1) and, in addition for wireless networks, changing network passwords, keys and SNMP community strings (2.1.1). SNMP, the Simple Network Management Protocol, is a protocol that can return the configuration and status of network devices. Obviously, this is more dangerous in a wireless environment, where an attacker does not need to be physically present.
The way to ensure that all of these default settings are changed is to develop secure configuration standards (2.2) for all types of devices. Industry-accepted standards have been developed by a number of organizations, including but not limited to:
- Center for Internet Security (CIS)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards and Technology (NIST)
- International Organization for Standardization (ISO) (ISO is less useful for hardening in my opinion)
Because complexity is the enemy of security, each system should have only one primary function (web server, middleware, database, etc.).
The standard an organization builds should be based on a trusted industry-accepted standard (such as the ones just presented), or at least validated against one. For many of my smaller clients, I've recommended that they pick one of those source organizations, adopt its standard as-is, and document any differences from the external standard together with the reasons that justify each deviation. That simplifies the maintenance of the standards over time. The hardening standards should be reviewed at least annually, and changes should be applied retroactively to all systems currently in production.
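The two ideas above, a baseline derived from an industry standard (2.1, 2.2) and a record of documented deviations from it, can be turned into a repeatable audit. The script below is an added example written for this page, not code from the original text or from any of the standards bodies listed; the baseline rules, the device configuration and the deviation record are all constructed for illustration, and the rule identifiers and hostnames are placeholders rather than anything taken from a real benchmark.

```python
"""Audit a device's configuration against a hardening baseline.

Added example (constructed): the baseline rules, sample configuration and
deviation register are illustrative and not taken from any vendor or benchmark.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: str               # regex tested line by line against the config
    must_match: bool = False   # False: a matching line is a finding
                               # True: the absence of a match is a finding


# Hypothetical baseline, modelled on the kind of checks a benchmark expresses.
BASELINE = [
    Rule("2.1-snmp-default", "Default SNMP community strings must be changed",
         r"^snmp-server community (public|private)\b"),
    Rule("2.1-default-password", "Vendor default credentials must be changed",
         r"^enable password (cisco|admin|password)$"),
    Rule("2.2-single-function", "Services not needed for the device's function must be disabled",
         r"^ip http server$"),
    Rule("2.2-password-encryption", "Stored passwords must not be kept in cleartext",
         r"^service password-encryption$", must_match=True),
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule_id: str
    evidence: str
    status: str            # "fail" or "accepted-deviation"
    justification: str = ""


def audit_config(host, config_text, baseline=BASELINE, deviations=()):
    """Return findings for one device.

    deviations is an iterable of (host, rule_id, justification) triples: the
    organization's documented, justified departures from the standard. A
    finding covered by a documented deviation is reported but not counted as
    a failure, which is exactly the record the text recommends keeping.
    """
    documented = {(d_host, d_rule): why for d_host, d_rule, why in deviations}
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for rule in baseline:
        rx = re.compile(rule.pattern)
        matches = [ln for ln in lines if rx.search(ln)]
        if rule.must_match:
            evidence = [] if matches else [f"no line matching /{rule.pattern}/"]
        else:
            evidence = matches
        for ev in evidence:
            why = documented.get((host, rule.rule_id))
            status = "accepted-deviation" if why else "fail"
            findings.append(Finding(host, rule.rule_id, ev, status, why or ""))
    return findings


def summarize(findings):
    """Count failures versus accepted (documented) deviations."""
    return {
        "fail": sum(f.status == "fail" for f in findings),
        "accepted-deviation": sum(f.status == "accepted-deviation" for f in findings),
    }


# Constructed sample: a wireless access point still carrying vendor defaults.
SAMPLE_CONFIG = """
hostname wap-lobby-01
snmp-server community public RO
snmp-server community s3cr3t-mgmt RW
enable password cisco
ip http server
"""

# Constructed deviation register; the ticket number is a placeholder.
DEVIATIONS = [
    ("wap-lobby-01", "2.2-single-function",
     "Ticket CHG-PLACEHOLDER: vendor management tool requires HTTP; restricted by ACL"),
]

if __name__ == "__main__":
    results = audit_config("wap-lobby-01", SAMPLE_CONFIG, deviations=DEVIATIONS)
    for f in results:
        print(f"{f.status:18} {f.rule_id:24} {f.evidence}")
    print(summarize(results))
```

Running the script against the sample reports three failures (the default SNMP community string, the default enable password, and the missing `service password-encryption` line) and one accepted deviation for the HTTP server, with its justification attached. Because the baseline is a plain list of rules, the annual review the text calls for becomes a diff of that list, and re-running the audit against production configurations is how the "applied retroactively" requirement is verified.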
Finally, any non-console administrative access must be encrypted (2.3). By console we mean the physical console of a system, usually found in the data center, so non-console access is any administrative access that is not made physically at the machine. This type of access is generally done through protocols such as Remote Desktop (RDP), ICA or VNC.
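A simple way to check requirement 2.3 on a host is to inventory its listening administrative services and classify each by whether the protocol itself provides encryption. The following script is an added example for this page, not code from the original text; the port-to-service catalogue is a hypothetical mapping written for illustration, and the socket listing it parses is constructed in the style of `ss -tln` output rather than captured from a real system.

```python
"""Classify listening administrative services by transport encryption.

Added example (constructed): the port catalogue is a hypothetical mapping and
the sample socket listing is invented in the style of `ss -tln` output.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "addr port")

# Hypothetical catalogue of administrative services. "verify" marks protocols
# that can be encrypted but only when configured that way, so the listener
# alone does not prove compliance and the configuration must be inspected.
ADMIN_PORTS = {
    22:   ("ssh",    "encrypted"),
    23:   ("telnet", "cleartext"),
    80:   ("http",   "cleartext"),   # cleartext if used for administration
    443:  ("https",  "encrypted"),
    1494: ("ica",    "verify"),      # depends on the configured ICA encryption level
    3389: ("rdp",    "verify"),      # acceptable only when TLS/NLA is required
    5900: ("vnc",    "cleartext"),   # cleartext unless tunneled over SSH or TLS
}

# Matches lines of the form: LISTEN <recv-q> <send-q> <local-addr>:<port> <peer>
LISTEN_RX = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(ss_output):
    """Extract (address, port) pairs for every LISTEN line in an ss-style listing."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RX.match(line.strip())
        if m:
            listeners.append(Listener(m.group("addr"), int(m.group("port"))))
    return listeners


def classify(listeners):
    """Return {port: (service, status)}; ports outside the catalogue are 'unclassified'."""
    result = {}
    for lst in listeners:
        service, status = ADMIN_PORTS.get(lst.port, ("unknown", "unclassified"))
        result[lst.port] = (service, status)
    return result


def cleartext_admin_ports(ss_output):
    """Ports that fail 2.3 outright: administrative access with no encryption."""
    classified = classify(parse_listeners(ss_output))
    return sorted(p for p, (_, status) in classified.items() if status == "cleartext")


def ports_needing_verification(ss_output):
    """Ports whose protocol may be encrypted but only if configured to be."""
    classified = classify(parse_listeners(ss_output))
    return sorted(p for p, (_, status) in classified.items() if status == "verify")


# Constructed sample listing, in the style of `ss -tln` (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900      0.0.0.0:*
LISTEN 0      128    [::]:443          [::]:*
LISTEN 0      128    0.0.0.0:3389      0.0.0.0:*
LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
"""

if __name__ == "__main__":
    for port, (service, status) in sorted(classify(parse_listeners(SAMPLE_SS)).items()):
        print(f"{port:5} {service:8} {status}")
    print("cleartext admin access:", cleartext_admin_ports(SAMPLE_SS))
    print("verify configuration:  ", ports_needing_verification(SAMPLE_SS))
```

On the sample listing the script flags telnet (23) and VNC (5900) as cleartext administrative access, marks RDP (3389) as needing a configuration check, and leaves SSH and HTTPS as encrypted. The "verify" category is the important caveat for the protocols named in the text: RDP and ICA can be encrypted, but an open port does not by itself show that the encrypted mode is enforced, so the evidence for 2.3 has to come from the service configuration, not the port scan.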
- Section 3.7.2 of Volume 3