Physical protection brings to mind video cameras, combination locks, and motion detectors, all designed to prevent intruders from breaching a facility. Likewise, IT and cybersecurity professionals rely on system hardening to reduce the number of “unlocked” doors that malicious actors can exploit. The Center for Internet Security (CIS) seeks to make the hardening process understandable and encourage its use throughout multiple industries.
The CIS leads the way in developing international hardening standards and publishes CIS hardening guidelines that provide insight into improving your cybersecurity controls.
Accessibility, clarity, and inclusivity underpin the CIS's system hardening efforts. Because it produces easily understandable and accessible cybersecurity best practices, tools, and threat information, the CIS's impact spans the globe. Additionally, unlike some standards that target only government organizations, CIS standards support both public and private entities. By fostering a global community of IT professionals, the CIS gains a wealth of knowledge and feedback for developing new recommendations and benchmarks.
Why You Should Care about Hardening
As mentioned above, hardening is like removing unnecessary doors from a house: the more doors you have, the greater the risk of unauthorized entry. The same goes for computer systems and system/server images. Unsecured ports, redundant programs, multiple root accounts, unmonitored guest access, and unused services all increase security risk. By removing them, companies secure their "doors" and reduce risk. Furthermore, many existing compliance standards, including HIPAA, PCI DSS, SRG, and NIST, recognize CIS recommendations as the standard for hardening systems and hardware.
The CIS has developed different benchmarks for specific systems, such as Microsoft products. The standards cover two levels of configuration:
Level one concentrates on reducing the attack surface.
Level two focuses on defense in depth.
Through these configuration changes, entities harden their hardware, systems, networks, and servers. Benchmarks exist for the following categories:
- Desktop/web browsers – for Chrome, Edge, Internet Explorer, Firefox, Safari
- Mobile devices – encompassing Apple and Android systems
- Network devices – covering device configuration
- Security metrics, servers/operating systems, and other platforms
- Virtualization platforms
- Cloud – Sharepoint server benchmarks and benchmarks for cloud providers like Amazon, Microsoft Azure, IBM, and Oracle
Version 7.1 of the CIS benchmarks divides 20 control categories into three sections: basic controls, foundational controls, and organizational controls. These controls enable private and public organizations to move systems from their default usability mode to more security-oriented settings. The controls approach security from many different angles, including software, people, and processes. The 20 controls are:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware/Software on Mobile Devices, Laptops, Workstations, Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
Critical CIS Controls for Small Businesses
The CIS benchmarks provide a broad outlook on security implementation rather than industry-specific standards. The breakdown of CIS controls into basic, foundational, and organizational categories helps smaller companies with fewer financial and human resources still achieve an acceptable level of cybersecurity. The basic category encompasses six controls deemed critical for every entity, which should be implemented as minimum safeguards.
The basic controls cover three main questions: What do you have? How are assets used or managed? And what is the scope?
What You Have
For what you have, CIS specifies conducting an asset inventory covering both hardware and software. Knowing what hardware and software you use and how it is secured (physically or logically) enables a company to close any "open doors" that could become future vulnerabilities.
Management and use cover everything from policies to plans to procedures. In particular, vulnerability management focuses on proactive security measures, incident handling procedures, and a clear timeline for reviewing processes or policies relating to vulnerability management. The management phase also targets user access, privileged access, and the tools used to enforce access limitations.
Lastly, the scope involves establishing a security boundary. It will likely look at mobile devices, laptops, workstations, servers, and facilities. Defining the scope will help companies identify any security aspects that are out of their control, such as if a vendor has the responsibility to secure a service. Scope typically changes as a company grows and expands to multiple locations or internationally. Thus, the CIS basic controls provide a stepping stone for increasing security measures organically as your company grows.
CIS Image Hardening
The CIS guidelines cover a variety of topics, including image hardening. An image is like a backup copy of a server or virtual machine that can be duplicated or cloned. This copy can then be used to set up another server or virtual machine instance. Images allow for quick scalability and let companies easily give employees the tools they need by applying a base image to a new device. However, images are not static and require upkeep. Understanding this, CIS provides pre-configured base images that already meet CIS benchmark controls. Using CIS base images gives companies a secure stepping stone for future image customization.
CIS Hardened Image Upkeep
Although the CIS provides base images for companies, experts still recommend following established best practices for implementing and maintaining those images.
Reviewing and tracking the imaging process helps IT departments recognize flaws or areas for improvement. For example, a review could reveal that a new version or update is available for a particular application. Questions to consider when tracking include:
- How old is the current image?
- Are the images secure?
- Are specific images redundant?
In addition to tracking how many images your company currently employs, each image should have its own maintenance/evolution tracker so that IT departments can follow any infrastructure maintenance applied to it.
Versioning and Tagging
A version stamp in the image URL designates the maintenance state of the application workload and ensures that users receive the newest image. Stamping the URL avoids confusion when rolling out new images. Tagging adds information such as when the image was updated and the type of build.
CIS Server Hardening
Server hardening falls under the basic control category. These controls include tracking, reporting, and correcting server configurations. Hardening your server limits the attack vectors and points of entry available to attackers. Automated configuration monitoring and configuration management tools can help prevent attacks such as WannaCry, a Server Message Block (SMB) worm. Below are steps to take when securing your servers. The three primary goals are to avoid disruptions, unauthorized access, and unauthorized use.
First Steps toward Hardening
Before beginning the hardening process, ensure transparent communication channels exist between the IT, compliance, and operations teams. Poor communication can result in implementation oversights. Furthermore, set up a lab environment to test the hardening safeguards and limit the organizational impact. Lastly, don't be hasty: while it is difficult to harden servers without causing some downtime, rushing the process leads to more errors.
Checklist for CIS Server Hardening
The 14 categories below, developed by the University of Texas at Austin and based on CIS recommendations, will assist entities in thoroughly hardening their servers. Some areas are more critical for entities working with confidential material. Although these categories deal with Windows servers, the general principles apply to any server. Each category can have multiple steps or subcategories depending on an entity's IT infrastructure.
Preparations and Installations – When installing a new machine, keep it off the corporate network until the IT team can properly harden the operating system.
Service Packs and Hot Fixes – Always enable automatic patch notifications. If a software provider does not supply automatic patches, check with the provider regularly to see whether any patches or service packs have been released.
User Account Policies – Develop a policy for user account access that includes password requirements, such as complexity and length, and avoid storing passwords with reversible encryption.
User Rights Assignment – Limit access to computers to authenticated users or administrators, and restrict administrators' local logon rights. Additionally, partition guest access from employee access by denying guests the ability to log on as a service, as a batch job, locally, or via RDP.
Security Settings – Companies should use a banner to alert anyone attempting to log on that they are accessing the company's system and must follow company authentication procedures. Users should not be permitted to create a Microsoft account and log in through it. If a user is inactive for an extended period, the session should terminate. Both network clients and servers should digitally sign communications. Ensure any passwords sent to an SMB server are encrypted.
Network Access Controls – Block anonymous activity, such as anonymous enumeration of Security Account Manager (SAM) accounts and shares, or anonymous access to pipes. Microsoft has a specific setting to "restrict anonymous access to Named Pipes and Shares." Named pipes in Windows provide controlled communication channels within a system or between systems.
Network Security Settings – Enabling firewalls, reviewing null session settings, and assessing LAN authentication mechanisms will strengthen network security. For example, firewalls should restrict remote access services (VNC, RDP, etc.) to authorized company networks only. Other considerations include whether local systems may use the computer's identity for Microsoft's NT LAN Manager (NTLM) authentication protocol.
Active Directory Domain Member Security Settings – Microsoft's Active Directory allows companies to establish security groups and limit access to specific groups. Member security settings should digitally encrypt or sign secure channel data, control the caching of previous logons, and require strong session keys.
Audit Policy Settings – Audit policies outline the restrictions on account and resource access. These rules serve as the baseline against which an audit scan compares activity, helping to identify policy violations. Microsoft recommends enabling the following audit policy settings to identify suspicious activity: account logon, account management, logon/logoff, policy change, and privilege use.
Event Log Settings – Configure the event log settings with specific methods and size limits. Determine how and where you want to send the event logs, such as for storage or review.
Linux Subsystem – If Linux subsystems are involved, in addition to Microsoft systems, harden those systems based on Linux hardening best practices.
Additional Security Protection – For security to remain effective, settings and permissions must be maintained. For example, disable old user accounts, remove unused services, implement the principle of least privilege, configure system file and registry permissions, and prevent remote access where a user's role does not require it.
Additional Steps – CIS also highly recommends implementing system date/time synchronization, anti-spyware software, and anti-virus software, and ensuring such tools are configured to update daily. The type of information handled should also influence the level of security controls implemented. For example, classified information or Controlled Unclassified Information will require stringent storage and transmission safeguards.
Physical Security – Review physical security measures to verify that systems cannot be shut down without proper authentication and that the boot order cannot be changed to allow an unsanctioned boot from alternative media. Likewise, make sure a complex password protects access to the BIOS/firmware setup to prevent unauthorized changes to system settings. Company policies and procedures should specify how systems lock after a set period to prevent unauthorized use.
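To show how the Security Settings, Network Access Controls, and Active Directory Domain Member items above map to concrete machine state, here is a read-only PowerShell audit written for this article (it is not code from CIS or from the University of Texas checklist). The registry paths and value names are the documented Windows locations for these policies; the expected values and descriptions are this example's assumptions modelled on the checklist wording, not authoritative CIS Benchmark values, which depend on the Windows version being hardened.

```powershell
# Added example (not CIS or UT Austin code): read-only audit of several checklist items via the registry.
# Expected values are assumptions modelled on the checklist wording, not authoritative CIS Benchmark values.
# Run in an elevated Windows PowerShell 5.1 / PowerShell 7 session; nothing is modified.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$nlg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$checks = @(
    # Security Settings: sign SMB traffic on both sides, never send plaintext passwords to SMB servers
    @{ Path=$srv; Name='RequireSecuritySignature'; Expected=1; Desc='SMB server: always sign communications' }
    @{ Path=$wks; Name='RequireSecuritySignature'; Expected=1; Desc='SMB client: always sign communications' }
    @{ Path=$wks; Name='EnablePlainTextPassword';  Expected=0; Desc='SMB client: no unencrypted passwords' }
    # Network Access Controls: anonymous enumeration of SAM accounts, named pipes and shares
    @{ Path=$lsa; Name='RestrictAnonymousSAM';     Expected=1; Desc='No anonymous enumeration of SAM accounts' }
    @{ Path=$lsa; Name='RestrictAnonymous';        Expected=1; Desc='No anonymous enumeration of SAM accounts and shares' }
    @{ Path=$srv; Name='RestrictNullSessAccess';   Expected=1; Desc='Restrict anonymous access to named pipes and shares' }
    # Security Settings: block Microsoft accounts for logon
    @{ Path=$pol; Name='NoConnectedUser';          Expected=3; Desc='Users cannot add or log on with Microsoft accounts' }
    # Active Directory domain member: always sign or seal secure channel data, require strong session keys
    @{ Path=$nlg; Name='RequireSignOrSeal';        Expected=1; Desc='Secure channel: always sign or encrypt' }
    @{ Path=$nlg; Name='RequireStrongKey';         Expected=1; Desc='Secure channel: require strong session key' }
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    # A missing value means the (usually weaker) built-in default applies, so it is not a PASS
    if ($null -eq $item) { return [pscustomobject]@{ Status='MISSING'; Actual=$null } }
    $actual = $item.$Name
    [pscustomobject]@{ Status=$(if ($actual -eq $Expected) {'PASS'} else {'FAIL'}); Actual=$actual }
}

$results = @(foreach ($c in $checks) {
    $r = Test-RegistryValue -Path $c.Path -Name $c.Name -Expected $c.Expected
    [pscustomobject]@{ Status=$r.Status; Setting=$c.Desc; Expected=$c.Expected; Actual=$r.Actual }
})
# Logon banner: PASS when any LegalNoticeText is set; the wording itself is a company policy decision
$banner = (Get-ItemProperty -Path $pol -Name LegalNoticeText -ErrorAction SilentlyContinue).LegalNoticeText
$results += [pscustomobject]@{ Status=$(if ($banner) {'PASS'} else {'FAIL'}); Setting='Logon banner configured'; Expected='non-empty'; Actual=$banner }

$results | Format-Table -AutoSize
$needsWork = @($results | Where-Object { $_.Status -ne 'PASS' }).Count
"$needsWork of $($results.Count) checks need attention"
```

Running this in the lab environment recommended earlier, before and after applying a benchmark, gives a quick picture of which of these "doors" are still open; on a domain-joined machine, remember that Group Policy can overwrite local changes at the next refresh.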
CIS benchmarks offer numerous benefits, both for companies unfamiliar with the concept of hardening and for those well-versed in the practice. The cross-compatibility of the CIS benchmarks with other standards, such as FISMA, HIPAA, and NIST's Cybersecurity Framework, makes them ideal for new and well-established businesses alike. Additionally, the global recognition of the CIS controls promotes international business and a shared understanding of cybersecurity. If you need assistance selecting CIS benchmarks for your company or simply want to learn more about CIS hardening guidelines, contact RSI Security today.