itsmevic
Linux and Windows: How to Harden These Systems
Hey Experts, wondering if I could get general information on hardening of the following systems: Linux Server/Desktop and Windows Server/Desktop
What steps would you take to harden both those systems types?
For example on a Windows Server you might do the following: (please expand on this)
1.) Limit the ports used
2.) Limit non-essential services
3.) Ensure AV .dat files are up-to-date
4.) If using NAC, can the system be segmented on its own VLAN to contain (or stop the bleeding)
5.) Disable local Admin access
6.) Configure Dynamic Access Control that allows a user (or users), upon proper vetting, a certain time-frame where they have elevated permissions
7.) Install HIDS
8.) " "
9.) " "
10.) " "
Thank you kindly in advance!
ASKER
Thanks, all.
Run as few services as possible; if they are needed on the local system only, just allow them to listen on address 127.0.0.1 or ::1.
2.) Limit non-essential services
See 1:
3.) Ensure AV .dat files are up-to-date
Ensure clamav (freshclam service) is running, or the equivalent if other servers are used.
Allow freshclam to reach a configured distribution point and make sure that it is up to date.
4.) If using NAC, can the system be segmented on its own VLAN to contain (or stop the bleeding)
NAC?
5.) Disable local Admin access
Assign a random unknown password to root; only allow specific users to run admin commands using sudo (the role model for runas on Windows).
6.) Configure Dynamic Access Control that allows a user (or users), upon proper vetting, a certain time-frame where they have elevated permissions
See 5: use sudo.
7.) Install HIDS
Several choices here
8.) " "
?
9.) " "
?
10.) " "
?
Summary:
MAKE & TEST backups, verify restore procedures.
Install what is needed, not more (this includes graphics shells).
Avoid graphical management systems for servers; you will need some specific tools that run from scripts or the command line, so the increased attack surface isn't needed.
Make all access identifiable (no root login, no admin login, use unprivileged logins & sudo to define elevated privilege actions).
Firewall rules that only allow specific traffic and block all else (as opposed to blocking specific ports).
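One way to check the first point of the answer above (services needed locally should listen only on 127.0.0.1 or ::1, and only a deliberately chosen set of ports should be exposed) is to audit the host's listening sockets. This is an added example, not code from the thread: it parses `ss -H -tuln` output, the sample below is constructed, and `ALLOWED_PUBLIC_PORTS` is an assumed allowlist you would replace with the ports your server is meant to serve.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
# Columns: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS = """\
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128             [::1]:6379          [::]:*
tcp   LISTEN 0      4096             [::]:9200          [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
"""

# Assumed allowlist: ports this server is meant to expose to the network.
# Anything else should be bound to loopback only.
ALLOWED_PUBLIC_PORTS = {22, 80, 443}


def split_addr(local):
    """'[::]:9200' -> ('::', 9200); '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop brackets and %scope suffix
    return host, int(port)


def is_loopback(host):
    return ipaddress.ip_address(host).is_loopback


def audit_listeners(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """Return (proto, host, port) for every socket reachable from the network
    whose port is not on the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, port = split_addr(local)
        if not is_loopback(host) and port not in allowed:
            findings.append((proto, host, port))
    return findings


def audit_live_host():
    """Run the same check against the current machine (Linux with iproute2)."""
    out = subprocess.run(["ss", "-H", "-tuln"], capture_output=True,
                         text=True, check=True).stdout
    return audit_listeners(out)


if __name__ == "__main__":
    for proto, host, port in audit_listeners(SAMPLE_SS):
        print(f"exposed {proto} listener on {host}:{port} not in allowlist")
```

On the sample, only the service on `[::]:9200` is flagged; the loopback-bound database, cache and stub resolver pass, as do the allowlisted SSH and HTTP ports.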