SANS ISC: Critical Control 3 - Secure Configurations for Hardware and Software on Laptops, Workstations and Servers - SANS Internet Storm Center

http://www.sans.org/critical-security-controls/control.php?id=3

Like the two prior controls, this is all about gaining control of your network. Controls 1 and 2 identify all the hardware and software you own. With Control 3, we now start configuring that software (and hardware) securely.

In my opinion, there are really two problems you have to solve here:

- establish a baseline configuration

There are a number of well-respected organizations that publish standard configurations: for example, the Center for Internet Security, the NSA and DISA hardening guides and, of course, the guides provided by vendors like Apple and Microsoft. In most cases, these configuration guides will serve as a starting point, and you will have to adjust them to your local preferences and needs. Usually you will need a couple of different configuration templates for different roles. A laptop traveling with a salesperson from customer to customer needs to be configured differently than a server or a desktop in the IT department.

Once you have decided on a benchmark and customized it, you can build standard images used to provision new machines. If you are a large enough customer, you may be able to convince your vendor to deliver systems already preconfigured to your specifications. If you decide to go this route, you still need to verify that the vendor followed your guidelines.

Hardened configurations are known to cause problems with patching and some advanced software features. The closer you stick to one of the well established guidelines, the more likely you are going to find help in working around these problems.

- maintain the baseline configuration

Nothing is static, in particular in IT. Configurations will change, patches need to be applied, and new threats will require you to reconsider some of the choices you made when originally setting your default system configuration. However, all changes made to systems need to be carefully controlled and applied consistently. Configuration management tools will help get this job done. The configuration needs to be monitored continuously with tools like AIDE or Tripwire to identify unauthorized changes quickly.
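The baseline-and-monitor loop described under the second bullet, as an added example that is not from the diary or from AIDE/Tripwire themselves: a minimal file-integrity check that snapshots the content hash, mode and ownership of a watch list, then reports which files were added, removed or changed, and which attribute drifted. The watch list is a hypothetical one and the scratch tree in `demo()` is constructed for illustration, not the real `/etc`.

```python
import hashlib
import stat
from pathlib import Path

# Hypothetical watch list, relative to the filesystem root ("/" in production);
# the real list comes from the benchmark you adopted (CIS, DISA STIG, vendor guide).
DEFAULT_WATCH = ["etc/ssh/sshd_config", "etc/passwd", "etc/sudoers"]

def fingerprint(path: Path) -> dict:
    """Content hash plus the mode/ownership bits hardening guides care about."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(root: Path, relpaths) -> dict:
    """Snapshot every watched file under root; a missing file is recorded as None."""
    return {rel: (fingerprint(root / rel) if (root / rel).is_file() else None)
            for rel in relpaths}

def compare(baseline: dict, current: dict) -> dict:
    """Classify each watched path as added, removed, changed (with drifted keys) or unchanged."""
    report = {"added": [], "removed": [], "changed": [], "unchanged": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None and new is not None:
            report["added"].append(rel)
        elif old is not None and new is None:
            report["removed"].append(rel)
        elif old != new:
            report["changed"].append((rel, [k for k in old if old[k] != new[k]]))
        else:
            report["unchanged"].append(rel)
    return report

def demo() -> dict:
    """Constructed scratch tree (not the real /etc): snapshot, introduce drift, then diff."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "etc" / "ssh").mkdir(parents=True)
    (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\n")
    (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    baseline = build_baseline(root, DEFAULT_WATCH)            # sudoers absent on purpose
    (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")  # content drift
    (root / "etc/passwd").chmod(0o640)                         # permission drift, same content
    (root / "etc/sudoers").write_text("Defaults env_reset\n")  # file appears after baseline
    return compare(baseline, build_baseline(root, DEFAULT_WATCH))

if __name__ == "__main__":
    print(demo())
```

In production you would store the baseline off-host (or signed) and run the comparison on a schedule, since a baseline the attacker can rewrite detects nothing.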


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Not only can hardening cause problems with patching, patching can cause problems with hardening. Make hardening checks part of patch testing. Use the same monitoring tools in your test environment.

There have been errors in some of the published guides. Use standard troubleshooting methods to identify causes of issues.
Anonymous
