The process of server hardening is complex and unique in its structure and demands, therefore requires the active participation of the teams’ management.
The hardening project can be divided into three stages:
- Setting a policy
- Implementing the policy
- Monitoring the policy and maintaining compliance
Setting a policy
Your hardening policy will determine how your servers will be configured according to their role, version, and environment. Management involvement is needed in order to address the following issues:
A) Managing the key players in this stage - Security & IT teams
Security and IT teams often maintain conflicting agendas. The policy can rely on best practices, such as the CIS Benchmarks, but the final policy will eventually be agreed upon following discussions between the two sides.
B) Finding the balance between security and functionality
Hardening requires a balance between security and functionality. The policy must consider both the security team’s requirements, but also the IT team’s ability to implement it using currently allocated time and manpower levels.
Management should take responsibility for deciding which challenges must be met and which aren’t worth the time and operational costs.
C) Deciding the right policy granularity
Every IT infrastructure contains multiple servers, each with different roles and versions, in several types of environments. Each one of them requires its own security policy. This can cause confusion. The process must be managed correctly in order to make sure that each server in every environment is properly handled.
Implementing the policy
Once the policy is approved, it must be implemented in its approved version. This stage imposes a major technical challenge and can cause severe damage to the organization.
The only way to minimize the risk for production outages is to understand the potential impact of your policy on your production before enforcing it – Impact Analysis.
You have two options to choose from when implementing your policy:
Option 1: Policy implementation using GPO, configuration management tools, or manual methods.
You can divide this option into two stages:
Stage 1: Setting up a test environment and performing an impact analysis of the policy.
The policy must be tested on a dedicated test environment in order to understand its impact (impact analysis).
In an optimal impact analysis, you’ll need to perfectly simulate every type of environment that you have in production. After doing that, you’ll need to simulate every required policy and check its impact on the server’s functionality.
Stage 2: Implementing the policy on a production environment.
IT teams implement the policy on the production system, hoping that nothing breaks. Since a highly accurate impact analysis is difficult to achieve using only native tools, things often do break.
Option 2: Policy implementation using a hardening automation tool:
You can divide this option into three stages:
Stage 1: Learning your production environment’s structure and dependencies.
Hardening automation tools will learn the servers’ activity in your production environment and perform the impact analysis directly on them. This eliminates the need to set up test environments and do the impact analysis manually, and you’ll get the most accurate impact analysis possible.
Stage 2: Automatically producing a full impact analysis report.
This will allow you to make an informed decision regarding cases in which a configured value in your policy may break a server.
Stage 3: Enforcing the policy from a central point of management.
This will allow you to minimize the number of users authorized to make changes in your infrastructure, thus improving your security posture.
Monitoring the policy and maintaining compliance
Ongoing monitoring and maintenance are required as the production environment constantly changes and new vulnerabilities are discovered.
You have two options to choose from:
Option 1: Monitoring the policy manually or by using scanning tools.
You’ll need to implement structured procedures for:
- Annual Policy Update: Annual updates are required due to new vulnerabilities and changes in the IT infrastructure.
- Change management: There should be a formal process when hardening actions are being performed.
- Compliance checks: Any change in compliance can indicate new exposures to vulnerabilities or attacks that are currently taking place in your organization.
- Knowledge management: Conserving information about what and where changes were made is crucial. If you don't do it, all relevant knowledge will be possessed by the IT staff member who is responsible for this matter. This can be a huge problem once that staff member leaves the organization.
Option 2: Policy monitoring and compliance maintenance using Hardening Automation Tools.
By choosing this option, you'll receive the following:
- Continuous monitoring: Your Hardening Automation Tool will present your current compliance posture at any time, eliminating the need for scanners.
- Configuration drifts prevention: You’ll be notified regarding unauthorized changes, helping you to detect attacks and prevent unintended changes that will expose your organization to vulnerabilities.
- Remediation: Undesired changes will be addressed by re-enforcing your policy, providing continuous remediation of issues in your production environment.
How to plan and manage a successful hardening project
The key for a successful hardening project is to understand the challenge, generate a plan tailored to your unique organizational needs, and choosing the right techniques and tools for execution.
Your main dilemma, as we presented in this article, is how deep are you going to go with automation, and this is really a matter of ROI.
From a perspective of 20 years of hardening and dozens of hardening projects, we suggest looking at the number of your machines as an indication of the level of automation required. Our experience shows that organizations with over 200-300 machines in their infrastructure achieve a good ROI from using hardening automation tools and automating the entire hardening process.
You can continue your reading in this eBook: “How to Plan and Manage a Hardening Project.”