For those of you that have gone through the Cyber Essentials scheme, like us, you will know that Secure Configuration is one of the five key controls spoken about by the UK Government in the guidelines.
Configuring systems securely at the point of being developed will ensure that vulnerabilities are kept to a minimum, however as we know, securing these systems is an ongoing process which must be addressed, via patching amongst other means, on a regular basis as new vulnerabilities are uncovered.
Many system vulnerabilities can be easily identified using bog standard, run of the mill scanning tools, and we all know how quickly a vulnerability, once discovered by hackers, can be exploited and what the end result can be.
Last year, the WannaCry cyberattack, caused havoc worldwide. This attack came about through a vulnerability in Microsoft’s implementation of the SMB (Server Message Block) protocol. This vulnerability was first uncovered by the National Security Agency (NSA) using an exploit dubbed EternalBlue. This exploit was then somehow acquired by the ShadowBrokers hacker group, who then leaked the exploit which in turn led to the WannaCry cyberattack.
Once the NSA made Microsoft aware that EternalBlue had been stolen they released an emergency patch for all supported versions of Windows at that time, however, this didn’t stop WannaCry infecting older versions of Windows or machines that hadn’t had the patch rolled out. This goes to show how important it is to regularly review and update system security.
Typically, we see several key elements to secure configuration. These are:
- Least Privilege
- Standard Baseline Configuration
- Locking down of Host Systems
- Locking down of OS
Least privilege is the process by which a company ensures that only users who need access to certain systems and information to do their day-to-day jobs have it. Least privilege should be applied to Hardware (Servers, Workstations, Laptops and Tablets), Software Applications, Network Protocols, All security solutions including security features within all hardware (switches and routers), and ALL data.
Considerations should be made to the Account Management process, including account creation, through-life and revocation. Revocation is when a user no longer needs an account, for example when they leave an organisation or alternatively change roles. Throughout their time with the organisation, all users should be made aware of the company’s acceptable account usage policy and their responsibilities when it comes to adhering to this.
Limiting the number of users given privileged access to systems will also help to greatly reduce the attack surface and can significantly limit the damage that can be caused should an attack occur.This coupled with additional password security or possibly two-factor authentication for privileged accounts will further secure your systems.
We highly recommend that a secure standard baseline configuration is designed, understood and rolled out across the organisation. This ensures that there is a minimum level of security in place across all IT and network systems. Once in place, additional security controls can then be built on top where and when required.
As we’ve spoken about previously in this blog and in earlier ones, we can’t stress enough how important it is to regularly monitor and review how you’re addressing security and the same can be said when developing your baseline configuration strategy. This is to ensure that no changes are being made to the configuration of client or server systems.
All Client systems should be booted to a secure state and there should be no possibility of this being altered.
A vulnerability assessment should be conducted on a regular basis to ensure that all security controls across the network have been fully rolled out and are working well.
Host System Lockdown
Host system lockdown also known as system hardening is the process of securing a system by reducing the potential attack surface.
There is a certain amount of generic advice we can give on this subject, however for more specific advice on system hardening it would be best to consult the specific manufacturer’s guidance for additional information. Determining what is an appropriate policy for your organisation will require detailed research.
Any server can be hardened; however, if you need to prioritise some servers over others, some are more important to address such as File Sharing Servers, Email Servers and Web Servers.
The first step to hardening the server is to review what services (DNS, HTTP, POP3 etc) are running and turn off those that aren’t needed. You should then complete a port scan to determine which ports are being communicated with closing down those with no response and again those that aren’t needed.
Any programs, services or drivers that aren’t required or weren’t loaded by default by the server should be removed.
The server and all associated services should be regularly patched.
Default accounts on the server should have their passwords changed and these passwords should follow the guidance set out in the organisation’s password policy.
Additional work can be undertaken on the various default accounts. Disabling the guest account, renaming the default administrator accounts and again ensuring all accounts have passwords that again meet the organisation’s password policy should be considered.
Organisations can also remove access to a number of features, including;
- Communication Ports (USB, TCP/IP)
- Removable Media (CD or DVD Drives)
- Network Communication Interfaces (Infrared, Wireless, Bluetooth)
During the hardening process, you can perform a vulnerability assessment of the server and patch any vulnerabilities identified. Once patched run another scan to confirm that all vulnerabilities have been addressed.
Once you’re happy with the additional security measures you should test the hardware to ensure that all services are still operational.
Similarly, to that of Host System Lockdown, how you go about this depends on the OS and the application to be used. It is therefore imperative that you consult the vendor-specific guidance on OS hardening as well as the following.
If the OS in question is running on a server then there is a good chance that the OS has already been hardened during the host lockdown. That being said, the OS on an end user device must also be secured.
The device OS should be configured to ONLY run the services that are required for which it was deployed and all activity including errors and warnings should be logged.
Similarly to that of Host System Lockdown, strong passwords should be enforced and all unnecessary accounts disabled or removed. It’s important when managing this process that staff turnover is monitored so when employees leave the company their accounts can be disabled.
File permissions should be implemented, and the use of Access Control Lists should be used to control access to files.
It goes without saying that all patches and fixes should be regularly reviewed and applied to all device OS’.
As you can see there are many steps you can take to secure your network before looking to procure additional security controls. Whilst we don’t suggest for one second that secure configuration is the only way to go, it is at least a good starting point.