The Complete

System Hardening
Cheat Sheet
If you haven’t yet established an organizational system
hardening routine, now is a good time to get started on it!

Your organization should verify its information system

vulnerabilities on a periodic basis using vulnerability
analyses and penetration testing, and should implement
appropriate hardening techniques. This will help to improve
the performance and security posture of your information
systems.

4 reasons why system

hardening should be at
a top priority:
1. Misconfigured assets are responsible for over 40% of
infrastructure vulnerabilities.

2. Over 30% of internal-facing vulnerabilities can be mitigated

by hardening actions.

3. Establishing secure configurations will protect you

from the widest array of attack vectors (145 techniques)
comparing to other safeguards.*
4. CIS benchmark implementation is mandatory in most
industry and governmental regulations, and is an integral
component in information security frameworks.

*According to a report published by @MITRE ATT&CK

Important
Never attempt to establish or test hardening procedures on production systems without a field-proven hardening impact analysis
tool. Without such a tool, you will be forced to perform long hours of testing, or increase the risk of production downtime.

Hardening is relevant at almost every layer in your network. The following sections offer guidelines for hardening components
from the following layers:

Servers Applications Databases Operating Systems

Server Hardening Guidelines
Implement a "least functionality" approach, in which
only functions that are essential to the server’s role
are authorized. For example: Do not install the IIS
server on a domain controller.
Install the appropriate post-Service-Pack security
hotfixes.
Avoid installing applications on the server unless they
are absolutely necessary to the server’s function. For
example, don’t install e-mail clients, office productivity
tools, or utilities that are not strictly required for the
server to do its job.
Use two different network interfaces in the server -
one for the network and the other for administrative
traffic.
Create a secure remote administration connection
for the server.
Harden the operating system and application layers
(see below).
Consider using the server's built-in firewall facilities.
For Windows - the Windows firewall, for Linux –
Iptables and AppArmor.
Avoid the use of insecure protocols for processing
requests, especially those that send information
(such as passwords) in plain text.
Keep backups of all your data and files.
Secure separate partitions.
When hosting multiple applications, make sure that
each application has its own dedicated accounts that
are separate from the other applications.
Never provide write access to web content directories.
Remove administrative shares if not needed.
Closely monitor failed login attempts. Lock accounts
after a specified number of failures.
Rename the guest account even if it has been disabled.
Continue your reading
Hardening Tools How to Secure Remote
101 Desktop - The Complete Guide
Enable account lockout on the local administrator
account.
Rename the local administrator account to something
other than “Administrator”.
Enforce strong account and password policies for
the server.
Do not allow users and administrators to share
accounts.
Disable FTP, SMTP, NNTP, and Telnet services if they
are not required.
Install and configure URLScan.
Authentication methods should be put in place for
non-public sites and for sites that are only to be
accessed by internal users.
Web server logs should be reviewed routinely for
suspicious activity. Any attempts to access unusual
URLs on the web server typically indicate an attempt
to exploit problems in outdated or unpatched web
servers.
Domain Name Servers (DNS) translate the human-
friendly names for network destinations (such as a
website URL) to the IP addresses that are understood
by routers and other network devices. Steps should
be taken to ensure that DNS software is updated
regularly and that all access to servers is authenticated
to prevent unauthorized zone transfers.
Access to the server may be prevented by blocking
port 53 or restricted by limiting access to the DNS
server to one or more specified external systems.
Anonymous FTP accounts should be used with caution
and monitored regularly.
In the case of authenticated FTP, it is essential that
Secure FTP be used so that login and password
credentials are encrypted, rather than transmitted
in plain text.
Windows Passwords
Settings Guide
Application Hardening Guidelines

Apply vendor-provided patches in a timely manner
for all third-party applications.
For securing an IIS, the first step is to remove all
the sample files that are used when constructing
and testing web sites. These sample files cause
vulnerabilities, and should never be present on a
production web server.
Sample files and applications are stored in virtual and
physical directories. To remove IIS sample applications,
remove the virtual and physical directories in which
they are stored. For example, IIS samples are present in
the Virtual Directory of \IISS samples, and its location
is C:\Inetpub\IISsample.
The next step in securing IIS is to set up the appropriate
permissions for the web server’s files and directories,
using Access Control Lists (ACLs).
Avoid installing and do not run network device
firmware versions that are no longer available from
the manufacturer.
Closely monitor the security bulletins applicable to
applications and other software used.
Use cryptographic and checksum controls wherever
applicable.
Implement an Active Directory platform that allows
a single login to multiple applications, data sources,
and systems.
Implement advanced encryption and authentication
techniques that include public-key infrastructure (PKI)
methodologies and the Kerberos protocol.

Avoid the use of insecure protocols for processing

requests, especially those that send information
(such as passwords) in plain text.

Never install IIS unless the server is to be a dedicated

Web Server.

Install the SSL Architecture.

Install and configure a web application firewall (WAF).

Continue your reading

Automating IIS Hardening Hardening IIS IIS Hardening: 6 Configuration

with PowerShell Server Guide Changes to Harden IIS Web Server
Database Hardening Guidelines

Establish a TNS Listener Password (encrypted) to

prevent unauthorized administration of the Listener.

Enable Admin Restrictions to ensure that certain

commands cannot be called remotely.

Turn on TCP Valid Node Checking in order to allow

specific hosts to connect to the database server while
preventing access by others.

Switch off the XML Database if it is not in use.

Turn off External Procedures if not required.

Encrypt Network Traffic using the Oracle Net Manager

tool.

Lock and expire unused accounts.

Define user account naming standards.

Define and enforce a password policy.

Manage role-based access privileges controls.

Perform a periodic review and revoke any unnecessary

permissions.

Perform periodic database security audits.

Enable data protection that prevents users from

accessing sensitive tables.

Ensure use of PL/SQL coding standards.

Disable all the sessions (anonymous logons).

Roll out all necessary database patches as soon as

they are released.

Continue your reading

How to Use IIS Request Filtering Rules to SQL Server Attacks:

Block SQL Injection Attacks Mechanisms You Must Know
Operating System Hardening Guidelines

Keep operating systems updated with the latest,
most robust versions. Also, make sure that security
patches and hotfixes are constantly being applied.
Install the latest operating system Service Packs.
File and File System Encryption – All disk partitions
should be formatted with a file system type that
offers encryption features (for example, NTFS in the
case of Windows).
Secure separate partitions.

Routers and wireless devices should be protected Tighten NTFS/Registry Permissions.

with strong passwords.

Remove unnecessary drivers. Configure appropriate settings for access control on

file shares, given that permissions are set using NTFS
Do not create more than two accounts in the security features.
Administrators group.
Disable any unnecessary file sharing.
Disable or delete unnecessary accounts quarterly.
Remove administrative shares if not needed.
Disable non-essential services.
Ensure that services are running on accounts with
Configure the operating system to log every activity, the lowest possible privilege level.
error, and warning.
Implement a strong password management practice.
Enable audit logs to record successful and failed login
attempts, usage of elevated privileges, and any kind
of unauthorized activity.

Secure the system’s CMOS settings.

Implement file and directory protection using Access

Control Lists (ACLs) and file permissions.

Continue your reading

Windows Password Windows 10

Setting Guide Hardening
The Sole Solution
for Hardening Automation
CalCom Hardening Automation Suite is designed to reduce
operational costs and increase the infrastructure’s security
and compliance posture. CalCom Hardening Automation
Suite eliminates outages and reduces hardening costs by
indicating the impact of a security hardening change on
the production services. It ensures a resilient, constantly
hardened and monitored server environment.

How CalCom Hardening

Automation Suite works
You won’t need an impact analysis – your production
environment is learned, and an impact analysis of your
policy is automatically produced.
Your policies are automatically enforced – each policy is
enforced on relevant systems from a single point of control.

You’ll easily maintain compliance – your network is monitored,

alerting you to changes and preventing configuration drifts.

Thank to the CalCom Hardening Automation Suite you’ll be

able to harden your machine, minimize your attack surface,
and achieve the best possible compliance posture in only
3 minutes per server. And you’ll always be audit-ready.

Want to know more?

Contact us:
www.calcomsoftware.com
[email protected]

Learn more about hardening automation