Security Hardening Configurations
A good configuration should take the entire life of the machine into account. It should start with BIOS or EFI settings, lay out the process for installation or imaging, cover base software installation, describe the configuration changes that harden the OS and applications, and include the commands or instructions for validating those changes on a recurring basis. Ultimately you should have a document, perhaps one per operating system, that describes the standard build and hardening of a machine from its arrival to its rollout into production. Once this document exists, exceptions to the standard can be clearly documented, so a configuration trail can be reconstructed by combining the build document with the exception ticket. Make sure you record the version of the configuration document in the exception ticket so you can easily trace exactly what was done to build out the machine or device when it was originally configured.
One of the biggest challenges when creating a hardening guide is finding the best practices. Every system administrator has their own idea of how to harden a server, dictated by the industries they've worked in, their IT background, and their work ethic. The same is true of security professionals, so it is necessary to start from a neutral baseline. To bridge this gap I recommend starting with best practices from several parties. I like to start with the NSA Operating System Guidelines, though it is worth noting they do not have material for all operating systems. Next, I add in recommendations from the Center for Internet Security (CIS) Security Benchmarks, which cover a wider range of operating systems and applications. After that I check the National Vulnerability Database (NVD) National Checklist Program Repository hosted by NIST, as it tends to aggregate material from both of the prior sources as well as other reliable ones. Finally, I search the papers in the SANS Information Security Reading Room, as some of the certification holders have written great papers on securing both operating systems and applications.
After creating a baseline, it's worth adding the tuning you've picked up from your own experience; this is also an opportunity to meet with the system administrators and record the changes they typically make.
Now comes the fun part: combine both into one document and present it to the administrators and management to discuss the settings you're recommending and their justification. Note any objections or changes and release a new version of the document that incorporates them.
Review these at least annually as service packs and updates can create drastic changes in security.
Components of a Configuration Guide:
1. Any pre-bootloader changes, including BIOS, EFI, RAID, etc.
2. OS install instructions
3. Applications to be installed, possibly sorted by machine function
4. Hardening guidelines, starting with the OS and including applications
5. Instructions for validating the configurables
6. Exceptions documented in the ticket for the device/machine
7. Regular validation of the configuration; automate this where possible
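As an added illustration of items 5 and 7 (this is example code, not part of the original article), the following Python checker compares a host's sshd_config against a small baseline taken from a versioned build guide and reports each directive as OK, MISSING, DEVIATION, or EXCEPTION when the deviation is covered by a documented ticket. The guide version, the ticket id, the baseline values and the sshd_config excerpt are all constructed for this example.

```python
import re

# Constructed baseline: directive -> value the build guide requires. GUIDE_VERSION is a
# placeholder recorded with each finding so a result maps to the guide revision it came from.
GUIDE_VERSION = "linux-build-guide-v1.2 (placeholder)"
SSHD_BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                 "X11Forwarding": "no", "MaxAuthTries": "4"}

# Constructed excerpt standing in for a host's /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
MaxAuthTries 10
"""

def parse_sshd_config(text):
    """Effective global directives keyed by lower-cased name. Comments and blank lines are
    skipped; sshd honours the first value given for a keyword, so later duplicates are ignored."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # directives after a Match block are conditional, not global settings
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def validate(config_text, baseline, exceptions=None):
    """One finding per baseline directive: OK, MISSING (not explicitly set), DEVIATION,
    or EXCEPTION (a deviation covered by a ticket). `exceptions` maps directive -> ticket id."""
    exceptions = exceptions or {}
    effective = parse_sshd_config(config_text)
    findings = []
    for directive, expected in baseline.items():
        actual = effective.get(directive.lower())
        if actual is None:
            status = "MISSING"
        else:
            status = "OK" if actual.lower() == expected.lower() else "DEVIATION"
        ticket = exceptions.get(directive)
        if status != "OK" and ticket:
            status = "EXCEPTION"  # documented deviation: tracked, but does not fail the host
        findings.append({"guide": GUIDE_VERSION, "directive": directive, "expected": expected,
                         "actual": actual, "status": status, "ticket": ticket})
    return findings
```

Run on a schedule, the findings (with their guide version and ticket) give you the recurring validation record the guide calls for; MISSING means the directive is left at the sshd default, which is a deviation worth stating explicitly in the baseline.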