Security Baselines and Operating System, Network and Application Hardening
In this chapter we will look in detail at the concept of security baselines in conjunction with the steps involved in hardening operating systems, networks and applications.
Security Baselines
The process of baselining involves both the configuration of the IT environment to conform to consistent standard levels (such as password policy and the disabling of non-essential services) and the identification of what constitutes typical behavior on a network or computer system, so that malicious or anomalous behavior can more easily be recognized against that baseline should it occur later.
The baselining process involves hardening the key components of the IT architecture to reduce the risk of attack. The three main areas requiring hardening are operating systems, networks and applications, each of which will be covered in detail in the remainder of this chapter.
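The two halves of baselining described above (a configuration standard the host must match, and a record of typical behavior against which deviations are measured) can be made concrete as a small audit. The following is an added example written for this chapter, not code from the original text; the role name, the allowed-service list, the password and sshd settings, and the hourly connection counts are all constructed values chosen to illustrate the check, not a vendor or industry standard.

```python
"""Baseline compliance and behavioural-deviation checks (constructed example)."""
import statistics
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Configuration standard for a host role plus its expected behaviour."""
    allowed_services: set[str]                 # services that may run on this role
    min_password_length: int                   # minimum enforced password length
    permit_root_login: str                     # expected sshd PermitRootLogin value
    typical_conns_per_hour: list[float] = field(default_factory=list)


# Hypothetical baseline for a web-server role (constructed values, not a published standard).
WEB_SERVER_BASELINE = Baseline(
    allowed_services={"sshd", "nginx", "rsyslogd", "chronyd"},
    min_password_length=12,
    permit_root_login="no",
    typical_conns_per_hour=[120, 135, 128, 142, 131, 126, 138, 133, 129, 140, 136, 127],
)

# Constructed snapshot of what an audit found on one host.
OBSERVED_STATE = {
    "running_services": {"sshd", "nginx", "rsyslogd", "smtpd", "telnetd"},
    "min_password_length": 8,
    "permit_root_login": "yes",
}


def config_findings(baseline: Baseline, observed: dict) -> list[str]:
    """Return one finding per deviation of the observed configuration from the baseline."""
    findings = []
    # Non-essential services: anything running that the role does not need.
    for svc in sorted(observed["running_services"] - baseline.allowed_services):
        findings.append(f"non-essential service running: {svc}")
    # Password policy weaker than the standard.
    if observed["min_password_length"] < baseline.min_password_length:
        findings.append(
            f"password minimum length {observed['min_password_length']} "
            f"below baseline {baseline.min_password_length}"
        )
    # Remote root login must match the standard exactly.
    if observed["permit_root_login"] != baseline.permit_root_login:
        findings.append(
            f"PermitRootLogin is {observed['permit_root_login']!r}, "
            f"baseline requires {baseline.permit_root_login!r}"
        )
    return findings


def behaviour_findings(baseline: Baseline, recent_conns: list[float], k: float = 3.0) -> list[str]:
    """Flag hours whose connection count lies more than k standard deviations
    above the baseline mean; the baseline defines what 'typical' means for this host."""
    mean = statistics.mean(baseline.typical_conns_per_hour)
    stdev = statistics.stdev(baseline.typical_conns_per_hour)
    threshold = mean + k * stdev
    return [
        f"hour {i}: {n:.0f} connections exceeds threshold {threshold:.1f}"
        for i, n in enumerate(recent_conns)
        if n > threshold
    ]


if __name__ == "__main__":
    for f in config_findings(WEB_SERVER_BASELINE, OBSERVED_STATE):
        print("CONFIG:", f)
    # Constructed recent observations: four normal hours, then a spike.
    for f in behaviour_findings(WEB_SERVER_BASELINE, [130, 134, 129, 141, 980]):
        print("BEHAVIOUR:", f)
```

In practice the observed state would be collected from the host (service manager, PAM or local security policy, sshd_config) and the behavioral baseline from historical logs or flow records; the point of the example is that the baseline is the reference against which both misconfiguration and unusual activity are judged.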
Operating System Hardening
The hardening of operating systems involves ensuring that the system is configured to limit the possibility of either internal or external attack. While the methods for hardening vary from one operating system to another, the concepts involved are largely similar regardless of whether Windows, UNIX, Linux, MacOS X or any other system is being baselined. Some basic hardening techniques are as follows:
- Non-essential services - It is important that an operating system only be configured to run the services required to perform the tasks for which it is assigned. For example, unless a host is functioning as a web or mail server there is no need to have HTTP or SMTP services running on the system.
- Patches and Fixes - As an ongoing task, it is essential that all operating systems be updated with the latest vendor supplied patches and bug fixes (usually collectively referred to as security updates).
- Password Management - Most operating systems today provide options for the enforcement of strong passwords. Utilization of these options will ensure that users are prevented from configuring weak, easily guessed passwords. As an additional level of security