- Ensure a system’s security configurations are appropriately set given the job it needs to do.
- Ensure operating system software, firmware and applications are updated to stay ahead of exploits that attack flaws in the underlying code.
- Ensure this process runs continually, leveraging and employing as much automation as possible.
What is Configuration Hardening?Configurations are, in an almost literal sense, the DNA of modern information systems. “Configuration settings” are the attributes and parameters that tell these systems—from servers to network devices and from databases to desktops and applications—how to act and how to behave. Unfortunately, these systems are made to “do work” and not to “be secure.” In other words, they’re shipped infinitely capable but effectively insecure. Modern computer systems have over 1,000 well-known ports with which to get work done. They also have another 40,000 or so “registered” ports and yet another 20,000 or so “private” ports. These in turn support a vast number of services and processes. There’s a nice analogy that helps us get our arms around this: If we translate a server’s “ports and processes and services” to the “doors and gates and windows” in a house, we see information systems as unimaginably large, fundamentally porous houses.
Security configuration managementSecurity configuration management becomes the job of determining which of these doors and gates and windows should be open, closed or locked at any given time. Of course, this notion of whether something should be “open or closed or locked” is very conditional—it depends on circumstances like “when” or “where.” If I’m going away for a week, I double-check that everything in my house is locked down tight. If I’m only going to be gone for an hour, I may leave the back door unlocked. And if it’s the height of summer, I may have an air conditioner in a window that comes right off the front porch. In this case, I’ve knowingly traded an inherent security weakness (I can’t lock that window until autumn!) for comfort. To drag this analogy back to the modern computer network, we need to amplify our numbers exponentially. The first thing we note is that the number of “configuration items”—doors and gates and windows that need to be monitored and assessed just to achieve a basic level of security—becomes staggering:
- Network device configurations can have an average of 2000 lines of code for each device.
- Each device configuration can contain hundreds of parameters for about 20 different IP protocols and technologies that need to work together.
- A Fortune 1000 enterprise can have over 50 million lines of configuration code in its extended network.
System hardening best practicesAt the device level, this complexity is apparent in even the simplest of “vendor hardening guideline” documents. These are vendor-provided “How To” guides that show how to secure or harden an out-of-the box operating system or application instance. Some examples:
- The hardening guide for Oracle Solaris v11 has 55 of these critical configuration items. (My house has just 30 doors and windows, by comparison.)
- The vmWare guide for vSphere 5 highlights 60 critical security items that must be checked
- For Windows 2008, the Microsoft guide for minimal system hardening includes 158 settings that need to be immediately secured out of the box (it’s is a big house).
- Are at least 8 characters in length for standard enterprises servers
- Are at least 11 characters for critical systems
- Are changed every 90 days but not more often than once a day
- Are different from the previous 24 passwords created by the user
- Contain characters from multiple classes: alphabet, numeric, special characters, etc.
- Are not saved or stored in any form of reversible encryption