Most applications and devices aren’t designed with security out-of-the-box. In this video, you’ll learn about the importance of secure configuration guides.
<< Previous Video: Compliance and Frameworks Next: Defense-in-Depth >>
When you first install an operating system, a web server, a database server, or almost any other kind of technology, you may find that it operates exactly as you might expect. But what you may not realize is that this new operating system, or web server, is far from being a secure configuration. Getting the system up and running is simply the first step. The second step is to harden the system and make sure that it is as secure as possible. You can usually find hardening guides that are specific to the operating system or the application you’re installing from the manufacturer or developer of the software itself. There are also internet interest groups, especially with the more popular operating systems and applications that also provide their own hardening guides and can help you understand how to make that system as secure as possible. And occasionally you’ll find another technologist who’s gone through this process before, who is nice enough to document their hardening process and make it available for everyone else to use.
One of the most popular services on the internet is web services. This is a server such as Microsoft’s Internet Information Server or Apache HTTP Server that provides the browsing front end that we use to access services on the internet. Because this is open to the internet, and so many people are accessing this resource this becomes a huge security issue. We want to make sure there are no data leaks. We want to make sure that the server access itself is secure, and so it’s very important that we concentrate on hardening these web servers. A small sample of the types of hardening processes you would go through with a web server are things like preventing information leakage. You can check the banner information, make sure that no one is able to browse directories on that web server. And you want to check permissions, that the web server itself is running from a non-privileged account so that nobody can take advantage of a privileged capability within the web server. And you want to make sure that all of the file permissions are configured properly.
If this is a web server you may want to configure an SSL certificate so that all of the communication across the network are performed over an encrypted channel. And lastly, there should be log files enabled. If not, you should make sure that you are monitoring, that you’re able to access, and that you can view all of the log files available for this web server. Another important piece of technology to harden would be our operating systems. This might be Windows, Linux, Mac OS, iOS, Android, or any other type of operating system that we might be using and connecting to the network. After your initial set up of the operating system, the next step is usually to make sure that you’re updated to the latest version. There might be service packs, or patches, that need to be applied, and you need to make sure that all of those are up to date.
If there are user accounts that will be configured on this operating system, you want to be sure that they’re using the best practices for password lengths and complexity, and you want to be sure that those accounts are limited to provide just enough capabilities to provide that user with what they need on that server. You also want to check network access, and make sure that you’ve set up the proper restrictions of who might be using this service across the network. And you want to provide ongoing monitoring for this system, and you want to be sure that you’re providing anti-virus, anti-malware, and other security controls as well. In some environments, the entire application flow is handled through multiple tiers. You might have the web server handling the front end, you have a database server on the back end, and occasionally there might be an application server in the middle. This is usually something providing additional runtime libraries and programming languages, and it generally sits between the web server and the back end database. Because this is in the middle you’ll sometimes hear this referred to as middleware.
This application server usually has a very specific function. That means if there are any other services running on that particular device you can disable those and focus solely on the application services. There might also be operating system updates. This is a standard operating system just like all of the other operating systems in your environment. So you want to be sure that it gets all of the latest patches. This is also a situation where you’ll want to limit the access controls for both the application server itself and for people who are accessing the application server. In some cases, the application server may only be communicating to the web server and the database server. So you can create some very granular controls over who may be able to access this device.
There are a number of network infrastructure devices that are always working behind the scenes. These are the switches, routers, and security appliances that are keeping our network up and running, but we never directly interact with them from our computers. These infrastructure devices don’t usually run Windows or Linux. It’s usually a purpose built embedded operating system that runs in these devices. And even when we’re administering the device, we generally don’t have detailed access to the operating system.
Usually, we are configuring these devices to provide access for the system administrators, and usually we’re integrating that with a back end authentication process. That way if someone does try to log in to these devices, they’re being authenticated against a known good database. These devices don’t usually have the number of updates that you might see on a laptop or a mobile operating system, but when an update is available, it’s usually something that’s very important. So you want to be sure you stay up-to-date with all of the latest patches for your network infrastructure devices.