KHIKA Standard Hardening Policies

From khika

KHIKA Server Hardening for Windows Servers

The policies and rules in the default Server Hardening template provided by KHIKA for Windows Servers (2007 onwards) are listed below:

| Policy Name | Rule Name and Description | Desired Value |
|---|---|---|
| Account & Password Policy | Password Age Minimum - Number of days for which a user must use a password before it can be changed. | 1 day |
| | Password Age Maximum - Number of days after which a password expires. | 45 days |
| | Password Length Minimum - The least number of characters that can make up a password for a user account. | 8 characters |
| | Password Complexity level - Denotes whether password complexity is enabled. | Enabled |
| | Password History count - The number of unique new passwords that have to be associated with a user account before an old password can be reused. | 5 passwords |
| | Password lock out count - Number of failed logon attempts after which a user account MUST be locked out. | 5 attempts |
| | Administrator Name - Denotes the Administrator account name. | Administrator |
| | Password in clear text - Determines whether passwords are stored using reversible encryption. | Disabled |
| | Guest Account Enable/Disable - Denotes whether the Guest account is enabled or disabled. | Disabled |
| Audit Policy | Audit System Events - Audit when a user restarts or shuts down the computer, or when an event occurs that affects either the system security or the security log. | Audit Success & Failure |
| | Audit Logon Events - Audit each instance of a user logging on to or logging off from a computer. | Audit Success & Failure |
| | Audit Object Access - Audit the event of a user accessing an object. | No Audit |
| | Audit Privilege Use - Audit each instance of a user exercising a user right. | Audit Success & Failure |
| | Audit Policy Change - Audit every incident of a change to user rights assignment policies, audit policies, or trust policies. | Audit Success & Failure |
| | Audit Account Management - Audit each event of account management on a computer. | Audit Success & Failure |
| | Audit Process Tracking - Audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. | No Audit |
| | Audit Directory Service Access - Audit each instance of a user attempting to access an Active Directory object. | No Audit |
| | Audit Account Logon - Audit each time this computer validates the credentials of an account. | Audit Success & Failure |
| Event Log Policy | Maximum Application event log size. | 16384 KB |
| | Maximum System event log size. | 16384 KB |
| | Maximum Security event log size. | 16384 KB |
| | Application event log overflow action. | overwriteolder, overwriteasneeded |
| | System event log overflow action. | overwriteolder, overwriteasneeded |
| | Security event log overflow action. | overwriteolder, overwriteasneeded |
| Security Policy | Digitally sign secure channel data (when possible). | Enabled |
| | Digitally encrypt secure channel data (when possible). | Enabled |
| | Everyone permissions apply to anonymous users. | Disabled |
| | Restrict anonymous access to Named Pipes and Shares. | Enabled |
| | Names of any pipes that can be accessed anonymously. | Should be empty |
| | Names of any shares that can be accessed anonymously. | Should be empty |
| | Sharing and security model for local accounts must be Classic. | Enabled |
| Additional Security Policy | Do not display last username. | Enabled |
| | LDAP server signing requirements. | Required |
| | Network client: Digitally sign communications (if server agrees). | Enabled |
| | Minimum session security for NTLM SSP based (including secure RPC) clients. | Require NTLMv2 session security & 128-bit encryption |
| | LAN Manager authentication level. | Send NTLMv2 response only. Refuse LM & NTLM |
| | Do not store LAN Manager hash value on next password change. | Enabled |
| | LDAP client signing requirements. | None |
| | Minimum session security for NTLM SSP based (including secure RPC) servers. | Require NTLMv2 session security & 128-bit encryption |
| | Optional subsystems. | None |
| | Password-protected screensaver with a 10 minute timeout should be set on the server. | Enabled |
| | Do not allow anonymous enumeration of SAM accounts and shares. | Enabled |
| | Do not allow storage of credentials or .NET passwords for network authentication. | Enabled |
| Privilege Policy | Allow logon through RDP/Terminal Services. | Remote Desktop Users, Administrators, Domain Admins |
| | Shut down the system. | Administrator |
| | Deny access to this computer from the network. | Anonymous Logon |
| Device Policy | CDROM Status - whether the CD-ROM drive is enabled or disabled. | Disabled |
| | USB Status - whether USB devices are enabled or disabled. | Disabled |
| Services Policy | Check whether the following services are enabled or disabled: Messenger, Wireless Configuration, Alerter, Telnet, FTP, SMTP, Run As, Print Spooler, Fax Service, Client Services for Netware, Clipbook, File Services for Macintosh, FTP Publishing Service, Help and Support, HTTP SSL, IIS Admin Service, Indexing Service, License Logging Service, Microsoft POP3 Service, Print Server for Macintosh, Windows Media Server, Application Layer Gateway Service, Application Management, Distributed File System, Smart Card, Task Scheduler, Telephony, Computer Browser, Windows Audio, Windows Installer, COM+ Event System, Portable Media Serial Number, Remote Procedure Call (RPC) Locator, COM+ System Application | Disabled |
| Interactive Logon Policy | Smart card removal behavior. | None |
| | Prompt user to change password before expiration. | 14 days |
| | Do not require CTRL + ALT + DEL. | None |
| | Number of previous logons to cache (in case the domain controller is not available). | None |
| | Require domain controller authentication to unlock workstation. | Enabled |
| | Do not allow storage of credentials or .NET passwords for network authentication. | Enabled |
| Domain Settings Policy | Allow server operators to schedule tasks. | Disabled |
| | Refuse machine account password changes. | Disabled |
| | Disable machine account password changes. | Disabled |
| | Digitally sign secure channel data (when possible). | Enabled |
| | Digitally encrypt secure channel data (when possible). | Enabled |
| | Digitally encrypt or sign secure channel data (always). | Enabled |
| | Require strong (Windows 2000 or later) session key. | Enabled |
| Network Settings Policy | Network server: Amount of idle time required before suspending session. | 15 min |
| | Network client: Send unencrypted password to third-party SMB servers. | Disabled |
| | Network server: Disconnect clients when logon hours expire. | Enabled |
| | Network server: Digitally sign communications (always). | Enabled |
| Network Security Settings Policy | Force logoff when logon hours expire. | Enabled |
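As an added check that is not part of the KHIKA template or product, the following Python compares the Account & Password Policy rows above with what a host actually enforces, as exported by `secedit /export`. Pairing each KHIKA rule with a security-template key is this example's assumption, and the sample export is constructed.

```python
"""Audit a `secedit /export` INF file against the Account & Password Policy values."""
import configparser

# KHIKA rule -> (secedit [System Access] key, desired value from the table above).
# Pairing the standard template keys with the KHIKA rule names is this example's assumption.
BASELINE = {
    "Password Age Minimum": ("MinimumPasswordAge", 1),
    "Password Age Maximum": ("MaximumPasswordAge", 45),
    "Password Length Minimum": ("MinimumPasswordLength", 8),
    "Password Complexity level": ("PasswordComplexity", 1),
    "Password History count": ("PasswordHistorySize", 5),
    "Password lock out count": ("LockoutBadCount", 5),
    "Administrator Name": ("NewAdministratorName", "Administrator"),
    "Password in clear text": ("ClearTextPassword", 0),
    "Guest Account Enable/Disable": ("EnableGuestAccount", 0),
}

# Constructed sample of `secedit /export /cfg out.inf` output on an untuned host
# (the real file is UTF-16; read it with encoding="utf-16").
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
"""

def parse_system_access(text: str) -> dict:
    """Return the [System Access] section as {key: int or str}, quotes stripped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as secedit writes it
    cp.read_string(text)
    values = {}
    if cp.has_section("System Access"):
        for key, raw in cp["System Access"].items():
            raw = raw.strip().strip('"')
            values[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return values

def audit_account_policy(export_text: str) -> list:
    """Return (rule, actual, desired) for every rule whose exported value deviates."""
    actual = parse_system_access(export_text)
    return [(rule, actual.get(key), desired)
            for rule, (key, desired) in BASELINE.items()
            if actual.get(key) != desired]
```

A missing key is reported with `None` as the actual value, so a truncated or partial export fails the audit rather than passing silently.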


KHIKA Server Hardening for Linux Servers

The policies and rules in the default Server Hardening template provided by KHIKA for RHEL 7 are listed below:

| Policy Name | Rule Name and Description | Desired Value |
|---|---|---|
| Network Policy | Ensure IP forwarding is disabled. | Disabled |
| | Ensure IPv6 is disabled. | Disabled |
| | Ensure DCCP is disabled. | Disabled |
| | Ensure SCTP is disabled. | Disabled |
| | Ensure RDS is disabled. | Disabled |
| | Ensure TIPC is disabled. | Disabled |
| Services Policy | Check the status of the following services: chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, discard-dgram, echo-dgram, echo-stream, time-dgram, time-stream, rexec, rsh, talk, telnet, tftp, avahi-daemon, cups, dhcpd, slapd, nfs, rpcbind, named, httpd, dovecot, smb, squid, snmpd, ypserv, rsyslog, crond, vsftpd, ntpd, rsync, rlogin. | Disabled; Enabled for cron, ntp and rsyslog |
| SSH Policy | Ensure permissions on /etc/ssh/sshd_config are configured. | 700 (rwx------) |
| | Ensure SSH Protocol is set to 2. | 2 |
| | Ensure SSH LogLevel is set to INFO. | INFO |
| | Ensure SSH X11 forwarding is disabled. | Disabled |
| | Ensure SSH MaxAuthTries is set to 4 or less. | 4 |
| | Ensure SSH IgnoreRhosts is enabled. | Enabled |
| | Ensure only approved ciphers are used. | aes256-ctr, aes192-ctr, aes128-ctr |
| | Ensure only approved MAC algorithms are used. | hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-sha2-256, hmac-sha2-512, hmac-ripemd160@openssh.com |
| | Ensure SSH Idle Timeout Interval is configured. | 300 seconds |
| | Ensure SSH Idle Timeout Interval is configured. | 0 |
| Service Client Policy | Ensure NIS client is not installed. | Not installed |
| | Ensure rsh client is not installed. | Not installed |
| | Ensure talk client is not installed. | Not installed |
| | Ensure telnet client is not installed. | Not installed |
| | Ensure LDAP client is not installed. | Not installed |
| | Ensure X Window System is not installed. | Not installed |
| | Ensure rsyslog is installed. | Installed |
| | Ensure syslog-ng is not installed. | Not installed |
| Password Policy | Minimum length of password. | 8 characters |
| | User cannot reuse the last 5 passwords. | 5 passwords |
| | Maximum number of days a password is valid. | 60 days |
| | Minimum number of days a password is valid. | 1 day |
| | Unsuccessful attempts before account lock. | 5 attempts |
| | Account lockout time. | 15 min |
| | Ensure password creation requirements are configured. | retry=3 difok=3 minlen=8 |
| | Ensure lockout for failed password attempts is configured. | retry=3 difok=3 minlen=8 |
| | Ensure password reuse is limited. | 5 passwords |
| CRON Policy | Ensure permissions on /etc/crontab are configured. | 700 (rwx------) |
| | Ensure permissions on /etc/cron.hourly are configured. | 700 (rwx------) |
| | Ensure permissions on /etc/cron.daily are configured. | 700 (rwx------) |
| | Ensure permissions on /etc/cron.weekly are configured. | 700 (rwx------) |
| | Ensure permissions on /etc/cron.monthly are configured. | 700 (rwx------) |
| | Ensure permissions on /etc/cron.d are configured. | 700 (rwx------) |
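An added example, not KHIKA's own tooling: a Python audit of an sshd_config against the SSH Policy rows above. It reads the two Idle Timeout rows as ClientAliveInterval 300 and ClientAliveCountMax 0 (an assumption of this example), honours sshd's first-occurrence-wins and Match-block scoping, and runs on a constructed sample file.

```python
"""Audit an sshd_config against the SSH Policy values from the table above."""
# Desired values from the table. The two "Idle Timeout Interval" rows are taken here
# to mean ClientAliveInterval 300 and ClientAliveCountMax 0 (this example's assumption).
EXACT = {"protocol": "2", "loglevel": "INFO", "x11forwarding": "no",
         "ignorerhosts": "yes", "clientaliveinterval": "300", "clientalivecountmax": "0"}
APPROVED_CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr"}
APPROVED_MACS = {"hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160",
                 "hmac-sha2-256", "hmac-sha2-512", "hmac-ripemd160@openssh.com"}

SAMPLE_SSHD_CONFIG = """# constructed sample for this example, not a real host's file
Protocol 2
LogLevel INFO
X11Forwarding yes
MaxAuthTries 6
IgnoreRhosts yes
Ciphers aes256-ctr,aes128-ctr,aes128-cbc
MACs hmac-sha2-256,hmac-sha2-512
ClientAliveInterval 300
ClientAliveCountMax 3
Match User backup
    X11Forwarding no
"""

def parse_sshd_config(text: str) -> dict:
    """Global directives as {lowercase keyword: value}; first occurrence wins, as in sshd."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break  # directives after the first Match block are conditional, not global
        conf.setdefault(key, value.strip())
    return conf

def audit_sshd(text: str) -> list:
    """(directive, actual, desired) for each deviation; a missing directive counts too."""
    conf = parse_sshd_config(text)
    findings = [(k, conf.get(k), want) for k, want in EXACT.items()
                if (conf.get(k) or "").lower() != want.lower()]
    tries = conf.get("maxauthtries", "")
    if not tries.isdigit() or int(tries) > 4:
        findings.append(("maxauthtries", tries or None, "4 or less"))
    for key, approved in (("ciphers", APPROVED_CIPHERS), ("macs", APPROVED_MACS)):
        offered = set(filter(None, conf.get(key, "").split(",")))
        if not offered or not offered <= approved:  # anything outside the list fails
            findings.append((key, conf.get(key), ",".join(sorted(approved))))
    return findings
```

A directive left at its compiled-in default is reported as a deviation on purpose: the template wants each value set explicitly, and the sample's Match-scoped `X11Forwarding no` does not satisfy the global rule.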


Every organization tends to have its own compliance policies, so KHIKA's hardening compliance templates are customizable to meet the needs of any organization and to enable regular assessment of hardening compliance posture. To learn how to customize your hardening policy, see Customizing Hardening Policies.

Please note that hardening policy customization is done as a service for clients who implement KHIKA on premises. If you are on KHIKA SaaS, please write to info@khika.com for policy customization and someone from our sales team will get in touch with you.