KHIKA Standard Hardening Policies
Revision as of 08:47, 14 June 2019 by Dhanashree kulkarni (talk | contribs) (→KHIKA Server Hardening for Linux Servers)
KHIKA Server Hardening for Windows Servers
The Policies and rules available in the default Server Hardening template provided by KHIKA for Windows Servers (2007 onwards) is as mentioned below:
| Policy Name | Rule Name and Description | Desired Value |
|---|---|---|
| Account & Password Policy | Password Age Minimum - Number of days for which user must use password before it can be changed. | 1 Day |
| Password Age Maximum - Number of days after which password expires. | 45 Days | |
| Password Length Minimum - The least number of characters that can make up a password for a user account. | 8 Characters | |
| Password Complexity level - Denotes whether password complexity is enabled. | Enabled | |
| Password History count - The number of unique new passwords that have to be associated with a user account before an old password can be reused. | 5 passwords | |
| Password lock out count - Number of failed logon attempts after which a user account MUST be locked out. | 5 attempts | |
| Administrator Name - Denotes Administrator Account Name. | Administrator | |
| Password in clear text - Determines whether passwords are stored using reverse encryption . | Disabled | |
| Guest Account Enable/Disable - Denotes whether the Guest account is enabled or disabled. | Disabled | |
| Audit Policy | Audit System Events - Audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. | Audit Success & Failure |
| Audit Logon Events - Audit each instance of a user logging on to or logging off from a computer. | Audit Success & Failure | |
| Audit Object Access - Audit the event of a user accessing an object. | No Audit | |
| Audit Privilege Use - Audit each instance of a user exercising a user right. | Audit Success & Failure | |
| Audit Policy Change - Audit every incident of a change to user rights assignment policies, audit policies, or trust policies. | Audit Success & Failure | |
| Audit Account Manage - Audit each event of account management on a computer. | Audit Success & Failure | |
| Audit Process Tracking - Audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. | No Audit | |
| Audit Directory Services Access - Audit each instance of user attempts to access an Active Directory object. | No Audit | |
| Audit Account Logon - Audit each time this computer validates the credentials of an account. | Audit Success & Failure | |
| Event Log Policy | Maximum Application event log size. | 16384 KB |
| Maximum System event log size. | 16384 KB | |
| Maximum Security event log size. | 16384 KB | |
| Application event log overflow action. | overwriteolder, overwriteasneeded | |
| System event log overflow action. | overwriteolder, overwriteasneeded | |
| Security event log overflow action. | overwriteolder, overwriteasneeded | |
| Security Policy | Digitally sign secure channel data (when possible). | Enabled |
| Digitally encrypt secure channel data (when possible). | Enabled | |
| Everyone permissions to apply to anonymous users. | Disabled | |
| Restrict anonymous access to Named Pipes and Shares. | Enabled | |
| Names of any pipes than can be accessed anonymously. | Should be empty | |
| Names of any shares than can be accessed anonymously. | Should be empty | |
| Classic need to be the sharing and security model for local accounts. | Enabled | |
| Additional Security Policy | Do not display last username | Enabled |
| LDAP Server signing requirements | Required | |
| Network client: Digitally sign communications (if server agrees) | Enabled | |
| Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 Session Security & 128-bit encryption | |
| LAN manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | |
| Do not store LAN Manager hash value on next password change | Enabled | |
| LDAP client signing requirements | None | |
| Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 Session Security & 128-bit encryption | |
| Optional subsystems none | None | |
| Password protected screensaver with 10 minute timeout should be set on the Server | Enabled | |
| Do not allow anonymous enumeration of SAM accounts and shares | Enabled | |
| Do not allow storage of credentials or .NET passwords for network authentication | Enabled | |
| Privilege Policy | Allow logon through RDP/Terminal Services | Remote Desktop Users, Administrators, Domain Admins |
| Shut down the system | Administrator | |
| Deny access to this computer from the network | Anonymous Login | |
| Device Policy | CDROM Status – whether CD ROM drive is enabled or disabled | Disabled |
| USB Status – whether USB devices are enabled or disabled. | Disabled | |
| Services Policy | Check whether the following services are enabled or disabled:
Messenger, Wireless Configuration, Alerter, Telnet, FTP, SMTP, Run As, Print Spooler, Fax Service, Client Services for Netware, Clipbook, File Services for Macintosh, FTP, Publishing Service, Help and Support, HTTP SSL,IIS Admin Service, Indexing Service, License Logging Service, Microsoft POP3 Service, Print Server for Macintosh, Wireless Configuration, Windows Media Server, Application Layer Gateway Service, Application Management, Distributed File System, Smart Card, Task, Scheduler, Telephony, Help and Support, Computer Browser, Windows Audio, Windows Installer, COM+ Event System, Portable Media Serial Number, Remote Procedure, Call (RPC) Locator, COM+ System Application |
Disabled |
| Interactive Logon Policy | Smart Card Removal behavior | None |
| Prompt user to change password before expiration | 14 days | |
| Do not require CTRL + ALT + DEL | None | |
| Number of previous logons to cache(in case domain controller is not available) | None | |
| Require domain controller authentication to unlock workstation | Enabled | |
| Do not allow storage of credentials or .NET passwords for network authentication | Enabled | |
| Domain Settings Policy | Allow server operators to schedule tasks | Disabled |
| Refuse machine account password changes | Disabled | |
| Disable machine account password changes | Disabled | |
| Digitally sign secure channel data (when possible) | Enabled | |
| Digitally encrypt secure channel data (when possible) | Enabled | |
| Digitally encrypt or sign secure channel data (always) | Enabled | |
| Require strong (windows 2000 or later) session key | Enabled | |
| Network Settings Policy | Network server: Amount of idle time required before suspending session | 15 min |
| Network client: Send unencrypted password to third party SMB servers | Disabled | |
| Network server: disconnect clients when logon hours expire | Enabled | |
| Network server: Digitally sign communications (always) | Enabled | |
| Network Security Settings Policy | Force logoff when logon hours expire | Enabled |
Every organization tends to have its own compliance policies and hence KHIKA’s hardening compliance templates are customizable to meet the needs of any organization and enable hardening compliance posture assessment on a regular basis.
Please note that hardening policies customization is done for clients who implement KHIKA on premise.
KHIKA Server Hardening for Linux Servers
The Policies and rules available in the default Server Hardening template provided by KHIKA for RHEL 7 is as mentioned below:
| Policy Name | Rule Name and Description | Desired Value |
|---|---|---|
| Network Policy | Ensure IP forwarding is disabled | Disabled |
| Ensure IPv6 is disabled | Disabled | |
| Ensure DCCP is disabled | Disabled | |
| Ensure SCTP is disabled | Disabled | |
| Ensure RDS is disabled | Disabled | |
| Ensure TIPC is disabled | Disabled | |
| Services Policy | Check the status of the following services:
chargen-dgram, chargen-stream, daytime-dgram, daytime-stream, discard-dgram, echo-dgram, echo-stream, time-dgram,timestream, rexec, rsh, talk, telnet, tftp, avahi-daemon, cups, dhcpd, slapd, nfs, rpcbind, named, httpd, dovecot, smb, squid, snmpd, ypserv, rsyslog, crond, vsftpd, ntpd, rsync, rlogin. |
Disabled
Enabled (for services cron, ntp, rsyslog) |
| SSH Policy | Ensure permissions on /etc/ssh/sshd_config are configured | 700 (rwx------) |
| Ensure SSH Protocol is set to 2 | 2 | |
| Ensure SSH LogLevel is set to INFO | INFO | |
| Ensure SSH X11 forwarding is disabled | Disabled | |
| Ensure SSH MaxAuthTries is set to 4 or less | 4 | |
| Ensure SSH IgnoreRhosts is enabled | Enabled | |
| Ensure only approved ciphers are used | aes256-ctr,aes192-ctr,aes128-ctr | |
| Ensure only approved MAC algorithms are used | hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-sha2-256, hmac-sha2-512, hmac-ripemd160@openssh.com | |
| Ensure SSH Idle Timeout Interval is configured | 300 seconds | |
| Ensure SSH Idle Timeout Interval is configured | 0 | |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
| Example | Example | Example |
