hardening process 2

Upload: shanagonda-manoj-kumar

Post on 14-Apr-2018


  • 7/30/2019 Hardening Process 2

    1/4

    Apalya Production servers Hardening Process

    Partition of HDD and RAM Size Allocation as per Standard Size

    Team should ensure that HDD partitioning and swap size allocation follow the standard sizes.

    Named Accounts with Required Access to Their Folders Only

    Team should ensure that only named accounts are present and that each account's access is limited to its own folders, with only the required permissions.

    Application Installation:

    Team should ensure that the application is installed in the allocated directory, not in the application's default directory.

    No Root Login:

    Team will ensure that there is no login as root, at both the user level and the application level.

    Anonymous FTP Access Should Be Disabled

    Management should ensure that anonymous access is disabled and that strong login credentials are used. Further, for file transfer, secure services such as SFTP should be used instead of clear-text services such as FTP.

    Strong Authentication Parameters

    Management should ensure that easy-to-guess and/or organization default passwords are not used. All passwords should comply with the organization's password complexity settings.


    No Presence of VNC / Remote Services

    Management should critically review the requirement for VNC on the affected servers and disable it if it is not required. If required, management should consider implementing an IP-based access list/filter to restrict and limit access to the VNC servers. Also, SSH tunnelling should be used for VNC connections to secure the VNC session over public networks.

    Clear-Text Services Should Be Disabled

    Management should consider disabling the FTP service and, if required, using the SFTP service instead, which is the secure counterpart of clear-text FTP.

    SU (Switch User) Privilege

    Management should consider disabling the 'ALL ALL = (ALL) ALL' entry in the sudoers configuration and allowing 'su' privilege only to root and/or admin users, using a customized configuration in /etc/sudoers.

    UMASK Setting

    We recommend configuring the umask for the root account to 077 (files accessible only to root) and for the other accounts to at least 027 (files writable only by the account itself).

    SSH v1 Should Be Disabled

    Management should consider disabling support for version 1 of the SSH protocol and allowing only SSH version 2 instead. Change the configuration in /etc/sshd_config/.

    Adequate Password Aging Parameters

    Management should critically review the password parameter settings and implement appropriate values for them in compliance with the defined password policy.
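    The sudoers, umask, SSH v1 and password-aging items above can be verified with a small audit script. The one below is an added example written for this page, not part of the Apalya document; the live file paths and the 90-day maximum in audit_host are assumptions, and each check reads the file path passed as its first argument so it can also be run against copies.

```shell
#!/bin/sh
# Added audit helper for the sudoers, umask, SSH v1 and password-aging items above;
# it is not part of the Apalya document. Each check takes a config file path as $1
# so it can run against live files or copies, and returns 0 (compliant) or 1 (not).

# SSH v1 disabled: sshd_config must say exactly "Protocol 2". A missing Protocol
# line is treated as non-compliant rather than trusting the build's default.
check_sshd_protocol() {
    proto=$(grep -Ei '^[[:space:]]*Protocol[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    [ "$proto" = "2" ]
}

# No blanket 'ALL ALL=(ALL) ALL' rule in sudoers; (ALL:ALL) and NOPASSWD variants count too.
check_sudoers_no_blanket_all() {
    ! grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' "$1"
}

# umask from a shell profile: $2 is "root" (must be 077) or "user" (at least 027:
# group write bit masked and every bit masked for others).
check_umask() {
    mask=$(grep -E '^[[:space:]]*umask[[:space:]]+[0-7]+' "$1" | tail -n 1 | awk '{print $2}')
    [ -n "$mask" ] || return 1
    awk -v m="$mask" -v who="$2" 'BEGIN {
        while (length(m) < 3) m = "0" m
        g = substr(m, length(m) - 1, 1) + 0; o = substr(m, length(m), 1) + 0
        if (who == "root") exit !(g == 7 && o == 7)
        exit !(int(g / 2) % 2 == 1 && o == 7)
    }'
}

# Password aging: PASS_MAX_DAYS in login.defs must be set and no greater than $2 days.
check_pass_max_days() {
    days=$(grep -E '^[[:space:]]*PASS_MAX_DAYS[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    [ -n "$days" ] && [ "$days" -le "$2" ]
}

# Runs every check against the usual Linux paths (assumed here; the document itself
# names /etc/sshd_config) with an assumed 90-day maximum password age.
audit_host() {
    rc=0
    check_sshd_protocol /etc/ssh/sshd_config  || { echo "FAIL: SSH protocol v1 not disabled"; rc=1; }
    check_sudoers_no_blanket_all /etc/sudoers || { echo "FAIL: blanket ALL rule in /etc/sudoers"; rc=1; }
    check_umask /root/.profile root           || { echo "FAIL: root umask is not 077"; rc=1; }
    check_umask /etc/profile user             || { echo "FAIL: default umask weaker than 027"; rc=1; }
    check_pass_max_days /etc/login.defs 90    || { echo "FAIL: PASS_MAX_DAYS unset or above 90"; rc=1; }
    return $rc
}
```

    Run audit_host as root after hardening; a non-zero exit means at least one of the checklist items above is still open.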


    No Multiple Accounts Should Be Present

    No Default Login on Application Administration Console

    Management should ensure that easy-to-guess and/or default passwords are not used. All passwords should comply with the organization's password complexity settings.

    Access to Application Server

    Management should consider restricting access to the management console options to a limited set of authorized users only.

    URL Redirection Not to Be Allowed Between Applications

    The application should allow redirection only to a whitelist of URLs. Management should also ensure that parameters are passed in an encrypted form instead of clear text, to prevent tampering.

    Insecure Cookie

    Management should consider enabling the HttpOnly flag for session cookies. Marking a cookie as HttpOnly provides an additional layer of protection against attacks by making the cookie unreadable to client-side scripts.
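    The redirect whitelist and HttpOnly items above can be checked from a deployment or smoke-test script. The functions below are an added example for this page, not code from the Apalya document; the allowlist hosts and cookie values are constructed inputs, and the script deliberately rejects protocol-relative, backslash, userinfo and port forms of a URL rather than only matching hostnames.

```shell
#!/bin/sh
# Added example for the URL-redirection and insecure-cookie items above; it is not
# part of the Apalya document. Both functions return 0 (pass) or 1 (fail) so they
# can gate a build or be called from a post-deploy smoke test.

# Pass when the Set-Cookie header value in $1 carries the HttpOnly attribute, e.g.
# "JSESSIONID=abc; Path=/; HttpOnly". Attribute names are case-insensitive.
cookie_has_httponly() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | grep -Eq ';[[:space:]]*httponly[[:space:]]*(;|$)'
}

# Pass when the redirect target $1 is a same-origin path or an https URL whose host
# is in the space-separated allowlist $2. Protocol-relative ("//host"), backslash,
# userinfo ("https://good@other") and port forms are rejected outright, because a
# browser resolves them differently from a naive "starts with" string comparison.
redirect_allowed() {
    url=$1; allow=$2
    case $url in
        //*|/\\*)  return 1 ;;           # protocol-relative or backslash variant
        /*)        return 0 ;;           # absolute path on the same origin
        https://*) ;;                    # fall through to the host check
        *)         return 1 ;;           # http://, other schemes, relative paths
    esac
    authority=${url#https://}
    authority=${authority%%/*}; authority=${authority%%\?*}; authority=${authority%%\#*}
    case $authority in *@*|*:*|'') return 1 ;; esac
    host=$(printf '%s' "$authority" | tr 'A-Z' 'a-z')
    for h in $allow; do
        [ "$host" = "$h" ] && return 0
    done
    return 1
}
```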

    Login Banner

    Team should ensure that every user who logs in is subject to the login policy and is shown the login banner on logging in to the server.

    Management should critically review the requirement for these accounts. If not required, these accounts should be disabled. The following steps are recommended:
    - removing the unused accounts;
    - creating additional accounts for the administrators;
    - providing all the accounts with appropriate descriptions;
    - setting an expiry value for each account.


    Securing the Default JBoss Landing Page:

    For JBoss 4.x:
    - Go to $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/ROOT.war/
    - Rename index.html to .html
    - Create a new index.html and add HTML that displays: Unauthorized Access

    For JBoss 5.x:
    - Go to $JBOSS_HOME/server/default/deploy/ROOT.war/
    - Rename index.html to .html
    - Create a new index.html and add HTML that displays: Unauthorized Access

    No Default Login to MySQL, JBoss and PHP

    Team should ensure that MySQL, JBoss and PHP applications are not installed with the default login and password, and that they are secured as per the application security policies.

    Authentication on Streaming Servers

    Team should ensure that an authentication module is in place at both the client and the streaming server, to secure streaming.

    Firewall Policies

    Team should ensure that India CDN-level policies and port-level policies are defined for both inbound and outbound traffic.