7/30/2019 Hardening Process 2
1/4
Apalya Production servers Hardening Process
Partition of HDD and RAM Size allocation as per Standard Size
Team should ensure that HDD partitioning and swap size allocation follow the standard sizes.
Named account with required access to their folders only
Team should ensure that only named accounts are present and that each account's access is limited to its own folders with the required permissions.
Application Installation:
Team should ensure that applications are installed in the allocated directory, not in the application's default directory.
No Root Login :
Team will ensure that there is no direct login as root, at both the user and the application level.
Anonymous FTP Access should be disabled
Management should ensure that anonymous access is disabled and that strong login credentials are used. For file transfer, a secure service such as SFTP should be used instead of a clear-text service such as FTP.
Strong Authentication Parameter
Management should ensure that easy-to-guess and/or Organization default passwords are not used. All passwords should comply with the Organization's password complexity settings.
No Presence of VNC /Remote Services
Management should critically review the requirement for VNC on the impacted servers and disable it if it is not required. If required, management should consider implementing an IP-based access list/filter to restrict and limit access to the VNC servers. Also, the VNC session should be tunnelled over SSH to secure it over a public network.
Clear Text Services should be disabled
Management should consider disabling the FTP service and, if file transfer is required, using SFTP, the secure alternative to clear-text FTP.
SU (Switch User) Privilege
Management should consider disabling 'ALL ALL = (ALL) ALL' in the sudoers configuration and allowing 'su' privilege only to root and/or admin users through a customized configuration in /etc/sudoers.
UMASK setting
We recommend configuring the umask for the root account to 077 (files accessible only by root) and for the other accounts to at least 027 (files writable only by the owning account).
SSH v1 should be disabled
Management should consider disabling support for version 1 of the SSH protocol and allowing only SSH version 2 instead. Change the configuration in /etc/sshd_config/.
Adequate Password Aging Parameters
Management should critically review the password parameter settings and implement appropriate values for them in compliance with the defined password policy.
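The following is an added example, not part of the Apalya document: a small POSIX shell audit script for the OS-level items of this checklist (no root login, the sudoers catch-all rule, umask, SSH v1 and password aging). It reads each setting from a file path passed as an argument, so it can be pointed at the real sshd_config, sudoers and login.defs; the sample file contents, the 90-day password maximum and the required umask of 027 are constructed here so that it runs offline, and the function names are ours.

```shell
#!/bin/sh
# Added audit helpers for the OS-level checklist items (illustrative, not Apalya's tooling).
# Each check prints one PASS/FAIL line and always returns 0 so a batch run is not cut short.
set -eu

# Constructed, deliberately non-compliant sample configs so the script runs offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_config" <<'EOF'
# sample sshd_config (constructed)
Protocol 2,1
PermitRootLogin yes
EOF
cat > "$WORK/sudoers" <<'EOF'
# sample sudoers (constructed)
root    ALL=(ALL) ALL
ALL     ALL = (ALL) ALL
EOF
cat > "$WORK/login.defs" <<'EOF'
# sample login.defs (constructed)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
UMASK           022
EOF

# Last value of KEY in a "KEY value" style file; comments ignored, key match is case-insensitive.
cfg_value() {  # cfg_value FILE KEY
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

check_ssh_protocol() {  # FAIL if sshd still offers SSH protocol version 1
    v=$(cfg_value "$1" Protocol)
    case "$v" in
        ''|2) echo "PASS: sshd Protocol=${v:-2 (default)}" ;;
        *)    echo "FAIL: sshd Protocol=$v permits SSH v1" ;;
    esac
}

check_root_login() {  # FAIL unless PermitRootLogin is explicitly "no"
    v=$(cfg_value "$1" PermitRootLogin)
    if [ "$v" = no ]; then
        echo "PASS: PermitRootLogin=no"
    else
        echo "FAIL: PermitRootLogin=${v:-unset} allows root login over SSH"
    fi
}

check_sudoers() {  # FAIL if a catch-all "ALL ALL = (ALL) ALL" rule gives sudo to every user
    if grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL' "$1"; then
        echo "FAIL: sudoers grants ALL=(ALL) ALL to every user"
    else
        echo "PASS: no catch-all sudoers rule"
    fi
}

# PASS when MASK clears at least every permission bit that REQUIRED clears (both octal),
# so 077 satisfies a required 027 but 022 does not.
umask_ok() {  # umask_ok MASK REQUIRED
    if [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]; then echo PASS; else echo FAIL; fi
}

check_umask() {  # FAIL if the default UMASK in login.defs is more permissive than $2
    v=$(cfg_value "$1" UMASK)
    echo "$(umask_ok "${v:-022}" "$2"): default UMASK=${v:-022 (default)}, required at least $2"
}

check_pass_aging() {  # FAIL if PASS_MAX_DAYS exceeds the policy maximum given in $2
    max=$(cfg_value "$1" PASS_MAX_DAYS)
    if [ -n "$max" ] && [ "$max" -le "$2" ]; then
        echo "PASS: PASS_MAX_DAYS=$max"
    else
        echo "FAIL: PASS_MAX_DAYS=${max:-unset} exceeds the policy maximum of $2 days"
    fi
}

check_ssh_protocol "$WORK/sshd_config"
check_root_login   "$WORK/sshd_config"
check_sudoers      "$WORK/sudoers"
check_umask        "$WORK/login.defs" 027
check_pass_aging   "$WORK/login.defs" 90
```

The umask comparison is bitwise rather than numeric on purpose: a mask is compliant when it clears every bit the policy requires, which is why 077 passes a 027 requirement while 022 fails it. Note that login.defs only sets the default umask; per-account values from shell profiles still need to be checked separately.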
No Multiple Accounts should be Present
Management should critically review the requirement for these accounts. If not required, these accounts should be disabled. The following steps are recommended:
- remove the unused accounts;
- create additional accounts for the administrators;
- provide all the accounts with appropriate descriptions;
- set an expiry value for each account.
No Default Login on Application Administration Console
Management should ensure that easy-to-guess and/or default passwords are not used. All passwords should comply with the Organization's password complexity settings.
Access to application server
Management should consider restricting access to the management console options to a limited set of authorized users only.
URL Redirection should not be allowed between applications
The application should allow redirection only to a whitelist of URLs; management should also ensure that the parameters are passed in encrypted form instead of clear text to prevent tampering.
Insecure Cookie
Management should consider enabling the HttpOnly attribute for session cookies. Marking a cookie as HttpOnly provides an additional layer of protection by making the cookie unreadable by client-side scripts.
Login Banner
Team should ensure that every user who logs in is bound by the login policy and is shown the login banner details once logged in to the server.
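As an added example for the URL redirection and insecure cookie items above (illustrative helpers, not the application's own code), the following POSIX shell script shows the two checks an application or a reviewer would apply: a redirect target is accepted only when it is an on-site path or its host matches an allowlist entry exactly, and a Set-Cookie header is flagged when HttpOnly or Secure is missing. The allowlist hosts and the sample headers are constructed, and the function names are ours.

```shell
#!/bin/sh
# Added examples for the URL redirection and cookie items (not the application's code).
set -eu

ALLOWED_REDIRECT_HOSTS="www.example.com app.example.com"   # constructed allowlist

# Lowercased host of an absolute http(s) URL; empty for anything else (relative paths, other schemes).
url_host() {  # url_host URL
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -nE 's|^https?://([^/?#@]*@)?([^/:?#]+).*$|\2|p'
}

# allow|deny for a redirect target: same-site paths are allowed, protocol-relative URLs are not,
# and absolute URLs must match an allowlisted host exactly (no prefix or substring matching,
# which is what lets a look-alike host such as www.example.com.evil.test through).
redirect_allowed() {  # redirect_allowed TARGET
    case "$1" in
        //*) echo deny;  return 0 ;;   # "//host/..." would leave the site
        /*)  echo allow; return 0 ;;   # plain on-site path
    esac
    h=$(url_host "$1")
    for a in $ALLOWED_REDIRECT_HOSTS; do
        if [ -n "$h" ] && [ "$h" = "$a" ]; then
            echo allow; return 0
        fi
    done
    echo deny
}

# "ok" or "missing: <flags>" for one Set-Cookie header, checking the HttpOnly and Secure attributes.
cookie_flags() {  # cookie_flags "Set-Cookie: name=value; attr; attr"
    printf '%s\n' "$1" | awk -F';' '{
        ho = 0; sec = 0
        for (i = 2; i <= NF; i++) {            # field 1 is name=value; the rest are attributes
            a = tolower($i); gsub(/^[ \t]+|[ \t]+$/, "", a)
            if (a == "httponly") ho = 1
            if (a == "secure")   sec = 1
        }
        m = ""
        if (!ho)  m = m " HttpOnly"
        if (!sec) m = m " Secure"
        r = (m == "") ? "ok" : "missing:" m
        print r
    }'
}

# Constructed inputs: two redirect targets that should be allowed, two that should not,
# and a session cookie before and after the flags are set.
for t in /account 'https://www.example.com/home' 'https://www.example.com.evil.test/' '//evil.test/'; do
    printf '%-40s %s\n' "$t" "$(redirect_allowed "$t")"
done
for c in 'Set-Cookie: JSESSIONID=abc123; Path=/' 'Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure'; do
    printf '%-60s %s\n' "$c" "$(cookie_flags "$c")"
done
```

The Secure attribute is checked alongside HttpOnly because a session cookie that is only HttpOnly can still be sent over clear-text HTTP, which is the same clear-text exposure the checklist asks to remove elsewhere.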
Securing default JBoss Landing page:
For JBoss 4.x: go to $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/ROOT.war/, rename index.html to .html, then create a new index.html and add the following HTML code: Unauthorized Access
For JBoss 5.x: go to $JBOSS_HOME/server/default/deploy/ROOT.war/, rename index.html to .html, then create a new index.html and add the following HTML code: Unauthorized Access
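The two JBoss steps above, written out as an added shell example (not Apalya's script and not part of JBoss itself). It resolves the ROOT.war path for the 4.x and 5.x layouts named on the page, renames the stock index.html and writes a minimal "Unauthorized Access" page in its place. The page does not give the full target name for the renamed file, so the ".orig" suffix is our assumption, as is the "default" server profile; the script runs here against a constructed stand-in for $JBOSS_HOME.

```shell
#!/bin/sh
# Added example: replace the default JBoss ROOT.war landing page (not Apalya's own script).
set -eu

# ROOT.war directory for the two layouts named on the page; profile defaults to "default".
root_war_dir() {  # root_war_dir JBOSS_HOME MAJOR_VERSION(4|5) [PROFILE]
    profile=${3:-default}
    case "$2" in
        4) echo "$1/server/$profile/deploy/jbossweb-tomcat55.sar/ROOT.war" ;;
        5) echo "$1/server/$profile/deploy/ROOT.war" ;;
        *) echo "unsupported JBoss major version: $2" >&2; return 1 ;;
    esac
}

# Rename the stock index.html and write the replacement page; prints the new file's path.
secure_landing_page() {  # secure_landing_page ROOT_WAR_DIR
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # The ".orig" suffix is an assumption; the page only says the stock file is renamed.
    if [ -f "$dir/index.html" ]; then
        mv "$dir/index.html" "$dir/index.html.orig"
    fi
    cat > "$dir/index.html" <<'EOF'
<!DOCTYPE html>
<html><head><title>Unauthorized Access</title></head>
<body><h1>Unauthorized Access</h1></body></html>
EOF
    chmod 0644 "$dir/index.html"
    echo "$dir/index.html"
}

# Constructed stand-in for $JBOSS_HOME so the example runs without a JBoss install.
JBOSS_HOME=$(mktemp -d)
trap 'rm -rf "$JBOSS_HOME"' EXIT
for v in 4 5; do
    d=$(root_war_dir "$JBOSS_HOME" "$v")
    mkdir -p "$d"
    echo '<html>Welcome to JBoss</html>' > "$d/index.html"   # stands in for the stock page
    secure_landing_page "$d"
done
```

Because anything left inside ROOT.war is still served by the container, the renamed original remains reachable under its new name; moving it out of the deploy directory instead of renaming it in place avoids that.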
No Default Login to MySQL and JBoss, PHP
Team should ensure that MySQL, JBoss and PHP applications are not installed with default login credentials and are secured as per the application security policies.
Authentication on streaming servers
Team should ensure that an authentication module is in place on both the client and the streaming server to secure streaming.
Firewall Policies
Team should ensure that India CDN-level policies and port-level policies are defined for both inbound and outbound traffic.