Monday, February 6, 2017

Tech-Sec Guideline: Safe defaults and Hardening

Guideline: Safe defaults and Hardening

Part of: Technology Security Guidelines
Overview: Building a set of Guidelines for Security and Privacy

Everything should have a secure default, so that access and functionality are always granted explicitly instead of implicitly. Functionality and features should always be disabled or uninstalled whenever they are not needed for the system or component to operate according to the needs of business or IT. Any security features that are already present should be enabled whenever possible.

Hardening is much the same, although there are some differences. Hardening is about making the software, system or other components as hard to attack as possible. Everything that is disabled or uninstalled is something that you don't have to worry about. It is a process in which, for instance, an Operating System is configured in such a way that weaknesses are limited wherever possible. In the case of Microsoft Windows Server, think about configuring the registry to disable weak ciphers and disabling the FTP service.

It is also about enabling (or at least not disabling) security features that are built into the software or system. Again, in the case of Microsoft Windows Server, think about leaving the Local Firewall on and configuring it, instead of disabling the service. The result should be a piece of software or a system that utilizes all of its security features while disabling all unused features, to reduce the attack surface that accompanies the software or system.

Safe defaults follow, in essence, the same principle as hardening, but there is a small difference. Where hardening is done after the creation of the software or system, safe defaults are all about pre-configuring. It is the same process as hardening, but everything is automated and deployed beforehand. Wherever possible, hardening should be a step in creating safe defaults for a piece of software or system. When a new Virtual Server is being deployed, all hardening steps should be automated as far as possible, depending on the needs of the Virtual Server.
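As an added example (not part of the original guideline), the three Windows Server hardening steps mentioned above can be combined into one idempotent PowerShell baseline that runs at deployment time, with an audit mode for checking drift afterwards. The list of weak ciphers, the service name `FTPSVC` (the IIS FTP service) and the `-AuditOnly` switch are assumptions chosen for illustration; adapt them to your own baseline.

```powershell
#Requires -RunAsAdministrator
# Added example: deploy-time hardening baseline. Not code from the original post.
param([switch]$AuditOnly)   # hypothetical switch: report drift without changing anything

# Assumed list of weak SCHANNEL ciphers; adjust to your own baseline.
$WeakCiphers = 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
$CipherRoot  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$findings    = @()

# 1. Disable weak ciphers in the registry. The key names contain '/', which the
#    PowerShell registry provider treats as a path separator, so use the .NET API.
foreach ($cipher in $WeakCiphers) {
    $key     = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CipherRoot\$cipher")
    $enabled = if ($key) { $key.GetValue('Enabled') } else { $null }
    if ($key) { $key.Close() }
    if ($enabled -ne 0) {                       # missing value means "not explicitly disabled"
        $findings += "Cipher '$cipher' is not explicitly disabled"
        if (-not $AuditOnly) {
            $w = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$CipherRoot\$cipher")
            $w.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $w.Close()                          # SCHANNEL changes apply after a reboot
        }
    }
}

# 2. Disable the FTP service if it is installed (service name is an assumption).
$ftp = Get-Service -Name 'FTPSVC' -ErrorAction SilentlyContinue
if ($ftp -and ($ftp.Status -ne 'Stopped' -or $ftp.StartType -ne 'Disabled')) {
    $findings += 'FTP service is installed and not disabled'
    if (-not $AuditOnly) {
        Stop-Service -Name 'FTPSVC' -Force
        Set-Service  -Name 'FTPSVC' -StartupType Disabled
    }
}

# 3. Keep the local firewall on for every profile instead of disabling it.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
foreach ($p in $off) { $findings += "Firewall profile '$($p.Name)' is not enabled" }
if ($off -and -not $AuditOnly) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
}

# Report what deviated from the baseline; a non-zero exit marks drift in audit mode.
$findings | ForEach-Object { Write-Output $_ }
if ($AuditOnly -and $findings.Count -gt 0) { exit 1 }
```

Run without arguments from the image build or provisioning step to apply the baseline, and with `-AuditOnly` on a schedule to detect servers that have drifted from it.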

More information from Wikipedia about Environment Hardening.


