Device Auditing and Hardening

The best way to understand what device hardening and how to do it, is to follow CIS Benchmarks. This organization has developed standards for hardening different operating systems and applications to a proper level in an enterprise environment. Not only do they have step by step walk-troughs of what to look for and how to do it, they also have scripts that can check and even automate the hardening for you. As a security analyst of any level or specialty, learning the available configuration based vulnerabilities of the platforms you work with on a daily basis, is one of the most valuable things you can do to improve you skillset.

AuditScripts is another great set of tools that can perform configuration hardening audits based on different requirements, including the choice of those defined by CIS.

Security Auditing Tools

• Auditing toolkits

  • Lynis (Linux Security Auditing) - Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an in-depth security scan and runs on the system itself.

  • Seatbelt (Windows Security Auditing) - Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

  • BTPS: Blue team Powershell Toolkit - A collection of PowerShell tools that can be utilized to protect defend an environment based Microsoft's recommendations.

• Bloodhound Enterprise - Enterprise grade attack path management solution

• Purple Knight - An enterprise grade Active Directory Defense solution with AD mapping, security reports, security indicators and remediation guides.

• debsums - Utility for checking installed debian packages and comparing that hashes against a list of known good ones. Handy to run every once

• PSPKIAudit - PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).

• WDACTools - A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies

• CSET - The Cyber Security Evaluation Tool (CSET®) is a stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating Operational Technology and Information Technology.

Hardening Tools

• Microsoft Attack Surface Analyzer - Attack Surface Analyzer is a Microsoft developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.

• OSChameleon - OS Fingerprint Obfuscation for modern Linux Kernels.

  • https://adhdproject.github.io/#!Tools/Annoyance/OsChameleon.md

• Portspoof - A tool for confusing port scanners by returning false port information.

  • https://www.blackhillsinfosec.com/how-to-use-portspoof-cyber-deception/

• HardenTools - a collection of simple utilities designed to disable a number of "features" exposed by operating systems (Microsoft Windows, for now), and primary consumer applications.

• atc-mitigation - Actionable analytics designed to combat threats based on MITRE's ATT&CK.

• https://www.oo-software.com/en/shutup10 - Free anti-spy and telemetry logging tool for Windows 10 and 11

• Google's Browser Info Checker - Checks what info you might be sharing to others through your browser. Requires Javascript.

• Googe's MXChecker - Checks for common MX domain security settings.

• cs-php-bouncer - This bouncer leverages the PHP auto_preprend mechanism.

  New/unknown IP are checked against crowdsec API, and if request should be blocked, a 403 or a captcha can be returned to the user, and put in cache.

• dev-sec - Security + DevOps: Automatic Server Hardening.

• grapheneX - Automated System Hardening Framework

• Legit-Labs/legitify - Detect and remediate misconfigurations and security risks across all your GitHub assets

• https://github.com/cisagov/ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines

Linux

• https://wiki.ubuntu.com/AppArmor - proactively protects the operating system and applications from external or internal threats.

• https://github.com/SELinuxProject - provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel.

Apache Web Server

• mod_evasive - mod_evasive module is an Apache web services module that helps your server stay running in the event of a DDOS or Brute Force attack.

  • https://phoenixnap.com/kb/apache-mod-evasive

• ModSecurity-apache - ModSecurity is a plug-in module for Apache that works like a firewall. It functions through rule sets, which allow you to customize and configure your server security.

  • https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache

Hardening Resources

• Awesome Lists Collection: Security Hardening

• Awesome Lists Collection: Windows Domain Hardening

• https://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx

• Developing a Secure Baseline

• OWASP Cryptographic Storage Cheatsheet - Guide and Reference for best standards for encrypting stored data.

• https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

• NSA's Secure Windows baseline

• https://www.securedyou.com/how-to-secure-linux-server-from-hackers-hardening-guide/

• NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDANCE_20220301.PDF

• https://admx.help/ - Group Policy Administrative Templates Catalog

• Defensive Securit Handbook: Microsoft Windows Infrastructure - pg. 81

• Defensive Securit Handbook: Hardening Endpoints - pg. 116

• Defensive Securit Handbook: Network Infrastructure - pg. 143

AD hardening

• Active Directory Security Assessment Checklist - CERT.FR

• Active Directory Certificate Services - An often overlooked tool that should come with most Microsoft licenses, use AD certificates to sign scripts and docs made in your environment, to easily detect what is foreign. Detections, alerts, and all the fancy security tools are completely worthless, if the devices you are trying to protect are not properly hardened against the onslaught of attacks they might face day to day. Most if not all devices and even applications, in their factory fresh state, are not properly hardened for use in an enterprise environment. Many features that you might appreciate as a convenience in your home network, are actually a major vulnerability in a large scale network deployed at your company.

  • Locksmith - A tool to identify and remediate common misconfigurations in Active Directory Certificate Services

    • https://www.hub.trimarcsecurity.com/post/wild-west-hackin-fest-toolshed-talk-locksmith

• Security Considerations for Domain Trusts - Microsoft

• Locking up your Domain Controllers - Microsoft

• Group Policies

  • Active Directory and Group Policy Guidelines

  • https://www.blackhillsinfosec.com/webcast-group-policies-that-kill-kill-chains

  • NIST Secure base set of GPOs

Certificate Pinning

• https://www.hasecuritysolutions.com/the-trusted-evil-intranet-page/

Email Defense Hardening

• https://www.cyber.gov.au/sites/default/files/2020-05/PROTECT%20-%20How%20to%20Combat%20Fake%20Emails%20%28September%202019%29.pdf

• https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf

• https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf

• https://www.m3aawg.org/sites/default/files/m3aawg-maliciousdomainregistratinos-2018-06.pdf

• https://www.m3aawg.org/sites/default/files/m3aawg-reporting-phishing-urls-2018-12.pdf

Hardening Commands

pageWindows Hardening Commands

Note: These may inadvertently break communication of devices and should be tested. It may also require a restart.