Device Auditing and Hardening
The best way to understand what device hardening is and how to do it is to follow the CIS Benchmarks. This organization has developed standards for hardening different operating systems and applications to a proper level in an enterprise environment. Not only do they have step-by-step walk-throughs of what to look for and how to do it, they also have scripts that can check and even automate the hardening for you. As a security analyst of any level or specialty, learning the configuration-based vulnerabilities of the platforms you work with on a daily basis is one of the most valuable things you can do to improve your skillset.
AuditScripts is another great set of tools that can perform configuration hardening audits based on different requirements, including those defined by CIS.
Security Auditing Tools
Auditing toolkits
Lynis (Linux Security Auditing) - Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an in-depth security scan and runs on the system itself.
Seatbelt (Windows Security Auditing) - Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
BTPS: Blue Team PowerShell Toolkit - A collection of PowerShell tools that can be used to protect and defend an environment based on Microsoft's recommendations.
BloodHound Enterprise - Enterprise-grade attack path management solution.
Purple Knight - An enterprise-grade Active Directory defense solution with AD mapping, security reports, security indicators and remediation guides.
debsums - Utility for checking installed Debian packages by comparing their file hashes against a list of known-good ones. Handy to run every once
PSPKIAudit - PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
WDACTools - A PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies.
CSET - The Cyber Security Evaluation Tool (CSET®) is a stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating their Operational Technology and Information Technology.
Hardening Tools
Microsoft Attack Surface Analyzer - Attack Surface Analyzer is a Microsoft-developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced by software installation or system misconfiguration.
OSChameleon - OS Fingerprint Obfuscation for modern Linux Kernels.
Portspoof - A tool for confusing port scanners by returning false port information.
HardenTools - A collection of simple utilities designed to disable a number of "features" exposed by operating systems (Microsoft Windows, for now) and primary consumer applications.
atc-mitigation - Actionable analytics designed to combat threats based on MITRE's ATT&CK.
https://www.oo-software.com/en/shutup10 - Free anti-spy and telemetry-logging control tool for Windows 10 and 11.
Google's Browser Info Checker - Checks what information you might be sharing with others through your browser. Requires JavaScript.
Google's MXChecker - Checks for common MX domain security settings.
cs-php-bouncer - This bouncer leverages the PHP auto_prepend mechanism. New/unknown IPs are checked against the CrowdSec API, and if the request should be blocked, a 403 or a captcha can be returned to the user and the decision cached.
dev-sec - Security + DevOps: automatic server hardening.
grapheneX - Automated system hardening framework.
Legit-Labs/legitify - Detect and remediate misconfigurations and security risks across all your GitHub assets.
https://github.com/cisagov/ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines.
Linux
https://wiki.ubuntu.com/AppArmor - AppArmor proactively protects the operating system and applications from external or internal threats.
https://github.com/SELinuxProject - SELinux provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel.
Apache Web Server
mod_evasive - mod_evasive is an Apache module that helps your server stay running in the event of a DDoS or brute-force attack.
ModSecurity-apache - ModSecurity is a plug-in module for Apache that works like a web application firewall. It functions through rule sets, which allow you to customize and configure your server security.
Hardening Resources
OWASP Cryptographic Storage Cheat Sheet - Guide and reference for best practices when encrypting stored data.
https://admx.help/ - Group Policy Administrative Templates Catalog.
Defensive Security Handbook: Microsoft Windows Infrastructure - pg. 81
Defensive Security Handbook: Hardening Endpoints - pg. 116
Defensive Security Handbook: Network Infrastructure - pg. 143
AD hardening
Active Directory Certificate Services - An often overlooked tool that should come with most Microsoft licenses. Use AD certificates to sign the scripts and documents made in your environment, so that anything foreign is easy to detect.

Detections, alerts, and all the fancy security tools are completely worthless if the devices you are trying to protect are not properly hardened against the onslaught of attacks they might face day to day. Most, if not all, devices and even applications, in their factory-fresh state, are not properly hardened for use in an enterprise environment. Many features that you might appreciate as a convenience in your home network are actually a major vulnerability in a large-scale network deployed at your company.
Locksmith - A tool to identify and remediate common misconfigurations in Active Directory Certificate Services.
Certificate Pinning
Email Defense Hardening
Hardening Commands
Windows Hardening Commands - Note: These may inadvertently break communication between devices and should be tested first. A restart may also be required.