Adopting CIS Level 1 Hardening Standards for Maximum Protection
The adoption of best practice hardening standards is an inexpensive, yet often overlooked measure that can be taken to optimize security on both workstations and servers. At Sandbox Technologies, trained security professionals are equipped with proprietary Group Policy Objects (GPO’s) for automating the implementation of over 1,000 settings used by CIS and the United States Department of Defense.
For optimal device security, businesses should consider incorporating hardening practices into their routine deployments.
Simply stated, device hardening is the application of configuration settings, the disabling of non-essential services, and the implementation of best practice security controls. The purpose of device hardening is to aggressively eliminate or mitigate potential threat vectors that could be used to compromise a machine.
The Center for Internet Security (CIS) publishes an extensive list of device hardening standards recommended for computer workstations and servers. Settings may vary from one device to another based on factors including the device’s operating system and it purpose (e.g., server or workstation)
Examples of hardening include the disabling of unused protocols, the removal of local administrative capabilities (e.g., disallowing the installation of software by the device’s user) and restricting the way in which physical ports can be used. (For example, if a user’s job responsibilities do not require the ability to routinely copy company data to external media, USB ports can be restricted to disallow the use of removable media, while still permitting the use of keyboards, printers, etc.
General steps required to implement device hardening standards for an organization include:
- Identification of target computers (i.e., the computer workstations and servers to be hardened).
- Documenting each device’s operating system, business purpose, and essential software installed.
- Drafting an action plan outline to include any necessary exclusions for particular devices.
- Meeting with the organization’s designated IT contact/approver to present action plan outline, discuss caveats, note revisions and obtain authorization to proceed.
- Edit GPO’s to reflect necessary alterations.
- Deploy GPO’s and confirm successful deployment.
- Follow up with users and organizational management to identify and implement any additional changes required.