Database, OS, Applications and Server; Infra Hardening Guidelines

Linkedin 13-01-2022

Attack resistance and regulatory compliance can only be achieved by hardening the IT infrastructure. Computer systems and websites are constantly targeted by hackers using a variety of cyber-attack methods. As cyber-attacks continue to evolve, information systems, particularly servers, must be hardened. Hardening is requested by security teams, but IT Ops are more likely to implement it. If you're in charge of a hardening operation, learn how to automate it.

A server hardening process can be a pain in the neck. If you're reading this, you've probably already figured it out. Despite all of the time, effort, and money put into it, this process frequently results in a production meltdown. Using Extreme Compute, you can harden your servers. EC Cloud's ability to learn your network eliminates the need for lab testing and ensures that there is no downtime in your production environment. It is possible to implement your policies on production efficiently through EC Cloud.

Hardening of the major infrastructure layers

Activities are classified into Database, OS, Application and Server Hardening. 

Generally, security is not taken into account in the design of operating systems, servers, applications, or databases. Because the defaults are easier to use, these data assets are more vulnerable to security threats.

Businesses around the world employ the following methods to strengthen their products:

Steps to Take while Hardening a Server
Server hardening is the practice of enhancing the security of a server by taking practical steps. Here is a list of high-level server hardening measures that are recommended by the CIS benchmarks. Caution: Never use a hardening impact analysis tool to establish or test hardening procedures in production.

  • Installing IIS on a domain controller is not recommended.
  • Apply post-service-pack security hotfixes.
  • Only install apps on the server if they are absolutely necessary. It's not necessary for the server to run e-mail clients, productivity tools, or utilities.
  • Give the server separate network interfaces: a pair for the production network and a third dedicated to management.
  • Harden the operating system and applications layers
  • Use the server's internal firewall. Linux IPtables, AppArmor, and Windows Firewall
  • The use of insecure protocols, especially those that transmit credentials in plain text, should be avoided.
  • Make a copy of your data at all times.
  • Partitioning with security in mind.
  • When hosting multiple applications, make sure each one has its own account.
  • Web content directories should never be edited by their users.
  • Remove administrative shares that are no longer used.
  • Keep an eye out for failed login attempts, and lock the account after a set number of failures.
  • Do not rename the guest account, even though it is disabled.
  • The local administrator account should be locked.
  • Enforce strict password and account policies on the server.
  • Do not share accounts between users and administrators.
  • If you don't need them, turn off FTP, SMTP, NNTP, and Telnet.
  • Set up URLScan.
  • Non-public or internal-only sites should use authentication to prevent unauthorised access.
  • Anomalies in the web server logs should be investigated on a regular basis. Unusual requests for URLs typically indicate an attempt to exploit vulnerabilities in outdated or unpatched web servers.
  • Routers and other networking devices forward traffic by Internet Protocol (IP) address; DNS translates human-friendly destination names (such as a website URL) into those addresses. Make sure the DNS software the server relies on is kept updated and validated.
  • Restrict access to the DNS server by blocking port 53 or limiting access to a defined set of external systems.
  • When working with anonymous FTP accounts, extreme caution must be exercised.
  • Use Secure FTP for authenticated FTP so that the login and password credentials are not sent in clear text.
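Three items from the list above (avoiding plaintext-credential protocols, locking accounts after repeated failed logins, and reviewing web server logs for unusual URL requests) can be audited from captured data. The following is an added example, not code from the article or from Extreme Compute; the listener table, sshd log lines and access-log lines are constructed samples, and the lockout threshold of 5 is an assumed policy value.

```python
import re
from collections import Counter

# Ports of protocols that send credentials in clear text (FTP, Telnet, SMTP, NNTP).
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 119: "nntp"}
LOCKOUT_THRESHOLD = 5  # assumed policy: lock the account after 5 failed logins

# Constructed samples in the layout of `ss -tln`, sshd auth-log lines and a combined access log.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
LISTEN 0      100    127.0.0.1:25      0.0.0.0:*
LISTEN 0      511    [::]:443          [::]:*"""
SAMPLE_AUTH = "\n".join(
    f"Jan 13 10:01:{i:02d} web1 sshd[91{i}]: Failed password for root from 203.0.113.7 port 510{i} ssh2"
    for i in range(5)) + "\nJan 13 10:02:00 web1 sshd[920]: Failed password for invalid user admin from 203.0.113.7 port 5110 ssh2"
SAMPLE_ACCESS = """198.51.100.4 - - [13/Jan/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [13/Jan/2022:10:03:05 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.1" 404 0
198.51.100.9 - - [13/Jan/2022:10:03:06 +0000] "GET /download?file=report.pdf%00.txt HTTP/1.1" 404 0"""

def insecure_listeners(ss_output):
    """Return (port, service) for listening sockets on plaintext-credential ports."""
    found = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        port = int(cols[3].rsplit(":", 1)[1])        # handles 0.0.0.0:23 and [::]:443
        if port in PLAINTEXT_PORTS:
            found.append((port, PLAINTEXT_PORTS[port]))
    return found

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def accounts_to_lock(auth_log, threshold=LOCKOUT_THRESHOLD):
    """Return accounts whose failed-login count has reached the lockout threshold."""
    fails = Counter(m.group(1) for m in map(FAIL_RE.search, auth_log.splitlines()) if m)
    return sorted(user for user, n in fails.items() if n >= threshold)

# Request paths that legitimate clients of a web site normally never send.
SUSPICIOUS_URL = re.compile(r"(\.\./|%2e%2e|%00|/etc/passwd|cmd\.exe|<script)", re.I)
REQ_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def anomalous_requests(access_log):
    """Return (client_ip, path) for access-log lines whose request path matches a suspicious pattern."""
    hits = []
    for line in access_log.splitlines():
        m = REQ_RE.match(line)
        if m and SUSPICIOUS_URL.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

On the samples, the telnet and SMTP listeners are flagged, `root` reaches the lockout threshold, and the two probing requests from 198.51.100.9 are reported for investigation.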
Hardening of Applications
Hardening an application protects it from both on-site and remote attacks. Applications are hardened by removing unused features and components, restricting access, and keeping patches applied, while making sure the application remains available to its users. Application hardening guidelines that have stood the test of time are:

  • All third-party applications should have their vendor fixes applied immediately.
  • Remove all sample files from IIS for added security. Web page designers can use these files as a guide to help them create their own web pages, but the sample files contain numerous holes and flaws and should never be present on a live web server.
  • It is necessary to delete both the virtual and physical directories to remove the IIS sample application. C:\Inetpub\IISsample is a virtual directory for IIS samples, for example.
  • The next step in securing IIS is to configure the web server's files and directories with the proper permissions (ACLs).
  • The use of insecure protocols, especially those that transmit credentials in plain text, should be avoided.
  • Enable Secure Socket Layer (SSL) on the web server.
  • Install a web application firewall (WAF) for your website.
  • Avoid using outdated network device firmware versions.
  • Make sure to keep an eye out for software security alerts.
  • Use checksums and cryptography where appropriate.
  • Integrate all of your apps, databases, and systems into a single Active Directory login. PKI, Kerberos, and advanced encryption are all part of this package.

Recommendations for Hardening Databases
Databases hold sensitive information. Businesses can be harmed by incorrect or lost data, and databases can be used as attack points. Here are a few tried-and-true tips for making your database more secure:

  • Set a TNS Listener password (stored in encrypted form) to protect the TNS Listener against unauthorised administration.
  • Disable remote administration by enabling Admin Restrictions.
  • Disallow all connections to the database server except for those from the designated host(s).
  • If you don't need the XML Database, turn it off.
  • Any unnecessary external processes should be disabled.
  • Encrypt network traffic with EC Cloud network solutions.
  • Lock out unused accounts.
  • Establish a set of guidelines for the creation of usernames.
  • Create a password policy.
  • Organize access rights according to user roles.
  • Remove any permissions that are no longer needed from the system.
  • Data protection can be enabled to restrict access to sensitive tables.
  • Make PL/SQL coding more uniform.
  • Every so often, check the security of your database.
  • Null sessions (anonymous logons) should be turned off.
  • All critical database patches should be applied as soon as they are released by the vendor.

Recommendations for OS Hardening
By turning off non-essential features while leaving the essential ones enabled, operating systems can be made more resistant to cyberattacks. Hardening your computer's operating system is an essential part of computer security.

  • Maintain the most up-to-date and secure operating systems possible.
  • Update the operating system with the most recent Service Pack.
  • Remove unnecessary drivers from your system.
  • No more than two Administrator accounts are allowed.
  • Annually disable or delete all inactive accounts.
  • Unused services should be turned off.
  • Make use of Audit Logs to keep track of unauthorised activity, such as failed login attempts and the use of elevated privileges.
  • Secure the CMOS/BIOS configuration.
  • Use ACLs and file permissions to protect files and directories.
  • Disk encryption: encrypt all disk partitions (NTFS in the case of Windows).
  • Configure the operating system to keep a log of all operations, warnings, and errors.
  • Partitioning with security in mind.
  • Restrict NTFS file system and Registry permissions.
  • NTFS security features can be used to set access control permissions for file-sharing.
  • Disable any file sharing that isn't being used.
  • Prevent the creation of any new administrative accounts or passwords.
  • Run services under accounts with the least access required.
  • Maintaining secure access to your accounts is essential.

Conclusion
Every new attack on a business's networked information system raises new questions about its security against today's dynamic cyber-attacks. Continuous hardening of systems keeps information security configurations regularly evaluated and minimises the attack surface of businesses. When done correctly, hardening can improve the resiliency of an organization's current cyber-security environment. Because of this, companies should conduct Vulnerability Analysis and Penetration Testing on a regular basis to ensure that their systems are secure. This allows them to reduce the frequency and cost of system failures. Learn more on how to conduct VAPT in your existing environment.