System Hardening

IT services run in their own virtual environments, vulnerabilities in one service cannot give access to other services. This includes no multiple websites on the same webserver unless they share the same Security Capability Level and purpose, the same applies to databases between different services.

Services run under their own account with minimal necessary privileges . Only necessary services run on production servers, and are only accessible to necessary interfaces using Host-based Firewalls. All services are maintained and kept up-to-date. For each running service on servers, hardening guides are followed and deviations from hardening guides due to business requirements are documented.Local Firewall rules limit service traffic to ports filtered as restrictive as possible.

Default Passwords on any piece of hardware or software are changed before deployment.

Applications and services are configured to not display information that is unnecessary. Functionality is designed and configured to prevent enumeration of information.

IT systems have standard configurations that follow recommended hardening guidelines. Before new systems are taken into production, the systems are tested for adhering to the hardening guidelines. The standard images are tested for security vulnerabilities during regular vulnerability management process and are updated accordingly. Systems are periodically checked against the hardening baseline, preferably automatically.

Document a security configuration baseline for the system based on current best practices from vendors and desired functionality. The baseline must be updated at least annually. Use this baseline for all new and recovered systems.