Institutions typically use commercial off-the-shelf (COTS) software for operating systems and applications, on such diverse platforms as network infrastructure, servers, desktops, laptops, and mobile devices. COTS systems generally provide more functions than are required for the specific purposes for which they are employed. A default installation of a server operating system may include mail, web, and file-sharing services on a system that does not require those functions. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as they would operational software and services. Protection against those risks begins when the systems are constructed and software installed through a process that is referred to as hardening a system.
Management should consult operating system and software vendor-recommended security controls. When deploying COTS applications and systems, management should harden the resulting applications and systems. Hardening can include the following actions:
- Determining the purpose of the applications and systems and documenting minimum software and hardware requirements and services to be included.
- Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure.
- Installing necessary patches.
- Installing the most secure and up-to-date versions of applications.
- Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user (i.e., enforcing the principle of least privilege).
- Configuring security settings as appropriate, enabling allowed activity, and prohibiting non-approved activities.
- Enabling logging.
- Creating cryptographic hashesA hash is a fixed-length cryptographic output of variables, such as a message, being operated on by a formula or cryptographic algorithm. of key files.
- Archiving the configuration and checksumsA checksum is a simple error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message, which allows the receiver to verify the accuracy of the message. in secure storage before system deployment.
- Using secure replication procedures for additional, identically configured systems and making configuration changes on a case-by-case basis.
- Changing all default passwords.
- Testing the system to ensure a secure configuration.
Additionally, the systems should be audited periodically to ensure that the hardware, software, and services are authorized and properly configured.
II.C.10(a) Configuration Management
II.C.10(c) Standard Builds