Secure Configuration Good Practice Guide
Author: A Heathcote Date: 22/05/2017 Version: 1.0
Copyright © 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.
Secure Configuration
Contents
1 Purpose ... 3
2 Scope ... 3
3 Applicability ... 3
4 Guidance ... 3
4.1 General Approach ... 3
4.2 Least Privilege ... 4
4.3 Baseline Configuration ... 5
4.3.1 Baseline Security Configurations – IT and Network Systems ... 6
4.3.2 Protective Monitoring ... 7
4.3.3 Secure State Booting ... 7
4.4 Host System Lockdown ... 7
4.5 Operating System Lockdown ... 9
5 Further Reading and Advice ... 10
6 Key Words ... 10
1 Purpose
The purpose of the Secure Configuration Good Practice Guide (GPG) is to provide guidance on how IT systems (hardware and software) should be securely configured to maximise the protection of the confidentiality, integrity and availability of the data processed. This guidance will enable the organisation to have mechanisms and processes to:
• Implement the concept of least privilege.
• Implement a baseline configuration.
• Lock down host systems.
• Lock down operating systems.
2 Scope
The Secure Configuration GPG relates to all IT systems storing, processing and transmitting NHS and other UK Government information.
3 Applicability
The Secure Configuration GPG is applicable to and designed for use by any NHS, health and social care or associated organisations that use or have access to NHS systems and/or information at any level.
4 Guidance
The Secure Configuration GPG supplements the Example Policy on producing a Secure Configuration Policy and provides greater detail on how the policy requirements can be achieved. It is not prescriptive, and it is recognised that different organisations will require different levels of management. This GPG provides the minimum that should be considered; the guidance should be scaled according to the size of the organisation. For smaller organisations the GPG may be used to drive contractual requirements or to work with any third party provider to ensure the provided IT systems are securely configured to maximise the protection of data and information. For smaller organisations it may be prudent to use an independent specialist provider to assess and advise on the secure configuration requirements before discussing them with any third party IT provider.
4.1 General Approach
• The secure configuration of an organisation’s IT systems, services and operating systems (including applications) is as important as having the correct applications (business tools) for the organisation’s role and business. If an IT system (hardware or software) is not securely configured, the number of vulnerabilities increases, and with it the opportunities for successful attacks on the systems, which could result in:
  • Compromise of the data’s/information’s confidentiality – information/data breaches, unauthorised disclosures, loss of or unauthorised viewing.
  • Compromise of the data’s/information’s integrity – unauthorised modification of the information/data.
  • Compromise of the data’s/information’s availability – disruption and denial of service attacks.
  • Reputational damage – loss of public confidence in the NHS or Health & Social Care’s ability to secure patient information.
• IT systems that are not securely configured and effectively managed will be vulnerable to attacks that may have been preventable.
• Therefore, all systems should be configured as securely as possible whilst still enabling the functionality and access of users to be at the level that is required; i.e. the secure configuration should not inhibit the ability of the organisation to undertake its role.
• There are 4 core elements to implementing secure configurations of IT systems within an organisation; these are:
  • Applying the principle of least privilege.
  • Identifying and implementing a baseline configuration across the organisation’s IT systems.
  • Locking down the host systems (hardware – servers and clients).
  • Locking down the operating system, and where applicable the applications/software running on the operating system.
The secure configuration approach aims to:
• Prevent the introduction of unauthorised applications/software or malicious code.
• Limit the ability for the unauthorised export of data onto peripheral devices or removable media.
• Ensure least privilege of access to services and applications.
• Improve the efficiency and accuracy of patching and update services.
This GPG provides guidance and, where applicable, examples on implementing secure configuration for IT systems. However, the referenced supporting documents and technical documents (NCSC guidance and vendor issued) relevant to the IT (hardware and software) used by the organisation will also need to be used to fully implement the required secure configuration position.
4.2 Least Privilege
• Least privilege can be defined as the practice of limiting access to the minimal level that will allow normal functioning. Applied to IT users, the principle of least privilege translates to giving people the lowest level of user access rights and permissions that they can have and still do their role.
• Access to IT systems should be on the basis of least privilege, and this applies to administrator and user access to:
  • Hardware – servers and workstations, laptops and tablets.
  • Software – operating systems and applications.
  • Data.
  • Network configurations.
  • Protocols.
  • Security features – e.g. anti-virus, intrusion detection systems, firewalls, switches and routers.
Organisations should determine what rights and privileges users need to effectively perform their duties using the policy of 'least privilege'. This should consider:
• Establishing effective account management processes – manage user accounts from creation, through life and eventually revocation when a member of staff leaves or changes role. Redundant accounts, perhaps provided for temporary staff or for testing, should be removed or suspended when no longer required.
• Establishing policies and standards for user authentication and access control – an organisation wide password policy should be developed, using the NHS GPG on Passwords. For some accounts an additional authentication factor (such as a token) to enable 2-factor authentication may be appropriate.
• Limit user privileges – users should be provided with the reasonable minimum rights and permissions to systems, services and information that they need to fulfil their business role.
• Limit the number and use of privileged accounts – strictly control the granting of highly privileged system rights and review the ongoing need regularly. Highly privileged administrative accounts should not be used for high risk or day to day user activities, for example web browsing and email. Administrators should use normal accounts for standard business use.
• Monitor users – monitor user activity, particularly access to sensitive information and the use of privileged account actions. Respond where activities are outside of normal, expected bounds (such as access to large amounts of sensitive information outside of standard working hours).
• Limit access to the audit system and the system activity logs – activity logs from network devices should be sent to a dedicated accounting and audit system that is separated from the core network. Access to the audit system and the logs should be strictly controlled to preserve the integrity of the content, and all privileged user access should be recorded.
• Educate users and maintain their awareness – all users should be aware of the policy regarding acceptable account usage in accordance with the organisation’s Acceptable Use Policy and their personal responsibility to adhere to the organisation’s security policies.
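The two monitoring conditions named above (bulk access to sensitive information outside working hours, and privileged accounts used for day-to-day activities such as web browsing or email) can be checked mechanically against an audit feed. The following is an added example written for this guide, not NHS Digital's own code or a reference to any particular audit product: the log layout, the working-hours window, the 500-record threshold and the `adm-` naming convention for privileged accounts are all assumptions constructed for the illustration and would be replaced by the organisation's own audit format and policy values.

```python
"""User activity monitoring for least privilege (added example, not from the GPG)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit records: "<timestamp> <account> <action> <target> <records>".
# Real audit formats differ; the parser below is written for this constructed layout.
SAMPLE_AUDIT_LOG = """\
2017-05-22T09:15:02 jsmith READ patient_records 12
2017-05-22T23:40:11 jsmith READ patient_records 850
2017-05-22T10:02:45 adm-rlee READ patient_records 5
2017-05-22T11:30:00 adm-rlee WEB www.example.org 0
2017-05-22T12:05:13 adm-rlee EMAIL mail.example.org 0
2017-05-23T02:15:44 tbrown READ patient_records 600
2017-05-23T14:00:00 tbrown READ patient_records 3000
"""

# Assumed organisational parameters; tune to the organisation's own working pattern.
WORK_START = time(8, 0)
WORK_END = time(18, 0)
OFF_HOURS_RECORD_THRESHOLD = 500  # records per account per day outside working hours
PRIVILEGED_PREFIX = "adm-"        # assumed naming convention for privileged accounts
DAY_TO_DAY_ACTIONS = {"WEB", "EMAIL"}


def parse_audit_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, target, count = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "action": action,
            "target": target,
            "count": int(count),
        })
    return events


def is_off_hours(dt):
    """True when the timestamp falls outside the assumed working window."""
    return not (WORK_START <= dt.time() < WORK_END)


def find_off_hours_bulk_access(events, threshold=OFF_HOURS_RECORD_THRESHOLD):
    """Sum sensitive-record reads per (account, day) outside working hours and
    return those at or above the threshold as (account, day, records)."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "READ" and is_off_hours(e["time"]):
            totals[(e["account"], e["time"].date().isoformat())] += e["count"]
    return sorted((acct, day, n) for (acct, day), n in totals.items() if n >= threshold)


def find_privileged_misuse(events):
    """Privileged accounts used for day-to-day activities (web browsing, email)."""
    return sorted({(e["account"], e["action"]) for e in events
                   if e["account"].startswith(PRIVILEGED_PREFIX)
                   and e["action"] in DAY_TO_DAY_ACTIONS})


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for acct, day, n in find_off_hours_bulk_access(evts):
        print(f"ALERT off-hours bulk access: {acct} read {n} records on {day}")
    for acct, action in find_privileged_misuse(evts):
        print(f"ALERT privileged account {acct} used for {action}")
```

Note that the 3000-record read by `tbrown` at 14:00 is not flagged: it falls inside working hours, so it is a matter for the per-day thresholds and role checks the organisation sets separately, whereas the smaller 02:15 read is flagged because it is out of hours. Aggregating per account per day rather than per event stops an attacker (or a careless user) staying under the threshold by splitting a bulk export into many small reads.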
4.3 Baseline Configuration
• It is recommended that a baseline configuration is scoped, identified and implemented across the organisation to ensure a minimum level of secure configuration is in place. It also ensures that a consistent approach or build configuration is used organisation wide, on which specific additional controls etc. can be enforced or invoked. At a minimum, the baseline configuration should be assessed and applied from 3 perspectives:
  • Baseline security configurations on IT and network systems to ensure a consistent build status.
  • Protective monitoring put in place to detect any attempt to modify the configuration of client and server systems.
  • The booting of all client systems to a secure state. It should not be possible to modify the boot configuration.
• The baseline secure configuration should be regularly assured (checked) through regular vulnerability assessments of the network architecture to ensure that the baseline security controls (secure configuration) have been well implemented and are effective. The NHS GPG on Vulnerability Assessment provides guidance on scoping and undertaking vulnerability assessments.
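Detecting attempts to modify the baseline configuration (the second perspective above, and the "change of system and system files detection" control in the host lockdown section later in this guide) comes down to recording what the approved build looks like and comparing the live system against that record. The following is an added example, not code from this guide or from any NHS Digital or NCSC tool: it hashes a set of baseline-controlled files into a manifest, then reports which files have been modified or removed. The file names, their contents and the temporary directory tree are constructed for the demonstration; a real deployment would keep the manifest on the separate audit system rather than on the host it describes.

```python
"""Baseline configuration drift check (added example, not from the GPG)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, relative_paths):
    """Record the hash of every baseline-controlled file under root."""
    root = Path(root)
    return {rel: hash_file(root / rel) for rel in relative_paths}


def save_manifest(manifest, path):
    """Store the manifest as JSON; in practice keep this copy off the host it describes."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_to_baseline(root, manifest):
    """Classify each baseline file as unchanged, modified or missing."""
    root = Path(root)
    result = {"unchanged": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        path = root / rel
        if not path.exists():
            result["missing"].append(rel)
        elif hash_file(path) != expected:
            result["modified"].append(rel)
        else:
            result["unchanged"].append(rel)
    return result


def demo():
    """Build a constructed baseline in a temporary directory, simulate
    unauthorised changes, and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        (root / "etc" / "ntp.conf").write_text("server ntp.example.org\n")
        files = ["etc/sshd_config", "etc/hosts.allow", "etc/ntp.conf"]

        # Capture the approved build. The manifest lives inside the temp tree only
        # because this is a self-contained demo; see the note in save_manifest.
        manifest_path = root / "baseline.json"
        save_manifest(build_manifest(root, files), manifest_path)

        # Simulate tampering: a weakened setting and a deleted control file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts.allow").unlink()

        return compare_to_baseline(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule (or triggered from the audit system), a non-empty `modified` or `missing` list is the alert that the configuration has drifted from the baseline and needs either an approved change record or an incident. Hashing the content rather than checking timestamps or sizes means an edit that preserves both is still caught.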
4.3.1 Baseline Security Configurations – IT and Network Systems
• The specifics of how the baseline build is designed will depend upon the hardware and operating systems to be used. Therefore, use should be made of the specific guidance from NCSC (via the NCSC website https://www.ncsc.gov.uk/) for system or service specific advice, as well as the vendor specific advice.
• Whichever hardware and software is being used, it is recommended that the below are considered in the design of the baseline secure configuration. It may be helpful to follow recognised network design principles (e.g. ISO 27033) to help define an appropriate network architecture including the network perimeter, any internal networks, and links with other organisations such as service providers or partners. The network security and secure configuration approach should align with the organisation’s risk management strategy. The fundamentals are:
  • Manage the network perimeter – manage access to ports, protocols and applications by filtering and inspecting all traffic at the network perimeter to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malicious content:
    • Use firewalls to create a buffer zone between the Internet (and other untrusted networks) and the networks used by the business. The firewall rule set should deny traffic by default, and a whitelist should be applied that only allows authorised protocols, ports and applications to exchange data across the boundary. This will reduce the exposure of systems to network based attacks. Ensure you have effective processes for managing changes to avoid workarounds.
    • Prevent malicious content by deploying malware checking solutions and reputation-based scanning services to examine both inbound and outbound data at the perimeter in addition to protection deployed internally. The antivirus and malware solutions used at the perimeter should ideally be different from those used to protect internal networks and systems in order to provide some additional defence in depth.
  • Protect the internal network by ensuring that there is no direct routing between internal and external networks (especially the Internet), which limits the exposure of internal systems to network attack from the Internet. Monitor network traffic to detect and react to attempted or actual network intrusions.
  • Segregate networks as sets by identifying, grouping and isolating critical business systems, and apply appropriate network security controls to them.
  • Secure wireless access – all wireless access points should be appropriately secured, only allowing known devices to connect to corporate Wi-Fi services. Security scanning tools may be useful to detect and locate unauthorised or spoof wireless access points.
  • Enable secure administration – administrator access to any network component should be properly authenticated and authorised. Make sure default administrative passwords for network equipment are changed.
  • Configure the exception handling processes – ensure that error messages returned to internal or external systems or users do not include sensitive information that may be useful to attackers.
  • Monitor the network – network intrusion detection and prevention tools should be deployed on the network and configured by qualified staff.
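The "deny by default, whitelist what the business needs" rule for the perimeter firewall is easiest to reason about as a small policy model: a list of permitted flows, each tied to a business purpose, and a default answer of deny for everything else. The following is an added example written for this guide, not NHS Digital or NCSC code and not the syntax of any particular firewall product: the rule and flow structures, the addresses (RFC 5737 documentation ranges and private space) and the four whitelisted flows are all constructed for the illustration. The `overly_broad` check goes slightly beyond the text by flagging rules that constrain neither endpoint, which is the usual way a whitelist quietly turns back into "allow any".

```python
"""Default-deny perimeter policy model (added example, not from the GPG or NCSC)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound" relative to the organisation
    protocol: str     # "tcp" or "udp"
    dst_port: int
    source: str       # CIDR; "0.0.0.0/0" means any
    destination: str  # CIDR
    purpose: str      # the business reason the rule exists (also its audit trail)


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed whitelist for the example. Only business-required flows are listed;
# anything that matches no rule is denied.
WHITELIST = [
    Rule("inbound", "tcp", 443, "0.0.0.0/0", "192.0.2.10/32", "public web server HTTPS"),
    Rule("inbound", "tcp", 25, "0.0.0.0/0", "192.0.2.20/32", "inbound mail to relay"),
    Rule("outbound", "tcp", 443, "10.0.0.0/8", "0.0.0.0/0", "staff web browsing via proxy"),
    Rule("outbound", "udp", 53, "10.0.1.53/32", "0.0.0.0/0", "internal resolver forwarding"),
]


def matches(rule, flow):
    """A rule applies when direction, protocol, port and both address ranges agree."""
    return (rule.direction == flow.direction
            and rule.protocol == flow.protocol
            and rule.dst_port == flow.dst_port
            and ip_address(flow.src_ip) in ip_network(rule.source)
            and ip_address(flow.dst_ip) in ip_network(rule.destination))


def evaluate(flow, rules=WHITELIST):
    """First matching whitelist rule allows the flow; anything else is denied."""
    for rule in rules:
        if matches(rule, flow):
            return ("allow", rule.purpose)
    return ("deny", "default deny")


def overly_broad(rules):
    """Rules with neither endpoint constrained; these defeat the whitelist."""
    return [r.purpose for r in rules
            if ip_network(r.source).prefixlen == 0
            and ip_network(r.destination).prefixlen == 0]


if __name__ == "__main__":
    samples = [
        Flow("inbound", "tcp", "198.51.100.7", "192.0.2.10", 443),   # allowed: web server
        Flow("inbound", "tcp", "198.51.100.7", "192.0.2.10", 22),    # denied: SSH from Internet
        Flow("outbound", "udp", "10.0.0.5", "203.0.113.53", 53),     # denied: only the resolver may
    ]
    for f in samples:
        print(f, "->", evaluate(f))
```

Tying each rule to a `purpose` is what makes the "effective processes for managing changes" practical: a rule with no business purpose is a candidate for removal at the next review, and a rule that `overly_broad` reports is a workaround that has crept in and needs either tightening or a documented exception.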
4.3.2 Protective Monitoring
• As part of the baseline configuration the core protective monitoring requirements should be included. The protective monitoring regime should be determined based on the threats, vulnerabilities and risks to the systems and the data hosted by them; it should also be appropriate for the organisation’s information processing requirements and its structure and size. The NHS GPG on Protective Monitoring provides guidance on assessing the monitoring controls. The baseline protective monitoring regime should form the baseline monitoring requirements for the secure baseline configuration.
• The aim is to monitor traffic and unusual user activity that could be indicative of an attack. Network intrusion detection and prevention tools should be considered. Any alerts generated by the system should be promptly managed by appropriately trained staff.
4.3.3 Secure State Booting
• A fundamental element of any baseline secure configuration is that the start-up (boot configuration) should be secure. Users should not be able to modify the boot sequence, and the result of powering on the system should be that it boots to a secure state. If the boot configuration is not secure it can be used as an easy path for an attacker to modify data, remove data and affect the availability of the system.
• The boot configuration should particularly ensure that users cannot interrupt the process and/or use their own device (such as a USB drive or CD) to boot from. It thereby reduces the risk of users introducing malware or undertaking nefarious activities.
4.4 Host System Lockdown
• Host system lockdown can also be referred to as hardware lockdown or hardware hardening. The specifics of how the hardening is to be implemented will depend upon the hardware to be used. Therefore, use should be made of the specific guidance from NCSC (via the NCSC website https://www.ncsc.gov.uk/) as well as the vendor specific advice. It includes a degree of operating system hardening when applied to servers etc.
• Whichever host system and server configuration is used, the approach outlined in this section is recommended to be used in tandem with specific NCSC and vendor guidance on locking down (or hardening) the host environment. The types of servers or equipment that need hardening include, but are not limited to:
  • File sharing servers.
  • Email servers.
  • Web servers.
  • FTP servers.
  • DNS servers.
  • DHCP servers.
  • Database servers.
  • Domain controllers.
  • Directory servers.
  • Network devices such as firewalls, routers, and switches.
If we look generically at servers then the below approach is recommended; this approach would work for all devices, but some of the stages may not be required.
• Identify the services that will be required to run on the server; examples include:
  • DNS.
  • HTTP.
  • SMTP.
  • POP3.
• Identify the services running on the server that are not needed and turn them off.
• Complete a port scan on the server to test and determine any ports that the server is responding to and:
  • Close down those with no response.
  • Close down those that are communicating but not required.
• Remove any unnecessary programs, services, and drivers from the server, especially those not loaded by default on the server.
• Patch the server with the latest patches and patch all services running on the server.
• Remove, prevent or limit access to unnecessary physical and logical communications ports (e.g. USB, TCP/IP), removable media (e.g. CD/DVD drives) and network communications interfaces (e.g. infrared, Bluetooth, and wireless).
• Disable or change the password of any default accounts on the server or related to any operating services.
• Be sure all passwords used to access the system or used by services on the system meet the minimum requirements in accordance with the organisation’s password policy.
• Be sure all users and services have the minimum required rights and do not have rights to items not needed (least privilege).
• Aim to make file share and file permissions as tight as possible.
• Perform a vulnerability assessment scan of the server.
• Patch or fix any vulnerabilities found.
• Where appropriate, install and run additional security programs (with the latest updates and patches installed) such as:
  • Anti-virus – install and perform the latest update of software and virus definitions.
  • Firewall.
  • Intrusion detection software.
  • Change of system and system files detection.
• Enable audit logging to log any unauthorised access.
• Potentially perform another vulnerability assessment scan of the server to confirm that the earlier identified vulnerabilities and discrepancies have been addressed.
• Take additional account management security measures including:
  • Disable the guest account.
  • Rename default administrator accounts.
  • Set accounts for minimum possible access.
  • Be sure all accounts have passwords that meet the organisation’s password policy.
• Test the server to be sure all the operationally required services are still operating properly after the implementation of the lockdown/hardening process.
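The first steps of the procedure above (list the required services, port scan the server, close what is responding but not required) and the last step (confirm the required services still work afterwards) are a comparison between two lists: what should be listening and what is. The following is an added example written for this guide, not NHS Digital code and not the output format of any particular scanner: the required-services table follows the guide's DNS/HTTP/SMTP/POP3 examples with SSH added as an assumed administration channel, and the two scan results are constructed in a simplified "port/proto state service" layout to show a pre-hardening triage and a post-hardening regression check.

```python
"""Port scan triage for host lockdown (added example, not from the GPG)."""

# Services this server must run. The GPG's examples (DNS, HTTP, SMTP, POP3)
# plus SSH for administration, which is an assumption made for this example.
REQUIRED_SERVICES = {
    ("tcp", 22): "SSH (administration)",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
    ("tcp", 80): "HTTP",
    ("tcp", 25): "SMTP",
    ("tcp", 110): "POP3",
}

# Constructed scan results in a simplified "port/proto state service" form,
# as captured before and after hardening. Real scanner output varies.
SCAN_BEFORE = """\
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
53/udp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp closed https
3306/tcp open mysql
"""

# After hardening: the unneeded services are gone, but SMTP was stopped by mistake.
SCAN_AFTER = """\
22/tcp open ssh
53/tcp open domain
53/udp open domain
80/tcp open http
110/tcp open pop3
"""


def parse_scan(text):
    """Return (proto, port, state, service) tuples from the constructed format."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        port_proto, state, service = line.split()
        port, proto = port_proto.split("/")
        results.append((proto, int(port), state, service))
    return results


def triage(results, required=REQUIRED_SERVICES):
    """Split responding ports into those to keep (required) and those to close."""
    keep, close = [], []
    for proto, port, state, service in results:
        if state != "open":
            continue  # nothing is listening, so there is nothing to close
        if (proto, port) in required:
            keep.append((proto, port, required[(proto, port)]))
        else:
            close.append((proto, port, service))
    return {"keep": keep, "close": close}


def missing_required(results, required=REQUIRED_SERVICES):
    """Required services that no longer answer: the post-hardening regression check."""
    listening = {(proto, port) for proto, port, state, _ in results if state == "open"}
    return sorted({name for key, name in required.items() if key not in listening})


if __name__ == "__main__":
    before = parse_scan(SCAN_BEFORE)
    for proto, port, service in triage(before)["close"]:
        print(f"close {port}/{proto} ({service})")
    for name in missing_required(parse_scan(SCAN_AFTER)):
        print(f"REGRESSION: required service {name} not responding after hardening")
```

Keeping `REQUIRED_SERVICES` as an explicit, reviewed list is the point: the triage only works if the required set was decided before the scan, and the same list drives the final "is everything operationally required still running" check, so a service that was accidentally disabled during hardening (SMTP in the constructed after-scan) is caught before the server goes back into service.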
4.5 Operating System Lockdown
• Operating system (OS) lockdown can also be referred to as OS or hardware hardening and should include applications that sit on the OS. The specifics of how the hardening is to be implemented will depend upon the OS and application to be used. Therefore, use should be made of the specific guidance from NCSC (via the NCSC website https://www.ncsc.gov.uk/) as well as the vendor specific advice. Where the OS is on the server it will most likely have been securely configured during the host lockdown process. However, there will still be the requirement to securely configure the OS (and applications) on the end user device.
• Whichever OS or application is used, the following approach is recommended to be used in tandem with specific NCSC and vendor guidance on locking down (or hardening) the OS/application:
  • Non-essential services – the operating system should only be configured to run the services required to perform the tasks for which it is assigned.
  • Patches and fixes – update all operating systems with the latest vendor supplied patches and bug fixes (usually collectively referred to as security updates).
  • Password management – enforce strong passwords in accordance with the organisation’s password policy.
  • Unnecessary accounts – disable or remove guest, unused and unnecessary user accounts from operating systems. It is also vital to keep track of employee turnover so that accounts can be disabled when employees leave an organisation.
  • File and directory protection – control access to files and directories through the use of Access Control Lists (ACLs) and file permissions.
  • File and file system encryption – where possible consider using the OS provided support for encrypting files and folders.
  • Enable logging – ensure that the operating system is configured to log all activity, errors and warnings.
  • File sharing – disable any unnecessary file sharing.
• Vulnerability assessment, and reconfiguration if vulnerabilities are identified, is recommended as best practice to support vulnerability assessment of the host system; it should form part of the same overall assessment from end user device through to the core network.
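The "file and directory protection" control above is the one most often undone in practice by a world-writable log directory or a stray set-uid helper, so it is worth checking rather than assuming. The following is an added example written for this guide, not NHS Digital code and not a substitute for the OS vendor's own permission tooling: it walks a directory tree with the POSIX permission bits and reports entries that are world-writable (allowing sticky-bit scratch areas in the style of /tmp) or set-uid/set-gid. The file tree it audits is constructed in a temporary directory for the demonstration; on a Windows estate the equivalent check reads the ACLs rather than mode bits.

```python
"""File and directory permission audit (added example, not from the GPG)."""
import os
import stat
import tempfile
from pathlib import Path


def audit_permissions(root):
    """Walk root and report entries that are world-writable or set-uid/set-gid.
    World-writable directories with the sticky bit (like /tmp) are accepted."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # judge the target, not the link
            rel = str(path.relative_to(root))
            is_dir = stat.S_ISDIR(mode)
            if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable"))
            if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def demo():
    """Construct a small tree with compliant and non-compliant entries and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        config = root / "app" / "config.ini"
        config.write_text("[db]\nhost=localhost\n")
        os.chmod(config, 0o640)                 # owner rw, group r: compliant
        shared = root / "app" / "shared.log"
        shared.write_text("")
        os.chmod(shared, 0o666)                 # anyone can write: finding
        helper = root / "app" / "helper"
        helper.write_text("#!/bin/sh\nexit 0\n")
        os.chmod(helper, 0o4755)                # set-uid executable: finding
        (root / "drop").mkdir()
        os.chmod(root / "drop", 0o777)          # world-writable, no sticky bit: finding
        (root / "scratch").mkdir()
        os.chmod(root / "scratch", 0o1777)      # sticky-bit scratch area: accepted
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem:15} {rel}")
```

Pointed at an application or data directory on a real system, the output is the list of entries to tighten; run as part of the vulnerability assessment the section recommends, it also shows whether an earlier hardening pass has been undone by a later install or a helpful administrator.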
5 Further Reading and Advice
• In addition to the documents listed under Related References, Links and Documents, further details and advice on protective monitoring can be found at https://www.ncsc.gov.uk/. This GPG does not list the particular references as these change on a frequent basis; however, searches under the below headings will help to locate the current applicable HMG policy and standard, or an assured provider or mechanism of the technique or technology that may be required:
  • Least privilege.
  • Secure configuration.
  • Hardware lockdown or hardening.
  • Operating system lockdown or hardening.
  • Patching.
  • Updates.
  • Protective monitoring.
  • Auditing.
  • Logging.
• This GPG is supported by other GPGs, which should be used in tandem. This includes, but is not limited to:
  • Protective Monitoring
  • Patching
  • Password Management
  • Hardware and Software Security
  • Audit Policy
  • Application Security
  • Network Security.
6 Key Words
Application, Client, Configuration, Hardware, Host System, Least Privilege, Lockdown, Operating System, Protective Monitoring, Server, Software