The Freefire Project
For Developers, Users and Admins of Free IT-Security Solutions
© Copyright 1996-2003
Bernd Eckenfels, Germany
and others

Hardening Resources
by Bernd Eckenfels, ecki@lina.inka.de, 2002-10-02 for Freefire.org

This is a list of IT-Security resources with the main focus on hardening (i.e. securing by configuration) of operating systems and applications.

Host security is painful (i.e. you need to secure every host in your enterprise, not only a single third-party firewall product). Nevertheless, it is very important, not only for exposed bastion hosts (internet servers), but also for intranet servers and even workstations. There are a lot of good reasons for securing every single host in your network to some extent. First of all, most of your threats will come from insiders anyway, who have unfiltered access to your local LAN. In addition to that, you should design your security in layers, and design for failure. This means the security of your servers themselves is very often the last and only line of defense.


Resources

Generic and Background Information

  • [html] Reflections on Trusting Trust This is a very classical text about trust in IT systems. This article from <Ken Thompson> is quite important for all areas of IT security, but system hardening and host security most notably benefit from the classical "trust no one" approach.

  • [html] Unofficial TEMPEST Don't forget that hardening of important systems does not stop at the software configuration layer. The first step for sure is physical security. And once you start thinking about having hard-to-crack software configurations, you should read this resource to be reminded how easy it might be to spy on you in the physical world.

  • [html] CERTs security improvement Each CERT Security Improvement module addresses an important but narrowly defined problem in network security. It provides guidance to help organizations improve the security of their networked computer systems.
    The CERT security practices have been compiled in The Book: "The CERT Guide to System and Network Security Practices" published by Addison-Wesley. Review anyone?

  • [html] Mixter's Security Whitepapers Educate yourself with Mixter's excellent security papers.

Linux/Unix system hardening

  • [html] Building a Bastion Host Using HP-UX 10/11 A bastion host is a computer system that is exposed to attack, and may be a critical component in a network security system. Special attention must be paid to these highly fortified hosts, both during initial construction and ongoing operation. <Kevin Steves>, an HP consultant, presents an up-to-date paper on the methodology for installing bastion hosts.

  • [html] Securing a Unix Machine for Beginners This small document describes a way to keep most of Unix' power and flexibility, but to also reduce the maintenance burden by turning off unneeded services.

  • [html] Armoring Solaris One of <Lance Spitzner>'s security whitepapers from 2001. Subtitle: preparing Solaris for a firewall. There is also a second edition of this paper from 2002, specially for Solaris 8 64-bit and Checkpoint Firewall-1 ([html])

  • [html] Armoring Linux How to armor the Linux operating system. This article by Lance Spitzner presents a systematic method to prepare your system for the Internet. The article from 2000 is based on Redhat 6.0, but should apply to most distributions of Linux.

  • [html] GG24-4433-00 Elements of Security: AIX 4.1 This redbook from IBM describes security-related elements of AIX for system administrators.

  • [html] Matt's Unix Security Yet another, but quite informative, link list on Unix security.

  • [html] Securing Debian This document describes the process of securing and hardening the default Debian installation. It covers some of the common tasks to set up a secure network environment using Debian GNU/Linux. It also gives additional information on the security tools available as well as the work done by the Debian security team.

  • [html] SuSE: Installation of a Secure Webserver SuSE's own installation instruction for Internet exposed Web Servers. A must if you dare to run a SuSE Linux Server with Apache.

  • [html] Securing Internet Information Servers Older document on how to secure publicly reachable applications on Unix systems, including FTP, Gopher and older HTTP servers.

  • [html] LinuxJournal: Security Tools in Linux Distributions (Part I - RedHat) Beginner level article on monitoring the security of RedHat Linux.

  • [html] LinuxJournal: Security Tools in Linux Distributions (Part II - SuSE) Beginner level article on monitoring the security of SuSE Linux.

  • [html] CERIAS Hotlist: System Security / Unix This is a link list maintained by The Center for Education and Research in Information Assurance and Security at Purdue University.

  • [html] Securing & Optimizing Linux: The Ultimate Solution This is a PDF of a Linux Hardening book.

  • [html] Setting up an hardened Debian Log Server A PDF paper from Vince on hardening a Debian server for the purpose of collecting logs in a network. Note: I advise against using a self-compiled ssh; just install the Debian package. I also would prefer not to compile programs on the target host, or use an incomplete homebrewn Tripwire. Debian has a nice package called integrit instead. Also, a log server should offer cryptographically secured logging.

  • [html] Unix Guru Universe A lot of useful Links for Unix System Administrators.

  • [html] The Linux Administrator's Security Guide ...

  • [html] Computer Security Information Features general information about computer security. Originally designed by Jessica Kelley, maintained at the Center for Information Technology, National Institutes of Health.

  • [html] Trusted Debian This is not the only available secure Linux Distribution. Basically this Link will be replaced with its own collection, including GRC, SELinux etc.

  • [html] Debian Read-Only root filesystem Running a system with a read-only root enhances the stability of the system against power outages and other unwanted interruptions. It is therefore a good configuration for routers or firewalls, which are rarely reconfigured. It is also a security feature that avoids permanent changes to the system on intrusion. This Howto details the steps needed to achieve this on Debian (by Thomas Mood).

Microsoft Windows related

  • [html] Building a Windows NT bastion host in practice This paper by <Stefan Norberg> is now used as the base for the Book: "Securing Windows NT/2000 Servers for the Internet".
    See the [html] ORA catalog and book homepage for more info. This is really a good choice if you dare to use Windows systems connected to hostile networks.

  • [PDF] Hardening NT Document from <Micheal Espinola> on hardening Microsoft Windows NT 4.0 systems (workstations and servers), authored in 1997.

  • [html] NT Security - Frequently Asked Questions This collection of frequently asked questions with answers on NT security issues was last updated in 1997. It contains a lot of general and specific information you need to know as an NT admin.

  • [html] Windows 2000 Security Configuration Document Windows NT/2000 security checklist that is designed to provide security administrators with a method of configuring an installation based on the agreed security risk profile of the target system. The security configuration document divides recommendations into the levels "Premium", "Standard", and "Basic". <Leigh Purdie, Intersectalliance>

  • [html] Terminate System Services = Beenden von Systemdiensten Best (German) article on how to close all Windows 2000 and Windows XP ports. <Frank Kaune>

  • [html] Terminate System Services .bat Based on the KSSystems manual, this site features batch files to do the work automatically. The page is in German; .bat files are available for XP and 2000. Thanks to <Torsten Mann>

  • [html] CERIAS Hotlist: System Security / Windows This is a link list maintained by The Center for Education and Research in Information Assurance and Security at Purdue University.

  • [html] Armoring NT One of <Lance Spitzner>'s security whitepapers from 2000. Subtitle: preparing NT for a firewall.

  • [html] windowssecurity.com: White Papers The White Paper Section of windowssecurity.com covers topics like IPSec, hardening, password policy and details on Frontpage Security.

  • [html] ntsecurity.com Claims to be the one stop NT security portal.

  • [html] Microsoft Security and Privacy This site is provided by Microsoft, nevertheless it should be your first stop while looking for up-to-date information on security related topics for Windows systems and applications.

  • [html] Microsoft's Security Operations Guide for Windows 2000 Server Microsoft Technet provides this guide for Windows 2000 admins dealing with topics like patching, intrusion detection and general hardening of the installation.

  • [html] Microsoft's Windows Server 2003 Security Center Essential guidelines, references and articles for secure operation of Windows Server 2003 and Windows XP. Especially contains configuration guides and templates for hardening. Running Microsoft Servers is for sure not easy, but without consulting TechNet, it is impossible.

  • [html] Windows 2000 und IIS 5.0 härten German online article at Heise security, describing the basic methods to get a more secure Windows 2000 Web Server.

Application hardening

  • [html] securing BIND 8.x Whitepaper on how to secure BIND 8.x on OpenBSD or Linux variants.

  • [html] WWW Security FAQ maintained at the W3C.

  • [html] The Firewall Hardening Guide Some generic and more Checkpoint Firewall-1 specific guidelines for hardening a gateway which is acting as a perimeter firewall. This guide is provided by ticm.com.

  • [html] SQLSecurity.com Guidelines, Checklists and Hardening Script for MS SQL Server and MSDE.

Broken

  • [html] Pretty Secure Linux will create a pretty secure Linux Distribution
  • [ftp] Tishina Security Archives


© Copyright 2002-2003, Bernd Eckenfels, ecki@lina.inka.de, Germany