General Hardening Standards
The goal of hardening a system is to make it more secure by reducing the attack surface. This involves removing unnecessary applications, keeping the system up to date, and creating policies that ensure the system remains secure. Collectively, these steps will help lockdown the system and reduce the risk it poses to the rest of the organization.
- Ensure latest supported OS version is installed and connected to the domain.
- All devices shall be joined to the UNFCSD domain to ensure proper automatic upgrades and baseline security standards are applied.
- All Windows client operating systems shall install and configure an agent for SCCM.
- All OSX operating systems shall install and configure an agent for JAMF.
- All Windows server operating systems shall be setup with WSUS.
- All other server operating systems shall be setup with their respective patch manager applications.
- All operating systems shall be setup with automatic updates following the UNF Software Updates and Reboot policy by ensuring they are applied weekly.
- Any programs, drivers, services, file sharing, or functionality that are not being used on the device should be removed or disabled.
- Only properly vetted and secure applications should be installed. Best to use software found in UNF managed locations like Software Center or JAMF Self Service.
- All unused accounts shall be disabled or deleted.
- All local and generic user accounts must follow requirements found in the UNF Access Management standard.
- User accounts should be assigned the least amount of privileged as needed to perform their job.
- If a user needs elevated privileges, they should have a separate account that has been granted these privileges and sign out of this account after performing the administrative task.
- All user accounts that are accessibly from the internet must use multi-factor authentication.
- All server operating systems must install and configure a SIEM agent to ensure logs are sent to a centrally managed ITS server.
- All operating systems should have the latest version of the UNF managed anti-virus application installed and configured.
- All devices shall use encryption standards using strong encryption keys and algorithms following the UNF Safeguarding Data standard.