awesome-security-hardening

A collection of awesome security hardening guides, best practices, tools and other resources. This is work in progress: please contribute by forking, editing and sending pull requests. You may also send suggestions on Twitter to @decalage2, or use https://www.decalage.info/contact

---

Table of Contents

• Security Hardening Guides and Best Practices
  • Hardening Guide Collections
  • GNU/Linux
    • Red Hat Enterprise Linux - RHEL
    • SUSE
    • Ubuntu
  • Windows
  • macOS
  • Network Devices
    • Switches
    • Routers
  • Virtualization - VMware
  • Services
    • SSH
    • TLS/SSL
    • Web Servers
      • Apache HTTP Server
      • Apache Tomcat
      • Eclipse Jetty
      • Microsoft IIS
    • Mail Servers
    • FTP Servers
    • Database Servers
    • Active Directory
    • ADFS
    • LDAP
    • DNS
    • NTP
    • CUPS
  • Authentication - Passwords
  • Hardware - BIOS - UEFI
  • Cloud
• Tools
  • Tools to check security hardening
    • GNU/Linux
    • Network Devices
    • TLS/SSL
  • Tools to apply security hardening
    • GNU/Linux
    • Windows
• Books
• Other Awesome Lists
  • Other Awesome Security Lists

---

Security Hardening Guides and Best Practices

Hardening Guide Collections

• CIS Benchmarks (registration required)
• ANSSI Best Practices
• NSA Security Configuration Guidance
• NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
• US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
• OpenSCAP Security Policies
• Australian Cyber Security Center Publications
• FIRST Best Practice Guide Library (BPGL)

GNU/Linux

• ANSSI - Configuration recommendations of a GNU/Linux system
• How To Secure A Linux Server - for a single Linux server at home
• nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
• nixCraft - Tips To Protect Linux Servers Physical Console Access
• TecMint - 4 Ways to Disable Root Account in Linux

Red Hat Enterprise Linux - RHEL

• A Guide to Securing Red Hat Enterprise Linux 7
• DISA STIGs RHEL
• nixCraft - How to set up a firewall using FirewallD on RHEL 8

SUSE

• SUSE Linux Enterprise Server 12 SP4 Security Guide
• SUSE Linux Enterprise Server 12 Security and Hardening Guide

Ubuntu

• Ubuntu documentation - Security
• Ubuntu wiki - Security Hardening Features

Windows

• Microsoft - Windows security baselines
• Microsoft - Windows Server Security | Assurance
• Microsoft - Windows 10 Enterprise Security
• ACSC - Hardening Microsoft Windows 10, version 1709, Workstations
• ACSC - Securing PowerShell in the Enterprise
• Awesome Windows Domain Hardening
• Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
• Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies

See also Active Directory and ADFS below.

macOS

Network Devices

• NSA - Harden Network Devices - very short but good summary

Switches

• DISA - Layer 2 Switch SRG

Routers

• NSA - A Guide to Border Gateway Protocol (BGP) Best Practices

Virtualization - VMware

• VMware Security Hardening Guides

Services

SSH

• NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
• ANSSI - (Open)SSH secure use recommendations
• Linux Audit - OpenSSH security and hardening
• Positron Security SSH Hardening Guides - focused on crypto algorithms

TLS/SSL

• NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
• Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2019
• ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
• Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
• RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List

Web Servers

• Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd

Apache HTTP Server

• Apache HTTP Server documentation - Security Tips
• GeekFlare - Apache Web Server Hardening and Security Guide
• Apache Config - Apache Security Hardening Guide

Apache Tomcat

• Apache Tomcat 9 Security Considerations / v8 / v7
• OWASP Securing tomcat
• How to get Tomcat 9 to work with authbind to bind to port 80

Eclipse Jetty

• Eclipse Jetty - Configuring Security
• Jetty hardening (2015)

Microsoft IIS

• CIS Microsoft IIS Benchmarks

Mail Servers

FTP Servers

Database Servers

Active Directory

• Microsoft - Best Practices for Securing Active Directory
• "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
• "Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory

ADFS

• adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS)
• Microsoft - Best practices for securing Active Directory Federation Services

LDAP

• OpenLDAP Security Considerations
• Best Practices in LDAP Security (2011)
• LDAP: Hardening Server Security (so administrators can sleep at night)
• LDAP Authentication Best Practices - retrieved from web.archive.org
• Hardening OpenLDAP on Linux with AppArmor and systemd - slides
• zytrax LDAP for Rocket Scientists - LDAP Security
• How To Encrypt OpenLDAP Connections Using STARTTLS

DNS

• NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide (2013)
• CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure
• NSA BIND 9 DNS Security (2011)

NTP

• IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp (2019)
• CMU SEI - Best Practices for NTP Services
• Linux.com - Arrive On Time With NTP -- Part 2: Security Options
• Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup

CUPS

• CUPS Server Security

Authentication - Passwords

• UK NCSC - Password administration for system owners
• NIST SP 800-63 Digital Identity Guidelines

Hardware - BIOS - UEFI

• NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
• NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)

Cloud

• NSA Info Sheet: Cloud Security Basics (August 2018)
• DISA DoD Cloud Computing Security

Tools

Tools to check security hardening

GNU/Linux

• Lynis - script to check the configuration of Linux hosts
• OpenSCAP Base - oscap command line tool
• SCAP Workbench - GUI for oscap
• Tiger - The Unix security audit and intrusion detection tool (might be outdated)

Network Devices

• Nipper-ng - to check the configuration of network devices (does not seem to be updated)

TLS/SSL

• Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients

Tools to apply security hardening

GNU/Linux

• Linux Server Hardener - for Debian/Ubuntu (2019)
• Bastille Linux - outdated

Windows

• Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
• Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
• Hardening Auditor - Scripts for comparing Microsoft Windows compliance with the ASD 1709 & Office 2016 Hardening Guides
• Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019

Books

Other Awesome Lists

(borrowed from Awesome Security)

Other Awesome Security Lists

• Awesome Security - A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
• Android Security Awesome - A collection of android security related resources.
• Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
• Awesome Cyber Skills - A curated list of hacking environments where you can train your cyber skills legally and safely.
• Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
• Awesome Honeypots - An awesome list of honeypot resources.
• Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
• Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
• Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things.
• Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
• Awesome Incident Response - A curated list of resources for incident response.
• Awesome Web Hacking - This list is for anyone wishing to learn about web application security but do not have a starting point.
• Awesome Threat Intelligence - A curated list of threat intelligence resources.
• Awesome Pentest Cheat Sheets - Collection of the cheat sheets useful for pentesting
• Awesome Industrial Control System Security - A curated list of resources related to Industrial Control System (ICS) security.
• Awesome YARA - A curated list of awesome YARA rules, tools, and people.
• Awesome Threat Detection and Hunting - A curated list of awesome threat detection and hunting resources.
• Awesome Container Security - A curated list of awesome resources related to container building and runtime security
• Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.