This is Part 3 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with the SANS Critical Security Controls. In Part 1 we looked at Inventory of Authorized and Unauthorized Devices. In Part 2 we looked at Inventory of Authorized and Unauthorized Software. Now we'll move on to Control 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers.
3-1 Establish and ensure the use of standard secure configurations of your operating systems.
- STIGs - DISA's Security Technical Implementation Guides: the DoD's recommended secure baselines for OSes, applications, network devices, phones, etc. Free to download, and they come with the checklist of settings to verify.
Commercial tools: none, really, that I could recommend when you have a good STIG!
3-2 Implement automated patching tools and processes for both applications and for operating system software.
- Ninite - While not free, it is DIRT CHEAP. But it only patches the 3rd party applications listed on its website, with no OS patching.
- WSUS - But do you really want to go this way?!? You still have to pay for the Windows Server license, and it only handles Microsoft updates, not 3rd party apps.
- Shavlik - Windows only. Patches Microsoft products plus a large selection of 3rd party apps.
- LanDesk - Ditto.
- Vipre Internet Security - A security all-in-one agent that includes AV, firewall, and patching. Patching is limited to a small selection of popular 3rd party apps only and does not include OS patching.
3-3 Limit administrative privileges to very few users who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system.
Refer to the commercial tools listed under control 2-1.
3-4 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise.
- FOG - Free and open source imaging of workstations and servers from a central Linux-based server.
3-5 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible.
The imaging products above can be configured to meet this requirement: lock down the image server itself, restrict who can upload or modify an image, and keep a hash of each master image so an unauthorized change shows up the next time it is checked.
3-6 Negotiate contracts to buy systems configured securely out of the box using standardized images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities.
I've always questioned the need for this control. Why would I do this when I have FOG at my fingertips? I'm assuming the big OEMs (Dell, HP, etc.) can offer this through a contract. But again, why spend money when you can do it yourself for free...
3-7 Do all remote administration of servers, workstation, network devices, and similar equipment over secure channels.
This refers to the protocols used, such as RDP, SSH, etc. The point is that anything cleartext (telnet, unencrypted VNC, HTTP admin pages) is out.
- mRemoteNG - All-in-one for remote access. NOTE: it does NOT support encrypted VNC.
- RDCM - Microsoft tool. Complete with bugs and irritation. Do not recommend for anyone that wants to manage more than 0 RDC sessions.
- UltraVNC - Offers a server and client which, with its DSM encryption plugin loaded on both ends, can provide encrypted VNC.
3-8 Utilize file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered...
This is basically file integrity monitoring (FIM), which is one piece of what a HIDS does: hash the critical files once, then re-hash on a schedule and alert on any difference.
- AlienVault OSSIM - HIDS, SIEM, inventory, service monitor, and more.
- OSSEC - used in OSSIM, it is just the HIDS portion.
- OpenHIDS - Windows only
- Tripwire - heterogeneous server monitoring across Windows, Linux, Solaris, AIX and HP-UX platforms.
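As an added example (my own script, not code from OSSEC, Tripwire or any product above), here is the core of what 3-5 asks for master images and 3-8 asks for critical system files in Python: build a baseline of SHA-256, size and mode for every regular file under a directory, store it somewhere the monitored host cannot write, and later diff a fresh scan against it to list added, removed and modified files. The directory and baseline paths in the usage line are assumptions.

```python
"""Minimal file-integrity baseline/verify tool (added example, not from the post).

Walk a directory tree, record SHA-256 + size + mode for every regular file,
then compare a fresh scan against the stored baseline and report files that
were added, removed or modified. Point it at a golden-image share for 3-5 or
at /etc, /bin, /sbin (or C:\Windows\System32) for 3-8.
"""
import hashlib
import json
import os
import stat
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large images/binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for every regular file under root."""
    root = Path(root)
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices: hashing a link target would be misleading
            rel = p.relative_to(root).as_posix()
            entries[rel] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),  # permission bits only
            }
    return entries


def write_baseline(root, baseline_path):
    """Create the baseline. Store it off-host or read-only, otherwise an intruder just rewrites it."""
    baseline = scan_tree(root)
    Path(baseline_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline


def compare(baseline, current):
    """Diff two scans. Returns sorted lists under the keys added, removed, modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def verify(root, baseline_path):
    """Rescan root and compare it against the stored baseline."""
    baseline = json.loads(Path(baseline_path).read_text())
    return compare(baseline, scan_tree(root))


if __name__ == "__main__":
    import sys
    # Assumed usage: fim.py init /etc /var/lib/fim/etc.json   then   fim.py verify /etc /var/lib/fim/etc.json
    if len(sys.argv) != 4 or sys.argv[1] not in ("init", "verify"):
        sys.exit("usage: fim.py init|verify <root> <baseline.json>")
    mode, root, baseline_file = sys.argv[1:4]
    if mode == "init":
        print(f"baseline written: {len(write_baseline(root, baseline_file))} files")
    else:
        report = verify(root, baseline_file)
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind.upper():9}{p}")
        sys.exit(1 if any(report.values()) else 0)
```

Run `init` once on a known-good system (or right after FOG lays down the image), schedule `verify` from cron or Task Scheduler, and feed the non-zero exit into whatever alerts you. Mode is recorded alongside the hash because a chmod to setuid is an "alteration" even when the bytes don't change.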
3-9 Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing using features such as those included with tools compliant with Security Content Automation Protocol (SCAP), and alerts when unauthorized changes occur.
Again, HIDS for the "alert when unauthorized changes occur" side; see the tools above. The SCAP side (checking a host against a published benchmark such as a STIG) is a separate capability, so make sure whatever you pick can actually consume SCAP content rather than just watch files.
3-10 Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
- Salt - Built to push configuration and changes at ANY scale. Great for cloud deployments with OpenStack.
- Puppet - GPMC for Linux. Kind of.
- Chef - The Chef client is installed on every server, virtual machine, container, or network device you manage. It periodically polls the Chef server for the latest policy, compares it against the node's actual state, and brings anything that is out of date back into line.
- Ansible - Deploy apps, manage systems, centrally managed. Agentless: it works over SSH from the control host.
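To make the Chef/Puppet model concrete, here is an added example in Python (my own code, not any of the products above) of the loop every one of these clients runs: load a declared policy, check each managed resource against the live host, report drift, and in enforce mode put the resource back. Run without `--enforce` it is the compliance scan 3-9 asks for; run with it, it is the redeploy 3-10 asks for, and a second enforce run must find nothing to do. The sshd settings and key path in the demo policy are assumptions chosen to look like typical hardening items.

```python
"""Desired-state convergence loop (added example, not Chef, Puppet, Salt or Ansible code).

A policy is a list of resources. Each resource knows how to check() the host
and how to apply() itself. converge() does one pass: audit only by default,
audit-and-fix with enforce=True. apply() must be idempotent.
"""
import os
import re
import stat
from pathlib import Path


class ConfigLine:
    """Ensure `key value` is the one and only active setting for key in a sshd_config-style file."""

    def __init__(self, path, key, value):
        self.path, self.key, self.value = Path(path), key, value
        self._active = re.compile(rf"^\s*{re.escape(key)}\s+(.+?)\s*$")   # live setting
        self._any = re.compile(rf"^\s*#?\s*{re.escape(key)}\b")           # live or commented-out

    def describe(self):
        return f"{self.path}: {self.key} {self.value}"

    def check(self):
        if not self.path.exists():
            return False
        matches = (self._active.match(line) for line in self.path.read_text().splitlines())
        active = [m.group(1) for m in matches if m]
        return active == [self.value]   # exactly one active line, with the right value

    def apply(self):
        text = self.path.read_text() if self.path.exists() else ""
        kept = [line for line in text.splitlines() if not self._any.match(line)]
        kept.append(f"{self.key} {self.value}")
        self.path.write_text("\n".join(kept) + "\n")


class FileMode:
    """Ensure a file exists with exactly the given permission bits (e.g. 0o600 for host keys)."""

    def __init__(self, path, mode):
        self.path, self.mode = Path(path), mode

    def describe(self):
        return f"{self.path}: mode {oct(self.mode)}"

    def check(self):
        return self.path.exists() and stat.S_IMODE(self.path.stat().st_mode) == self.mode

    def apply(self):
        self.path.touch(exist_ok=True)
        os.chmod(self.path, self.mode)


def converge(resources, enforce=False):
    """One pass over the policy. Returns descriptions of the resources that had drifted.

    enforce=False: report only (the 3-9 monitoring run).
    enforce=True:  also apply() each drifted resource, then re-check so a broken
                   apply() fails loudly instead of pretending to converge.
    """
    drifted = []
    for r in resources:
        if r.check():
            continue
        drifted.append(r.describe())
        if enforce:
            r.apply()
            assert r.check(), f"apply() did not converge: {r.describe()}"
    return drifted


if __name__ == "__main__":
    import sys
    # Assumed demo policy; in a real deployment the policy comes from the server, not the client.
    etc = Path(sys.argv[1]) if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else Path("/etc/ssh")
    policy = [
        ConfigLine(etc / "sshd_config", "PermitRootLogin", "no"),
        ConfigLine(etc / "sshd_config", "PasswordAuthentication", "no"),
        FileMode(etc / "ssh_host_ed25519_key", 0o600),
    ]
    enforce = "--enforce" in sys.argv
    drift = converge(policy, enforce=enforce)
    for item in drift:
        print("FIXED:" if enforce else "DRIFT:", item)
    sys.exit(1 if drift and not enforce else 0)
```

The two things worth copying from this into any home-grown tooling are the re-check after apply() and the "second run returns nothing" property; a config management run that is not idempotent will rewrite files every interval and bury real drift in noise.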