Host Security Configuration Assessment

Guard critical servers

Overview

McAfee Strategic Security Services Host Security Configuration Assessment evaluates the security of your company’s critical servers, the backbone of your technology infrastructure. We analyze the operating system and application-level security issues of your company’s operating environments. McAfee Strategic Security Services checks administrative and technical controls, identifies potential and actual weaknesses, and recommends specific countermeasures.

Host Security Configuration Assessments are critical because they allow us to identify vulnerabilities that cannot be detected through network assessments. These assessments are the most efficient mechanism to comprehensively evaluate the security of your organization’s critical assets.

McAfee Strategic Security Services performs Host Security Configuration Assessments for Microsoft Windows and UNIX environments, including important applications such as IIS, SQL Server, and Apache. We also perform configuration assessments of routers. McAfee Strategic Security Services has performed hundreds of Host Security Configuration Assessments for systems in production environments, including e-commerce web servers, financial databases, and Internet-facing bastion hosts. We have compiled a comprehensive set of audit points based on our experience with penetration testing as well as industry standards such as the CIS benchmarks.

Our knowledge base stays current with emerging technology, so that our Host Security Configuration Assessment checks for the latest security patches and configuration methods for the newest applications and servers. Our experienced consultants accurately determine where the highest-risk problems occur and how to address those issues at a policy level. Finally, our techniques use customized scripts that can be run by your administrators to collect data for assessment.

Key Benefits

  • Evaluate the security of critical servers
  • Analyze the operating system and application-level security of operating environments
  • Check administrative and technical controls, identify potential and actual weaknesses, and obtain recommendations for countermeasures
  • Compare your standard images to industry benchmarks

Methodology

McAfee Strategic Security Services' methodology is created from established public guidelines and our consultants’ experience. Foundstone has developed tools to automate the collection of data. We use these scripts to help identify high-risk misconfigurations or omissions in your company’s server builds. Drawing from our experience, we test the overall risk of the host, rather than just checking off a list of specific vendor-recommended points. As a result, we are able to identify the controls that most need improvement to reduce the risk faced by the host.

We thoroughly check the adequacy of security controls on the features and functions listed for numerous operating systems and devices, including:

  • Microsoft Windows 2000 and higher
  • Unix (including Solaris, HP-UX, Linux, Tru64, and AIX), and Novell
  • Specific applications such as IIS, SQL Server, and Apache
  • Router and switch hosts

Microsoft Windows and UNIX Hosts
We create a measurement of risk that is comparable between different operating systems and applications. Each host is measured against the security practices from our methodology:

  • Account management and security
    • Password storage mechanisms for adequate restrictions
    • Password generation and management controls
    • Appropriate permissions for users' accounts
    • Unique accounts for all users
    • Identify domain or server account policies for password rules, login time restrictions, and intruder detection and lockout
    • Test password policy using password crackers, such as L0phtCrack or John the Ripper
  • File management and security
    • Correct permissions for system, application, data, and user files
    • Shares do not expose unnecessary data
    • Shares are restricted to appropriate users and groups
    • File integrity is monitored (Tripwire, MD5 Checksum, and others)
    • Anti-virus software is installed, up to date, and functioning
  • Patch level
    • An environment and procedure exist for testing patches before deploying to production systems
    • Security-related patches for the operating system have been applied
    • Security-related patches for applications have been applied
  • Network security
    • No unnecessary protocols are enabled
    • Only business-related services are running
    • Common services have been adequately secured (FTP, HTTP, Network File System, RPC services, X Windows)
    • Host-level firewall or other network access control mechanism is enabled, where appropriate
    • Modem security follows established policy
  • Logging and auditing
    • Default operating system auditing has been augmented
    • Applications are configured to generate log data, and log files are backed up
    • Logs are periodically assessed for suspicious activity
    • System times are synchronized with a central server
  • General security management
    • Ensure that applications are executed with a least-privilege concept
    • Check potential for start-up executables and scripts that may provide a backdoor vulnerability based on insecure permissions or implementation
    • Identify extent and type of trust relationships between domains
    • Identify extent and type of trust relationships between individual systems
  • Detection of previous intrusion
    • Look for the presence of common Trojans and backdoors
    • Check suspicious file permissions
    • Check suspicious user accounts, such as an account that is unaudited, or has a blank password or excessive rights
  • External controls (where applicable)
    • Physical security
    • Backup strategy
    • UPS
    • Fire suppression
    • Environment (AC, humidity)

Host Application Assessment — Web & Database Servers
McAfee Strategic Security Services also assesses the installation and configuration of major applications such as Microsoft IIS and SQL Server. These applications often represent a high risk to the network because of their history of vulnerabilities and Internet connectivity. In addition to the above, these assessments include a review of:

  • Secure configuration
  • Separation of privileges
  • Recommended practices
  • Logging and auditing

Router and Switch Host Assessment
These assessments begin with the methodology described above to assess the configuration of the underlying host. Additional checks are performed to assess the particular function of the router and switch. The methodology targets high-level concepts by tracking the following specific, detailed points:

  • Access control lists that restrict packet flow
  • Configurations to prevent or minimize spoofing attacks
  • Filtering rules that restrict traffic destined for the router or firewall
  • Check authentication methods for remote and local access, and determine the adequacy of these controls
  • Determine whether per-port security is enabled to eliminate unauthorized spanning, where applicable (Cisco switches)
  • Examine authentication mechanisms for routing table updates
  • Examine routes, especially static ones, for security concerns
  • Examine the adequacy and security of logging configurations
  • Ensure installation of recent software updates
  • Examine hosts for unnecessary services; check services configuration for appropriate security controls

McAfee Strategic Security Services' methodology not only points out specific areas that should be addressed to reduce a host’s risk exposure, it also provides recommendations for how to raise the baseline for deploying servers. These risk-reduction recommendations protect the system from known vulnerabilities and often eliminate exposure to zero-day exploits, which reduces the scope of a compromise.