The premise of the hack-proofing session was that there is no way to stop a determined attacker outright, but you can make the attack harder, slower and noisier, so that it costs more and gets noticed.
Quick tips on how to harden a server or workstation:
- Use the Server Core installation of Windows Server 2008 R2: no Explorer shell and far fewer installed components, which means a smaller attack surface and fewer patches to apply.
- Use AppLocker (Windows 7 Enterprise/Ultimate and Server 2008 R2), the successor to Software Restriction Policies, for granular rules on which executables, scripts, installers and DLLs may run. It only enforces while the Application Identity service is running.
- Use biometrics or smart cards, to go beyond a simple password for access
- Use strong passwords, 8 or more characters as a minimum (longer passphrases raise the cracking cost far more than extra symbols), and audit password strength by cracking your own hashes with Cain & Abel or Password Auditor.
- Stop storing LAN Manager (LM) hashes on Windows XP and Windows Server 2003, where they are kept by default: enable the policy "Network security: Do not store LAN Manager hash value on next password change" (the NoLMHash registry value). Existing LM hashes only disappear when each password is next changed, so force a change afterwards. Vista and later do not store them by default.
- Run SQL Server and IIS application pools under a managed service account or a virtual account (both new in Server 2008 R2) rather than LocalSystem or a shared administrative account, so a compromised service gets only the rights it needs.
- Use UAC; Server 2008 R2, like Windows 7, exposes the four-level UAC slider instead of Vista's on/off switch, so you can keep prompts on the secure desktop without the constant nagging.
- Use the Server 2008 R2 auditing capabilities (per-subcategory audit policy via auditpol, plus the new Global Object Access Auditing) and actually watch your security logs; an audit trail nobody reads is not a control.
- Run the Security Configuration Wizard (scw.exe) to build a role-based policy and disable services the server does not need.
- Use BitLocker for full-volume encryption, backed by a TPM where the hardware has one; add a PIN or startup key so a stolen machine cannot simply boot to the logon screen with the key already released.
- Use Server 2008 R2 Network Access Protection (NAP) to keep machines that fail health checks (patches, antivirus, firewall) off the network until they are remediated.
- Run the Microsoft Baseline Security Analyzer (MBSA) on every server to find missing patches and common misconfigurations.
- Be aware of social engineering. Resource: http://social-engineering.org. Quote of the day: "there is no patch for human stupidity".
- Be aware of the threat landscape; review online resources such as the Microsoft Security Intelligence Report.
- Additional resources: http://network-tools.com, http://vulnerabilityassessment.co.uk, http://www.gfi.com/network-security-vulnerability-scanner
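Most of the tips above correspond to settings you can verify from an elevated prompt. The script below is an added example, not from the session, that audits a Windows 7 / Server 2008 R2 box read-only against those tips: LM hash storage and NTLM level, UAC, local password policy, BitLocker on the system drive, AppLocker rules, the logon audit subcategory, and the count of auto-start services to review against the SCW output. The "expected" values it compares against (NoLMHash = 1, LmCompatibilityLevel of 3 or higher, UAC prompting on the secure desktop, an 8-character minimum with complexity on) are assumptions for a baseline; change them to match your own policy. It assumes English output from net, secedit, manage-bde and auditpol, and PowerShell 2.0 or later.

```powershell
# Added example (not from the session): read-only hardening audit for Windows 7 / Server 2008 R2.
# Run from an elevated PowerShell prompt. Reports only; changes nothing.
# Expected values below are this example's assumed baseline, not a Microsoft recommendation list.

$results = @()
function Add-Result($check, $value, $ok) {
    $script:results += New-Object PSObject -Property @{
        Check = $check; Value = $value; Status = $(if ($ok) { 'OK' } else { 'REVIEW' })
    }
}
function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name } else { return $null }
}

# 1. LM hashes and NTLM level. NoLMHash=1 stops new LM hashes being stored (existing ones go
#    only when the password is next changed). LmCompatibilityLevel 3+ sends NTLMv2 only.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$noLm = Get-RegValue $lsa 'NoLMHash'
Add-Result 'NoLMHash' $noLm ($noLm -eq 1)
$lmCompat = Get-RegValue $lsa 'LmCompatibilityLevel'
Add-Result 'LmCompatibilityLevel' $lmCompat ($lmCompat -ge 3)

# 2. UAC: enabled, admins are prompted (0 = elevate silently), prompt on the secure desktop.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = Get-RegValue $pol 'EnableLUA'
Add-Result 'EnableLUA' $lua ($lua -eq 1)
$consent = Get-RegValue $pol 'ConsentPromptBehaviorAdmin'
Add-Result 'ConsentPromptBehaviorAdmin' $consent ($consent -ne 0)
$secure = Get-RegValue $pol 'PromptOnSecureDesktop'
Add-Result 'PromptOnSecureDesktop' $secure ($secure -eq 1)

# 3. Local password policy: minimum length from 'net accounts', complexity from a secedit export.
$net = net accounts
$minLen = [int]((($net | Select-String 'Minimum password length').Line) -replace '[^0-9]', '')
Add-Result 'Minimum password length' $minLen ($minLen -ge 8)
$tmp = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $tmp /quiet | Out-Null
$complex = $null
foreach ($line in Get-Content $tmp) {
    if ($line -match '^PasswordComplexity\s*=\s*(\d)') { $complex = [int]$matches[1] }
}
Remove-Item $tmp -ErrorAction SilentlyContinue
Add-Result 'PasswordComplexity' $complex ($complex -eq 1)

# 4. BitLocker on the system drive (manage-bde exists only if the BitLocker feature is installed).
if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    $status = (manage-bde -status $env:SystemDrive | Select-String 'Protection Status').Line.Trim()
    Add-Result 'BitLocker (system drive)' $status ($status -match 'Protection On')
} else {
    Add-Result 'BitLocker (system drive)' 'manage-bde not present' $false
}

# 5. AppLocker: count effective rules and check the Application Identity service is running.
$rules = 0
if (Get-Module -ListAvailable AppLocker) {
    Import-Module AppLocker
    $policy = Get-AppLockerPolicy -Effective
    foreach ($rc in $policy.RuleCollections) { $rules += ($rc | Measure-Object).Count }
}
$appId = Get-Service AppIDSvc -ErrorAction SilentlyContinue
$appIdRunning = ($appId -ne $null -and $appId.Status -eq 'Running')
Add-Result 'AppLocker rules (effective)' $rules ($rules -gt 0 -and $appIdRunning)
Add-Result 'AppIDSvc running' $appIdRunning $appIdRunning

# 6. Auditing: the Logon subcategory should at least record successes (English auditpol output).
$logonAudit = (auditpol /get /category:* | Select-String '^\s+Logon\s').Line.Trim()
Add-Result 'Audit: Logon subcategory' $logonAudit ($logonAudit -match 'Success')

# 7. Auto-start services: always flagged for review against what SCW says this role needs.
$auto = @(Get-WmiObject Win32_Service -Filter "StartMode='Auto'")
Add-Result 'Auto-start services (review list)' $auto.Count $false

$results | Format-Table Check, Value, Status -AutoSize
$auto | Sort-Object Name | Format-Table Name, State, PathName -AutoSize
```

A REVIEW status is a prompt to look, not a verdict: the service list in particular has no safe generic baseline, which is why the SCW asks about roles before it disables anything. Save the output from a freshly built server and diff it against later runs to catch drift.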

