Awesome Security Hardening
A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources. This is a work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets or by forking, editing and sending pull requests.
Security Hardening Guides and Best Practices
Hardening Guide Collections
- CIS Benchmarks (registration required)
- ANSSI Best Practices
- NSA Security Configuration Guidance
- NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
- US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
- OpenSCAP Security Policies
- Australian Cyber Security Centre (ACSC) Publications
- FIRST Best Practice Guide Library (BPGL)
- Harden the World – a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now).
GNU/Linux
- ANSSI – Configuration recommendations of a GNU/Linux system
- CIS Benchmark for Distribution Independent Linux
- trimstray – The Practical Linux Hardening Guide – practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7.
- trimstray – Linux Hardening Checklist – most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide)
- How To Secure A Linux Server – for a single Linux server at home
- nixCraft – 40 Linux Server Hardening Security Tips (2019 edition)
- nixCraft – Tips To Protect Linux Servers Physical Console Access
- TecMint – 4 Ways to Disable Root Account in Linux
- ERNW – IPv6 Hardening Guide for Linux Servers
- trimstray – Iptables Essentials: Common Firewall Rules and Commands
- Neo23x0/auditd – Best Practice Auditd Configuration
Red Hat Enterprise Linux – RHEL
- Red Hat – A Guide to Securing Red Hat Enterprise Linux 7
- DISA STIGs – Red Hat Enterprise Linux 7 (2019)
- CIS Benchmark for Red Hat Linux
- nixCraft – How to set up a firewall using FirewallD on RHEL 8
CentOS
SUSE
- SUSE Linux Enterprise Server 12 SP4 Security Guide
- SUSE Linux Enterprise Server 12 Security and Hardening Guide
Ubuntu
Windows
- Microsoft – Windows security baselines
- Microsoft – Windows Server Security | Assurance
- Microsoft – Windows 10 Enterprise Security
- BSI/ERNW – Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities (2021) – focused on Windows 10 LTSC 2019
- ACSC – Hardening Microsoft Windows 10, version 1709, Workstations
- ACSC – Securing PowerShell in the Enterprise
- Awesome Windows Domain Hardening
- Microsoft – How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
- Microsoft recommended block rules – List of applications or files that can be used by an attacker to circumvent application whitelisting policies
- ERNW – IPv6 Hardening Guide for Windows Servers
- NSA – AppLocker Guidance – Configuration guidance for implementing application whitelisting with AppLocker
- NSA – Pass the Hash Guidance – Configuration guidance for implementing Pass-the-Hash mitigations (Archived)
- NSA – BitLocker Guidance – Configuration guidance for implementing disk encryption with BitLocker
- NSA – Event Forwarding Guidance – Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding
- Windows Defense in Depth Strategies – work in progress
- Endpoint Isolation with the Windows Firewall based on Jessica Payne’s ‘Demystifying the Windows Firewall’ talk from Ignite 2016
See also Active Directory and ADFS below.
macOS
Network Devices
- NSA – Harden Network Devices – very short but good summary
Switches
Routers
IPv6
- ERNW – Developing an Enterprise IPv6 Security Strategy Part 1, Part 2, Part 3, Part 4 – Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
- see also IPv6 links under GNU/Linux, Windows and macOS
Firewalls
- NIST SP 800-41 Rev 1 – Guidelines on Firewalls and Firewall Policy (2009)
- trimstray – Iptables Essentials: Common Firewall Rules and Commands
Virtualization – VMware
- VMware Security Hardening Guides – covers most VMware products and versions
- CIS VMware ESXi 6.5 Benchmark (2018)
- DISA STIGs – Virtualisation – VMware vSphere 6.0 and 5
- ENISA – Security aspects of virtualization – generic, high-level best practices for virtualization and containers (Feb 2017)
- NIST SP 800-125 – Guide to Security for Full Virtualization Technologies – (2011)
- NIST SP 800-125A Revision 1 – Security Recommendations for Server-based Hypervisor Platforms (2018)
- NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection (2016)
- ANSSI – Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi – for VMware 5.5 (2016), in French
- ANSSI – Problématiques de sécurité associées à la virtualisation des systèmes d’information (2013), in French
Containers – Docker
- How To Harden Your Docker Containers
- CIS Docker Benchmarks – registration required
- NIST SP 800-190 – Application Container Security Guide
- A Practical Introduction to Container Security
- ANSSI – Recommandations de sécurité relatives au déploiement de conteneurs Docker (2020), in French
Services
SSH
- NIST IR 7966 – Security of Interactive and Automated Access Management Using Secure Shell (SSH)
- ANSSI – (Open)SSH secure use recommendations
- Linux Audit – OpenSSH security and hardening
- Positron Security SSH Hardening Guides (2017-2018) – focused on crypto algorithms
- stribika – Secure Secure Shell (2015) – some algorithm recommendations might be slightly outdated
- Applied Crypto Hardening: bettercrypto.org – handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
- IETF – Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 (since published as RFC 9142) – update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250.
- Gravitational – How to SSH Properly – how to configure SSH to use certificates and two-factor authentication
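The SSH guides above (Positron, stribika, bettercrypto, ssh-audit) boil down to a handful of checks on the server's effective configuration. The script below is an added example written for this list; it is not code from any of those guides or from ssh-audit. It parses the output of `sshd -T` (the effective configuration, printed as lowercase "keyword value" lines) and flags legacy key-exchange, cipher and MAC algorithms plus a few risky options. The weak-algorithm sets are this example's own illustrative selection, not an authoritative list, and the sample dump is constructed.

```python
"""Flag weak algorithms and risky options in an OpenSSH server's effective
configuration (added example; not code from the guides linked above or from
ssh-audit). Input is `sshd -T` output. Against a live host:
    sshd -T | python3 sshd_audit.py
"""
import re
import sys

# This example's own selection of algorithms the hardening guides tell you to
# retire (SHA-1 key exchange, CBC/legacy ciphers, MD5/SHA-1/truncated MACs).
# Illustrative, not exhaustive or authoritative.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
WEAK_CIPHER_RE = re.compile(r"(-cbc$|^3des-|^arcfour|^blowfish-|^cast128-)")
WEAK_MAC_RE = re.compile(r"(md5|sha1|-96$|^umac-64)")

# Boolean options that should not be "yes" on a hardened server.
RISKY_YES = {
    "permitrootlogin": "root should log in via sudo from a named account",
    "passwordauthentication": "prefer keys (or certificates) over passwords",
    "permitemptypasswords": "never accept empty passwords",
    "x11forwarding": "X11 forwarding widens the server's attack surface",
}

# Constructed sample of `sshd -T` output for the example.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
x11forwarding yes
maxauthtries 6
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-md5-96
"""


def parse_sshd_t(text):
    """Parse `sshd -T` output into {keyword: [values...]}.

    Keywords such as hostkey may repeat, so every keyword maps to a list.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        conf.setdefault(keyword.lower(), []).append(value.strip())
    return conf


def _weak_members(conf, keyword, is_weak):
    """Return the comma-separated entries of `keyword` that `is_weak` flags."""
    members = []
    for value in conf.get(keyword, []):
        members.extend(v for v in value.split(",") if v)
    return [m for m in members if is_weak(m)]


def audit(conf):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    for keyword, is_weak in (
        ("kexalgorithms", WEAK_KEX.__contains__),
        ("ciphers", lambda c: WEAK_CIPHER_RE.search(c) is not None),
        ("macs", lambda m: WEAK_MAC_RE.search(m) is not None),
    ):
        weak = _weak_members(conf, keyword, is_weak)
        if weak:
            findings.append(f"{keyword}: weak algorithms enabled: {', '.join(weak)}")
    for path in conf.get("hostkey", []):
        if "dsa" in path.lower():
            findings.append(f"hostkey: DSA host key configured ({path}); "
                            "DSA is 1024-bit only and disabled by default in current OpenSSH")
    for keyword, reason in RISKY_YES.items():
        if conf.get(keyword, ["no"])[0].lower() == "yes":
            findings.append(f"{keyword} yes: {reason}")
    return findings


if __name__ == "__main__":
    # Read a real `sshd -T` dump from a pipe, otherwise audit the sample.
    text = SAMPLE_SSHD_T if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(parse_sshd_t(text)):
        print("WARN", finding)
```

Run it on a real host as root (`sshd -T` needs to read the host keys). Because it reads the effective configuration rather than `sshd_config`, it also catches defaults and `Match` blocks that a plain file grep misses; ssh-audit (listed under Tools below) does the same from the network side by inspecting what the server actually offers.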
TLS/SSL
- NIST SP 800-52 Rev 2 (2nd draft) – Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations – 2018 draft, final version published in August 2019; recommends TLS 1.3
- Netherlands NCSC – IT Security Guidelines for Transport Layer Security (TLS) – 2019
- ANSSI – Security Recommendations for TLS – 2017, does not cover TLS 1.3
- Qualys SSL Labs – SSL and TLS Deployment Best Practices – 2017, does not cover TLS 1.3
- RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
- Applied Crypto Hardening: bettercrypto.org – handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
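The TLS guides above converge on the same criteria that RFC 7540 section 9.2.2 makes mandatory for HTTP/2: ephemeral key exchange and an AEAD cipher, with everything in Appendix A (static RSA/DH, CBC, RC4, 3DES, NULL, export and anonymous suites) excluded. The script below is an added example written for this list, not code from the RFC, Qualys, NCSC or ANSSI. Rather than embed the Appendix A table, it derives a verdict from the IANA suite name, so it also works for suites registered after the RFC; TLS 1.3 suites (`TLS_AES_*`, `TLS_CHACHA20_*`) are accepted unconditionally because they always use ephemeral key exchange and AEAD. The server's suite list is constructed for the example.

```python
"""Screen a server's cipher suite list against the criteria behind RFC 7540
Appendix A (added example; not code from the RFC or any guide linked above).
"""
import re

# Bulk-cipher part of an IANA suite name that denotes an AEAD mode.
AEAD_RE = re.compile(r"(^|_)(GCM|CCM|CCM_8|CHACHA20_POLY1305)(_|$)")
# Ciphers no current guide recommends, wherever they appear in the name.
LEGACY_CIPHER_RE = re.compile(r"_(RC4|3DES_EDE|DES|RC2|IDEA|SEED)_")
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")

# Constructed sample of what a server might advertise (IANA names, as printed
# by scanners such as the Qualys SSL Labs tools listed under Tools below).
SAMPLE_SERVER_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_RC4_128_MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]


def classify(suite):
    """Return the reasons a suite fails; an empty list means acceptable."""
    if suite.startswith(TLS13_PREFIXES):
        return []  # TLS 1.3: ephemeral key exchange and AEAD by construction
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return ["unrecognised IANA suite name"]
    kx, _, bulk = suite[len("TLS_"):].partition("_WITH_")
    reasons = []
    if "anon" in kx:
        reasons.append("anonymous key exchange (server not authenticated)")
    if not kx.startswith(("ECDHE_", "DHE_")):
        reasons.append("no forward secrecy (static RSA/DH key exchange)")
    if "EXPORT" in kx:
        reasons.append("export-grade key exchange")
    if bulk.startswith("NULL_"):
        reasons.append("NULL cipher (no confidentiality)")
    legacy = LEGACY_CIPHER_RE.search(suite)
    if legacy:
        reasons.append(f"legacy cipher {legacy.group(1)}")
    if not AEAD_RE.search(bulk):
        reasons.append("not an AEAD suite (CBC or stream cipher with separate MAC)")
    if bulk.endswith("_MD5"):
        reasons.append("MD5-based MAC")
    return reasons


def screen(suites):
    """Split a suite list into (accepted list, {rejected suite: reasons})."""
    accepted, rejected = [], {}
    for suite in suites:
        reasons = classify(suite)
        if reasons:
            rejected[suite] = reasons
        else:
            accepted.append(suite)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = screen(SAMPLE_SERVER_SUITES)
    print("keep:  ", ", ".join(ok))
    for suite, reasons in bad.items():
        print("drop:  ", suite, "->", "; ".join(reasons))
```

The accepted list is exactly what an HTTP/2-ready TLS 1.2 configuration should expose; feed the rejected names back into your server's cipher string to remove them. Note that passing this screen says nothing about certificate chains, key sizes or protocol versions, which the Qualys and NCSC guides cover separately.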
Web Servers
Apache HTTP Server
- Apache HTTP Server documentation – Security Tips
- GeekFlare – Apache Web Server Hardening and Security Guide
- Apache Config – Apache Security Hardening Guide
Apache Tomcat
- Apache Tomcat 9 Security Considerations / v8 / v7
- OWASP Securing tomcat
- How to get Tomcat 9 to work with authbind to bind to port 80
Eclipse Jetty
Microsoft IIS
Active Directory
- Microsoft – Best Practices for Securing Active Directory
- ANSSI CERT-FR – Active Directory Security Assessment Checklist – 2020 (English and French versions)
- “Admin Free” Active Directory and Windows, Part 1 – Understanding Privileged Groups in AD
- “Admin Free” Active Directory and Windows, Part 2 – Protected Accounts and Groups in Active Directory
ADFS
- adsecurity.org – Securing Microsoft Active Directory Federation Server (ADFS)
- Microsoft – Best practices for securing Active Directory Federation Services
Kerberos
LDAP
- OpenLDAP Software 2.4 Administrator’s Guide – OpenLDAP Security Considerations
- Best Practices in LDAP Security (2011)
- LDAP: Hardening Server Security (so administrators can sleep at night)
- LDAP Authentication Best Practices – retrieved from web.archive.org
- Hardening OpenLDAP on Linux with AppArmor and systemd – slides
- zytrax LDAP for Rocket Scientists – LDAP Security
- How To Encrypt OpenLDAP Connections Using STARTTLS
DNS
- CIS – BIND DNS Server 9.9 Benchmark (2017)
- DISA STIGs – BIND 9.x (2019)
- NIST SP 800-81-2 – Secure Domain Name System (DNS) Deployment Guide (2013)
- CMU SEI – Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure
- NSA BIND 9 DNS Security (2011)
NTP
- IETF – Network Time Protocol Best Current Practices draft-ietf-ntp-bcp (last draft #13 in March 2019; published as RFC 8633 in July 2019)
- CMU SEI – Best Practices for NTP Services
- Linux.com – Arrive On Time With NTP — Part 2: Security Options
- Linux.com – Arrive On Time With NTP — Part 3: Secure Setup
NFS
- Linux NFS-HOWTO – Security and NFS – a good overview of NFS security issues and some mitigations
- Red Hat – A Guide to Securing Red Hat Enterprise Linux 7 – Securing NFS
- Red Hat – RHEL7 Storage Administration Guide – Securing NFS
- NFSv4 without Kerberos and permissions – why NFSv4 without Kerberos does not provide security
- CertDepot – RHEL7: Use Kerberos to control access to NFS network shares
CUPS
Authentication – Passwords
- UK NCSC – Password administration for system owners
- NIST SP 800-63 Digital Identity Guidelines
- OWASP Password Storage Cheat Sheet
Hardware – CPU – BIOS – UEFI
- ANSSI – Hardware security requirements for x86 platforms – recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
- NSA – Hardware and Firmware Security Guidance – Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance.
- NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
- NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)
Cloud
- NSA Info Sheet: Cloud Security Basics (August 2018)
- DISA DoD Cloud Computing Security
- asecure.cloud – Build a Secure Cloud – A free repository of customizable AWS security configurations and best practices
Tools
Tools to check security hardening
- Chef InSpec – open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. Can run on Windows and many Linux distributions.
GNU/Linux
- Lynis – script to check the configuration of Linux hosts
- OpenSCAP Base – oscap command line tool
- SCAP Workbench – GUI for oscap
- Tiger – The Unix security audit and intrusion detection tool (might be outdated)
- otseca – Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
- SUDO_KILLER – A tool to identify sudo rules’ misconfigurations and vulnerabilities within sudo
- CIS Benchmarks Audit – bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)
Windows
- Microsoft Security Compliance Toolkit 1.0 – set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
- Microsoft DSC Environment Analyzer (DSCEA) – simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
- HardeningAuditor – Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
- PingCastle – Tool to check the security of Active Directory
Network Devices
- Nipper-ng – to check the configuration of network devices (does not seem to be updated)
TLS/SSL
- Qualys SSL Labs – List of tools to assess TLS/SSL servers and clients
- SSL Decoder – checks the SSL/TLS configuration of a server
SSH
- ssh-audit – SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
Hardware – CPU – BIOS – UEFI
- CHIPSEC: Platform Security Assessment Framework – framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components
- chipsec-check – Tools to generate a Debian Linux distribution with chipsec to test hardware requirements
Docker
- Docker Bench for Security – script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.
Cloud
- toniblyx/my-arsenal-of-aws-security-tools – List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Tools to apply security hardening
- DevSec Hardening Framework – a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet
GNU/Linux
- Linux Server Hardener – for Debian/Ubuntu (2019)
- Bastille Linux – outdated
Windows
- Microsoft Security Compliance Toolkit 1.0 – set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
- Hardentools – for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
- Windows 10 Hardening – A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
- Disassembler0 Windows 10 Initial Setup Script – PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
- Automated-AD-Setup – A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
- mackwage/windows_hardening.cmd – Script to perform some hardening of Windows 10
TLS/SSL
Cloud
- toniblyx/my-arsenal-of-aws-security-tools – List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Password Generators
- How-To Geek – 10 Ways to Generate a Random Password from the Linux Command Line
- Vitux – 8 Ways to Generate a Random Password on Linux Shell
- SS64 – Password security and a comparison of Password Generators
Other Awesome Lists
- Awesome Cybersecurity Blue Team – A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
Other Awesome Security Lists
(borrowed from Awesome Security)
- Awesome Security – A collection of awesome software, libraries, documents, books, resources and cool stuff about security.
- Android Security Awesome – A collection of android security related resources.
- Awesome CTF – A curated list of CTF frameworks, libraries, resources and software.
- Awesome Cyber Skills – A curated list of hacking environments where you can train your cyber skills legally and safely.
- Awesome Hacking – A curated list of awesome Hacking tutorials, tools and resources.
- Awesome Honeypots – An awesome list of honeypot resources.
- Awesome Malware Analysis – A curated list of awesome malware analysis tools and resources.
- Awesome PCAP Tools – A collection of tools developed by other researchers in the Computer Science area to process network traces.
- Awesome Pentest – A collection of awesome penetration testing resources, tools and other shiny things.
- Awesome Linux Containers – A curated list of awesome Linux Containers frameworks, libraries and software.
- Awesome Incident Response – A curated list of resources for incident response.
- Awesome Web Hacking – This list is for anyone wishing to learn about web application security but do not have a starting point.
- Awesome Threat Intelligence – A curated list of threat intelligence resources.
- Awesome Pentest Cheat Sheets – Collection of the cheat sheets useful for pentesting
- Awesome Industrial Control System Security – A curated list of resources related to Industrial Control System (ICS) security.
- Awesome YARA – A curated list of awesome YARA rules, tools, and people.
- Awesome Threat Detection and Hunting – A curated list of awesome threat detection and hunting resources.
- Awesome Container Security – A curated list of awesome resources related to container building and runtime security
- Awesome Crypto Papers – A curated list of cryptography papers, articles, tutorials and howtos.