Security Hardening Resources

Security Hardening

Awesome Security Hardening


A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources. This is work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets or forking, editing and sending pull requests.

Security Hardening Guides and Best Practices

Hardening Guide Collections

GNU/Linux

Red Hat Enterprise Linux – RHEL

CentOS

SUSE

Ubuntu

Windows

See also Active Directory and ADFS below.

macOS

Network Devices

Switches

Routers

IPv6

  • ERNW – Developing an Enterprise IPv6 Security Strategy Part 1Part 2Part 3Part 4 – Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
  • see also IPv6 links under GNU/Linux, Windows and macOS

Firewalls

Virtualization – VMware

Containers – Docker

Services

SSH

TLS/SSL

Web Servers

Apache HTTP Server

Apache Tomcat

Eclipse Jetty

Microsoft IIS

Active Directory

ADFS

Kerberos

LDAP

DNS

NTP

NFS

CUPS

Authentication – Passwords

Hardware – CPU – BIOS – UEFI

Cloud

Tools

Tools to check security hardening

  • Chef InSpec – open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. can run on Windows and many Linux distributions.

GNU/Linux

  • Lynis – script to check the configuration of Linux hosts
  • OpenSCAP Base – oscap command line tool
  • SCAP Workbench – GUI for oscap
  • Tiger – The Unix security audit and intrusion detection tool (might be outdated)
  • otseca – Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
  • SUDO_KILLER – A tool to identify sudo rules’ misconfigurations and vulnerabilities within sudo
  • CIS Benchmarks Audit – bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)

Windows

  • Microsoft Security Compliance Toolkit 1.0 – set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Microsoft DSC Environment Analyzer (DSCEA) – simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
  • HardeningAuditor – Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
  • PingCastle – Tool to check the security of Active Directory

Network Devices

  • Nipper-ng – to check the configuration of network devices (does not seem to be updated)

TLS/SSL

SSH

  • ssh-audit – SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Hardware – CPU – BIOS – UEFI

Docker

  • Docker Bench for Security – script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Cloud

Tools to apply security hardening

GNU/Linux

Windows

  • Microsoft Security Compliance Toolkit 1.0 – set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
  • Hardentools – for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
  • Windows 10 Hardening – A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
  • Disassembler0 Windows 10 Initial Setup Script – PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
  • Automated-AD-Setup – A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
  • mackwage/windows_hardening.cmd – Script to perform some hardening of Windows 10

TLS/SSL

Cloud

Password Generators

Other Awesome Lists

Other Awesome Security Lists

(borrowed from Awesome Security)