Security Hardening

A collection of awesome security hardening software, libraries, learning tutorials & documents, e-books, best practices, checklists, benchmarks about hardening in Cybersecurity. Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.

What is Security Hardening?

Hardening, when applied to computing, is the practice of reducing a system’s vulnerability by reducing its attack surface.

Hardening may involve a reduction in attack vectors by culling the pathways, or vectors, attackers would use. It may range from adhering to blanket policies such as Zero Trust, the Principle of Least Privilege (PoLP), or Defense In Depth, but also manifest as certain task lists such as implementing workforce training, segmenting resources, automating security updates, resetting default passwords, hashing passwords, and ceasing to store or transmit data unless it is encrypted.

Table of Contents

• Security Hardening Guides and Best Practices
  • Hardening Guide Collections
  • GNU/Linux
    • Red Hat Enterprise Linux - RHEL
    • CentOS
    • SUSE
    • Ubuntu
  • Windows
  • macOS
  • Network Devices
    • Switches
    • Routers
    • IPv6
    • Firewalls
  • Virtualization - VMware
  • Containers - Docker
  • Services
    • SSH
    • TLS/SSL
    • Web Servers
      • Apache HTTP Server
      • Apache Tomcat
      • Eclipse Jetty
      • Microsoft IIS
    • Mail Servers
    • FTP Servers
    • Database Servers
    • Active Directory
    • ADFS
    • Kerberos
    • LDAP
    • DNS
    • NTP
    • NFS
    • CUPS
  • Authentication - Passwords
  • Hardware - CPU - BIOS - UEFI
  • Cloud
• Tools
  • Tools to check security hardening
    • GNU/Linux
    • Windows
    • Network Devices
    • TLS/SSL
    • SSH
    • Hardware - CPU - BIOS - UEFI
    • Docker
    • Cloud
  • Tools to apply security hardening
    • GNU/Linux
    • Windows
    • TLS/SSL
    • Cloud
  • Password Generators
• Books
• Other Awesome Lists
  • Other Awesome Security Lists

---

Security Hardening Guides and Best Practices

Hardening Guide Collections

• CIS Benchmarks (registration required)
• ANSSI Best Practices
• NSA Security Configuration Guidance
• NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
• US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
• OpenSCAP Security Policies
• Australian Cyber Security Center Publications
• FIRST Best Practice Guide Library (BPGL)
• Harden the World - a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now).

GNU/Linux

• ANSSI - Configuration recommendations of a GNU/Linux system
• CIS Benchmark for Distribution Independent Linux
• trimstray - The Practical Linux Hardening Guide - practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7.
• trimstray - Linux Hardening Checklist - most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide)
• How To Secure A Linux Server - for a single Linux server at home
• nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
• nixCraft - Tips To Protect Linux Servers Physical Console Access
• TecMint - 4 Ways to Disable Root Account in Linux
• ERNW - IPv6 Hardening Guide for Linux Servers
• trimstray - Iptables Essentials: Common Firewall Rules and Commands
• Neo23x0/auditd - Best Practice Auditd Configuration

### Red Hat Enterprise Linux - RHEL

• Red Hat - A Guide to Securing Red Hat Enterprise Linux 7
• DISA STIGs - Red Hat Enterprise Linux 7 (2019)
• CIS Benchmark for Red Hat Linux
• nixCraft - How to set up a firewall using FirewallD on RHEL 8

CentOS

• Lisenet - CentOS 7 Server Hardening Guide (2017)
• HighOn.Coffee - Security Harden CentOS 7 (2015)

SUSE

• SUSE Linux Enterprise Server 12 SP4 Security Guide
• SUSE Linux Enterprise Server 12 Security and Hardening Guide

Ubuntu

• Ubuntu documentation - Security
• Ubuntu wiki - Security Hardening Features

Windows

• Microsoft - Windows security baselines
• Microsoft - Windows Server Security | Assurance
• Microsoft - Windows 10 Enterprise Security
• BSI/ERNW - Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities (2021) - focused on Windows 10 LTSC 2019
• ACSC - Hardening Microsoft Windows 10, version 21H1, Workstations
• ACSC - Securing PowerShell in the Enterprise
• Awesome Windows Domain Hardening
• Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
• Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
• ERNW - IPv6 Hardening Guide for Windows Servers
• NSA - AppLocker Guidance - Configuration guidance for implementing application whitelisting with AppLocker
• NSA - Pass the Hash Guidance - Configuration guidance for implementing Pass-the-Hash mitigations (Archived)
• NSA - BitLocker Guidance - Configuration guidance for implementing disk encryption with BitLocker
• NSA - Event Forwarding Guidance - Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding
• Windows Defense in Depth Strategies - work in progress
• Endpoint Isolation with the Windows Firewall based on Jessica Payne’s ‘Demystifying the Windows Firewall’ talk from Ignite 2016

See also Active Directory and ADFS below.

macOS

• ERNW - IPv6 Hardening Guide for OS-X

Network Devices

• NSA - Harden Network Devices - very short but good summary

Switches

• DISA - Layer 2 Switch SRG

Routers

• NSA - A Guide to Border Gateway Protocol (BGP) Best Practices

IPv6

• ERNW - Developing an Enterprise IPv6 Security Strategy Part 1, Part 2, Part 3, Part 4 - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
• see also IPv6 links under GNU/Linux, Windows and macOS

Firewalls

• NIST SP 800-41 Rev 1 - Guidelines on Firewalls and Firewall Policy (2009)
• trimstray - Iptables Essentials: Common Firewall Rules and Commands

Virtualization - VMware

• VMware Security Hardening Guides - covers most VMware products and versions
• CIS VMware ESXi 6.5 Benchmark (2018)
• DISA STIGs - Virtualisation - VMware vSphere 6.0 and 5
• ENISA - Security aspects of virtualization - generic, high-level best practices for virtualization and containers (Feb 2017)
• NIST SP 800-125 - Guide to Security for Full Virtualization Technologies - (2011)
• NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms (2018)
• NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection (2016)
• ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
• ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d’information (2013), in French

Containers - Docker

• How To Harden Your Docker Containers
• CIS Docker Benchmarks - registration required
• NIST SP 800-190 - Application Container Security Guide
• A Practical Introduction to Container Security
• ANSSI - Recommandations de sécurité relatives au déploiement de conteneurs Docker (2020), in French

Services

SSH

• NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
• ANSSI - (Open)SSH secure use recommendations
• Linux Audit - OpenSSH security and hardening
• Positron Security SSH Hardening Guides (2017-2018) - focused on crypto algorithms
• stribika - Secure Secure Shell (2015) - some algorithm recommendations might be slightly outdated
• Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
• IETF - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 - update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250.
• Gravitational - How to SSH Properly - how to configure SSH to use certificates and two-factor authentication

TLS/SSL

• NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
• Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2019
• ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
• Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
• RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
• Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)

Web Servers

• Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd

Apache HTTP Server

• Apache HTTP Server documentation - Security Tips
• GeekFlare - Apache Web Server Hardening and Security Guide
• Apache Config - Apache Security Hardening Guide

Apache Tomcat

• Apache Tomcat 9 Security Considerations / v8 / v7
• OWASP Securing tomcat
• How to get Tomcat 9 to work with authbind to bind to port 80

Eclipse Jetty

• Eclipse Jetty - Configuring Security
• Jetty hardening (2015)

Microsoft IIS

• CIS Microsoft IIS Benchmarks

Mail Servers

FTP Servers

Database Servers

Active Directory

• Microsoft - Best Practices for Securing Active Directory
• ANSSI CERT-FR - Active Directory Security Assessment Checklist - 2020 (English and French versions)
• "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
• "Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory

ADFS

• adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS)
• Microsoft - Best practices for securing Active Directory Federation Services

Kerberos

• CIS MIT Kerberos 1.10 Benchmark - 2012

LDAP

• OpenLDAP Software 2.4 Administrator's Guide - OpenLDAP Security Considerations
• Best Practices in LDAP Security (2011)
• LDAP: Hardening Server Security (so administrators can sleep at night)
• LDAP Authentication Best Practices - retrieved from web.archive.org
• Hardening OpenLDAP on Linux with AppArmor and systemd - slides
• zytrax LDAP for Rocket Scientists - LDAP Security
• How To Encrypt OpenLDAP Connections Using STARTTLS

DNS

• CIS - BIND DNS Server 9.9 Benchmark (2017)
• DISA STIGs - BIND 9.x (2019)
• NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide (2013)
• CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure
• NSA BIND 9 DNS Security (2011)

NTP

• IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp (last draft #13 in March 2019)
• CMU SEI - Best Practices for NTP Services
• Linux.com - Arrive On Time With NTP -- Part 2: Security Options
• Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup

NFS

• Linux NFS-HOWTO - Security and NFS - a good overview of NFS security issues and some mitigations
• Red Hat - A Guide to Securing Red Hat Enterprise Linux 7 - Securing NFS
• Red Hat - RHEL7 Storage Administration Guide - Securing NFS
• NFSv4 without Kerberos and permissions - why NFSv4 without Kerberos does not provide security
• CertDepot - RHEL7: Use Kerberos to control access to NFS network shares

CUPS

• CUPS Server Security

Authentication - Passwords

• UK NCSC - Password administration for system owners
• NIST SP 800-63 Digital Identity Guidelines
• OWASP Password Storage Cheat Sheet

Hardware - CPU - BIOS - UEFI

• ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
• NSA - Hardware and Firmware Security Guidance - Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance.
• NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
• NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)

Cloud

• NSA Info Sheet: Cloud Security Basics (August 2018)
• DISA DoD Cloud Computing Security
• asecure.cloud - Build a Secure Cloud - A free repository of customizable AWS security configurations and best practices

Tools

Tools to check security hardening

• Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. can run on Windows and many Linux distributions.

GNU/Linux

• Lynis - script to check the configuration of Linux hosts
• OpenSCAP Base - oscap command line tool
• SCAP Workbench - GUI for oscap
• Tiger - The Unix security audit and intrusion detection tool (might be outdated)
• otseca - Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
• SUDO_KILLER - A tool to identify sudo rules' misconfigurations and vulnerabilities within sudo
• CIS Benchmarks Audit - bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)

Windows

• Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
• Microsoft DSC Environment Analyzer (DSCEA) - simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
• HardeningAuditor - Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
• PingCastle - Tool to check the security of Active Directory

Network Devices

• Nipper-ng - to check the configuration of network devices (does not seem to be updated)

TLS/SSL

• Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients
• SSL Decoder - checks the SSL/TLS configuration of a server

SSH

• ssh-audit - SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Hardware - CPU - BIOS - UEFI

• CHIPSEC: Platform Security Assessment Framework - framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components
• chipsec-check - Tools to generate a Debian Linux distribution with chipsec to test hardware requirements

Docker

• Docker Bench for Security - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Cloud

• toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Tools to apply security hardening

• DevSec Hardening Framework - a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet

GNU/Linux

• Linux Server Hardener - for Debian/Ubuntu (2019)
• Bastille Linux - outdated

Windows

• Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
• Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
• Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
• Disassembler0 Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
• Automated-AD-Setup - A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
• mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10

TLS/SSL

• Mozilla SSL Configuration Generator

Cloud

• toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Password Generators

• How-To Geek - 10 Ways to Generate a Random Password from the Linux Command Line
• Vitux - 8 Ways to Generate a Random Password on Linux Shell
• SS64 - Password security and a comparison of Password Generators

Other Awesome Security Lists

• Cybersecurity Android Security - A collection of android security related resources.
• Cybersecurity macOS & iOS Security - A collection of macOS and iOS security related resources.
• Cybersecurity ARM Exploitation - A curated list of Windows & ARM exploitation resources.
• Cybersecurity CTF - A curated list of CTF frameworks, libraries, resources and software.
• Awesome Cyber Skills - A curated list of hacking environments where you can train your cyber skills legally and safely.
• Awesome Personal Security - A curated list of digital security and privacy tips, with links to further resources.
• Cybersecurity Data Privacy - A curated list of digital security and privacy tips, with links to further resources.
• Awesome Honeypots - An awesome list of honeypot resources.
• Cybersecurity Malware Analysis - A curated list of awesome malware analysis tools and resources.
• Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
• Cybersecurity Penetration Testing - A collection of awesome penetration testing resources, tools and other shiny things.
• Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
• Cybersecurity Incident Response - A curated list of resources for incident response.
• Awesome Web Hacking - This list is for anyone wishing to learn about web application security but do not have a starting point.
• Cybersecurity Hacking - A curated list of awesome Hacking tutorials, tools and resources
• Awesome Electron.js Hacking - A curated list of awesome resources about Electron.js (in)security
• Cybersecurity Threat Intelligence - A curated list of threat intelligence resources.
• Cybersecurity Threat Detection - A curated list of threat modeling resources.
• Cybersecurity Cryptography - A curated list of cryptography resources.
• Awesome Pentest Cheat Sheets - Collection of the cheat sheets useful for pentesting
• Cybersecurity Industrial Control System Security - A curated list of resources related to Industrial Control System (ICS) security.
• Awesome YARA - A curated list of awesome YARA rules, tools, and people.
• Cybersecurity Threat Detection and Hunting - A curated list of awesome threat detection and hunting resources.
• Cybersecurity Container Security - A curated list of awesome resources related to container building and runtime security
• Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.
• Awesome Shodan Search Queries - A collection of interesting, funny, and depressing search queries to plug into Shodan.io.
• Cybersecurity Digital Forensics - A collection of awesome tools used to counter forensics activities.
• Awesome Security Talks & Videos - A curated list of awesome security talks, organized by year and then conference.

^ back to top ^

License

MIT License & cc license

This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.