A collection of awesome security hardening guides, best practices, tools and other resources. This is a work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets or forking, editing and sending pull requests. You may also send suggestions on Twitter to @decalage2, or use https://www.decalage.info/contact
Table of Contents
- Security Hardening Guides and Best Practices
- Hardening Guide Collections
- Network Devices
- Virtualization - VMware
- Containers - Docker
- Authentication - Passwords
- Hardware - BIOS - UEFI
- Other Awesome Lists
Security Hardening Guides and Best Practices
Hardening Guide Collections
- CIS Benchmarks (registration required)
- ANSSI Best Practices
- NSA Security Configuration Guidance
- NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
- US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
- OpenSCAP Security Policies
- Australian Cyber Security Center Publications
- FIRST Best Practice Guide Library (BPGL)
- ANSSI - Configuration recommendations of a GNU/Linux system
- CIS Benchmark for Distribution Independent Linux
- How To Secure A Linux Server - for a single Linux server at home
- nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
- nixCraft - Tips To Protect Linux Servers Physical Console Access
- TecMint - 4 Ways to Disable Root Account in Linux
- ERNW - IPv6 Hardening Guide for Linux Servers
Red Hat Enterprise Linux - RHEL
- Red Hat - A Guide to Securing Red Hat Enterprise Linux 7
- DISA STIGs - Red Hat Enterprise Linux 7 (2019)
- CIS Benchmark for Red Hat Linux
- nixCraft - How to set up a firewall using FirewallD on RHEL 8
- SUSE Linux Enterprise Server 12 SP4 Security Guide
- SUSE Linux Enterprise Server 12 Security and Hardening Guide
- Microsoft - Windows security baselines
- Microsoft - Windows Server Security | Assurance
- Microsoft - Windows 10 Enterprise Security
- ACSC - Hardening Microsoft Windows 10, version 1709, Workstations
- ACSC - Securing PowerShell in the Enterprise
- Awesome Windows Domain Hardening
- Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
- Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
- ERNW - IPv6 Hardening Guide for Windows Servers
Network Devices
- NSA - Harden Network Devices - very short but good summary
- ERNW - Developing an Enterprise IPv6 Security Strategy Part 1, Part 2, Part 3, Part 4 - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
- see also IPv6 links under GNU/Linux, Windows and macOS
Virtualization - VMware
- VMware Security Hardening Guides - covers most VMware products and versions
- CIS VMware ESXi 6.5 Benchmark (2018)
- DISA STIGs - Virtualisation - VMware vSphere 6.0 and 5
- ENISA - Security aspects of virtualization - generic, high-level best practices for virtualization and containers (Feb 2017)
- NIST SP 800-125 - Guide to Security for Full Virtualization Technologies - (2011)
- NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms (2018)
- NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection (2016)
- ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
Containers - Docker
- NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
- ANSSI - (Open)SSH secure use recommendations
- Linux Audit - OpenSSH security and hardening
- Positron Security SSH Hardening Guides - focused on crypto algorithms
- NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
- Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2019
- ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
- Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
- RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
Apache HTTP Server
- Apache HTTP Server documentation - Security Tips
- GeekFlare - Apache Web Server Hardening and Security Guide
- Apache Config - Apache Security Hardening Guide
- Apache Tomcat 9 Security Considerations / v8 / v7
- OWASP Securing tomcat
- How to get Tomcat 9 to work with authbind to bind to port 80
- Microsoft - Best Practices for Securing Active Directory
- "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
- "Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory
- adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS)
- Microsoft - Best practices for securing Active Directory Federation Services
- OpenLDAP Software 2.4 Administrator's Guide - OpenLDAP Security Considerations
- Best Practices in LDAP Security (2011)
- LDAP: Hardening Server Security (so administrators can sleep at night)
- LDAP Authentication Best Practices - retrieved from web.archive.org
- Hardening OpenLDAP on Linux with AppArmor and systemd - slides
- zytrax LDAP for Rocket Scientists - LDAP Security
- How To Encrypt OpenLDAP Connections Using STARTTLS
- CIS - BIND DNS Server 9.9 Benchmark (2017)
- DISA STIGs - BIND 9.x (2019)
- NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide (2013)
- CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure
- NSA BIND 9 DNS Security (2011)
- IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp (2019)
- CMU SEI - Best Practices for NTP Services
- Linux.com - Arrive On Time With NTP -- Part 2: Security Options
- Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup
- Linux NFS-HOWTO - Security and NFS - a good overview of NFS security issues and some mitigations
- Red Hat - A Guide to Securing Red Hat Enterprise Linux 7 - Securing NFS
- Red Hat - RHEL7 Storage Administration Guide - Securing NFS
- NFSv4 without Kerberos and permissions - why NFSv4 without Kerberos does not provide security
- CertDepot - RHEL7: Use Kerberos to control access to NFS network shares
Authentication - Passwords
Hardware - BIOS - UEFI
- NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
- NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)
Tools to check security hardening
- Lynis - script to check the configuration of Linux hosts
- OpenSCAP Base - oscap command line tool
- SCAP Workbench - GUI for oscap
- Tiger - The Unix security audit and intrusion detection tool (might be outdated)
- Nipper-ng - to check the configuration of network devices (does not seem to be updated)
- Docker Bench for Security - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.
Tools to apply security hardening
- Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
- Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
- Hardening Auditor - Scripts for comparing Microsoft Windows compliance with the ASD 1709 & Office 2016 Hardening Guides
- Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
Other Awesome Lists
(borrowed from Awesome Security)
Other Awesome Security Lists
- Awesome Security - A collection of awesome software, libraries, documents, books, resources and cool stuff about security.
- Android Security Awesome - A collection of android security related resources.
- Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
- Awesome Cyber Skills - A curated list of hacking environments where you can train your cyber skills legally and safely.
- Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
- Awesome Honeypots - An awesome list of honeypot resources.
- Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
- Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
- Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things.
- Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
- Awesome Incident Response - A curated list of resources for incident response.
- Awesome Web Hacking - This list is for anyone wishing to learn about web application security but who does not have a starting point.
- Awesome Threat Intelligence - A curated list of threat intelligence resources.
- Awesome Pentest Cheat Sheets - Collection of the cheat sheets useful for pentesting
- Awesome Industrial Control System Security - A curated list of resources related to Industrial Control System (ICS) security.
- Awesome YARA - A curated list of awesome YARA rules, tools, and people.
- Awesome Threat Detection and Hunting - A curated list of awesome threat detection and hunting resources.
- Awesome Container Security - A curated list of awesome resources related to container building and runtime security
- Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.