markdown-body entry-content container-lg" itemprop="text">

awesome-security-hardening

A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources. This is work in progress: please contribute by sending your suggestions. You may do this by creating issue tickets or forking, editing and sending pull requests. You may also send suggestions on Twitter to @decalage2, or use https://www.decalage.info/contact

Security Hardening Guides and Best Practices
Tools
Books
Other Awesome Lists
- Other Awesome Security Lists

Security Hardening Guides and Best Practices

Hardening Guide Collections

CIS Benchmarks (registration required)
ANSSI Best Practices
NSA Security Configuration Guidance
NSA Cybersecurity Resources for Cybersecurity Professionals and NSA Cybersecurity publications
US DoD DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs)
OpenSCAP Security Policies
Australian Cyber Security Center Publications
FIRST Best Practice Guide Library (BPGL)
Harden the World - a collection of hardening guidelines for devices, applications and OSs (mostly Apple for now).

GNU/Linux

ANSSI - Configuration recommendations of a GNU/Linux system
CIS Benchmark for Distribution Independent Linux
trimstray - The Practical Linux Hardening Guide - practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7.
trimstray - Linux Hardening Checklist - most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide)
How To Secure A Linux Server - for a single Linux server at home
nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
nixCraft - Tips To Protect Linux Servers Physical Console Access
TecMint - 4 Ways to Disable Root Account in Linux
ERNW - IPv6 Hardening Guide for Linux Servers
trimstray - Iptables Essentials: Common Firewall Rules and Commands
Neo23x0/auditd - Best Practice Auditd Configuration

Red Hat Enterprise Linux - RHEL

CentOS

Lisenet - CentOS 7 Server Hardening Guide (2017)
HighOn.Coffee - Security Harden CentOS 7 (2015)

SUSE

Ubuntu

Windows

Microsoft - Windows security baselines
Microsoft - Windows Server Security | Assurance
Microsoft - Windows 10 Enterprise Security
BSI/ERNW - Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities (2021) - focused on Windows 10 LTSC 2019
ACSC - Hardening Microsoft Windows 10, version 21H1, Workstations
ACSC - Securing PowerShell in the Enterprise
Awesome Windows Domain Hardening
Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
ERNW - IPv6 Hardening Guide for Windows Servers
NSA - AppLocker Guidance - Configuration guidance for implementing application whitelisting with AppLocker
NSA - Pass the Hash Guidance - Configuration guidance for implementing Pass-the-Hash mitigations (Archived)
NSA - BitLocker Guidance - Configuration guidance for implementing disk encryption with BitLocker
NSA - Event Forwarding Guidance - Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding
Windows Defense in Depth Strategies - work in progress
Endpoint Isolation with the Windows Firewall based on Jessica Payne’s ‘Demystifying the Windows Firewall’ talk from Ignite 2016

See also Active Directory and ADFS below.

macOS

ERNW - IPv6 Hardening Guide for OS-X

Network Devices

NSA - Harden Network Devices (PDF) - very short but good summary

Switches

DISA - Layer 2 Switch SRG v2r1

Routers

NSA - A Guide to Border Gateway Protocol (BGP) Best Practices

IPv6

NSA - IPv6 Security Guidance (Jan 2023)
ERNW - Developing an Enterprise IPv6 Security Strategy Part 1, Part 2, Part 3, Part 4 - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks
see also IPv6 links under GNU/Linux, Windows and macOS

Firewalls

Virtualization - VMware

VMware Security Hardening Guides - covers most VMware products and versions
CIS VMware ESXi 6.5 Benchmark (2018)
DISA STIGs - Virtualisation - VMware vSphere 6.0 and 5
ENISA - Security aspects of virtualization - generic, high-level best practices for virtualization and containers (Feb 2017)
NIST SP 800-125 - Guide to Security for Full Virtualization Technologies - (2011)
NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms (2018)
NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection (2016)
ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d’information (2013), in French
VMware - Protecting vSphere From Specialized Malware (2022) - see also Mandiant - Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors

Containers - Docker - Kubernetes

Services

SSH

NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
ANSSI - (Open)SSH secure use recommendations
Linux Audit - OpenSSH security and hardening
Positron Security SSH Hardening Guides (2017-2018) - focused on crypto algorithms
stribika - Secure Secure Shell (2015) - some algorithm recommendations might be slightly outdated
Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)
IETF - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 - update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250.
Gravitational - How to SSH Properly - how to configure SSH to use certificates and two-factor authentication

TLS/SSL

NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2021
ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)

Web Servers

Cipherlist.eu - Strong Ciphers for Apache, nginx and Lighttpd

Apache HTTP Server

Apache Tomcat

Eclipse Jetty

Eclipse Jetty - Configuring Security
Jetty hardening (2015)

Microsoft IIS

CIS Microsoft IIS Benchmarks

Mail Servers

MDaemon - 15 Best Practices for Protecting Your Email - Generic recommandations but based on MDaemon Security Gateway for Email Servers

FTP Servers

JSCAPE - Guide for securing FTP - Generic recommandations but based on JSCAPE MFT Server

Database Servers

Netwrix - MS SQL Server Hardening Best Practices

Active Directory

ADFS

Kerberos

CIS MIT Kerberos 1.10 Benchmark - 2012

LDAP

DNS

NTP

NFS

Linux NFS-HOWTO - Security and NFS - a good overview of NFS security issues and some mitigations
Red Hat - A Guide to Securing Red Hat Enterprise Linux 7 - Securing NFS
Red Hat - RHEL7 Storage Administration Guide - Securing NFS
NFSv4 without Kerberos and permissions - why NFSv4 without Kerberos does not provide security
CertDepot - RHEL7: Use Kerberos to control access to NFS network shares

CUPS

CUPS Server Security

Authentication - Passwords

Hardware - CPU - BIOS - UEFI

ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
NSA - Hardware and Firmware Security Guidance - Guidance for the Spectre, Meltdown, Speculative Store Bypass, Rogue System Register Read, Lazy FP State Restore, Bounds Check Bypass Store, TLBleed, and L1TF/Foreshadow vulnerabilities as well as general hardware and firmware security guidance.
NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)

Cloud

NSA Info Sheet: Cloud Security Basics (August 2018)
DISA DoD Cloud Computing Security
asecure.cloud - Build a Secure Cloud - A free repository of customizable AWS security configurations and best practices

Tools

Tools to check security hardening

Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. can run on Windows and many Linux distributions.

GNU/Linux

Lynis - script to check the configuration of Linux hosts
OpenSCAP Base - oscap command line tool
SCAP Workbench - GUI for oscap
Tiger - The Unix security audit and intrusion detection tool (might be outdated)
otseca - Open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
SUDO_KILLER - A tool to identify sudo rules' misconfigurations and vulnerabilities within sudo
CIS Benchmarks Audit - bash script which performs tests against your CentOS system to give an indication of whether the running server may comply with the CIS v2.2.0 Benchmarks for CentOS (only CentOS 7 for now)

Windows

Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
Microsoft DSC Environment Analyzer (DSCEA) - simple implementation of PowerShell Desired State Configuration that uses the declarative nature of DSC to scan Windows OS based systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration
HardeningAuditor - Scripts for comparing Microsoft Windows compliance with the Australian ASD 1709 & Office 2016 Hardening Guides
PingCastle - Tool to check the security of Active Directory
MDE-AuditCheck - Tool to check that Windows audit settings are properly configured in the GPO for Microsoft Defender for Endpoint

Network Devices

Nipper-ng - to check the configuration of network devices (does not seem to be updated)

TLS/SSL

Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients
CryptoLyzer - Fast, flexible and comprehensive server cryptographic protocol (TLS, SSL, SSH, DNSSEC) and related setting (HTTP headers, DNS records) analyzer and fingerprint (JA3, HASSH tag) generator with Python API and CLI.
SSLyze - Fast and powerful SSL/TLS scanning library.
testssl.sh - Testing TLS/SSL encryption anywhere on any port

SSH

CryptoLyzer - Fast, flexible and comprehensive server cryptographic protocol (TLS, SSL, SSH, DNSSEC) and related setting (HTTP headers, DNS records) analyzer and fingerprint (JA3, HASSH tag) generator with Python API and CLI.
ssh-audit - SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Hardware - CPU - BIOS - UEFI

CHIPSEC: Platform Security Assessment Framework - framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components
chipsec-check - Tools to generate a Debian Linux distribution with chipsec to test hardware requirements

Docker

Docker Bench for Security - script that checks for dozens of common best-practices around deploying Docker containers in production, inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Cloud

toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Tools to apply security hardening

DevSec Hardening Framework - a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet

GNU/Linux

Linux Server Hardener - for Debian/Ubuntu (2019)
Bastille Linux - outdated

Windows

Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products
Hardentools - for Windows individual users (not corporate environments) at risk, who might want an extra level of security at the price of some usability.
Windows 10 Hardening - A collective resource of settings modifications (mostly opt-outs) that attempt to make Windows 10 as private and as secure as possible.
Disassembler0 Windows 10 Initial Setup Script - PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
Automated-AD-Setup - A PowerShell script that aims to have a fully configured domain built in under 10 minutes, but also apply security configuration and hardening
mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10

TLS/SSL

Mozilla SSL Configuration Generator

Cloud

toniblyx/my-arsenal-of-aws-security-tools - List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Password Generators

Books

Other Awesome Lists

Awesome Cybersecurity Blue Team - A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

Other Awesome Security Lists

(borrowed from Awesome Security)

Awesome Security - A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
Android Security Awesome - A collection of android security related resources.
Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
Awesome Cyber Skills - A curated list of hacking environments where you can train your cyber skills legally and safely.
Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
Awesome Honeypots - An awesome list of honeypot resources.
Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things.
Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
Awesome Incident Response - A curated list of resources for incident response.
Awesome Web Hacking - This list is for anyone wishing to learn about web application security but do not have a starting point.
Awesome Threat Intelligence - A curated list of threat intelligence resources.
Awesome Pentest Cheat Sheets - Collection of the cheat sheets useful for pentesting
Awesome Industrial Control System Security - A curated list of resources related to Industrial Control System (ICS) security.
Awesome YARA - A curated list of awesome YARA rules, tools, and people.
Awesome Threat Detection and Hunting - A curated list of awesome threat detection and hunting resources.
Awesome Container Security - A curated list of awesome resources related to container building and runtime security
Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.

awesome-security-hardening

Table of Contents

Security Hardening Guides and Best Practices

Hardening Guide Collections

GNU/Linux

Red Hat Enterprise Linux - RHEL

CentOS

SUSE

Ubuntu

Windows

macOS

Network Devices

Switches

Routers

IPv6

Firewalls

Virtualization - VMware

Containers - Docker - Kubernetes

Services

SSH

TLS/SSL

Web Servers

Apache HTTP Server

Apache Tomcat

Eclipse Jetty

Microsoft IIS

Mail Servers

FTP Servers

Database Servers

Active Directory

ADFS

Kerberos

LDAP

DNS

NTP

NFS

CUPS

Authentication - Passwords

Hardware - CPU - BIOS - UEFI

Cloud

Tools

Tools to check security hardening

GNU/Linux

Windows

Network Devices

TLS/SSL

SSH

Hardware - CPU - BIOS - UEFI

Docker

Cloud

Tools to apply security hardening

GNU/Linux

Windows

TLS/SSL

Cloud

Password Generators

Books

Other Awesome Lists

Other Awesome Security Lists

decalage2/awesome-security-hardening

About

Topics

Resources

Stars

Watchers

Forks

Contributors 8