8.9. Hardening Checks

8.9.1. Network Devices

  • Check that the firmware/system version is current and apply vendor patches promptly

  • Restrict access to sensitive services (management interfaces, SNMP, etc.) with IP/MAC allowlists

  • Use tiered (role-based) administrative privileges instead of a single shared admin level

  • Turn off unnecessary services

  • Enable operation logging (command and configuration-change logs) and send it to a central collector

  • Configure alerts for anomalous events

  • Disable ICMP responses that are not needed (echo, timestamp, redirects) while keeping the types that path MTU discovery depends on

8.9.2. Operating System

8.9.2.1. Linux

  • Check for unnecessary users and groups, and for any account other than root with UID 0

  • Check for accounts with an empty password field in /etc/shadow

  • User password policy
    • /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, PASS_WARN_AGE)

    • /etc/pam.d/system-auth (pam_pwquality for complexity, pam_faillock for lockout; Debian-based systems use /etc/pam.d/common-password and common-auth instead)

  • Sensitive file permissions
    • /etc/passwd (0644 root:root)

    • /etc/shadow (0640 root:shadow or 0000 root:root depending on the distribution; never readable by others)

    • ~/.ssh/ (0700; authorized_keys and private keys 0600)

    • /var/log/messages

    • /var/log/secure

    • /var/log/maillog

    • /var/log/cron

    • /var/log/spooler

    • /var/log/boot.log (log files should not be world-readable)

  • Check that logging is enabled (rsyslog or journald running, auditd where required)

  • Install security patches promptly

  • Auto-start
    • /etc/init.d (also systemd units enabled via systemctl list-unit-files --state=enabled, /etc/rc.local, and cron entries under /etc/cron* and in user crontabs)

  • Check that the system clock is synchronised (chrony, ntpd or systemd-timesyncd); log correlation and certificate validation depend on it
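
The account, password-policy and permission items above can be audited with a short shell script. The one below is an added example, not part of the original page: it runs offline against constructed copies of /etc/passwd, /etc/shadow and /etc/login.defs (the account names, hashes and values are made up), and the thresholds it applies (maximum password age 90 days, minimum length 8) are an assumed baseline, not something the page prescribes. On a live host, point the functions at the real files as root.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit of the Linux items
# above. Sample /etc/passwd, /etc/shadow and /etc/login.defs are constructed
# here; point the functions at the real files (as root) on a live host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample files (not from a real system) -----------------------
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
games:x:5:60:games:/usr/games:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:19700:0:99999:7:::
toor::19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
lp:!:19700:0:99999:7:::
alice:$6$saltsalt$notarealhash:19700:0:99999:7:::
EOF
cat > "$WORK/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
chmod 644 "$WORK/shadow"   # deliberately too permissive for the permission check

# Accounts other than root with UID 0: a second superuser is a classic backdoor.
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# System accounts (UID < 1000) that still have an interactive login shell.
system_accounts_with_shell() {
    awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ {print $1}' "$1"
}

# Empty password field in shadow means login with no password at all.
# "!" and "*" are locked accounts, not empty passwords.
empty_password_accounts() { awk -F: '$2 == "" {print $1}' "$1"; }

# Symbolic mode string such as -rw-r-----; ls -ld rather than GNU stat for portability.
perm_string() { ls -ld "$1" | cut -c1-10; }

# Exit 0 when "others" can read or write the file (positions 8 and 9 of the mode string).
world_accessible() {
    case "$(perm_string "$1")" in
        ???????r??|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Value of a login.defs key; the last assignment in the file wins.
login_defs_value() { awk -v k="$2" '$1 == k {v = $2} END {print v}' "$1"; }

# Findings against an assumed baseline: maximum age <= 90 days, minimum length >= 8.
# pam_pwquality in /etc/pam.d/ can enforce more than login.defs, so check both.
password_policy_findings() {
    max=$(login_defs_value "$1" PASS_MAX_DAYS)
    len=$(login_defs_value "$1" PASS_MIN_LEN)
    [ -n "$max" ] && [ "$max" -le 90 ] || echo "PASS_MAX_DAYS=${max:-unset} (want <= 90)"
    [ -n "$len" ] && [ "$len" -ge 8 ] || echo "PASS_MIN_LEN=${len:-unset} (want >= 8)"
}

echo "extra UID 0 accounts:        $(extra_uid0_accounts "$WORK/passwd" | tr '\n' ' ')"
echo "system accounts with shell:  $(system_accounts_with_shell "$WORK/passwd" | tr '\n' ' ')"
echo "empty-password accounts:     $(empty_password_accounts "$WORK/shadow" | tr '\n' ' ')"
world_accessible "$WORK/shadow" && echo "shadow is world-accessible: $(perm_string "$WORK/shadow")"
chmod 640 "$WORK/shadow"       # remediation: shadow must never be readable by others
world_accessible "$WORK/shadow" || echo "shadow fixed: $(perm_string "$WORK/shadow")"
password_policy_findings "$WORK/login.defs"
```

On the sample data the script reports toor as both an extra UID 0 account and an empty-password account, lp (and toor) as system accounts with a shell, the 0644 shadow file, and two password-policy findings; after the chmod the shadow check passes. Lockout and complexity rules live in PAM, not login.defs, so read /etc/pam.d/ as well.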

8.9.2.2. Windows

  • Monitor for abnormal processes

  • Monitor for abnormal startup items (Run keys, scheduled tasks)

  • Monitor for abnormal services

  • Forward Windows event logs to a central collector (syslog/SIEM)

  • User accounts
    • Set a password expiry period

    • Set password complexity and minimum length requirements

    • Set an account lockout threshold (failed logon attempts)

  • Install EMET (end of life since July 2018; on Windows 10 / Server 2016 and later use Exploit Protection in Windows Defender Exploit Guard instead)

  • Enable PowerShell logging (module logging, script block logging and transcription)

  • Restrict download and execution of the following potentially dangerous file types
    • ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe

  • Restrict the file extensions that are handled by Windows Script Host (wscript), for example by reassigning their default file association
    • bat, js, jse, vbe, vbs, wsf, wsh

  • Domain
    • Restrict who may join computers to the domain (ms-DS-MachineAccountQuota allows any authenticated user to join 10 machines by default)

    • Apply the principle of least privilege to domain accounts

    • Reduce the number of privileged accounts to the minimum required

8.9.3. Applications

8.9.3.1. FTP

  • Disable anonymous login (vsftpd: anonymous_enable=NO)

  • Change or remove the banner so it does not disclose the server software and version

8.9.3.2. SSH

  • Disable root login (PermitRootLogin no in sshd_config)

  • Disable password authentication (PasswordAuthentication no) and use keys only

8.9.3.3. MySQL

  • Restrict file system access from SQL (secure_file_priv pointing at a dedicated directory, local_infile disabled)

  • Review the grant tables (mysql.user): remove anonymous users, wildcard hosts and empty passwords, and do not allow remote root

  • Check that logging is enabled (error log; general or audit log where required)

  • Check that the version is up to date
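
The FTP, SSH and MySQL items above are mostly questions about a handful of directives in three configuration files, so one key/value reader can audit all of them. The script below is an added example, not part of the original page: the vsftpd.conf, sshd_config and my.cnf contents are constructed samples (two deliberately weak, one hardened sshd_config), and the paths are temporary files; on a live host substitute /etc/vsftpd.conf, /etc/ssh/sshd_config and /etc/my.cnf or /etc/mysql/my.cnf. It encodes two parsing rules that a plain grep gets wrong: sshd honours the first occurrence of a keyword and everything after a Match block is conditional, while my.cnf and vsftpd.conf take the last occurrence and MySQL treats "-" and "_" in option names as the same.

```shell
#!/bin/sh
# Added example (not from the original page): one key/value reader audits the
# FTP, SSH and MySQL items above against constructed vsftpd.conf, sshd_config
# and my.cnf samples. Replace the paths with the real files on a live host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed samples: deliberately weak, plus one hardened sshd_config ---
cat > "$WORK/vsftpd.conf" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
EOF
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
EOF
cat > "$WORK/sshd_config.hard" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$WORK/my.cnf" <<'EOF'
[client]
port=3306
[mysqld]
datadir=/var/lib/mysql
secure-file-priv=
local_infile=1
EOF

# sshd semantics: the FIRST occurrence of a keyword wins (keywords are case-insensitive)
# and settings after the first Match block are conditional, so the global scan stops there.
sshd_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# INI-style reader for my.cnf and vsftpd.conf: the LAST occurrence inside the requested
# [section] wins (pass "" for section-less files such as vsftpd.conf). MySQL treats "-"
# and "_" in option names as equivalent, and a bare key (no "=") means the option is on.
ini_value() {
    awk -v s="$2" -v k="$3" -F'=' '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        /^[ \t]*#/ || NF == 0 { next }
        sec == s {
            key = $1; gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            if (key == k) { v = (NF > 1) ? $2 : "ON"; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        }
        END { print v }' "$1"
}

ftp_findings() {
    anon=$(ini_value "$1" "" anonymous_enable)
    case "$anon" in NO|no) ;; *) echo "anonymous_enable=${anon:-unset (vsftpd default YES)}" ;; esac
    [ -n "$(ini_value "$1" "" ftpd_banner)" ] || echo "ftpd_banner unset: default banner discloses the vsftpd version"
}

ssh_findings() {
    r=$(sshd_value "$1" PermitRootLogin)
    [ "$r" = "no" ] || echo "PermitRootLogin=${r:-unset (default prohibit-password)}"
    p=$(sshd_value "$1" PasswordAuthentication)
    [ "$p" = "no" ] || echo "PasswordAuthentication=${p:-unset (default yes)}: use keys only"
}

mysql_findings() {
    # Empty secure_file_priv disables the restriction; unset falls back to the build default.
    [ -n "$(ini_value "$1" mysqld secure_file_priv)" ] || echo "secure_file_priv empty/unset: LOAD DATA and SELECT ... INTO OUTFILE are not confined to one directory"
    case "$(ini_value "$1" mysqld local_infile)" in 0|OFF|off) ;; *) echo "local_infile not disabled" ;; esac
    [ -n "$(ini_value "$1" mysqld log_error)" ] || echo "log_error unset: no dedicated error log"
}

for f in vsftpd.conf sshd_config.weak sshd_config.hard my.cnf; do
    echo "== $f"
    case $f in
        vsftpd*) ftp_findings "$WORK/$f" ;;
        sshd*)   ssh_findings "$WORK/$f" ;;
        my.cnf)  mysql_findings "$WORK/$f" ;;
    esac
done
```

The weak sshd_config produces two findings even though it contains "PasswordAuthentication no", because that line sits inside a Match block and only applies to one user. For the grant tables, which no config file can show, run a query such as SELECT user, host FROM mysql.user WHERE user = '' OR host = '%' OR authentication_string = '' (column names for MySQL 5.7 and later) and drop or fix every row it returns.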

8.9.4. Web Middleware

8.9.4.1. Apache

  • Hide the version (ServerTokens Prod, ServerSignature Off)

  • Check that the version is up to date

  • Restrict HTTP methods (LimitExcept)

  • Disable TRACE (TraceEnable Off)

  • Disable or restrict /server-status (mod_status)

  • Limit the request body size (LimitRequestBody)

  • Directory permission settings

  • Whether URL rewriting (mod_rewrite, AllowOverride for .htaccess) is permitted

  • Whether directory listing (Options Indexes) is allowed

  • Log configuration

  • Configure timeouts (Timeout, KeepAliveTimeout, mod_reqtimeout) to limit slow-request DoS

  • Restrict read and write access for non-owner users on
    • httpd.conf

    • access.log

    • error.log
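
The Apache items above map onto a small set of directives, so the weak and the hardened setting can be shown side by side and checked mechanically. The script below is an added example, not part of the original page: the two httpd.conf fragments are constructed, the directive reader is a simplification (it treats every directive as server-level and lets a later repetition override an earlier one, ignoring <Directory>/<Location> scoping), and the Timeout ceiling of 60 seconds is an assumed baseline. On a live host point apache_findings at the merged configuration (for example /etc/httpd/conf/httpd.conf plus its includes).

```shell
#!/bin/sh
# Added example (not from the original page): checks the Apache items above
# against two constructed httpd.conf fragments, one weak and one hardened.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/weak.conf" <<'EOF'
ServerTokens Full
ServerSignature On
Timeout 300
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
<Location /server-status>
    SetHandler server-status
</Location>
EOF
cat > "$WORK/hard.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Timeout 30
LimitRequestBody 10485760
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    Require all granted
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
EOF

# Value of a directive (case-insensitive); a later repetition overrides an earlier one.
# Simplification: directives inside <Directory>/<Location> are not scoped separately.
directive() { awk -v d="$2" 'tolower($1) == tolower(d) {v = $2} END {print v}' "$1"; }

apache_findings() {
    c=$1
    [ "$(directive "$c" ServerTokens)" = "Prod" ] || echo "ServerTokens: set Prod (hides version and modules)"
    [ "$(directive "$c" ServerSignature)" = "Off" ] || echo "ServerSignature: set Off (no version in error pages)"
    [ "$(directive "$c" TraceEnable)" = "Off" ] || echo "TraceEnable: set Off (TRACE is enabled by default)"
    t=$(directive "$c" Timeout)
    [ -n "$t" ] && [ "$t" -le 60 ] || echo "Timeout=${t:-unset}: lower it and add mod_reqtimeout (RequestReadTimeout)"
    [ -n "$(directive "$c" LimitRequestBody)" ] || echo "LimitRequestBody unset: request body unlimited before 2.4.53"
    grep -qi '<LimitExcept' "$c" || echo "no <LimitExcept>: every HTTP method is accepted"
    # Directory listing: an Options line that enables Indexes (but not "-Indexes").
    awk 'tolower($1) == "options" && /Indexes/ && !/-Indexes/ {
             print "Options Indexes at line " NR ": directory listing enabled" }' "$c"
    # server-status: a <Location /server-status> block without a restrictive Require is exposed.
    awk 'tolower($0) ~ /<location[ \t]+\/server-status>/ { open = 1; guarded = 0 }
         open && tolower($1) == "require" && !($2 == "all" && $3 == "granted") { guarded = 1 }
         open && /<\/[Ll]ocation>/ { if (!guarded) print "/server-status exposed: add Require ip or Require local"; open = 0 }' "$c"
}

echo "== weak.conf"; apache_findings "$WORK/weak.conf"
echo "== hard.conf"; apache_findings "$WORK/hard.conf"
```

The weak fragment yields eight findings, the hardened one none. Note that "Options -Indexes" is not a finding while "Options Indexes" and "Options All" are, and that "Require all granted" inside the server-status block does not count as a restriction.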

8.9.4.2. Nginx

  • Restrict HTTP methods (limit_except, or a check on $request_method)

  • Disable directory listing (autoindex off) and check alias/location pairs for the off-by-slash traversal (location /i with alias /data/images/ lets /i../ escape the alias root)

  • Check redirect configuration (a return or rewrite built from $host or $http_host is an open redirect when the server accepts any Host header)

  • Configure timeouts (client_body_timeout, client_header_timeout, send_timeout) to limit slow-request DoS
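
The same weak-versus-hardened approach works for Nginx. The script below is an added example, not part of the original page: the two nginx.conf fragments are constructed (example.test is a placeholder name), and the checks are line-oriented heuristics rather than a full Nginx config parser. On a live host run nginx_findings on the output of "nginx -T", which prints the complete merged configuration including every included file.

```shell
#!/bin/sh
# Added example (not from the original page): checks the Nginx items above against
# two constructed nginx.conf fragments, weak and hardened. On a live host feed it the
# output of "nginx -T" so included files are covered.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/weak.conf" <<'EOF'
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl default_server;
    root /var/www/html;
    location /files/ {
        autoindex on;
    }
    location /i {
        alias /data/images/;
    }
}
EOF
cat > "$WORK/hard.conf" <<'EOF'
server {
    listen 80 default_server;
    server_name example.test;
    return 301 https://example.test$request_uri;
}
server {
    listen 443 ssl;
    server_name example.test;
    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;
    location / {
        autoindex off;
        limit_except GET HEAD POST { deny all; }
    }
    location /i/ {
        alias /data/images/;
    }
}
EOF

nginx_findings() {
    c=$1
    # Directory listing: autoindex on anywhere in the config.
    awk '$1 == "autoindex" && $2 ~ /^on/ { print "line " NR ": autoindex on (directory listing)" }' "$c"
    # Off-by-slash traversal: a prefix location without a trailing slash whose alias ends in one,
    # so /i../ maps to /data/images/../ outside the intended directory.
    awk '$1 == "location" && $2 ~ /^\// && $2 !~ /\/$/ { loc = $2; locline = NR }
         $1 == "alias" && loc != "" && $2 ~ /\/;$/ { print "line " locline ": location " loc " with alias ending in /: off-by-slash traversal" }
         /}/ { loc = "" }' "$c"
    # Redirects built from the client-controlled Host header (open redirect on a catch-all server).
    awk '($1 == "return" || $1 == "rewrite") && /\$(host|http_host)/ {
             print "line " NR ": redirect uses $host/$http_host (open redirect if any Host is accepted)" }' "$c"
    # HTTP methods: no limit_except and no $request_method check means every method is accepted.
    grep -qE 'limit_except|\$request_method' "$c" || echo "no limit_except or \$request_method check: all methods accepted"
    # Timeouts: the defaults are 60s; set them explicitly and lower them.
    for d in client_body_timeout client_header_timeout send_timeout; do
        grep -q "^[[:space:]]*$d" "$c" || echo "$d unset (default 60s): lower it to limit slow-request DoS"
    done
}

echo "== weak.conf"; nginx_findings "$WORK/weak.conf"
echo "== hard.conf"; nginx_findings "$WORK/hard.conf"
```

The weak fragment yields seven findings (listing, traversal, open redirect, unrestricted methods, three timeouts); the hardened one none. The redirect check is a prompt to review rather than a verdict: $host is only attacker-controlled when the server block is the default for its port or its server_name is a wildcard, which is exactly the case in the weak fragment.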

8.9.4.3. IIS

  • Check that the version is up to date

  • Log configuration

  • User and password configuration (including application pool identities)

  • ASP.NET feature configuration (debugging, detailed errors and request validation)

  • Configure timeouts to limit slow-request DoS

8.9.4.4. JBoss

  • Secure or remove the JMX console (jmx-console)

  • Secure or remove the web console (web-console)

8.9.4.5. Tomcat

  • Restrict HTTP methods (security-constraint in web.xml)

  • Disable directory listing (DefaultServlet listings parameter set to false)

  • Remove or restrict the manager and host-manager applications

  • User and password configuration (tomcat-users.xml)

  • User role configuration (least privilege for manager roles)

  • Configure timeouts (connectionTimeout on the Connector) to limit slow-request DoS

8.9.5. Password Management Policy

  • At least 8 characters in length

  • Not present in common password dictionaries or breached-password lists

  • Do not rely on knowledge-based authentication (security questions) for login or account recovery