Hardening Checklists

From Framework to Workfloor

This topic works best as a practical framework: clear enough for decision-making and concrete enough for execution.

For Hardening Checklists, applicability is central: decisions that directly translate to backlog, architecture, and operations.

This keeps this chapter from being theory, making it a usable compass for consistent execution.

Immediate measures (15 minutes)

• Use this page to prioritize measures and convert them into backlog items.
• Link each measure to an owner, deadline, and demonstrable evidence.
• Repeat periodically based on risk, changes, and incident lessons.

Why this matters

The core of Hardening Checklists is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.

Windows Server 2022 Hardening

Reference: Network 12 (Windows hardening), Network 04 (AD hardening)

Basic Security

• Windows Update – Configure automatic updates via WSUS or Windows Update for Business. Verify that all critical and security updates are installed. Schedule a monthly patch window.
• Rename local admin – Rename the default Administrator account (SID-500) via GPO. This prevents targeted brute force on known account names.
• Implement LAPS – Install and configure Local Administrator Password Solution (or Windows LAPS in Server 2022+). Verify that passwords are automatically rotated and stored in AD.
• Disable guest account – Verify that the Guest account is disabled. Verify with Get-LocalUser Guest.
• Restricted groups – Use Restricted Groups or GPO Preferences to manage local admin group membership. Prevent domain users from having local admin rights.

Services & Features

• Disable unnecessary services – Disable Print Spooler on servers that do not print. Disable Xbox-related services, Remote Registry, Fax, and SSDP Discovery.
• Remove unnecessary roles – Remove server roles and features that are not in use (IIS, Telnet Server, TFTP Client, Windows Media Player).
• Disable SMBv1 – Remove SMBv1 via Remove-WindowsFeature FS-SMB1 or Disable-WindowsOptionalFeature -FeatureName SMB1Protocol. Verify with Get-SmbServerConfiguration.
• NetBIOS over TCP/IP – Disable NetBIOS on all network interfaces unless explicitly required by legacy applications.
• Disable LLMNR – Disable Link-Local Multicast Name Resolution via GPO to prevent LLMNR poisoning.
• Disable WPAD – Disable Web Proxy Auto-Discovery via GPO if it is not in use.

Network & Firewall

• Windows Firewall – Enable Windows Defender Firewall on all profiles (Domain, Private, Public). Configure default deny inbound.
• Restrict RDP – Allow RDP only from management VLANs. Enable Network Level Authentication (NLA). Consider RDP Gateway for external access.
• SMB signing – Require SMB signing via GPO: Microsoft network server: Digitally sign communications (always) = Enabled. Do the same for the client setting.
• LDAP signing – Require LDAP signing via GPO on domain controllers. Also configure LDAP channel binding.
• Remote management – Restrict WinRM access to management IPs via GPO or local firewall rules. Enable WMI access only for authorized accounts.

Authentication & Credentials

• Credential Guard – Enable Windows Defender Credential Guard on supported hardware (VBS + UEFI lock recommended).
• LSASS protection – Configure LSASS as Protected Process Light (RunAsPPL) via registry: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1.
• Disable NTLMv1 – Set LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM.
• Audit NTLM – Enable NTLM auditing via GPO before fully blocking NTLM. Analyze which applications still use NTLM.
• Password policy – Configure a password policy in accordance with NIST SP 800-63B: minimum 15 characters, no complexity rules, breached password check.
• Account lockout – Configure account lockout after 5-10 failed attempts, with a lockout duration of at least 15 minutes.

Logging & Monitoring

• Audit policy – Configure Advanced Audit Policy via GPO: Account Logon, Logon/Logoff, Object Access, Privilege Use, Process Creation, Policy Change.
• Process creation logging – Enable command line logging for process creation (Event ID 4688) via GPO: Include command line in process creation events.
• Sysmon – Install Sysmon with a community configuration (e.g., SwiftOnSecurity or Olaf Hartong). Forward events to a SIEM.
• PowerShell logging – Enable Script Block Logging (Event ID 4104). Enable Module Logging. Enable Transcription to a secured location.
• Event log forwarding – Configure Windows Event Forwarding (WEF) to a central collector or SIEM.
• Event log size – Increase the default event log size: Security log at least 1 GB, Application and System at least 256 MB.

Endpoint Protection

• Windows Defender – Configure real-time protection, cloud-delivered protection, tamper protection, and automatic sample submission.
• AppLocker or WDAC – Implement an application control policy that blocks unknown executables from user directories (%TEMP%, Downloads, AppData).
• PowerShell Constrained Language Mode – Configure CLM via WDAC or AppLocker for non-admin users. Allow FullLanguage only for administrators.
• BitLocker – Enable BitLocker for all volumes. Store recovery keys in AD or Azure AD. Use TPM + PIN where possible.
• Automatic screen lock – Configure inactivity timeout to a maximum of 15 minutes via GPO.

Ubuntu/Debian Server Hardening

Reference: Network 11 (Linux hardening)

Updates & Patch Management

• Unattended upgrades – Install and configure unattended-upgrades for automatic security updates: apt install unattended-upgrades && dpkg-reconfigure unattended-upgrades.
• Package sources – Verify that only official and trusted repositories are configured in /etc/apt/sources.list and /etc/apt/sources.list.d/.
• Unnecessary packages – Remove unnecessary packages and services: apt autoremove, remove telnetd, rsh-server, xinetd if they are installed.

SSH Hardening

• Disable root login – Set PermitRootLogin no in /etc/ssh/sshd_config. Use sudo instead of direct root access.
• Disable password authentication – Set PasswordAuthentication no and use only SSH key pairs (ed25519 or RSA 4096-bit minimum).
• Disable agent forwarding – Set AllowAgentForwarding no unless explicitly needed. Agent forwarding enables credential theft on compromised hop hosts.
• Disable TCP forwarding – Set AllowTcpForwarding no unless explicitly needed.
• Disable X11 forwarding – Set X11Forwarding no on servers (disabled by default, but verify).
• SSH idle timeout – Configure ClientAliveInterval 300 and ClientAliveCountMax 2 to close inactive sessions after 10 minutes.
• Restrict SSH access – Use AllowUsers or AllowGroups to restrict SSH access to specific accounts or groups.
• SSH port – Consider a non-standard port (not as a security measure but to reduce log noise from scanners).

Firewall & Network

• Firewall (ufw/nftables) – Enable ufw with default deny inbound and default allow outbound: ufw default deny incoming && ufw default allow outgoing && ufw enable.
• Only required ports – Open only the ports that are actually needed. Document each open port with a reason.
• IPv6 – Disable IPv6 if it is not being used: net.ipv6.conf.all.disable_ipv6 = 1 in sysctl.conf.

User Management & Authentication

• Unused accounts – Remove or lock unused accounts. Check /etc/passwd for accounts with UID 0 (only root should exist).
• Password policy – Configure pam_pwquality for password strength. Set maximum age via /etc/login.defs (PASS_MAX_DAYS).
• Sudo configuration – Restrict sudo rights to minimally necessary commands. Use NOPASSWD only where strictly needed. Log all sudo usage.
• Sudo timeout – Set Defaults timestamp_timeout=5 to keep sudo sessions short.
• Login restrictions – Configure pam_faillock or fail2ban for brute force protection.

File System & Kernel

• File permissions – Check permissions on /etc/shadow (640), /etc/passwd (644), /etc/crontab (600), /etc/ssh/sshd_config (600).
• SUID/SGID audit – Run find / -perm -4000 -o -perm -2000 -type f and remove unnecessary SUID/SGID bits with chmod u-s or chmod g-s.
• Sticky bit on world-writable directories – Verify that /tmp and other world-writable directories have the sticky bit: chmod +t /tmp.
• Mount options – Use noexec, nosuid, nodev on /tmp, /var/tmp, and /dev/shm in /etc/fstab.
• Kernel hardening (sysctl) – Configure in /etc/sysctl.d/99-hardening.conf:
  • net.ipv4.ip_forward = 0 (unless router/gateway)
  • net.ipv4.conf.all.accept_redirects = 0
  • net.ipv4.conf.all.send_redirects = 0
  • net.ipv4.conf.all.accept_source_route = 0
  • net.ipv4.conf.all.log_martians = 1
  • kernel.randomize_va_space = 2
  • kernel.dmesg_restrict = 1
  • kernel.kptr_restrict = 2
• Disable core dumps – Add * hard core 0 to /etc/security/limits.conf and fs.suid_dumpable = 0 to sysctl.

Logging & Monitoring

• AppArmor – Verify that AppArmor is active with aa-status. Set profiles to enforce mode. Install apparmor-profiles and apparmor-utils.
• Restrict cron – Restrict cron access via /etc/cron.allow. Check all crontabs for suspicious entries: for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l 2>/dev/null; done.
• Logging (rsyslog/journald) – Configure central logging. Verify that auth, authpriv, kern, and syslog are actively being logged and forwarded to a SIEM.
• Fail2ban – Install and configure fail2ban for SSH and other services: apt install fail2ban. Configure jail-specific settings in /etc/fail2ban/jail.local.
• Audit daemon – Install and configure auditd for detailed system call logging. Use rules from CIS Benchmark or STIG.

Other

• Unnecessary services – Remove or disable services that are not needed: avahi-daemon, cups, rpcbind, nfs-common, rsh-server, telnet.
• Restrict USB storage – Blacklist usb-storage kernel module if USB storage is not needed: echo "blacklist usb-storage" > /etc/modprobe.d/usb-storage.conf.
• Banners – Remove OS information from /etc/issue and /etc/issue.net. Add an authorized-access warning banner.
• NTP – Configure time synchronization via systemd-timesyncd or chrony. Accurate timestamps are essential for log correlation.

nginx Hardening

Reference: Web 11 (Security headers), Web 13 (TLS configuration)

TLS & Encryption

• TLS versions – Use only TLS 1.2 and 1.3: ssl_protocols TLSv1.2 TLSv1.3;. Disable SSLv3, TLSv1.0, and TLSv1.1.
• Cipher suites – Use strong cipher suites. Enable ssl_prefer_server_ciphers on;. Use Mozilla SSL Configuration Generator for the correct configuration.
• HSTS – Add add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;.
• OCSP stapling – Enable OCSP stapling: ssl_stapling on; ssl_stapling_verify on;.
• DH parameters – Generate strong DH parameters: openssl dhparam -out /etc/nginx/dhparam.pem 4096. Configure ssl_dhparam.
• SSL session cache – Configure ssl_session_cache shared:SSL:10m; and ssl_session_timeout 1d;. Disable ssl_session_tickets off;.

Headers & Information Leakage

• Server tokens – Set server_tokens off; in the nginx configuration to hide version information.
• Security headers – Configure in each server block:
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()
• Content Security Policy – Implement a strict CSP. Start with Content-Security-Policy-Report-Only and tighten gradually.

Access Control & Rate Limiting

• Rate limiting – Configure limit_req_zone and limit_req to mitigate brute force and DDoS: limit_req_zone $binary_remote_addr zone=login:10m rate=5r/s;.
• Connection limiting – Configure limit_conn_zone and limit_conn to set per-IP connection limits.
• Request body size – Set client_max_body_size to an appropriate value (e.g., 10m). Prevent abuse via large uploads.
• Restrict HTTP methods – Allow only required methods. Block TRACE, DELETE, PUT unless needed: if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }.
• Admin interfaces – Restrict access to admin paths with allow/deny directives or HTTP Basic Auth as an extra layer.

Operational

• Timeout configuration – Set client_body_timeout 10;, client_header_timeout 10;, and send_timeout 10; to mitigate slowloris-style attacks.
• Buffer overflow protection – Limit client_body_buffer_size 1k;, client_header_buffer_size 1k;, and large_client_header_buffers 2 1k;.
• Directory listing – Set autoindex off; (default, but verify in all location blocks).
• Logging – Configure access logs and error logs. Log to a central system. Use a structured log format (JSON).
• Worker process – Run nginx worker processes as a non-root user (default www-data or nginx).
• Block hidden files – Block access to .git, .env, .htaccess, .svn: location ~ /\. { deny all; }.
• Upstream timeouts – Configure proxy_connect_timeout, proxy_read_timeout, proxy_send_timeout to prevent backend issues from leaking to the client.

Apache Hardening

Reference: Web 11 (Security headers), Web 13 (TLS configuration)

TLS & Encryption

• TLS versions – Use only TLS 1.2 and 1.3: SSLProtocol -all +TLSv1.2 +TLSv1.3.
• Cipher suites – Configure strong cipher suites with SSLCipherSuite and SSLHonorCipherOrder On.
• HSTS – Add Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" via mod_headers.
• OCSP stapling – Enable with SSLUseStapling On and SSLStaplingCache "shmcb:logs/ssl_stapling(32768)".
• HTTP to HTTPS redirect – Configure a permanent redirect on port 80: Redirect permanent / https://example.com/.

Headers & Information Leakage

• ServerTokens – Set ServerTokens Prod to show only "Apache" without version number.
• ServerSignature – Set ServerSignature Off to hide server name in error pages.
• Disable ETag – Set FileETag None to prevent information leaks via inode numbers.
• Security headers – Configure via mod_headers:
  • Header always set X-Frame-Options "DENY"
  • Header always set X-Content-Type-Options "nosniff"
  • Header always set Referrer-Policy "strict-origin-when-cross-origin"
  • Header always set Permissions-Policy "camera=(), microphone=()"
• Content Security Policy – Implement CSP via Header set Content-Security-Policy "...".

Modules & Configuration

• Disable HTTP TRACE – Set TraceEnable Off to prevent cross-site tracing (XST) attacks.
• Remove unnecessary modules – Disable unused modules: mod_info, mod_status (or restrict to localhost), mod_autoindex, mod_cgi (unless needed).
• Directory listing – Set Options -Indexes in all <Directory> configurations.
• Symbolic links – Set Options -FollowSymLinks or use Options +SymLinksIfOwnerMatch for safer symlink handling.
• Restrict CGI – Disable CGI unless explicitly needed. Restrict CGI execution to specific directories with ScriptAlias.

Access Control & Limits

• Timeout configuration – Set Timeout 30. Install mod_reqtimeout: RequestReadTimeout header=10-20,MinRate=500 body=10-30,MinRate=500.

• Request body size – Configure LimitRequestBody to an appropriate value per <Directory> or <Location>.

• Request field limits – Set LimitRequestFields 50, LimitRequestFieldSize 8190, LimitRequestLine 8190.

• Access control – Use <RequireAll> and Require ip directives to restrict admin interfaces to management networks.

• Block hidden files – Block access to .git, .env, .svn, .htaccess:

  <FilesMatch "^\.(git|env|svn|htaccess|htpasswd)">
      Require all denied
  </FilesMatch>

• Logging – Enable mod_log_config. Configure a CustomLog with detailed format. Forward to a central log system.

• mod_security – Consider mod_security as a WAF with OWASP ModSecurity Core Rule Set (CRS). Start in DetectionOnly mode.

PostgreSQL Hardening

Reference: Network 14 (MSSQL hardening – principles are equivalent for relational databases)

Authentication & Access

• pg_hba.conf review – Configure host rules with specific IP ranges. Use scram-sha-256 as the authentication method. Never use trust in production.
• Change default password – Change the password of the postgres superuser immediately after installation with a strong password (25+ characters).
• Network binding – Set listen_addresses to only the required interfaces. Do not use * unless all interfaces are necessary.
• Connection limits – Set max_connections to an appropriate value. Configure CONNECTION LIMIT per role to enforce individual limits.
• Password encryption – Set password_encryption = 'scram-sha-256' in postgresql.conf. Migrate existing MD5 hashes.

SSL/TLS

• Enable SSL – Set ssl = on in postgresql.conf. Configure ssl_cert_file, ssl_key_file, and optionally ssl_ca_file.
• Require SSL – Use hostssl in pg_hba.conf instead of host to block unencrypted connections.
• TLS version – Set ssl_min_protocol_version = 'TLSv1.2' to block older TLS versions.
• Cipher suites – Configure ssl_ciphers with a secure set. Use HIGH:!aNULL:!MD5 as a minimum.

Roles & Permissions

• Application-specific roles – Create a separate database role per application with minimal permissions. Never use the postgres superuser for application connections.
• Restrict SUPERUSER – Minimize the number of accounts with SUPERUSER privileges. Audit regularly with SELECT usename, usesuper FROM pg_user WHERE usesuper = true;.
• Restrict CREATEDB/CREATEROLE – Remove CREATEDB and CREATEROLE privileges from application accounts.
• Schema isolation – Use separate schemas for different applications. Revoke CREATE on the public schema: REVOKE CREATE ON SCHEMA public FROM PUBLIC;.
• Row-Level Security – Use RLS for multi-tenant applications to enforce data isolation at row level.
• Default privileges – Configure ALTER DEFAULT PRIVILEGES to assign default minimal permissions for new objects.

Logging & Monitoring

• Connection logging – Set log_connections = on and log_disconnections = on to log all connections.
• Statement logging – Configure log_statement = 'ddl' (minimum) or 'mod' to log DDL and data modification statements.
• Duration logging – Set log_min_duration_statement = 1000 to log queries longer than 1 second (useful for performance and anomaly detection).
• Log destination – Configure log_destination = 'syslog' or 'csvlog' for central log management and SIEM integration.
• pg_stat_statements – Install this extension for query monitoring: CREATE EXTENSION pg_stat_statements;. Detect unusual patterns.

Other

• Extensions audit – Review installed extensions with \dx and remove unused extensions. Watch for extensions with C code that could enable privilege escalation.
• Statement timeout – Configure statement_timeout = '60s' (or an appropriate value) to limit long-running queries and prevent DoS.
• Backup encryption – Encrypt backups with pg_dump | gpg or use an encrypted storage location. Test restore procedures regularly.
• File permissions – Verify that the data directory (default /var/lib/postgresql) has permissions 700 and is owned by the postgres user.

MySQL/MariaDB Hardening

Reference: Network 14 (MSSQL hardening – principles are equivalent for relational databases)

Initial & Basic Security

• mysql_secure_installation – Run mysql_secure_installation after installation. This removes anonymous users, remote root login, and the test database.
• Root password – Set a strong password for the root account (25+ characters). Consider auth_socket plugin for local root access without a password.
• Remove remote root login – Remove all root accounts with remote access. Check: SELECT user, host FROM mysql.user WHERE user='root';. Remove entries with host not equal to localhost.
• Remove unused accounts – Audit all accounts with SELECT user, host FROM mysql.user;. Remove anonymous accounts (''@'localhost') and unnecessary accounts.
• Remove test database – Verify that the test database has been removed: DROP DATABASE IF EXISTS test;.

Network & Encryption

• Network binding – Set bind-address = 127.0.0.1 if only local access is needed. Use the external IP address only if remote access is required.
• Enable TLS/SSL – Configure SSL with require_secure_transport = ON. Generate certificates and configure ssl-cert, ssl-key, ssl-ca.
• Require TLS per user – Use ALTER USER 'appuser'@'%' REQUIRE SSL; for all accounts that connect remotely.
• TLS version – Set tls_version = TLSv1.2,TLSv1.3 to block older versions.

User Management & Permissions

• Application-specific accounts – Create a separate database account per application with minimal permissions. Use GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'apphost';.
• Restrict FILE privilege – Remove the FILE privilege from application accounts: REVOKE FILE ON *.* FROM 'appuser'@'%';. This prevents LOAD DATA INFILE and INTO OUTFILE.
• Restrict PROCESS and SUPER – Restrict PROCESS and SUPER privileges to DBA accounts. Application accounts never need these permissions.
• Restrict GRANT OPTION – Never give WITH GRANT OPTION to application accounts. Only DBAs should be able to delegate permissions.
• Password policy – Install validate_password component: INSTALL COMPONENT 'file://component_validate_password';. Configure validate_password.length = 15 and validate_password.policy = MEDIUM.

Configuration & Features

• Disable local-infile – Set local-infile = 0 in my.cnf to disable client-side file loading. This prevents data exfiltration via SQL injection.
• Disable symbolic links – Set symbolic-links = 0 in the [mysqld] section of my.cnf.
• Restrict LOAD DATA LOCAL – Set local_infile = OFF as a server-side setting. This is defense in depth on top of the client setting.
• Strict SQL mode – Configure sql_mode = 'STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION' to prevent unsafe implicit conversions.
• Connection limits – Configure max_connections and max_user_connections to appropriate values per user to prevent resource exhaustion.

Logging & Monitoring

• Error logging – Configure log_error with a fixed location. Forward to a central log system.
• General query log – Disable general query log in production (general_log = OFF) due to performance impact. Use it only for debugging.
• Slow query log – Enable slow query log: slow_query_log = ON, long_query_time = 2. Useful for performance monitoring and anomaly detection.
• Audit plugin – Install and configure the audit plugin. MariaDB: INSTALL SONAME 'server_audit';. MySQL Enterprise: INSTALL PLUGIN audit_log SONAME 'audit_log.so';.
• Binary logs – Check binary log settings. Set binlog_expire_logs_seconds = 604800 (7 days) to manage disk space. Secure binlog files with restrictive permissions.
• File permissions – Verify that the data directory and configuration files are owned by the mysql user with permissions 750 (directory) and 640 (files).

Summary

These checklists are a starting point, not an endpoint. Every system, every environment, and every organization has its own nuances that require adjustments. But the basics — the items that appear on every checklist — should be implemented on every server. No exceptions. No "yes but that's not needed for us." No "the application breaks if we do that" without actually having tested whether the application breaks.

Use these checklists for:

• New server provisioning – go through the relevant checklist before the system goes into production. No server should run production without this baseline.
• Periodic audit – schedule a quarterly check and tick off again. Configuration drift is not a theoretical risk; it is a certainty. Someone added that firewall rule "temporarily." It is still there.
• Incident response – after an incident, verify that all hardening items are still intact. Attackers disable security measures as part of their post-exploitation routine.
• Compliance audits – use the checked-off checklists as evidence for CIS Control 4 (Secure Configuration) and ISO 27001 A.8.9 (Configuration Management).

Combine these checklists with the corresponding Securitymaatregelen.nl chapters for the underlying rationale and detailed configuration examples.

← Previous Compliance & Governance Next → Compliance Mapping Matrix