This tutorial provides guidance on addressing many of the technical needs that if not met, can result in significant vulnerability findings in the network environment. This guidance should become part of a larger organizational policy governing the deployment, updating, and design of IT solutions. Realize that failure to perform this in the past is what resulted in many of the vulnerabilities you are exposed to today. A Microsoft IIS web server properly configured and deployed, following the IIS security checklist, could have its exposure reduced by over 90 percent, depending on the features needed for operation.
Failure to deploy and operate securely could be a result of lack of policy, or lack of resources within the organization to fulfill the current policies. Unfortunately, security is often viewed as an ancillary need because it is difficult to measure ROI. If that is the case, a paradigm shift in priorities may be in order, as a securely deployed system is a stable system, which relates to more time that can be focused on progress and less on remediation.
In the first part of the tutorial, we discuss overall concepts of assessment and hardening; the remainder of this tutorial provides guidance to assess and harden your current running state within specific technologies. Use this information and unique issues within your environment to define a minimum baseline standard for secure configurations within the organization that all deployed systems must meet.