A host compliance audit is a type of security assessment that involves the manual inspection of a workstation, server, or network device by a trained security engineer in order to evaluate the configuration, hardening, and security controls applied to the target. Using a published best practice standard, like the Center for Internet Security (CIS) benchmarks, and any available device-specific security best practices, a host compliance audit will help take a detailed look at what vulnerabilities you may be introducing into your environment due to improper hardening processes. By doing a deep-dive on a specific host or device, issues can be identified, remediated, and baked-into the organization’s published hardening standards so changes can be rolled out across the environment (via group policy or as new assets are put into production). This assessment will identify the security holes and provide specific actions you can take to harden the target and any similar systems in use across the network.
What questions will a host compliance audit help answer?
A host compliance audit is beneficial in a number of ways, and can help answer a number of different questions you may have, including the following:
- Are your workstations, servers, and/or network devices hardened according to published industry standards and security best practices?
- Are there any significant vulnerabilities in your environment due to misconfigurations?
- Are there any inconsistencies in your published host/device hardening standards and what is actually being applied across your network?
- Are your hardening standards up-to-date and maintained appropriately?
- Are you in line with any compliance standards relevant for your organization, such as PCI DSS or HIPAA?
What are some of the things you look for?
A host compliance audit can vary based on the type of device we’re looking at, as we can perform this type of assessment on network devices (switches, routers, firewalls), workstations (individual hosts, group policy sets, gold images), servers (generic server build, web servers, Active Directory), or security-specific devices (IDS/IPS, SIEM, NAC). But in any event, the underlying concepts and issues we’re looking to address remain the same, and include the following:
- Best practice authentication/authorization controls
- Common vulnerabilities introduced by misconfigurations – a great example is when host/servers do not require SMB signing. This is a simple group policy setting that could have significant implications for your network. If system’s do not require SMB signing, they may be vulnerable to SMB Relay Attacks.
- Logging configurations
- Software patching, security control configuration
- Opportunities for improvements in management/maintenance
Many times, a host compliance audit works great as a follow-on to an internal penetration test or in tandem with a best practice gap analysis. And whenever you decide to do this type of assessment, you’ll have a much better understanding of the state of your internal hardening processes and good list of action items to help increase the security baseline of the audited devices.