User:Gdestuynder/principles
STATUS: NOT READY. The goal of this document is to help operational teams agree on a basic set of principles that set expectations and give overall guidance on securing a service. The Enterprise Information Security team maintains this document as a reference guide for operational teams. Updates to this page should be submitted to the source repository on GitHub. Changes are detailed in the commit history.
Least Privilege
Do not present unnecessary services
Do
- List all services presented to the network (Internet and Intranets). Justify the presence of each port or service.
Do not
- OpenSSH Server (sshd) is running but is never used.
- A DNS resolution caching server (dnsmasqd) is running locally but only upstream DNS nameservers are used by clients.
- A file sharing server (samba/smbd) is running but no files are stored or exchanged on the server.
- A web application offers an administration service that you can log in to through the website, but it is not being used.
- A database server (SQL) allows connections from any machine in the same VLAN, even though only a single machine needs to connect to it.
- The administration login panel of the network switch for the office network is accessible by regular office users.
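One way to turn "list all services presented to the network and justify each one" into a repeatable check, as an added example (not part of the original page): parse the output of `ss -tlnup` and compare every listener against a recorded allow-list of justified (protocol, port) pairs. The `ss` output, the allow-list and the host role are constructed for illustration; the distinction between loopback-only and network-facing listeners mirrors the dnsmasq and sshd cases above.

```python
"""Audit listening services against a justified-services allow-list.

Added example. The ss(8) output below is constructed; on a real host you
would feed the script the output of `ss -tlnup` instead.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:53        0.0.0.0:*         users:(("dnsmasq",pid=640,fd=5))
udp   UNCONN 0      0      127.0.0.1:53        0.0.0.0:*         users:(("dnsmasq",pid=640,fd=4))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=901,fd=35))
tcp   LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      128    10.0.0.5:3306       0.0.0.0:*         users:(("mysqld",pid=1302,fd=21))
"""

# Justification record for this hypothetical web server: (proto, port) -> reason.
# Anything not listed here has no recorded reason to exist.
JUSTIFIED = {
    ("tcp", 443): "public HTTPS service served by nginx",
    ("tcp", 3306): "MySQL for the local application, bound to the private interface only",
}

LOOPBACK = {"127.0.0.1", "[::1]"}
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss -tlnup` output into Listener records (header line skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)          # handles "[::]:443" too
        m = PROCESS_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit(listeners: list[Listener], justified=JUSTIFIED) -> dict[str, list[Listener]]:
    """Bucket listeners: justified, unjustified network-facing, unjustified local-only."""
    result: dict[str, list[Listener]] = {"justified": [], "network": [], "local": []}
    for l in listeners:
        if (l.proto, l.port) in justified:
            result["justified"].append(l)
        elif l.addr in LOOPBACK:
            result["local"].append(l)       # not presented to the network, but still unjustified
        else:
            result["network"].append(l)     # reachable from the network with no recorded reason
    return result


def report(result: dict[str, list[Listener]]) -> list[str]:
    lines = []
    for l in result["network"]:
        lines.append(f"REMOVE or justify: {l.proto}/{l.port} ({l.process}) listening on {l.addr}")
    for l in result["local"]:
        lines.append(f"local-only, remove if unused: {l.proto}/{l.port} ({l.process})")
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_ss(SAMPLE_SS_OUTPUT))):
        print(line)
```

Running this over the constructed output flags sshd (tcp/22) and smbd (tcp/445) as network-facing services with no recorded justification, and dnsmasq (53) as a local-only service to remove if unused, while nginx and mysqld pass because they are in the allow-list.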
Do not grant or retain permissions if they're not actively used
Do
- Use role-based access control (it allows easy, granular escalation of privileges, only when necessary).
- Expire access automatically when unused.
- Use different accounts for different role types (admin, developer, user, etc.) when no good role-based access control is available.
Do not
- Allow root access (e.g. via 'sudo') to all systems for all operations engineers, regardless of the actual services they maintain.
- Give access "just in case".
- Leave access rules for users unreviewed.
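The two "Do" items above, expire access automatically when unused and revisit access rules, can be driven by a small review job. The following is an added example, not code from the original page: it takes a list of access grants with their last-use date (in practice from your IdP, VPN or SSH logs) and returns the ones to revoke. The account records, the per-role idle thresholds and the grace period are assumptions for the example.

```python
"""Flag access grants that should expire because they are not actively used.

Added example; the grants below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    user: str
    role: str                 # e.g. "admin", "developer", "user"
    granted: date
    last_used: date | None    # None: the grant has never been exercised


# Assumed policy values (not from the original page): maximum idle time per
# role, plus a grace period so a brand-new grant is not revoked before first use.
MAX_IDLE_DAYS = {"admin": 30, "developer": 90, "user": 180}
DEFAULT_IDLE_DAYS = 90
GRACE_DAYS = 14


def grants_to_expire(grants: list[Grant], today: date) -> list[tuple[str, str, str]]:
    """Return (user, role, reason) for every grant that should be revoked."""
    expire = []
    for g in grants:
        limit = timedelta(days=MAX_IDLE_DAYS.get(g.role, DEFAULT_IDLE_DAYS))
        if g.last_used is None:
            # Access granted "just in case" and never used: revoke once past the grace period.
            if today - g.granted > timedelta(days=GRACE_DAYS):
                expire.append((g.user, g.role, "never used since grant"))
        elif today - g.last_used > limit:
            expire.append((g.user, g.role, f"idle for {(today - g.last_used).days} days"))
    return expire


REVIEW_DATE = date(2024, 6, 1)

SAMPLE_GRANTS = [
    Grant("alice", "admin", date(2024, 1, 10), date(2024, 5, 30)),   # active admin: keep
    Grant("bob", "admin", date(2024, 1, 10), date(2024, 3, 1)),      # idle admin: revoke
    Grant("carol", "developer", date(2024, 5, 25), None),           # new grant inside grace: keep
    Grant("dave", "developer", date(2024, 2, 1), None),             # "just in case" grant: revoke
    Grant("erin", "user", date(2023, 6, 1), date(2023, 11, 1)),      # idle for half a year: revoke
]

if __name__ == "__main__":
    for user, role, why in grants_to_expire(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"revoke {role} access for {user}: {why}")
```

Shorter thresholds for privileged roles reflect the "Do not" item above: standing root access that nobody is using is the first thing the job revokes.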
Defense in Depth
Do not allow lateral movement
Do
- Use host-based firewall rules that self-protect the system regardless of the rules from the network equipment, or the location of the system.
- Avoid usage of firewall rules that allow any inbound connection to connect to a listening port (such as OpenSSH, RDP).
- Clearly enforce which team has access to which set of systems.
- Clearly assign administrative roles of different authentication & authorization services to different people.
Do not
- Have system administrators with access to every system/every service.
- Share administrative user access to authentication & authorization systems.
- Allow OpenSSH or RDP connections from any host on any network.
- Allow tools that remotely execute code on every system from a single centralized location (for example a single Puppet Master, Ansible Tower or Nagios instance).
Patch Systems
Do
- Establish patching windows.
- Ensure systems can be turned off and back on without affecting availability.
- Turn on automatic patching where possible.
Meet Web Standards
Do
- Achieve the best possible score on Mozilla's Observatory.
- Follow the [Security/Guidelines/Web_Security] recommendations.
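A way to check a service's response headers against a few of the recommendations that Observatory and the Web Security guidelines cover, as an added example. This is not Observatory's own scoring and not code from the page; it is a simplified checker whose thresholds (the HSTS minimum `max-age`, the set of headers examined) are assumptions for the example, and the two header sets are constructed.

```python
"""Simplified check of HTTP response security headers.

Added example: a subset of header recommendations, not Observatory's scoring.
"""
from __future__ import annotations
import re

# Assumed minimum HSTS max-age for this check: 180 days in seconds.
MIN_HSTS_MAX_AGE = 15_552_000


def _parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")

    csp = h.get("content-security-policy", "")
    directives = _parse_csp(csp)
    if not csp:
        findings.append("Content-Security-Policy missing")
    # script-src falls back to default-src when absent
    script_src = directives.get("script-src", directives.get("default-src", []))
    if any("unsafe-inline" in src for src in script_src):
        findings.append("CSP allows 'unsafe-inline' scripts")

    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


# Constructed header sets: a weak configuration and a corrected one.
WEAK_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(name, check_headers(hdrs) or ["all checks passed"])
```

The weak set fails on five points (short HSTS lifetime, inline scripts allowed via the default-src fallback, no clickjacking protection, no nosniff, no Referrer-Policy); the corrected set passes all of them.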