SIMM 5355-B Office of Information Security Server Hardening Standard

October 2024

Revision history

Revision | Date of Release | Owner | Summary of Changes
v.1 | October 2024 | Office of Information Security | Initial Release

Purpose

Server hardening is the process of strengthening a server's security posture through methods and practices that reduce its attack surface and eliminate known vulnerabilities. It involves assessing and fortifying server configurations, managing the operating system, and implementing security measures.

The objective of server hardening is to maintain the integrity, confidentiality, and availability of data. Because threats evolve constantly, server hardening is a continuous process that demands ongoing monitoring and updating to address new security challenges.

This standard sets out the minimum baseline security requirements for server hardening.
State entities should adopt additional context-specific controls where warranted.

Scope

The Server Hardening Standard applies to all California state entities, including agencies, departments, divisions, bureaus, boards, and commissions as defined in Government Code Section 11546.1.

Compliance

Government Code Section 11549.3 authorizes the Office of Information Security (OIS) to create, issue, and maintain policies, standards, and procedures; oversee information security risk management for state entities; provide information security and privacy guidance; and ensure compliance with State Administrative Manual (SAM) Chapter 5300 and Statewide Information Management Manual (SIMM) section 5300.

State entities must adhere to OIS-issued information security and privacy policies and all relevant laws, regulations, rules, and standards governing their entity. Non-compliance may affect audit findings and maturity metrics.

Any minimum server hardening requirement that cannot be implemented must be logged as a risk on the RRPOAM. Refer to Appendix A for a summary of controls.

Definitions

    • Hardening – A defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls.
    • Least Privilege – The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function, and users are granted access to only those information assets they need to perform their official duties.
    • System Security Plan (SSP) – A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

Minimum Baseline Standards

The minimum baseline standards for server hardening follow the core functions of the NIST Cybersecurity Framework (CSF) 2.0. They enable entities to approach and mitigate cybersecurity risk systematically by governing, identifying, protecting against, detecting, responding to, and recovering from the vulnerabilities and threats associated with server administration. Each requirement is mapped to the applicable CSF 2.0 category and to the corresponding NIST SP 800-53 controls.

Note: The CSF 2.0 functions Respond and Recover are outside the scope of this server hardening standard.

I. Govern

CSF Category | Requirement | NIST SP 800-53 Controls
GV.RM (Risk Management Strategy) | Establish a risk management plan and conduct testing to understand the current state of server security. | PM-4
GV.RR (Roles, Responsibilities, and Authorities) | Ensure security management staff are involved in server planning, implementation, and administration. | SA-3
GV.PO (Policies, Processes, and Procedures) | Create a System Security Plan (SSP). | PL-2

II. Identify

CSF Category | Requirement | NIST SP 800-53 Controls
ID.AM (Asset Management) | Maintain inventories of hardware, software, services, and information systems managed by the organization. Prioritize assets based on classification, criticality, resources, and impact on the mission. | CM-8
ID.AM | Ensure information systems, hardware, software, and services are managed throughout their life cycle. | SA-3
ID.RA (Risk Assessment) | Develop and periodically update a plan of action and milestones, and conduct risk assessments of the system to identify security gaps and the best ways to address them. | CA-5, RA-3

III. Protect

CSF Category | Requirement | NIST SP 800-53 Controls
PR.AA (Identity Management, Authentication, and Access Control) | Verify that identities and credentials for authorized users, services, and hardware are managed by the organization. | IA-5
PR.AA | Ensure users, services, and hardware are authenticated. | IA-2
PR.AA | Provide a host-based firewall that limits incoming and outgoing traffic on a deny-by-default basis, with particular attention to insecure ports and protocols. Do not use web browsers on the server unless essential to its primary function. | CM-7, CM-7(1), SC-7, SC-7(5), SC-8
PR.AA | Apply the principle of least privilege: restrict administrative or root-level activities to authorized users only, at a granular level, and control access to data on the server at a granular level. | AC-6, AC-6(1), AC-6(2), AC-6(5), AC-6(10), CM-5, CM-5(5)
PR.AA | Confirm that access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed. Typical files to which access should be restricted include: | AC-3, AC-3(7), AC-3(8), AC-3(11)
    • Configuration files
    • Files related directly to security mechanisms (password hash files, cryptographic key material, etc.)
    • System audit files
    • Security logs
PR.DS (Data Security) | Implement support for strong authentication protocols and encryption algorithms. | AC-17, AC-18
PR.DS | Use Federal Information Processing Standards (FIPS) 140 validated cryptographic modules when cryptography is used to protect stored data and data in transit. | AC-17, AC-18
PR.DS | Partition the system for physical or logical separation of components. | SC-32
PR.PS (Platform Security) | Apply a secure baseline configuration (hardening) together with configuration management and change control best practices. The Resources section lists suggested baseline configuration sources. | CM-2, CM-3, CM-6, CM-6(1)
PR.PS | Patch and update the operating system (OS) and installed software. | SI-2, SI-2(4); SIMM 5345-A
PR.PS | Perform regular vulnerability scanning in accordance with SIMM 5345-A. | RA-5; SIMM 5345-A
PR.PS | Configure automated time synchronization so that log timestamps are consistent across systems. | SC-45
PR.PS | Provide denial-of-service (DoS) protection. This includes: | SC-5, SC-5(2), SC-5(3), SC-7, SC-7(3)
    • Controlling and configuring the maximum number of server processes and/or network connections the server will allow.
PR.PS | Ensure software and hardware are maintained, replaced, and removed commensurate with risk. | MA-2
PR.PS | Prevent the installation and execution of unauthorized software (allow-by-exception). | CM-7, CM-7(2), CM-7(5)
PR.PS | Display a warning banner to users before granting access to the system. | AC-8
PR.IR (Technology Infrastructure Resilience) | Ensure networks and environments are protected from threats and from unauthorized physical and logical access or use. Examples include: | PE-3, PE-11, PE-13, PE-14
    • Physical security protection mechanisms (locks, card reader access, cameras, etc.)
    • Environmental controls (humidity and temperature controls, fire containment equipment, hardening against natural disasters)
    • Backup power (uninterruptible power supply (UPS))
PR.IR | Ensure servers are backed up periodically. | CP-9
PR.IR | Perform periodic penetration testing. | CA-8
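The following added example (written for this edit; it is not part of SIMM 5355-B or any CDT tooling) shows how an administrator might spot-check a Linux server against several of the Protect items above: a permission ceiling on security-relevant files (AC-3, AC-6), a deny-by-default host firewall (SC-7(5)), the sshd warning banner (AC-8), a hard per-user process limit as one DoS control (SC-5), and NTP synchronization (SC-45). The file paths, the 640 mode ceiling, the command outputs parsed, and the `--live` flag are assumptions chosen for illustration, not values taken from the standard.

```bash
#!/usr/bin/env bash
# Added example, not part of SIMM 5355-B: spot checks for several Protect
# baseline items on a Linux host. Paths, the 640 ceiling and the parsed command
# outputs are assumptions; align them with the entity's approved baseline.
set -u

# AC-3 / AC-6: a security-relevant file may carry no permission bit beyond the
# given octal ceiling. Returns 0 if within the ceiling, 1 if not, 2 if missing.
perm_within() {
  local path="$1" max="$2" mode
  [ -e "$path" ] || return 2
  mode=$(stat -c '%a' "$path")                 # GNU stat (assumption: Linux)
  [ $(( 8#$mode & ~(8#$max) )) -eq 0 ]         # no bit set in mode that is clear in max
}

# SC-7(5): the host firewall is deny-by-default when the INPUT policy is DROP.
# Reads `iptables -S`, `iptables-save` or `nft list ruleset` output from stdin.
fw_input_default_deny() {
  grep -Eq '^-P INPUT DROP$|^:INPUT DROP |hook input .*policy drop'
}

# AC-8: sshd must present a banner, and the file it names must exist and be
# non-empty. Takes the path of sshd_config.
ssh_banner_configured() {
  local banner
  banner=$(awk 'tolower($1)=="banner" {print $2; exit}' "$1")
  [ -n "$banner" ] && [ "$banner" != "none" ] && [ -s "$banner" ]
}

# SC-5: print the hard per-user process limit that applies to every account
# ('*' domain) in a limits.conf; fails if none is set.
nproc_hard_limit() {
  awk '$1=="*" && $2=="hard" && $3=="nproc" {lim=$4}
       END { if (lim=="") exit 1; print lim }' "$1"
}

# SC-45: `timedatectl show` reports NTPSynchronized=yes once the clock is
# disciplined by NTP. Reads that output from stdin.
time_synchronized() {
  grep -qx 'NTPSynchronized=yes'
}

# Run every check against the live host and report PASS/FAIL per item.
audit_host() {
  local rc=0 f lim
  for f in /etc/shadow /etc/gshadow /etc/ssh/ssh_host_ed25519_key /var/log/audit/audit.log; do
    if perm_within "$f" 640; then echo "PASS mode <= 640: $f"
    else echo "FAIL mode > 640 or file missing: $f"; rc=1; fi
  done
  if iptables -S 2>/dev/null | fw_input_default_deny || nft list ruleset 2>/dev/null | fw_input_default_deny; then
    echo "PASS host firewall INPUT policy is DROP"
  else echo "FAIL host firewall INPUT policy is not DROP"; rc=1; fi
  if ssh_banner_configured /etc/ssh/sshd_config; then echo "PASS sshd warning banner"
  else echo "FAIL sshd warning banner missing or empty"; rc=1; fi
  if lim=$(nproc_hard_limit /etc/security/limits.conf); then echo "PASS hard nproc limit: $lim"
  else echo "FAIL no hard nproc limit for '*'"; rc=1; fi
  if timedatectl show 2>/dev/null | time_synchronized; then echo "PASS clock NTP-synchronized"
  else echo "FAIL clock not NTP-synchronized"; rc=1; fi
  return $rc
}

# Audit the live host only when invoked as `bash server_check.sh --live`.
if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run `bash server_check.sh --live` as root to audit a host; each check function also accepts constructed input, so a configuration-management pipeline can exercise the checks before rollout. A PASS confirms only that the setting is present, not that it matches the approved baseline; the entity's SSP and the baseline sources referenced under PR.PS remain authoritative.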

IV. Detect

CSF Category | Requirement | NIST SP 800-53 Controls
DE.CM (Continuous Monitoring) | Ensure computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events. Note: State entities that lack 24/7 monitoring capability are recommended to use CDT's statewide SOC as a Service (SOCaaS). | CA-7, CA-7(4); SIMM 5355-A

APPENDIX A – Summary of Controls

NIST Cybersecurity Framework 2.0 categories and the NIST SP 800-53 controls mapped to them

Govern
  GV.RM: Risk Management Strategy
    PM-4: Plan of Action and Milestones Process
  GV.RR: Roles, Responsibilities, and Authorities
    SA-3: System Development Life Cycle
  GV.PO: Policies, Processes, and Procedures
    PL-2: System Security and Privacy Plans
    NIST SP 800-18: Guide for Developing Security Plans for Federal Information Systems

Identify
  ID.AM: Asset Management
    CM-8: System Component Inventory
    SA-3: System Development Life Cycle
  ID.RA: Risk Assessment
    CA-5: Plan of Action and Milestones
    RA-3: Risk Assessment

Protect
  PR.AA: Identity Management, Authentication, and Access Control
    AC-3: Access Enforcement
      • AC-3(7) Role-based Access Control
      • AC-3(8) Revocation of Access Authorizations
      • AC-3(11) Restrict Access to Specific Information Types
    AC-6: Least Privilege
      • AC-6(1) Authorize Access to Security Functions
      • AC-6(2) Non-privileged Access for Nonsecurity Functions
      • AC-6(5) Privileged Accounts
      • AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions
    CM-5: Access Restrictions for Change
      • CM-5(5) Privilege Limitation for Production and Operation
    CM-7: Least Functionality
      • CM-7(1) Periodic Review
    IA-2: Identification and Authentication (Organizational Users)
    IA-5: Authenticator Management
    SC-7: Boundary Protection
      • SC-7(5) Deny by Default / Allow by Exception
    SC-8: Transmission Confidentiality and Integrity
  PR.DS: Data Security
    AC-17: Remote Access
      • AC-17(2) Protection of Confidentiality and Integrity Using Encryption
    AC-18: Wireless Access
    SC-7: Boundary Protection
      • SC-7(4) External Telecommunications Services
    SC-32: System Partitioning
  PR.PS: Platform Security
    AC-8: System Use Notification
    AC-17: Remote Access
      • AC-17(2) Protection of Confidentiality and Integrity Using Encryption
    AC-18: Wireless Access
    CM-2: Baseline Configuration
    CM-3: Configuration Change Control
    CM-6: Configuration Settings
      • CM-6(1) Automated Management, Application, and Verification
    CM-7: Least Functionality
      • CM-7(2) Prevent Program Execution
      • CM-7(5) Authorized Software / Allow-by-exception
    MA-2: Controlled Maintenance
    RA-5: Vulnerability Monitoring and Scanning
    SC-5: Denial-of-service Protection
      • SC-5(2) Capacity, Bandwidth, and Redundancy
      • SC-5(3) Detection and Monitoring
    SC-7: Boundary Protection
      • SC-7(3) Access Points
    SC-32: System Partitioning
    SC-45: System Time Synchronization
    SI-2: Flaw Remediation
      • SI-2(4) Automated Patch Management Tools
    SIMM 5345-A: Vulnerability Management Standard
  PR.IR: Technology Infrastructure Resilience
    CA-8: Penetration Testing
    CP-9: System Backup
    PE-3: Physical Access Control
    PE-11: Emergency Power
    PE-13: Fire Protection
    PE-14: Environmental Controls

Detect
  DE.CM: Continuous Monitoring
    CA-7: Continuous Monitoring
      • CA-7(4) Risk Monitoring