Hardening for U-M Systems | safecomputing.umich.edu

Hardening is the process of securing systems and the data stored on them against possible attack, theft, and accidental loss by following best practices and mitigating known vulnerabilities. It is also a part of Information Security Risk Management, and crucial to IT security at U-M. You are expected to harden systems to meet the requirements outlined in Minimum Information Security Requirements for Systems, Applications, and Data.

Hardening with CIS-CAT

Information Assurance (IA) recommends that you begin the process of hardening university servers, workstations, or databases by running the Center for Internet Security's Configuration Assessment Tool—CIS-CAT. The tool will scan your system, compare it to a preset benchmark, and then generate a report to help guide further hardening efforts.

To get started with CIS-CAT:

Download CIS-CAT from IA's Dropbox location. (U-M login is required. CIS-CAT is available for use to faculty, staff, and students.)
View the CIS-CAT Pro Assessor User Guide from the CIS website.

U-M units are free to use any of the CIS tools provided by IA on their U-M systems. CIS-CAT may also be used on personal systems that are used for university business.

IA recommends units achieve 80% compliance or better with the CIS-CAT benchmark for any given system.

Note: CIS-CAT does not check for compliance with federal and state laws and U-M policies and standards regarding specific types of sensitive data. If your systems contain sensitive regulated U-M data, you are also required to meet any additional legal, contractual, or policy requirements for that data, regardless of how your system scores against the CIS-CAT benchmarks.

Tip: Use CIS-CAT to check for system drift. Small changes add up over time, creating "drift" that moves systems away from the original configuration you checked with CIS-CAT. You can use CIS-CAT to perform monthly drift checks automatically by scheduling it to run a CIS-CAT Pro Assessor scan. Doing so will provide insight into the system's ongoing hardening profile and help satisfy the NIST SP 800-53 control CM-3, Configuration Change from the list of common controls. You can learn more about the Configuration Management controls IA prioritizes in the RECON Common Controls slides. (U-M login required)

If you can't run CIS-CAT on your system or meet a benchmark: If you cannot run CIS-CAT on a particular system, or you are unable to get a passing score of 80% or better or complete a required hardening item, please contact IA through the ITS Service Center for assistance.