Hardening is the process of securing systems and the data stored on them against possible attack, theft, and accidental loss by following best practices and mitigating known vulnerabilities. It is also a part of Information Security Risk Management, and crucial to IT security at U-M. You are expected to harden systems to meet the requirements outlined in Minimum Information Security Requirements for Systems, Applications, and Data.
Configuration Assessment Tools
Information Assurance (IA) recommends that you begin the process of hardening university servers, workstations, or databases by utilizing the IA-supported CrowdStrike Configuration Assessment tool. The CrowdStrike tool is the preferred method of scanning at this time.
IA also supports the use of Tenable's Compliance Scanning tool. Please note that Tenable recently released updates for reporting compliance scores, which IA is currently testing. You may need to calculate your compliance score from Tenable manually in some situations.
Lastly, if there are reasons you cannot use the CrowdStrike or Tenable tools, please contact IA through the ITS Service Center. Note that IA no longer provides or supports custom versions of CIS-CAT.
CrowdStrike, Tenable, and CIS-CAT all use benchmarks recommended by the Center for Internet Security (CIS), and can be used on University of Michigan owned devices. IA recommends units achieve 80% compliance or better for any given system regardless of the tool used.
Hardening with CrowdStrike
CrowdStrike Falcon is licensed only for use on U-M owned systems and cannot be installed on personal computers.
In order to use CrowdStrike you must have the appropriate permissions within the system. CrowdStrike Falcon console accounts are available to unit staff who have an IT security role or who will be monitoring and managing system hardening. The SUL for a unit can request console access for these staff members by submitting an Enhanced Endpoint Protection ticket to the ITS Service Center.
CrowdStrike’s Configuration Assessment tool is available for RHEL, Mac, and Windows; however, not all versions of these platforms are supported. To see the current list of supported operating system versions, please visit the vendor documentation for Configuration Assessment (requires Falcon console access).
Data already captured by the Falcon Sensor Agent installed on your system is compared against a configuration assessment policy that is set up and maintained within CrowdStrike by each unit. Detailed information on the supported platform versions, how to configure policies, and how to view benchmark results can be found in the End User Guide for CrowdStrike Configuration Assessment. Once set up, benchmark scores for devices are automatically updated in the console by the Falcon Agent on a regular basis, enabling you to view the current hardening score at any time. NOTE: Benchmark scores update automatically every ~4 hours, but you can manually refresh a system’s benchmark review to see real-time hardening progress.
Hardening with Tenable
Tenable Scanning is certified by CIS, and available to be run on any U-M owned device. U-M units are free to use the CIS Compliance benchmark scanning provided by Tenable. Upon request, IA will set up a Tenable scan of your device for you. After a scan is complete, Tenable produces an output of the results with recommendations for improving the hardening of your system. To request a CIS scan using Tenable, please contact IA through the ITS Service Center and mention Tenable. We will need to know what systems you would like to have scanned, which benchmark you would like to use, and where the results should be sent.
Contact Us
Please contact IA through the ITS Service Center if any of the following apply to a particular system:
- You cannot install the CrowdStrike Falcon Sensor.
- The CrowdStrike Falcon Sensor is installed, but you prefer to use the Tenable Scanning tool for security hardening, and are encountering issues installing or running the Tenable agent.
- You are unable to get a passing score of 80% or better.
- You are unable to complete a required hardening item.