What is Hardening (Configuration Management)?
Hardening is the process of securing systems and the data stored on them against possible attack, theft, and accidental loss by following best practices and mitigating known vulnerabilities. It is at the core of compliance with IT standards like Information Security Risk Management (DS-13) and Vulnerability Management (DS-21), and is crucial to IT security at U-M. A key part of hardening is configuration management: comparing a system's configuration against a known set of best practices in order to achieve a baseline of security. From that baseline, systems can be further hardened to meet the requirements outlined in Minimum Information Security Requirements for Systems, Applications, and Data. IA uses the Center for Internet Security (CIS) benchmarks for configuration management assessments.
Changes to Hardening at U-M
In the past, IA recommended and provided customized templates for the CIS tool known as CIS-CAT. However, CrowdStrike and Tenable, which are already widely deployed, both include similar functionality natively. In order to simplify our environment, IA now recommends using one of these two tools. IA will no longer provide and support a customized CIS-CAT version.
Moving forward:
- IA recommends the use of CrowdStrike Falcon's configuration assessment tool as the primary means of benchmarking configurations.
- IA will also provide and support Tenable's assessment capability.
- If there are reasons your unit cannot use the CrowdStrike or Tenable tools, please contact IA through the ITS Service Center.
Please share this information with any IT staff who may be impacted. If you or your staff have questions about this change, or about any IA-provided capability, please contact Information Assurance through the ITS Service Center.