Wishes System Hardening Policies
Wishes baseline policy for system hardening
Updated 12/28/24
General
Systems and servers are depended upon to deliver data in a secure, reliable fashion. There must be assurances that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions in service.
Applicability
The purpose of this policy is to describe the requirements for maintaining the security and integrity of server and application software. It applies to all responsible team members.
User Configuration
Only approved Wishes team members, as appointed by our CTO, can maintain and update Wishes security. All approval for access must go through the CTO. The CTO, in combination with the leadership team, will regularly perform audits of the administrator groups. Wishes uses a password policy that addresses password complexity, expiration, history, and account lockout. Screensavers and idle-time logouts are enforced. Users are prevented from modifying settings, accessing dangerous websites, and sharing files within their profile. Administrators are given primary control over almost everything, and users are given access only to what they need.
Mandatory Access Control Configuration (features and roles)
Administrators have primary control over server configuration, sensitive files, services, security tools, and more. Permissions are role based to enforce security on critical systems and only give access to who needs it.
Service Configuration
Using CIS Benchmarks, we monitor and identify which systems need updates in order to minimize risk and improve overall security and system performance.
Logging and Auditing
Logging is reviewed weekly and monthly. Audits will be performed on systems and servers. Security incidents will be logged and addressed.
Remote Access Hardening
Remote access to Wishes systems is only available to Wishes team members. We enforce strict password requirements, secure and monitor SSH, disable elevated privileges where possible, and use a non-elevated account when possible.
Software Configuration (i.e. databases)
We’ve implemented role-based access and maintain regular software update practices. We follow the benchmarks for our systems. Hardening these applications is just as important as hardening the OS itself, as both are the backbone of the production environment.
Access, Authentication, and Authorization
We ensure the systems are physically secured. We’ve set up custom roles and strong passwords. We delete unnecessary operating system users or never create them, and avoid the use of root or “super admin” accounts with excessive privileges. We limit membership of admin groups, grant elevated privileges on an as-needed basis, and use multi-factor authentication for access to all tools and systems.
Cloud Configuration
We’ve locked down our security groups and limit all ingress and egress traffic as needed. We have set up alerts across all systems. We are monitoring volume changes or hardware changes that may suddenly impact a system’s performance.
Network Time Protocol Configuration
We have reviewed our NTP configuration and have removed or disabled any unnecessary NTP servers.
Network Configuration
Most operating systems and network devices, including routers and switches, come equipped with services turned on when they are received from the manufacturer. Disabled services cannot be exploited by an adversary; therefore, all unnecessary services should be disabled, and if they cannot be turned off, consider blocking them at the firewall. We’ve ensured DNS redundancy.
Firewall Configuration
We keep our firewalls up to date. We use strong non-default passwords, audit account access regularly, and remove unnecessary access.