Why a Build Review is Essential
System hardening aims to configure a system securely by removing unnecessary functionality. Every superfluous application, service, driver, feature, and setting is a potential source of security vulnerabilities. Once a system has been hardened and integrated into an environment, its security must be maintained through regular updates and patches. Both internal and cloud build reviews benchmark system builds against recognised standards, including CIS, ISO, SANS, and NIST.
Servers often contain sensitive information, making them prime targets for attackers. The assessment process we adopt for server build reviews can also be applied to auditing other devices. For more detailed information on network device configuration reviews, please see our 'Firewall Rule and Configuration' section.
To assess your server's security, we require:
- An account with local administrator privileges.
- A management login channel, tailored to the specific systems under review.
Using host-based audit tools, custom scripts, and manual checks, we examine your systems through the top three layers of the defence in depth model: Host, Application, and Data. This comprehensive approach ensures every aspect of your build has been thoroughly assessed and hardened.
- Defence in Depth: Host
Focused on the operating system and core services, this phase aims to identify attack vectors that could give an attacker a foothold or additional privileges.
- Defence in Depth: Application
This layer delves into software or services central to the server's role, from web servers to database software or even broader applications like Active Directory.
- Defence in Depth: Data
The final layer of our review checks that stored data remains protected and that its sensitivity is appropriate for the level of protection the system provides.
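As an added example (not ProCheckUp's own tooling), a small Python check of the kind a custom host-layer audit script performs: it parses constructed `systemctl list-unit-files` and `ss -tlnp` output from a host under review and reports where the build deviates from a constructed hardening baseline. The baseline, unit names and sample command output are assumptions made for illustration.

```python
import re

# Constructed hardening baseline for a Linux web server build (illustrative only,
# not a real CIS/NIST profile): anything outside it is a finding to remove or justify.
BASELINE = {
    "required_units": {"auditd.service", "nftables.service"},
    "allowed_units": {"auditd.service", "nftables.service", "sshd.service",
                      "nginx.service", "chronyd.service", "rsyslog.service"},
    "allowed_listeners": {("sshd", 22), ("nginx", 80), ("nginx", 443)},
}
# Constructed host snapshot in the shape of `systemctl list-unit-files --state=enabled`
# and `ss -tlnp`, as an audit script would collect them from the host under review.
UNIT_FILES = """\
sshd.service      enabled  enabled
nginx.service     enabled  enabled
telnet.socket     enabled  enabled
cups.service      enabled  enabled
"""
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=940,fd=6))
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("systemd",pid=1,fd=40))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mariadbd",pid=1201,fd=21))
"""
LISTEN_RE = re.compile(r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_units(text):
    """Enabled unit names from systemctl-style output (first column, state 'enabled')."""
    return {f[0] for f in (ln.split() for ln in text.splitlines()) if len(f) > 1 and f[1] == "enabled"}

def parse_listeners(text):
    """{(process, port, bind_address)} from ss -tlnp style output; header lines are skipped."""
    return {(m.group(3), int(m.group(2)), m.group(1))
            for m in map(LISTEN_RE.match, text.splitlines()) if m}

def review_host_layer(units_text, ss_text, baseline=BASELINE):
    """Host-layer build review: returns findings as (severity, item, detail) tuples."""
    enabled, listeners, findings = parse_units(units_text), parse_listeners(ss_text), []
    for unit in sorted(baseline["required_units"] - enabled):
        findings.append(("high", unit, "required hardening control is not enabled"))
    for unit in sorted(enabled - baseline["allowed_units"]):
        findings.append(("medium", unit, "enabled unit not in baseline; remove or justify"))
    for proc, port, addr in sorted(listeners):
        if (proc, port) not in baseline["allowed_listeners"]:
            # A loopback-only listener is lower risk than one bound to every interface.
            sev = "low" if addr.startswith("127.") else "medium"
            findings.append((sev, f"{proc}:{port}", f"listener on {addr} is not in baseline"))
    return findings
```

The same structure extends to the application layer by swapping in the relevant configuration output (for example a web server's enabled modules) and a matching baseline.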
Guidelines and Practices
While numerous hardening guidelines are available, we typically reference standards from NIST, CIS, software publishers like Microsoft, and CESG. Recognizing the unique needs of each organization, we also offer custom build reviews tailored to your specific business requirements.
Upon completion, you'll receive a detailed technical report highlighting all identified issues and recommended solutions, together with an executive summary. Severe vulnerabilities are reported to you immediately rather than held back for the final report, so that remediation can start straight away.
ProCheckUp Engagement Lifecycle
ProCheckUp utilises a standard engagement model for all engagements, defined below:
Offering - Activities that take place before the execution of a consultancy assignment:
- Pre-sales and identification of client needs;
- Creation of an agreement, typically covering:
  - Context of the work
  - Services and deliverables
  - Approach and work plan
  - Roles and responsibilities.
Execution - Delivery of the services agreed at the offering stage to satisfy the client:
- Refining the work plan;
- Implementing the agreed work plan;
- Assignment of staff, management and mentoring;
- Approval and acceptance.
Closure - Activities that take place at the end of a consultancy assignment:
- Final client evaluation and agreement that the service has been delivered;
- Conclusion of obligations;
- Finalising payment;
- Any subsequent improvements to the service.
Please contact us for more information on how Build Review Services can help you.