Hardening the PRA Engine Host
This topic discusses best practices for hardening Privileged Remote Access (PRA) engine servers.
PRA engines do not store any passwords, PII, or user data in any configuration files.
General Hardening Steps
Restrict Incoming Port Access to All PRA Engine Servers
PRA engines do not require any open incoming ports.
- Allow an SSH proxy port coming from the user's LAN.
- Block all other incoming ports.
Remove Unnecessary User Groups
For administrator user groups:
- Remove default domain admins, administrator and unused/unnecessary groups.
- Create one group that will have access to the PRA engine server(s).
- Disable the built-in local administrator user.
Rename Default Accounts
- Change the names of all administrator and guest accounts to names that do not indicate their permissions.
- Create a new locked and unprivileged "administrator" user name as bait.
Disable Services
Disable these services:
- None
Restrict Network Protocols
- None
SSL/TLS Settings
Keep your server SSL/TLS settings up to date. Protocol versions and cipher suites, among other settings, can each be vulnerable to different attacks on SSL/TLS.
- Disable SSL 2.0
- Disable SSL 3.0
- Disable TLS 1.0
- Disable TLS 1.1
- Enable TLS 1.2
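The protocol list above expressed as a Schannel registry audit, as an added example that is not part of the original documentation or the vendor's tooling. It assumes the engine host runs Windows and terminates TLS through Schannel; the `-Apply` switch, function name and variable names are this example's own.

```powershell
# Added example, not vendor code. Assumes a Windows host whose TLS stack is Schannel.
# Run from an elevated prompt; -Apply (this example's own switch) writes the values.
param([switch]$Apply)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired server-side state from the checklist above: $true = enabled.
$policy = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-ProtocolState([string]$Key) {
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    # No explicit value means the OS default applies, which differs between
    # Windows versions, so it is reported separately instead of guessed.
    if ($null -eq $p -or $null -eq $p.Enabled) { return 'NotSet' }
    if ($p.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$report = foreach ($proto in $policy.Keys) {
    $key  = Join-Path $base "$proto\Server"
    $want = if ($policy[$proto]) { 'Enabled' } else { 'Disabled' }

    if ($Apply -and (Get-ProtocolState $key) -ne $want) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $on = [int]$policy[$proto]
        New-ItemProperty -Path $key -Name Enabled -Value $on -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value (1 - $on) -PropertyType DWord -Force | Out-Null
    }

    $state = Get-ProtocolState $key
    [pscustomobject]@{
        Protocol  = $proto
        Expected  = $want
        Actual    = $state
        Compliant = ($state -eq $want)
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled compliance job flag drift.
if ($report.Compliant -contains $false) { exit 1 }
```

Schannel reads these values at startup, so a reboot is needed after `-Apply` before the listener's behaviour changes. A `NotSet` row is reported as non-compliant on purpose, so the hardened state is explicit rather than inherited from the OS default.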