SEM Hardening and Configuration review

Hello everyone,

I'm in search of assistance or resources for a SEM/FIM audit covering hardening and configuration review (checklists, reports, health checks...).

Any help would be greatly appreciated.

Thank you

  • This is a very open-ended question: are we talking about endpoints or the SEM itself?

    For SEM itself

    - Change the CMC SSH password from the default if you have not already.

    - Enable TLS.

    - Replace the certificate with your proper domain certs.

    - Enable the Active Directory and SSO configuration so logins are listed in AD.

    - Depending on deployment, if virtual, make a replicated VM for secondary backup or set up an HA config.

    - Change the standard ports the SEM agent communicates on so they are not public knowledge.

    - If SEM will be accessed via the public Internet, a reverse proxy is recommended for additional protection.

    - Create a read-only admin account for SEM if it is only monitoring.

    - Try to use TCP syslog when possible.

    - Configure retention policies and backups as required.

    - Update email templates for more information.

    For Endpoints

    - Make sure connection dependencies are configured before deployment. Loss of log collection requires a registry file update to pull data. For the syslog pull, make sure to point to the right logs.

    - USB-Defender add-on.

    - Check that agent versions are updated.

    - Monitor device check-ins for proper operation.

    - Enable more logging via GPO for Windows, as some is turned off by default (e.g. PowerShell logging).

    Health

    - Make sure you monitor the memory and storage for your device, either by widgets on the dashboard or by creating rules to alert you.

    - If running only a single instance, it does not hurt to enable log forwarding to a secondary syslog.

    - Reporting: schedule reports to the distro list for people who do not need direct access to the platform.

    - Recommend virtualization of SEM for better system monitoring and replication.

    - Export all custom rules for archiving and change management controls.

    These are the basic recommendations to start with; customize the rest to meet your needs.

    Let me know if this helps.

  • Hi Patterson,

    Thank you for your insightful response. I'm seeking hardening requirements for the FIM server at the OS level and for the FIM software configuration: access, rules, and also endpoint configuration. Do you have any guidelines, best-practice documents or checklists covering the specified hardening requirements?

    Thank you

  • SEM connectors do not track all event IDs, but the majority. So I recommend looking at the connector config file on the endpoint to determine which event IDs it tracks. The next step is to ensure that enhanced auditing via GPO or local policy is enabled for the events listed. This increases visibility into your system.

    As for hardening, start off with MS baselines if Windows Server, as a starting point.

    For FIM, I recommend that any file shares are controlled by network security groups instead of local users.

    Be careful about what folders you add, as this can cause a lot of noise in logs.

    It is good practice to disable the built-in administrator account and use another with a different name.

    If the computer is accessible via remote RDP, enable the terminal services connector and set up event logs. If SSH, check that auditd logs catch sessions. If PowerShell, enable transcription in GPO.

    If you have your own CA, enroll the computer for a certificate and move away from self-signed.

    It would help if you mention any regulatory requirements you need to meet, because this will make it more complex.
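The endpoint checks this reply describes (PowerShell transcription via GPO and enhanced auditing for the event IDs a connector tracks), as an added example that is not part of the thread or of the SEM product: a PowerShell script that reads the PowerShell logging policy keys and queries the advanced audit subcategories with auditpol, flagging anything still off. The subcategory list is an assumption; match it to the event IDs in your connector config.

```powershell
# Added example (not from the thread): check the Windows endpoint logging
# prerequisites a SEM/FIM deployment relies on. Run in an elevated session.

# PowerShell logging policy keys (set via GPO under Windows Components >
# Windows PowerShell). A missing value means the policy is not configured.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$psChecks = @(
    @{ Name = 'Transcription';      Value = 'EnableTranscripting' },
    @{ Name = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
    @{ Name = 'ModuleLogging';      Value = 'EnableModuleLogging' }
)

# Advanced audit subcategories feeding common Security log event IDs.
# Assumed list: extend it to match the event IDs your connector config tracks.
$auditSubcategories = @(
    'Logon', 'Logoff', 'Special Logon', 'Process Creation',
    'Audit Policy Change', 'User Account Management',
    'Security Group Management', 'File System'
)

$results = @()

foreach ($c in $psChecks) {
    $item = Get-ItemProperty -Path "$psPolicy\$($c.Name)" -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item)                 { $status = 'Not configured' }
    elseif ([int]$item.($c.Value) -eq 1) { $status = 'Enabled' }
    else                                 { $status = 'Disabled' }
    $results += [pscustomobject]@{ Check = "PowerShell $($c.Name)"; Status = $status }
}

# auditpol /r emits CSV; 'Inclusion Setting' reads e.g. 'Success and Failure'
# or 'No Auditing'. An unknown subcategory name yields no CSV row.
foreach ($sub in $auditSubcategories) {
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    $status = if ($row) { $row.'Inclusion Setting' } else { 'Unknown subcategory' }
    $results += [pscustomobject]@{ Check = "Audit: $sub"; Status = $status }
}

$results | Format-Table -AutoSize

# Anything listed here is a visibility gap the SEM connector cannot fill.
$results | Where-Object { $_.Status -in 'Disabled', 'Not configured', 'No Auditing' } |
    ForEach-Object { Write-Warning "Review: $($_.Check) is $($_.Status)" }
```

Run it on a sample endpoint before and after applying the GPO to confirm the settings actually landed; a 'Not configured' result is the usual sign the policy was linked to the wrong OU.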