• ANSSI - Configuration recommendations of a GNU/Linux system
• CIS Benchmark for Distribution Independent Linux
• nixCraft - 40 Linux Server Hardening Security Tips (2019 edition)
• nixCraft - Tips To Protect Linux Servers Physical Console Access
• TecMint - 4 Ways to Disable Root Account in Linux
• ERNW - IPv6 Hardening Guide for Linux Servers
• trimstray - The Practical Linux Hardening Guide - practical step-by-step instructions for building your own hardened systems and services. Tested on CentOS 7 and RHEL 7.
• trimstray - Linux Hardening Checklist - most important hardening rules for GNU/Linux systems (summarized version of The Practical Linux Hardening Guide)
• How To Secure A Linux Server - for a single Linux server at home
• Neo23x0/auditd - Best Practice Auditd Configuration
• ANSSI - Configuration recommendations of a GNU/Linux system
• CIRCL TR-83 - Linux Boot Hardening HOWTO - How to secure the boot sequence of your Linux based distribution (2024)
• ERNW - IPv6 Hardening Guide for Linux Servers

Red Hat Enterprise Linux - RHEL

• DISA STIGs - Red Hat Enterprise Linux 7
• CIS Benchmark for Red Hat Linux
• nixCraft - How to set up a firewall using FirewallD on RHEL 8
• Red Hat - A Guide to Securing Red Hat Enterprise Linux 7
• Red Hat - A Guide to Securing Red Hat Enterprise Linux 7

CentOS

• Lisenet - CentOS 7 Server Hardening Guide
• HighOn.Coffee - Security Harden CentOS 7

SUSE

• SUSE Linux Enterprise Server 12 Security and Hardening Guide

Ubuntu

• Ubuntu wiki - Security Hardening Features

Ubuntu

• Microsoft - Windows security baselines
• Microsoft - Windows Server Security | Assurance
• Microsoft - Windows 10 Enterprise Security
• BSI/ERNW - Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities - focused on Windows 10 LTSC 2019
• ACSC - Hardening Microsoft Windows 10, version 21H1, Workstations
• ACSC - Securing PowerShell in the Enterprise
• Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
• Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies
• ERNW - IPv6 Hardening Guide for Windows Servers
• Windows Defense in Depth Strategies - work in progress
• Endpoint Isolation with the Windows Firewall
• Microsoft - How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
• Awesome Windows Domain Hardening
• NSA - AppLocker Guidance - Configuration guidance for implementing application whitelisting with AppLocker
• NSA - Pass the Hash Guidance - Configuration guidance for implementing Pass-the-Hash mitigations (Archived)
• NSA - BitLocker Guidance - Configuration guidance for implementing disk encryption with BitLocker
• NSA - Event Forwarding Guidance - Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding
• ZeroSec - Paving The Way to DA - red teaming techniques and how to prevent them
• ERNW - IPv6 Hardening Guide for Windows Servers
• Microsoft recommended block rules - List of applications or files that can be used by an attacker to circumvent application whitelisting policies

Ubuntu

• ERNW - IPv6 Hardening Guide for OS-X
• ERNW - IPv6 Hardening Guide for OS-X

Ubuntu

• NSA - Harden Network Devices - very short but good summary

Switches

• DISA - Layer 2 Switch SRG v2r1

Routers

• NSA - A Guide to Border Gateway Protocol (BGP) Best Practices

IPv6

• NSA - IPv6 Security Guidance
• Part 1 - an-enterprise-ipv6-security-strategy-part-2-network-isolation-on-the-routing-layer/), [Part 3](https://www.insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-3-traffic-filtering-in-ipv6-networks-i/), [Part 4](https://insinuator.net/2015/12/developing-an-enterprise-ipv6-security-strategy-part-4-traffic-filtering-in-ipv6-networks-ii/) - Network Isolation on the Routing Layer, Traffic Filtering in IPv6 Networks

Firewalls

• NIST SP 800-41 Rev 1 - Guidelines on Firewalls and Firewall Policy
• trimstray - Iptables Essentials: Common Firewall Rules and Commands

Firewalls

• VMware Security Hardening Guides - covers most VMware products and versions
• CIS VMware ESXi 6.5 Benchmark
• DISA STIGs - Virtualisation - VMware vSphere 6.0 and 5
• ENISA - Security aspects of virtualization - generic, high-level best practices for virtualization and containers (Feb 2017)
• NIST SP 800-125 - Guide to Security for Full Virtualization Technologies - (2011)
• NIST SP 800-125A Revision 1 - Security Recommendations for Server-based Hypervisor Platforms
• NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
• ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
• ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d’information
• VMware - Protecting vSphere From Specialized Malware - see also [Mandiant - Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors](https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening)
• ANSSI - Recommandations de sécurité pour les architectures basées sur VMware vSphere ESXi - for VMware 5.5 (2016), in French
• ANSSI - Problématiques de sécurité associées à la virtualisation des systèmes d’information
• NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection

Firewalls

• How To Harden Your Docker Containers
• CIS Docker Benchmarks - registration required
• NIST SP 800-190 - Application Container Security Guide
• A Practical Introduction to Container Security
• ANSSI - Recommandations de sécurité relatives au déploiement de conteneurs Docker
• Kubernetes Security Checklist
• Kubernetes Role Based Access Control Good Practices
• Kubernetes Multi-tenancy
• Kubernetes blog - A Closer Look at NSA/CISA Kubernetes Hardening Guidance
• ANSSI - Recommandations de sécurité relatives au déploiement de conteneurs Docker
• ReynardSec - Docker Security – Step-by-Step Hardening (Docker Hardening)

SSH

• NIST IR 7966 - Security of Interactive and Automated Access Management Using Secure Shell (SSH)
• ANSSI - (Open)SSH secure use recommendations
• Linux Audit - OpenSSH security and hardening
• Positron Security SSH Hardening Guides - 2018) - focused on crypto algorithms
• stribika - Secure Secure Shell - some algorithm recommendations might be slightly outdated
• IETF - Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-10 - update to the recommended set of key exchange methods for use in the Secure Shell (SSH) protocol to meet evolving needs for stronger security. This document updates RFC 4250.
• Gravitational - How to SSH Properly - how to configure SSH to use certificates and two-factor authentication
• ANSSI - (Open)SSH secure use recommendations

TLS/SSL

• Netherlands NCSC - IT Security Guidelines for Transport Layer Security (TLS) - 2021
• NIST SP800-52 Rev 2 (2nd draft) - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - 2018, recommends TLS 1.3
• ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
• Qualys SSL Labs - SSL and TLS Deployment Best Practices - 2017, does not cover TLS 1.3
• RFC 7540 Appendix A TLS 1.2 Cipher Suite Black List
• ANSSI - Security Recommendations for TLS - 2017, does not cover TLS 1.3
• Applied Crypto Hardening: bettercrypto.org - handy reference on how to configure the most common services’ crypto settings (TLS/SSL, PGP, SSH and other cryptographic tools)

Web Servers

• Cipherlist.eu - Strong Ciphers for Apache, nginx and Lighttpd
• Apache HTTP Server documentation - Security Tips
• GeekFlare - Apache Web Server Hardening and Security Guide
• Apache Config - Apache Security Hardening Guide
• Apache Tomcat 9 Security Considerations - 8.0-doc/security-howto.html) / [v7](https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
• OWASP Securing tomcat
• How to get Tomcat 9 to work with authbind to bind to port 80
• Eclipse Jetty - Configuring Security
• Jetty hardening
• CIS Microsoft IIS Benchmarks

Mail Servers

• MDaemon - 15 Best Practices for Protecting Your Email - Generic recommandations but based on MDaemon Security Gateway for Email Servers

FTP Servers

• JSCAPE - Guide for securing FTP - Generic recommandations but based on JSCAPE MFT Server

Database Servers

• Netwrix - MS SQL Server Hardening Best Practices

Active Directory

• Microsoft - Best Practices for Securing Active Directory
• ANSSI CERT-FR - Active Directory Security Assessment Checklist - [other version with changelog](https://www.cert.ssi.gouv.fr/uploads/ad_checklist.html) - 2022 (English and French versions)
• "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD
• "Admin Free" Active Directory and Windows, Part 2- Protected Accounts and Groups in Active Directory
• "Admin Free" Active Directory and Windows, Part 1- Understanding Privileged Groups in AD

ADFS

• adsecurity.org - Securing Microsoft Active Directory Federation Server (ADFS)
• Microsoft - Best practices for securing Active Directory Federation Services

Kerberos

• CIS MIT Kerberos 1.10 Benchmark - 2012

LDAP

• OpenLDAP Software 2.4 Administrator's Guide - OpenLDAP Security Considerations
• Best Practices in LDAP Security
• LDAP: Hardening Server Security (so administrators can sleep at night)
• LDAP Authentication Best Practices - retrieved from web.archive.org
• Hardening OpenLDAP on Linux with AppArmor and systemd - slides
• zytrax LDAP for Rocket Scientists - LDAP Security
• How To Encrypt OpenLDAP Connections Using STARTTLS

DNS

• CIS - BIND DNS Server 9.9 Benchmark
• DISA STIGs - BIND 9.x
• NIST SP 800-81-2 - Secure Domain Name System (DNS) Deployment Guide
• CMU SEI - Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure

NTP

• IETF - Network Time Protocol Best Current Practices draft-ietf-ntp-bcp
• CMU SEI - Best Practices for NTP Services
• Linux.com - Arrive On Time With NTP -- Part 3: Secure Setup
• Linux.com - Arrive On Time With NTP -- Part 2: Security Options

NFS

• Linux NFS-HOWTO - Security and NFS - a good overview of NFS security issues and some mitigations
• Red Hat - RHEL7 Storage Administration Guide - Securing NFS
• NFSv4 without Kerberos and permissions - why NFSv4 without Kerberos does not provide security
• CertDepot - RHEL7: Use Kerberos to control access to NFS network shares

CUPS

• CUPS Server Security

CUPS

• UK NCSC - Password administration for system owners
• NIST SP 800-63 Digital Identity Guidelines
• OWASP Password Storage Cheat Sheet
• ANSSI - Recommendations on multi-factor authentication and passwords
• ANSSI - Recommendations on multi-factor authentication and passwords

CUPS

• ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)
• NSA Info Sheet: UEFI Lockdown Quick Guidance (March 2018)
• NSA Tech Report: UEFI Defensive Practices Guidance (July 2017)
• ANSSI - Hardware security requirements for x86 platforms - recommendations for security features and configuration options applying to hardware devices (CPU, BIOS, UEFI, etc) (Nov 2019)

CUPS

• NSA Info Sheet: Cloud Security Basics (August 2018)
• DISA DoD Cloud Computing Security
• asecure.cloud - Build a Secure Cloud - A free repository of customizable AWS security configurations and best practices

CUPS

• Chef InSpec - open-source testing framework by Chef that enables you to specify compliance, security, and other policy requirements. can run on Windows and many Linux distributions.

GNU/Linux

• Lynis - script to check the configuration of Linux hosts
• OpenSCAP Base - oscap command line tool
• SCAP Workbench - GUI for oscap
• Tiger - The Unix security audit and intrusion detection tool

Windows

• PingCastle - Tool to check the security of Active Directory

TLS/SSL

• Qualys SSL Labs - List of tools to assess TLS/SSL servers and clients

TLS/SSL

• Mozilla SSL Configuration Generator

Cloud

• DevSec Hardening Framework - a framework to automate hardening of OS and applications, using Chef, Ansible and Puppet

GNU/Linux

• Bastille Linux - outdated

Windows

• mackwage/windows_hardening.cmd - Script to perform some hardening of Windows 10
• Microsoft Security Compliance Toolkit 1.0 - set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products

Cloud

• How-To Geek - 10 Ways to Generate a Random Password from the Linux Command Line
• Vitux - 8 Ways to Generate a Random Password on Linux Shell
• SS64 - Password security and a comparison of Password Generators
• Awesome Cybersecurity Blue Team - A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

Cloud

• Awesome Honeypots - An awesome list of honeypot resources.
• Android Security Awesome - A collection of android security related resources.
• Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
• Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
• Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
• Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
• Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
• Awesome Incident Response - A curated list of resources for incident response.
• Awesome Crypto Papers - A curated list of cryptography papers, articles, tutorials and howtos.
• Awesome Security - A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.