Appliance Hardening

Overview

Hardening is the process of reducing the attack surface of an operating system or an application by enforcing a set of configurations in line with security best practices.

From V6.29 onwards, Nexthink Appliances are hardened following the Center for Internet Security (CIS) benchmark for CentOS 7 L1 v2.2.0.

Level 1 (L1) security controls are intended to provide a clear security benefit while having a minor impact on performance and maintaining usability.

Every fresh installation of the Appliance has L1 settings automatically applied.

In addition, we recommend following the procedures described below:

The Appliance requires additional communication ports to be open depending on the Nexthink server component (if any) that is installed along with the system packages.

The automatic hardening procedure opens the ports needed by the Portal, the Engine, or both when they are installed on top of the Nexthink Appliance.

In the last sections of this article, you will learn how to open additional ports in the Appliance that you may need for your specific setup and how to enforce security hardening in existing Appliances.

Because the hardening procedure is only automatic for fresh installations of the Appliance, you may find these sections useful if you are upgrading your Nexthink Appliances.

Hardening measures

ISO CIS hardening

Some hardening checks cannot be applied globally for all customers as they depend on customers’ internal policies and/or network configuration.

We leave it to each customer to choose how to configure those checks, if needed, to be fully compliant with the CIS standard.

Contact Nexthink Support to request the list of exceptions.


Except for the NTP configuration performed through the Web Console, please inform Nexthink Support of any changes to these checks so that we can track them and give you better support if needed.

Portal

The following ports are open by default when installing the Portal on the Appliance:

  • TCP 443 and 80

After federating your Appliances, these additional communication channels with the Engine are open as well, but they are only accessible to the host names or IPs of the federated Engines:

  • TCP 7000, 7001, 7002, and 7003

Therefore, federation is mandatory in hardened Appliances to enable real-time communication between the Portal and the Engines. As a consequence, it is not possible to work in compatibility mode.

If Collector Assignment rules are used, these additional communication channels with the Engine are open as well:

  • TCP 8300, 8301, and 10402

  • UDP 8301

Engine

The following ports are open by default when installing the Engine on the Appliance:

  • TCP 99, 22, 443, 999, and 1671

If Collector Assignment rules are used, these additional communication channels with the Portal and peer Engines are open as well:

  • TCP 8300, 8301

  • UDP 8301

Enabling additional ports

The automatic hardening only opens the default ports; for those Engine ports whose number is configurable, it opens the port number you have configured instead of the default.

Third-party applications installed on the Appliance may require additional communication ports. To enable additional ports on the Engine or the Portal Appliance, even when hardening is turned on:

  1. Log in to the Web Console of either the Portal or the Engine Appliance.

  2. Select the APPLIANCE tab at the top of the Web Console.

  3. Click Security on the left-hand side menu.

  4. Under Custom ports:

    • Type in the additional UDP ports required inside the UDP ports box. Separate each port number by a new line.

    • Type in the additional TCP ports required inside the TCP ports box. Separate each port number by a new line.

      (Screenshot: CustomPortsWebConsole.png, the Custom ports section of the Security page)
  5. Click SAVE.
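The port lists above, for the Portal and the Engine plus any entries made under Custom ports, are the baseline a hardened Appliance should expose. The script below is an added example, not Nexthink's own tooling: it encodes those documented port sets, parses the output of `ss -tuln` (the sample output is constructed) and reports listeners outside the baseline for the selected role and setup, as well as baseline ports with nothing listening. A listener outside the baseline is blocked by the hardened firewall, but it still deserves review: either the service is unneeded, or its port is missing from Custom ports. The role names, flag names and the `custom` parameter are this example's own assumptions.

```python
"""Audit an Appliance's listening sockets against the hardening port baseline.

Added example; the BASELINE sets come from the documentation above, the
`ss -tuln` sample is constructed, and the function/flag names are assumptions.
"""
import shutil
import subprocess
import sys
from typing import Iterable, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Ports opened by the automatic hardening, per appliance role (from the page).
BASELINE = {
    "portal": {
        "default": {("tcp", 80), ("tcp", 443)},
        "federated": {("tcp", 7000), ("tcp", 7001), ("tcp", 7002), ("tcp", 7003)},
        "collector_assignment": {("tcp", 8300), ("tcp", 8301), ("tcp", 10402), ("udp", 8301)},
    },
    "engine": {
        "default": {("tcp", 22), ("tcp", 99), ("tcp", 443), ("tcp", 999), ("tcp", 1671)},
        "federated": set(),  # the page lists no extra Engine ports for federation
        "collector_assignment": {("tcp", 8300), ("tcp", 8301), ("udp", 8301)},
    },
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed `ss -tuln` output for an Engine with Collector Assignment rules
# and one extra service (TCP 5432) that is not part of the documented baseline.
SAMPLE_SS = """\
Netid  State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
udp    UNCONN     0      0      *:8301                          *:*
tcp    LISTEN     0      128    *:22                            *:*
tcp    LISTEN     0      128    *:99                            *:*
tcp    LISTEN     0      128    127.0.0.1:25                    *:*
tcp    LISTEN     0      128    :::443                          :::*
tcp    LISTEN     0      128    *:999                           *:*
tcp    LISTEN     0      128    *:1671                          *:*
tcp    LISTEN     0      128    *:8300                          *:*
tcp    LISTEN     0      128    *:8301                          *:*
tcp    LISTEN     0      128    *:5432                          *:*
"""


def expected_ports(role: str, federated: bool = False,
                   collector_assignment: bool = False,
                   custom: Iterable[Port] = ()) -> Set[Port]:
    """Ports the hardening should leave open for this role and setup.

    `custom` mirrors the entries typed under Custom ports in the Web Console.
    """
    sets = BASELINE[role]
    expected = set(sets["default"])
    if federated:
        expected |= sets["federated"]
    if collector_assignment:
        expected |= sets["collector_assignment"]
    expected |= set(custom)
    return expected


def parse_ss_listeners(output: str) -> Set[Port]:
    """Extract (proto, port) pairs from `ss -tuln` output, skipping loopback-only sockets."""
    listeners: Set[Port] = set()
    for line in output.splitlines():
        fields = line.split()
        # Header line, or a socket family this audit does not model.
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")  # "Local Address:Port" column
        if not port.isdigit() or addr in LOOPBACK:
            continue  # loopback listeners are not reachable from the network
        listeners.add((fields[0], int(port)))
    return listeners


def audit(listeners: Set[Port], expected: Set[Port]) -> Tuple[Set[Port], Set[Port]]:
    """Return (unexpected listeners, baseline ports with nothing listening)."""
    return listeners - expected, expected - listeners


if __name__ == "__main__":
    # Usage: python audit_ports.py [portal|engine] [federated] [collector]
    role = sys.argv[1] if len(sys.argv) > 1 else "engine"
    flags = set(sys.argv[2:])
    if shutil.which("ss"):  # real appliance: read the live socket table
        output = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    else:  # fall back to the constructed sample
        output = SAMPLE_SS
    expected = expected_ports(role, "federated" in flags, "collector" in flags)
    unexpected, missing = audit(parse_ss_listeners(output), expected)
    for proto, port in sorted(unexpected):
        print(f"REVIEW: {proto}/{port} listening but not in the {role} baseline")
    for proto, port in sorted(missing):
        print(f"MISSING: {proto}/{port} expected for {role} but nothing listening")
```

Run it on the Appliance as `python audit_ports.py engine collector`; on a host without `ss` it audits the embedded sample instead. For a port that is legitimately needed by a third-party application, add it under Custom ports in the Web Console and pass the same value through `custom=` so the audit stops flagging it.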

Enforce hardening from the Web Console

Only fresh installations of a V6.17 or higher Appliance are hardened automatically. From V6.18 onwards, you can protect upgraded Appliances with the same security settings as a fresh V6.17 or higher Appliance from the Web Console. Keep in mind that the Appliances must be federated before enforcing their hardening.

To harden your upgraded Appliances from the Web Console:

  1. Log in to the Web Console of either the Portal or the Engine Appliance.

  2. Select the APPLIANCE tab at the top of the Web Console.

  3. Click Security on the left-hand side menu.

  4. Under Security hardening, tick the option Keep appliance secure.

    (Screenshot: SecurityHardeningWebConsole.png, the Security hardening section of the Security page)
  5. Click SAVE.
