System Hardening Guidelines for 2021: Critical Best Practices

Oleg Zlotnik
March 5, 2021

Wouldn’t it be amazing if our laptops were as secure as Fort Knox, so hard for bad actors to reach your sensitive data that they don’t even try?

It’s a dream shared by cybersecurity professionals, business and government leaders, and just about everyone else – other than cybercriminals. But that’s all it is, and will likely ever be. While operating systems, like Microsoft Windows, have become more secure over time, they’re nowhere close to being impenetrable. That’s why enterprises need to be hyper-vigilant about how they secure their employees’ devices. Those devices, as we all know, are the gateways to company data that you don’t want to become public. That also makes them the darling of cyber attackers.

In 2021, this has become a significant issue. IT admins can no longer rely on in-office solutions like traditional endpoint security products, and browser isolation solutions can block productivity when your team can’t access the websites or applications they need.

Operating System Hardening

With endpoint attacks becoming exceedingly frequent and sophisticated, more and more enterprises are following operating system hardening best practices, such as those from the Center for Internet Security (CIS), to reduce attack surfaces. The hardening checklist typically includes:

  • Automatically applying OS updates, service packs, and patches
  • Removing or disabling non-essential software, drivers, services, file sharing, and functionality, any of which can act as a back door into the system
  • Requiring all users to use strong passwords and change them on a regular basis
  • Logging all activity, errors, and warnings
  • Restricting unauthorized access and implementing privileged user controls
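The checklist above is easier to keep honest when it is audited automatically. The following PowerShell script is an added example written for this page, not code from Hysolate or from the CIS benchmarks: it performs a read-only check of each of the five checklist items on a Windows 10 host and prints findings. The `$AllowedServices` baseline and the password-length and password-age thresholds are assumptions chosen for illustration; substitute the values from your own policy or from the CIS benchmark for your OS build. It uses only built-in tooling (`Get-Service`, `net accounts`, `auditpol`, `Get-LocalGroupMember`) and should be run from an elevated prompt.

```powershell
# Added example (not from the original post): read-only audit of the five hardening
# checklist items on a Windows 10 host. Baseline values below are assumptions.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Automatic OS updates: the Windows Update service must exist and not be disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') {
    $findings.Add("Windows Update service (wuauserv) is missing or disabled")
}

# 2. Non-essential services: report anything running that is not on the baseline.
#    Constructed, deliberately short allowlist; a real baseline is much longer.
$AllowedServices = @('wuauserv', 'EventLog', 'WinDefend', 'Dhcp', 'Dnscache', 'LanmanWorkstation')
Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $AllowedServices } |
    ForEach-Object { $findings.Add("Running service not on baseline: $($_.Name) ($($_.DisplayName))") }

# 3. Password policy: parse the local policy reported by 'net accounts'.
#    Thresholds (14 characters, 90 days) are assumed values, not from the post.
$acct   = net accounts
$minLen = [int](($acct | Select-String 'Minimum password length').Line -replace '\D', '')
$maxAge =        ($acct | Select-String 'Maximum password age').Line   -replace '\D', ''
if ($minLen -lt 14) {
    $findings.Add("Minimum password length is $minLen (expected >= 14)")
}
# 'Unlimited' leaves no digits behind, which is itself a finding.
if ($maxAge -eq '' -or [int]$maxAge -gt 90) {
    $findings.Add("Maximum password age is '$maxAge' days (expected <= 90)")
}

# 4. Logging: the event log service must run, and no audit subcategory should be
#    set to 'No Auditing' (auditpol lists one subcategory per line with its setting).
$evt = Get-Service -Name EventLog -ErrorAction SilentlyContinue
if (-not $evt -or $evt.Status -ne 'Running') {
    $findings.Add("Windows Event Log service is not running")
}
auditpol /get /category:* 2>$null |
    Select-String 'No Auditing' |
    ForEach-Object { $findings.Add("Audit subcategory not logged: $($_.Line.Trim())") }

# 5. Privileged access: list every member of the local Administrators group so
#    unexpected local admins are reviewed rather than silently accumulated.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Local administrator: $($_.Name) [$($_.ObjectClass)]") }

# Report.
if ($findings.Count -eq 0) {
    Write-Output "No findings"
} else {
    $findings | ForEach-Object { Write-Output "[FINDING] $_" }
}
```

The script only reads state and never changes it, so it is safe to schedule as a periodic compliance check; the findings it prints are the inputs to a remediation decision, not the remediation itself. Keeping the allowlist and thresholds at the top of the file makes it straightforward to swap in the values from a formal benchmark.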

These are all very important steps. However, they’re not enough to prevent hackers from accessing sensitive company resources. The majority of malware arrives through users clicking links in emails, downloading files, and visiting websites that, unbeknownst to them, load viruses onto their systems. Once inside the operating system, attackers can easily gain access to privileged information.

To help combat this, some enterprises lock down users’ devices so they can’t access the internet, install software, print documents remotely, and more. However, this makes employees, and thus the business, much less productive. It’s also incredibly frustrating to people just trying to do their jobs. As a result, users sometimes try to bypass those restrictions without understanding the implications. 

IT teams trying to harden the endpoint OS therefore continually struggle to balance security and productivity requirements, especially in 2021 when so much of the workforce is working remotely. To eliminate having to choose between them, IT admins are turning to OS isolation technology.

Want to learn more about system hardening and isolating endpoint risk in 2021? Sign up for our webinar How to isolate risky or untrusted activities on user endpoints.

OS Isolation Improves System Hardening, and Productivity

OS isolation technology gives you the benefits of an extremely hardened endpoint without interrupting user productivity. It works by splitting each end-user device into multiple local virtual machines, each with its own operating system. Everything an end user does happens in one of these prescribed operating systems, which run side by side with complete separation.

To enhance system hardening and productivity, you may run two zones. One is dedicated to privileged use and is extremely hardened: it’s fully locked down and limited to accessing sensitive data and systems. The other is reserved for general corporate work and has more relaxed security restrictions: it’s open to the internet and used for email, chat applications, and non-privileged information.

Any cybercriminals who infiltrate the corporate zone are contained within that operating system. They cannot reach the privileged zone or even see that it exists. You can also configure the corporate zone to be non-persistent so that it’s wiped clean at specified intervals for added protection.

Hysolate pioneered OS isolation. Our isolation platform, Workspace, enables security teams to harden the privileged OS further, in ways they couldn’t before because doing so would have interrupted business too much.

With Hysolate Workspace, users are empowered to do all of the below (and more) in the less restricted corporate zone, without putting the privileged zone at risk:

  • Browse any website
  • Use any browser and any browser extension
  • Use any third-party app needed for productivity, such as Zoom, Webex, Google Drive, Dropbox, etc.
  • Open potentially risky email attachments and links
  • Use external USB devices and print from remote locations
  • Hold local admin rights, useful for developers and power users, and install software on that corporate OS

Looking for a free solution for system hardening? Try Hysolate Free for a Sandbox on Steroids for Windows 10.
Written in March 2020, updated for accuracy in April 2021.

Oleg Zlotnik

Oleg is a Software Engineer and Cyber Security veteran with over 15 years of experience. At Hysolate, Oleg led an engineering team for several years, after which he joined the CTO's office as an architect and has pioneered the next-gen products. Prior to Hysolate, Oleg worked at companies such as Google and Cellebrite, where he did both software engineering and security research. He began his career in the intelligence unit 8200 of the IDF and holds a B.Sc. in Computer Science, Cum Laude, from the Technion.