Wouldn’t it be amazing if our laptops were as secure as Fort Knox? Where it’s so hard for bad actors to access your sensitive data, that they don’t even try?
While operating systems, like Microsoft Windows, have become more secure over time, they’re nowhere close to being impenetrable. That’s why enterprises need to be hyper-vigilant about how they secure their endpoints. Endpoints like employee workstations, servers and cloud VMs are the gateways to your corporate network, which can and will be exploited by attackers.
System hardening is an even bigger challenge as we go into 2022, as more sensitive devices move outside the secure office environments—and employees and contractors log in to sensitive corporate assets via unsecured or untrusted personal devices, or corporate devices that they use for mixed usage, and therefore also have a high level of risk.
What is a Hardened System?
Hardened systems are computing systems that are secured, with the goal of making them hack-proof. The process of hardening devices and systems involves eliminating or mitigating vulnerabilities. The term vulnerability refers to software flaws and weaknesses, which may occur in the implementation, configuration, design, or administration of a system. Threat actors exploit these vulnerabilities to hack into devices, systems, and networks.
Hardening techniques typically involve locking down configurations, achieving a balance between operational functionality and security. Vulnerability management and change control is another critical component of this effort. It introduces visibility and controls that can help you maintain a hardened build standard.
How Does System Hardening Reduce the Attack Surface?
The term “attack surface” refers to all potential flaws that threat actors can exploit to hack into a technological device, system, or network. The purpose of system hardening tools and techniques is to mitigate as many vulnerabilities as possible and reduce the attack surface.
There are several ways in which vulnerabilities may occur. Unpatched firmware and software, for example, can be exploited by attackers. Password vulnerabilities, such as hardcoded and default passwords or any credentials stored in plain text, can also create an exploitable attack surface.
Additional common vulnerabilities include unencrypted data-at-rest or network traffic, missing or poorly configured access controls, and misconfiguration of BIOS, ports, servers, firewalls, routers, switches, or any other infrastructure component. System hardening identifies these vulnerabilities and remediates them, thereby minimizing and hopefully eliminating the system’s attack surface.
Benefits of Systems Hardening
While system hardening requires a large, continuous effort, it provides substantial benefits for organizations. Here are several notable benefits:
- A higher level of security—the main purpose of system hardening techniques and tools is to reduce the attack surface. This translates into a significantly lower risk of malware, unauthorized access, data breaches, or other malicious activity.
- Better system functionality—system hardening best practices often involve reducing the amount of programs and functionality. This translates into less operational issues, reduced chance of misconfiguration which can affect user operations, less incompatibilities, and also reduced change of cyber attacks, which in themselves hurt user functionality.
- Simplified compliance and auditing—system hardening techniques can help turn a complex environment into a simpler one with less programs and accounts, and stable, predictable configuration. This translates into a more straightforward and transparent environment which is simpler to monitor and audit.
Server Hardening and OS Hardening Best Practices
This strategy focuses on securing the operating system of a workstation or server. You can maintain a hardened state for an operating system by automating updates and patches. While operating systems are also a form of software, operating system hardening differs from regular application hardening in that the software here is responsible for granting permissions to other applications.
Operating system hardening methods include:
- Applying the latest updates released from the operating system developer (i.e. Microsoft, Apple)
- Enabling built-in security features such as Microsoft Defender or using 3rd party EPP/EDR software
- Deleting unneeded drivers and updating the ones that are used
- Restricting the peripherals that are allowed to be connected
- Encrypting the host drive using a hardware TPM
- Enabling Secure Boot
- Restricting system access privileges
- Using biometrics or FIDO authentication on top of passwords
Additional methods for hardening server systems include establishing a strong password policy, protecting sensitive data with AES encryption or self-encrypting drives, implementing firmware resilience technology and multi-factor authentication.
Software Application Hardening Best Practices
This involves implementing software-based security measures to protect any standard or third-party application installed on a server. While server hardening seeks to secure the overall server system by design, application hardening focuses on securing specific applications, such as web browsers, spreadsheet programs, or custom software.
Application hardening techniques may include:
- Allowing installation only from trusted application repositories such as the Microsoft Store
- Automated patches of standard and third-party applications
- Firewalls, antivirus, and malware or spyware protection programs
- Software-based data encryption
- Password encryption and management applications such as LastPass
Network Hardening Best Practices
This approach secures the communication infrastructure for multiple systems and servers. You can achieve a hardened network state by implementing an intrusion prevention or detection system (IPS/DPS), which identifies suspicious network traffic.
These network hardening methods, when combined with an IPS or IDS, can help reduce the network’s attack surface:
- Proper configuration of network firewalls
- Audits of network rules and access privileges
- Disabling unneeded network ports and network protocols
- Disabling unused network services and devices
- Network traffic encryption
- Intrusion prevention and detection systems (IPS/IDS)
Database Hardening Best Practices
This is the process of securing the contents of a digital database as well as the database management system (DBMS), which allows users to store and analyze the data in the database.
Database hardening techniques may include:
- Restricting administrative privileges
- Implementing role-based access control (RBAC) policies
- Maintaining regular software updates for the database and DBMS
- Restricting unnecessary database functions
- Locking database accounts with suspicious login activity
Using System Hardening Standards
An important first step when hardening a system is to establish a baseline. The baseline is a hardened state of the system, which you should aim to achieve, and then monitor the system to detect any deviation from this hardened state.
Usually, the hardening baseline is determined using a benchmark—a set of security best practices provided by security researchers. There are many reference sources for security benchmarks, including the SANS Institute, the National Institute of Standards and Technology (NIST), Microsoft, and Oracle. There are also many guides and forums on the Internet for hardening best practices. However, these different sources can provide inconsistent advice in an inconsistent format.
Which Benchmark Should You Use?
Many organizations are focusing their hardening baselines on the Internet Security Center (CIS) benchmarks. The CIS Benchmarks are a set of best practice configuration standards developed through consensus among various cybersecurity experts.
There are over 100 benchmarks available—covering most operating systems, server software, databases, desktop software, printers, and public cloud infrastructure. Because they have wide coverage and are highly authoritative, CIS benchmarks are an ideal starting point for hardening yous sytems.
Using a Benchmark to Harden Your Systems
The first step to using a benchmark is to perform an assessment of the target system, to understand how well the current configuration matches the relevant CIS benchmark. This initial assessment lets you identify areas where the system is not aligned with the required hardening baseline.
Manual assessment can be time consuming, especially for complex systems, but automated tools have been developed for many CIS benchmarks, which can allow you to test systems automatically.
Based on the assessment, you should modify system configuration to meet security recommendations.
Hardening a system to meet benchmark standards is only the first step. You should conduct periodic follow-up assessments to ensure that the system is still aligned with the hardening baseline. Any configuration or file changes could make it vulnerable to attack.
In order to maintain a hardened state, you should constantly re-evaluate and remediate any change to the system that violates the security benchmark.
8-Step System Hardening Checklist
System hardening differs between computing systems, and there may be different hardening procedures for each component of the same system (for example, for a BIOS, operating system and a database running on the same machine). However, there are general hardening tasks applicable to most computing systems. Here is a list of the most important tasks:
- Manage access—ensure the system is physically secured, and staff are informed about security procedures. Set up custom roles and strong passwords. Delete unnecessary operating system users, and avoid the use of root or “super admin” accounts with excessive privileges. Limit membership of admin groups. Grant elevated privileges on an as-needed basis.
- Control network traffic—install hardened systems behind a firewall, or if possible, isolated from public networks. Require VPN or reverse proxy to connect. Encrypt communications. Set firewall rules to restrict access to known IP ranges.
- Patch vulnerabilities—keep operating systems, browsers and any other applications up to date and apply all security patches. Keep track of security advisories from vendors and latest CVEs.
- Remove unnecessary software—uninstall any unnecessary software, remove redundant operating system components, disable unneeded services, and turn off any component or application feature that is not required and could expand the threat surface.
- Ongoing monitoring—regularly review logs for anomalous activity, with a special focus on authentications, user access, and privilege escalation. Mirror logs to a separate location to protect log integrity and avoid tampering. Perform regular vulnerability and malware scans, and if possible, conduct an external audit or penetration test.
- Secure communications—encrypt data transfer using strong ciphers. Close all but essential network ports, and disable insecure protocols like SMBv1, Telnet, and HTTP.
- Regular backups—hardened systems are by definition sensitive resources, and must be regularly backed up using the 3-2-1 rule (three copies of the backup, on two types of media, with one copy stored off site).
- Harden remote sessions—if you must allow SSH, ensure it uses a secure password or certificate, do not use the default port, and disable elevated privileges for SSH access. Monitor SSH logs to identify anomalous use or privilege escalation.
Related content: Read our blog post about OS security
Challenges of System Hardening
System hardening is complex and labor intensive. Frustratingly, it is often not enough to prevent hackers from accessing sensitive company resources. The majority of malware comes from users clicking on emails, downloading files, and visiting websites that, unbeknownst to them, load viruses onto their systems. Once inside the operating system, attackers can easily gain access to privileged information.
To help combat this, some enterprises lock down users’ devices so they can’t access the internet, install software, print documents remotely, and more. However, this makes employees, and thus the business, much less productive. It’s also incredibly frustrating to people just trying to do their jobs. As a result, users sometimes try to bypass those restrictions without understanding the implications.
IT teams trying to harden the endpoint OS, therefore, continually struggle between security and productivity requirements, especially in 2021 when so much of the workforce is working remotely.
Want to learn more about system hardening and isolating endpoint risk when users are out of the office?? Watch our webinar How to isolate risky or untrusted activities on user endpoints.
OS Isolation: One-Step System Hardening without Hurting Productivity
OS isolation technology gives you the benefits of an extremely hardened endpoint without interrupting user productivity. It works by splitting each end-user device into multiple local virtual machines, each with its own operating system. Everything an end-user does happens in prescribed operating systems, which run side-by-side with complete separation.
To enhance system hardening and productivity, you may run two zones: One is dedicated for privileged use and is extremely hardened. It’s fully locked down and limited to accessing sensitive data and systems. The other is reserved for general corporate work and has more relaxed security restrictions. It’s open to the internet, used for email, chat applications, and non-privileged information.
Any cyber criminals that infiltrate the corporate zone are contained within that operating system. They cannot reach the privileged zone or even see that it exists. You can also configure that corporate zone to be non-persistent so that it’s wiped clean at specified intervals for added protection.
This approach has two main advantages:
Reduces the burden of hardening end-user devices, because it can provide full system hardening benefits even on an unsecured device.
- Identical user experience to a non-hardened device, providing users all the software and system functionality they are used to, while providing all the security benefits of hardening.
Hysolate provides a full OS isolation solution, so Security and IT can “harden” an OS on a employee or contractor’s untrusted device. With Hysolate Workspace, users are empowered to do all of the below (and more) in the less restricted corporate zone, without putting the privileged access OS at risk:
- Full web browsing to any website
- Use any browser and any browser extension
- Use any third-party app needed for productivity, such as Zoom/Webex/Google Drive/Dropbox, etc.
- Access potentially risky email attachments and links
- Use external USB devices and print from remote locations
- Provide local admin rights that are useful for developers and power users, and enable them to install software on that corporate OS.
Looking for a free solution for System Hardening? Try Hysolate Free, a sandbox on steroids for Windows 10 and Windows 11.
Written in March 2020, updated for accuracy in September 2021.