System Hardening Guidelines for 2020: Critical Best Practices

By Oleg Zlotnik. March 19, 2020

Wouldn’t it be amazing if our laptops were as secure as Fort Knox, where it’s so hard for bad actors to reach the crown jewels that they don’t even try?

It’s a dream shared by cybersecurity professionals, business and government leaders, and just about everyone else – other than cybercriminals. But that’s all it is, and likely all it will ever be. While operating systems like Microsoft Windows have become more secure over time, they’re nowhere close to impenetrable. That’s why enterprises need to be hyper-vigilant about how they secure their employees’ devices. Those devices, as we all know, are the gateways to the corporate crown jewels. That also makes them the favorite target of cyber attackers.

Operating System Hardening 

With endpoint attacks becoming exceedingly frequent and sophisticated, more and more enterprises are following operating system hardening best practices, such as those from the Center for Internet Security (CIS), to reduce attack surfaces. The hardening checklist typically includes:

  • Automatically applying OS updates, service packs, and patches
  • Removing or disabling non-essential software, drivers, services, file sharing, and functionality, any of which can act as a back door into the system
  • Requiring all users to use strong passwords and change them on a regular basis
  • Logging all activity, errors, and warnings
  • Restricting unauthorized access and implementing privileged user controls

These are all very important steps. However, they’re not enough to prevent attackers from reaching sensitive company resources. The majority of malware arrives through users clicking on emails, downloading files, and visiting websites that, unbeknownst to them, load malicious code onto their systems. Once inside the operating system, attackers can easily gain access to privileged information.

To help combat this, some enterprises lock down users’ devices so they can’t access the internet, install software, print documents remotely, and more. However, this makes employees, and thus the business, much less productive. It’s also incredibly frustrating to people who are just trying to do their jobs. As a result, users sometimes try to bypass those restrictions without understanding the implications.

IT teams trying to harden the endpoint OS therefore struggle continually to balance security and productivity requirements. To avoid having to choose between them, IT shops are turning to OS isolation technology.

OS Isolation Improves System Hardening and Productivity 

OS isolation technology gives you the benefits of an extremely hardened endpoint without interrupting user productivity. It works by splitting each end-user device into multiple local virtual machines, each with its own operating system. Everything an end user does happens in one of these prescribed operating systems, which run side by side with complete separation.

To enhance both system hardening and productivity, you may run two zones. One is dedicated to privileged use and is extremely hardened: it’s fully locked down and limited to accessing sensitive data and systems. The other is reserved for general corporate work and has more relaxed security restrictions: it’s open to the internet and used for email and non-privileged information.

Any cybercriminals who infiltrate the corporate zone are contained within that operating system. They cannot reach the privileged zone or even see that it exists. For added protection, you can also configure the corporate zone to be non-persistent so that it’s wiped clean at specified intervals.

Hysolate pioneered OS isolation. Our isolation platform enables security teams to harden the privileged OS further, in ways they couldn’t before because doing so would have interrupted business too much.

With Hysolate, users are empowered to do all of the below (and more) in the less restricted corporate zone, without putting the privileged zone at risk:

  • Browse any website
  • Use any browser and any browser extension
  • Use any third-party app needed for productivity, such as Zoom, Webex, Google Drive, Dropbox, etc.
  • Open potentially risky email attachments and links
  • Use external USB devices and print from remote locations
  • Hold local admin rights, which are useful for developers and power users, and install software on that corporate OS

Want to future-proof your system hardening? Learn how Hysolate provides secure access, without restricting user experience. Start your free trial here.


About the Author

Oleg is a Software Engineer and Cyber Security veteran with over 15 years of experience. At Hysolate, Oleg led an engineering team for several years, after which he joined the CTO's office as an architect and has pioneered the next-gen products. Prior to Hysolate, Oleg worked at companies such as Google and Cellebrite, where he did both software engineering and security research. He began his career in the IDF's intelligence unit 8200 and holds a B.Sc. in Computer Science, Cum Laude, from the Technion.