Most operating systems are not very secure out of the box and favor convenience and ease of use over security. IT security professionals may not agree with a vendor’s user-friendly approach to its OS, but that does not mean they have to accept it. There are steps that can be taken to harden a system and eliminate as many security risks as possible.
System Hardening Examples
The most basic hardening procedure is to change the vendor default user name and password. You would be surprised how many vendor default access codes can be found with a simple Google search!
System hardening can include removing unnecessary services, applying firewall rules, enforcing password complexity, setting failed login thresholds, and configuring system idle timeouts.
System hardening can also include installing an anti-virus program, forwarding logs to a centralized log management solution, and applying vendor-released system patches.
Basically, system hardening is a way to lock down the operating system before the system goes into production. Hardening guides not only detail the steps to follow to secure a system, but can also complement any system deployment guides. Along with the list of procedures to follow to improve system security, the hardening guides can reference vendor best practices and industry standard security requirements such as NIST or the PCI requirements, and explain how those standards can be met as part of the overall system hardening process.
Keys to System Hardening and Hardening Guides
- Review your inventory of network-connected systems and understand what you have and how it’s at risk before you try to fully implement any hardening procedures. This includes reviewing current deployment and operational processes, understanding the threats and vulnerabilities to the various deployed systems, and addressing any discovered security gaps.
- The hardening guides shouldn’t be interpreted as a one-size-fits-all solution. There may need to be separate guides for servers versus workstations, or for the different OSes being run in the environment. Specific hardening guides may need to be developed depending on the system’s function and criticality, along with its placement in the environment.
- Even if your company places importance on security and there is C-level buy-in for security, it can still be a balancing act to secure your systems and to do what is right for the business.
- The hardening guides are a baseline to secure your systems, and no matter how tightly the systems are locked down, they’re still going to be exploitable in some way. It is important to never let your guard down and not get into the mindset that everything is secure because of the procedures you have followed in the hardening guides.
- Hardening guides should be a “living document” and should be reviewed and updated whenever there are changes to your internal policies or procedures, or when there are changes to any followed external policies or standards.
- The guides should document not only how to deploy a secure system, but also how to maintain a secure system with continued vulnerability management and system patching.
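The settings listed under System Hardening Examples, and the point above about separate guides for servers and workstations, can be written as a baseline that is checked automatically. The following is an added example, not part of the original article. The setting names, limits, allowed services, the snapshot format, and the treatment of 0 as "disabled" are all assumptions made for illustration.

```python
# Added example. Setting names, limits and the snapshot are constructed for illustration.
BASELINES = {
    "server": {"password_min_length": ("min", 14), "failed_login_threshold": ("max", 5),
               "idle_timeout_seconds": ("max", 600), "services": {"ssh", "log-forwarder"}},
    "workstation": {"password_min_length": ("min", 12), "failed_login_threshold": ("max", 10),
                    "idle_timeout_seconds": ("max", 900),
                    "services": {"ssh", "log-forwarder", "printing"}},
}

def parse_snapshot(text):
    """Parse 'key=value' lines; comma-separated values become lists."""
    facts = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            facts[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return facts

def audit(facts, profile):
    """Return findings for one system's facts against one profile's baseline."""
    findings = []
    for key, rule in BASELINES[profile].items():
        if isinstance(rule, set):  # allow-list of services
            extra = sorted(set(facts.get(key, [])) - rule)
            findings += [f"service not in baseline: {s}" for s in extra]
            continue
        kind, limit = rule
        raw = facts.get(key, [])
        if not raw or not raw[0].isdigit():
            findings.append(f"{key}: not set")
            continue
        value = int(raw[0])
        # Assumption: 0 means "disabled" for thresholds and timeouts, so it fails a max rule.
        if not (value >= limit if kind == "min" else 0 < value <= limit):
            findings.append(f"{key}: {value} violates {kind} {limit}")
    for acct in facts.get("default_credential_accounts", []):
        findings.append(f"vendor default credentials still set: {acct}")
    return findings

SNAPSHOT = """\
password_min_length=8
failed_login_threshold=0
idle_timeout_seconds=600
services=ssh,telnet,printing
default_credential_accounts=admin
"""

if __name__ == "__main__":
    for profile in BASELINES:
        print(profile, audit(parse_snapshot(SNAPSHOT), profile))
```

The same snapshot produces different findings under each profile: the printing service is flagged on a server but accepted on a workstation.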
To review, system hardening is the process of enhancing security through an assortment of methods, which results in a more secure operating system environment. System hardening is another defense layer to protect resources and data.