System Hardening (Security Hardening)
The goal of system hardening (or security hardening) is to reduce the attack surface: lowering security risk by removing potential attack vectors. By removing superfluous programs, accounts, functions, applications, ports, permissions and access, the reduced attack surface leaves the underlying system less vulnerable, making it harder for attackers or malware to gain a foothold within your IT ecosystem.
A system in the corporate network that runs an unnecessary service or exposes an open port, uses weak credentials, lacks security patches, or offers any other low-hanging fruit from an attacker's perspective is an open invitation to a data breach. Therefore, when it comes to protecting against cyber attacks and breaches, security hardening is the first and foremost step an organisation must take seriously.
System hardening is one of the fundamental steps of good security architecture. It is one of the cheapest security initiatives and offers one of the best returns on investment, because its benefits last for the long run.
In this article, we'll discuss the basics of system hardening, a few hardening examples, industry-recommended standards, benchmarks and frameworks for system hardening, and briefly why you should maintain internal hardening baselines so that you avoid a large number of findings during penetration testing.
What is hardening?
System hardening is a collection of tools, techniques and best practices to reduce vulnerability in applications, systems, infrastructure, firmware and other areas. Its goal is to reduce security risk by eliminating potential attack vectors. By removing superfluous programs, accounts, functions, applications, ports, permissions and access, attackers and malware have fewer opportunities to gain a foothold within your IT ecosystem. Hardening activities include application hardening, server hardening, database hardening and network hardening. Systems hardening is also required by compliance mandates such as PCI DSS and ISO 27001, and by sector-specific regulations such as HIPAA in healthcare. These are the areas typically assessed during secure configuration build reviews.
System hardening process
It requires critical analysis and a methodical approach to audit, identify and control potential system vulnerabilities and misconfigurations. Digital infrastructure hardening is divided into several categories, which include, but are not limited to:
- Application hardening
- Operating system hardening (OS hardening)
- Server hardening
- Database hardening
- Network hardening
Purpose of system hardening
Security hardening aims to reduce the attack surface: all the points at which an attacker can attack, compromise and/or damage a server. It includes every network interface, open port and piece of software installed on the operating system. Removing applications and software that are not needed, configuring the remaining applications as securely as possible, closing unnecessary open ports and applying operating-system-level security patches reduces the attack surface considerably.
What is Server Security Hardening?
Server Security Hardening is a process and a set of techniques and steps taken to improve the security posture of an organisation's servers. Server hardening becomes a requirement when organisations wish to become ISO and PCI-DSS compliant. Sometimes it's done at the OS level, known as OS hardening, or as part of the wider configuration management process.
We have 100+ tips on how to secure a server along with server security best practices. Read it here.
Server hardening involves the steps taken to make sure that:
- Administrative access controls and permissions are set up and implemented
- The location of the data centres where the servers are present is properly secured
- Server shutdown is prevented without administrative login
Server hardening becomes easier once you understand the security vulnerabilities and their associated risks. The default configuration of an operating system is not designed with security in mind: a server deployed in its default state favours user-friendliness, usability and functionality and lacks basic security defences. That makes it imperative to harden the server so that it can enforce user controls and defend against APTs and other attacks on the organisation.
Benefits of System Hardening
OS hardening or server hardening has clear benefits, some of which are:
Running less software and hardware means there is less to patch, update and clean up after a malware incident, which saves money over time. Less bloatware also frees memory and storage, reducing the need to buy more.
Enhanced Performance and System Functionality
Fewer programs and applications mean fewer chances of operational issues, misconfigurations and compromise.
Hardening reduces the attack surface and the blast radius of a compromise, improving security and minimising the probability of an attack, breach, unauthorised access and/or data leakage.
Having less hardware and software leads to a simpler infrastructure, which makes auditing relatively easier.
Eliminates Access Points
Having fewer programs, applications, and servers reduces the number of access points or assets an attacker can access.
What are Hardening Guidelines?
System hardening can be an extensive process, and important items can be missed while hardening systems and servers. It is therefore recommended to follow hardening guidelines and industry-recommended best practices and frameworks when hardening your environment.
What is a Security Hardening Standard?
A hardening standard is a checklist that helps set up a baseline configuration for each system. Compliance standards such as ISO 27001 and PCI DSS require that every new system introduced into the digital environment abide by the organisation's hardening standard.
Many system hardening standards, guidelines, benchmarks and checklists are available online to walk you through hardening your digital assets and improving your organisation's security posture.
- Center for Internet Security (CIS) Benchmarks: The Center for Internet Security (CIS) publishes benchmarks for a wide range of operating systems and applications. CIS Benchmarks are a popular starting point, ranging from basic hardening guidance suitable for an internal environment to stricter enterprise-level profiles, and they cover individual products as well as operating systems.
- National Institute of Standards and Technology (NIST): NIST Special Publication 800-123, Guide to General Server Security, is another standard used to assist organisations in hardening their servers.
- National Cyber Security Centre (NCSC): The UK National Cyber Security Centre's End User Device (EUD) Security guidance helps organisations secure their end-user devices (EUDs).
- European Union Agency for Network and Information Security (ENISA): The European Union Agency for Network and Information Security’s (ENISA) Technical Guidelines for the Implementation of Minimum Security Measures for Digital Service Providers is another industry-recommended standard to assist organisations in hardening their digital infrastructure.
- Microsoft Windows Hardening Guideline: Microsoft maintains its own documentation for hardening Windows operating systems and Windows Server that can be used as a baseline guide. These guidelines focus on the operating system and do not necessarily cover other layers such as applications or networks.
Why are system hardening standards important?
Hardening is a critical phase in improving the overall security posture of an organisation. Hardening standards provide baseline configurations and checklists that an organisation can follow to harden its systems. A single deviation from these standards can be the foothold that leads to a wider organisational breach.
A recent example is the SolarWinds attack. Every hardening guideline requires strong, complex passwords for servers, user accounts and workstations, yet one of SolarWinds' file servers reportedly used the password 'solarwinds123', which is extremely weak and easily guessable.
Server Hardening Examples
Any hardening checklist or guideline that you follow may include requirements related, but not limited to:
- Physical Security
- Operating Systems
- Networks and Services
- System Auditing and Monitoring
- Access Controls
- Data Encryption (SSL/TLS, Data at rest)
- Patching and OS Updates
- System Backups
- Custom checks for credentials or other sensitive data stored in clear text in configuration files, scripts and other readable files on the system
The most basic hardening example is to change the default username and password for a service or an application. Server hardening can also include removing unnecessary services, closing unnecessary network ports, applying firewall rules to restrict traffic, setting idle session timeouts, enabling account lockout mechanisms, and so on.
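To make the checklist idea concrete, here is an added example (not code from the original article) of a small configuration build review in Python: it parses an OpenSSH sshd_config, compares the global section against a hardening baseline that covers root login, password authentication, authentication attempts and an idle-session timeout, and writes out a corrected file. The sample config and the baseline values (a 300-second idle timeout, at most four authentication attempts, and so on) are assumptions chosen for illustration, not values quoted from a CIS or NIST benchmark; check the benchmark that applies to you.

```python
"""Added example: a minimal sshd_config build review against a hardening baseline.
The baseline values below are illustrative assumptions, not a quoted benchmark."""
import re

# Baseline: canonical option name -> (predicate on the lower-cased value, value to
# write when the option is missing or non-compliant).  sshd reads option names
# case-insensitively, so all comparisons are done on lower-cased keys.
RULES = {
    "PermitRootLogin":        (lambda v: v == "no", "no"),
    "PasswordAuthentication": (lambda v: v == "no", "no"),   # key-based logins only
    "PermitEmptyPasswords":   (lambda v: v == "no", "no"),
    "X11Forwarding":          (lambda v: v == "no", "no"),
    "MaxAuthTries":           (lambda v: v.isdigit() and int(v) <= 4, "4"),
    # Idle-session timeout: the session is dropped after ClientAliveInterval
    # seconds times ClientAliveCountMax unanswered keepalives (assumed 300 s x 1).
    "ClientAliveInterval":    (lambda v: v.isdigit() and 1 <= int(v) <= 300, "300"),
    "ClientAliveCountMax":    (lambda v: v.isdigit() and 1 <= int(v) <= 3, "1"),
    "LogLevel":               (lambda v: v in {"info", "verbose"}, "VERBOSE"),
}
RULES_LOWER = {name.lower(): name for name in RULES}


def _key_value(raw):
    """Split one config line into (lower-cased key, value), ignoring comments.
    Blank and comment-only lines yield (None, None)."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None, None
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) == 2 else "")


def parse_sshd_config(text):
    """Return {key: value} for the global section only.

    sshd honours the *first* occurrence of an option, and everything after a
    'Match' line is conditional, so parsing stops there rather than misreport."""
    settings = {}
    for raw in text.splitlines():
        key, value = _key_value(raw)
        if key is None:
            continue
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(option, configured value or None, required value)] for every
    baseline option that is missing or set to a non-compliant value."""
    settings = parse_sshd_config(text)
    findings = []
    for name, (ok, fix) in RULES.items():
        value = settings.get(name.lower())
        if value is None or not ok(value.lower()):
            findings.append((name, value, fix))
    return findings


def hardened_config(text):
    """Rewrite the global section so every baseline option is explicitly set.
    Managed options are re-emitted (compliant values kept, others replaced)
    just before the first Match block, which sshd requires to stay last."""
    settings = parse_sshd_config(text)
    kept, in_match = [], False
    for raw in text.splitlines():
        key, _ = _key_value(raw)
        in_match = in_match or key == "match"
        if not in_match and key in RULES_LOWER:
            continue                      # re-emitted below with a compliant value
        kept.append(raw)
    managed = []
    for name, (ok, fix) in RULES.items():
        value = settings.get(name.lower())
        managed.append(f"{name} {value if value is not None and ok(value.lower()) else fix}")
    first_match = next((i for i, raw in enumerate(kept) if _key_value(raw)[0] == "match"), len(kept))
    return "\n".join(kept[:first_match] + managed + kept[first_match:]) + "\n"


# Constructed sample resembling a distribution default; not taken from a real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
ClientAliveInterval 0
LogLevel INFO
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftponly
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for option, current, required in audit(SAMPLE_CONFIG):
        print(f"{option}: configured={current!r} required={required}")
    print(hardened_config(SAMPLE_CONFIG))
```

Against the sample, the audit reports seven deviations (a commented-out option counts as a deviation, because the baseline wants every setting explicit rather than relying on the daemon's default), and the rewritten file passes the same audit with the `Match` block left intact. The same pattern extends to any key-value configuration file a benchmark covers.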
How can vulnerability scanning help server hardening?
Vulnerability scanning helps identify missing patches, security updates and misconfigurations that leave a server vulnerable and prone to attack. Unnecessary open ports are a common way into the network; a vulnerability scan tells you which ports are open so you can decide whether each one needs to be, and, if it does, apply proper security controls to prevent an attacker from using it to get into your network. If you are new to this process, here is a good guide to vulnerability scanning.
How is Server Hardening done?
Server hardening is a dynamic and variable process and requires a critical analysis of the digital assets and their risks to an organisation.
One of the best ways to start is to run a vulnerability scan of your servers, pick a system hardening guideline or checklist such as those published by CIS or NIST, and work through it, making the configuration changes that apply to your environment.
Although system hardening is an extensive process, parts of it can be automated. For example, automated vulnerability scanners can check whether new or updated applications introduce new security weaknesses, and patch management software can push security patches and updates to systems and servers automatically.
Below are some guidelines that may be taken as an example to start the system hardening practices:
Separating Server Roles
Hardening a server is easier when the server has one specific job. For example, a server hosting a web application must be reachable from the internet, but a database server need not be: it only needs to communicate with the application or web servers.
Vulnerability Management and Patching
Results from vulnerability scans tell you which security patches are missing. An automated system that regularly scans your network and servers for missing patches (and, where applicable, service packs) and then pushes the updates helps with the vulnerability and patch management portion of system hardening.
Implementing Strict Access Controls
Implementing the Principle of Least Privilege is the best approach when hardening your server's access controls, and it is a fundamental principle of security architecture. It states that a user should have only the minimum access or permissions needed to perform their job. The same principle applies to servers, which should be restricted to the tasks their role requires. For instance, file and print sharing over SMB ports may not be required in certain network segments, so it should be disabled or blocked as part of the hardening process.
Networks and Firewalls
Ensure only the ports required by applications are open and no unnecessary ports are left open. Apply correct firewall rules to restrict network communication with the internet. Encrypt all data in transit.
Securing Remote Access
One of the most commonly attacked protocols on the network is the Remote Desktop Protocol (RDP). RDP access to corporate servers should only be allowed via a VPN, and source IP addresses should be allow-listed so that connections are accepted from specific addresses only.
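The three points above (single-purpose servers, only the ports a role needs, RDP reachable only through the VPN) can be written down as a policy and checked automatically. The Python below is an added example, not code from the original article: it defines a role-to-port-to-zone policy over constructed network zones and an invented three-host inventory, then flags every firewall allow-rule that exposes a port to a source zone the role does not permit. Zone ranges, roles, hostnames and rules are all assumptions chosen for illustration.

```python
"""Added example: role-based network exposure check for firewall allow-rules.
Zones, roles and the host inventory are constructed for illustration."""
import ipaddress

# Named network zones (constructed).  A source that does not fall entirely
# inside a zone, including 0.0.0.0/0, is treated as 'internet'.
ZONES = {
    "web_tier": ipaddress.ip_network("10.10.0.0/24"),
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),
    "db_tier":  ipaddress.ip_network("10.30.0.0/24"),
    "mgmt_vpn": ipaddress.ip_network("10.50.0.0/24"),
}

# Policy: role -> {port: zones allowed to reach it}.  Ports not listed are
# forbidden for that role, so a single-purpose server only exposes what its
# job needs; SSH (22) and RDP (3389) are reachable from the VPN zone only.
POLICY = {
    "web":          {443: {"internet"}, 22: {"mgmt_vpn"}},
    "app":          {8080: {"web_tier"}, 22: {"mgmt_vpn"}},
    "db":           {5432: {"app_tier"}, 22: {"mgmt_vpn"}},
    "windows_file": {445: {"app_tier"}, 3389: {"mgmt_vpn"}},
}


def classify_source(cidr):
    """Return the zone a source CIDR lies entirely within, else 'internet'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "internet"


def check_host(host):
    """Return [(host, port, source, reason)] for each allow-rule that violates
    the policy for the host's role."""
    role_policy = POLICY[host["role"]]
    findings = []
    for port, source in host["allow_rules"]:
        allowed = role_policy.get(port)
        zone = classify_source(source)
        if allowed is None:
            findings.append((host["name"], port, source,
                             "port not in role policy: close it or remove the service"))
        elif zone not in allowed:
            findings.append((host["name"], port, source,
                             f"source zone '{zone}' not permitted, allowed: {sorted(allowed)}"))
    return findings


def audit(hosts):
    """Run check_host over the whole inventory."""
    return [f for host in hosts for f in check_host(host)]


# Constructed inventory: each host's role and the (port, source CIDR) allow-rules
# currently in effect on its firewall.
HOSTS = [
    {"name": "web01", "role": "web",
     "allow_rules": [(443, "0.0.0.0/0"), (22, "10.50.0.0/24")]},
    {"name": "db01", "role": "db",
     "allow_rules": [(5432, "0.0.0.0/0"), (5432, "10.20.0.0/24"), (22, "10.50.0.0/24")]},
    {"name": "fs01", "role": "windows_file",
     "allow_rules": [(3389, "0.0.0.0/0"), (445, "10.20.0.0/24"),
                     (445, "10.10.0.0/24"), (21, "10.20.0.0/24")]},
]

if __name__ == "__main__":
    for name, port, source, reason in audit(HOSTS):
        print(f"{name}: tcp/{port} from {source}: {reason}")
```

On the constructed inventory the web server is clean, the database server is flagged once for accepting connections to its database port from anywhere, and the file server is flagged three times: RDP open to the internet instead of the VPN, SMB reachable from a tier that has no business with it, and an FTP port that its role does not include at all. A source narrower than a zone (a single /32 inside the VPN range) is accepted; a source wider than every zone is treated as internet, which is the conservative default.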
Deploying End-Point Security
Endpoint security solutions such as antivirus, intrusion detection and prevention systems, and host-based firewalls should be deployed to further protect individual systems from malware and other attacks.
User Accounts and Passwords
As part of a system hardening policy, password policies should be implemented to require users to keep strong, complex and lengthy passwords. In addition, account lockout policies and idle session timeouts should be set.
Stale, unrequired and temporary user accounts should be disabled and deleted.
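As an added example (not part of the original article), the following Python performs the account review described above over constructed /etc/passwd and /etc/shadow style records and a lastlog-style table of last-login dates: it flags accounts with an empty password field, passwords older than a maximum age, and interactive accounts that have gone unused or were never used at all. The 90-day and 365-day thresholds and the fixed reference date are assumptions for illustration; substitute the values from your own policy.

```python
"""Added example: account hygiene review over constructed passwd/shadow records
and a last-login table.  Thresholds and the reference date are assumptions."""
from datetime import date

STALE_DAYS = 90           # no interactive login for this long -> disable (assumed)
MAX_PASSWORD_AGE = 365    # password older than this -> force a change (assumed)
TODAY = date(2024, 3, 1)  # fixed reference date so the output is reproducible
EPOCH = date(1970, 1, 1)  # shadow(5) stores dates as days since this
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")


def parse_colon_file(text, field_names):
    """Parse passwd/shadow style 'a:b:c' lines into {name: {field: value}}."""
    records = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            records[fields[0]] = dict(zip(field_names, fields))
    return records


def audit_accounts(passwd_text, shadow_text, last_login, today=TODAY):
    """Return [(account, reason)] for accounts a hardening baseline would act on:
    empty password fields, over-age passwords, and interactive accounts that are
    unused or have never been used.  last_login maps name -> days since epoch."""
    today_days = (today - EPOCH).days
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, acct in passwd.items():
        entry = shadow.get(name, {})
        pw_hash = entry.get("hash", "x")
        if pw_hash == "":
            findings.append((name, "empty password field: login possible without a password"))
        elif pw_hash.startswith("$") and entry.get("lastchg", "").isdigit():
            # Locked accounts ('!' or '*') have no usable password, so age is irrelevant.
            age = today_days - int(entry["lastchg"])
            if age > MAX_PASSWORD_AGE:
                findings.append((name, f"password last changed {age} days ago"))
        if acct["shell"] not in NOLOGIN_SHELLS:          # interactive account
            last = last_login.get(name)
            if last is None:
                findings.append((name, "interactive shell but never logged in: disable or remove"))
            elif today_days - last > STALE_DAYS:
                findings.append((name, f"no login for {today_days - last} days: disable"))
    return findings


# Constructed records; hashes are placeholders, not real password hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
tmp-contractor:x:1003:1003::/home/tmp:/bin/bash
svc-backup:x:1004:1004::/var/backup:/usr/sbin/nologin
legacy-ftp:x:1005:1005::/home/ftp:/bin/bash
"""
SHADOW = """\
root:$6$abc:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$def:19750:0:99999:7:::
bob:$6$ghi:19000:0:99999:7:::
tmp-contractor:$6$jkl:19650:0:99999:7:::
svc-backup:!:19000:0:99999:7:::
legacy-ftp::19000:0:99999:7:::
"""
# Constructed lastlog-style data: name -> day of last login (days since epoch).
# Accounts missing here have never logged in.
LAST_LOGIN = {"root": 19780, "alice": 19780, "bob": 19500, "tmp-contractor": 19740}

if __name__ == "__main__":
    for account, reason in audit_accounts(PASSWD, SHADOW, LAST_LOGIN):
        print(f"{account}: {reason}")
```

With the reference date fixed at 2024-03-01, the review flags `bob` twice (a password unchanged for over two years and no login for 283 days) and `legacy-ftp` twice (an empty password field, which lets anyone log in without a password, and an interactive shell that has never been used). Locked service accounts with a non-login shell produce nothing, which is the state the hardening checklist wants them in.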
Server hardening means hardening both the operating system a server runs and the applications it hosts. For example, default passwords for admin panels and application interfaces should be changed, and vulnerabilities within the applications should be fixed to minimise the probability of an attack.
Carry out penetration testing, vulnerability assessment, and configuration and build assessment regularly to audit your systems and servers for misconfigurations, vulnerabilities and missing security fixes. Conduct security audit assessments against
For code level hardening or software development security, please refer to our guide on PHP security:
System hardening is a dynamic and continuous process that should be implemented through a system hardening policy. Every organisation that wishes to comply with the ISO and PCI-DSS standards must undergo a system and server hardening process. Every new system introduced into the network should go through a system hardening checklist and be tested against security assessment frameworks such as NIST and CIS.
The underlying principle of system hardening is defence in depth: building defences in multiple layers to reduce the attack surface while ensuring that the usability and functionality of the systems are not negatively impacted.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.