Best Practices for System Hardening in 2022

Operating systems such as Windows have become more secure, but they are still vulnerable to attack, so organisations must take unusual care in securing their endpoints. Attackers target endpoints such as employee workstations, servers, and cloud VMs as their way into the corporate network.

System hardening will matter even more in 2022 as more sensitive devices move outside the office and employees and contractors reach critical business assets from unprotected or untrusted personal devices, or from corporate devices that mix personal and business use.

A Hardened System
A hardened system is one whose vulnerabilities have been removed or reduced so that it resists attack. Vulnerabilities take many forms, including flaws in implementation, configuration, design, and administration, and attackers exploit them to gain access to computers, networks, and other systems.

Hardening is the process of securing a system while still allowing it to do its job. It also covers risk management and change control, and a hardened build is easier to monitor because there is less on it to watch.

Reducing the attack surface makes systems more resistant to attack.
The term "attack surface" refers to all the points at which a threat actor can reach a system, network, or device. System hardening tools and techniques are designed to shrink the attack surface and mitigate the flaws that remain.

A system can be weak in many ways. Attackers can exploit unpatched software and firmware, and they can exploit default, hard-coded, or plaintext-stored passwords.

Unencrypted data at rest and network traffic, and missing or misconfigured access controls, are further examples of critical weaknesses. As these weaknesses are found and fixed during a hardening effort, the system's attack surface shrinks. It is never eliminated entirely, which is why hardening is an ongoing process rather than a one-off task.

System hardening is a win for everyone.
Enterprises reap real benefits from system hardening, even though it takes time and effort. The most significant are:
  • A smaller attack surface. With fewer points of entry there is less malware, unauthorised access, data breaches, and other unwanted activity.
  • Better functionality. Removing unnecessary programs and features means fewer operational problems, fewer incompatibilities, and fewer ways for an attack to disrupt what users need.
  • Simpler configuration and easier auditing. Fewer programs and user accounts and a more predictable configuration give a simpler, more visible environment that is easier to monitor and audit.
Protecting servers and operating systems from attack
Operating system hardening secures the OS of a workstation or server, and automating updates and patches makes it much easier. Unlike an application, the operating system also decides which permissions applications receive, so hardening it constrains everything that runs on top of it.

Hardening the operating system includes:
  • Installing the latest software updates.
  • Running a third-party EPP/EDR agent.
  • Replacing outdated drivers.
  • Encrypting the host disk with hardware-backed (TPM) keys and enabling secure boot.
  • Restricting user access to the system.
  • Using biometrics or FIDO authenticators instead of, or in addition to, passwords.
Server systems can also be hardened with AES encryption and self-encrypting disks, firmware resilience, and multi-factor authentication.

Guidelines for Application Hardening
Application hardening uses software-based controls to protect the standard or third-party software installed on a server or workstation. Web browsers, spreadsheet programs, and specialised applications all benefit.

Examples of application hardening in practice:
  • Allowing installation only from trusted software sources.
  • Automatic application patching.
  • Antivirus, firewall, and anti-spyware protection, often bundled in a single package.
  • Data encryption software.
  • LastPass and other password managers.
Guidelines for Network Hardening
Network hardening encrypts data as it travels between systems and servers and filters the traffic that reaches them. A network intrusion detection or prevention system (IDS/IPS), for example, helps protect a network.

Alongside an IDS or IPS, the following measures help reduce the network attack surface:
  • Configuring firewalls at the perimeter and between network segments.
  • Auditing network privileges and firewall rules.
  • Disabling unnecessary network protocols and ports.
  • Turning off unused network services and devices.
  • Encrypting network traffic.
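The port and protocol checks in the list above are easy to automate. The script below is an added example written for this article, not code from the original page: it parses the output of `ss -Hltn` on a Linux host, compares every listener against an allowlist, and flags legacy cleartext services (Telnet, FTP, plain HTTP) and SMB, which the article says to retire or review. The `ss` output is a constructed sample embedded in the script rather than a live read, and the allowlist and legacy-port table are assumptions for a typical hardened web server.

```python
"""Audit the listening TCP sockets on a Linux host against an allowlist.

Added example for this article (not code from the original page). It reads the
text that `ss -Hltn` prints (no header, listening, TCP, numeric) rather than
running it, so the input below is a constructed sample. The allowlist and the
table of legacy ports are assumptions for a typical hardened web server.
"""
import re

# Constructed sample of `ss -Hltn` output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

# Assumed allowlist for this host: port -> (service name, may listen beyond loopback)
ALLOWED_LISTENERS = {
    22: ("ssh", True),
    443: ("https", True),
    3306: ("mysql", False),  # the database must only answer on loopback
}

# Services the article says to retire; a listener here is a finding whatever the allowlist says
LEGACY_PORTS = {
    21: "ftp (cleartext)",
    23: "telnet (cleartext)",
    80: "http (cleartext)",
    445: "smb (confirm SMBv1 is disabled)",
}

# The local address column looks like 0.0.0.0:22, 127.0.0.1:3306, [::]:22 or *:22
_LOCAL_ADDR = re.compile(r"^(?P<addr>\[[^\]]*\]|[^:]*):(?P<port>\d+)$")


def parse_ss(output):
    """Yield (address, port) for every LISTEN row of `ss -Hltn` output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = _LOCAL_ADDR.match(fields[3])
        if m:
            yield m.group("addr").strip("[]"), int(m.group("port"))


def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def audit_listeners(output, allowed=ALLOWED_LISTENERS, legacy=LEGACY_PORTS):
    """Return (severity, message) findings; an empty list means the host matches the allowlist."""
    findings = []
    for addr, port in parse_ss(output):
        if port in legacy:
            findings.append(("HIGH", f"{addr}:{port} {legacy[port]}: disable the service"))
        elif port not in allowed:
            findings.append(("MEDIUM", f"{addr}:{port} is not in the allowlist: identify and remove it"))
        else:
            name, may_expose = allowed[port]
            if not may_expose and not is_loopback(addr):
                findings.append(("HIGH", f"{name} on {addr}:{port} must bind to loopback only"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"[{severity}] {message}")
```

On a real host, pipe `ss -Hltn` into the script (or call `subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout`) and run it from a scheduled job so that a new listener shows up as drift rather than being discovered by the next port scan from outside. A port number alone does not prove which protocol version is running, which is why the SMB entry asks for a follow-up check rather than asserting that SMBv1 is on.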
Guidelines for Database Security
Databases store and process an organisation's data, and the database management system (DBMS) is the layer that controls access to them.

Safeguards for a database include:
  • Restricting administrative privileges.
  • Applying role-based access control (RBAC) policies.
  • Keeping the database and the DBMS patched.
  • Disabling unneeded database features and functions.
  • Monitoring database account logins for suspicious behaviour.

Hardening standards can be used.
Before you can protect a system you must establish a baseline, and then monitor for departures from it.

Put simply, a benchmark is an established set of cyber-security best practices. Several organisations publish them, including the SANS Institute and NIST, and plenty of further hardening guidance is available online. Be aware, however, that the advice from these sources differs considerably.

Which Benchmark Is the Best?
Many organisations use the CIS Benchmarks as the starting point for their hardening efforts. Developed by a community of cyber-security experts, the CIS Benchmarks are a collection of best-practice configuration standards.

More than 100 benchmarks cover a wide spectrum of software, hardware, and services. Comprehensive and widely trusted, they are a sound basis for securing your systems.

Using a Benchmark to Harden Systems
First, check the target system's settings against the applicable CIS benchmark. This initial assessment identifies where the system is not yet hardened.

Many CIS benchmarks have automated assessment tools; manual assessment is slow, especially for complex systems. Use the findings to adjust the system's security settings.

Bringing a system into line with the benchmark is only the beginning. Check periodically that the hardening baseline is still met, because any change to the configuration or to files can reopen an exposure. Regularly reviewing and correcting deviations from the security baseline is essential to keeping a system secure.
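The baseline-then-recheck loop described above, as an added example rather than code from the page or from CIS: a handful of Linux kernel settings are recorded as the baseline after the first hardening pass, a later `sysctl -a` capture is compared against it, and the script reports which settings have drifted or disappeared and the commands that would restore them. The baseline values are the author's assumption of common CIS-style checks, and the "current" state is a constructed sample so that the script runs anywhere.

```python
"""Compare a host's current kernel settings with a recorded hardening baseline.

Added example for this article, not code from the page or from CIS. The
baseline values are the author's assumption of a handful of common CIS-style
Linux kernel checks; the "current" state is a constructed sample of `sysctl -a`
output rather than a live read.
"""
import json

# Assumed baseline, as recorded after the first hardening pass
BASELINE = {
    "kernel.randomize_va_space": "2",          # full ASLR
    "net.ipv4.ip_forward": "0",                # this host is not a router
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "fs.protected_symlinks": "1",
}

# Constructed sample of `sysctl -a` output captured some time after hardening:
# someone has turned on IP forwarding, and one baseline key is no longer reported
CURRENT_SYSCTL = """\
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 0
"""


def parse_sysctl(text):
    """Turn `key = value` lines into a dict, ignoring anything that is not a setting."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def snapshot_baseline(current, keys):
    """Record the baseline: the current values of the keys you have just hardened."""
    return {k: current[k] for k in keys if k in current}


def check_drift(baseline, current):
    """Report settings whose value differs from the baseline and settings that have vanished."""
    drifted, missing = {}, []
    for key, expected in baseline.items():
        if key not in current:
            missing.append(key)
        elif current[key] != expected:
            drifted[key] = {"expected": expected, "actual": current[key]}
    compliant = len(baseline) - len(drifted) - len(missing)
    return {"drifted": drifted, "missing": missing, "compliant": compliant, "total": len(baseline)}


def remediation_commands(report):
    """Commands that would restore the drifted settings; printed for review, not executed."""
    return [f"sysctl -w {key}={v['expected']}" for key, v in sorted(report["drifted"].items())]


def save_baseline(path, baseline):
    """Persist the baseline so every later run compares against the same reference."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    report = check_drift(BASELINE, parse_sysctl(CURRENT_SYSCTL))
    print(f"{report['compliant']}/{report['total']} baseline settings still in place")
    for cmd in remediation_commands(report):
        print("remediate:", cmd)
    for key in report["missing"]:
        print("missing:", key)
```

A missing key is reported separately from a changed value because it usually means something structural happened (a module unloaded, a kernel upgrade, a different host answering) rather than an administrator flipping a switch, and it deserves a different response. Keep the saved baseline itself under change control: if anyone can edit the reference, drift detection proves nothing.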

Steps to Hardening

Even on a single machine the hardening methods differ from one layer to the next (the BIOS, the operating system, and a database running on it each need their own treatment). Several tasks, however, are common to most hardening efforts. The most important are:
  • Make sure the system is physically secure and that staff know the security procedures. Create your own roles and accounts; avoid using the built-in "super admin" or root account for day-to-day work. Limit membership of the admin group and grant further privileges only as needed.
  • Where possible, place systems behind a firewall to shield them from the outside world, and reach them through a VPN or reverse proxy. Encrypt messages before sending them. Block known-malicious IP ranges with firewall rules.
  • Keep operating systems, browsers, and other software regularly updated. Watch for CVEs and vendor security advisories.
  • Deactivate or uninstall any components or applications that are not strictly necessary, since each one is a potential route to a breach.
  • Watch your logs for authentication, user access, and privilege escalation events, and store all logs in a separate location so that an intruder cannot tamper with them. Scan regularly for malware and vulnerabilities. Have an external audit or penetration test performed if at all possible.
  • Encrypt data in transit with strong ciphers. Retire insecure protocols such as SMBv1 and Telnet, and replace plain HTTP with HTTPS.
  • Back up hardened systems regularly, following the 3-2-1 rule (three copies of the data, on two types of media, with one copy stored off-site).
  • Require key or certificate authentication for SSH rather than passwords, do not permit root login over SSH, and consider moving sshd off the default port. A non-default port only cuts down on opportunistic scanner noise and does nothing against a targeted attacker, so it is no substitute for the other controls. Check the SSH logs for suspicious activity.
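The SSH points in the last step, as an added example that is not code from the original page: the script parses an sshd_config the way sshd reads it (first value for a keyword wins, settings inside a Match block are conditional and ignored here), checks root login, password authentication, public-key authentication and the listening port, and then scans auth.log lines for password brute-force bursts, logins that succeed after failures, and any direct root login. The config and log excerpts are constructed samples; for keywords absent from the config the script applies OpenSSH's documented defaults, assuming OpenSSH 7.0 or later, where PermitRootLogin defaults to prohibit-password.

```python
"""Audit an sshd_config for the SSH hardening points above and scan an auth
log for suspicious SSH activity.

Added example for this article; the config and log lines are constructed
samples. For keywords absent from the config the script applies OpenSSH's
documented defaults (assumed: OpenSSH 7.0 or later, where PermitRootLogin
defaults to prohibit-password).
"""
import re
from collections import Counter

# Constructed sshd_config. sshd uses the FIRST value it sees for a keyword, so
# the later "PasswordAuthentication no" below never takes effect.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

# Constructed auth.log excerpt: a password-guessing run from one address that
# finally succeeds as root, followed by one legitimate key-based login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:12:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:12:03 web1 sshd[2212]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  3 10:12:04 web1 sshd[2212]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  3 10:12:06 web1 sshd[2213]: Failed password for root from 203.0.113.45 port 51238 ssh2
Mar  3 10:12:07 web1 sshd[2213]: Failed password for root from 203.0.113.45 port 51238 ssh2
Mar  3 10:12:09 web1 sshd[2215]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Mar  3 10:13:41 web1 sshd[2220]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""

OPENSSH_DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

_KV_SPLIT = re.compile(r"\s*=\s*|\s+")  # sshd accepts "Key value" or "Key=value"


def parse_sshd_config(text):
    """Effective global settings (lowercased keyword -> first value seen), stopping
    at the first Match block because settings there apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _KV_SPLIT.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd(settings, defaults=OPENSSH_DEFAULTS):
    """Return a list of findings; an empty list means every check passed."""
    eff = {**defaults, **settings}
    findings = []
    if eff["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin is '{eff['permitrootlogin']}': set it to no")
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is yes: require keys or certificates")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-based login is impossible")
    if eff["port"] == "22":
        findings.append("sshd listens on the default port 22 (moving it only reduces scanner noise)")
    return findings


_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")


def scan_auth_log(lines, threshold=5):
    """Flag brute-force bursts, logins that follow failures, and any direct root login."""
    failures = Counter()
    alerts = []
    for line in lines:
        m = _FAILED.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = _ACCEPTED.search(line)
        if m:
            ip, user, method = m.group("ip"), m.group("user"), m.group("method")
            if failures[ip]:
                alerts.append(f"{ip}: {method} login as {user} succeeded after {failures[ip]} failures")
            if user == "root":
                alerts.append(f"{ip}: direct root login via {method}")
    for ip, count in failures.items():
        if count >= threshold:
            alerts.append(f"{ip}: {count} failed password attempts (possible brute force)")
    return alerts


if __name__ == "__main__":
    for finding in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("config:", finding)
    for alert in scan_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print("log:", alert)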

Practical Barriers to System Hardening
Hardening a system takes a long time, and it is not always possible to keep attackers away from critical company information. Users most often pick up malware by opening email attachments, downloading files, or simply browsing the web, and once inside the operating system an attacker has easy access to sensitive data.

To counter this, some organisations restrict internet access, software installation, remote printing, and more. The problem is that these restrictions lower productivity for employees and the business, frustrate people who are simply trying to do their jobs, and push some of them to look for workarounds.

IT teams trying to secure endpoint operating systems, with so many employees working from home, therefore have to balance security against productivity continually.


System Hardening: One-Step Isolation of the Operating System
OS isolation technology delivers a highly secure endpoint without sacrificing user productivity. Each end-user device runs more than one operating system, and the operating systems are independent of one another.

Two zones improve both hardening and productivity. One is privileged and extremely hardened, and only it can reach sensitive information and systems. The other is a standard corporate work environment without the same level of protection, used for email, chat, web access, and non-privileged data.

An attacker who gets into the corporate zone through the business network is contained there and cannot see the privileged zone at all. For extra safety the corporate zone can be wiped clean at regular intervals.

The main advantages of this strategy:

It reduces the burden of hardening end users' devices, because it can protect even unsecured devices.
Isolate provides total OS isolation, which makes it possible to "harden" an OS on untrusted hardware. Extreme Compute lets users do the following (among other things) in the less restricted corporate zone:
  • Use the browser extensions of their choice.
  • Use productivity tools such as Zoom and Webex.
  • Open email attachments and links, even ones that may be harmful.
  • Use USB devices and print remotely.
  • Install programs on the corporate OS using local admin access (for developers and power users).