OS Hardening – the extra bit needed
What is OS Hardening
OS hardening (short for operating system hardening) refers to adding extra security measures to an operating system, and removing functionality it does not need, in order to reduce its attack surface and its exposure to cyberattack.
Mainstream modern operating systems ship with a reasonable security posture, but a default install is tuned for general usability and compatibility rather than for one specific workload: it typically enables services, permissions and network listeners that a given system does not need. On most systems you can enable extra security features and tighten the default configuration so that the machine exposes far less to an attacker than a default install alone.
OS Hardening Considerations
In our experience the majority of deployed operating system versions are outdated, and proper patch management is critical to protecting client data and uptime. Hardening customers’ operating systems along the lines below gives clients peace of mind, safeguards their sensitive information and differentiates your security services from the competition.
Different operating systems have their own intricacies, but the hardening practices below apply universally. The list is not all-inclusive, and you should implement additional system hardening practices where they apply. To minimise clients’ risk of suffering a successful cyber-attack, however, treat the following as the minimum:
1. Programs clean-up – Remove unnecessary programs. Every installed program is additional attack surface: another network listener, file parser or privileged binary that an attacker can probe. Cleaning these out limits the number of ways in. If a program is not something the company has vetted and locked down, it should not be on the system. Attackers look for forgotten services, backdoors and unpatched components when attempting to compromise a network; minimise their chances of finding one.
2. Use of service packs – Keep up to date and run the latest supported versions. It is that simple. No single measure ensures protection, especially against zero-day attacks, but this is an easy rule to follow, and a version that has left support will never receive a fix at all.
3. Patches and patch management – Planning, testing, deploying and auditing patches should be part of a regular security regimen. Make sure the OS is patched regularly, and so are the individual programs on the client’s computer: third-party applications are updated on their own schedules and are easy to overlook.
4. Group policies – Define what each group of users can and cannot access, and maintain these rules. Sometimes it is simply user error that leads to a successful cyber attack. Establish or update user policies and ensure all users are aware of and comply with them. For example, everyone should use strong, unique passwords, protect their credentials, and change them promptly when compromise is suspected; current guidance (for example NIST SP 800-63B) no longer recommends forced periodic rotation, which tends to produce predictable passwords.
5. Security templates – Groups of policy settings that can be loaded in one procedure; they are commonly used in corporate environments. Published baselines such as the CIS Benchmarks, the DISA STIGs and Microsoft’s security baselines for Windows fill this role, and audit tooling exists for each so a system can be checked against the template it was built from.
6. Configuration baselines – A baseline is the documented, approved configuration of a system (installed packages, enabled services, permissions, settings) against which its running state is measured. Establish a baseline for each class of system, record it, and re-measure on a schedule that satisfies both your own standard for maintaining security and your clients’ needs. Any drift from the baseline is either an unapproved change to revert or a deliberate change to review and fold back into the baseline.
7. Firewall Configuration – Your operating system may or may not have a host firewall enabled by default, and even when it does, the rules may be looser than they need to be. OS hardening should therefore include reviewing the firewall configuration and tightening it so that inbound traffic is accepted only on the ports, and from the source addresses, that the workload strictly requires, with everything else dropped by default. Any non-essential open port is unnecessary attack surface.
8. Access Control – Windows, Linux and macOS all provide user, group and account management features that can be used to restrict access to files, networking and other resources, but these features are often not as strict as they could be by default. Review them to make sure that access to a given resource is granted only to users who truly need it. For example, if you have a Linux server where every user account can read other users’ home directories (many distributions historically created them world-readable), and this access is not actually required for the use case the server supports, change the directory permissions to close off the unnecessary access.
9. Anti-virus – Depending on the type of system you are hardening and the workloads running on it, you may want to install and configure anti-virus software to detect and remediate malware. For example, if you are hardening a Windows workstation where users will be opening email messages, having anti-virus software in place provides useful extra security in case a user opens a malicious attachment. Keep its engine and signatures updated, and weigh the benefit on locked-down servers with no interactive users, where it adds less and itself runs with high privilege.
10. Hardening Frameworks – Some operating systems provide frameworks designed specifically to add extra access control to the system and the applications it hosts. AppArmor and SELinux are examples on Linux: both are mandatory access control systems that confine what a process may read, write or connect to, regardless of the user it runs as, so an exploited service can do far less damage. In general, enabling these tools, and keeping them in enforcing rather than permissive mode, is a good system hardening practice.
11. Data and Workload Isolation – For OS hardening, isolate data and workloads from one another as much as possible. Isolation can be achieved by hosting different databases or applications in different virtual machines or containers, and by restricting network access between workloads to the connections they actually need. That way, if an attacker gains control of one workload, they cannot automatically reach the others.
12. Software Updates – Determine whether the operating system you are hardening will install security updates automatically, and change that setting as needed. In most cases automatic updates are a good idea because they keep the system ahead of security threats as they emerge. In certain situations, such as a host running a service that cannot tolerate an unplanned restart, you may instead want to require administrators to approve changes manually to minimise the risk of an update disrupting a critical service. A common middle ground is to apply security updates automatically and schedule any required reboot in a maintenance window.
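As an added example (not code from the original article), the following POSIX shell script turns items 1, 7 and 8 into concrete checks: it lists TCP services listening on non-loopback addresses, parsed from `ss -Hltnp` output (a constructed sample is embedded so the script runs offline), and it finds and locks down home directories that other users can read. The process names in the sample and the directory layout in the demo are assumptions for the illustration.

```shell
#!/bin/sh
# Added example for items 1, 7 and 8 above; not part of the original article.
# Constructed sample of `ss -Hltnp` output (no header line). Real use:
#   ss -Hltnp | exposed_listeners
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1044,fd=21))
LISTEN 0 511 *:80 *:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=655,fd=7))
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=540,fd=4))'

# Print "process port" for every TCP listener reachable from the network,
# i.e. not bound to 127.0.0.0/8 or ::1. Field 4 is the local address; the
# owning process name sits inside users:(("name",pid=...)).
exposed_listeners() {
    awk '
        $4 ~ /^(127\.|\[::1\])/ { next }            # loopback only: not exposed
        {
            n = split($4, a, ":"); port = a[n]
            proc = "?"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print proc, port
        }'
}

# Home directories under $1 (normally /home) that users other than the owner
# can read, write or traverse: any group/other permission bit set (GNU find).
readable_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077
}

# Close them off: owner-only access, as item 8 recommends.
lock_down_home_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod 0700 {} +
}

# Demo on the constructed sample; prints: sshd 22 / nginx 80 / rpcbind 111
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Run `ss -Hltnp | exposed_listeners` as root on the real host (the process column is only complete with privileges) and treat every line as a question: is this service needed at all, and if so, should it be bound to one interface rather than 0.0.0.0? `readable_home_dirs /home` is the quick check before `lock_down_home_dirs /home`; where something legitimately serves files out of home directories, 0700 will break it, so review the list before applying.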
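Item 7 in concrete form, as an added example rather than the article’s own configuration: a shell function that writes a default-deny nftables ruleset for a Linux host that needs SSH only from a management network and HTTPS from anywhere, plus a loader that syntax-checks the file before applying it. The management network, the two allowed services and the file path are assumptions for the illustration; adjust them to the workload.

```shell
#!/bin/sh
# Added example for item 7; not the original article's configuration.
# write_nft_ruleset FILE MGMT_NET  - write a default-deny inet ruleset to FILE
# apply_nft_ruleset FILE           - syntax-check, then load it atomically

write_nft_ruleset() {
    out="$1"
    mgmt_net="$2"          # e.g. 10.0.0.0/8: the only source allowed to reach SSH
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Allow-list: SSH only from the management network, HTTPS from anywhere.
        ip saddr $mgmt_net tcp dport 22 accept
        tcp dport 443 accept

        # Log (rate-limited) what is dropped so the allow-list can be tuned from real traffic.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound allowed here; restrict to known destinations on servers
        # that should never initiate connections themselves.
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Refuse to load a ruleset that fails `nft -c`; a typo must not leave the host
# with no rules. nft -f applies the file as one atomic transaction.
apply_nft_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    nft -c -f "$1" && nft -f "$1"
}

# Demo: write the ruleset to a temporary file and show the accept rules.
demo=$(mktemp)
write_nft_ruleset "$demo" 10.0.0.0/8
grep -n 'accept$' "$demo"
rm -f "$demo"
```

On a real host, write to `/etc/nftables.conf`, run `apply_nft_ruleset /etc/nftables.conf` from a console session or with a scheduled fallback in case the SSH allow rule is wrong, and enable the `nftables` service so the ruleset survives a reboot. The dropped-packet log is the feedback loop: anything legitimate that shows up there is a rule to add, and everything else is traffic the default-deny policy is meant to stop.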