System hardening means securing and configuring a system in such a way that it reduces its surface of vulnerability to a great extent. This is done largely by removing unnecessary software, hardening default credentials, disabling unnecessary services, and modifying other configuration parameters from default values so that the system works securely for a focused set of services.
Hardening is usually done by following industry standard configuration guidelines, such as from CIS (Centre for Internet Security) and/or vendor hardening guidelines. These need to be carefully modified to ensure that the functionality of the system is not impacted.
Security software such as antivirus, spyware blockers prevent malicious software from running on the machine. Even with these security measures in place, computers will be vulnerable to outside access. System hardening or OS minimizes these security vulnerabilities. Its purpose is to eliminate as many security risks as possible by removing all non-essential software programs and utilities from the computer. While these programs offer useful features to the user, they can also act as backdoors to the system; hence they must be removed during system hardening.
Advanced system hardening might involve reformatting the hard disk; installing the bare necessities only for required functioning. For example, file and print sharing might be turned off if not necessary. For authorized security access, various measures are typically taken.
Usually, guest account is disabled; administrator account is renamed and secure passwords are created for all user login. Auditing features are enabled to monitor unauthorized access attempts. These steps are done in tandem with other configuration hardening measures that security and system administrators do to boost system security.
The underlying principle for all security hardening measures is defence-in-depth, i.e. building security in multiple layers so that surface area of exposure is reduced and at the same time the primary functionality of the system is not negatively impacted.
Our teams have worked with numerous technology platforms across operating systems such as Windows, Sun Solaris, HP-UX, IBM AIX, Databases such as MS SQL Server, Oracle, Sybase, Web Servers, Mail Servers, Network Devices, as well as security devices such as Firewalls, IPS, WAF, etc. and are therefore, very well-versed with hardening standards and processes.
- CIS Security Benchmarks
- NSA Security Configuration Guides
- Microsoft Baseline Security Analyzer
- Database Hardening Guidelines - Berekeley Security