
Wayne McKinnon's
Security Resource Center
System Hardening - Frequently Asked Questions (FAQ)
What is System Hardening?
System hardening is a step by step process of securely
configuring a system to protect it against unauthorized access, while also
taking steps to make the system more reliable. Generally anything that is
done in the name of system hardening ensures the system is both secure and
reliable.
System hardening is necessary since "out of the
box", some operating systems tend to be designed and installed
primarily to be easy to use rather than secure. Most but not all systems can
have security measures enabled that will make them suitable for high
security, high reliability environments.
I'm an executive, why should I care?
- If you are in the United States, you now have a mandate to care. As part
of the United States homeland security initiative, President Bush has
challenged all business leaders to do their part to protect their business
sectors.
- If you are in another country, it is possible that your business partners
may not want to do business with you unless you can provide assurances that
you have a system hardening process in place;
- your support may be necessary so that your technologists can do their job;
- your organization may hold you personally accountable if proper steps were
not taken;
- your investors may require full disclosure of results from a security
audit, and so might your insurance company.
- Without an understanding of the issues it will be difficult for you to
make the proper investment decisions.
Why should I harden my system?
There are many reasons why taking the steps
to harden your system is worth it.
- You can have more confidence in the
integrity of your data;
- performance improvements can be
experienced since unnecessary services are removed, and inefficiencies
in system configuration are detected;
- if there is a system failure, you can recover faster;
- The company's reputation is protected;
- Clients are happier as a result of fewer system failures or delays;
- To prevent lawsuits. Your organization may have a legal liability to
secure the private information of your employees, customers or research
subjects.
What are the chances that something bad would happen if I didn't harden my system?
- Hackers move quickly. Most unprotected systems are compromised within
72 hours from the time they are installed, according to results from the
Honeynet Project;
- Your system might be hijacked without your knowledge, and then used to
attack another system, or spread viruses, or distribute illegal content
such as pornography or software;
- Your company's proprietary information could be stolen;
- Money could be wasted paying employees to sit around, unable to do
their work while the system is down.
What are the main steps to take when hardening a system?
Step 1. Ensure that the hardware is robust
- Is it new enough to be considered reliable?
- Identify the weak links and strengthen them (redundant disks, server
clustering etc.)
- Ensure the environment is computer friendly (climate, location etc.)
- Provide physical security to eliminate tampering or theft
Step 2. Select and install a solid operating system
- New operating systems have not been massively probed by hackers. Mature
operating systems are a known quantity. While the risks are known, so are
the fixes.
- Features that are important include the ability to support fault tolerant
measures such as uninterruptible power supply support (UPS), RAID disk
arrays, logging, and access control measures including log on
authentication and file protection.
- Strip down the OS to support only essential services
- Disable unnecessary protocols and subsystems
- Remove, disable, or rename known “target” accounts
- Require strong local and remote authentication for access
- Strictly manage users and groups to control inappropriately powerful
rights and memberships (Least Privilege)
- Enable auditing to track important events
- Install a 3rd party firewall and monitor the logs
- Apply all relevant hot-fixes, patches and service packs
Step 3. Install and configure the file system
- Configure Access Control Lists (ACL) to eliminate inappropriately powerful
rights and permissions (Least Privilege);
- Enable auditing to track important events;
- Begin by fully locking down all directories and then providing controlled
access to user groups;
- Access to specific users should only be made on an exception basis.
Step 4. Configure applications/services
- Install only essential applications and services;
- Install only tested and approved software;
- Remove or disable any unneeded applications and services that are
installed by default – remove the files where possible;
- Set access control within applications/services where applicable;
- Apply all relevant hot-fixes, patches and service packs;
- Remove any sample data (scripts, sample web pages, etc).
Step 5. Configure server side applets/scripts
- Install only essential applications, applets and scripts;
- Install only tested and approved software;
- Verify that applets and scripts perform only their intended function;
- Apply all relevant hot-fixes, patches and service packs.
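Several of the checks in Steps 2 to 4 can be automated once the baseline is written down. The following is an added example, not part of the original FAQ: it compares a constructed host snapshot against a baseline and reports non-essential services, enabled "target" accounts, write access for catch-all groups, and per-user grants that are not approved exceptions. The service names, account names, paths and snapshot format are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    path: str
    principal: str          # user or group name
    is_group: bool
    rights: frozenset       # e.g. frozenset({"read", "write"})

# Hypothetical baseline; every value here is constructed for illustration.
BASELINE = {
    "essential_services": {"sshd", "httpd", "syslog"},
    "target_accounts": {"administrator", "guest"},
    "open_groups": {"everyone"},                     # groups containing all users
    "user_exceptions": {("/srv/payroll", "alice")},  # approved per-user grants
}

def audit(snapshot, baseline=BASELINE):
    """Return sorted (category, finding) tuples for each deviation."""
    findings = []
    # Steps 2 and 4: only essential services should be enabled.
    for svc in snapshot["services"]:
        if svc not in baseline["essential_services"]:
            findings.append(("service", f"non-essential service enabled: {svc}"))
    # Step 2: known target accounts should be removed, disabled or renamed.
    for name, enabled in snapshot["accounts"].items():
        if enabled and name.lower() in baseline["target_accounts"]:
            findings.append(("account", f"target account enabled: {name}"))
    # Step 3: no write access for catch-all groups; per-user grants by exception only.
    for e in snapshot["acls"]:
        if e.is_group and e.principal.lower() in baseline["open_groups"] and "write" in e.rights:
            findings.append(("acl", f"{e.path}: write for {e.principal}"))
        elif not e.is_group and (e.path, e.principal) not in baseline["user_exceptions"]:
            findings.append(("acl", f"{e.path}: unapproved grant to user {e.principal}"))
    return sorted(findings)

# Constructed snapshot of one host, as an inventory tool might export it.
SNAPSHOT = {
    "services": ["sshd", "telnetd", "httpd", "ftpd"],
    "accounts": {"Guest": True, "Administrator": False, "svc_web": True},
    "acls": [
        AclEntry("/srv/www", "Everyone", True, frozenset({"read", "write"})),
        AclEntry("/srv/www", "webadmins", True, frozenset({"read", "write"})),
        AclEntry("/srv/payroll", "alice", False, frozenset({"read"})),
        AclEntry("/srv/payroll", "bob", False, frozenset({"read"})),
    ],
}

if __name__ == "__main__":
    print(*(f"[{c}] {f}" for c, f in audit(SNAPSHOT)), sep="\n")
```

Running the same audit after each round of changes gives a repeatable record of what still deviates from the baseline.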
What else should I be concerned about?
System hardening is only part of a secure
computing environment.
- Usage policies are other important elements, but policy does not prevent
anything from happening, it only provides a reference against which
decisions can be made.
- Standard procedures provide the actual steps that are to be followed in
support of policy.
- On the technical side, the network is the weak link that can expose a
secure system to additional risks. Good network design and firewall
architecture can reduce the vulnerabilities.
Reprints,
links or forwarding these articles is encouraged providing that the
following credit line is used: © Copyright 2002, Wayne McKinnon,
ITcoach.com. For more information contact us at ITcoach.com, Suite
531, 900 Greenbank rd., Ottawa, Ontario, Canada K2J 4P6, (613)
860-1384, 1-888-712-6224, FAX (613) 825-4895, info@ITcoach.com
A copy of the publication in which the article appears would be appreciated.
Copyright 2002 by ITcoach.com. All
rights reserved.