In the following paragraphs we’ll discuss what hardening means, the benefits and disadvantages it brings, and where to begin in the process of securing an operating system. Let’s first understand what the hardening process is. The concept of hardening, in relation to computing, is when the system is made more secure through the use of restricting policies, enforcing configurations, and using tools to detect and reduce the system’s vulnerabilities. Hardening can be performed at any time but it is best practice to harden your operating system prior to deploying to production or connecting it to a network.
What are the Benefits of Operating System (OS) Hardening & Why is it Important?
Hardening the operating system improves security and reduces the system’s attack surface. When the system’s attack surface is smaller, the risk of exploitation, malware being injected, or an attacker gaining entry into an entity’s environment is smaller as well.
Well-architected systems can have design gaps and vulnerabilities. Default settings on out-of-the-box operating systems are made to cater to the largest customer base. Therefore, hardening includes researching and updating default settings to better fit the organization. Hardening is expansive and includes performing modifications to the system based on the risk of the system, the organization, the industry, etc.
What Should Be Done to Harden Your Operating System?
In order to reduce the system’s attack surface, a reasonable understanding of the system’s vulnerabilities should be understood. Similar to a control environment risk assessment for a SOC 2 report, a risk assessment for your operating system should be performed. Identify areas of your operating system with the most risk along with which operating system risks keep you up at night. Gaps should also be detected through vulnerability assessments and penetration testing to determine if there are risks unique to the environment.
Once the risks of your system are assessed, consider the extent of hardening that is appropriate for the organization. As a plan is developed to harden the system, rank the level of impact on business operations and day-to-day usage for each change being made. Organize the hardening changes into categories of low, medium, and high impact. The processes which have a low impact should be implemented, while the processes with a higher impact should be investigated thoroughly prior to making the changes.
The level of impact will be unique to each entity, however, here are examples:
- Low Impact: Enable encryption and set up a strong passphrase.
- Medium Impact: Implement two-factor authentication, install a password manager tool, and restrict removable media and USB devices.
- High Impact: Configure exploit protection and calibrate network activity.
Learn more about vulnerability and penetration testing from our related blogs:
- External Penetration Testing & SOC 2 Reports: How Are They Related?
- Types of Penetration Tests: A Look at Different Pentest Techniques & Tools
- Vulnerability Scanning: Importance of Vulnerability Scans in SOC 2 Audits
- Vulnerability Management Program: Insights From an Auditor
- Vulnerability Management Maturity Model, Procedures, Threats, & More
What are the Disadvantages of OS Hardening?
While securing a system is beneficial, it is also important to remember that no system is 100% secure. Hardening is intended to lower your risk, not remove it entirely. Understand the potential consequences before making changes. Some of these potential consequences could include:
- Lessening the convenience of using the operating system.
- Increased time to monitor and maintain the configurations, settings, and tools installed.
- Purchasing tools and allocating time toward hardening can be expensive.
- Existing systems may function differently after hardening.
What is the Difference Between OS Hardening & Patching?
Patching is a component within the concept of hardening. While patching is an important aspect, hardening includes additional security-related tasks such as the following:
- Limiting access.
- Disabling unnecessary default features.
- Enabling only the ports and services which are required.
What is a System Hardening Checklist?
While there isn’t a single checklist to apply to all environments, similar concepts can be used as a baseline when hardening your operating system. Below are three example topics of hardening.
Default Programs and Features
Less is more when it comes to default settings. There are legacy programs and features which come enabled on your operating system. Each program that is not used, but left enabled, is a potential entry point for inappropriate users and hackers. Consider eliminating anything that is not necessary to run your operating system. Default services may have known or unknown vulnerabilities, but by disabling them, the risk is mitigated for that service in particular.
In addition to lessening the risk of your system, turning off unnecessary programs and features lowers storage requirements and power consumption. If the relevancy of the feature is undetermined, consider turning it off until it is required. An example on Windows OS is the default feature of AutoPlay is enabled. However, this can be disabled to prevent [potentially malicious] files from automatically opening when a USB is plugged in.
While unnecessary programs and features are turned off during hardening, there are features to consider enabling in order to harden your operating system. Enabling audit policies can be helpful by logging activity and authentication attempts. The act of hardening is primarily enforcing preventative processes, but by enabling detective logging of user activity the system can be more secure with the ability to review historical trends and detect if brute force attacks are being attempted. However, the storage to retain logs and the responsibility of reviewing them should be evaluated.
Access and Authentication
The concept of “least privilege” isn’t just for administrators. Access should be restricted for administrators and non-administrative users by evaluating access to files and folders individually. When managing access, shared accounts create a blind spot for accountability and should not be used. Default passwords should be changed, especially those with the purpose of management or maintenance. Also, enabling the use of multi-factor authentication adds additional security.
Assess the relevance of default accounts. Unnecessary default accounts should be disabled. For example, the operating system may come standard with a guest account, which may not be necessary. If an account is required consider disabling interactive logins if the account is only needed to run services. During the investigation of access points, consider disabling unused ports as well.
Learn more about password issues and best practices from our related blogs:
Patching
By patching the operating system, it will remain up to date with the latest security features and bug fixes. Each environment is different, so evaluate if automated patching is appropriate. Regardless of whether patching is automated or manual, ensure it follows the patch management process established by the organization.
Summary
Hardening is a vast topic and should be tailored to the environment in which the operating system resides. Research and investigation into the hardening processes, along with their impact on the environment should be performed by appropriate individuals. Additionally, there are checklists available for common system configuration baselines for cybersecurity through companies such as the Center for Internet Security (CIS).
Linford & Company is an independent CPA firm that specializes in a variety of audit services, including SOC 1 and SOC 2 audits. If you have further questions please review our website and contact us to see how we can further assist you and your organization.
Check out our other related articles on security:
- What is Endpoint Security? Why is it Important?
- Enterprise Security — 5 Steps to Enhance Your Organization’s Security
- What is Containerization? Security & Benefits
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.