System Hardening Standards

When it comes to securing a network, organizations will often deploy several technical controls and processes to create a “layered defense” approach. This approach helps to limit single points of failure and exposure. However, one important process that is often overlooked is system hardening which includes making configurational changes to default system settings so that the system is more secure against information security threats. In addition, this process helps to reduce the amount of inherent vulnerabilities which exist in all systems.

A system hardening process should be in place for all devices that are attached to a network. This includes workstations, servers, network devices, printers, etc. If your organization does not currently have a system hardening process in place, below are some general recommendations on what a strong system hardening process should include.

Four Steps to Include in Your System Hardening Process

1.) Rename or Disable Built-in Accounts

Disabling or renaming default credentials for built-in accounts is fundamentally one of the most important steps in system hardening. The Internet contains hundreds of thousands of default credentials that can be obtained with a few keystrokes and mouse clicks. This is generally the first attack vector an attacker will try when attempting to compromise a system. Renaming or disabling built-in accounts will make unauthorized system access more difficult.

Avoid using a naming convention that discloses the account has administrative rights. Renaming the built-in account “administrator” to “itadmin” is helpful, however, would prove to be ineffective if an attacker is able to make the system enumerate, or list, user accounts. An attacker is likely going to target accounts that disclose they have administrative privileges first. Instead, rename built-in accounts using unique and non-descriptive account names.

Lastly, ensure the newly renamed accounts use complex passwords. A complex password is generally considered one that includes the use of mixed-case alphanumeric and non-alphanumeric characters and is at least eight characters in length. Don’t forget to rotate these passwords on a regular basis.

2.) Determine Necessary Protocols

Systems will generally come preconfigured with default protocol settings. One example is the Simple Network Management Protocol (SNMP) which is enabled on virtually every system. SNMP is often configured with the default community string value of “PUBLIC” or “PRIVATE.” If this community string value is used in a production network, an attacker may be able to obtain sensitive information or make unauthorized changes to the system, thus negatively impacting business operations.

Another area of concern is systems that are configured to use unencrypted protocols. Common unencrypted protocols include HTTP, TELNET, and FTP. If a system is using an unencrypted protocol, sensitive information such as usernames and passwords could be sent in clear text over the network. An attacker who is monitoring network traffic could potentially intercept this information.

As part of the system hardening process, an organization should determine what protocols are needed for business operations. If possible, default protocol values should be changed to something unique and not easily guessed. Unencrypted protocols should be disabled in favor of encrypted protocols which include HTTPS, SSH, and FTPS.

3.) Protect Basic Input/Output Systems (“BIOS”)

All operating systems have a boot-up management solution also known as “BIOS.” BIOS allow for changes to be made to a system including the boot-up sequence. This is another way for an attacker to compromise a system. For example, an attacker could change the boot-up sequence from the hard-drive to a USB device to boot to a malicious operating system. To increase network security, system hardening should include configuring a complex password to access BIOS.

4.) Identify and Remove Unnecessary Applications and Services

Systems that are purchased from “big-box stores” are notorious for being pre-installed with “bloatware” applications. These applications require critical system resources to run and can hinder the system’s performance. In addition, “bloatware” applications often allow services to run in the background. This puts a system at risk for unwanted security vulnerabilities and increases the different compromise vectors. To reduce potential attack vectors, system hardening should include the identification and removal of applications and services that are not necessary for business operations.

Documenting the System Hardening Process

A key component of a strong system hardening process is to ensure the process is thoroughly documented. This helps to not only ensure that each system is configured and deployed correctly, but also creates a higher level of accountability within the organization.

Testing the Effectiveness of the System Hardening Process

There are several tools (some of which are free and even automated) that can be used to ensure system hardening processes are effective. Other resources include vulnerability management solutions and penetration testing. All of these resources help organizations determine the effectiveness of their system hardening process.

The system hardening process should not be a “one and done” event. As new vulnerabilities and issues are identified, an organization should ensure their system hardening process is updated accordingly.

Implementing and enforcing a system hardening process can seem like a daunting task for any organization. However, system hardening is a critical “layer of defense” to ensure an organization’s systems and information remain secure.