When we want to strengthen the security of the system, we we need to follow some basic guidelines. For hardening or locking down an operating system (OS) we first start with security baseline. Then we have to make sure that we’re using file systems that supports security, keep our OS patched and remove any unneeded services, protocols or applications.
In general, we should install firewalls, antivirus software, intrusion detection software or other types of security services that may be necessary to provide the protection we need for our environment. These could be installed on the OS itself or may be installed around the OS to protect the communication coming into the system.
We should also configure access control to restrict access only to authorized users and to deny access to unauthorized users. We should also configure auditing to track all activities in the environment. Also, we must make sure that we review the audit trails to look for unwanted or malicious types of actions or action patterns.
We should disable or reconfigure any default accounts may be present on the system. We should configure reliable, regular backups and also test those backups often to make sure we are protected from the system failure.
We should maintain documentation about our system and configuration. This will help simplify the hardening process and the upgrade process in the future.
Security baseline is an organizational security policy that establishes a common foundational set of basic security requirements that all systems in our organization must comply with. So, baseline is a security template which is used to configure systems or which is used to analyze system against a required standard.
Baselines may describe security mechanisms as well as the actual configuration. We should deploy security baseline for any operating systems we want to secure.
File System Security
We should make sure we’re using a file system that supports security mechanisms. In Windows environment, we should use the NTFS file system (New Technology File System). Features it supports include access control list on individual objects and folders, auditing on each object, and supports Encrypted File System (EFS). EFS allows for encryption of individual files. Windows OS also supports the FAT file system or File Allocation Table file system. FAT does not support any type of security features whatsoever.
In addition to making sure we use a file system that support security, we should also follow the principle of least privilege when assigning access to files and resources on the system. The principle of least privilege states that we should grant the user rights and privileges they need to perform their work tasks, and nothing else.
When hardening OS, we should also address system updates or security updates. We should make sure that when security updates are released we apply them as soon as possible. But, we should always test updates on a nonproduction system before they are deployed on production systems. Just because a patch has been released, it does not mean it won’t damage our environment or cause a problem with our system.
There are several types of patches or updates available. One type is a hot fix, which addresses a single issue. Service pack is a collection of hot fixes that acts as a single deployable patch that we can apply to address multiple issues all at once. Service packs are usually thoroughly tested and are less likely to cause damage to our system.
Another way to harden our OS is to remove unneeded services. We should uninstall or disable any software that is not required. If we don’t need an application, service or protocol or any other type of software, we should get rid of it. Every additional piece of software on the system is another possible vulnerability, another possible communication path that can enable an attack. However, when removing services we have to make sure to check dependencies before moving any services that are required by other services in order to function.
Network hardening should be organized around our organization security policy. From this we can design and create a security baseline that establishes the minimum requirements you want to deploy across the entire environment.
We should always remove any unneeded protocols, application and services on all the systems that are inside the network. We should keep our servers and workstations on the network secure as well.
We should maintain physical access control over all points in the network. We should deploy communication and border security controls, like remote access services, secure PBX systems, firewalls, intrusion detection software, etc.
We should audit all activity going across the network and monitor the activity for unwanted patterns of attacks. We should also consider controlling Internet access, since Internet is a large source of intrusion attempts or attack attempts.
Keep in mind that some network devices, like routers and switches, may require firmware updates in order to provide the best security. However, we should always test it before we deploy them in a production environment.
We should try to avoid single points of failures when we design our network so that when a single device ever fails, our entire network is not grounded to a halt.
We should use access control list on our network devices in order to control access to protocols, ports and systems.