Hardening is the process of strengthening the security of an operating system by eliminating vulnerabilities and implementing security controls.

What is Hardening?

Hardening is the practice of configuring an operating system in a way that reduces its attack surface and improves its security by eliminating unnecessary services, applying patches, and configuring security controls.

Hardening Principles

Principle of Least Privilege

  • Users: Minimum necessary privileges
  • Services: Run with minimum privileges
  • Processes: Limit process capabilities
  • Access: Restrict access to resources

Defense in Depth

  • Multiple layers: Stack independent security layers so that one failing control does not expose the system
  • Redundant controls: Overlapping controls that cover the same risk in different ways
  • Detection: More than one detection mechanism, so an evasion of one is still caught by another
  • Response: More than one response path (automated blocking, alerting, manual escalation)

Security by Design

  • Secure configuration: Secure configuration by default
  • Validation: Input validation
  • Encryption: Encryption of sensitive data
  • Monitoring: Continuous monitoring

Windows Hardening

System Configuration

# Disable unnecessary services (use service names, not display names:
# Telnet server, FTP Publishing Service, World Wide Web Publishing Service)
Set-Service -Name "TlntSvr" -StartupType Disabled
Set-Service -Name "ftpsvc" -StartupType Disabled
Set-Service -Name "W3SVC" -StartupType Disabled

# Configure firewall: set the default action per profile instead of adding a
# blanket Block rule, because an explicit Block rule overrides every Allow rule
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# Configure password policies (length, max/min age, lockout threshold)
net accounts /minpwlen:12
net accounts /maxpwage:90
net accounts /minpwage:1
net accounts /lockoutthreshold:5

Registry Configuration

# Disable autologon (AutoAdminLogon is a REG_SZ holding "0" or "1") and remove
# any cleartext password stored alongside it
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoAdminLogon" -Value "0" -Type String
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultPassword" -ErrorAction SilentlyContinue

# Enable User Account Control (EnableLUA = 1 turns UAC on; it does not control script execution)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 1 -Type DWord

# Configure auditing
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Object Access" /success:enable /failure:enable

Network Configuration

# Disable unnecessary protocol bindings on the adapter (only unbind IPv6 if
# nothing on the host depends on it)
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID "ms_tcpip6"
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID "ms_lltdio"

# Configure TCP/IP (these are "netsh int tcp" globals, not "ipv4"; they tune
# the TCP stack rather than harden it)
netsh int tcp set global autotuninglevel=normal
netsh int tcp set global rss=enabled
# TCP Chimney offload exists only on Windows versions before Windows 10 / Server 2016
netsh int tcp set global chimney=enabled

Linux Hardening

System Configuration

# Disable and stop legacy cleartext services (unit names vary by distribution;
# telnet, rsh and rlogin are normally socket-activated units)
systemctl disable --now telnet.socket
systemctl disable --now vsftpd
systemctl disable --now rsh.socket
systemctl disable --now rlogin.socket

# Configure firewall with ufw: set the policy and allowed services before
# enabling, so a remote SSH session is not cut off
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow http
ufw allow https
ufw enable

# Raw iptables alternative (use either ufw or iptables, not both at once)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

User Configuration

# Create a user with limited privileges: a normal account that is not a member
# of the sudo group (membership would grant unrestricted root)
useradd -m -s /bin/bash user

# Grant sudo for exactly one command through a validated drop-in instead of
# appending to /etc/sudoers directly (a syntax error there locks everyone out)
echo "user ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2" > /etc/sudoers.d/user-apache
chmod 440 /etc/sudoers.d/user-apache
visudo -cf /etc/sudoers.d/user-apache

# Configure password aging: expire after 90 days, minimum 1 day between
# changes, warn 7 days before expiry
passwd -x 90 user
passwd -n 1 user
passwd -w 7 user

Network Configuration

# Write the settings to a sysctl.d drop-in instead of appending to
# /etc/sysctl.conf (appending on every run duplicates the keys)
cat > /etc/sysctl.d/99-hardening.conf <<'EOF'
# Disable IPv6 if not needed
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Do not forward packets or send ICMP redirects (this host is not a router)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF

# Apply the drop-in now
sysctl --system

Hardening Tools

Windows

  • Microsoft Security Compliance Toolkit: Microsoft's security baselines and policy analysis tools
  • CIS-CAT: CIS Benchmark assessment tool
  • Nessus: Vulnerability scanner
  • OpenSCAP: Compliance scanning tool

Linux

  • CIS-CAT: CIS Benchmark assessment tool
  • OpenSCAP: Compliance scanning tool
  • Lynis: Security auditing tool
  • AIDE: File integrity checker (host-based intrusion detection)

Automation

#!/bin/bash
# Hardening script for Linux (run as root)
set -euo pipefail

# Disable and stop unnecessary services; a unit that is not installed is skipped
for unit in telnet.socket vsftpd rsh.socket; do
    systemctl disable --now "$unit" 2>/dev/null || true
done

# Configure firewall: rules first, then enable; --force skips the interactive prompt
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw --force enable

# Configure network parameters in a drop-in so re-runs stay idempotent
cat > /etc/sysctl.d/99-hardening.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
EOF

# Apply changes
sysctl --system

Hardening Standards

CIS Benchmarks

  • Windows: CIS Benchmark for Windows
  • Linux: CIS Benchmarks for Linux distributions
  • Docker: CIS Benchmark for Docker
  • Kubernetes: CIS Benchmark for Kubernetes

NIST Guidelines

  • SP 800-53: Security and privacy controls catalog
  • SP 800-70: National Checklist Program (configuration checklists)
  • SP 800-123: Guide to general server security (server hardening)
  • SP 800-147: BIOS protection guidelines

ISO 27001

  • A.8.1: Asset management
  • A.9: Access control
  • A.10: Cryptography
  • A.12: Development security

Monitoring and Auditing

Monitoring Tools

# Monitor changes in critical files: build the baseline, activate it, then check
# (database path shown for Debian/Ubuntu; RHEL-based systems use .gz files)
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
aide --check

# Monitor processes for legacy cleartext daemons
ps aux | grep -E "(telnet|ftp|rsh)" | grep -v grep

# Monitor listening ports 21 (ftp), 23 (telnet), 514 (rsh/syslog); anchor the
# port number so that 2323 or 8021 do not match
ss -tuln | grep -E ":(21|23|514)[[:space:]]"
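The two checks above, and the sysctl settings from the Linux Network Configuration section, can be turned into a repeatable drift audit. This is an added example, not code from the original page: the expected sysctl values, the port list and the sample outputs are assumptions constructed for the example, and both functions read command output from stdin so they run unchanged on live `sysctl -a` / `ss -tuln` output.

```sh
#!/bin/sh
# Added example (not from the page): drift audit for the sysctl keys and the
# legacy-service ports this page hardens. Functions read command output on stdin.

# Baseline from the Network Configuration section (assumed expected values).
EXPECTED_SYSCTL='net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.disable_ipv6=1'

# Ports of the cleartext services the page disables: ftp, telnet, rsh/syslog.
RISKY_PORTS='21|23|514'

# audit_sysctl: stdin is "key = value" lines; prints one line per key that
# deviates from the baseline and returns 1 if any drift was found.
audit_sysctl() {
    rc=0
    actual=$(sed 's/[[:space:]]*=[[:space:]]*/=/')   # "k = v" -> "k=v"
    for want in $EXPECTED_SYSCTL; do
        key=${want%%=*}; val=${want#*=}
        got=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1==k {print $2}')
        if [ "$got" != "$val" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$val" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# audit_ports: stdin is "ss -tuln" (or netstat -tuln) output; prints sockets bound
# to a risky port, returns 1 if any. ":PORT" plus whitespace avoids 2323/8021 hits.
audit_ports() {
    if grep -E ":(${RISKY_PORTS})[[:space:]]"; then return 1; fi
    return 0
}

# Constructed samples: IPv4 forwarding still on, telnet and syslog/UDP listening.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:2323       0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:23         0.0.0.0:*
udp   UNCONN 0      0               [::]:514           [::]:*'

if ! printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl; then echo "sysctl drift"; fi
if ! printf '%s\n' "$SAMPLE_SS" | audit_ports; then echo "risky ports open"; fi
```

On a live host, replace the samples with `sysctl -a | audit_sysctl` and `ss -tuln | audit_ports`; a non-zero return from either is the signal to alert on.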

Security Logs

# Configure logging through an rsyslog drop-in, then restart rsyslog to load it
cat > /etc/rsyslog.d/50-hardening.conf <<'EOF'
*.info     /var/log/messages
auth.*     /var/log/auth.log
EOF
systemctl restart rsyslog

# Monitor logs
tail -f /var/log/auth.log /var/log/messages

Best Practices

Initial Configuration

  • Base image: Use secure base image
  • Updates: Apply all updates
  • Services: Disable unnecessary services
  • Users: Configure users appropriately

Continuous Maintenance

  • Patches: Apply patches regularly
  • Monitoring: Monitor changes
  • Audits: Perform regular audits
  • Documentation: Keep documentation updated

Automation

  • Scripts: Automate repetitive tasks
  • Configuration: Configuration management
  • Deployment: Automated deployment
  • Validation: Automatic validation
