Limiting the points of entry in an environment to as few as possible reduces the number of points that can be targeted for attacks, making that environment easier to secure. The same principle applies to system hardening standards. To implement them effectively, it’s critical to understand NIST’s recommendations and tailor your baseline to your organization’s needs.
What is System Hardening?
The National Institute of Standards and Technology (NIST) defines system hardening as reducing the attack surface of a system “by patching vulnerabilities and turning off nonessential services.” Implementing robust security measures without addressing system vulnerabilities and nonessential components is like installing a security system that only protects the primary entrance of a facility.
Even if the entrances aren’t immediately obvious, each one creates unnecessary security risks.
Likewise, system vulnerabilities and unused services increase the attack surface of a system, creating potential points of entry for attackers. The NIST Guide to General Server Security provides guidelines on how to secure systems, covering best practices for patching, hardening, and configuring.
How to Harden a Server
Hardening requires you to use a dedicated host whenever possible and install, deploy, and patch the operating system in a secure environment. It is preferable to use a minimal installation and manually install the necessary components afterward. Since hardening involves removing unnecessary components, installing the operating system with minimal configurations will simplify the process later on.
After the operating system has been installed and deployed, identify vulnerabilities and apply any necessary patches, updates, and permanent fixes. Follow an established, documented process to mitigate mistakes that result in security risks and ensure the server is fully patched and updated before proceeding to system hardening.
Remove Nonessential Components
A minimal installation will reduce the amount of work that needs to be done to harden the system. However, regardless of the installation, you should audit the system to identify and remove any services, applications, protocols, and other components that aren’t needed.
If there are any nonessential components that can’t be removed, disable them.
Removal is ideal because it prevents unused components from being maliciously or accidentally reactivated, but it’s not always an option. Consider implementing additional measures to further mitigate risks of disabled components. The NIST hardening guide recommends removing all:
- Directory services
- Email services
- File sharing services
- Language compilers and libraries
- Network management tools
- Printer sharing services
- Remote access programs
- Remote control programs
- System development tools
- System management tools
- Web servers and services
- Wireless networking services
Following the system hardening standards NIST recommends will prevent services from being compromised and weaponized, improving the security of your organization’s system.
It also provides additional benefits, including:
- Improving component compatibility – Eliminating unnecessary services, applications, and protocols will reduce the risk of incompatibilities and defective components, resulting in a more robust system environment.
- Freeing up host resources – Only implementing essential components will eliminate the need to make unnecessary hardware and software configurations, reducing vulnerabilities and wasted resources.
- Facilitating system monitoring – Fewer components mean fewer logs, so when something does go wrong it will be easier to detect and respond swiftly.
Before setting up servers, assess your needs and identify which components will be required. Doing so lets you plan the most effective hardening process and minimize security risks.
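One way to run the component audit described in this section on a systemd-based Linux server is sketched below. It is an added example, not taken from the NIST guide or the original article; the allowlist format, the function names, and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag enabled services that are not in a role baseline.

# Constructed sample of:
#   systemctl list-unit-files --type=service --state=enabled --no-legend
sample_enabled_units() {
cat <<'EOF'
sshd.service      enabled enabled
chronyd.service   enabled enabled
cups.service      enabled enabled
postfix.service   enabled disabled
smb.service       enabled disabled
auditd.service    enabled enabled
EOF
}

# Hypothetical allowlist for one server role; '#' starts a comment.
sample_allowlist() {
cat <<'EOF'
# role: SSH bastion
sshd.service
chronyd.service   # time sync
auditd.service
EOF
}

# unexpected_services ALLOWLIST_FILE < unit-listing
# Prints each enabled unit absent from the allowlist, one per line.
# An empty allowlist reports every unit.
unexpected_services() {
    awk '
        FILENAME == ARGV[1] {            # first operand: the allowlist
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") allow[$0] = 1
            next
        }
        NF && !($1 in allow) { print $1 } # stdin: the unit listing
    ' "$1" -
}

# Run the audit over the constructed samples above.
run_sample_audit() {
    tmp=$(mktemp) || return 1
    sample_allowlist > "$tmp"
    sample_enabled_units | unexpected_services "$tmp"
    rm -f "$tmp"
}

run_sample_audit
```

On a live host, pipe the real listing into the function, for example `systemctl list-unit-files --type=service --state=enabled --no-legend | unexpected_services ./allowlist.txt`, where `allowlist.txt` is a baseline file you maintain. Each reported unit is a candidate for removal, or for disabling if it cannot be removed.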
Configure User Authentication
Proper identity management and user authentication configuration are essential to prevent unauthorized server access. NIST details steps for authenticating users, including the following:
- Remove or disable nonessential accounts – Remove or disable unnecessary guest, administrator, and other accounts that are included in the default installation. Restrict access to any default accounts that must remain, and change their names and passwords to prevent attacks.
- Disable non-interactive accounts – Disable service-type accounts that are required by the system but don’t require login by a human user.
- Use groups to manage rights – Avoid assigning rights to individual users. Create groups, assign rights to those groups and add users based on their access needs. This will be more scalable, manageable, and secure than trying to manage the rights of each individual user.
- Configure time synchronization – Some protocols require time synchronization to work properly, so configure automated time synchronization to facilitate effective authentication.
- Implement a robust password policy – Set a robust password policy based on best practices and follow it carefully when setting account passwords. Store passwords securely and account for factors such as complexity, length, age, and reuse. Configure the system to deter password guessing and mitigate unauthorized access.
- Implement multifactor authentication – Require an additional form of authentication to keep user accounts more secure. Options include biometrics, authenticator apps, and secret questions.
Applying these protections will optimize control at the level of user accounts and behavior.
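The account checks in the first two items above can be automated against passwd- and shadow-format files. The script below is an added example, not code from NIST or the original article. The finding labels, the function names, and the default `UID_MIN` of 1000 for separating service accounts from human users are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit account files for the issues listed above.

# Constructed /etc/passwd-format sample (name:pw:uid:gid:gecos:home:shell).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
toor:x:0:0:legacy admin:/root:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF
}

# Constructed /etc/shadow-format sample; hash values are placeholders.
sample_shadow() {
cat <<'EOF'
root:$6$PLACEHOLDER:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
toor:$6$PLACEHOLDER:19700:0:99999:7:::
guest::19700:0:99999:7:::
alice:$6$PLACEHOLDER:19700:0:99999:7:::
EOF
}

# audit_accounts PASSWD_FILE SHADOW_FILE [UID_MIN]
# UID_MIN (assumed default 1000) separates service accounts from human users.
audit_accounts() {
    awk -F: -v uid_min="${3:-1000}" '
        FILENAME == ARGV[1] {                       # passwd-format file
            if ($3 == 0 && $1 != "root")
                print "EXTRA_UID0", $1              # second superuser
            else if ($3 > 0 && $3 < uid_min && $7 !~ /(nologin|false)$/)
                print "SERVICE_LOGIN_SHELL", $1     # non-interactive account can log in
            next
        }
        NF > 1 && $2 == "" { print "EMPTY_PASSWORD", $1 }  # shadow: no password set
    ' "$1" "$2"
}

run_sample_account_audit() {
    dir=$(mktemp -d) || return 1
    sample_passwd > "$dir/passwd"; sample_shadow > "$dir/shadow"
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

run_sample_account_audit
```

Some distributions ship service accounts whose shell field is a command such as `/bin/sync`; these appear as `SERVICE_LOGIN_SHELL` findings and need a manual decision.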
Configure Resource Controls
Prevent unauthorized access to files and other system resources by setting access controls:
- Provide minimum access – Limit user access to only the resources and privileges they need to perform tasks by assigning them to the appropriate user groups. Limiting access and privileges will protect data and prevent unauthorized users from making changes to system configurations.
- Monitor activity – Perform system audits to detect unauthorized attempts to access resources or make changes to system configurations.
- Consider virtual environments – Running the server in a virtual environment isolates activities and mitigates the impact of malicious activity. Assess the server environment and needs of the organization to determine if this sort of setup will be beneficial.
Make Additional Security Configurations
Default installations are unlikely to be enough to adequately secure your organization’s server. Identify, implement and maintain additional controls as needed to secure the system, such as:
- Antimalware tools
- Intrusion detection and prevention systems
- Patch and vulnerability management tools
Assess needs and available resources when implementing these additional security measures. Reevaluate and modify them as needed over time to protect against emerging threats.
Test Implemented System Hardening Standards
It’s essential to perform security tests to ensure that hardening and other security measures are implemented properly and remain effective over time. When planning a test, consider the impact the process may have on the system or any sensitive data to decide whether to test on the production server or a test server.
Two common testing options are vulnerability scanning and penetration testing.
Vulnerability scanning usually relies on an automated scanner to identify well-known weaknesses that could be exploited. Tasks these scanners can perform include:
- Identifying operating systems and active hosts, services, and applications
- Identifying vulnerabilities connected to those operating systems, hosts, services, and applications
- Testing the host for compliance with security and usage policies
Vulnerability scanning is essential, but results aren’t always accurate and aren’t comprehensive enough to be relied on as a sole means of testing. Use it in conjunction with other testing methods and auditing tools to maintain your organization’s system.
Penetration testing is a form of “ethical hacking” in which an attack is simulated to gauge how a real attacker would operate. It’s a demanding process that requires care to prevent exposing the system to real threats while examining simulated ones. When carried out properly, it offers many benefits:
- Testing how hardened the system is using real-world attack methods
- Identifying and confirming system vulnerabilities
- Illustrating the importance of following system hardening standards for servers
- Testing the efficacy of security measures beyond the scope of technical controls
Though it is a complex process, penetration testing provides invaluable data to inform system security policies and decisions. It offers hard-hitting cybersecurity insights in real time.
Harden Your Organization’s System Against Security Threats
Removing nonessential services, applications, protocols, accounts, and other components is central to system hardening, and implementing additional security controls is essential to bolster the efficacy of this process. By assessing the server environment and following the server hardening standards NIST recommends, your organization will be able to establish and maintain a system that can resist current and future security threats.