Hardening is the term used in the security industry for taking something, usually from its default state, to a more secure state by reducing its attack surface and the vulnerabilities it exposes. The object can be an operating system or an application; whatever is taken from one state to a more secure state has been hardened. The hardening process commonly includes things like:
- Removing unnecessary software and services from an operating system
- Changing, removing or disabling default passwords
- Disabling or removing unused accounts
- Enabling security software and configurations
- Patching the kernel
Hardening attempts to prevent or remove configuration-based vulnerabilities. For example, when hardening an operating system you might set a password policy that requires users to choose a complex password. If the system's policy allowed a user to set no password at all, or a simple one, that would be a configuration-based vulnerability.
The hardening process needs to be specific to the operating system version or application version and, importantly, specific to what the OS or application is being used for and the threats it faces. For example, the steps to harden a Linux server acting as a public web server running Apache and Tomcat would be a completely different process from hardening a Mac desktop: they face different threats and have different needs. Even comparing a Linux web server with a Linux database server, the two would have different hardening profiles. So there is no single general method or process of hardening; there are, however, general things you tend to do, namely removing what is unnecessary and reducing what can be attacked.
Hardening manually is a laborious task because it requires a detailed and up-to-date understanding of what you are hardening. Returning to the web server example, there are multiple layers that need to be hardened.
First there is the operating system itself. Then there is Apache, which also needs hardening, and Apache may be serving an application such as WordPress, which must be hardened in turn. Finally there is the code of the application itself, which needs to be written securely. So hardening a system involves multiple layers, and a weakness at any one of them undoes the work done at the others.
Issues that arise when hardening
Hardening an operating system stops it from functioning exactly as it did in its default state, so it can introduce conflicts and issues. This is a real problem when you harden things, especially with frameworks such as grsecurity and other security frameworks. You have to expect breakage and monitor the system to work out how it can function successfully in its hardened state, because operating system hardening is very specific to the operating system version.
Unfortunately we cannot go into all the details of how to harden everything in every way in this article. That would not be very useful anyway, because hardening is not a process you want to carry out manually, and it has to be kept up to date: in a few days or weeks there may be further changes needed to keep a system hardened. It would require a separate tutorial for each operating system version.
Many standards have been developed, and in most cases you would use one as the basis for your hardening, since there is no point reinventing the wheel. Whatever you want to harden, there is very likely a good, well-researched standard available for it (the CIS Benchmarks and DISA STIGs are well-known examples). It is best to find good hardening standards and use at least one as a base to start from.
They often explain why each setting is recommended, so you can make an informed choice about whether or not to apply it. Importantly, they are often accompanied by scripts: audit scripts that establish the system's current state, and remediation scripts that bring it to the hardened state you want. This saves the labor of manually going through every setting you would otherwise have to review to harden the system or application. An audit run before and after remediation is also what tells you whether a change took effect and whether it broke anything.
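As an added example (not code from the original article or from any published benchmark), here is a minimal audit-and-remediate script of the kind just described, implementing three of the checks from the list at the top of the article: accounts with an empty password, system accounts left with an interactive shell, and the password ageing setting. It operates on copies of /etc/passwd, /etc/shadow and /etc/login.defs passed as arguments, and the sample files it generates are constructed for illustration. The 1000 UID boundary, the 365-day maximum, the file paths and the function names are assumptions, not settings taken from any standard.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal audit-and-remediate
# script in the style of the benchmark scripts described above. It operates on
# copies of /etc/passwd, /etc/shadow and /etc/login.defs given as arguments so
# it can be exercised on constructed sample files before touching a live host.
# The UID boundary, the 365-day maximum and the function names are assumptions.
set -u

# ---- audit checks (print offending entries, print nothing when clean) ----

# Accounts whose shadow password field is empty can log in with no password:
# the "no password" configuration vulnerability.
audit_empty_passwords() {            # $1 = shadow-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# System accounts (UID below 1000, excluding root) that keep an interactive
# shell. Service accounts should not be able to log in at all.
audit_system_shells() {              # $1 = passwd-format file
    awk -F: '$3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Password ageing: PASS_MAX_DAYS must be present and no larger than $2.
audit_pass_max_days() {              # $1 = login.defs-format file, $2 = max
    awk -v max="$2" '
        $1 == "PASS_MAX_DAYS" { found = 1; if ($2 + 0 > max + 0) print "PASS_MAX_DAYS=" $2 }
        END { if (!found) print "PASS_MAX_DAYS=unset" }' "$1"
}

# ---- remediation (rewrites the given file; on a live system call
#      passwd -l, usermod -s and chage -M instead of editing the files) ----

# Lock empty-password accounts by writing "!" into the hash field, which is
# what passwd -l does.
remediate_empty_passwords() {        # $1 = shadow-format file
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "!" } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Give flagged system accounts a non-login shell.
remediate_system_shells() {          # $1 = passwd-format file
    awk -F: 'BEGIN { OFS = ":" }
        $3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { $7 = "/usr/sbin/nologin" }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Set (or add) PASS_MAX_DAYS to the value in $2.
remediate_pass_max_days() {          # $1 = login.defs-format file, $2 = value
    awk -v val="$2" '
        $1 == "PASS_MAX_DAYS" { print "PASS_MAX_DAYS " val; found = 1; next }
        { print }
        END { if (!found) print "PASS_MAX_DAYS " val }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# ---- constructed sample files (not real system data) ----
make_samples() {                     # $1 = directory to write into
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
tomcat:x:105:107::/opt/tomcat:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$saltsalt$notarealhash:19000:0:99999:7:::
EOF
    cat > "$1/login.defs" <<'EOF'
# constructed login.defs fragment
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
}

# Audit, remediate, audit again: the second audit should print nothing.
run_demo() {                         # $1 = scratch directory
    make_samples "$1"
    echo "== before =="
    audit_empty_passwords "$1/shadow"
    audit_system_shells "$1/passwd"
    audit_pass_max_days "$1/login.defs" 365
    remediate_empty_passwords "$1/shadow"
    remediate_system_shells "$1/passwd"
    remediate_pass_max_days "$1/login.defs" 365
    echo "== after =="
    audit_empty_passwords "$1/shadow"
    audit_system_shells "$1/passwd"
    audit_pass_max_days "$1/login.defs" 365
}

run_demo "$(mktemp -d)"
```

The first audit flags guest (empty password), www-data (a service account with /bin/sh) and PASS_MAX_DAYS=99999; after remediation the same three checks print nothing. Keeping the audit and remediation as separate functions is the point: the audit can be run on its own against a production host to see its current state, and again after changes to confirm they took effect, without the script ever modifying anything.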