How well are your systems hardened? If you can’t answer this question immediately and specifically, you should perform a hardening audit! In this guide, you’ll learn how to do this on Windows and Linux – with a free tool.
Why a hardening audit is necessary
Software manufacturers deliver operating systems and applications with maximum compatibility and a wide range of functions as standard. This means that many potentially vulnerable components and unnecessary functionalities are activated.
For example, Windows 10 or Windows 11 has “out of the box” only a low level of compliance with current and established hardening standards such as the CIS benchmarks or the BSI SiSyPHuS recommendations.
It is therefore extremely important that you configure your systems securely and thus subject them to System Hardening. This is required by an increasing number of regulations and standards, for example:
In order to continuously monitor the status of your System Hardening, you must perform regular hardening audits. These should be an integral part of regular, more comprehensive security audits.
How can you check the quality of your System Hardening?
Performing a hardening audit can be a very time-consuming process – but only if it is done manually. This usually requires several IT security and hardening experts (internal and/or external) to check and document thousands of settings.
In large and complex system landscapes, this is a seemingly endless challenge. In addition, the system landscape is constantly changing. Hardening audits then become a resource-consuming Sisyphean task.
This means that the most sensible solution is to use professional hardening tools that allow you to perform a hardening audit. One such tool is the free AuditTAP.
What does AuditTAP offer for your hardening audit?
AuditTAP (Audit Test Automation Package) is ideal for conducting a thorough check of your systems. This open source software is extremely versatile.
✅ On the one hand, it can be used to check the security-related settings of individual applications such as browsers and Microsoft Office programs.
✅ On the other hand, you have the option of performing a hardening audit on Windows 10, Windows 11, various Windows Server systems, and common Linux derivatives without spending a lot of time.
✅ During an AuditTAP hardening audit, your system configuration is compared with the specifications of current and proven hardening standards – for example, from Microsoft, CIS, BSI, and DISA.
Instructions: Hardening check of a Windows system
AuditTAP makes it very easy to perform a Windows hardening check. To do so, proceed as follows:
➡ Download the free tool from GitHub
➡ Unzip the file into a folder
➡ You now have several options for installing AuditTAP
➡ One option is to use the PowerShell Gallery
➡ Another option is to copy the files to the PowerShell module folder
➡ You can also start the installation using Setup.exe
Each type of installation has its own advantages. These depend, among other things, on your preferences, your expertise, your system rights, and the availability of the Internet.
➡ Now go to the installation folder
➡ Start AuditTAP via PowerShell
➡ Select the desired check from the list displayed
➡ After a short time, you will receive a detailed hardening audit report
Detailed instructions and tips for installing AuditTAP can be found in this video:
Linux Hardening Audit: How to perform the check
Do you want to harden your Linux systems? Great idea! The best way to start is with an analysis of the current situation, followed by the appropriate optimizations.
You can implement the Linux Hardening Audit with AuditTAP as follows:
➡ AuditTAP requires PowerShell, which is not always available on Linux
➡ Therefore, you must first set up the program manually via the terminal
➡ You can download a prompt overview here: fb-pro.com/linux-prompts
➡ Then download the AuditTAP source code from GitHub
➡ Unzip the download via the terminal
➡ The two folders “ATAP Auditor” and “ATAP Html Report” are important
➡ Move these to the PowerShell module directory
➡ Example: /opt/microsoft/powershell/7/Modules/ (requires sudo rights!)
➡ The directories require the correct permissions and owner (root)
➡ Start PowerShell as root
➡ Run AuditTAP – you can find the command in the GitHub repository
➡ After a few minutes, you will receive a detailed Linux hardening report
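The ownership and permission step matters because PowerShell started as root loads whatever sits in that module directory. The following sketch is an added example, not AuditTAP's own installer: it copies a module folder into place with owner-only write access and then verifies the result. The function names `install_module` and `check_module_tree` are hypothetical, and the folder names are passed as arguments.

```shell
# Added example, not AuditTAP's own installer. Function names are hypothetical.

# install_module SRC DEST_PARENT: copy SRC below DEST_PARENT, owner-only write.
install_module() {
    src=$1; dest_parent=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    name=$(basename "$src")
    mkdir -p "$dest_parent" || return 1
    cp -R "$src" "$dest_parent/" || return 1
    # Directories 755, files 644: readable by all, writable by the owner only.
    find "$dest_parent/$name" -type d -exec chmod 755 {} + || return 1
    find "$dest_parent/$name" -type f -exec chmod 644 {} + || return 1
    # Ownership can only be handed to root when running as root (sudo).
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$dest_parent/$name" || return 1
    fi
}

# check_module_tree DIR [OWNER_UID]: succeed only if every entry belongs to
# OWNER_UID (default 0 = root) and nothing is group- or world-writable.
check_module_tree() {
    dir=$1; owner=${2:-0}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    bad_owner=$(find "$dir" ! -user "$owner" -print)
    bad_mode=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    result=0
    if [ -n "$bad_owner" ]; then
        echo "$bad_owner" | sed 's|^|wrong owner: |' >&2; result=1
    fi
    if [ -n "$bad_mode" ]; then
        echo "$bad_mode" | sed 's|^|writable by group/others: |' >&2; result=1
    fi
    return $result
}

# Usage on the audited host (run with sudo), once per AuditTAP folder:
#   install_module ./<folder> /opt/microsoft/powershell/7/Modules
#   check_module_tree /opt/microsoft/powershell/7/Modules/<folder>
```

Running `check_module_tree` again before each audit catches a module directory that has drifted to a writable state since installation.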
Are you having problems installing and starting AuditTAP on Linux? Then take a look at this tutorial video:
What the AuditTAP report says in detail
After the hardening check, you will find the report in HTML format in the AuditTAP folder. It is divided into several pages.
Page 1: Benchmark compliance
The first tab of the report contains a summary of how many of the security settings checked meet various hardening standards. Here you can see at a glance the extent to which they comply with the BSI specifications, the CIS benchmarks, or the Microsoft security baselines.
Good to know: On a “normal” Windows system, compliance with established hardening standards is usually low, which is why the AuditTAP report often shows the status “critical.” This highlights the significant need for improvement on unhardened systems.
Page 2: Security Base Data
Here you will find detailed technical information about the hardware and software used in your system. You will also receive a comprehensive overview of security-related settings, which are divided into different areas. In a Windows hardening audit report, these include:
- Platform Security
- Windows Base Security
- PowerShell Security
- Connectivity Security
- Application Control
Page 3: AuditTAP Risk Score
The AuditTAP Risk Score provides a visual representation of how critical or non-critical the results of your compliance check are. The security of your system is assessed from two important perspectives:
1️⃣ Quantity
This dimension indicates how many configuration recommendations from the selected hardening standard have been implemented on your audited system.
2️⃣ Severity
This dimension indicates how well the individual, particularly security-critical configurations are implemented on your system. The “severity” reflects the quality and importance of the implemented settings.
Below the risk score, you will find a detailed list of all relevant parameters that were included in the overall assessment, along with their individual criticality. This provides you with a transparent basis for targeted improvement measures.
Page 4: Hardening Settings
This page lists all hardening measures found by AuditTAP in detail. This allows you to see which measures are required by which benchmarks and which are already fulfilled by your System Hardening.
A special feature is the set of hash values in the upper area. AuditTAP calculates these from all the parameters set. They make it easier to compare different hardening checks and track changes to your system configurations over time.
Page 5: About Us
On the last page of your Windows or Linux hardening audit report, you will find contact information if you have suggestions for improving AuditTAP or need support with your System Hardening.
What is important after the hardening audit?
You now know which adjustments you need to make to improve your OS Hardening in general or your Office Hardening in particular. Now proceed strategically and deliberately to implement a sustainable System Hardening process! Pay attention to the following aspects:
Rely on proven standards
Don’t develop your own hardening setup! Instead, follow the comprehensive and established benchmarks. These include countless tried and tested settings. Observe the requirements of the numerous regulations and standards, especially those that apply to your sector or industry.
No manual System Hardening
When you combine multiple standards, you can quickly end up with 1,000 configuration changes or more – per system! Manually implementing System Hardening measures on dozens or even hundreds of systems is extremely time-consuming and resource-intensive. Given the complexity and dynamics of modern IT infrastructures, you probably cannot afford to take on this challenge.
PowerShell automation instead of GPOs
Attempting to harden IT infrastructures using group policies (GPOs) often leads to inflexible and unsatisfactory results. A better option is automated System Hardening using PowerShell scripts or PowerShell Desired State Configuration (DSC). You have to implement these yourself, which takes just as much time. Or you can use Enforce Administrator as a “shortcut.”
Establish hardening processes
Integrate System Hardening into your processes! There are various approaches to this – for example, Rapid Hardening, Layered Hardening, and Lifecycle Hardening. Lifecycle Hardening is a good option, for example, if you are already carrying out a Windows 11 rollout project.
Continuous improvement
System Hardening is not a one-time project, but rather a continuous process. This is because your IT landscape and the threat landscape are constantly changing. Your hardening measures must therefore be continuously monitored and adjusted. Enforce Administrator is also the ideal solution for meeting these requirements.
Don’t overdo it
Be aware that it is impossible to achieve 100% compliance with the hardening benchmarks! Extreme System Hardening would severely restrict the usability of your systems or even render them unusable. The aim is rather to strike a well-considered balance between security and usability.
Conclusion
System Hardening is not a one-time project, but rather a continuous process. It is one in which you must gradually improve your measures.
A hardening audit provides you with the necessary overview of the current status of your systems and identifies specific areas for action. Tools such as AuditTAP support you in efficiently and transparently comparing your systems with established standards.
Would you like to learn more about System Hardening? Or would you like to know how you can use Enforce Administrator to automate System Hardening and implement it in your company? Contact us. Our experts are happy to help!
Images: Freepik, FB pro