There are various ways in which you can implement System Hardening in your company. Here we present the special features as well as the advantages and disadvantages of Rapid Hardening, Layered Hardening and Lifecycle Hardening.
A guest article from TEAL Technology Consulting
Cyber security without System Hardening? Please don’t!
System Hardening is not a “nice to have”, but a “must have”! This should be clear to anyone who deals with IT security or cyber security.
On the one hand, it is necessary for companies to increase the level of IT security in order to better protect themselves against increasing cyber threats. On the other hand, the topic of “System Hardening” is also becoming increasingly important with regard to common standards and certifications. Standards such as ISO 27001, the Teletrust standard, which defines the “state of the art techniques“, as well as regulations and laws require a specific concept for hardening systems.
What makes the hardening of IT system landscapes more difficult
Many companies are now looking for ways to implement System Hardening efficiently, cost-effectively and without major problems. One obstacle to implementation is often the complexity of historically grown IT infrastructures, which can have numerous misconfigurations.
In addition, unclear responsibilities for certain services or the use of outdated operating systems and applications that no longer comply with current security standards make the implementation of hardening projects more difficult. These factors must be taken into account when planning a System Hardening project, as they can significantly delay the progress of the project.
In this article, we present three tried-and-tested methods for overcoming these challenges: Layered Hardening, Rapid Hardening and Lifecycle Hardening.
How Layered Hardening works
Layered Hardening involves much more than “just” hardening systems according to current specifications. The first step is a threat analysis to classify the assets and determine the protection requirements. This involves classifying systems into “tiers” according to criticality.
The aim is to identify the systems that are particularly worthy of protection. These are then isolated and secured with technical and organizational measures. As a result, attackers may be able to penetrate the company systems, but can no longer easily access critical components and thus take over the entire environment.
How we implement Layered Hardening
Like FB Pro, we at TEAL specialize in System Hardening. We also ensure that the way in which companies administer and secure their IT infrastructure is improved. Procedures such as Microsoft’s Enhanced Secure Administration Environment (ESAE) and Securing Privilege Access, CIS Security Controls and BSI Baseline protection play a central role in this.
We typically start with a security assessment for our customers by analyzing the current situation and identifying weaknesses in the environment. The assessment is completed by a security roadmap in which we present the results in detail, but also make suggestions to improve the overall security of the infrastructure.
During practical implementation, we first harden the assets that require the highest level of protection (= Tier 0). We apply the highest possible protection standards by disabling insecure protocols such as SMB v1 or outdated cipher suites and restricting the use of Ntlm.
However, this has many side effects, as older applications in particular sometimes rely on precisely these outdated protocols and no longer work after hardening. This means that you actually have to go through, harden and test system by system. This increases the workload, but also ensures that the systems are appropriately secured and protected.
What is important: step by step to the goal
After the Tier 0 layer, we turn our attention to the next critical assets, the Tier 1 systems. These are typically servers such as database servers, web servers or servers that are used as terminal servers or documentation storage. The procedure for Tier1 is similar to that for the particularly critical Tier0 systems: A security benchmark that is as restrictive as possible is defined and rolled out system by system.
If there are incompatibilities with applications, the specifications can be softened slightly if necessary. In other words, a Tier 1 system may be hardened less restrictively than a Tier 0 system following a risk assessment.
Finally, we harden the Tier2 or end-user devices so that they also have the smallest possible attack surface. It is important to pay attention to “everyday usability”. For example, Bluetooth must remain switched on on end-user devices so that employees can continue to use their headsets and cameras for video conferences.
Layered Hardening: the advantages
- The primary advantage is obvious: once the hardening project has been successfully completed, the critical systems have the best possible protection and therefore the smallest possible attack surface in the environment.
- You inevitably have to deal with the legacy issues in the system landscape. Many infrastructure-relevant aspects must be considered and a system inventory overview must be created or updated.
- Layered Hardening therefore has the great advantage of significantly increasing the level of security.
Layered Hardening: the disadvantages
- The procedure of hardening the systems one after the other and individually leads to relatively long project runtimes and corresponding costs.
- It is time-consuming to introduce restrictive hardening rates.
When should you use Layered Hardening?
Layered Hardening is a very good method if you really need to sustainably increase your IT security level and treat it very restrictively. This is especially true if your company has already been the victim of a cyberattack or if the probability of a cyberattack is very high.
We also recommend this approach if you are in a highly regulated or sensitive industry. This applies to companies and organizations that are classified as CRITIS (critical infrastructure), among others.
What makes Rapid Hardening special
As the name suggests, Rapid Hardening focuses on the speed of implementation. The aim is to equip as many systems as possible with basic protection as quickly as possible. As always, this basic protection should be based on industry standards. However, only the necessary and non-critical settings that are “easy” to implement without a lot of troubleshooting are implemented.
Rapid Hardening in practice: an example
First, hardening is defined with 200 to 300 settings. Rapid Hardening then concentrates on starting with the client systems (Tier2) and rolling out the hardening to tens of systems per week. The process then looks like this:
- Create the hardening set
- Roll out on five to ten pilot systems
- Testing the applications and functions
- Rollout on further systems (100 to 500 systems per week)
How you proceed depends on your requirements. Rollout cycles by operating system version, by department or by location are conceivable.
Once the client operating systems have been provided with basic protection, the focus is on the server systems and these are also equipped with a hardening set that is as uncritical as possible. This creates a solid hardening and reduces the attack surface.
The main difference to Layered Hardening is that you can achieve basic protection more quickly with Rapid Hardening. However, critical systems are only processed at a later stage, as they require more complex hardening. A higher level of security is therefore gradually achieved.
Rapid Hardening: the advantages
- The biggest advantage of Rapid Hardening is the speed and the number of systems that can be secured.
- The iterative approach means that more systems are protected from the outset than with other approaches. The attack surface is reduced across the entire environment right from the start.
- You achieve results quickly. This helps you to demonstrate and anchor the topic of “System Hardening” in your company.
- It is quite possible to roll out the hardening configurations alongside normal day-to-day business without a separate project.
Rapid Hardening: the disadvantages
- Critical systems in particular are only equipped with basic protection during Rapid Hardening. Critical settings such as Smbv 1, for example, cannot be switched off from the outset.
- The hardening settings must be continuously improved following the initial rollout.
- The impression can arise that the IT system landscape is already secure just because basic protection has been rolled out.
When should you use Rapid Hardening?
If you need to present results quickly, for example to a cyber insurance company or an authority, Rapid Hardening is a good idea. Auditors like to see that companies have started hardening and accept that the solution is not yet perfect. Nevertheless, your company must draw up a solid plan! This must answer how you intend to continuously improve IT security as a whole.
Furthermore, Rapid Hardening is a good method for starting with System Hardening, gaining initial experience and, if necessary, reducing internal concerns.
What is Lifecycle Hardening?
In addition to Layered Hardening and Rapid Hardening, Lifecycle Hardening has proven its worth. Hardening is combined with lifecycle management.
For example, if you are about to switch to Windows Server 2022, you can link the project with hardening of the systems. You are free to decide whether to start Lifecycle Hardening with restrictive or basic hardening. Rapid Hardening and Layered Hardening approaches are therefore conceivable.
It is important that you combine the hardening and, above all, testing efforts with the lifecycle efforts. Here too, rollout scenarios based on operating system versions, branches or similar criteria are conceivable.
Lifecycle Hardening: the advantages
- The combination of testing and rollout efforts is the greatest added value of this approach.
- Combining lifecycle projects with System Hardening can help to advance the security-relevant topic.
- It is possible to increase system security enormously and effectively reduce the attack surface.
Lifecycle Hardening: the disadvantages
- A lifecycle project is not planned every year, but is always linked to corresponding operating system cycles.
- This can easily lead to increased costs.
When should you think about Lifecycle Hardening?
Do you have a lifecycle project coming up in the near future? Or perhaps one has already started? Then it is advisable to check whether the topic can be expanded to include System Hardening.
Layered Hardening, Rapid Hardening or Lifecycle Hardening: which method is better?
There is no general answer to this question. You have to find out individually which method is best suited to your company and its situation.
It turns out that Layered Hardening can be used to secure critical systems very effectively. However, the costs are relatively high and the project duration is quite long. We can recommend Rapid Hardening if you need to show results quickly or combine it with Lifecycle Hardening.
To help you decide, here is a graphic overview of the strengths and weaknesses of the three hardening methods. Click on the image for a larger view.
Effective hardening procedures with Enforce Administrator
We implement the three hardening procedures described above with a special hardening tool: the Enforce Administrator. This is because the Enforce Administrator centralizes the management of your IT systems’ hardening settings. Preconfigured baselines are used to define settings tailored to each system.
Using integrated rollout and rollback procedures, the baselines can be safely distributed to individual systems and tested with the Enforce Administrator. Accidental changes to your hardening settings are a thing of the past thanks to integrated self-monitoring. What’s more, the integrated reporting engine provides a detailed overview of the hardening applied to each system.
The Enforce Administrator therefore helps all small, medium-sized and large companies that want centralized management and reporting of the hardening settings on their clients and servers. Deviations from hardening settings are centrally visible within minutes. This enables a rapid response to any vulnerabilities. Regular updates of the supplied standards guarantee that new security vulnerabilities are taken into account.
About the author:
TEAL Technology Consulting GmbH ist specialized in infrastructure security projects in the on-premises and cloud environment. TEAL is also one of the leading providers for the adaptation of the Microsoft ESAE model for secure infrastructure administration. As a hardening partner, TEAL complements the portfolio of FB Pro GmbH.
Images: Freepik, Pexels, Teal