To ensure that company-relevant information is protected in the best possible way, those responsible must rely on system hardening, among other things. Here we explain exactly what that is.
What does system hardening mean?
System hardening, often shortened to hardening, is the secure configuration of IT systems. The goal is to close security gaps and take other measures to reduce the attack surface available to cyberattacks.
What are the benefits of system hardening?
Since highly sensitive information of a company as well as personal data is processed and stored on IT systems, the systems used must be subjected to special protective measures.
System hardening is a very effective security measure. It secures the operating system, regardless of whether it is a physical, virtual or cloud-based system. It also makes applications such as office programs and browsers more secure – for example, against data theft.
Hardening IT systems: It all depends on the configuration
Common operating systems such as Microsoft Windows, Windows Server or Linux are configured by their manufacturers for the greatest possible compatibility and the broadest possible feature set. The systems are therefore equipped with potentially vulnerable components.
In other words, operating systems do not ship with a restrictive security configuration by default. It is precisely these frequently unused and unconfigured functionalities that attackers exploit as an attack vector.
During the hardening process at the server or client level, such vulnerable functionalities and their exposed interfaces are disabled or even uninstalled.
Is there 100% system hardening?
In theory there is, but in practice it doesn’t make sense. If you configure your operating systems and applications so strictly that they are considered 100% hardened, you can only use them in a very limited way or not at all.
Therefore, you need to find a compromise between security and usability. You can find out how well you have managed this compromise by checking with AuditTAP.
The Risk Score of the AuditTAP report shows you how well you have hardened your checked system.
What threats exist
The main threats to non-hardened IT systems are:
- Identity theft, e.g. attacks on the central identity management structure
- Data manipulation of personal data and sensitive company data
- Data leakage, e.g. hackers copy entire databases
- Manipulation of applications or related systems
- Sabotage or espionage of operational and production processes
- Infiltration and distribution of malware.
As current figures show (like the Cyberthreat Report 2021), many companies are affected by hacker attacks, data theft and espionage. That’s why information security and system hardening are more important than ever!
Examples: How good is System Hardening really?
We have already investigated this question several times. Among other things, we tested two almost identical Windows 10 computers – as you can read in this article. There was only one difference – one system was hardened, the other was not. Several checks, including with HOLM Security Scanner, showed a clear picture: the hardened Windows 10 had significantly fewer vulnerabilities than a “normal” system.
But system hardening is not only about the secure configuration of a complete operating system. Restricting individual services can also contribute to more data protection and privacy. For example, we found out in a test that an ordinary Windows 10 transmits a large amount of telemetry data to Microsoft.
With a hardened system, this “radio traffic” is stopped. No telemetry data ends up at Microsoft.
Which companies need to deal with system hardening?
All of them!
Regardless of whether you are a solo entrepreneur, a startup, a medium-sized company or a corporate group: IT systems everywhere should be hardened in the best possible way, because vulnerabilities can have serious consequences for a company of any size.
How well hardened are your systems?
Find out – with AuditTAP! The free tool automatically documents the configuration of your systems and compares them with the current recommendations from Microsoft, BSI, DISA, CIS benchmarks and other proven standards.
System hardening: examples of measures
System hardening is a technical building block to reduce possible weaknesses (“vulnerabilities”) of IT systems and IT infrastructures. The free handout from the German association TeleTrusT recommends, for example, the following measures:
- Regularly reviewing the need for enabled services
- Operating running services only with minimal rights
- If possible: operating running services in an isolated environment
- Assigning only minimal rights for maintenance interfaces and accesses
- Restricting access to operating system configuration files
- Replacing all existing default passwords with passwords that comply with a company-internal password policy
- Disabling of
  - error or debug messages for end users
  - insecure, obsolete, and/or unneeded interfaces
  - unneeded autostart mechanisms
  - unnecessary operating system components incl. background services
- Enabling of
  - a screen saver with password protection
  - strong user account control (UAC)
  - the antivirus program during the boot process
  - logging
  - the CPU security functions
  - the BIOS access password
  - a specified boot sequence
Hardening servers: What needs to be considered?
TeleTrusT says: “A large part of the hardening measures listed above is feasible through technical settings. These settings can be automatically distributed to all server systems in the company via a hardening package (for example, using scripts).”
In addition, the following applies: new server systems should be provided with the appropriate standardized configuration immediately after the installation is completed, and exceptions to hardening should be managed centrally.
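Three of the measures listed above (minimal rights for running services, isolated environments, restricted access to configuration files) can be checked by script on a Linux server. The following Python code is an added example, not part of the TeleTrusT handout or of any FB Pro tool; it assumes systemd unit files, and the unit contents, file names and the choice of three required sandboxing directives are constructed for illustration.

```python
import stat, tempfile
from pathlib import Path

# Real systemd sandboxing directives; requiring exactly these three is this example's assumption.
ISOLATION = ("NoNewPrivileges", "PrivateTmp", "ProtectSystem")
OFF = ("", "no", "false", "0", "off")

def service_settings(text):
    """Collect key=value pairs from the [Service] section of a unit file."""
    section, settings = None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_unit(name, text):
    """Check one service for minimal rights (User=) and isolation directives."""
    s, findings = service_settings(text), []
    if s.get("User", "root") in ("root", "0") and s.get("DynamicUser", "no").lower() in OFF:
        findings.append(f"{name}: runs as root")
    missing = [d for d in ISOLATION if s.get(d, "").lower() in OFF]
    if missing:
        findings.append(f"{name}: no isolation via {', '.join(missing)}")
    return findings

def audit_config_perms(root):
    """Flag regular files under root that group or others may write."""
    modes = ((p.name, p.lstat().st_mode) for p in sorted(Path(root).rglob("*")))
    return [f"{n}: mode {stat.S_IMODE(m):04o}" for n, m in modes
            if stat.S_ISREG(m) and m & (stat.S_IWGRP | stat.S_IWOTH)]

def demo():
    units = {  # constructed unit files, not taken from a real system
        "legacy.service": "[Service]\nExecStart=/opt/legacy/run\n",
        "web.service": "[Service]\nUser=web\nNoNewPrivileges=yes\nPrivateTmp=yes\nProtectSystem=strict\n",
    }
    findings = [f for n, t in sorted(units.items()) for f in audit_unit(n, t)]
    with tempfile.TemporaryDirectory() as etc:  # stands in for a config directory
        for fname, mode in (("app.conf", 0o666), ("sshd_config", 0o600)):
            (Path(etc) / fname).write_text("# constructed\n")
            (Path(etc) / fname).chmod(mode)
        findings += audit_config_perms(etc)
    return findings

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real server, `audit_unit` would be fed the contents of the installed unit files and `audit_config_perms` the configuration directory; exceptions that are accepted for usability reasons belong in a centrally managed allow-list rather than in the script.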
Recommended reading: Our guide “Hardening Windows Servers: Background, Measures and Tips” provides you with further information.
What should be considered when hardening Linux?
Linux or its numerous derivatives are sometimes strikingly different from a Windows system. Therefore, many of the tips mentioned here for system hardening are only conditionally applicable.
Nevertheless, hardening is also extremely important for a Linux system, especially in the business environment!
Recommended reading: Useful advice can be found in our guide “Hardening Linux: System hardening for Ubuntu, Debian, Fedora & Co.”
#NoCodeHardening: The solution for automated system hardening.
The hardening of IT systems is very complicated and, in the case of large companies, also very complex. Normally, the system administrators have to make thousands of settings manually – which eats up time. And it ties up a lot of resources that are needed elsewhere.
Nevertheless, system hardening must not be neglected under any circumstances! Otherwise, the probability increases that cyber criminals will succeed with their cyber attacks.
How can an IT department reduce its time spent on system hardening? Via automation! Self-programmed scripts ensure that many system hardening processes run independently. But developing and customizing the code also takes time.
To reduce this effort as well, the #NoCodeHardening initiative was born. The alliance of several IT companies, which includes FB Pro GmbH, is advancing the automation of system hardening through specialised hardening tools such as the Enforce Administrator, which is a part of the powerful Enforce Suite.