Many people believe they know exactly what System Hardening means and what (not) to do here. However, these ideas are often based on half-truths or misunderstandings. This article dispels the biggest myths surrounding the topic and shows why System Hardening is more than is sometimes believed.
Myth #1: “Microsoft has delivered my Windows securely”
No! Microsoft operating systems are configured out of the box so that as many users as possible can use them without any problems. This is why numerous convenience functions and all kinds of services run in the background that are actually superfluous.
Every function, every application and every service represents a potential attack surface for hackers. They should therefore be reduced by means of a Secure Configuration or System Hardening.
Myth #2: “Linux systems are absolutely secure, there’s no need for hardening”
Linux may be designed to be more secure than many other operating systems. But even here there are vulnerabilities due to misconfigurations or outdated and insecure applications. This means that Linux Hardening is necessary, especially in the business environment, and it must be tailored to the respective distribution and its customizations.
Myth #3: “Our employees are careful”
Human behavior is unpredictable. And in stressful everyday working life, careless mistakes can easily creep in. People simply click on an email attachment or open a third-party USB stick. System Hardening ensures that many attacks come to nothing. This is the best way to compensate for the human factor.
We also think: An accountant, for example, should not have to worry about information security – that’s not his job. He must be able to trust that his system has been properly secured by professionals.
Myth #4: “We don’t need System Hardening – we work in the cloud”
Unfortunately, this way of thinking is wrong. For one thing, nobody works 100% in the cloud! There are numerous applications in every company that run on a computer or server. Secondly, although cloud providers ensure secure operation, they are not responsible for the Secure Configuration of the “content”. This responsibility lies with the respective customer.
This means that if you use an external cloud solution (IaaS, PaaS, etc.), you must harden it yourself! Because, figuratively speaking, only if you lock your house can you keep burglars out!
Myth #5: “System hardening is just a firewall setup, nothing more”
A firewall is an important part of the security architecture. It blocks unnecessary ports and filters out harmful network packets. Nevertheless, a firewall does not protect against vulnerabilities in the operating system or in vulnerable applications.
Still, a firewall is a useful component in the overall cybersecurity concept, because it further reduces the attack surface that System Hardening has already shrunk.
Myth #6: “My antivirus programs take over System Hardening”
While System Hardening is considered a preventive protective measure in the NIST Cyber Security Framework, an antivirus program is “only” a solution for detecting attacks.
And: An antivirus program only detects known malware patterns and therefore offers no protection against zero-day exploits. Many suites are also powerless against polymorphic malware.
Myth #7: “We have an XDR system in use”
MDR and XDR systems are very good at detecting different types of threats, but they cannot eliminate fundamental vulnerabilities. This is because MDR and the like are merely attack detection and defense systems – nothing more. System Hardening, among other things, provides preventive protection so that as few (successful) cyber attacks as possible have to be detected.
A hardened system therefore reports significantly fewer “red alerts” to the SOC, as the attackers are stopped at the “gateway”. This takes the pressure off the security operations teams and ensures that they can detect really relevant anomalies.
Myth #8: “We have adjusted 30 settings – that’s enough”
No, a few dozen settings are definitely not enough! If you follow the recommendations of Microsoft, BSI, CIS, DISA and ACSC, you need to make hundreds of security settings – per device!
In our daily hardening practice, we often find ourselves adjusting over 1,000 settings on a single workstation. Yes, Windows 10 Hardening alone is a major challenge!
Myth #9: “All settings are easy to make by hand”
Here, too, we say quite clearly: No! As mentioned in the last point, if you look at your entire IT system landscape, you have to make thousands of configuration changes. And you have to do this all the time, as your system landscape is constantly changing and adjustments have to be made accordingly. This is not something that can be done manually!
What is the solution? Rely on automated System Hardening with Enforce Administrator! With the Hardening tool, you can harden both small and complex IT system landscapes centrally and fully automatically – always on the basis of globally recognized standards.
Myth #10: “We do System Hardening via Group Policies”
Group Policies are a great thing, but they are only suitable for effective System Hardening to a limited extent. This is because GPOs lack important functions and a focus on what matters. These include sensible Group Policy Management, monitoring and auditing of settings, comprehensive or role-oriented configurations, and uniform, infrastructure-wide reporting.
You can find out more reasons why Group Policy Objects are unsuitable for professional hardening in our article “Group Policies vs. System Hardening: Why GPOs do not provide sustainable security”.
Myth #11: “A hardened system is invulnerable”
System Hardening works – we have already proven this in numerous tests and examples. Attack surfaces can be significantly reduced so that many cyberattacks come to nothing. But: No system is absolutely secure! There are always loopholes that can be exploited.
It also makes no sense to configure computers and servers so “hard” that many business applications become unusable as a result. After all, you need them for your business operations.
Myth #12: “No one can force me to harden my systems”
From NIS 2 and ISO 27001 to DORA and VAIT to TISAX and PCI DSS 4.0: more and more laws, regulations and standards require a Secure Configuration – in other words, hardening. This sets minimum standards to guarantee the state of the art. It also increases the resilience of your IT systems, which is extremely important in the current “cyber war”.
If you do not adhere to the requirements or implement them inadequately, you may face hefty fines. You also run the risk of your systems being hijacked and damaged. This can result in expensive downtime, loss of image and even insolvency.
Myth #13: “We’ve hardened our systems – now we’re done”
Wrong thinking! Hardening your systems must be an ongoing project with no end in sight. On the one hand, there are constantly new threats and regulatory requirements that you need to respond to. On the other hand, your system landscape is subject to constant change.
Due to these facts, you should set up your hardening processes professionally and sustainably – including through Lifecycle Hardening. This includes, for example, complete documentation and monitoring tools. Enforce Administrator can also provide you with the best support here.
Conclusion
System Hardening is not just a short IT project, but an essential part of any security strategy. The myths presented here show how lightly the topic is often treated. However, a comprehensive and continuous approach is the only way to effectively protect your infrastructure.
Need more information? Our hardening experts will also be happy to support you with the design and implementation of effective System Hardening.