Does system hardening really solve many security vulnerabilities? And is 100% system hardening possible? We provide a few insights and examples in this article.
How well does system hardening work in practice?
Are standard systems hardened “ex works”? And what is the real benefit of system hardening in the end? We investigated these questions with several tests that we conducted together with the company Trovent Security GmbH.
The colleagues from Trovent are experts in the fields of Penetration Testing, Managed Detection & Response and forensic appliance, among others. They supported us with the compliance scans.
To generate the evidence, we rely on the following test environment:
- We installed and configured an “off-the-shelf” ActiveDirectory
- Two systems were set up with Windows 10 21H1 and two were set up with Windows Server 2019 (Standard) 1809
- Each system had the September update installed
- One Windows 10 and one Windows Server computer each had the default configuration from Microsoft
- The other two systems were given a hardening configuration based on various recommendations including deliberately configured deviations
The test setup then looked like this:
|w/o system hardening||hardened system|
|System 1||Windows 10|
|System 2||Windows 10|
|System 3||Windows Server 2019|
|System 4||Windows Server 2019|
To summarize, we had two unhardened and two hardened computers competing in our comparison.
How was the configuration created?
We implemented the security configuration management using the Enforce Administrator. Enforce Administrator provides the ability to “merge” multiple hardening recommendations and resolve the conflicts (partially) automatically.
Our hardening configuration for these tests used the specifications from CIS, BSI, DISA and Microsoft.
The distribution – the actual configuration management – is usually performed subsequently on hundreds or even thousands of target systems on a role-based basis. In our scenario, it was only test systems.
How did we generate the proofs?
The legally required proofs can be generated in many ways. For example, by using vulnerability scanners or with special tools such as AuditTAP for auditing hardening standards.
For our test, Trovent’s experts use HOLM Security’s scanner. This checks for hardening compliance based on the Center for Internet Security (CIS) specifications.
What did the results of our hardening tests show?
The reports were clear: The hardened systems passed significantly more tests of the checks than the non-configured operating systems!
Here are the summary reports of the test computers with Windows 10:
System 1: Windows 10 with standard configuration
System 2: Windows 10 with system hardening
And we got these evaluations on the two systems running Windows Server 2019:
System 3: Windows Server 2019 without system hardening
System 4: Windows Server 2019 with system hardening
Theory vs. practice: The evaluation of the reports
The differences in the reports are clear. Nevertheless, a few questions remain unanswered. We would like to highlight the most important points here.
“That’s so many settings!”
… is one of the first reactions we often encounter. This is understandable and correct.
Standards-based system hardening involves far (!) more settings than configuring Microsoft updates and turning on the firewall. It goes much deeper and covers many built-in Microsoft components.
From there: yes, there are indeed several hundred, dedicated settings required for a system to be securely configured according to industry-proven recommendations.
“Despite hardening, still so many ‘bugs'”?
Why are so many settings on hardened systems not compliant with what the scanner checks? This is due to the following two reasons, among others:
Reason 1: 100% compliance is unrealistic
The expectation that a server or workstation operating system and/or the associated middleware layer can be configured to be fully compliant with a hardening standard belongs, in our view, to the realm of security myths.
System hardening as a measure must always be appropriate and respect the three protection goals of confidentiality, integrity and availability. Accordingly, it can neither make sense nor be necessary to configure a system in such a way that access to important company data becomes impossible afterwards!
What is meant by this is illustrated by the following practical example: Current hardening recommendations, for example for Windows Server hardening or for Windows 10 hardening, expect, among other things, the disabling of Bluetooth as well as the disabling of microphone and camera access. But in the age of remote work, work from home and the like, these very technologies need to work, including for web-based video calls.
Reason 2: Deeper analysis needed or “you never stop learning…”
We strongly believe that some of the supposed errors fall into the category of “false positives”. This means: the configuration is exactly as expected on the test system, yet the report reports a “Non Compliance”.
Here are two examples of this (click images to enlarge):
Example 1: Actually, LAPS is installed on the test system, as can be easily seen on the right side.
Example 2: On our workstation with Windows 10 definitely no web server was installed.
In addition, Microsoft, as a manufacturer of operating systems and software, sometimes has the habit of making a setting configurable in two (sometimes even more) places. It therefore happens that a check is performed at location 1, but the system was configured at location 2. Here, further analysis is necessary, which we usually perform together with Trovent.
Our conclusion to the test results
System hardening works, definitely! After all, most systems are configured “ex works” so that users can make the best possible use of them – but the security aspect suffers as a result.
This was shown, for example, by another test of ours. We checked how much data the telemetry service of Windows 10 and Windows 11 spies out – and that on unhardened and hardened systems. The results turned out as expected: Only when an operating system was configured securely was there no telemetry data transmission to Microsoft.
What you always have to keep in mind, however: There is no such thing as the absolutely perfect hardened system! Checks or audits against a hardening standard usually result in a red audit report. Often it even turns out deep red.
Why? The individual settings for the respective company are not recorded and role/application-specific settings are not taken into account.
It is easier with a security configuration management solution such as Enforce Administrator. In addition to simple configuration, distribution and regular monitoring, it also offers audit reports that take the individual configurations into account.
AuditTAP also displays a risk score. This shows at a glance how critical the settings are. Here is an example:
Don’t forget: Information security requires system hardening!
Information security, data protection and IT compliance do not work without a special mix of technical and organizational measures!
In addition to infrastructural measures, secure configuration of IT systems (hardening) and updating (patching) are the most effective ways to close vulnerabilities in IT systems.
The benefits of system hardening are many:
- easily vulnerable targets are eliminated,
- liability risks are reduced,
- and the state of the art is implemented.
If professional enterprise hardening tools such as Enforce Administrator are used, the effort required to permanently harden systems can be significantly reduced. And there are legally compliant reports for verification requirements (audits).
Why you need to take information security seriously
It can’t be said often enough: information security and data protection are extremely important – for every company!
Creating documentation (guidelines, protocols, etc.) and regularly monitoring the measures were something that companies of all sizes had to pay attention to even before the Europe-wide General Data Protection Regulation (GDPR) came into force.
The need for structured information security is increasing. On the one hand, fueled by extremely successful cyber attacks visible almost daily in the press; on the other hand, by stricter legislation whose potential for sanctions will expand in the future.
Now, all companies that take information security and data protection in particular lightly are threatened with penalties. Even more weighty are the direct problems, for example the costs of business interruption or damage to image and reputation. This dangerous mix of consequences has the potential to jeopardize the future of a business.
IT security is a matter for the boss!
It is not enough to plead ignorance. It is the responsibility of the management or the board of any company to take care of the objective assessment of weak points in the IT infrastructure. Among other things, this enables enterprise-wide risk management.
The management or the board of directors must create suitable framework conditions so that those responsible for IT security can systematically record and eliminate possible weak points.
Would you like to learn more about the Enforce Administrator?
… or experience a show case via video conference? Then contact us by mail without any obligation!
PS: The Enforce Administrator is also available as a managed service. This means that the specialists at FB Pro look after the system hardening of your complete IT system architecture and are continuously available to you as consultants.