Does system hardening really solve many security vulnerabilities? And is 100% system hardening possible? We provide some insights in this article.
Why you need to take information security seriously
It can’t be said often enough: information security and data protection are extremely important – for any business!
Creating documentation (policies, protocols, etc.) and regularly monitoring the measures were something companies of all sizes had to pay attention. An that even before the pan-european General Data Protection Regulation (GDPR) came into force.
The need for structured information security is increasing. On the one hand, fueled by extremely successful cyber-attacks visible almost daily in the press; on the other hand, by stricter legislation whose potential for sanctions will expand in the future.
Now, all companies that take information security and data protection in particular lightly are threatened with penalties. Even more weighty are the direct problems, for example the costs of business interruption or damage to image and reputation. This dangerous mix of consequences has the potential to jeopardize the future of a business.
IT security is a matter for the boss!
It is not enough to plead ignorance. It is the responsibility of the management or the board of directors of every company to take care of the objective assessment of weak points in the IT infrastructure. Among other things, this enables enterprise-wide risk management.
Management or the board of directors must create suitable framework conditions so that those responsible for IT security can systematically identify and eliminate possible weak points.
Information security requires system hardening
Information security, data protection and IT compliance do not work without a special mix of technical and organizational measures!
In addition to infrastructural measures, secure configuration of IT systems (“hardening”) as well as updating (“patching”) are the most effective ways to close vulnerabilities in IT systems.
The benefits of system hardening are many and varied:
- Easily vulnerable targets are eliminated,
- liability risks are reduced,
- and state of the art technology is implemented.
If tools such as Enforce Administrator are used, the effort required to harden systems permanently can be significantly reduced. And there are legally compliant reports for verification requirements (audits).
How well does system hardening work in practice?
How well are standard systems hardened? And what is the real benefit of system hardening in the end? We investigated these questions with a test that we conducted together with the company Trovent Security GmbH.
Trovent’s goal: to increase cyber security before a crisis occurs and to sustainably reduce IT risks and attack surface. The Trovent specialists supported us in configuring the compliance scans.
We rely on the following test environment to generate the evidence:
- A “commercially available” ActiveDirectory is installed and configured.
- Two Windows 10 systems are added to the AD domain.
- The configuration for target system 1 looked like this:
- Operating system: Windows 10 21H1
- Patch level: updated incl. September update.
- Hardening: No, default configuration from Microsoft.
- Target system 2 had this initial situation:
- Operating system: Windows 10 21H1
- Patch level: updated incl. September update.
- Hardening: Yes. The hardening configuration was based on various hardening recommendations incl. deliberately configured deviations.
Note: We have implemented the Security Configuration Management with the Enforce Administrator. The Enforce Administrator offers the option of “merging” multiple hardening recommendations with each other and resolving the conflicts (partially) automatically. Our hardening configuration for this test uses the specifications from CIS, BSI and Microsoft (e.g. for browser hardening).
How is the configuration distributed?
The distribution – the actual “configuration management” – is normally carried out subsequently on a role-based basis to hundreds or even thousands of target systems. In our test scenario, there were only the two target systems mentioned.
How were the proofs generated?
The legally required proofs can be generated in many ways. For example, by using vulnerability scanners or with specialized tools such as AuditTAP for auditing hardening standards.
For our test, we use the vulnerability scanner from HOLM Security. This checks for hardening compliance based on the Center for Internet Security (CIS) specifications.
After selecting the scan targets, the scan could begin. After about 30 minutes, the reports were generated.
Attention: The scan duration can vary greatly depending on the number of targets, the network infrastructure, etc.!
The result was clear, as shown by these two screenshots.
Excerpt – Report target system 1 (standard configuration):
Excerpt – Report Target System 2 (Hardened):
Theory vs. practice: The evaluation of the reports
The differences in the two reports are clear. Nevertheless, a few questions remain unanswered. We highlight the most important points here:
“That’s so many settings!”
… is one of the first reactions we often encounter. It is understandable and correct.
Standards-based system hardening involves far (!) more settings than configuring Microsoft updates and turning on the firewall. It goes much deeper and covers many built-in Microsoft components.
From there: Yes, around 400 to 500 dedicated settings are indeed necessary for a system that is to be configured securely according to industry-proven recommendations.
“Despite hardening, still so many ‘errors'”?
Why are so many settings in the hardened system not compliant with what the scanner checks? This is due to the following two reasons, among others:
Reason 1: 100% compliance is unrealistic
The expectation that a server or workstation operating system and / or the associated middleware layer can be configured to be fully compliant with any of the hardening standards belongs, in our view, to the realm of security myths.
System hardening as a measure must always be appropriate and observe the three protection goals of confidentiality, integrity and availability. Accordingly, it can neither make sense nor be necessary to configure a system in such a way that access to important company data becomes impossible afterwards!
The following practical example illustrates what is meant by this: Current hardening recommendations expect, among other things, Bluetooth to be switched off and microphone and camera access to be deactivated. But in times of New Work, Remote Work, Home Office and the like, exactly these technologies have to work, among others for web-based video calls and Bluetooth headsets.
Reason 2: Deeper analysis needed or “you never stop learning…”
We strongly believe that some of the alleged errors fall into the category of “false positives”. This means: the configuration is exactly as expected on the test system, yet the report reports a “Non Compliance”.
Here are two examples (click images to enlarge):
Example 1: Actually, LAPS is installed on the test system, as can be easily seen on the right side.
Example 2: Definitely no web server was installed on our workstation with Windows 10.
Furthermore, Microsoft as a manufacturer of operating systems and software sometimes has the habit of making a setting configurable in two (sometimes even more) places. Therefore, it happens that the system is checked at position 1, but the system was configured at position 2. Further analyses are necessary here, which we will carry out with Trovent and ideally also together with the manufacturer Holm.
System hardening works, definitely! After all, most systems are configured “ex works” so that users can make the best possible use of them – but the security aspect suffers as a result.
Another important point: There is no such thing as the absolutely perfectly hardened system! Tests or audits against a hardening standard usually result in a red audit report. Often it even turns out to be deep red.
Why? The individual settings for the respective company are not recorded and role/application-specific settings are not taken into account.
It gets easier with a security configuration management solution like Enforce Administrator. In addition to simple configuration, distribution and regular monitoring, it also offers audit reports that take individual configurations into account.
Where specifically would system hardening help?
In the next blog post, we’ll shed some light on where system hardening would help. Stay tuned!
Want to learn more about the Enforce Administrator?
… or experience a show case via video conference? Then contact us by mail without any obligation!
PS: The Enforce Administrator is also available as a managed service. This means that the specialists at FB Pro GmbH look after the system hardening of your complete IT system architecture and are always available to you as consultants.