Operating System Hardening & Network Hardening
Operating
System Hardening
The hardening of operating systems
involves ensuring that the system is configured to limit the possibility of
either internal or external attack. While the methods for hardening vary from
one operating system to another the concepts involved are largely similar
regardless of whether Windows, UNIX, Linux, MacOS X or any other system is
being baselined. Some basic hardening techniques are as follows:
- Non-essential services - It is important that an operating system only be configured to run the services required to perform the tasks for which it is assigned. For example, unless a host is functioning as a web or mail server there is no need to have HTTP or SMTP services running on the system.
- Patches and Fixes - As an ongoing task, it is essential that all operating systems be updated with the latest vendor supplied patches and bug fixes (usually collectively referred to as security updates).
- Password Management - Most operating systems today provide options for the enforcement of strong passwords. Utilization of these options will ensure that users are prevented from configuring weak, easily guessed passwords. As an additional levels of security include enforcing the regular changing of passwords and the disabling of user accounts after repeated failed login attempts.
- Unnecessary accounts - All guest, unused and unnecessary user accounts must be disabled or removed from operating systems. It is also vital to keep track of employee turnover so that accounts can be disabled when employees leave an organization.
- File and Directory Protection - Access to files and directories must be strictly controlled through the use of Access Control Lists (ACLs) and file permissions.
- File and File System Encryption - Some filesystems provide support for encrypting files and folders. For additional protection of sensitive data it is important to ensure that all disk partitions are formatted with a file system type with encryption features (NTFS in the case of Windows).
- Enable Logging - It is important to ensure that the operating system is configured to log all activity, errors and warnings.
- File Sharing - Disable any unnecessary file sharing.
Network
Hardening
Network hardening can be achieved using a number of different techniques:
- Updating Software and Hardware - An important part of network hardening involves an ongoing process of ensuring that all networking software together with the firmware in routers are updated with the latest vendor supplied patches and fixes.
- Password Protection - Most routers and wireless access points provide a remote management interface which can be accessed over the network. It is essential that such devices are protected with strong passwords.
- Unnecessary Protocols and Services - All unnecessary protocols and services must be disabled and, ideally, removed from any hosts on the network. For example, in a pure TCP/IP network environment it makes no sense to have AppleTalk protocols installed on any systems.
- Ports - A hardened network should have any unneeded ports blocked by a firewall and associated services disabled on any hosts within the network. For example, a network in which none of the hosts acts as a web server does not need to allow traffic for port 80 to pass through the firewall.
- Wireless Security - Wireless networks must be configured to highest available security level. For older access points WEP security should be configured with 128-bit keys. Newer routers should implement WPA security measures.
- Restricted Network Access - A variety of steps should be taken to prevent unauthorized access to internal networks. The first line of defense should involve a firewall between the network and the internet. Other options include the use of Network Address Translation (NAT) and access control lists (ACLs). Authorized remote access should be enabled through the use of secure tunnels and virtual private networks.