What is OS hardening?
Operating system (OS) hardening, a facet of system hardening, involves the implementation of security measures of operating systems like Windows, Linux, or macOS (aka OS X) to bolster their defenses against cyberattacks. The primary aim of addressing security risks for hardening security measures of these applications is to ensure they are protected against potential vulnerabilities.
What are OS hardening standards?
Center for Internet Security (CIS) Benchmarks: CIS for OS security provides a set of consensus-based security configuration recommendations for various operating systems, applications, and devices. The CIS benchmarks are widely used as a reference for hardening OS. You can find their benchmarks for different operating systems on the CIS website.
National Institute of Standards and Technology (NIST) Special Publication 800-53: NIST SP 800-53 for OS compliance outlines a framework for securing information systems, including guidelines for operating system hardening. NIST is a trusted source of security standards in the United States. You can access NIST SP 800-53 documentation on the NIST website.
Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs): DISA provides STIGs for various operating systems, which are detailed configuration guides for achieving a high level of security. These are often used in government and military environments. You can find STIGs on the DISA website.
Payment Card Industry Data Security Standard (PCI DSS): While primarily focused on securing payment card data, PCI DSS also includes requirements for securing the underlying operating systems. The PCI Security Standards Council provides guidance on OS hardening as part of its standard. You can find more information on the PCI SSC website.
Vendor-Specific Recommendations: Operating system vendors often provide their own security guidelines and best practices for hardening their respective OSs. For example, Microsoft offers the “Security Baseline” guides for Windows operating systems, while the Linux community and Apple provide documentation and recommendations for securing Linux and macOS systems.
20 Operating system hardening best practices
Ensuring the resilience of digital systems involves a multi-faceted approach that includes application hardening, which fortifies software against potential vulnerabilities, and database hardening, which secures the core repositories of sensitive information.
Network hardening safeguards the connections between devices, preventing unauthorized access and potential threats. To streamline these efforts, hardening frameworks provide structured methodologies and tools for implementing robust security measures across various components of a system.
While each operating system possesses distinct attributes, several hardening practices are universally applicable across different platforms. Below, you’ll find 20 essential OS hardening best practices to enhance the security of an operating system:
- Regular OS Patch Management: Keep the OS and all installed software up to date with security patches and updates to address known vulnerabilities.
- User Account Management: Implement strong password policies, including password complexity and regular password changes.
- Restrict Creation of User Accounts: Restrict user privileges to the minimum necessary for their tasks and remove or disable unused and unnecessary user accounts.
- Access Control: Implement the principle of least privilege and configure access control lists (ACLs) and file permissions to restrict unauthorized access to files and directories.
- Enabling only the necessary ports and services: Disable or remove unnecessary services and processes to reduce the attack surface.
- File System and Registry Permissions: Set strict file system and registry permissions to prevent unauthorized access and modification of critical files and system settings.
- Logging and Auditing: Enable and configure logging and auditing mechanisms to monitor system activities and security events.
- Monitoring: Regularly review and analyze logs to identify and respond to security incidents.
- OS Updates and Configuration Review: Periodically review and update the security configuration to adapt to new threats and security best practices.
- Vulnerability Scanning: Regularly scan the system for vulnerabilities and weaknesses and address them promptly.
- Software Whitelisting: Allow only authorized and trusted software to run on the system and block or restrict unapproved applications.
- Incident Response Planning: Develop an incident response plan to address and recover from security incidents effectively.
- Encryption: Implement encryption for data at rest and data in transit to protect sensitive information.
- Vendor-Specific Recommendations: Follow the OS vendor’s security guidelines and best practices for the specific operating system in use.
- Firewall Configuration: Use firewalls to filter network traffic and control access to the system.
- Network Configuration: Limit open ports and services to minimize exposure to the network.
- Communications Protocol: Implement secure communication protocols and disable insecure ones.
- Antivirus and Anti-malware: Install and maintain antivirus and anti-malware software to detect and remove malicious software.
- Data Resilience: Regularly backup critical system data and configuration settings and store them in an offline or secure location to ensure data recovery in case of system compromise or failure.
- Awareness Programs: Educate system users and administrators about security best practices, common threats, and how to recognize and respond to security incidents
OS Hardening Checklist
By automating the OS hardening process, IT professionals can reduce the time and effort required for server hardening, while also improving its security posture and compliance with regulatory requirements.
This OS hardening checklist can serve as a useful tool to guide IT professionals in this process, providing a starting point for setting up secure configurations and keeping track of progress:
Section 1: User Secure Configuration
Establish and maintain a secure configuration process for various enterprise assets, including:
- End-user devices like laptops, smartphones, tablets (including portable and mobile devices).
- Non-computing and IoT devices
Implement secure configuration settings for software components:
- Operating systems
- Software Applications
Regularly review and update the configuration process documentation:
- Conduct an annual review of the established configuration process.
- Update documentation and sensitive data when significant enterprise changes occur.
- Ensure the configuration process aligns with changing security requirements and technologies.
Section 2: Network Configuration
- Develop and sustain a secure configuration process dedicated to network access and devices.
- Periodically assess and enhance the process documentation:
- Perform an annual documentation review.
- Promptly update documentation when substantial enterprise modifications are made that might affect the established safeguard.
- Ensure that the configuration process remains aligned with evolving security demands and alterations in the enterprise environment.
Section 3: Configure Automatic Locking for Enterprise Devices
- Set up automatic session locking on enterprise assets following a specified period of user inactivity.
- Adhere to specific time limits for different types of devices:
- For general-purpose operating systems, the idle period should not surpass 15 minutes.
- On mobile end-user devices, the idle period should not go beyond 2 minutes.
Section 4: Server Firewall Configuration
- Deploy and oversee a firewall on servers, utilizing available options.
- Potential implementations encompass:
- Virtual firewall setup.
- Operating system firewall configuration.
- Integration of a third-party firewall agent.
Section 5: End-User Device Firewall Configuration
- Set up and oversee a host-based firewall or port-filtering tool on end-user devices.
- Enforce a default-deny rule that blocks all network traffic, except for explicitly permitted services and ports.
Section 6: Device and Software Configuration
- Implement secure management practices with restricted access for enterprise assets and software.
- Employ methods like version-controlled infrastructure-as-code for configuration management.
- Access administrative interfaces using secure network protocols, such as SSH and HTTPS.
- Avoid utilizing insecure management protocols like Telnet and HTTP, unless they are operationally necessary.
Section 7: Control Default Accounts
- Administer default accounts on enterprise assets and software, which encompass accounts like root, administrator, and pre-configured vendor accounts.
- Implement various approaches, such as:
- Disabling default accounts.
- Rendering default accounts unusable.
Section 8: Minimize Unnecessary Services
- Remove or deactivate redudent services on enterprise assets and software.
- Examples of these services include:
- Unused file sharing services.
- Web application modules that are not in use.
- Service functions that are unnecessary.
Section 9: Trusted DNS Server Configuration
- Set up reliable DNS servers on enterprise assets.
- Implementations might involve:
- Configuring assets to rely on DNS servers managed by the enterprise.
- Using well-regarded externally accessible DNS servers.
Section 10: Portable End-user Device Lockout Configuration
- Implement an automatic device lockout mechanism after a specific number of local authentication failures on portable end-user devices.
- Set thresholds as follows:
- For laptops, trigger lockout after no more than 20 failed authentication attempts.
- For tablets and smartphones, initiate lockout after no more than 10 failed authentication attempts.
- Illustrative implementations encompass tools like Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
Section 11: Portable End-user Remote Device Lockout Configuration
- Enable remote data wiping for enterprise-owned portable end-user devices, based on specific situations like:
- Lost or stolen devices.
- Individuals no longer associated with the enterprise.
- Initiate the remote wipe process when appropriate.
- Ensure that this capability is aligned with enterprise policies and security needs.
Section 12: Isolate Enterprise Workspaces on Mobile Device Configuration:
- Establish distinct enterprise workspaces on mobile end-user devices, leveraging supported capabilities.
- Implementations can involve techniques like:
- Utilizing Apple Configuration Profile or Android Work Profile.
- Ensure that enterprise applications and data are isolated from personal applications and data within these separate workspaces.