OS hardening 20 Best Practices

What is OS hardening?

Operating system (OS) hardening, a facet of system hardening, involves the implementation of security measures of operating systems like Windows, Linux, or macOS (aka OS X) to bolster their defenses against cyberattacks. The primary aim of addressing security risks for hardening security measures of these applications is to ensure they are protected against potential vulnerabilities.

What are OS hardening standards?

Center for Internet Security (CIS) Benchmarks: CIS for OS security provides a set of consensus-based security configuration recommendations for various operating systems, applications, and devices. The CIS benchmarks are widely used as a reference for hardening OS. You can find their benchmarks for different operating systems on the CIS website.

National Institute of Standards and Technology (NIST) Special Publication 800-53: NIST SP 800-53 for OS compliance outlines a framework for securing information systems, including guidelines for operating system hardening. NIST is a trusted source of security standards in the United States. You can access NIST SP 800-53 documentation on the NIST website.

Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs): DISA provides STIGs for various operating systems, which are detailed configuration guides for achieving a high level of security. These are often used in government and military environments. You can find STIGs on the DISA website.

Payment Card Industry Data Security Standard (PCI DSS): While primarily focused on securing payment card data, PCI DSS also includes requirements for securing the underlying operating systems. The PCI Security Standards Council provides guidance on OS hardening as part of its standard. You can find more information on the PCI SSC website.

Vendor-Specific Recommendations: Operating system vendors often provide their own security guidelines and best practices for hardening their respective OSs. For example, Microsoft offers the “Security Baseline” guides for Windows operating systems, while the Linux community and Apple provide documentation and recommendations for securing Linux and macOS systems.

20 Operating system hardening best practices

Ensuring the resilience of digital systems involves a multi-faceted approach that includes application hardening, which fortifies software against potential vulnerabilities, and database hardening, which secures the core repositories of sensitive information.

Network hardening safeguards the connections between devices, preventing unauthorized access and potential threats. To streamline these efforts, hardening frameworks provide structured methodologies and tools for implementing robust security measures across various components of a system.

While each operating system possesses distinct attributes, several hardening practices are universally applicable across different platforms. Below, you’ll find 20 essential OS hardening best practices to enhance the security of an operating system:

Regular OS Patch Management: Keep the OS and all installed software up to date with security patches and updates to address known vulnerabilities.
User Account Management: Implement strong password policies, including password complexity and regular password changes.
Restrict Creation of User Accounts: Restrict user privileges to the minimum necessary for their tasks and remove or disable unused and unnecessary user accounts.
Access Control: Implement the principle of least privilege and configure access control lists (ACLs) and file permissions to restrict unauthorized access to files and directories.
Enabling only the necessary ports and services: Disable or remove unnecessary services and processes to reduce the attack surface.
File System and Registry Permissions: Set strict file system and registry permissions to prevent unauthorized access and modification of critical files and system settings.
Logging and Auditing: Enable and configure logging and auditing mechanisms to monitor system activities and security events.
Monitoring: Regularly review and analyze logs to identify and respond to security incidents.
OS Updates and Configuration Review: Periodically review and update the security configuration to adapt to new threats and security best practices.
Vulnerability Scanning: Regularly scan the system for vulnerabilities and weaknesses and address them promptly.
Software Whitelisting: Allow only authorized and trusted software to run on the system and block or restrict unapproved applications.
Incident Response Planning: Develop an incident response plan to address and recover from security incidents effectively.
Encryption: Implement encryption for data at rest and data in transit to protect sensitive information.
Vendor-Specific Recommendations: Follow the OS vendor’s security guidelines and best practices for the specific operating system in use.
Firewall Configuration: Use firewalls to filter network traffic and control access to the system.
Network Configuration: Limit open ports and services to minimize exposure to the network.
Communications Protocol: Implement secure communication protocols and disable insecure ones.
Antivirus and Anti-malware: Install and maintain antivirus and anti-malware software to detect and remove malicious software.
Data Resilience: Regularly backup critical system data and configuration settings and store them in an offline or secure location to ensure data recovery in case of system compromise or failure.
Awareness Programs: Educate system users and administrators about security best practices, common threats, and how to recognize and respond to security incidents

OS Hardening Checklist

By automating the OS hardening process, IT professionals can reduce the time and effort required for server hardening, while also improving its security posture and compliance with regulatory requirements.

This OS hardening checklist can serve as a useful tool to guide IT professionals in this process, providing a starting point for setting up secure configurations and keeping track of progress:

Section 1: User Secure Configuration

Establish and maintain a secure configuration process for various enterprise assets, including:

End-user devices like laptops, smartphones, tablets (including portable and mobile devices).
Non-computing and IoT devices
Servers

Implement secure configuration settings for software components:

Operating systems
Software Applications

Regularly review and update the configuration process documentation:

Conduct an annual review of the established configuration process.
Update documentation and sensitive data when significant enterprise changes occur.
Ensure the configuration process aligns with changing security requirements and technologies.

Section 2: Network Configuration

Develop and sustain a secure configuration process dedicated to network access and devices.
Periodically assess and enhance the process documentation:
Perform an annual documentation review.
Promptly update documentation when substantial enterprise modifications are made that might affect the established safeguard.
Ensure that the configuration process remains aligned with evolving security demands and alterations in the enterprise environment.

Section 3: Configure Automatic Locking for Enterprise Devices

Set up automatic session locking on enterprise assets following a specified period of user inactivity.
Adhere to specific time limits for different types of devices:
- For general-purpose operating systems, the idle period should not surpass 15 minutes.
- On mobile end-user devices, the idle period should not go beyond 2 minutes.

Section 4: Server Firewall Configuration

Deploy and oversee a firewall on servers, utilizing available options.
Potential implementations encompass:
- Virtual firewall setup.
- Operating system firewall configuration.
- Integration of a third-party firewall agent.

Section 5: End-User Device Firewall Configuration

Set up and oversee a host-based firewall or port-filtering tool on end-user devices.
Enforce a default-deny rule that blocks all network traffic, except for explicitly permitted services and ports.

Section 6: Device and Software Configuration

Implement secure management practices with restricted access for enterprise assets and software.
Employ methods like version-controlled infrastructure-as-code for configuration management.
Access administrative interfaces using secure network protocols, such as SSH and HTTPS.
Avoid utilizing insecure management protocols like Telnet and HTTP, unless they are operationally necessary.

Section 7: Control Default Accounts

Administer default accounts on enterprise assets and software, which encompass accounts like root, administrator, and pre-configured vendor accounts.
Implement various approaches, such as:
- Disabling default accounts.
- Rendering default accounts unusable.

Section 8: Minimize Unnecessary Services

Remove or deactivate redudent services on enterprise assets and software.
Examples of these services include:
- Unused file sharing services.
- Web application modules that are not in use.
- Service functions that are unnecessary.

Section 9: Trusted DNS Server Configuration

Set up reliable DNS servers on enterprise assets.
Implementations might involve:
- Configuring assets to rely on DNS servers managed by the enterprise.
- Using well-regarded externally accessible DNS servers.

Section 10: Portable End-user Device Lockout Configuration

Implement an automatic device lockout mechanism after a specific number of local authentication failures on portable end-user devices.
Set thresholds as follows:
- For laptops, trigger lockout after no more than 20 failed authentication attempts.
- For tablets and smartphones, initiate lockout after no more than 10 failed authentication attempts.
Illustrative implementations encompass tools like Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Section 11: Portable End-user Remote Device Lockout Configuration

Enable remote data wiping for enterprise-owned portable end-user devices, based on specific situations like:
- Lost or stolen devices.
- Individuals no longer associated with the enterprise.
Initiate the remote wipe process when appropriate.
Ensure that this capability is aligned with enterprise policies and security needs.

Section 12: Isolate Enterprise Workspaces on Mobile Device Configuration:

Establish distinct enterprise workspaces on mobile end-user devices, leveraging supported capabilities.
Implementations can involve techniques like:
- Utilizing Apple Configuration Profile or Android Work Profile.
Ensure that enterprise applications and data are isolated from personal applications and data within these separate workspaces.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.