What is System Hardening?


System hardening involves identifying and addressing security vulnerabilities across hardware, firmware, software, applications, passwords, and processes.


Compatibility allows most applications to work smoothly, but securing a system requires additional steps known as system hardening best practices, which are crucial for protection against advanced threats.


Microsoft emphasizes server security and provides comprehensive hardening techniques and best practices tailored to various platforms. System hardening involves intricate steps, such as configuring admin accounts, user groups, and guest account settings, to mitigate unauthorized access. Given the complexity and susceptibility to errors, automating the hardening process is essential.


What is a system hardening process?


The Center for Internet Security (CIS) provides its own security benchmarks to help safeguard systems, software, and network traffic against today's evolving cyber threats. Each CIS benchmark recommendation references one or more controls that were developed to help organizations improve protection against cyber threats. CIS controls map to frameworks like PCI DSS, HIPAA, ISO 27000, and others.


The CIS benchmarks are divided into Level 1 and Level 2 security settings to help organizations implement them. Level 1 settings are considered the minimum requirements to which every system should be configured, and they aren't likely to cause application compatibility issues or interrupt service. Level 2 settings are recommended for systems that need better protection and where some reduction in functionality might be accepted.


The primary objective behind system hardening is to minimize security vulnerabilities by removing potential entry points that attackers could exploit and limiting the number of components or areas that are exposed to threats.





Auditing Security Settings for System hardening


The initial step in ensuring the proper security of your servers involves understanding their configuration and network hardening best practices. A frequently used tool for uncovering system configurations is PowerShell.


However, depending solely on PowerShell may not provide the best outcomes, especially when dealing with aspects beyond registry-based settings and management systems. Automating the comparison of your system's configuration against security benchmark standards demands more intricate coding, particularly when addressing areas such as application hardening, patching and updating, data breaches, database hardening, network hardening, network traffic, software applications, user accounts, and access controls.


Account Policies

The first set of recommendations in the security benchmarks for system hardening standards are settings for account policies like Enforce password history and Maximum password age. If you have an Active Directory domain, these settings are configured in the Default Domain GPO and are propagated to all domain-joined devices, assuming an out-of-the-box domain configuration. The Get-ADDefaultDomainPasswordPolicy PowerShell cmdlet can be used to audit domain password settings, but it does not audit the setting configured on each endpoint.


Auditing Registry-Based Settings


Settings that are backed by a registry key are easier to audit. For example, the Allow indexing of encrypted files setting for Windows Search is set in the HKLM hive of the system registry using the AllowIndexingEncryptedStoresOrItems value. HKEY_LOCAL_MACHINESearch:AllowIndexingEncryptedStoresOrItems.


By default, the Allow indexing of encrypted files setting is disabled and the AllowIndexingEncryptedStoresOrItems value doesn't exist in the registry. Disabled is the recommended CIS benchmark setting for Windows Server hardening.


If the value of AllowIndexingEncryptedStoresOrItems is 1 (true), then indexing of encrypted files has been enabled. A zero value (false) indicates that indexing has been explicitly disabled. If the value doesn't exist in the registry, PowerShell will return an error.


All settings backed by a documented registry key can be audited in the same way. For example, AllowCloudSearch is backed by the following value in the registry:



The policy should be set to Enabled: Disable Cloud Search, which results in the AllowCloudSearch value being set to zero. The default setting in Windows Server is Enabled: Enable Cloud Search, but there is no registry value present out-of-the-box because it isn't required.
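The two registry-backed settings discussed above can be audited with one helper that treats a missing value as "not configured" instead of letting Get-ItemProperty fail. This is an added example, not code from the original article; the full key path used here is the standard Windows Search policy key (assumed, so verify it against the CIS benchmark for your Windows Server version), and the default values are taken from the article's text.

```powershell
# Added example (not from the original article): audit registry-backed CIS settings.
# Key path is the standard Windows Search policy key (assumption; confirm against the benchmark).
$searchPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

function Test-RegistrySetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $ExpectedValue,
        # Effective value when the policy is not configured and the value is absent
        [Parameter(Mandatory)] [int]    $DefaultValue,
        [string] $Description = $Name
    )
    $actual = $null
    $configured = $false
    if (Test-Path -LiteralPath $Path) {
        # SilentlyContinue returns $null for a missing value instead of raising an error
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $actual = [int]$item.$Name
            $configured = $true
        }
    }
    $effective = if ($configured) { $actual } else { $DefaultValue }
    [pscustomobject]@{
        Setting    = $Description
        Path       = $Path
        Value      = $Name
        Configured = $configured          # False means the benchmark value is only met by default
        Effective  = $effective
        Expected   = $ExpectedValue
        Compliant  = ($effective -eq $ExpectedValue)
    }
}

# Expected values follow the article: encrypted-file indexing disabled (0),
# AllowCloudSearch set to 0 (Enabled: Disable Cloud Search).
# Defaults: neither value exists out of the box; encrypted-file indexing is off (0),
# cloud search is on (1).
$results = @(
    Test-RegistrySetting -Path $searchPolicy -Name 'AllowIndexingEncryptedStoresOrItems' `
        -ExpectedValue 0 -DefaultValue 0 -Description 'Allow indexing of encrypted files'
    Test-RegistrySetting -Path $searchPolicy -Name 'AllowCloudSearch' `
        -ExpectedValue 0 -DefaultValue 1 -Description 'Allow Cloud Search'
)
$results | Format-Table Setting, Configured, Effective, Expected, Compliant -AutoSize
```

A row with Compliant = True but Configured = False is met only by the default; decide whether your baseline requires the value to be set explicitly so that a later change cannot silently flip it.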


Remediating System Security Settings


Manually comparing server settings with CIS benchmarks is tedious. For continuous monitoring and aligning with security benchmarks, an automated solution for system hardening is recommended.


Before remediating a setting, document the current value and test reverting it. Some settings require a reboot to take effect, as mentioned in the related Group Policy setting documentation.


Altering production system settings can disrupt operations and cause compatibility issues. Test changes in a pre-production setup and have a rollback plan. Automating this process is efficient and prudent, ensuring configuration changes do not impact operational stability on live systems.


Monitoring Changes to System Configuration


A product with real-time monitoring and automatic remediation offers a more secure solution, addressing vulnerabilities and ensuring a secure configuration more effectively.


Even with system hardening best practices for Active Directory, configuration changes can still occur without robust change control processes. Malware can also modify server settings, highlighting the importance of hardware hardening and hardening best practices.


Without proper change control procedures, configuration drift occurs, causing servers to deviate from their intended configuration. This complicates support and heightens the risk of compromise by exposing vulnerabilities.



Auditing and the Systems Event Log


Windows auditing, the built-in technology for monitoring changes to system configuration, can be configured to monitor registry keys.


Global Object Access Auditing is a way to configure auditing for system hardening that makes it easier to set up. You can use Global Object Access Auditing to set System Access Control Lists (SACLs) per server rather than on each part of the registry that you want to audit. But you still need to know what to look for in the Event Log, extract events that indicate a change to specific registry values, and then alert someone to the change.
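Once registry auditing is in place, the change events still have to be pulled out of the Security log. The function below is an added example (not the article's own code) that reads Security event ID 4657, "A registry value was modified", and keeps only events that touch a watched key; the watched key pattern and the time window are assumptions.

```powershell
# Added example (not from the original article): extract registry-change events for a watched key.
# Requires the Audit Registry subcategory and a SACL (e.g. via Global Object Access Auditing).
function Get-RegistryChangeEvent {
    param(
        # Regex matched against the key path as logged (\REGISTRY\MACHINE\...); assumed pattern
        [string]   $KeyPattern = '\\Windows Search$',
        [datetime] $Since      = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData fields by name from the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -match $KeyPattern) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process  = $data['ProcessName']
                Key      = $data['ObjectName']
                Value    = $data['ObjectValueName']
                OldValue = $data['OldValue']
                NewValue = $data['NewValue']
            }
        }
    }
}

# Most recent changes first; pipe to Send-MailMessage or a SIEM forwarder to alert someone
Get-RegistryChangeEvent | Sort-Object Time -Descending | Format-Table -AutoSize
```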


Real-Time Monitoring


Tracking changes to settings that don't have documented registry settings can be done by exporting the local security database using secedit and then comparing before and after values. You can use PowerShell to create objects from the text files exported by secedit and then use arrays to compare the information.




Generating Reports on System Hardening Configuration


Generating reports from text-based files, such as those produced by secedit, isn't always straightforward. You can, however, process such files with PowerShell using the Import-Csv cmdlet, and files that use a delimiter other than a comma can be handled by adding the Delimiter parameter.


Formatting reports so that they are easy to read is also important. For example, you could export Windows Event Log security events to an HTML file by piping the results of Get-EventLog into ConvertTo-Html like this:


Get-EventLog -LogName "Security" | ConvertTo-Html > c:\temp\securityevents.html


In the next example, Select-Object is used to format the results in a table displaying only the Source, EventID, InstanceId, and Message properties for each event.

Get-EventLog -LogName Application -Source Outlook | Where-Object {$_.EventID -eq 63} | Select-Object -Property Source, EventID, InstanceId, Message


Using PowerShell to generate HTML reports is possible but to have complete control over how your reports look, some experience in working with HTML and Cascading Style Sheets (CSS) would be required.
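The secedit before-and-after comparison described under Real-Time Monitoring and the HTML reporting described here can be combined. The following is an added example, not code from the article: it parses two secedit exports into objects, reports the settings that differ, and renders the differences with ConvertTo-Html. The file paths and the CSS are assumptions.

```powershell
# Added example (not from the original article): detect local security policy drift with secedit
# and write the differences to an HTML report. Paths and CSS are assumed; run from an elevated prompt.
function Import-SeceditPolicy {
    param([Parameter(Mandatory)] [string] $Path)
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            # Key by "Section\Name" so names reused across sections do not collide
            $settings["$section\$($Matches[1])"] = $Matches[2]
        }
    }
    $settings
}

function Compare-SecurityPolicy {
    param([string] $BeforePath, [string] $AfterPath)
    $before = Import-SeceditPolicy $BeforePath
    $after  = Import-SeceditPolicy $AfterPath
    $keys = @($before.Keys) + @($after.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        if ($before[$k] -ne $after[$k]) {      # also true when a setting appears or disappears
            $section, $name = $k -split '\\', 2
            [pscustomobject]@{
                Section = $section
                Setting = $name
                Before  = if ($before.ContainsKey($k)) { $before[$k] } else { '<absent>' }
                After   = if ($after.ContainsKey($k))  { $after[$k] }  else { '<absent>' }
            }
        }
    }
}

# Baseline export, then a later export to detect drift
secedit /export /cfg C:\temp\baseline.inf | Out-Null
# ... time passes, or a change is made ...
secedit /export /cfg C:\temp\current.inf | Out-Null

$css = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:4px}</style>'
Compare-SecurityPolicy -BeforePath C:\temp\baseline.inf -AfterPath C:\temp\current.inf |
    ConvertTo-Html -Head $css -Title 'Security policy drift' |
    Out-File C:\temp\policy-drift.html
```

An empty table in the report means no audited setting changed between the two exports.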


Automate your system hardening


By applying security standards for OS hardening and securing the infrastructure, overall security is greatly enhanced. This approach not only strengthens systems and reduces the potential for attacks but also highlights the importance of automated system hardening. To ensure servers remain secure, it is crucial to constantly audit configurations and automate the remediation of changed settings.
