Most corporate network administrators and security officers are well aware of the need for hardening servers and workstations. Home users, on the other hand, will often accept a system configured by the vendor, and just plug it in and start working. This is a dangerous scenario in today’s Internet-connected world.
So, what is system hardening? Hardening is the process of reducing the attack surface of a computer or communications system. I add communications systems, like switches, routers and cable modems, as they can benefit from hardening efforts as well. Simply by nature of operation, the more functions a system performs and services offered, the larger the attack surface.
The reduction of attack vectors is accomplished by removing any software, user accounts or services that are not actually required for system operation. It is important to realize that a system shipped pre-installed will most likely ship with the most insecure configuration possible. This is not necessarily an indicator of malicious intention by the vendor. Rather, the vendor typically wants the user to have a simple, easy and convenient experience with the PC, so leaving everything enabled, unprotected, and on default settings adds convenience at the expense of security.
The granular “how-to” steps of system hardening will vary from platform to platform and operating system to operating system; however, they follow a common process. Here is a checklist that will enable you to perform system hardening activities. If you don’t know how to accomplish a particular task for your operating system of choice, simply look it up on Google or use the resources provided at the bottom of this article, and in the process, learn a little bit more about your operating system of choice. A few handy resources are included at the end, including the “FreeFire” project, which offers tools to automate or simplify most hardening efforts.
- Back up your current configuration. (An optional step, but recommended to enable restoring to default.)
- Prepare your system for hardening. (Gather CDs and tools, download patches, install a new hard drive, add any other components, disconnect from the Internet.)
- Perform initial operating system (O/S) installation. Stick the DVD into the drive and follow the prompts. (I recommend FDISK and a complete format to ensure as clean a system as possible.)
- Set up an administrator account, and give it a lengthy, complex password. (Pick the first letter from each word of your favorite book, quote or other memorable phrase. Substitute some numbers, add some symbols, and you are rocking. Example: “When you can’t find the answer, Google is great!” = wUcfta,GiG! makes a pretty good password. You get the idea.)
- Set up your everyday user account. DO NOT give it administrator rights, but do pick another DIFFERENT complex and lengthy password. If you use the correct account for the correct purpose, you will protect yourself from many malicious programs and attackers.
- After O/S installation, install all updates and patches. (If you downloaded them in advance, kudos, you are more secure.)
- Install only the software you need. Most systems ship with a set of useful (and not so useful) software packages (called bloatware by some). Do your testing later, for now just install what you know you will need.
- Disable guest accounts, and remove unnecessary usernames and passwords. Disable all remote and support accounts, and all accounts related to services which are not going to be used. For all accounts, ALWAYS change the default passwords.
- Install your Anti-Virus, Personal Firewall, and other security tools of choice.
- Reconnect to the Internet. You will undoubtedly need to get back online to gather the last few O/S updates, A/V updates, and the next step, patching all of your installed applications.
- Apply any additional security and functionality patches for everything that is installed on the system. You are now current!
- Disable or remove unnecessary services. Removing all of the services which are not needed will seriously reduce your vulnerability to attack. If you find that something doesn’t work, it is a simple matter to re-enable the service. If you are uncertain what services to leave enabled or disabled, consult with your O/S vendor’s website.
- At this stage, it is probably prudent to consider whole-disk encryption. When used properly, if someone steals your home computer, they get the hardware, but do not gain access to your personal information or anything that you might be working on at home. I recommend it, but it does add some minor performance overhead, typically increasing bootup times.
- Run a vulnerability scan. Pick your favorite scanner (Microsoft still provides MBSA, and Secunia offers a good one; both are free: http://sectools.org/vuln-scanners.html). Perform a full scan, including dangerous scans. Read through the results and analyze them. Fix what is required.
- If no vulnerabilities are discovered (or there are no remotely exploitable vulnerabilities, at least!), the system is ready for use. You have successfully hardened the system!
- Consider reading and implementing some of the additional guidance provided by NIST and other recognized security bodies.
- Back up the new configuration.
- Install any additional software that you want to test, examine or are curious about. Don’t forget to patch these new programs, and if you decide not to use them, you can restore the system with the backup you made. (Installing software and then removing it may leave your system with “stubs” in the registry, or other issues that may, over time, slow the system down.)
- Once you have it all configured securely, working like a charm, and everything installed, do one more backup.
- Finally, consider signing up for security mailing lists that are relevant to your O/S, software, and interests. Stay current with patches and aware of threats to your online security.
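A post-hardening check for the account steps in the checklist (guest and support accounts disabled, the everyday account without administrator rights), added here as an example and not part of the original article. Because the checklist is platform-neutral, it assumes a Linux-style /etc/passwd and /etc/group layout; the suspect-name pattern and the list of administrator groups are assumptions, and the sample account data is constructed.

```python
import re
# Shells that cannot be used for an interactive login.
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Names that look like guest, support or vendor defaults (assumed heuristic).
SUSPECT = re.compile(r"guest|support|vendor|demo|test", re.I)
# Groups that grant administrator rights on common Linux distributions (assumed).
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

def parse_passwd(text):
    """Map account name -> (uid, gid, shell) from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and not line.startswith("#"):
            users[f[0]] = (int(f[2]), int(f[3]), f[6])
    return users

def parse_group(text):
    """Map group name -> (gid, supplementary members) from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 4 and not line.startswith("#"):
            groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups

def audit(passwd_text, group_text):
    """Return sorted lists of login-capable, suspect and admin-capable accounts."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    admin_gids = {gid for g, (gid, _) in groups.items() if g in ADMIN_GROUPS}
    admin_members = set().union(*(m for g, (_, m) in groups.items() if g in ADMIN_GROUPS))
    login = sorted(n for n, (_, _, sh) in users.items() if sh not in NOLOGIN)
    suspect = sorted(n for n in login if SUSPECT.search(n))   # still able to log in
    admin = sorted(n for n, (uid, gid, _) in users.items()
                   if uid == 0 or gid in admin_gids or n in admin_members)
    return {"login": login, "suspect": suspect, "admin": admin}

# Constructed sample account database; not taken from any real system.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
support:x:1002:1002:Vendor Support:/home/support:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\nwheel:x:10:\nusers:x:100:bob\n"

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

Every name under "suspect" should be disabled or removed, and "admin" should list only the dedicated administrator account (plus root), never the everyday user.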