A Process Checklist for System Hardening

October 20, 2009 by ADMIN

By Bozidar Spirovski, CISSP, MCSA, MCP

Most administrators and security officers are well aware of the necessity of system hardening for corporate systems.

Hardening is the process of securing a system by reducing its surface of vulnerability. By nature, the more functions a system performs, the larger its vulnerability surface.

Since most systems are dedicated to one or two functions, the possible vectors of attack are reduced by removing any software, user accounts or services that are not related to or required by the planned system functions.

System hardening is a vendor-specific process, since different system vendors install different elements in the default install process.

However, all system hardening efforts follow a generic process.

So here is a checklist and diagram by which you can perform your hardening activities.

Perform initial System Install - stick the DVD in and go through the motions.

Remove unnecessary software - all systems come with a predefined set of software packages that are assumed to be useful to most users. Depending on your target use of the system, you should remove all software that will not be used, such as graphics and office packages on a web server.

Disable or remove unnecessary usernames and passwords - most systems come with a lot of predefined user accounts for all kinds of purposes - from remote support to dedicated user accounts for specific services. Remove all remote and support accounts, and all accounts related to services which are not to be used. For all used accounts, ALWAYS change the default passwords.

Disable or remove unnecessary services - as with the two previous points, remove all services which are not to be used in production. You can always just disable them, but if you have the choice, remove them altogether. This prevents someone from mistakenly activating the disabled service further down the line.

Apply patches - after clearing the ‘mess’ of the default install, apply security and functionality patches for everything that is left in the system - especially the target services.

Run Nessus Scan - update your Nessus scanner and let her rip. Perform a full scan including dangerous scans. Do the scan without any firewalls on the path of the scan. Read through the results: there will always be some discoveries, so you need to analyze them.

If no Vulnerabilities are discovered, use system - after the analysis of the results, if nothing significant is discovered, congratulations! You have a hardened system ready for use.
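
The removal steps above (software, accounts, services) come down to comparing what is on the host with what its planned function needs. The following added example, which is not from the original article, does that comparison in Python; the web-server baseline, the inventory and the passwd entries are constructed sample data.

```python
# Added example. The role baseline and host inventory are constructed samples.
# Baseline: what a hypothetical "web server" role needs; the rest goes.
BASELINE = {
    "packages": {"openssh-server", "nginx", "openssl"},
    "services": {"sshd", "nginx"},
    "accounts": {"root", "www-data", "deploy"},
}
# Constructed inventory of a default install (packages, enabled services).
INVENTORY = {
    "packages": {"openssh-server", "nginx", "openssl", "libreoffice-core", "gimp"},
    "services": {"sshd", "nginx", "cups", "avahi-daemon"},
}
# Constructed passwd(5)-format account list from the same host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
support:x:1001:1001:Vendor remote support:/home/support:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
deploy:x:1002:1002::/home/deploy:/bin/bash
"""
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {username: login_shell}, skipping blank or malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            accounts[fields[0]] = fields[6]
    return accounts


def audit(baseline, inventory, passwd_text):
    """Diff the host against the baseline; each list is a removal to-do."""
    accounts = parse_passwd(passwd_text)
    extra = sorted(set(accounts) - baseline["accounts"])
    return {
        "remove_packages": sorted(inventory["packages"] - baseline["packages"]),
        "remove_services": sorted(inventory["services"] - baseline["services"]),
        "remove_accounts": extra,
        # Unneeded accounts with a real shell are the most urgent to remove.
        "login_capable": [a for a in extra if accounts[a] not in NOLOGIN],
    }


if __name__ == "__main__":
    for finding, items in audit(BASELINE, INVENTORY, PASSWD).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

Re-running the same audit after the cleanup should return four empty lists; anything that reappears later is drift from the hardened state.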

Author: Bozidar Spirovski of Information Security Short Takes

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Comments

6 Comments on A Process Checklist for System Hardening

  1. Pablo Palacios on Mon, 26th Oct 2009 10:13 am

    Hi I really enjoyed your post.
    I wrote about it and extended its reach to PCI compliance, I hope it does not bother you.

    http://seguridad.moplin.com/pcidss/proceso-de-implementacion-de-sistemas-nuevos

    It is in Spanish but I guess it can be translated with Google help.

    Thank you for your contribution.

    –Pablo

  2. Proceso de implementación de sistemas nuevos on Mon, 26th Oct 2009 7:33 pm

    [...] A Process Checklist for System Hardening http://information-security-resources.com/2009/10/20/a-process-checklist-for-system-hardening/ October 20, 2009 por Bozidar Spirovski, CISSP, MCSA, [...]

