back to the list of other resources
Security Resource Center
System Hardening - Frequently Asked Questions (FAQ)
Click here to return to "The ITcoach"
Home page | or click here to go back to the
list of other resources
What is System
System hardening is a step by step process of securely
configuring a system to protect it against unauthorized access, while also
taking steps to make the system more reliable. Generally anything that is
done in the name of system hardening ensures the system is both secure and
System hardening is necessary since "out of the
box", some operating systems tend to be designed and installed
primarily to be easy to use rather than secure. Most but not all systems can
have security measures enabled that will make them suitable for high
security, high reliability environments.
an executive, why should I care?
If you are in the United States, you now
have a mandate to care. As part of the United States homeland security initiative,
President Bush has challenged all business leaders to do their part to
protect their business sectors.
If you are in another country, it is
possible that your business partners may not want to do business with
you unless you can provide assurances that you have a system hardening
process in place;
your support may be necessary so that
your technologists can do their job;
your organization may hold you personally
accountable if proper steps were not taken;
your investors may require full
disclosure of results from a security audit, and so might your insurance
Without an understanding of the issues it
will be difficult for you to make the proper investment decisions.
should I harden my system?
There are many reasons why taking the steps
to harden your system is worth it.
- You can have more confidence in the
integrity of your data;
- performance improvements can be
experienced since unnecessary services are removed, and inefficiencies
in system configuration are detected;
- if there is a system failure, you can recover faster;
- The company's reputation is protected;
- Clients are happier as a result of fewer system failures or delays;
- To prevent lawsuits. Your organization may have a legal liability to
secure the private information of your employees, customers or research
What are the
chances that something bad would happen if I didn't harden my system?
- Hackers move quickly. Most unprotected systems are compromised within
72 hours from the time they are installed according to results from the
honey net project;
- Your system might be hijacked without your knowledge, and then used to
attack another system, or spread viruses, or distribute illegal content
such as pornography or software;
- Your company's proprietary information could be stolen;
- money could be wasted paying employees to sit around, unable to do
their work while the system is down;
What are the
main steps to take when hardening a system?
Step 1. Ensure that the hardware is robust
Is it new enough to be considered reliable
Identify the weak links and strengthen them (redundant
disks, server clustering etc.)
Ensure the environment is computer friendly (climate,
Provide physical security to eliminate tampering or
Step 2. Select and install a solid operating system
New operating systems have not been massively probed by
hackers. Mature operating systems are a known quantity. While the risks
are known, so are the fixes.
Features that are important include the ability to
support fault tolerant measures such as uninterruptible power supply
support (UPS), RAID disk arrays, logging, and access control measures
including log on authentication and file protection.
Strip down the OS to support only essential services
Disable unnecessary protocols and subsystems
Remove, disable, or rename known “target” accounts
Require strong local and remote authentication for access
Strictly manage users and groups to control inappropriately powerful rights and memberships (Least Privilege)
Enable auditing to track important events
Install a 3rd party firewall and monitor the logs
Apply all relevant hot-fixes, patches and service packs
Step 3. Install and configure the file system
Configure Access Control Lists (ACL) to eliminate inappropriately powerful rights and permissions (Least Privilege);
Enable auditing to track important events;
Begin by fully locking down all directories and then providing controlled access to user
Access to specific users should only be made on an exception basis.
Step 4. Configure applications/services
Install only essential applications and services;
Install only tested and approved software;
Remove or disable any unneeded applications and services that are installed by default – remove the files where possible;
Set access control within applications/services where applicable;
Apply all relevant hot-fixes, patches and service packs;
Remove any sample data (scripts, sample web pages, etc).
Step 5. Configure server side applets/scripts
Install only essential applications, applets and scripts;
Install only tested and approved software;
Verify that applets and scripts perform only their intended function;
Apply all relevant hot-fixes, patches and service packs.
else should I be concerned about?
System hardening is only part of a secure
Usage policies are other important
elements, but policy does not prevent anything from happening, it only
provides a reference against which decisions can be made.
Standard procedures provide the actual
steps that are to be followed in support of policy.
On the technical side, the network is the
weak link that can expose a secure system to additional risks. Good
network design and firewall architecture can reduce the vulnerabilities.
links or forwarding these articles is encouraged providing that the
following credit line is used: © Copyright 2002, Wayne McKinnon,
ITcoach.com. For more information contact us at ITcoach.com, Suite
531, 900 Greenbank rd., Ottawa, Ontario, Canada K2J 4P6, (613)
860-1384, 1-888-712-6224, FAX (613) 825-4895, info@ITcoach.com
A copy of the publication in which
the article appears would be appreciated.
Copyright 2002 by ITcoach.com. All