Hardening is the practice of making an operating system (OS) or application more secure from its default installation. If you’re planning on taking the Security+ exam, you should have a basic understanding of system hardening for security.
For example, can you answer this question?
Q. Your organization wants to improve the security posture of internal database servers and protect against zero-day vulnerabilities. Of the following choices, what provides the BEST solution?
A. Opening ports on a server’s firewall
B. Disabling unnecessary services
C. Keeping systems up to date with current patches
D. Keeping systems up to date with current service packs
Moreover, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
OS and Application Hardening
An important first step when hardening operating systems and applications is to read the directions. The vendor documentation and guidelines include important details on steps you can take to secure them, but they’re only useful when someone reads them and applies the knowledge.
Many vendors approach application development with a goal of usability over security. The application will be easy to set up and configure, but it may have gaping security holes. Other vendors value security over usability. It’s secure when you install it, but it may not work as desired.
Interestingly, it’s only when applications value security over usability that administrators are forced to read the documentation. If security settings prevent the application from working as desired, they have to dig into the documentation to modify the settings. In contrast, if they install it and it works out of the box, they may be called away to fight another crisis before checking the documentation for security issues.
Disabling Unnecessary Services
A core principle associated with hardening a system includes disabling or removing all unnecessary services. If a service is not running on a system, attackers cannot attack it, and it reduces the overall attack surface of the system. For example, an expert on exploiting File Transfer Protocol (FTP) vulnerabilities will be unsuccessful using these techniques on a server that is not running the FTP service. It doesn’t matter how vulnerable a service is. If it’s not running, attackers cannot exploit any of its vulnerabilities.
When you disable a service, you often remove access to the associated protocol. For example, if you disable the FTP service, you disable the FTP protocol. Some protocols, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), are necessary for connectivity within a network and cannot be disabled. Other protocols, such as FTP, Remote Desktop Protocol (RDP), and Simple Mail Transfer Protocol (SMTP), are optional application protocols supporting related services. If the server needs them, you’d enable them. For example, you’d enable SMTP on an email server, but would disable it on a server not sending or receiving email.
Disabling unnecessary services and removing unneeded protocols provide several key benefits, including the following:
- Improves the overall security posture of systems. Systems that are running only required services and protocols are less susceptible to attacks, which improves their overall security posture.
- Reduces the attack surface. Disabled services and protocols are not vulnerable to attacks, so by disabling unnecessary services and protocols, you reduce the system’s attack surface. Both known attack methods and previously unknown zero-day vulnerability attack methods are unsuccessful when the services and protocols are disabled or removed.
- Reduces risks associated with open ports. If an attacker does a port scan, the scan finds the associated port closed because nothing is listening on it. For example, disabling the RDP service on a server causes a port scan to report port 3389 as closed on the server, even if the port is open on a firewall between the attacker and the server.
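As an added example (not from the original post), the following shell audit lists the TCP ports a host is listening on that are not on its allowlist of required services, so the extra services can be disabled. The allowlist, the port-to-service table, and the `ss -tlnH`-style sample lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TCP ports a host is
# listening on against an allowlist of the services it is supposed to run,
# so everything else can be disabled to shrink the attack surface.
#
# Input is in the format of `ss -tlnH` on Linux: one line per listening
# socket; the fourth column is the local address:port. The sample below is
# constructed to mimic that output; on a real host, pipe `ss -tlnH` in instead.

SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 50 0.0.0.0:21 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*'

# Ports this example's database server is expected to expose (an assumption:
# SSH for administration and PostgreSQL for the database itself).
ALLOWED_PORTS="22 5432"

# Map the well-known ports used in this example to service names.
port_to_service() {
    case "$1" in
        21)   echo "FTP" ;;
        22)   echo "SSH" ;;
        25)   echo "SMTP" ;;
        3389) echo "RDP" ;;
        5432) echo "PostgreSQL" ;;
        *)    echo "unknown" ;;
    esac
}

# Read listener lines from stdin and print "port service" for each listening
# port that is not on the allowlist, i.e. a candidate for disabling.
find_unneeded_listeners() {
    while read -r _state _recvq _sendq laddr _peer; do
        [ -n "$laddr" ] || continue
        port="${laddr##*:}"
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;   # required service, keep it
            *) echo "$port $(port_to_service "$port")" ;;
        esac
    done
}

# Stand-alone run: services a scan would still find open and that should go.
printf '%s\n' "$SAMPLE_LISTENERS" | find_unneeded_listeners
```

On a real host, replace the constructed sample with `ss -tlnH | find_unneeded_listeners` and treat every line reported as a service to stop and disable (for example with `systemctl disable --now`) unless the server actually needs it.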
Remember this
Hardening a server makes it more secure from its default installation. Disabling unnecessary services and protocols reduces the attack surface of a system and improves its overall security posture.
Q. Your organization wants to improve the security posture of internal database servers and protect against zero-day vulnerabilities. Of the following choices, what provides the BEST solution?
A. Opening ports on a server’s firewall
B. Disabling unnecessary services
C. Keeping systems up to date with current patches
D. Keeping systems up to date with current service packs
Answer is B. Disabling unnecessary services helps reduce threats, including threats from zero-day vulnerabilities.
It also reduces the threat from open ports on a firewall if the associated services are disabled, but opening ports won’t reduce threats.
Keeping systems up to date with patches and service packs protects against known vulnerabilities and is certainly a good practice.
However, by definition, there aren’t any patches or service packs available for zero-day vulnerabilities.