OS Hardening Basics

What is OS Hardening?

Operating system (OS) hardening, a type of system hardening, is the process of implementing security measures and patching for operating systems, such as Windows, Linux, or Apple OS X, to strengthen them against cyberattacks. The goal is to protect sensitive computing systems, reducing the system’s attack surface, in order to lower the risk of:

• Data breaches
• Unauthorized access
• Systems hacking
• Malware

Practices for OS Hardening

• Following security best practices and ensuring secure configuration.
• Updating the operating system, and automatically applying patches and service packs.
• Establishing strict access rules, limiting and authenticating system access permissions, and restricting user account creation.
• Deploying additional security measures, such as firewalls and endpoint protection systems.
• Using operating system security extensions, such as AppArmor for Linux.
• Removing unnecessary applications, services, and device drivers.
• Enabling only the required ports and services.
• Encrypting the HDD or SSD hosting the OS.

OS Hardening Security Benefits

Key benefits of hardening operating systems include:

1. Improved security and reduced attack surface.
2. Lowered risk of data breaches, unauthorized access, and malware.
3. Protection of sensitive computing systems running mission-critical workloads.
4. Support for compliance with industry-specific regulations and standards.
5. Increased system stability and reliability by removing unused services and applications.
6. Minimized IT support costs due to fewer security incidents.

15 Operating System Hardening Best Practices

Although each operating system has unique characteristics, the following best practices are common to all:

OS Updates

1. OS Updates and Service Packs
   • Keep operating systems and programs up to date by installing the latest versions.
   • Use service packs to dramatically reduce vulnerabilities.
2. Patch Management
   • Plan, test, implement, and audit patches to ensure systems and programs are always updated.
3. Remove Unnecessary Applications and Services
   • Audit and eliminate unused software and services to reduce the attack surface.
4. Enable Only Required Ports and Services
   • Close unused ports and disable unnecessary services.
5. Uninstall Unnecessary Device Drivers
   • Identify and remove unused or old device drivers to prevent vulnerabilities.

Secure Configuration

1. Clean Programs
   • Regularly delete unnecessary or unapproved programs to minimize risks.
2. Establish Strict Access Rules
   • Restrict access to files, networks, and resources according to the principle of least privilege.
3. Limit User Account Creation and Regularly Review Accounts
   • Only create necessary user accounts and deactivate or revoke unused accounts promptly.
4. Group Policies
   • Define privileges for user groups to limit potential damage and update policies regularly.
5. Security Templates
   • Use templates to manage and enforce security configurations consistently across systems.

Additional Security Measures

1. Firewall Configuration
   • Review and modify firewall rules to allow traffic only from known, approved IP addresses and ports.
2. Hardening Frameworks
   • Use frameworks like AppArmor and SELinux to enhance security.
3. Endpoint Protection
   • Leverage endpoint protection solutions like Windows Defender and advanced EPP platforms.
4. Data and Workload Isolation
   • Run sensitive databases or applications in isolated virtual machines or containers.
5. Encrypt the OS Storage Drive
   • Encrypt HDD/SSD to prevent unauthorized access to data, especially on mobile devices.

Center for Internet Security (CIS) Benchmarks for OS Security

The Center for Internet Security (CIS) provides benchmarks and best practices for securely configuring systems. CIS benchmarks:

• Serve as configuration baselines.
• Include recommendations and controls mapped to compliance standards, such as ISO 27000, PCI DSS, HIPAA, NIST CSF, and NIST SP 800-53.

CIS Hardened OS Images

CIS offers pre-configured and hardened OS images on major cloud providers. These images are pre-configured with security best practices and limit security vulnerabilities.

CIS Benchmarks and Hardened Images for Popular OS

Microsoft Windows

• Security Benchmark Available For Versions:
  2017 RTM, 2019 STIG, 2019, 2016 STIG, 2012 R2, 2012, 2008 R2, 2008, 2003
• Hardened OS Image Available On:
  AWS, Azure, Google Cloud Platform, Oracle Cloud

Ubuntu Linux

• Security Benchmark Available For Versions:
  20.04 LTS, 18.04 LTS, 16.04 LTS, 14.04 LTS, 14.04 LTS Server, 12.04 LTS Server, 16.04 LTS
• Hardened OS Image Available On:
  AWS, Azure, Google Cloud Platform, Oracle Cloud

Red Hat Enterprise Linux (RHEL)

• Security Benchmark Available For Versions:
  8, 7 STIG, 7, 6, 5
• Hardened OS Image Available On:
  AWS, Azure, Google Cloud Platform

Apple OS X (MacOS)

• Security Benchmark Available For Versions:
  11.0, 10.15, 10.14, 10.13, 10.12, 10.9, 10.8, 10.12, 10.11, 10.10
• Hardened OS Images:
  Not available

Resources

• CIS Benchmarks: Link
• CIS Hardened OS Images: Link

Implementing OS hardening alongside a robust data backup process can reduce the risk of successful cyberattacks and ensure recovery in case of failure.