DSBP - System Hardening (Lesson)

System Hardening

Host Based Defensive Tools Presentation

You have learned in a previous lesson how every system has multiple vulnerabilities that can be used by hackers in their attacks. In this lesson, you will learn about the best practices to harden a system to mitigate against these attacks.

Hardening limits potential weaknesses that make systems vulnerable to cyber attacks. “Hardening a System” or “System Hardening” are both terms describing the process of securing the host system through a series of configuration steps. 

However, there is a lot of information out there about how to implement security. How do we know what information is safe and valuable and what information is garbage or even dangerous? Cybersecurity professionals use benchmarks or lists of recommended configuration settings, compiled and shared by government and/or industry groups.

Benchmarks are a way of identifying secure configurations without having the expertise to research them yourself. Center for Internet Security (CIS) Benchmarks are recommended technical settings for operating systems, middleware and software applications, and network devices.

CIS Benchmark Tool Video

Scan to Get Advice

In practice, though, it is not feasible to identify every needed configuration change by hand; a typical benchmark contains hundreds of settings. A configuration assessment tool (such as CIS-CAT, which checks a system against a CIS Benchmark) or a vulnerability scanner automates this task.

Basic Hardening Steps

There are hardening steps that are recommended for most systems, such as:

  • Configure regular backups.
  • Set up automatic or enterprise-managed updates.
  • Set up Windows Security settings (formerly called Windows Defender Security Center).
  • Set up User Account Control (UAC), which is a security feature designed to protect the operating system from unauthorized changes.
  • Set local security policies.
  • Disable unnecessary services that may enable vulnerabilities.

Backups

Recommended practice is the 3-2-1 rule: 

  • 3 copies of the data.
  • 2 different storage media. One is the original system's own drive, and the other can be an external hard drive, a network drive, or even a USB drive.
  • 1 copy offsite or in the cloud.

Having several copies is known as redundancy. This is the BEST way to survive a ransomware infection. ONE backup is not enough! Note that ransomware encrypts every drive it can reach, including a permanently attached external disk or a mapped network share, so at least one copy must be offline (unplugged) or stored somewhere the infected machine cannot write to. A backup you have never restored from is also unproven: test a restore now and then.

Syncing services such as Google Drive or Microsoft One Drive are not backups because if you delete a file from the local system, then that file is also deleted in the cloud.  A backup is a static snapshot of data.
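The following PowerShell script is an added example of the 3-2-1 rule in practice; it is not part of the lesson. It writes a dated, never-modified snapshot archive (the "static snapshot" that distinguishes a backup from a sync), copies it to a second device and to an offsite location, verifies each copy by hash, and keeps only the newest snapshots. The source and target paths are placeholders you must change for your own system.

```powershell
# Added example: 3-2-1 snapshot backup with verification. Paths are placeholders (assumptions),
# adjust $Source, $LocalTarget and $OffsiteTarget for your system before running.
param(
    [string]$Source        = "$env:USERPROFILE\Documents",
    [string]$LocalTarget   = 'E:\Backups',   # 2nd device: external or network drive
    [string]$OffsiteTarget = 'Z:\Backups',   # offsite copy: mounted cloud or remote share
    [int]$Keep             = 7               # snapshots to retain on each target
)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $env:TEMP "snapshot-$stamp.zip"

# A backup is a static snapshot: the archive is written once and never changed afterwards,
# so a later deletion (or ransomware encryption) in $Source cannot propagate into it.
Compress-Archive -Path $Source -DestinationPath $archive -CompressionLevel Optimal
$expected = (Get-FileHash -Path $archive -Algorithm SHA256).Hash

foreach ($target in @($LocalTarget, $OffsiteTarget)) {
    if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
    $dest = Join-Path $target (Split-Path $archive -Leaf)
    Copy-Item -Path $archive -Destination $dest

    # Verify the copy before trusting it: a corrupted or truncated copy is not a backup.
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash mismatch for $dest" }

    # Retention: keep the newest $Keep snapshots so one bad copy never overwrites all history.
    Get-ChildItem -Path $target -Filter 'snapshot-*.zip' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $Keep |
        Remove-Item
}

Remove-Item $archive
Write-Host "Snapshot $stamp written and verified on $LocalTarget and $OffsiteTarget"
```

Run it on a schedule (Task Scheduler), then physically detach the external drive or use an offsite target the workstation cannot delete from, so a ransomware infection cannot reach the copies. Periodically restore a snapshot with `Expand-Archive` to a scratch folder to prove the backups actually work.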

Updates

Updates are one of the most important things you can do to secure a system. If a user is going to choose only ONE action to secure their system, then Updates should be it by a mile! Note that this applies to all devices - smartphones, Wi-Fi routers, printer drivers, and even the software in your car!

There are different update types:

  • Update or Patch is a change to OS or application code that fixes a defect in how it runs or improves compatibility with devices and applications.
  • Hotfix is a small patch for one very specific, usually customer-reported, issue; it is often distributed on request rather than through automatic updates.
  • Critical update fixes a non-security bug serious enough to affect OS functionality or stability.
  • Security update fixes a vulnerability in the code so that it can no longer be exploited; these are the ones attackers race to reverse-engineer once released.

You can use Windows Search to open the Windows Update Settings and check the status of your device. This is what your Update page SHOULD look like!

Windows up to date message

What if you get this message? It means your device is vulnerable because security fixes are missing! Users often do not even realize that they are not current with updates because they have not allowed the necessary restarts, or perhaps they have used the Pause feature and forgotten about it.

Error Encountered message

Windows Security Settings

The Windows Security section provides a monitoring system for important security components. It lets you know if the security components are not turned on, out of date, or not configured properly, and it provides directions on how to resolve the alerts. Check to make sure you have green checks in these 3 areas:

  • Virus & Threat Protection  
  • Firewall & Network Protection
  • Apps & Browser Control

You can use Windows Search to open Windows Security and check the status of your device. Your results should look like this:

Windows Security settings
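The two "should look like this" screens above (Windows Update and Windows Security) can also be checked from the command line, which is how an administrator verifies many machines at once. The script below is an added example, not part of the lesson. It uses the Windows Update Agent COM API for pending updates, the Defender module for virus and threat protection, the NetSecurity module for the firewall profiles, and a registry value for SmartScreen; the SmartScreen registry location and the 7-day signature-age and 45-day last-patch thresholds are my assumptions, not values from the lesson.

```powershell
# Added example: one status report covering the Updates and Windows Security checks.
# Run in an elevated PowerShell on Windows 10/11 with network access to Windows Update or WSUS.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [string]$Check, [bool]$Pass, [string]$Detail = '') {
    $findings.Add([pscustomobject]@{
        Area = $Area; Check = $Check; Status = $(if ($Pass) { 'OK' } else { 'ATTENTION' }); Detail = $Detail
    })
}

# 1. Updates: ask the Windows Update Agent which applicable software updates are not installed.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
Add-Finding 'Updates' 'Pending updates' ($pending.Count -eq 0) "$($pending.Count) waiting"
foreach ($u in $pending) { Add-Finding 'Updates' $u.Title $false $u.MsrcSeverity }  # MsrcSeverity set for security updates
# A stale "last installed" date is the tell-tale of paused updates or blocked restarts.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
Add-Finding 'Updates' 'Last installed hotfix' ($last.InstalledOn -gt (Get-Date).AddDays(-45)) "$($last.HotFixID) on $($last.InstalledOn)"

# 2. Virus & threat protection: engine on, real-time protection on, signatures not stale.
$mp = Get-MpComputerStatus
$sigAgeDays = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
Add-Finding 'Virus & threat protection' 'Antivirus enabled'    $mp.AntivirusEnabled
Add-Finding 'Virus & threat protection' 'Real-time protection' $mp.RealTimeProtectionEnabled
Add-Finding 'Virus & threat protection' 'Signature age'        ($sigAgeDays -le 7) "$sigAgeDays day(s)"

# 3. Firewall & network protection: all three profiles (Domain, Private, Public) must be on.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding 'Firewall & network protection' "$($p.Name) profile" ("$($p.Enabled)" -eq 'True')
}

# 4. Apps & browser control: SmartScreen for downloaded apps. Registry location is an assumption
#    based on documented Windows behaviour; expected values are 'Warn', 'Block'/'RequireAdmin' or 'Off'.
$ss = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue).SmartScreenEnabled
Add-Finding 'Apps & browser control' 'SmartScreen for apps' ([bool]$ss -and $ss -ne 'Off') "$ss"

$findings | Format-Table -AutoSize
```

Anything marked ATTENTION corresponds to a missing green check in the screens shown above. The pending-update search talks to Windows Update (or your WSUS server), so it can take a minute; on an offline machine it fails rather than reporting "up to date", which is the safer failure mode.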

Users as a Vulnerability

While Operating System flaws are at the top of the list of vulnerabilities, users are a close second because they must have access to the system.  One method of securing user access is to apply settings that will limit user actions on the system. 

The following questions should be addressed by the IT team:

  • What happens if a bad application tries to install on the system?
  • Does the user have a strong password?
  • What if someone tries to log in with password guessing?
  • How will we know who used a computer?

Best Way to Secure the System

What's the best way to secure the system?
Unplug it from power!
What's the second best?
Do not allow any users!

Obviously neither of these is a serious solution, so we have to find different solutions to the user access problem. For example, if a change requires administrator-level permissions, User Account Control (UAC) interrupts it with a prompt: an administrator is asked to consent, and a standard user is asked for an administrator's credentials. Users should be allowed to access only areas related to their job responsibilities.

Therefore, UAC is an automatic check for two things:

  • Is a person at the keyboard consenting to this action, or is software trying to elevate its privileges on its own?
  • Does the user who asked for this action have the appropriate privileges on this machine?

Seems annoying, huh? But it performs a valuable service! Often our computers are infected or breached because we, the users, click on a link, download a Trojan, or go to a sketchy website, and the malicious code then tries to install something like a backdoor or a bot on our computer. UAC is frequently the last chance to stop it. It is not a hard security boundary, though (Microsoft does not treat it as one, and auto-elevation bypasses for administrator accounts are well known), which is why day-to-day accounts should be standard users rather than administrators: then the prompt demands a separate administrator password, not just a click.
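The UAC behaviour just described is controlled by a handful of registry values. The script below is an added example, not from the lesson: it reads those values and compares them with the settings the CIS Windows benchmarks recommend (UAC on, administrators prompted for consent on the secure desktop, standard users' elevation requests denied). The recommended values are quoted from memory of the CIS benchmark, so confirm them against the benchmark for your Windows version; the `-Fix` switch is my own addition.

```powershell
# Added example: audit (and optionally correct) the UAC policy values. Run elevated.
# Changes made with -Fix take effect after the user signs out or the machine reboots.
param([switch]$Fix)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> (recommended value, meaning). EnableLUA=0 turns UAC off entirely, and
# ConsentPromptBehaviorAdmin=0 means "elevate without prompting": both are what malware wants.
$recommended = [ordered]@{
    EnableLUA                  = @(1, 'UAC on: administrators run in Admin Approval Mode')
    ConsentPromptBehaviorAdmin = @(2, 'administrators: prompt for consent on the secure desktop')
    ConsentPromptBehaviorUser  = @(0, 'standard users: automatically deny elevation requests')
    PromptOnSecureDesktop      = @(1, 'show the prompt on the secure desktop, where other apps cannot click it')
}

$current = Get-ItemProperty -Path $key
$drift = 0
$report = foreach ($name in $recommended.Keys) {
    $want, $why = $recommended[$name]
    $have = $current.$name                       # $null if the value was never set
    $ok = ($null -ne $have) -and ([int]$have -eq $want)
    if (-not $ok) {
        $drift++
        if ($Fix) { Set-ItemProperty -Path $key -Name $name -Value $want -Type DWord }
    }
    [pscustomobject]@{
        Setting = $name; Current = $have; Recommended = $want
        Status  = $(if ($ok) { 'OK' } elseif ($Fix) { 'FIXED' } else { 'DRIFT' })
        Meaning = $why
    }
}
$report | Format-Table -AutoSize
Write-Host "$drift UAC setting(s) differed from the recommended values."
```

On a domain-joined machine these values are normally delivered by Group Policy, so a local fix is overwritten at the next policy refresh; correct the GPO instead. Note that a missing value is reported as DRIFT even though Windows applies a default in that case, because an explicit value is what the benchmark asks for.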

Local Security Policies

All operating systems have methods of enforcing rules. On Windows, the Local Security Policy tool (secpol.msc) applies rules to some very important user interactions. We can require a strong password and force it to be changed at regular intervals, stop the user from reusing old passwords, and, if someone tries to brute force the password by guessing it, lock the account after a set number of failed tries. Yes, sometimes we lock out the real user, but that is the price of making guessing expensive. The flip side is worth knowing too: an attacker who knows usernames can deliberately lock accounts, so the threshold and duration are chosen to slow guessing without turning lockouts into a denial of service.

Password Account Policies

  • Minimum length = how many characters the password must have
  • Complexity = which character classes it must use (upper, lower, digits, symbols) and that it must not contain the username
  • Maximum age = how long before it must be changed (and minimum age, so a user cannot cycle through the history in one sitting)
  • History = how many previous passwords are remembered so they cannot be reused

Account Lockout Policies

  • Threshold = how many failed tries before the account locks (0 means it never locks)
  • Duration = how long the account stays locked (0 means until an administrator unlocks it)
  • Reset counter after = how many minutes after the last failed try the bad-try count returns to zero; this must be less than or equal to the duration, but it is a separate setting, not the same value
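The account policies above can be audited without clicking through secpol.msc. The script below is an added example, not part of the lesson: it exports the local policy with `secedit`, parses the `[System Access]` section, and scores each setting against the thresholds the CIS Windows benchmarks recommend (14-character minimum, complexity on, maximum age of 365 days or less, 24-password history, lockout after at most 5 tries, 15-minute lockout and reset window). Those thresholds are quoted from my reading of the benchmark, so check them against the version for your OS.

```powershell
# Added example: export and score the local account policy. Run in an elevated PowerShell;
# secedit needs administrator rights. Key names are the ones Windows writes to the INF export.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# The export is INI-style ("Name = Value" under section headers); only [System Access] matters here.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $inf

# Special values in the export: MaximumPasswordAge -1 = never expires, LockoutBadCount 0 = never lock,
# LockoutDuration -1 = locked until an administrator unlocks. When the threshold is 0 the other two
# lockout keys are not exported at all, which the scoring treats as a failure.
$checks = @(
    @{ Key = 'MinimumPasswordLength'; Rule = { param($v) $v -ge 14 };                Target = 'length >= 14' }
    @{ Key = 'PasswordComplexity';    Rule = { param($v) $v -eq 1 };                 Target = 'complexity enabled' }
    @{ Key = 'MaximumPasswordAge';    Rule = { param($v) $v -ge 1 -and $v -le 365 }; Target = 'max age 1..365 days' }
    @{ Key = 'PasswordHistorySize';   Rule = { param($v) $v -ge 24 };                Target = 'history >= 24' }
    @{ Key = 'LockoutBadCount';       Rule = { param($v) $v -ge 1 -and $v -le 5 };   Target = 'lockout threshold 1..5' }
    @{ Key = 'LockoutDuration';       Rule = { param($v) $v -ge 15 -or $v -eq -1 };  Target = 'lockout duration >= 15 min' }
    @{ Key = 'ResetLockoutCount';     Rule = { param($v) $v -ge 15 };                Target = 'reset counter >= 15 min' }
)

$pass = 0
$report = foreach ($c in $checks) {
    $have = $policy[$c.Key]                                   # $null when the key is absent
    $ok = ($null -ne $have) -and (& $c.Rule $have)            # -and short-circuits on $null
    if ($ok) { $pass++ }
    [pscustomobject]@{ Setting = $c.Key; Current = $have; Target = $c.Target; Status = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
}
$report | Format-Table -AutoSize
Write-Host "Score: $pass / $($checks.Count) account-policy checks pass"
```

Most failures can be fixed with one command, for example `net accounts /minpwlen:14 /maxpwage:365 /uniquepw:24 /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15`; password complexity has no `net accounts` switch and is set in secpol.msc (or with a secedit template). Re-run the script afterwards to confirm the score went up. On a domain-joined machine the domain's password policy overrides the local one, so audit the GPO there instead.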

Other than enforcing passwords and blocking brute force attacks, there are many other ways that security policies can be used to protect the system. For example, with logon auditing turned on, the Security log may show many failed logon events for the username jsmith within a few minutes. That pattern, one username and many different passwords in quick succession, is the signature of a brute force attack (the reverse pattern, one password tried against many usernames, is called password spraying and is designed to stay under the lockout threshold).
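The script below is an added example, not part of the lesson, of turning the log pattern just described into a detection: it reads Security event 4625 (failed logon) for the last few minutes, extracts the target account and source address by field name from the event XML, and reports any account with more failures than a threshold. The 15-minute window and 5-failure threshold are my assumed defaults; failure auditing for the Logon subcategory must be enabled or there will be no events to read.

```powershell
# Added example: spot brute-force logon attempts from Security event 4625. Run elevated.
# Enable the audit source first:  auditpol /set /subcategory:"Logon" /failure:enable
param(
    [int]$Minutes   = 15,   # how far back to look
    [int]$Threshold = 5     # failures per account before it is reported
)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes)
} -ErrorAction SilentlyContinue   # no error when there are simply no failures

# Every 4625 carries the target account, source IP and NT status in EventData.
# Reading the XML by field name is more robust than relying on Properties[] positions.
$failures = foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $field['TargetUserName']
        Source    = $field['IpAddress']
        Status    = $field['Status']      # 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
        LogonType = $field['LogonType']   # 2 interactive, 3 network (SMB etc.), 10 RDP
    }
}

# One account, many failures in a short window: the brute-force pattern.
$failures |
    Group-Object User |
    Where-Object Count -ge $Threshold |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
            Types    = ($_.Group.LogonType | Sort-Object -Unique) -join ', '
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

Grouping by `Source` instead of `User` catches the spraying variant (one address, many accounts). A burst of `0xC0000064` results means the attacker is guessing usernames too, and `0xC0000234` entries confirm the lockout policy is doing its job.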

  • Audit Policy controls which actions are recorded in the Security log. Who logged into the device, when, and did it succeed? Without failure auditing turned on, the brute force pattern above is never written down.
  • User Rights Assignments control which type of user is allowed to take certain actions on the PC. Who can log on from the network? Who can log on through Remote Desktop? Who can shut down the system?
  • Security Options are restrictions put on settings or user actions, for example preventing users from installing unsigned device drivers or requiring the secure desktop for UAC prompts.
  • Services are built-in programs that let the PC perform certain functions. Many of them talk to other computers, which means listening on a network port and possibly creating an avenue for attack. It is important to identify what services are running and turn off any that are not necessary.
  • Applications are third-party programs installed by users to provide additional functions. Historically the apps below have been among the most common sources of attack vectors, because they handle untrusted files and often lag behind on updates:
    • Adobe Reader
    • Adobe Flash (end of life since the end of 2020; it should be removed, not updated)
    • Printer and device drivers
    • Games
Here are some key questions to ask about each application:

  • Why is it here? What function did it add to our system?
  • Who determined this application was needed? Did a user install it?
  • Does this application have any vulnerabilities? What can go wrong due to these flaws?

If the application is not truly needed, it must be removed!

We have explored some basic settings. However, the number and complexity of the possible settings can make it very confusing, so this is where benchmarks become very useful. 

Vulnerability Scanning

While general settings are very important, each device will have some differences for lots of reasons, such as where it is being used, what applications are installed, or how old it is.  Before trying to harden a system beyond basic settings, it is a good idea to first perform a vulnerability scan.

Many organizations use CIS-CAT from the Center for Internet Security (CIS); CIS-CAT Lite is free, and the Pro version is available to CIS members. It checks a system's configuration against the CIS Benchmark documents and reports the recommended changes, so its recommendations reflect Microsoft and industry best practice. The IT administrator runs these scans regularly to identify any insecure configurations. Microsoft's own Baseline Security Analyzer (MBSA) served a similar purpose for older Windows versions but has been retired; its current replacement for configuration checks is the Policy Analyzer in the Microsoft Security Compliance Toolkit, which compares a system's settings with Microsoft's published security baselines.

Here is how you perform a vulnerability scan:

  1. Perform an initial scan. A benchmark scanner such as CIS-CAT looks for insecure configurations, while a vulnerability scanner looks for known software vulnerabilities (CVEs). Remember those from a previous lesson? Either way, the scan produces a score or a count of findings that becomes your baseline.
  2. Go through recommended steps to apply benchmark hardening.
  3. Perform a new scan to check for an improved score that indicates device is hardened.

Reflection and Wrap-up

In this lesson, you have learned about various host-based defensive tools you can use to harden and restrict access to your system. Also, you have learned about various hardening policies and approaches information technology (IT) professionals use to identify vulnerabilities and implement cybersecurity precautions.

What steps will YOU take today to make it more difficult for malicious actors to mess with you and your system?

[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON.