What does Host Hardening mean?
Host hardening means reducing a system's exposure to attack by applying protective measures to it. The protection is usually applied in several layers, an approach known as defense in depth.
In system hardening we protect the host at several layers: physical, user, operating system, application and network service level, plus the sublayers within each.
Each layer gets its own controls, so a hardened system is much harder to compromise than a default installation: an attacker has to defeat several independent protections instead of one. A default OS installation pulls in many programs that may never be used or updated. Many of them ship with loose permissions and configurations that give an attacker an easy way in, and together they create a large attack surface.
What is an attack surface?
An attack vector, in computer security terms, is the path or method an attacker (or self-propagating malicious code such as a worm) uses to reach and compromise a system.
The attack surface is the sum of all such points, the individual attack vectors, where an attacker can try to get data into or out of a system or network: open ports, running services, user accounts, exposed applications and so on.
The goal is to keep the attack surface as small as possible: fewer entry points means fewer places for an attacker to inject data, and fewer environments in which malware can run at all.
Steps for Host Hardening
- Remove unused applications
A number of background processes and services are running on your device right now as you read this article. Removing them can be discouraging, for instance because it is not clear whether the OS itself depends on them.
Free scanners are available that help determine which applications are genuinely unused so they can be removed. In a large organization, vendors and internal staff need to be consulted so that whoever really needs an application keeps it. Always check whether an application that is already installed can do the same job.
Servers do not need desktop user applications, so remove them. A minimal, console-only (no GUI) installation improves both performance and security. Also eliminate unnecessary accounts and privileges throughout the IT infrastructure.
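As an added example (not from this article), the following POSIX shell script audits a passwd-format file for two of the unnecessary privileges just mentioned: extra UID-0 accounts and system accounts that still have an interactive login shell. It also lists enabled services on a systemd host so unused ones can be disabled. The sample passwd content is constructed; point `audit_passwd` at /etc/passwd to run it on a real host, and `list_enabled_services` assumes a systemd-based distribution.

```shell
#!/bin/sh
# Added example, not from the article. Audits a passwd-format file for
# accounts that widen the attack surface, and lists enabled services on a
# systemd host so unused ones can be disabled. Sample data is constructed.

# Print one finding per line, "<kind> <user>:<uid>:<shell>", for:
#   - any UID-0 account other than root (a second superuser), and
#   - any system account (UID below 1000) that still has a login shell.
# Argument 1: path to a passwd-format file (use /etc/passwd on a real host).
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }                 # skip comments and malformed lines
        $3 == 0 && $1 != "root" {
            print "extra-uid0 " $1 ":" $3 ":" $7; next
        }
        $3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ {
            print "system-account-with-shell " $1 ":" $3 ":" $7
        }' "$1"
}

# Number of findings in a passwd file, for use in scripts and checks.
count_findings() {
    audit_passwd "$1" | wc -l | tr -d ' '
}

# Enabled services on a systemd host (one unit name per line). Review this
# list and disable anything the host does not need:
#   systemctl disable --now <unit>
list_enabled_services() {
    systemctl list-unit-files --type=service --state=enabled --no-legend 2>/dev/null |
        awk '{ print $1 }'
}

# Constructed sample: "toor" is a second root account and "backup" is a
# system account that was given /bin/bash.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

audit_passwd "$SAMPLE_PASSWD"
# system-account-with-shell backup:34:/bin/bash
# extra-uid0 toor:0:/bin/sh
```

The UID threshold of 1000 is the usual boundary between system and regular accounts on Debian and Red Hat derivatives; adjust it to match your distribution's login.defs.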
- Patch systems regularly
Almost every application and OS vendor releases patches every few weeks as new bugs are discovered. Humans write software, and humans make mistakes, so no software is free of vulnerabilities. Apply updates as soon as they are available: they contain the fixes for those bugs and vulnerabilities, and skipping them leaves the system exposed to attacks that are already publicly known.
Keep antivirus and/or anti-spyware installed with up-to-date definitions.
In a large organization it is hard to find time for updates every week or even every month, but time-consuming as it is, patching is what keeps systems current. If manual updates are too much of a burden, turn on automatic updates (at least for security updates) and monitor that they actually complete.
Install new systems in an isolated environment first, well protected from attack. A server becomes vulnerable the moment it is exposed to an untrusted network such as the internet, so release it only after it has been fully patched and tested.
Also keep periodic images (clones) of systems for redeployment, using software such as Symantec Ghost or SmartDeploy. These tools capture a compressed copy of the system files that doubles as a backup and can be restored to the system whenever required. Keep the golden image patched too, or every machine deployed from it starts out vulnerable.
- Controlling network services
Always check which services can be accessed over your network and who is accessing them. That gives you a good picture of your users and their regular use of applications and services. Create an alert when a user repeatedly tries to access restricted services.
Also use a port scanner such as Nmap, a free, open-source network scanner. It tells you which hosts are up, which ports are open on them and which services (and often which versions) those ports run, and its scripting engine (NSE) can detect some known security weaknesses. Scan your own hosts from outside so that you see what an attacker would see.
On Windows Server, use Server Manager, the management console that lets you manage local and remote Windows servers from a desktop without physical access to the servers and without enabling Remote Desktop Protocol (RDP) connections to each one.
On Linux, use netstat (network statistics), a command that shows in detail how your computer is communicating with other computers and network devices, including which ports are listening. On current distributions netstat is often not installed; its replacement is ss, and `ss -tulpn` lists the listening TCP and UDP sockets together with the process that owns each one.
We can also look at /etc/init.d/, a subdirectory of /etc that holds the start/stop scripts used to control (start, stop, reload, restart) daemons during boot or while the system is running. Listing /etc/init.d shows the scripts for the services installed on the system. On systemd-based distributions the equivalent is `systemctl list-unit-files --type=service`, and a service is turned off with `systemctl disable --now <service>`.
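The following POSIX shell script is an added example (not from this article) of the listening-service check described above. It parses `ss -tulpn` output, reports which sockets are bound to every interface rather than loopback, and flags the legacy or cleartext ports that the later sections say to disable (Telnet, rsh/rlogin, NetBIOS, SMB). The `ss` output below is constructed so the script runs offline; `audit_live` runs the same check against the real host.

```shell
#!/bin/sh
# Added example, not from the article. Audits `ss -tulpn` output for services
# exposed on all interfaces and for legacy ports that should be disabled or
# firewalled. The sample ss output is constructed.

# Read `ss -tulpn` output on stdin and print one line per socket:
#   <severity> <port>/<proto> <bind-address> <process> <legacy-name>
# severity is EXPOSED-LEGACY (all interfaces + legacy port), EXPOSED
# (all interfaces), or local (bound to a loopback or specific address).
audit_listeners() {
    awk '
    BEGIN {
        # Cleartext or legacy protocols; 139/445 are listed because SMB should
        # never be reachable from untrusted networks, not because SMB3 is weak.
        legacy["21/tcp"] = "ftp";         legacy["23/tcp"] = "telnet"
        legacy["69/udp"] = "tftp";        legacy["137/udp"] = "netbios-ns"
        legacy["138/udp"] = "netbios-dgm"; legacy["139/tcp"] = "netbios-ssn"
        legacy["445/tcp"] = "smb";        legacy["512/tcp"] = "rexec"
        legacy["513/tcp"] = "rlogin";     legacy["514/tcp"] = "rsh"
    }
    $1 == "Netid" || NF < 5 { next }             # skip header / blank lines
    {
        proto = $1; laddr = $5                   # e.g. tcp  0.0.0.0:22
        if (!match(laddr, /:[0-9]+$/)) next      # split "addr:port" at the last colon
        addr = substr(laddr, 1, RSTART - 1); port = substr(laddr, RSTART + 1)
        proc = "-"                               # owning process from users:(("name",pid=..))
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        exposed = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        key = port "/" proto
        if (exposed && (key in legacy)) sev = "EXPOSED-LEGACY"
        else if (exposed)               sev = "EXPOSED"
        else                            sev = "local"
        label = (key in legacy) ? legacy[key] : "-"
        printf "%-14s %s %s %s %s\n", sev, key, addr, proc, label
    }'
}

# Run the audit against the live host (needs iproute2's ss and root for -p).
audit_live() {
    ss -tulpn | audit_listeners
}

# Constructed sample of `ss -tulpn` output: sshd, CUPS on loopback, an inetd
# telnet listener, Samba's NetBIOS name service and SMB on all interfaces.
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*     users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*     users:(("inetd",pid=650,fd=5))
udp   UNCONN 0      0      0.0.0.0:137        0.0.0.0:*     users:(("nmbd",pid=900,fd=16))
tcp   LISTEN 0      128    [::]:445           [::]:*        users:(("smbd",pid=910,fd=35))
EOF
)

printf '%s\n' "$SAMPLE_SS" | audit_listeners
# EXPOSED        22/tcp 0.0.0.0 sshd -
# local          631/tcp 127.0.0.1 cupsd -
# EXPOSED-LEGACY 23/tcp 0.0.0.0 inetd telnet
# EXPOSED-LEGACY 137/udp 0.0.0.0 nmbd netbios-ns
# EXPOSED-LEGACY 445/tcp [::] smbd smb
```

Each EXPOSED-LEGACY line names the owning process, which is what you hand to `systemctl disable --now` (or remove from inetd.conf); an EXPOSED line that is legitimately needed, such as sshd, is a candidate for binding to the management address or restricting with the host firewall.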
- Disable the following Windows services and ports wherever they are not required
NetBIOS: an older Microsoft protocol that announces a machine's name and IP address, using UDP 137 (name service), UDP 138 (datagram service) and TCP 139 (session service). WINS, the Windows name lookup service used to register names and IP addresses, belongs to the same generation.
Legacy applications need these services for network discovery, for example file and print sharing, and several CVEs for NetBIOS exist in the National Vulnerability Database. Server Message Block (SMB) is another Microsoft protocol for file sharing, network discovery and printer discovery/sharing. It runs on TCP 139 (over NetBIOS) and TCP 445 (directly over TCP/IP) and exists in versions 1, 2 and 3; only version 3 supports encryption. The old versions are the ones worms exploit: WannaCry spread through an SMBv1 flaw (MS17-010), and Stuxnet also propagated over SMB file shares. So disable SMBv1, block SMB (TCP 139/445) at the perimeter in both directions, outbound in particular so that clients cannot be tricked into sending SMB authentication to an attacker's server, and keep systems patched.
- Disable unneeded remote services
Windows: Remote Desktop (RDP), Terminal Services, Remote Registry. Unix: rlogin, rsh, Telnet.
The older, unencrypted remote services (Telnet, rlogin, rsh) are open to eavesdropping: credentials and whole sessions cross the network in cleartext. If remote login is needed, use RDP (with Network Level Authentication enabled) on Windows or SSH on Unix; both are encrypted, and even they should be reachable only from the management network rather than the whole internet.
rsh and rlogin let a system connect without a password by relying on a trust relationship (hosts.equiv or ~/.rhosts entries) established before the command is executed. SSH also allows password-less login, but with cryptographic keys (public-key authentication), which is the right way to grant, for example, a third-party user temporary access.
A trust relationship without cryptographic checking can be spoofed, because rsh trusts a hostname or IP address that an attacker can forge. With SSH the common failure is the opposite: keys that were never removed. Stale entries in authorized_keys (former employees, finished contractors, decommissioned hosts) are a leading cause of insider attacks over SSH, so review and revoke keys regularly. In general, disable every remote service that is not required.
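As an added example (not from this article), the POSIX shell script below performs the remote-access checks this section calls for: it finds rsh/rlogin trust files and wildcard (`+`) entries, reports sshd_config settings that still allow password or root login, and flags obsolete authorized_keys entries, meaning DSA keys (disabled by default since OpenSSH 7.0) and keys whose comment does not name a current user. The sandbox directory, config file, key file and user list are all constructed; on a real host point the functions at `/`, `/etc/ssh/sshd_config`, each user's `~/.ssh/authorized_keys` and your own list of current staff.

```shell
#!/bin/sh
# Added example, not from the article. Audits rsh trust files, sshd_config and
# authorized_keys for the weaknesses described above. All input is constructed.

# List rsh/rlogin trust files below directory $1. A line starting with "+"
# trusts every host (and, with "+ +", every user), which is the worst case.
find_rhosts() {
    find "$1" \( -name .rhosts -o -name hosts.equiv \) -type f 2>/dev/null |
    while read -r f; do
        if grep -q '^+' "$f"; then echo "wildcard-trust $f"; else echo "trust-file $f"; fi
    done
}

# Report sshd_config directives ($1) that leave password or root login open.
# Like sshd, only the first occurrence of a directive counts. Caveat: settings
# inside Match blocks are not handled by this simple parser.
check_sshd_config() {
    awk '
    /^[[:space:]]*#/ || NF < 2 { next }
    { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
    END {
        if (val["passwordauthentication"] != "no")
            print "PasswordAuthentication is not no (sshd default is yes)"
        r = ("permitrootlogin" in val) ? val["permitrootlogin"] : "prohibit-password"
        if (r != "no" && r != "prohibit-password" && r != "without-password")
            print "PermitRootLogin allows root login (set no or prohibit-password)"
        if (val["permitemptypasswords"] == "yes")
            print "PermitEmptyPasswords is yes"
    }' "$1"
}

# Flag authorized_keys entries ($1) that should be reviewed or revoked:
# DSA keys, and keys whose comment (user@host) does not name a current user
# listed one per line in $2. Caveat: key options containing spaces inside
# quotes (e.g. from="a b") are not handled by this field-based parser.
audit_authorized_keys() {
    awk -v allowed_file="$2" '
    BEGIN { while ((getline n < allowed_file) > 0) allowed[n] = 1 }
    /^#/ || NF < 2 { next }
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break   # skip options
        if (i > NF) next
        type = $i; comment = (i + 2 <= NF) ? $(i + 2) : ""
        owner = comment; sub(/@.*/, "", owner)
        if (type == "ssh-dss") print "deprecated-dsa " type " " comment
        else if (!(owner in allowed)) print "unknown-owner " type " " comment
    }' "$1"
}

# Constructed sandbox: a wildcard .rhosts, a weak sshd_config, and a key file
# with a contractor's leftover key and an old DSA key. Key material is fake.
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/home/bob" "$SANDBOX/etc"
printf '+ +\n' > "$SANDBOX/home/bob/.rhosts"
cat > "$SANDBOX/etc/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
cat > "$SANDBOX/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIAL1 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEKEYMATERIAL2 contractor@vendor
ssh-dss AAAAB3NzaC1kc3MAAACBAFAKEKEYMATERIAL3 bob@old-workstation
EOF
printf 'alice\nbob\n' > "$SANDBOX/current_users"

find_rhosts "$SANDBOX"
check_sshd_config "$SANDBOX/etc/sshd_config"
audit_authorized_keys "$SANDBOX/authorized_keys" "$SANDBOX/current_users"
```

Matching key comments against a staff list is a heuristic: comments are free text and can be edited. A stronger check compares key fingerprints (`ssh-keygen -lf authorized_keys`) against an inventory of keys you issued, and the hardened answer to the rsh findings is simply to remove the r-services packages.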