Operating System Hardening
Operating system hardening is the process of reducing the attack surface of an operating system.
- involves enabling or disabling specific features and restricting access to sensitive areas of the system
- includes
- disabling unnecessary services
- limiting user privileges
- patching the operating system
- etc.
- best-practice hardening guides include:
The sum of openings through which a system can be attacked is called the attack surface.
6 Ways to Decrease Operating System Attack Surface
- Remove unnecessary software
- Remove unneeded services
- Alter default accounts
- Use principles of least privilege
- Perform updates
- Implement logging and auditing
Remove All Unnecessary Software
- Each piece of software installed on your OS adds to the attack surface
- Install the bare minimum needed software
Remove All Unessential Services
Services are software that load automatically when the system starts.
Many OS ship with a wide variety of services that:
- share information over the network
- locate other devices
- synchronize the time
- allow you to access or transfer files
- and more
Turning off services can be difficult because:
- service names often don’t indicate their actual function
- working out what each one does requires a time investment in research
The best way to start turning off services is to determine the network ports on which the system is listening for network connections.
- an open port gives clues as to what service might be on the backend of it
To see open ports you can use:
- netstat (Windows default)
- Nmap
Alter Default Accounts
Many OS come with standard accounts:
- guest account
- administrator account
- potentially others
Default accounts are a risk because they often have:
- excessively liberal permissions
- a weak default password or no password
You can typically turn off guest and support accounts without issue.
Admin accounts cannot be removed without issues, so instead:
- change the password to something secure
- change the name of the account
Apply the Principle of Least Privileges
The principle of least privileges dictates that you should allow a party only the absolutely minimum permission needed for it to carry out its function.
Most OS separate tasks into those that require admin permissions and those that don’t.
- Unix and Linux-like OS don’t allow admin/root/superuser permissions for standard users by default
- but the user can elevate their privilege
- Windows OS typically does allow admin permissions for standard users, making it more vulnerable
Perform Updates
Perform regular and timely updates to OS and applications to protect against vulnerabilities.
- The most crucial time to ensure a system is patched is directly after installation
- best practice is to download the patches onto removable media and patch the system before connecting it to the network
Turn on Logging and Auditing
Key information for logging:
- Log files
- User activity
- Network traffic
Turn on activity logging for:
- failed login attempts
- usage of admin privileges
- users logging in to and out of the system itself
- changes to the operating system
- similar such events
Third-party apps and tools can also be installed for logging, monitoring, and auditing.
Reviewing logs is an important part of the process.
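As an added example (not part of these notes), the following Python script reviews a constructed auth.log excerpt for the events listed above: failed login attempts grouped by source, use of admin privileges through sudo, and users logging in to and out of the system. The log lines, the RFC 5737 test addresses and the alert threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (syslog format, RFC 5737 test addresses).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:20 host sshd[1201]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:01 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:02:01 host sshd[1210]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:03:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl disable cups
Mar  3 10:05:00 host sshd[1210]: pam_unix(sshd:session): session closed for user alice
"""

# Patterns for the three event types the notes say to log.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
SESSION = re.compile(r"session (opened|closed) for user (\S+)")


def review_auth_log(text, fail_threshold=3):
    """Summarise failed logins, admin-privilege use and sessions; alert on repeated failures."""
    failed_by_source = Counter()
    failed_users = defaultdict(set)
    sudo_commands = []
    sessions = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, source = m.groups()
            failed_by_source[source] += 1
            failed_users[source].add(user)
            continue
        m = SUDO.search(line)
        if m:
            sudo_commands.append({"user": m.group(1), "as": m.group(2), "command": m.group(3).strip()})
            continue
        m = SESSION.search(line)
        if m:
            sessions.append((m.group(2), m.group(1)))
    # A source that fails fail_threshold or more times is worth a closer look.
    alerts = [
        f"{count} failed logins from {source} (users tried: {', '.join(sorted(failed_users[source]))})"
        for source, count in failed_by_source.items() if count >= fail_threshold
    ]
    return {"failed_by_source": dict(failed_by_source), "sudo_commands": sudo_commands,
            "sessions": sessions, "alerts": alerts}


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_AUTH_LOG)
    for alert in report["alerts"]:
        print("ALERT:", alert)
    for entry in report["sudo_commands"]:
        print(f"sudo: {entry['user']} ran as {entry['as']}: {entry['command']}")
```

On a real host the same function can be fed the contents of the system's auth log instead of the sample text.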