
Hardening

Nov 22, 2022

Hardening is the process of bringing an OS, application, or other system to a more secure state by changing its configuration away from the default (or previous) settings and reducing its attack surface.

This process can (and usually will) include removing software and services from the OS, removing or changing default passwords, patching, and so on.

The aim of hardening is to remove configuration vulnerabilities.

For example, you can apply a password policy on your OS so that users have to set a complex password; allowing no password, or a simple one, would classify as a configuration-based vulnerability.

The hardening process should be specific to the OS and to the threats you're attempting to control. It would not be the same for a Linux-based server that is, for example, a public web server and for a Windows desktop, because the nature of the threats you're up against differs, i.e., you'd need a different profile for each of those.

This implies that there's no single, general way to harden systems; however, some things you will tend to do hold for all of those cases, like, as I already mentioned, removing unnecessary software and reducing your attack surface by controlling more tightly what could be attacked.

Hardening is not a trivial task, as it requires an in-depth understanding of the system you're hardening. To take an extreme example: you could set your firewall to block all traffic by default and you would be quite safe, but the reason for that safety would be that you've rendered one of the (main) functionalities of that system unusable, namely accessing the Internet. Thus, you really need to pay attention in order to strike a sensible middle ground between usability and security. You don't want to have issues using your daily-driver OS, and you don't want to break it.

Layers

It's helpful to think in layers when hardening your systems. One example is the web server I already mentioned. You would have the OS layer, so you'd need to harden the OS itself; then, if for example Apache runs as an application server on top of it, you'd need to harden that as well. Finally, if there is an application running there, the code for that application would need to be written securely.

This is just an illustration so that you have a general idea of what to consider when thinking about hardening, but I want to focus more on OSes (if necessary, I will write another dedicated article about application hardening).

Standards

There are standards out there for almost anything you'd like to harden, and it's best to follow them, much like secure coding best practices or any other type of best practice.

Also, there are scripts that can audit your system against a standard, or remediate it to the state you want. This not only saves you time but also gives you a good way to avoid human error while hardening your system.
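As an added illustration of the kind of audit script described above (example code written for this article, not a CIS or STIG tool and not part of the original post), the following Python checks a handful of settings, including a password policy like the one mentioned earlier, against a small constructed baseline and lists what would need remediation. The rule ids, thresholds and sample file contents are constructed assumptions; a real benchmark defines its own.

```python
"""Toy hardening audit: check a few settings against a small baseline.

Added example, not code from the original post or from any benchmark vendor.
The checks and their expected values are constructed for illustration; a real
baseline (CIS, STIG, ...) defines its own rule ids, thresholds and remediation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample files, standing in for /etc/login.defs and
# /etc/ssh/sshd_config as read from a host under audit.
SAMPLE_FILES: Dict[str, str] = {
    "login.defs": """\
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
""",
    "sshd_config": """\
# constructed sample of /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
""",
}


def setting(text: str, key: str) -> Optional[str]:
    """Value of the last active 'KEY value' line (key matched case-insensitively), or None.

    Commented-out lines are skipped, so '#PasswordAuthentication no' is not a
    setting; a missing directive means the program's built-in default applies.
    """
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            value = parts[1].strip()
    return value


@dataclass(frozen=True)
class Check:
    rule_id: str       # constructed id, not from any published benchmark
    file: str          # key into the files dict
    key: str           # configuration directive to inspect
    ok: Callable[[Optional[str]], bool]   # predicate on the value (None = not set)
    remediation: str   # what to change when the check fails


def at_most(limit: int) -> Callable[[Optional[str]], bool]:
    """Numeric setting present and <= limit (an unset value fails)."""
    return lambda v: v is not None and v.isdigit() and int(v) <= limit


def at_least(limit: int) -> Callable[[Optional[str]], bool]:
    """Numeric setting present and >= limit (an unset value fails)."""
    return lambda v: v is not None and v.isdigit() and int(v) >= limit


def one_of(*allowed: str) -> Callable[[Optional[str]], bool]:
    """Setting present and equal (case-insensitively) to one of the allowed values."""
    return lambda v: v is not None and v.lower() in allowed


# Constructed baseline; thresholds are illustrative, not taken from CIS or STIG.
BASELINE: List[Check] = [
    Check("pw-max-days", "login.defs", "PASS_MAX_DAYS", at_most(365),
          "set PASS_MAX_DAYS to 365 or less"),
    Check("pw-min-len", "login.defs", "PASS_MIN_LEN", at_least(14),
          "set PASS_MIN_LEN to 14 or more"),
    Check("ssh-root-login", "sshd_config", "PermitRootLogin",
          one_of("no", "prohibit-password"), "set PermitRootLogin no"),
    Check("ssh-password-auth", "sshd_config", "PasswordAuthentication",
          one_of("no"), "set PasswordAuthentication no explicitly"),
    Check("ssh-x11", "sshd_config", "X11Forwarding", one_of("no"),
          "set X11Forwarding no"),
]


def audit(files: Dict[str, str], baseline: List[Check] = BASELINE) -> Dict[str, bool]:
    """Map rule id -> True (compliant) or False (finding) for the given file contents."""
    return {c.rule_id: c.ok(setting(files[c.file], c.key)) for c in baseline}


def findings(files: Dict[str, str], baseline: List[Check] = BASELINE) -> List[str]:
    """Remediation line for every failed rule, in baseline order."""
    results = audit(files, baseline)
    return [f"{c.rule_id}: {c.remediation}" for c in baseline if not results[c.rule_id]]


if __name__ == "__main__":
    for rule, ok in audit(SAMPLE_FILES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
    for line in findings(SAMPLE_FILES):
        print("remediate:", line)
```

The audit is deliberately read-only: it reports findings and the matching remediation text but changes nothing, which is the safe default for a first run against a system you do not yet fully understand. Note how an unset value is treated as a failure for every check, so that a commented-out directive cannot silently pass as "hardened".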

These standards go by several names: baselines, benchmarks, policies, standards, and so on. Just an FYI; they all describe the same thing. Also note that these benchmarks are written by a community of security professionals, which is what we want.

One such hardening standard is the CIS Benchmarks. As you can see on their site, aside from the OS benchmarks they offer hardening guidance for mobile devices, network devices, server/desktop software, cloud platforms, and more, and it's a good place to start. Once you've found the target system you'd like to harden, you can click on its link and download the associated PDF for that specific benchmark. (You will need to fill out a form, but after that you'll be sent a link giving you access to all the available PDFs, free of charge.)

Note that the standards needn't necessarily align with your needs, so even these are not a silver bullet you can implement blindly. Read them, understand them, and assess what you will need before going forward with the implementation.

Another one of these baselines is the NIST Configuration Baseline, but it's a bit dated (covering only Windows 7 and Red Hat; if you have Red Hat in your environment, it might still be useful to you). Regardless, it's a good resource to skim through so you can learn a bit more on the topic.

One more standard/baseline is the Security Technical Implementation Guides (STIGs), from the DoD Cyber Exchange team. These are up to date and cover the latest OSes (mostly) and the respective security standards for hardening them. Do note that these are geared towards the DoD and its requirements, so there may be things in there that won't be useful for your case. However, I'd recommend that anyone who wants to harden their system(s) look at them and think of them as general hardening guidelines. To view them you'll also need the STIG Viewer, as they are distributed in XCCDF format.

Although this might be a bit of a hassle, it's worth it because it gives you a very nicely laid out interface with recommended settings, references, information, and more, all related to hardening your system(s).

SCAP – Security Content Automation Protocol

This is a NIST standard, and from their website, it’s about:

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.

And

NIST's security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. We envision further expansion in compliance, remediation, and network monitoring, and encourage your contribution relative to these and additional disciplines.

The SCAP standard is XML-based and consists of the following components:

  • XCCDF (Extensible Configuration Checklist Description Format)

  • OVAL (Open Vulnerability and Assessment Language)

  • DataStream (the container that bundles the other components together)

  • ARF (Asset Reporting Format)

  • CPE (Common Platform Enumeration)

  • CVE (Common Vulnerabilities and Exposures)

Simply put, SCAP is a protocol/standard for creating security content that is both human- and machine-readable, which automated tools can then use to audit or harden a target system.

OpenSCAP is an implementation of SCAP: a bundle of tools and security policies built on the SCAP standard. Be sure to check out SCAP Workbench. This tool lets users perform configuration and vulnerability scans on a single local or remote system and remediate that system in accordance with a given XCCDF or SDS (source data stream) file. Workbench can also generate reports, in multiple formats, containing the results of a system scan.

It will help in case all of this is a bit confusing: you load one of the standards mentioned above, run it against your system, and it tells you which rules passed or failed and whether any vulnerabilities were found.

Unfortunately, OpenSCAP is focused mostly on Linux systems (particularly Red Hat-based ones such as CentOS and Fedora), though there is some (very minimal) macOS and Windows support.
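To show what the machine-readable side of SCAP looks like in practice, here is an added Python example (not from the post and not code from the OpenSCAP project) that parses an XCCDF results document of the kind a scan produces, counts results per rule, and lists failed rules by severity. The embedded XML is a constructed, heavily trimmed stand-in for a real results file and its rule ids are placeholders; the XCCDF 1.2 namespace and the result vocabulary (pass, fail, notapplicable, ...) are the real ones.

```python
"""Summarise an XCCDF results file of the kind `oscap xccdf eval --results` writes.

Added example, not code from the original post or from the OpenSCAP project.
The XML below is a constructed, trimmed stand-in for a real results file; the
rule ids are placeholders, not ids from any published benchmark.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
NS = {"x": XCCDF_NS}

# Constructed sample: one <TestResult> with a few <rule-result> entries.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_accounts_maximum_age" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_sshd_disable_x11_forwarding" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet_removed" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_grub2_password" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def rule_results(xml_text: str) -> List[Dict[str, str]]:
    """One dict per <rule-result>: its idref, severity and textual result."""
    root = ET.fromstring(xml_text)
    out: List[Dict[str, str]] = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.find("x:result", NS)
        text = result.text.strip() if result is not None and result.text else "unknown"
        out.append({
            "idref": rr.get("idref", ""),
            "severity": rr.get("severity", "unknown"),
            "result": text,
        })
    return out


def summarize(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of rules per XCCDF result value (pass, fail, notapplicable, ...)."""
    return dict(Counter(r["result"] for r in results))


def failed_rules(results: List[Dict[str, str]], min_severity: str = "low") -> List[str]:
    """idrefs of failed rules at or above min_severity, highest severity first."""
    floor = SEVERITY_RANK.get(min_severity, 1)
    failed = [r for r in results
              if r["result"] == "fail" and SEVERITY_RANK.get(r["severity"], 0) >= floor]
    failed.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)
    return [r["idref"] for r in failed]


def compliant(results: List[Dict[str, str]]) -> bool:
    """True when no rule failed or errored; notapplicable/notchecked are not findings."""
    return not any(r["result"] in ("fail", "error") for r in results)


if __name__ == "__main__":
    rs = rule_results(SAMPLE_RESULTS)
    print("summary:", summarize(rs))
    print("failed (high and above):", failed_rules(rs, "high"))
    print("compliant:", compliant(rs))
```

A real results file comes out of a scan such as `oscap xccdf eval --profile <profile-id> --results results.xml --report report.html <datastream.xml>`; pass its contents to rule_results() in place of SAMPLE_RESULTS. Keep notapplicable and notchecked as information rather than findings, as compliant() does, and look at any error results separately, since an error means the check could not run at all rather than that the system passed.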

Conclusion

This is an extensive topic, and I hope my introduction to it has caught your attention. In the coming articles I will try to cover at least the OS portion of hardening, for Windows, Mac, and Linux.

Stay tuned!

Cover image by Ian Battaglia

#hardening #OS #application #SCAP #standard


Written by acephale
