System Hardening Process Checklist

Most administrators and security officers are well aware of the necessity of system hardening for corporate systems.

Hardening is the process of securing a system by reducing its attack surface. By the nature of things, the more functions a system performs, the larger that surface becomes.

Since most systems are dedicated to one or two functions, the number of possible attack vectors is reduced by removing any software, user accounts or services that are not related to, and required by, the planned system functions. System hardening is a vendor-specific process, since different vendors install different components in their default install.


However, all system hardening efforts follow the same generic process, so here is a checklist and diagram you can follow for your hardening activities.

  1. Perform initial system install - stick the DVD in and go through the motions.
  2. Remove unnecessary software - all systems come with a predefined set of software packages that are assumed to be useful to most users. Depending on the target use of the system, remove all software that is not going to be used, such as graphics and office packages on a web server.
  3. Disable or remove unnecessary usernames and passwords - most systems come with a lot of predefined user accounts for all kinds of purposes, from remote support to dedicated accounts for specific services. Remove all remote and support accounts, and all accounts related to services which are not to be used. For all accounts that remain, ALWAYS change the default passwords.
  4. Disable or remove unnecessary services - just as in the two previous points, remove all services which are not to be used in production. You can always just disable them, but if you have the choice, remove them altogether. This prevents someone from mistakenly reactivating a disabled service further down the line.
  5. Apply patches - after clearing the 'mess' of the default install, apply security and functionality patches for everything that is left on the system, especially the target services.
  6. Run a Nessus scan - update your Nessus scanner and let her rip. Perform a full scan, including the checks flagged as dangerous. Do the scan with no firewalls on the path between scanner and target. Read through the results; there will always be some findings, so you need to analyze them.
  7. If no vulnerabilities are discovered, use the system - after analyzing the results, if nothing significant was discovered, congratulations! You have a hardened system ready for use.
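
As an added illustration of steps 3 and 4 (example code, not part of the original post), the check below turns the "remove what the role does not need" rule into a repeatable script: given the host's /etc/passwd and the output of `systemctl list-unit-files --state=enabled`, it lists login accounts and enabled services that are not on an approved baseline for the host's role. The account and service names in the sample data are constructed, and the approved sets are assumptions you would define per system role.

```python
"""Steps 3 and 4 as a repeatable check: flag login accounts and enabled
services that are not on the approved baseline for this host's role.
Input is /etc/passwd text and `systemctl list-unit-files --state=enabled`
output; the samples at the bottom are constructed, not from a real host."""

# Shells that mark an account as non-interactive (service account).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def unexpected_login_accounts(passwd_text, approved):
    """Return (account, reason) pairs for accounts that can log in but are not
    in `approved`. Any UID 0 account other than root is always reported."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed entries
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        elif shell not in NOLOGIN_SHELLS and name not in approved:
            findings.append((name, f"interactive shell {shell}"))
    return findings

def unexpected_enabled_services(unit_files_text, required):
    """Return enabled .service units that are not in `required`; the header
    line and the trailing 'N unit files listed.' summary are skipped."""
    enabled = []
    for line in unit_files_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled" and parts[0].endswith(".service"):
            enabled.append(parts[0][: -len(".service")])
    return [unit for unit in enabled if unit not in required]

# Constructed sample data for a host whose only job is serving a web site.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
support:x:1001:1001:Vendor remote support:/home/support:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
webadmin:x:1002:1002::/home/webadmin:/bin/bash
"""
SAMPLE_UNITS = """UNIT FILE             STATE    PRESET
apache2.service       enabled  enabled
cups.service          enabled  enabled
ssh.service           enabled  enabled
avahi-daemon.service  enabled  enabled
4 unit files listed.
"""
```

With `{"root", "webadmin"}` as the approved accounts and `{"apache2", "ssh"}` as the required services, the sample data yields the vendor `support` account and the second UID 0 account `toor`, plus the `cups` and `avahi-daemon` services, as items to remove or disable before patching and scanning.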

Here is the described checklist as a process diagram:


Talkback and comments are most welcome.


6 comments:

nukeit said...

A very simple, and clear method. The only thing that I disagree with is the specific use of Nessus. If the person doing the audit is concerned with licensing issues, they might wish to choose OpenVAS (a FOSS Nessus fork).
http://www.openvas.org/

Bozidar Spirovski said...

Of course, OpenVAS is much clearer on the licensing issues, but it is still under heavy development and supports only several Linux distros. One has to think about the Windows admins, who are plentiful. I choose Nessus as the middle ground between commercial products and open source - best of both worlds. My preferred product would be eEye Retina, but it's EXPENSIVE.

Gunslingor said...

That's great, but I still don't understand how to determine which services are required and which can be deleted. Is there a process for this? I need assistance. I have been posting all over the place and no one can give me any information on how to determine which services are required and which can be deleted. How do I determine what software uses which services?

Michael said...

Came across this link and noticed the question of Gunslingor. Although outdated, the answer might be useful for future visitors: make a baseline of the tools and processes you really need. This could be done by creating a very small install and trying to disable every single process (until it breaks). Or you could read the description of each process and determine what is still useful.

Secondly, I suggest hardening and auditing tools. Although biased, for Linux systems you could try my hardening tool Lynis.
