OS hardening is a critical best practice in an age when cybersecurity attacks are steadily increasing in frequency.
But is OS hardening sufficient on its own to keep data safe from attackers? The short answer is no. For the long answer, and an explanation of where OS hardening fits within an overall data security strategy, keep reading.
What Is OS Hardening?
OS hardening (which is short for operating system hardening) refers to adding extra security measures to your operating system in order to strengthen it against the risk of cyberattack.
All mainstream modern operating systems are designed to be secure by default, of course. But on most systems, you can add extra security features and modify the default configuration settings in ways that make the system less vulnerable to attacks than it would be with a default install alone.
OS hardening is especially important in situations where a system faces above-average security risks, such as a Web server that is exposed to the public Internet or a data server that contains data that is subject to strict regulatory privacy requirements. However, given the high rate of cyberattacks today, operating system hardening is a best practice even in cases where servers or data face only average security risks. The time it takes to harden an OS is often well worth it, because, as they say, an ounce of prevention equals a pound of cure.
You can think of OS hardening as akin to adding a security system to your home or installing deadbolts on your doors. Although your house was built to be basically secure, these extra security measures provide additional confidence that intruders won't be able to break past your home's basic defenses.
The exact steps that you take to harden an operating system will vary depending on the type of operating system, its level of exposure to the public Internet, the types of applications it hosts and other factors.
However, the following OS hardening checklist is a good place to start when hardening any type of operating system:
- Firewall configuration. Your operating system may or may not have a firewall set up by default. Even if it does have a firewall running, the firewall rules may not be as strict as they could be. For this reason, OS hardening should involve reviewing firewall configurations and modifying them so that traffic is accepted only from the IP addresses and on the ports from which it is strictly needed. Any non-essential open ports are an unnecessary security risk.
- Access control. Windows, Linux and OS X all provide user, group and account management features that can be used to restrict access to files, networking and other resources. But these features are often not as strict as they could be by default. Review them to make sure that access to a given resource is granted only to users who truly need it. For example, if you have a Linux server where each user account has read access to other users' home directories, and this access is not actually required for the use case that the server supports, you would want to change file permissions to close off the unnecessary access.
- Anti-virus. Depending on the type of system you are hardening and the workloads running on it, you may want to install and configure anti-virus software to detect and remediate malware. For example, if you are hardening a Windows workstation where users will be opening email messages, having anti-virus software in place provides useful extra security in case users open a malicious file attachment.
- Software updates. Be sure to determine whether the operating system that you are hardening will install security updates automatically, and then change that setting as needed. In most cases, automatic software updates are a good idea because they help keep your system ahead of security threats as they emerge. But in certain situations, you may want to avoid auto-updates and instead require administrators to approve software changes manually in order to minimize the risk of an update that could disrupt a critical service.
- Hardening frameworks. Some operating systems provide frameworks that are designed for the specific purpose of adding extra access control and anti-buffer-overflow features to the system and the applications it hosts. AppArmor and SELinux are examples of this type of software on Linux. In general, installing or enabling these tools is a good system hardening best practice.
- Data and workload isolation. For OS hardening, it is a good idea to isolate data and workloads from one another as much as possible. Isolation can be achieved by hosting different databases or applications inside different virtual machines or containers, or restricting network access between different workloads. That way, if an attacker is able to gain control of one workload, he won't necessarily be able to access others as well.
- Disable unnecessary features. It is also a best practice to disable any operating system or application features that you are not using. For example, if your Linux server runs a graphical interface by default but you will only be accessing the system through an SSH client, you should disable (or, better, uninstall completely) the graphical interface. Similarly, if your Windows workstation has Skype installed by default but the users will actually be running Skype, disable or uninstall the program. In addition to consuming system resources unnecessarily, features that are not being used create potential security holes.
Addressing all of the areas above will do much to harden your operating system against cyberattack.
That said, it is impossible to guarantee immunity against attack. Even a computer that is totally disconnected from the Internet could be compromised via malicious software that is installed from a thumbdrive, tracking software embedded within the system firmware or other vulnerabilities. Just as no amount of home security defenses can completely guarantee that a burglar can't find a way to break into your house, no computer can be taken to be completely secure.
That is why it is essential to back up your data, even if you also perform extensive operating system hardening. After all, unlike OS security, data backups are something that can come close to deliver a virtual guarantee against attacks. As long as you set up an effective backup strategy and maintain your backup systems appropriately, you can have a very high degree of confidence that your data will always be protected, even if they systems that host the data in production are compromised.
In this sense, you can think of data backups as an insurance policy for your house. If you insure your home and the things inside it, you will be guaranteed to be compensated in the event that, despite your best efforts to secure the house, someone is able to break in and steal your things. In a similar way, an effective data backup plan ensures that no matter what happens to your systems, you will always have a backup in place in the event that ransomware, DDoS or another type of attack breaks past your OS hardening features.
Devoting a little time to operating system hardening can save you a great deal of time in the long run by lowering the risk of a successful cyberattack against your systems and data.
Still, it is impossible to prevent attacks completely. No OS hardening strategy is sufficient unless it is accompanied by a data backup strategy, which serves as your final line of defense in case something goes wrong.