OS Hardening: 15 Best Practices

What is OS Hardening?

Operating system (OS) hardening, a type of system hardening, is the process of implementing security measures and patching for operating systems, such as Windows, Linux, or Apple OS X, to strengthen them against cyberattacks. The goal is to protect sensitive computing systems, reducing the system’s attack surface, in order to lower the risk of data breaches, unauthorized access, systems hacking, or malware. 

OS hardening can include practices such as:

• Following security best practices and ensuring secure configuration.
• Updating the operating system, and automatically applying patches and service packs. This is typically done via software applications that MSPs or IT admins run on the system to install updates.
• Establishing strict access rules, limiting and authenticating system access permissions, and limiting creation of user accounts.
• Deploying additional security measures such as firewalls and endpoint protection systems.
• Using operating system security extensions such as AppArmor for Linux.
• Removing unnecessary applications and services and uninstalling unnecessary device drivers.
• Turning on only the ports and services required
• Encrypting the HDD or SSD that stores and hosts the OS

This is part of a series of articles about System Hardening.

OS Hardening Security Benefits

Here are a few key benefits of hardening operating systems:

• Improve security and reduce a system’s attack surface, minimizing a computer’s exposure to threats.
• Lower the risk of data breaches, unauthorized access, systems hacking, or malware.
• Protect sensitive computing systems that run mission critical workloads or store sensitive data.
• Supports compliance with industry-specific regulations and standards.
• Increases system stability and reliability by removing unused services and applications.
• Minimizes IT support costs and frequency of support calls due to fewer security incidents.

15 Operating System Hardening Best Practices

Although each operating system has its own unique characteristics, there are several hardening practices common to all operating systems. Here are ten best practices that can help you enhance security for your operating systems.

OS Updates

1. OS updates and service packs—keep operating systems and programs up to date and install the latest version. No single action can protect against all attacks, especially against a zero-day attack, but using service packs dramatically reduces these risks
2. Patch management—includes planning, testing, timely implementation, and continuously auditing, to ensure that operating systems and individual programs on client computers are always patched with the latest updates.
3. Removing unnecessary applications and services—involves regularly auditing and eliminating unused or unneeded software applications and system services. This reduces the attack surface, because each application and service may contain vulnerabilities.
4. Turning on only the ports and services required—unused ports should be closed or disabled as they can serve as potential entry points for attackers. Similarly, any services that aren’t required for the system’s operation should be turned off. 
5. Uninstalling unnecessary device drivers—this involves identifying unused or old device drivers and removing them. These can contain vulnerabilities that, if left unpatched, could be exploited by an attacker to gain unauthorized access to the system.

Secure Configuration

6. Clean programs—delete unnecessary and unused programs. Any program installed on your device should be evaluated regularly, as it is a potential entry point for malicious attackers. If software has not been approved or reviewed by the company, it should not be allowed. This technique can help you find and fix security holes and minimize risk.
7. Establishing strict access rules—use features that restrict access to files, networks, and other resources. Access control management features for users and groups are provided by all major operating systems, including Windows, Linux, and OS X. The default settings are usually less strict than needed, so you should limit and authenticate system access according to the principle of least privilege, and provide access only to those who really need it, when they need it.
8. Limit creation of user accounts and regularly review accounts—only allow creation of user accounts if they are absolutely necessary for the operations of the system. The more user accounts there are, the larger the attack surface, as each account could potentially be compromised. Deactivate temporary accounts immediately after use, revoke access to employees who left the company or switched roles, and periodically review user accounts.
9. Group policies—assign users to groups, and define strict privileges for each group, to limit the damage that can be done by careless or malicious users. Continuously update the user policy, and communicate it to end users, to ensure they understand and comply with access privileges.
10. Security templates—use templates to manage and enforce security configurations in a centralized manner. Templates can be used to manage group policies and ensure consistency across the organization.

Additional Security Measures

11. Firewall configuration—not all operating systems have a firewall configured by default, and if a firewall is running—the firewall rules may not be strict enough. To ensure the firewall is running as needed, you should review and modify your firewall configuration. Ideally, you should set it to allow only traffic from known, approved IP addresses and ports. Unnecessary open ports represent a security risk.
12. Hardening frameworks—use frameworks like AppArmor and SELinux to add improved access control and protect against attacks like buffer overflow and code injection. These frameworks can automatically apply a large number of effective security best practices.
13. Endpoint protection—Windows comes with an advanced endpoint protection solution called Windows Defender. Beyond this solution, there is a selection of mature endpoint protection platforms (EPP) that provide several layers of protection for operating systems – including malware protection, email and social engineering protection, detection of malicious processes, and automated isolation of an OS in case of infection.
14. Data and workload isolation—ensure that sensitive databases or applications run in their own virtual machines or containers, to isolate them from other workloads and reduce the attack surface. Alternatively, you can isolate applications by restricting network access between different workloads. In this way, if attackers take control of one workload, they cannot get access to another.
15. Encrypting the HDD/SSD that stores the OS—this is a crucial step for preventing unauthorized access to the system’s data. Even if an attacker is able to physically access the drive, without the decryption key, the data remains protected and inaccessible. This is particularly important for mobile devices like laptops, which can be lost or stolen.

OS hardening can help you reduce the risk of a successful cyber attack. However, to be truly effective, your OS hardening strategy should be implemented alongside a data backup process. This ensures that you have copies of your data and operational systems, and can use them to restore operations if failure occurs.

Beyond the Basics: Center for Internet Security (CIS) Benchmarks for OS Security

The Center of Internet Security (CIS) is a non-profit organization whose mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.” It is a collaborative effort by security and computing experts from governments, universities, and the private sector. The center develops security benchmarks and best practices with broad applicability, using a consensus model.

A CIS benchmark serves as a configuration baseline and also as a best practice for securely configuring systems. A benchmark consists of multiple recommendations, each consisting of one or more controls that can be implemented by organizations to improve security for a certain computing system. The recommendations and controls are mapped to compliance standards including ISO 27000, PCI DSS, HIPAA, NIST CSF, and NIST SP 800-53.

For operating systems, CIS provides a series of benchmarks that cover secure configuration, with a dedicated benchmark for all major versions of all popular operating systems – including Windows, Windows Server, OS X, and all common Linux distributions.

CIS also offers pre-configured and hardened OS images, which you can access via major cloud providers. Hardened images are pre-configured with security best practices, and greatly limit security vulnerabilities that may lead to network attacks.

The following are CIS benchmarks and hardened images for common operating systems:

Microsoft Windows Service

• Security Benchmark Available For Versions: 2017 RTM, 2019 STIG, 2019, 2016 STIG, 2012 R2, 2012, 2008 R2, 2008, 2003
• Hardened OS Image Available On: AWS, Azure, Google Cloud Platform, Oracle Cloud

Ubuntu Linux

• Security Benchmark Available For Versions: 20.04 LTS, 18.04 LTS, 16.04 LTS, 14.04 LTS, 14.04 LTS Server, 12.04 LTS Server, 16.04 LTS
• Hardened OS Image Available On: AWS, Azure, Google Cloud Platform, Oracle Cloud

Red Hat Enterprise Linux (RHEL)

• Security Benchmark Available For Versions: 8, 7 STIG, 7, 6, 5
• Hardened OS Image Available On: AWS, Azure, Google Cloud Platform

Apple OS X (MacOS)

• Security Benchmark Available For Versions: 11.0, 10.15, 10.14, 10.13, 10.12, 10.9, 10.8, 10.12, 10.11, 10.10
• Hardened OS Images: N/A

To access the CIS benchmarks and hardened OS images:

• CIS benchmarks are here (filter by Operating Systems)
• CIS hardened OS images are here

Another Way to Think About System Hardening with Perception Point Advanced Browser Security 

The web has become cybercriminals’ attack surface of choice. Thus, providing internet access to users while protecting against web attacks is the most persistent security challenge organizations face today. One way to harden enterprise networks and systems is to protect the enterprise browser ensuring that no malicious content ever penetrates the endpoint. 

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.

By transforming the organizational browser into a protected work environment, the access to sensitive corporate infrastructure and SaaS applications is secure from data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel/proxy traffic through Perception Point.

An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency. 

Contact us for a demo of the Advanced Browser Security solution.