Part 2 of 15: Operating System Hardening
What Is It?
Operating System hardening is an extension of some of the other strategies discussed earlier. In the Essential Eight we talk about Patching Operating Systems. In the Necessary Nine we talk about Generic Exploit Mitigation. Even the last article I published spoke of Server Application Hardening. To some degree, many of the other articles and mitigation strategies touch on this from managing administrative privileges to network segmentation, so why concentrate on Operating System Hardening now?
This is where we get down into the weeds, into the heart of the systems on our networks. Some of the other components we spoke of earlier, such as patching and managing permissions, work around the system; here we focus on the core of what makes the system tick. Operating system hardening extends to network devices as well and emphasises use of a Standard Operating Environment (SOE) where uniform configuration across like platforms disables unnecessary functionality such as RDP, Auto Run, LAN Manager, SMB/NetBIOS (which should be long gone), Link-Local Multicast Name Resolution (LLMNR), and even Web Proxy Auto-Discovery (WPAD).
Generally, I try to emphasise that unless you ABSOLUTELY need it, get rid of it, shut it off, or don’t install it in the first place. Don’t leave anything to chance or something in place “just in case” you “might need it one day”. Your SOE can apply if you have dozens of servers, hundreds of workstations or laptops, and many network appliances of the same type. Think consistency. Instead of making one change on hundreds of individual systems, you make one change per unique SOE and then replicate it. Yes, I know, it sounds easier than it is, but when you think about it, you’re further reducing the options an attacker has. They don’t need to compromise all your systems; just one will suffice.
It’s also an exercise in better understanding your environment intimately. Imagine having a detailed inventory of not just how many devices you have on the network, but extremely specific details about how they’re built. Also imagine that instead of having dozens or hundreds of unique configurations to sort out, you only have a few. Less variation when applying patches. Simplified replacement of failed equipment or more rapid deployment of new systems, all with fewer vulnerabilities.
Where Do I Start?
Since this one can be a lot more technical, I’d recommend getting your platform experts involved. These are your team members with the in-depth and intimate knowledge of the operating systems you will be hardening. Windows. Cisco IOS. Comware. Linux. UNIX. Whichever. If you have good links to the vendors, don’t be afraid to use them. Systems integrators often have experts on staff and consultants that can help. Never be afraid to put up your hand and ask for help. Also, don’t try to do everything at once.
Start looking into the dark, poorly-lit corners of the operating system. Look at the registry and file permissions and try to limit the damage caused by misusing system tools and services against you. Limit the ability to create scheduled tasks and execute them, possibly as a system account with elevated privileges. Evaluate your libraries (sometimes known as DLL files) and control where they are located and how they are loaded. Disable NetBIOS… we shouldn’t ever need that again, and if we do, it’s time to look at what uses it and try to replace or eliminate those dependencies. The same holds true for SMB.
LLMNR, which I mentioned above, may serve a purpose, but by bypassing a proper DNS server it could be used to propagate an attack or support reconnaissance that could otherwise be avoided. It seems to exist to allow legacy systems to communicate. Use your judgement, but I’d recommend disabling it.
While on the topic of name resolution (which can quickly throw accelerant on a burning flame), if you use a proxy it may be worthwhile to configure a DNS record specifically for it, so the proxy is set explicitly rather than auto-discovered. If auto-discovery is compromised, your traffic can get routed to places you don’t want it. If you don’t use a proxy, turn this off completely.
Some other tips include displaying file extensions so that the file appears in its true format and doesn’t try to masquerade as something harmless. ASD uses the example of a known file type extension, such as exe, being hidden. It may display as “file.txt” when in reality it’s “file.txt.exe”. You can see how easy it would be to overlook!
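As an added example (not from the original post), the PowerShell below audits, and with -Apply enforces, the Windows 10 settings discussed above: LLMNR, NetBIOS over TCP/IP, the WPAD service, and hidden file extensions. The registry locations for LLMNR, NetBIOS and file extensions are the well-known ones; disabling the WinHTTP auto-proxy service via its Start value is an assumption to confirm against your vendor’s guidance before baking it into an SOE.

```powershell
# Audit (default) or apply (-Apply) a handful of SOE hardening settings.
# Run elevated; use -Apply -WhatIf to preview changes before making them.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

$Desired = @(
    # "Turn off multicast name resolution" policy: LLMNR disabled
    @{ Name = 'LLMNR off';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';            Value = 'EnableMulticast'; Data = 0 },
    # Explorer shows extensions for the current user, so file.txt.exe stays visible
    @{ Name = 'Show extensions';  Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Value = 'HideFileExt';     Data = 0 },
    # Assumption: WPAD service Start=4 (Disabled) is acceptable only when no proxy is used
    @{ Name = 'WPAD service off'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc';        Value = 'Start';           Data = 4 }
)

# NetBIOS over TCP/IP is configured per interface: NetbiosOptions 2 = disabled
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $netbt) {
    $Desired += @{ Name = "NetBIOS off ($($iface.PSChildName))"; Path = $iface.PSPath; Value = 'NetbiosOptions'; Data = 2 }
}

$results = foreach ($s in $Desired) {
    # A missing value reads as $null and is reported as non-compliant
    $current   = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
    $compliant = ($current -eq $s.Data)

    if ($Apply -and -not $compliant -and $PSCmdlet.ShouldProcess($s.Path, "Set $($s.Value) = $($s.Data)")) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Data -Type DWord
        $current = $s.Data; $compliant = $true
    }

    [pscustomobject]@{ Setting = $s.Name; Current = $current; Desired = $s.Data; Compliant = $compliant }
}

$results | Format-Table -AutoSize
```

Run it without -Apply across a pilot group first; the Compliant column is what you want to compare between supposedly identical SOE builds.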
There are a lot of ways you can harden your operating system and the internet is full of suggestions, good, bad, and ugly. If you can, check with the vendor or work with vendor-certified and reputable organisations. I could go on for pages, but you get the idea. Supplementing your patch management and other strategies, you will improve your security posture.
How Do I Make It Work?
Rather than worrying about this on a case-by-case basis, perhaps consider this strategy as part of your operating system refresh and develop your SOE with the hardening already integrated. Trying to go back and fix systems that have been running for potentially years can be more work than it’s worth. Rather than being reactive, consider this in the context of being proactive. This way, you have plenty of time to build, test, and fine-tune your new operating system deployment before it gets pushed out.
Many of you are still on Windows 7 (or older!) deployments, so it may be a good idea to make this a part of your Windows 10 upgrade. Microsoft is doing tremendous work going forward with improving the security of their platforms but like most operating systems, they must strike a balance with security and functionality; the actual configuration for the nuances of your environment is up to you.
For what it’s worth, apply the same approach to new SOE builds of servers, and if you are using non-Windows builds, the same principles of hardening the OS apply. The same goes for network equipment, especially if you have many devices of the same type enterprise-wide. Secure SOEs are just better all around. And yes, I know some of you have highly customised environments, so you may have a longer process ahead of you to address the larger variety of configurations.
Some will tend to get overexuberant with locking down their operating systems, so please remember to balance security with functionality. Also remember that rare is the environment where you can have only one SOE for all workstations or servers. Some servers and workstations require different settings and, depending on the hardware, the physical device may react differently to the hardened settings.
Ghosts in the Machine?
Be aware that sometimes there may be a bugbear that just won’t accept a specific setting. You can have identical settings on identical machines and still have a problem. Human error makes its way into everything including hardware and software. It’s kind of like the old joke where you never wanted to buy a car built on a Friday afternoon or a Monday morning.
Take your time. Please. This strategy is rated as “Very Good” and if you are using a defence-in-depth strategy that includes the Essential Eight and Necessary Nine, many of the risks may already be mitigated. That said, always… ALWAYS… remain vigilant!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock