Host hardening is the process of applying protective controls to a system. Defense in depth is the term for delivering that protection at multiple tiers.
We try to safeguard a system at several layers, such as the physical level, the user level, the OS level, the application level, the host level, and other sublayers.
At each level we employ a different form of security, and a hardened system is far more secure because it provides this defense in depth, or protection at multiple levels. When we install an operating system with its default settings, it installs several unneeded programs that we may never use or update. Many of these programs ship with loose permissions and insecure configurations, making it easy for an attacker to gain access. Such flaws result in a large attack surface vector.
What is the definition of an attack surface vector?
In computer security, a vector is a way by which malicious code, such as a virus, spreads and infects a computer.
An attack surface vector is the collection of points, or attack vectors, through which an attacker can attempt to get data into or out of a network or system.
The idea is to make the attack surface as small as possible, so that an attacker has little room to get data in or out and malicious code lacks the environment it needs to thrive.
Host Hardening Procedures
Remove any applications that are no longer in use.
While you are reading this article, a variety of background programs and services are running on your device. For a variety of reasons, removing them can be difficult: we do not always know whether the OS depends on them.
There are free scanners that help identify which applications are genuinely unused so they can be removed. In a large company, check with your vendors as well as internal staff first, so that an application stays available to whoever actually needs it. It is also worth checking whether another application already installed can perform the same function.
Because server installations do not require any end-user applications, those can be removed from servers. Console-only (headless) server deployments are a good choice because they improve both performance and security. Remove any unneeded accounts and privileges from your IT infrastructure as well.
Patching systems regularly is essential.
Almost all application and operating system vendors release patches every few weeks as new software flaws are discovered. Humans make mistakes when writing code, so no software is free of flaws. It is always a good idea to update systems as soon as updates become available. Those updates contain bug and vulnerability fixes, so if you do not install them, you are putting your machine at risk.
Keep your antivirus and/or anti-spyware software up to date.
It may be difficult for a large firm to devote time to updates every week or even every month, but while the work is time-intensive, it is what keeps systems current. If installing updates manually is inconvenient, enable automatic updates.
New systems should initially be installed in a controlled setting that is well defended against security threats. When you expose servers to an untrusted environment, such as the internet, they become vulnerable. A system should only go into production after thorough testing and patching.
Maintain regular imaging (cloning) and deployment. You can do this with applications like Ghost or SmartDeploy. Such programs let us take a copy of our system and keep it as a backup; they store the system files in compressed form and reinstall them whenever they are needed.
Network service management
Always keep an eye on what services can be accessed over your network and who is doing so. This will offer you a solid picture of your users and how they utilize apps and services regularly. When a user tries to access restricted services multiple times, create an alert.
Use port scanners like Nmap as well. Nmap is a free and open-source network scanner that can also run scripted vulnerability checks; it shows you all of the network’s open ports. It can be used to identify devices on the network, the live hosts and the services they provide, all open ports, and some security risks.
Server Manager is the management console in Windows Server. It lets you manage both local and remote Windows-based servers from a desktop without requiring physical access to the servers or enabling Remote Desktop Protocol (RDP) connections to each server.
On Linux we can use commands such as netstat. It is available from the command line on both Linux and Windows and displays detailed information about how your computer communicates with other computers or network devices, including which ports it is listening on. Its name stands for network statistics. On current Linux distributions netstat is considered deprecated and ss (from iproute2) provides the same view.
We can also look at /etc/init.d/. In the Linux file system, init.d is a subdirectory of /etc. It holds the start/stop scripts used to control daemons (start, stop, reload, restart) while the system is running or during boot, so if you look in /etc/init.d you will see scripts for many of your system’s services. On systemd-based distributions services are managed with systemctl instead, and /etc/init.d may hold only a few compatibility scripts or be absent.
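The alert described above, raised when a user repeatedly tries to reach a restricted service, can be produced from the authentication log. The following shell function is an added example written for this article, not code from the original; it assumes the OpenSSH "Failed password for ... from ..." log line format, and the log lines it runs over are constructed for the example. It counts failed attempts per user and source address and prints one alert line per pair that reaches the threshold.

```shell
#!/bin/sh
# Added example: alert when one user repeatedly fails to reach a restricted
# service (here: SSH). The log lines below are constructed for this example
# in OpenSSH's "Failed password for ..." format; they are not from a real host.
SAMPLE_LOG='Mar  3 10:01:02 srv sshd[2101]: Failed password for bob from 10.0.0.5 port 51012 ssh2
Mar  3 10:01:05 srv sshd[2101]: Failed password for bob from 10.0.0.5 port 51013 ssh2
Mar  3 10:01:09 srv sshd[2101]: Failed password for bob from 10.0.0.5 port 51014 ssh2
Mar  3 10:01:30 srv sshd[2110]: Accepted publickey for alice from 10.0.0.7 port 51020 ssh2
Mar  3 10:02:11 srv sshd[2111]: Failed password for invalid user admin from 203.0.113.9 port 40010 ssh2
Mar  3 10:02:14 srv sshd[2111]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2
Mar  3 10:02:18 srv sshd[2111]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2
Mar  3 10:02:22 srv sshd[2111]: Failed password for invalid user admin from 203.0.113.9 port 40013 ssh2
Mar  3 10:03:01 srv sshd[2120]: Failed password for carol from 10.0.0.8 port 51030 ssh2'

# Usage: failed_login_alerts THRESHOLD < logfile
# Prints "ALERT user=<u> src=<ip> failures=<n>" for every user/source pair with
# at least THRESHOLD failed attempts. Output is sorted so it is deterministic.
failed_login_alerts() {
    awk -v threshold="$1" '
        /Failed password for/ {
            # Layout: "... Failed password for [invalid user] NAME from IP port N ssh2"
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    user = $(i + 1)
                    if (user == "invalid") user = $(i + 3)   # "invalid user NAME"
                }
                if ($i == "from") src = $(i + 1)
            }
            count[user " " src]++
        }
        END {
            for (k in count)
                if (count[k] >= threshold) {
                    split(k, p, " ")
                    printf "ALERT user=%s src=%s failures=%d\n", p[1], p[2], count[k]
                }
        }' | LC_ALL=C sort
}

# Demonstration on the constructed sample with a threshold of three attempts.
printf '%s\n' "$SAMPLE_LOG" | failed_login_alerts 3
```

On a live host the function would read /var/log/auth.log (or the output of journalctl -u ssh) instead of the embedded sample; the threshold is the only tuning knob and should be set from what normal users actually mistype.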
At all costs, disable the following Windows services and ports.
NetBIOS: an older Microsoft protocol for broadcasting a machine’s name and IP address. It uses UDP ports 137 and 138 and TCP ports 137 and 139. WINS (the Windows name lookup service) was also used to record names and their IP addresses.
These services are required by legacy applications for network discovery, such as file and print sharing, and NetBIOS has several CVEs in the National Vulnerability Database. SMB (Server Message Block) is a Microsoft protocol for file sharing, network discovery, and printer discovery/sharing that runs over TCP/IP with or without NetBIOS, uses TCP ports 139 and 445, and exists in versions 1, 2, and 3 (only version 3 supports encryption). The WannaCry ransomware and the Stuxnet redirection attacks exploited weaknesses in older versions. As a result, earlier versions should be disabled, firewalls should restrict outbound access for SMB authentication, and systems should be patched.
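The network service review above and the NetBIOS/SMB ports just listed come together in one check: compare what a host is actually listening on with what it is supposed to offer. The following shell function is an added example written for this article, not code from the original. It parses the output of netstat in both the Linux form (netstat -tulpn) and the Windows form (netstat -an), so it covers both halves of the discussion; the two netstat listings embedded below are constructed samples, and the allowlist of expected ports is an assumption passed in by the caller. Each listening socket is reported as LEGACY (a port the article says to disable), ALLOWED, or UNEXPECTED.

```shell
#!/bin/sh
# Added example: audit listening sockets from netstat output and flag the
# legacy NetBIOS/SMB and cleartext remote-login ports. Handles both the Linux
# "netstat -tulpn" layout and the Windows "netstat -an" layout.

# Usage: audit_listeners "ALLOWED_PORTS" < netstat-output
# ALLOWED_PORTS is a space-separated list of ports this host is expected to serve.
# Prints one "proto/port VERDICT" line per listening socket, sorted.
audit_listeners() {
    awk -v allowed=" $1 " '
        BEGIN {
            # Ports the article tells us to disable, keyed by "proto/port".
            legacy["udp/137"] = "NetBIOS name service"
            legacy["tcp/137"] = "NetBIOS name service"
            legacy["udp/138"] = "NetBIOS datagram service"
            legacy["tcp/139"] = "NetBIOS session service"
            legacy["tcp/445"] = "SMB (disable SMBv1, restrict at the firewall)"
            legacy["tcp/23"]  = "telnet (cleartext)"
            legacy["tcp/513"] = "rlogin (cleartext)"
            legacy["tcp/514"] = "rsh (cleartext)"
        }
        {
            proto = tolower($1)
            sub(/6$/, "", proto)                 # tcp6/udp6 -> tcp/udp
            if (proto != "tcp" && proto != "udp") next    # headers, blank lines
            # TCP: only listening sockets matter. UDP lines carry no state column.
            if (proto == "tcp" && $0 !~ /LISTEN/) next
            # The local address is the first field containing a colon; this holds
            # for both layouts because the Linux Recv-Q/Send-Q columns are numbers.
            laddr = ""
            for (i = 2; i <= NF; i++) if (index($i, ":") > 0) { laddr = $i; break }
            if (laddr == "") next
            n = split(laddr, parts, ":")         # works for 0.0.0.0:445, :::80, [::]:22
            port = parts[n]
            key = proto "/" port
            if (key in legacy)
                verdict = "LEGACY: " legacy[key]
            else if (index(allowed, " " port " ") > 0)
                verdict = "ALLOWED"
            else
                verdict = "UNEXPECTED: not in allowlist"
            print key, verdict
        }' | LC_ALL=C sort -u
}

# Constructed sample of "netstat -tulpn" on a Linux file server (not a real host).
LINUX_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      790/smbd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      701/inetd
tcp6       0      0 :::80                   :::*                    LISTEN      820/nginx
udp        0      0 0.0.0.0:137             0.0.0.0:*                           795/nmbd'

# Constructed sample of "netstat -an" on a Windows server (not a real host).
WINDOWS_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.20:49700        10.0.0.5:443           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*'

# Demonstration runs; the allowlists are assumptions for the two sample hosts.
printf '%s\n' "$LINUX_NETSTAT"   | audit_listeners "22 80 443"
printf '%s\n' "$WINDOWS_NETSTAT" | audit_listeners "3389"
```

A port listing cannot tell SMBv1 from SMBv2/3, so a 445 hit means "check the version": on Windows, Get-SmbServerConfiguration shows EnableSMB1Protocol and Set-SmbServerConfiguration -EnableSMB1Protocol $false turns it off; on a Samba server, server min protocol = SMB2 in smb.conf does the same.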
Remote services such as the following should be disabled.
On Windows: Remote Desktop (RDP), Terminal Services, and Remote Registry. On Unix: Telnet, rlogin, and rsh.
Older, unencrypted remote services expose you to eavesdropping. If you need to log in remotely, use RDP or SSH, which are remote login options that encrypt the session.
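Replacing Telnet, rlogin and rsh with SSH only helps if the SSH server itself is configured securely. The following shell functions are an added example written for this article, not code from the original: one audits an OpenSSH sshd_config for the directives that most often undo the protection SSH is supposed to give (SSH protocol 1, root login, password and empty-password authentication), and the other writes the same file back with those directives corrected, showing the weak configuration beside the hardened one. The set of enforced directives and the sample sshd_config are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit and harden the remote-login directives of an OpenSSH
# server configuration. The sample config below is constructed for this example.

# Directives this example enforces, one "Keyword value" per line. "Protocol 2"
# only matters on very old OpenSSH releases, which is exactly where legacy
# remote-login problems tend to live.
SSHD_REQUIRED='Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no'

# Usage: audit_sshd_config < sshd_config
# Prints "WEAK <Keyword> <current value>" for each enforced directive whose first
# (and therefore effective) occurrence differs from the required value, and
# "MISSING <Keyword>" for enforced directives that are absent. Keywords are
# matched case-insensitively, as sshd matches them.
audit_sshd_config() {
    awk -v required="$SSHD_REQUIRED" '
        BEGIN {
            n = split(required, req, "\n")
            for (i = 1; i <= n; i++) {
                split(req[i], kv, " ")
                canon[tolower(kv[1])] = kv[1]
                want[tolower(kv[1])] = tolower(kv[2])
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            k = tolower($1)
            if ((k in want) && !(k in seen)) {     # sshd uses the first occurrence
                seen[k] = 1
                if (tolower($2) != want[k]) print "WEAK", canon[k], $2
            }
        }
        END {
            for (k in want) if (!(k in seen)) print "MISSING", canon[k]
        }' | LC_ALL=C sort
}

# Usage: harden_sshd_config < sshd_config
# Writes the config back with every enforced directive set to its required value,
# later duplicates of those directives dropped, and missing ones appended.
harden_sshd_config() {
    awk -v required="$SSHD_REQUIRED" '
        BEGIN {
            n = split(required, req, "\n")
            for (i = 1; i <= n; i++) {
                split(req[i], kv, " ")
                want[tolower(kv[1])] = req[i]
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            k = tolower($1)
            if (k in want) {
                if (!(k in done)) { print want[k]; done[k] = 1 }
                next                               # drop later duplicates
            }
            print
        }
        END {
            for (i = 1; i <= n; i++) {
                split(req[i], kv, " ")
                if (!(tolower(kv[1]) in done)) print req[i]
            }
        }'
}

# Constructed sshd_config with the weak settings a legacy host often carries.
SAMPLE_SSHD_CONFIG='# constructed sshd_config, not from a real host
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no'

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config    # findings
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | harden_sshd_config   # corrected config
```

On a real host, run the audit against /etc/ssh/sshd_config, review the hardened output before installing it (disabling PasswordAuthentication locks out anyone without a deployed key), and validate it with sshd -t before restarting the service. The legacy services themselves are the telnet, login (rlogind) and shell (rshd) entries in /etc/inetd.conf on inetd-based systems, or the corresponding socket units on systemd.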