Security Best Practices - Learning Module

Loading content...

0/240

Security Hardening

Proactive Defense: Eliminating Attack Surface

Vulnerability management addresses known weaknesses. But what about the attack surface that exists simply because systems ship with insecure defaults—unnecessary services running, permissive configurations enabled, legacy protocols active?

Security Hardening is the practice of proactively configuring systems to minimize attack surface before vulnerabilities even appear. It transforms the question from "How do we fix what's broken?" to "How do we ensure there's less to break in the first place?"

Consider a fresh operating system installation:

Dozens of services running by default, most unused
Permissive file permissions that exceed actual needs
Legacy protocols enabled for compatibility with systems you don't have
Logging insufficient for forensic investigation
No restrictions on shell access, process execution, or network activity

Each unnecessary component is potential attack surface. Each permissive default is a misconfiguration waiting to be exploited. Hardening systematically addresses these before they become incidents.

What You Will Learn

By the end of this page, you will understand hardening philosophy and the principle of minimization, master CIS Benchmarks and DISA STIGs as hardening standards, implement practical hardening for Linux and Windows systems, develop automated hardening pipelines, and balance security restrictions with operational requirements.

Hardening Philosophy and Principles

Hardening is guided by the principle of minimization: every component, service, permission, and protocol that isn't explicitly required for the system's function should be removed or disabled.

Core Hardening Principles

1. Minimal Installation Install only packages and components required for the system's role. A web server doesn't need a C compiler. A database server doesn't need a GUI.

2. Disable Unnecessary Services Every running service increases attack surface. If a service isn't actively used, disable it. If it's needed occasionally, start it on-demand rather than at boot.

3. Restrict Permissions Apply the principle of least privilege to file permissions, process capabilities, and network access. Default to deny; explicitly permit only what's needed.

4. Secure Defaults Replace vendor defaults with secure configurations. Default passwords, example configurations, and debug settings must be changed.

5. Enable Logging and Auditing Comprehensive logging enables detection and forensics. Hardening includes ensuring sufficient logging for security-relevant events.

6. Remove or Protect Management Interfaces Administrative interfaces (SSH, RDP, web consoles) are high-value targets. Restrict network access, require strong authentication, and consider removing if not needed.

Hardening Standards and Frameworks
Standard	Source	Coverage	Use Case
CIS Benchmarks	Center for Internet Security	OS, applications, cloud	Industry standard, audit-ready
DISA STIGs	Defense Information Systems Agency	DoD systems	US Government compliance
NIST SP 800-123	National Institute of Standards	Server hardening	Federal guidance
Microsoft Security Baselines	Microsoft	Windows, Office, Edge	Windows environments
OpenSCAP	Red Hat/NIST	Automated compliance	Linux automation

Linux System Hardening

Linux hardening encompasses kernel parameters, service configuration, file permissions, and authentication settings. The following demonstrates key hardening areas.

linux_hardening.sh
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
#!/bin/bash
# Linux Security Hardening Script
# Based on CIS Benchmark recommendations
 
set -euo pipefail
echo "=== Linux Security Hardening ==="
 
# === Kernel Hardening (sysctl) ===
cat > /etc/sysctl.d/99-hardening.conf << 'EOF'
# Network hardening
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
 
# Kernel hardening  
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 2
kernel.core_uses_pid = 1
kernel.sysrq = 0
 
# File system hardening
fs.suid_dumpable = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
EOF
sysctl -p /etc/sysctl.d/99-hardening.conf
 
# === Disable Unnecessary Services ===
SERVICES_TO_DISABLE="
avahi-daemon bluetooth cups rpcbind nfs-server
autofs vsftpd telnet.socket rsh.socket rlogin.socket
"
for svc in $SERVICES_TO_DISABLE; do
    systemctl disable --now "$svc" 2>/dev/null || true
done
 
# === SSH Hardening ===
cat > /etc/ssh/sshd_config.d/hardening.conf << 'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowTcpForwarding no
AllowAgentForwarding no
Protocol 2
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
systemctl reload sshd
 
# === File Permission Hardening ===
chmod 600 /etc/shadow /etc/gshadow
chmod 644 /etc/passwd /etc/group
chmod 700 /root
chmod 600 /etc/ssh/sshd_config
find /var/log -type f -exec chmod 640 {} ;
 
# === Remove SUID/SGID where unnecessary ===
chmod u-s /usr/bin/newgrp 2>/dev/null || true
chmod u-s /usr/bin/chsh 2>/dev/null || true
chmod u-s /usr/bin/chfn 2>/dev/null || true
 
# === Password Policy ===
cat >> /etc/security/pwquality.conf << 'EOF'
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
maxrepeat = 3
EOF
 
# === Enable Audit Logging ===
cat > /etc/audit/rules.d/hardening.rules << 'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S execve -F euid=0 -k privileged
EOF
augenrules --load
 
echo "Hardening complete. Reboot recommended."

Windows System Hardening

Windows hardening leverages Group Policy, security baselines, and PowerShell for configuration. Microsoft provides Security Baselines that implement CIS and DISA recommendations.

windows_hardening.ps1
PowerShell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# Windows Security Hardening Script
# Based on CIS Benchmarks and Microsoft Security Baselines
 
Write-Host "=== Windows Security Hardening ===" -ForegroundColor Cyan
 
# === Disable Unnecessary Services ===
$servicesToDisable = @(
    'RemoteRegistry', 'Fax', 'XboxGipSvc', 'XblAuthManager',
    'XblGameSave', 'XboxNetApiSvc', 'WSearch'
)
foreach ($svc in $servicesToDisable) {
    Set-Service -Name $svc -StartupType Disabled -ErrorAction SilentlyContinue
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
}
 
# === Disable SMBv1 ===
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
 
# === Enable Windows Defender Features ===
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -PUAProtection Enabled
Set-MpPreference -EnableControlledFolderAccess Enabled
 
# === Configure Windows Firewall ===
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block
 
# === Disable Remote Desktop (if not needed) ===
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
                                            - Name "fDenyTSConnections" -Value 1
 
# === Password Policy via Security Policy ===
# Minimum length 14, history 24, complexity enabled
secedit /export /cfg C:\Windows\Temp\secpol.cfg
                                    (Get - Content C: \Windows\Temp\secpol.cfg) - replace`
    'MinimumPasswordLength = \d+', 'MinimumPasswordLength = 14' | `
    Set- Content C: \Windows\Temp\secpol.cfg
secedit / configure / db C: \Windows\Security\local.sdb / cfg C: \Windows\Temp\secpol.cfg
 
# === Enable Audit Policies ===
                        auditpol / set / category: "Logon/Logoff" / success: enable / failure: enable
auditpol / set / category: "Account Logon" / success: enable / failure: enable
auditpol / set / category: "Privilege Use" / success: enable / failure: enable
auditpol / set / category: "System" / success: enable / failure: enable
 
# === Credential Guard(Windows 10 / 11 Enterprise) ===
# Enable Virtualization Based Security
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
Set - ItemProperty - Path $regPath - Name "EnableVirtualizationBasedSecurity" - Value 1
Set - ItemProperty - Path $regPath - Name "RequirePlatformSecurityFeatures" - Value 1
 
Write - Host "Hardening complete. Restart required." - ForegroundColor Green

Automated Compliance Checking

Manual hardening verification doesn't scale. Automated compliance tools continuously validate that systems remain hardened and drift hasn't occurred.

OpenSCAP is the industry-standard tool for automated SCAP (Security Content Automation Protocol) compliance checking on Linux.

openscap_compliance.sh
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#!/bin/bash
# Automated Compliance Checking with OpenSCAP
 
# Install OpenSCAP
dnf install openscap- scanner scap - security - guide - y
 
# List available profiles
oscap info / usr / share / xml / scap / ssg / content / ssg - rhel8 - ds.xml
 
# Run CIS Level 1 Server benchmark scan
oscap xccdf eval \
                --profile xccdf_org.ssgproject.content_profile_cis_server_l1 \
                --results scan - results.xml \
                --report scan - report.html \
                /usr/share / xml / scap / ssg / content / ssg - rhel8 - ds.xml
 
# Generate remediation script for failed checks
oscap xccdf generate fix \
    --profile xccdf_org.ssgproject.content_profile_cis_server_l1 \
        --output remediate.sh \
        scan - results.xml
 
# Apply remediations(review first!)
# chmod + x remediate.sh && ./ remediate.sh
 
echo "Scan complete. Review scan-report.html"

Compliance Automation Tools
Tool	Platform	Standards Supported	Deployment
OpenSCAP	Linux	CIS, DISA STIG, PCI-DSS	Open source, CLI
Microsoft SCT	Windows	CIS, Microsoft baselines	Free, GPO integration
Chef InSpec	Cross-platform	Custom, CIS profiles	Open source, CI/CD
Ansible Hardening	Cross-platform	CIS, custom	Open source, agentless

Application and Service Hardening

Beyond OS hardening, individual applications require their own security configurations. Web servers, databases, and common services all have hardening requirements.

nginx_hardening.conf
Nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Nginx Security Hardening
server_tokens off;
 
# TLS Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE - ECDSA - AES128 - GCM - SHA256: ECDHE - RSA - AES128 - GCM - SHA256;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared: SSL: 50m;
ssl_stapling on;
ssl_stapling_verify on;
 
# Security Headers
add_header X - Frame - Options "SAMEORIGIN" always;
add_header X - Content - Type - Options "nosniff" always;
add_header X - XSS - Protection "1; mode=block" always;
add_header Content - Security - Policy "default-src 'self'" always;
add_header Strict - Transport - Security "max-age=31536000" always;
 
# Rate limiting
limit_req_zone $binary_remote_addr zone = api: 10m rate = 10r / s;
 
# Disable unnecessary methods
    if ($request_method!~ ^ (GET | HEAD | POST)$ ) { return 405; } 

Container and Cloud Hardening

Modern infrastructure requires hardening beyond traditional OS configurations. Containers and cloud resources have their own attack surfaces.

Dockerfile.hardened
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# Hardened Container Image Example
FROM alpine: 3.19 AS base
 
# Use specific, non - latest tags
# Run as non - root user
RUN addgroup - g 1000 appgroup && \
    adduser - u 1000 - G appgroup - D appuser
 
# Minimal package installation
RUN apk add--no - cache ca - certificates && \
    rm - rf /var/cache/apk/*
 
# Copy only what's needed
COPY --chown=appuser:appgroup ./app /app
 
# Read-only filesystem friendly
WORKDIR /app
USER appuser
 
# No shell for production
# Remove if not needed: RUN rm /bin/sh
 
# Health check
HEALTHCHECK --interval=30s --timeout=3s \
    CMD wget -q --spider http://localhost:8080/health || exit 1
 
# Explicit exposed ports
EXPOSE 8080
 
# Non-root, minimal privileges
ENTRYPOINT ["/app/server"]

Container Hardening Checklist

•Use minimal base images (Alpine, distroless)
•Run as non-root user (USER directive)
•Use read-only root filesystem
•Drop all capabilities, add back only required
•Scan images for vulnerabilities before deployment
•Sign and verify images
•Use specific version tags, not 'latest'

Hardening Challenges and Best Practices

Security hardening introduces operational challenges that must be carefully managed.

Hardening Challenges and Mitigations
Challenge	Description	Mitigation
Application Breakage	Hardening may break applications expecting permissive configs	Test in staging; implement gradually; maintain exception process
Configuration Drift	Systems drift from hardened state over time	Automated compliance scanning; infrastructure as code
Operational Friction	Restrictions slow troubleshooting	Document exceptions; provide break-glass procedures
Legacy Systems	Old systems can't meet modern standards	Risk-accept with compensating controls; plan upgrades
Scale	Thousands of systems to harden	Automation, golden images, configuration management

Hardening Best Practices

•Start with golden images — Bake hardening into base images so new systems are hardened by default
•Automate everything — Manual hardening doesn't scale and creates drift
•Test before production — Validate hardened configs in staging with real application workloads
•Document exceptions — When hardening can't be applied, document why and what compensates
•Continuously verify — Regular compliance scans detect drift before it's exploited
•Layer with other controls — Hardening complements but doesn't replace patching, monitoring, and response

Summary: Security Hardening

Security hardening proactively reduces attack surface before adversaries discover vulnerabilities. It transforms systems from permissive defaults to secure configurations that minimize risk. Let us consolidate the essential principles.

Key Takeaways

•Minimize Attack Surface — Remove unnecessary services, disable unused features, restrict permissions
•Follow Established Baselines — CIS Benchmarks and DISA STIGs provide vetted, comprehensive hardening guidance
•Automate Compliance — Use OpenSCAP, Chef InSpec, or similar tools for continuous verification
•Harden All Layers — OS, applications, containers, and cloud resources each require attention
•Build Security Into Images — Golden images ensure new systems are hardened from first boot
•Balance Security and Operations — Overly aggressive hardening breaks functionality; maintain exception processes

Module Complete

You have now completed the Security Best Practices module, covering:

Principle of Least Privilege — Grant only necessary permissions
Defense in Depth — Layer multiple independent controls
Security Updates — Patch promptly and systematically
Vulnerability Management — Discover, prioritize, and remediate weaknesses
Security Hardening — Proactively reduce attack surface

Together, these practices form the operational foundation of secure systems.

Module Complete

You now understand security hardening: the philosophy of minimization, practical implementation for Linux and Windows, automated compliance verification, and application/container hardening. Combined with the previous pages on least privilege, defense in depth, patching, and vulnerability management, you have a comprehensive toolkit for building and maintaining secure operating system environments.