A Hardened Approach to System Security

Glenn Phillips, president of Pelham, Ala.-based Forté, says that the dedicated Windows workstations his company sells to hospital emergency room administrators must not only be secure, but absolutely tamperproof as well. After all, lives depend on the machines' flawless operation.

Forté's applications show emergency medical technicians the emergency room's current availability status, "so our software must be the program that is always running," Phillips says. "We cannot have anyone closing our program, adding games, changing Windows settings and so on."

Phillips and others who need to create highly secure workstations or servers are turning to hardening to create a virtual steel wall against intruders. The hardening process involves removing nonessential tools and utilities from an operating system or application, any of which could be used to help an attacker gain unauthorized access to system settings or data.

The approach can be used to substitute for or, more commonly, complement other security practices and technologies, such as network firewalls.

Hardening is a technique that's been around since the earliest days of networked computers, but it gradually fell into disuse as software vendors boosted the security of their products and IT managers adopted new security technologies and practices.

Even so, the security improvements haven't made hardening any less practical or useful. "It's still one of the least expensive and most effective ways of protecting yourself or preventing infections or outages," says Chris Rafter, vice president of consulting services at Logicalis Group, a systems integrator in Bloomfield Hills, Mich.

Peter Makohon, a senior security and privacy manager at the New York office of professional services firm Deloitte & Touche, says hardening is coming back into fashion as more enterprises face pressure to patch every possible security hole that could conceivably be exploited as a pathway into a corporate system. Regulatory compliance is another factor that's inspiring many enterprises, particularly those in highly regulated industries, to take another look at hardening.

Just about any enterprise can benefit from hardening, Rafter says. "Operating systems and applications are definitely a lot more secure than they were a long time ago, but there's still logic to turning off unnecessary services and basically only activating and using what you really need," he contends. "Plus, it doesn't require a great deal of effort."

Most vendors long ago dropped any objections to customers hardening their products. Many -- including Microsoft -- actively encourage the practice. "Hardening an operating system is a key step in protecting a system from intrusion," says Chase Carpenter, a manager in Microsoft's Windows Server unit.

Carpenter says enterprise hardening efforts have traditionally covered the client and server operating systems, but with attacks increasingly targeting the application layer, the focus of hardening is shifting to applications. Microsoft views its Security Compliance Manager and Security Baseline products as hardening tools.

Manual or Automatic?

While most user organizations opt to handle the hardening work themselves -- assigning the task to either IT staffers or outside consultants -- some have opted to use commercial software that's designed to automate the process. For example, CellTrust, a mobile applications developer in Scottsdale, Ariz., hardened its servers and its Linux-based network appliances with a product called Security Blanket from Raytheon Trusted Computer Solutions, based in Herndon, Va.

Vahid Sedghi, CellTrust's vice president of technical services, says that the decision to go with a hardening product came down to convenience and a desire not to take IT staffers away from their core responsibilities. "It was either having our Linux folks go manually out there and see what has been applied and what hasn't been applied in our environment, or letting this tool do the work in a more automated fashion," he explains. Sedghi says that a process that previously involved hours of writing, pushing and applying Linux scripts was eventually whittled down so it now takes less than 60 minutes.

Sedghi feels that hardening provides a valuable extra layer of protection. "From a business perspective, it lowers the risk of downtime," he observes.

Hardening complements his business's other security measures, Sedghi says, noting that "obviously, we have our different vulnerability scanning tools and network security tools in place." Standard security tools are still important, he notes, because they perform tasks that hardening doesn't address. "They protect, monitor and scan our network and servers," he says. "Hardening just closes the gaps."

Getting It Right

Knowing exactly what to keep or delete among the various operating system or application tools and features is the biggest challenge facing users undertaking hardening projects for the first time. Organizations that decide to do the work in-house need to commit to a process of gathering information about best practices, says Makohon.

He notes that operating system and application vendors, as well as open-source organizations, are usually willing to offer some guidance to enterprises embarking on hardening projects. Software- and security-oriented Web forums are also good sources of practical information about hardening.

There are many resources, both in the private and public sectors, that help define baseline security configuration settings, says Makohon. They also offer information about how certain configuration settings should be made, the order in which they should be made, and what the resulting state of operation should be.

Phillips says that learning how to harden Windows on the Dell OptiPlex desktops that Forté markets to emergency room operators wasn't particularly difficult. "Almost everything we did, we found on the Web," he says. "There were a few things we found through trial and error, such as when we weren't sure how something would work, or when the instructions [found on the Web] weren't very good, but most things you can pretty much find yourself."

Veterans of this process recommend working closely with the application maintenance or application development team at the outset, to make sure you don't turn off something that is essential now or will be needed in a system you're planning to build later.

Makohon also advises enterprises to check with their software's developer to ensure that they're using the most up-to-date version of the product they're planning to harden. "It doesn't make sense to tackle hardening tasks that the vendor may have already addressed," he says.

Rafter says that successful hardening requires a holistic approach that takes overall system security, performance, usability and other key factors into consideration. "It's important to perform a very thorough asset inventory and to make sure that you've covered all the potential entry points, or places where malware could be executed," he says.

While Phillips thinks of hardening as a "foolproof" means of securing systems, he adds that the technique shouldn't be used as an excuse to skimp on or ignore traditional security measures. "Hardening needs to be viewed as an 'extra,' not as an 'instead of,'" he says.

Don't Forget Training and Testing

Training is often neglected, but it should be a key part of the hardening process. Why? Because users may work very hard to circumvent hardening-created safeguards that just seem inconvenient; they need to understand why the safeguards are there.

"You still have to train your users in everyday security practices -- what to do and not to do -- because no matter what you've done to lock down [the operating system or application], within a few months there will be something out there that can bypass that. It's a moving target," Phillips says. He notes that a certain amount of rehardening is inevitable over time.

Phillips recalls a security hole that surfaced with the arrival of USB memory sticks. "We had done all this hardening, and then we discovered that you could simply take a USB drive, plug it into the USB slot, and [a window] would pop up asking, 'Do you want to run this?'"

The discovery prompted a fast repair job to modify the operating system's permissions settings. "We think our hardening solution was far more elegant than taking a hot-glue gun and filling up all the USB ports," Phillips says.

Hardening basics

Chase Carpenter, a manager in Microsoft's Windows Server unit, says a hardening strategy should focus on the following tactics:

Reducing the attack surface

* Remove nonessential tools and features.
* Disable unnecessary services and protocols.
* Remove or secure file shares.

Restricting user access

* Limit the number of user accounts.
* Curb access rights.

Protecting against known and theoretical attacks

* Configure common security settings.
* Apply necessary patches and updates.
* Use encryption where possible to protect critical data.

Using available tools to detect attacks

* Configure the system to log appropriate and inappropriate user access.
* Configure the system to make it difficult or impossible for attackers to cover their tracks.

-- John Edwards
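The tactics in the sidebar, and the baseline-versus-resulting-state idea Makohon describes, translate into a repeatable audit. The script below is an added example, not code from the article, Forté or Microsoft's tools: it checks a Windows workstation read-only against five of the sidebar's points, including the AutoRun prompt from the USB anecdote. It assumes Windows 10 or Server 2016 or later with PowerShell 5.1, run from an elevated prompt; the service and account allowlists are placeholders to be replaced with the baseline agreed with the application team.

```powershell
# Added example: read-only hardening audit against the sidebar's tactics.
# Assumes Windows 10 / Server 2016+, PowerShell 5.1+, run elevated.
# The allowlists are placeholders, not a recommended baseline.
$AllowedServices = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation',
                     'Schedule', 'WinDefend', 'wuauserv')    # placeholder
$AllowedAccounts = @('kioskuser', 'localadmin')               # placeholder
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Reduce the attack surface: running services outside the baseline.
Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $AllowedServices } |
    ForEach-Object { $Findings.Add("Service running outside baseline: $($_.Name)") }

# 2. Remove or secure file shares: anything beyond ADMIN$, IPC$ and drive shares.
Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN|IPC|[A-Z])\$$' } |
    ForEach-Object { $Findings.Add("Non-administrative share: $($_.Name) -> $($_.Path)") }

# 3. Restrict user access: enabled local accounts outside the baseline.
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -notin $AllowedAccounts } |
    ForEach-Object { $Findings.Add("Enabled local account outside baseline: $($_.Name)") }

# 4. Known attacks: the AutoRun prompt from the USB anecdote. A value of 0xFF
#    disables AutoRun for every drive type; a missing or smaller value leaves a gap.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutoRun = (Get-ItemProperty -Path $Key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($AutoRun -ne 0xFF) { $Findings.Add("AutoRun not fully disabled (NoDriveTypeAutoRun=$AutoRun)") }

# 5. Detect attacks: logon auditing must record success and failure so that both
#    appropriate and inappropriate access leave a trail.
$Logon = auditpol.exe /get /subcategory:"Logon" /r | ConvertFrom-Csv
if ($Logon.'Inclusion Setting' -ne 'Success and Failure') {
    $Findings.Add("Logon auditing is '$($Logon.'Inclusion Setting')', expected 'Success and Failure'")
}

# Report deviations; an empty list means the host matches the placeholder baseline.
if ($Findings.Count -eq 0) { 'No deviations from baseline.' } else { $Findings }
```

Run it before and after each hardening pass and keep the output with the build record, so the rehardening Phillips describes starts from a known state rather than from memory.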

The final step in hardening is testing. "Anytime security configuration changes are made, they can have an impact on manageability, usability or application compatibility," Carpenter says.

Makohon agrees. "It's important to test platform configurations not only from a functionality standpoint, but from a performance and availability standpoint after they've been hardened," he says.

All tests need to be conducted under real-world conditions. "If systems have been hardened in a test environment, can they be properly managed and accessed?" Makohon asks. "It's one thing if they can still perform their primary function, but now can you still gain the required information in order to see how they're performing, or to see what types of logs they are writing, or have [the systems] available to help further track the presence of a malicious insider or a cybercriminal?"

Phillips advises managers to do a thorough job and make sure features are removed, not just made inactive. There's a big difference between removing a feature or command and simply locking it. "If something is simply not there, users are less likely to get frustrated, as opposed to seeing a visible option that won't work," Phillips adds. There's also the possibility that an attacker could exploit a dormant feature.

However, Phillips warns managers striving for maximum protection not to harden their software to the extent that it cripples functionality. "You want some things to be restrictive, [but] the tools need to be supportive and flexible to accomplish business goals," he says. "This is something that I see IT mess up over and over again."

Makohon agrees. "Just remember," he says, "the goal is hardening, not making things harder to use."

Edwards is a technology writer in the Phoenix area. You can contact him at jedwards@gojohnedwards.com.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Copyright © 2011 IDG Communications, Inc.