Overview

Hardening is the process of securing a system by reducing its vulnerability surface. The more functions a system performs, the larger its vulnerability surface; most systems, however, perform only a limited number of functions. The number of possible attack vectors can therefore be reduced by removing any software, user accounts or services that are not required by the planned system functions.

The likelihood of a successful attack can be further reduced by obfuscation: if a potential attacker cannot easily identify the software and version running on the system being attacked, known weaknesses cannot easily be exploited.


Purpose & Scope

This policy defines the procedures to be adopted for infrastructure hardening. It applies to all components of the infrastructure, including:

  • Computers
  • Servers
  • Application Software
  • Peripherals
  • Routers and switches
  • Databases

All staff must understand and use this policy. Technical staff are responsible for ensuring that the infrastructure is hardened and that any subsequent changes to systems do not affect the hardening of systems.


Risks

  • Without effective hardening there is an increased risk of the unavailability of systems. This can be caused by attackers, viruses and malware exploiting systems.
  • If external systems such as web servers and email servers advertise their type and version, it makes it easier for an attacker to exploit known weaknesses.
  • Systems which run unnecessary services and have open ports that do not need to be open are easier to attack, as those services and ports offer opportunities for attack.


Policy

The organisation’s technical infrastructure will be hardened according to this policy to minimise vulnerabilities.

Hardening Process

All new systems will undergo the following hardening process (flowchart: Install system → Remove unnecessary software → Disable or remove unnecessary usernames → Disable or remove unnecessary services → Patch system → Perform vulnerability scan → Vulnerabilities → Install anti-virus and anti-malware → Configure firewall → Production system). The process steps are as follows.

  1. Install System
    Install the systems as per the vendor’s instructions.
  2. Remove Unnecessary Software
    Many systems come with a variety of software packages to provide functionality to all users. Software that is not going to be used in a particular installation should be removed or uninstalled from the system.
  3. Disable or Remove Unnecessary Usernames
    Some systems come with a set of predefined user accounts provided to enable a variety of functions. Accounts relating to services or functions which are not used should be removed or disabled. For all accounts which are used, the default passwords should be changed. Consideration should be given to renaming predefined accounts if this will not adversely affect the system.
  4. Disable or Remove Unnecessary Services
    All services which are not going to be used in production should be disabled or removed.
  5. Patch System
    The system should be patched up to date. All relevant service packs and security patches should be applied.
  6. Perform Vulnerability Scan
    The system should be scanned with a suitable vulnerability scanner. The results of the scan should be reviewed, and any issues identified should be resolved.
  7. Vulnerabilities
    If no significant vulnerabilities remain, the system can be prepared for live use.
  8. Install Anti-Virus and Anti-Malware
    A suitable anti-virus and anti-malware package should be installed on the system to prevent malicious software from introducing weaknesses into the system.
  9. Configure Firewall
    If the system can run its own firewall, then suitable rules should be configured on the firewall to close all ports not required for production use.
  10. Production System
    The system is now ready for production use.
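The ten steps above are a checklist, and in practice the decision at step 7 is made by comparing what an inventory or vulnerability scan reports against an approved baseline for the system's role. The script below is an added example of that comparison; it is not part of this policy or any scanning product. The inventory and baseline are constructed sample data, and every package, account, service and port name in them is hypothetical.

```python
"""Baseline audit for the hardening process (added example, constructed data)."""
from copy import deepcopy
from dataclasses import dataclass

# Shells that make an account non-interactive, i.e. already disabled.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Inventory:
    """What is actually present on the host."""
    packages: set                 # installed software packages
    accounts: dict                # name -> {"shell": str, "default_password": bool}
    services: set                 # services enabled at boot
    listening_ports: set          # ports accepting connections
    pending_patches: int          # security updates not yet applied


@dataclass
class Baseline:
    """What the approved build for this role is allowed to have."""
    approved_packages: set
    required_accounts: set
    required_services: set
    allowed_ports: set


def audit(inv: Inventory, base: Baseline) -> list:
    """Compare a host against its baseline: one (step, item) finding per deviation."""
    findings = []
    # Step 2: software not on the approved list must go.
    for pkg in sorted(inv.packages - base.approved_packages):
        findings.append(("remove_software", pkg))
    # Step 3: unused accounts are disabled; used ones must lose default passwords.
    for name, attrs in sorted(inv.accounts.items()):
        if name not in base.required_accounts:
            if attrs["shell"] not in NOLOGIN_SHELLS:
                findings.append(("disable_account", name))
        elif attrs.get("default_password"):
            findings.append(("change_default_password", name))
    # Step 4: services outside the role's needs are disabled.
    for svc in sorted(inv.services - base.required_services):
        findings.append(("disable_service", svc))
    # Step 5: outstanding security patches block go-live.
    if inv.pending_patches > 0:
        findings.append(("apply_patches", inv.pending_patches))
    # Step 9: the local firewall closes every port not needed in production.
    for port in sorted(inv.listening_ports - base.allowed_ports):
        findings.append(("close_port", port))
    return findings


def remediate(inv: Inventory, findings: list) -> Inventory:
    """Return a copy of the inventory with each finding's remediation applied."""
    fixed = deepcopy(inv)
    for step, item in findings:
        if step == "remove_software":
            fixed.packages.discard(item)
        elif step == "disable_account":
            fixed.accounts[item]["shell"] = "/usr/sbin/nologin"
        elif step == "change_default_password":
            fixed.accounts[item]["default_password"] = False
        elif step == "disable_service":
            fixed.services.discard(item)
        elif step == "apply_patches":
            fixed.pending_patches = 0
        elif step == "close_port":
            fixed.listening_ports.discard(item)
    return fixed


def production_ready(inv: Inventory, base: Baseline) -> bool:
    """Step 7 decision: no open findings means the build may go live."""
    return audit(inv, base) == []


# Constructed sample: a freshly installed web server before hardening.
SAMPLE_INVENTORY = Inventory(
    packages={"openssh-server", "nginx", "telnetd", "games-pack"},
    accounts={
        "root": {"shell": "/bin/bash", "default_password": False},
        "admin": {"shell": "/bin/bash", "default_password": True},
        "guest": {"shell": "/bin/bash", "default_password": True},
        "www-data": {"shell": "/usr/sbin/nologin", "default_password": False},
    },
    services={"ssh", "nginx", "telnet", "cups"},
    listening_ports={22, 80, 23, 631},
    pending_patches=3,
)

# Constructed baseline for the hypothetical "web server" role.
WEB_BASELINE = Baseline(
    approved_packages={"openssh-server", "nginx"},
    required_accounts={"root", "admin", "www-data"},
    required_services={"ssh", "nginx"},
    allowed_ports={22, 80},
)

if __name__ == "__main__":
    for step, item in audit(SAMPLE_INVENTORY, WEB_BASELINE):
        print(f"{step:24} {item}")
    hardened = remediate(SAMPLE_INVENTORY, audit(SAMPLE_INVENTORY, WEB_BASELINE))
    print("production ready:", production_ready(hardened, WEB_BASELINE))
```

Running it lists nine findings for the sample host (two packages, one account to disable, one default password, two services, three pending patches and two open ports) and reports the remediated copy as production ready. The point of keeping the baseline per role is that the same audit rejects a package or port on one system that is required on another; the step 7 decision is then a repeatable comparison rather than a judgement made afresh for each build.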


Hardening Requirements

  • Only software that has been approved for use may be installed on the organisation’s computing devices.
  • Non-essential software applications and services will be uninstalled or disabled as appropriate.
  • Servers, PCs and laptops will be configured to prevent the execution of unauthorised software.
  • Vulnerability scanning and inventory scanning software will be configured to automatically uninstall unauthorised software.
  • BIOS passwords will be implemented on all PCs and laptops to protect against unauthorised changes.
  • The boot order of PCs and laptops will be configured to prevent unauthorised booting from alternative media.
  • All PCs and laptops will be built from a standard image. Any change to the standard image must be supported by a business case.
  • Access to the local administrator account will be restricted to members of IT Department to prevent the installation of unauthorised software and the modification of security software and controls.
  • Default passwords will be changed following installation and before use in a production environment.
  • All PCs and servers will be protected by anti-virus and anti-spyware software. The anti-virus and anti-spyware software will be configured to automatically download the latest threat databases.
  • A local firewall will be installed on all PCs and laptops. The firewall will be configured to only allow incoming traffic on approved ports and from approved sources.
  • The use of removable media will be controlled. Removable media will be controlled by endpoint protection software.
  • All servers must pass a vulnerability assessment prior to use. The servers will be scanned using the organisation’s vulnerability scanning tools. All network and operating system vulnerabilities will be rectified prior to use.
  • Public facing servers will be further hardened by obfuscation. The headers on web servers and email servers will be changed so that it is not immediately apparent what software they are running.
  • All devices on the organisation’s network will be scanned for vulnerabilities every 3 months. Any issues identified will be reviewed and rectified as appropriate.
  • All devices on the organisation’s network will be patched in accordance with the Patch Management Policy.
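The obfuscation requirement for public-facing servers needs a way to verify, during the quarterly scan, that the web and email headers really have been changed. The script below is an added example of that verification check, not part of this policy or any scanning tool: it classifies a raw HTTP response's headers and an SMTP greeting as disclosing a version, disclosing only a product name, or disclosing nothing. The responses, hostnames and header values are constructed samples of a default install and of the same server after its headers were changed.

```python
"""Check server headers and banners for software disclosure (added example)."""
import re

# Response headers that commonly advertise the product behind a public server.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")
PRODUCT_RE = re.compile(
    r"\b(apache|nginx|iis|lighttpd|tomcat|php|asp\.net|express|"
    r"postfix|exim|sendmail|microsoft)\b", re.I)


def classify(value: str):
    """'version' if a version number is visible, 'product' if only a product
    name is, None if the value gives nothing away."""
    if VERSION_RE.search(value):
        return "version"
    if PRODUCT_RE.search(value):
        return "product"
    return None


def parse_headers(raw_response: str) -> dict:
    """Split the header block of a raw HTTP response into lowercase name -> value."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:   # skip the status line
        if line == "":                               # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(raw_response: str) -> list:
    """One finding per disclosing HTTP header, in the order the server sent them."""
    findings = []
    for name, value in parse_headers(raw_response).items():
        if name in DISCLOSING_HEADERS:
            severity = classify(value)
            if severity:
                findings.append({"header": name, "value": value, "severity": severity})
    return findings


def banner_findings(banner: str) -> list:
    """The same check for a one-line greeting such as an SMTP 220 banner."""
    severity = classify(banner)
    return [{"header": "banner", "value": banner, "severity": severity}] if severity else []


# Constructed responses: a default install, then the same server after its
# headers were changed as the policy requires. Hostnames are placeholders.
DEFAULT_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: web\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
DEFAULT_SMTP = "220 mail.example.org ESMTP Postfix (Ubuntu)"
HARDENED_SMTP = "220 mail.example.org ESMTP"

if __name__ == "__main__":
    for label, raw in (("default http", DEFAULT_HTTP), ("hardened http", HARDENED_HTTP)):
        print(label, header_findings(raw))
    for label, banner in (("default smtp", DEFAULT_SMTP), ("hardened smtp", HARDENED_SMTP)):
        print(label, banner_findings(banner))
```

The default response produces two "version" findings (Server and X-Powered-By) and the default SMTP greeting a "product" finding; both hardened samples produce none. A "product" finding is still a finding under this policy, since the requirement is that it not be apparent what software is running, not merely which version. The change itself is made in the server's own configuration (for example `ServerTokens Prod` on Apache httpd or `server_tokens off` on nginx, which remove the version but still leave the product name), so this check is what confirms the configured value actually reaches the network.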


Enforcement

  • If any member of staff is found to have breached this policy, they may be subject to disciplinary action.
  • Any violation of the policy by a temporary worker, contractor or supplier may result in the termination of their contract or assignment.