Systems Hardening

Server hardening

Server hardening is a general system hardening process that involves securing the data, ports, components, functions, and permissions of a server using advanced security measures at the hardware, firmware, and software layers.

These general server security measures include, but are not limited to:

• Keeping a server’s operating system patched and updated
• Regularly updating third-party software essential to the operation of the server and removing third-party software that doesn’t conform to established cybersecurity standards
• Using strong and more complex passwords and developing strong password policies for users
• Locking user accounts if a certain number of failed login attempts are registered and removing needless accounts
• Disabling USB ports at boot
• Implementing multi-factor authentication
• Using self-encrypting drives or adwvnced encryption to conceal and protect sensitive information
• Using firmware resilience technology, memory encryption, antivirus and firewall protection

Software application hardening

Software application hardening, or just application hardening, involves updating or implementing additional security measures to protect both standard and third-party applications installed on your server.

Unlike server hardening, which focuses more broadly on securing the entire server system by design, application hardening focuses on the server’s applications, specifically, including, for example, a spreadsheet program, a web browser, or a custom software application used for a variety of reasons.

At a basic level, application hardening involves updating existing or implementing new application code to further secure a server and implementing additional software-based security measures.

Examples of application hardening include, but are not limited to:

• Patching standard and third-party applications automatically
• Using firewalls
• Using antivirus, malware, and spyware protection applications
• Using software-based data encryption
• Using processors that support SGX or SME, TSME, and SEV
• Using an application to manage and encrypt passwords for improved password storage, organization, and safekeeping
• Establishing an intrusion prevention system (IPS) or intrusion detection system (IDS)

Operating system hardening

Operating system hardening involves patching and implementing advanced security measures to secure a server’s operating system (OS). One of the best ways to achieve a hardened state for the operating system is to have updates, patches, and service packs installed automatically.

OS hardening is like application hardening in that the OS is technically a form of software. But unlike application hardening’s focus on securing standard and third-party applications, OS hardening secures the base software that gives permissions to those applications to do certain things on your server.

Oftentimes, operating system developers, do a fine and consistent job of releasing OS updates and reminding users to install these updates. These frequent updates – and we’ve all ignored them – can actually help keep your system secure and resilient to cyber attacks.

Other examples of operating system hardening include:

• Removing unnecessary drivers
• Encrypting the HDD or SSD that stores and hosts your OS
• Enabling and configuring Secure Boot
• Limiting and authenticating system access permissions
• Limiting or eliminating the creation and logging in of user accounts

Database hardening

Database hardening involves securing both the contents of a digital database and the database management system (DBMS), which is the database application users interact with to store and analyze information within a database.

Database hardening mainly involves three processes:

• Controlling for and limiting user privileges and access
• Disabling unnecessary database services and functions
• Securing or encrypting database information and resources

Types of database hardening techniques include:

• Restricting administrators and administrative privileges and functions
• Encrypting in-transit and at-rest database information
• Adhering to a role-based access control (RBAC) policy
• Regularly updating and patching database software, or the DBMS
• Turning off needless database services and functions
• Locking database accounts if suspicious login activity is detected
• Enforcing strong and more complex database passwords

Network hardening

Network hardening involves securing the basic communication infrastructure of multiple servers and computer systems operating within a given network.

Two of the main ways that network hardening is achieved are through establishing an intrusion prevention system or intrusion detection system, which are usually software-based. These applications automatically monitor and report suspicious activity in a given network and help administrators prevent unauthorized access to the network.

Network hardening techniques include properly configuring and securing network firewalls, auditing network rules and network access privileges, disabling certain network protocols and unused or unnecessary network ports, encrypting network traffic, and disabling network services and devices not currently in use or never in use.

Using these techniques in combination with an intrusion prevention or intrusion detection system reduces the network’s overall attack surface, and thus, bolsters its resistance to network-based attacks.