Security+ Objective 1.3 Implement OS hardening practices and procedures to achieve workstation and server security

To describe hardening, we will compare your computer system to a medieval castle.  You want to protect yourself from the bad guys, so you build a strong castle with high, thick walls.  If you are the bad guy, you want to find the weakest spot and exploit that vulnerability.  You aren’t going to try to penetrate a thick stone wall if there is a thin wooden door to take advantage of.  If you are an avid movie watcher, I’m sure you’ve seen movies where the secret sewer tunnel lets someone through!  The point of hardening your system is to make it hard to penetrate by reducing the attack surface: the fewer doors, tunnels, and unguarded windows an attacker can try, the fewer ways in there are.

There are many different “thin doors” and “sewer tunnels” that a bad guy might try to get through.  Here is a list of some things you can do to harden a system:

Some steps to harden a system (typically parts of a standard hardening policy):

  • Apply company security templates and configuration baselines
    • Company-defined configuration settings should be more secure than the out-of-the-box defaults
  • Close unnecessary network ports
    • If you never use a “door”, seal it off: a port that is not listening cannot be attacked
  • Install only needed software, remove everything else
    • Every extra package can open another doorway for the bad guys and is one more thing you have to keep patched
  • Disable all non-required/unused services
    • Unused services are rarely configured or secured correctly, and because nobody is watching them, attacks against them can go unnoticed
  • Network-based patch management
    • Push patches to the clients from a central server instead of hoping users patch their own machines
  • Limit administrative privileges
    • Don’t give too many people the keys to the castle; use standard (non-administrator) accounts for day-to-day work
  • Install a strong software (host-based) firewall
    • Check all the traffic coming in and out of your castle, not just at the network perimeter
  • Apply all system patches and service packs
    • Hotfixes, patches, and service packs obtained from the manufacturer’s website often address security weaknesses
    • Keep applying them: each new manufacturer update seals off newly discovered vulnerabilities, and an unpatched server is exposed to every exploit published since its last update
  • Change default passwords in hardware and software
    • The bad guys can look up the documented default passwords and gain administrative access to your systems if you don’t change them!
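As an added example (not code from the original post), here is a small POSIX shell audit that checks a host against the baseline items above: listening ports that are not on the allowlist, enabled services that are not on the allowlist, and accounts still using a documented default password.  The allowlists, the sample `ss` and `systemctl` output, and the default-credential list are all constructed for this example; on a real host you would pipe in the live command output and a full default-password wordlist.

```shell
#!/bin/sh
# Hardening audit helpers: compare what a host listens on, which services are
# enabled, and which credentials are in use against a company baseline.
# The baseline values and every "sample" below are constructed for this
# example; on a real host replace them with the output of the real commands.

# Hypothetical baseline: the only ports and services the policy permits.
ALLOWED_PORTS="22 443"
ALLOWED_SERVICES="sshd cron rsyslog"

# Constructed sample of `ss -H -lntu` output (netid state recv-q send-q local peer).
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111      0.0.0.0:*
tcp   LISTEN 0 128 [::]:23          [::]:*'

# Constructed sample of `systemctl list-unit-files --type=service --state=enabled --no-legend`.
SAMPLE_UNITS='sshd.service     enabled
cron.service     enabled
rsyslog.service  enabled
telnet.service   enabled
cups.service     enabled'

# Constructed short list of vendor default credentials (user:password).
# A real audit uses a full default-credential wordlist.
DEFAULT_CREDS='admin:admin
admin:password
root:root
root:toor
admin:1234'

# unexpected_ports SS_OUTPUT ALLOWLIST
# Prints every listening/bound port that is not in the allowlist, one per line.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            port = $5
            sub(/.*:/, "", port)       # keep only the port; works for [::]:23 too
            if (!(port in ok)) print port
        }' | sort -un
}

# unexpected_services UNIT_LIST ALLOWLIST
# Prints every enabled service whose unit name is not in the allowlist.
unexpected_services() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "enabled" {
            name = $1
            sub(/\.service$/, "", name)
            if (!(name in ok)) print name
        }'
}

# is_default_cred USER PASSWORD
# Exit status 0 if the pair is a documented vendor default, 1 otherwise.
is_default_cred() {
    printf '%s\n' "$DEFAULT_CREDS" | grep -qxF -- "$1:$2"
}

# audit_findings
# Prints the total number of baseline deviations found in the sample data.
audit_findings() {
    p=$(unexpected_ports "$SAMPLE_SS" "$ALLOWED_PORTS" | wc -l | tr -d ' ')
    s=$(unexpected_services "$SAMPLE_UNITS" "$ALLOWED_SERVICES" | wc -l | tr -d ' ')
    echo $((p + s))
}

# Report for the sample host.
echo "Listening ports outside the baseline:"
unexpected_ports "$SAMPLE_SS" "$ALLOWED_PORTS"
echo "Enabled services outside the baseline:"
unexpected_services "$SAMPLE_UNITS" "$ALLOWED_SERVICES"
if is_default_cred admin admin; then
    echo "Account 'admin' still uses a vendor default password"
fi
echo "Total findings: $(audit_findings)"
```

Run it as a scheduled check or push it out from the patch-management server: a non-zero finding count means the host has drifted from the baseline (here, telnet and portmapper listening, MySQL bound on the loopback interface, two services enabled that the policy never allowed, and an unchanged default password).  The same allowlist-versus-actual pattern works for any other baseline item you can express as a list.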

Real-world note: ATMs that many people use for everyday banking have been compromised because the default passwords were never changed after installation.  Systems ranging from a grandma’s home PC to powerful government servers have been exploited because security patches were never installed.  Many sad stories can be avoided by hardening your systems properly.

CompTIA expects you to know all the items on this list, some of which are described in more detail in the upcoming posts.
