A.25. System Hardening Basics

No computer is ever without vulnerabilities. It is not possible to make a fully secured, impenetrable system. However, it is possible to make a system so secure that most attacks will fail and those that don't will be noticed before significant damage is done. Fully hardening a system is beyond the scope of this appendix, but the foundations of system hardening are well within your grasp.

System hardening has many facets, but one core and overriding principle to follow is this: If you don't need it, get rid of it. By eliminating all but the bare essentials needed to accomplish your work tasks, you remove numerous vulnerabilities and avenues of attack. Any active process that is not actually being used is simply increasing the complexity of the environment and expanding your attack surface.

The attack surface is the sum of everything on a system that an attacker can reach and interact with: listening network services, running processes, installed software, enabled protocols, and attached devices. A nonhardened system is said to have a larger attack surface than a hardened one because more of these exposed components, and whatever vulnerabilities they carry, are available for the attacker to target. Your job is to understand your systems thoroughly enough to know what is essential and what is extraneous.

One obvious place to start removing the chaff from a computer system is to examine its services. After you think you know which services are extraneous, you need to test them one by one. Here is the basic process:

  1. Perform a systemwide backup (an image-level backup is preferred for complete recovery ability).

  2. Disable a single service.

  3. Reboot the system.

  4. Verify that the service is not running: confirm that its process is absent and that it no longer owns any listening network port.

  5. Test all required features, functions, and capabilities, both locally and on the network.

  6. If all is working as needed, leave this service disabled and repeat the process, starting with step 2, for another service.

  7. If all is not working as needed, reenable this service, reboot, and start again with step 2 for another service.

Obviously, this process will take considerable time because there are often dozens of services on basic systems to consider. However, as you learn more about the services themselves and the system you are managing, this process can be truncated greatly. You'll soon recognize which services can be disabled without negative consequences and thus you won't need to test every service change.

This "keep it only if you need it" mentality should be applied to every aspect of your computer, from hardware to software. Don't install or keep installed any hardware device that is not used on a regular basis, especially if it is an internal device. Keep external devices, such as USB devices or other automatically installable connection devices, disconnected and powered off until they are actually needed.

As for software, be careful about installing anything new, especially if it comes from the Internet. Go out of your way to verify the source's identity and reliability before downloading. Then check the file for authenticity and integrity before you launch it. The filename, time/date stamps, and exact file size are cheap sanity checks, but an attacker who can substitute a file can match all three, so on their own they prove nothing. Compare the file's hash value against one the vendor publishes over a separate channel, and verify the vendor's certificate or digital signature on the file (or on the published hash list); those are the checks that actually tie the file to its source.
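The hash comparison described above, as an added Python example that is not part of the original text: it recomputes a downloaded file's SHA-256 in chunks, looks up the entry for that filename in a `sha256sum`-style digest list, compares the two in constant time, and shows that a tampered copy of identical size still fails. The digest list, the payload bytes, and the artifact name `tool-1.2.tar.gz` are constructed for illustration. Verifying the publisher's signature on the digest list itself (for example with `gpg --verify SHA256SUMS.gpg SHA256SUMS`) is the separate step that makes the list trustworthy and is not shown here.

```python
"""Integrity check of a downloaded file against a published digest list.

Added example; not from the original text. Recomputes SHA-256, compares it
in constant time against the published value for the filename, and treats
a malformed checksum file as an error rather than something to skip.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash in chunks so a large download is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text: str) -> dict[str, str]:
    """Parse '<64 hex chars>  <filename>' lines (sha256sum also emits ' *<filename>'
    in binary mode). A damaged entry raises: a corrupt checksum file must stop
    the install, not quietly leave a file unverified."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed digest entry on line {lineno}")
        expected[name] = digest
    return expected


def verify_download(path: str, sums_text: str,
                    expected_size: int | None = None) -> tuple[bool, str]:
    """Return (ok, reason). Size is only a cheap pre-check; the digest decides."""
    name = os.path.basename(path)
    expected = parse_sums(sums_text)
    if name not in expected:
        return False, "no published digest for this filename"
    if expected_size is not None and os.path.getsize(path) != expected_size:
        return False, "size mismatch"
    actual = sha256_file(path)
    # compare_digest avoids leaking, through timing, how many leading
    # characters an attacker-controlled file got right.
    if not hmac.compare_digest(actual, expected[name]):
        return False, "digest mismatch"
    return True, "digest matches published value"


def demo() -> tuple[tuple[bool, str], tuple[bool, str], tuple[bool, str]]:
    """Constructed scenario: a genuine download, a same-size tampered copy, and a
    file the digest list does not cover. 'tool-1.2.tar.gz' is a hypothetical name."""
    payload = b"#!/bin/sh\necho installing tool 1.2\n"
    tampered = payload.replace(b"installing", b"infecting!")  # same length
    sums = f"{hashlib.sha256(payload).hexdigest()}  tool-1.2.tar.gz\n"
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for sub, data, fname in (("good", payload, "tool-1.2.tar.gz"),
                                 ("bad", tampered, "tool-1.2.tar.gz"),
                                 ("other", payload, "tool-1.3.tar.gz")):
            os.mkdir(os.path.join(d, sub))
            paths[sub] = os.path.join(d, sub, fname)
            with open(paths[sub], "wb") as f:
                f.write(data)
        size = len(payload)
        return (verify_download(paths["good"], sums, size),
                verify_download(paths["bad"], sums, size),
                verify_download(paths["other"], sums, size))


if __name__ == "__main__":
    for label, result in zip(("genuine", "tampered", "unlisted"), demo()):
        print(f"{label:9s} -> {result}")
```

The tampered copy passes the size pre-check and fails only on the digest, which is the point: size and name tell you a download is not obviously broken, the hash tells you it is the bytes the publisher meant, and the publisher's signature on the hash list tells you who published it.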

Only install software you actually need and will regularly use. If you find yourself often "test-driving" new software and then removing it later, consider creating a test-drive system, which can be a completely separate physical computer or just a virtual machine in a hypervisor such as VMware or Virtual Server. A test-drive system provides you with two security improvements. First, it greatly reduces the risk of installing malicious code onto your primary system. Second, it prevents you from cluttering your primary system with unneeded, useless software. Even if you elect to uninstall software, it often leaves traces of itself in the form of Registry entries, data folders, configuration files, and shortcuts. These orphaned items clutter the system, can eventually cause performance and storage problems, and might be increasing your attack surface. Each time you test-drive new software, discard the virtual machine (or revert it to a clean snapshot) and start fresh for the next program down the road.

Review all of the software utilities and add-ons that come with the OS. If you don't need them, remove them or prevent them from loading. Disable all unneeded protocols.

When you've completed the hardware/software weight-loss program, take a complete inventory of the resultant system (installed software, enabled services, listening ports, and every configuration change you made) and create an image-level backup. The inventory documents what a hardened build of this computer looks like, and the image lets you reconstitute it quickly in the event of a major catastrophe. Securing a new system is always a long and involved process, but with detailed documentation and good backup solutions, rebuilding, duplicating, or improving a secured system is much simpler the next time.

Once you know what you are left with, you need to perform more research to learn about the strengths and weaknesses of every aspect of the OS, active services, employed protocols, and installed software. After you know the vulnerabilities, methods, and tools of attacks, along with the resultant risks, you can take steps to reduce the risks by implementing safeguards and countermeasures.
