System hardening is one of the most important areas in information security. Still many companies don’t pay attention to this process, leaving systems open for attackers to break-in.
Most systems running Linux or similar, already provide a bare minimal install option. While that is a great start, hardening should be an ongoing process. During OS installation, software installation and adding new system accounts.
All user accounts which are not used, should be removed. Another alternative is properly disabling them or limiting them, like functional accounts. So they can still be used for running a process, but not actively used for logins.
Access to resources should be limited as possible. By default, users and processes should not be able to access sensitive areas. Only if they are authorized, they should be added to the appropriate access groups, or added to the related access control lists.
Network services are often the first to be targeted by attackers. Any unused service, especially those on the network, should be disabled. Additionally services which are required on the internal network, could be filtered with firewalls. This way only authorized systems can access the related service.
Weak passwords are a common issue and cause for break-ins. By applying password policies, we can force users to choose more safe passwords. Password complexity also include reuse of passwords, character sets and the interval to change passwords.
Besides weak passwords, software weaknesses make a system very vulnerable. Regular software upgrades, or applying security patches, keep a system secure. System hardening is not done during OS installation, but is an ongoing process.