Perform operating system hardening
Overview
This standard is about performing operating system hardening.
Operating system (OS) hardening is the process of securing a server or computer system by minimising its attack surface, that is, the set of points at which it can be attacked, and the attack vectors available against it. It is a form of protection against cyberattack that closes the weaknesses present in a default installation, which attackers could otherwise use to compromise the system and gain access to users’ data.
Performing operating system hardening involves removing or disabling unnecessary system applications, user accounts and other features that attackers could exploit to gain access to organisational networks. The aim is to reduce the system’s attack surface, which is often the entry point for malicious activity. OS hardening also includes patching and applying further security measures to protect a server’s OS: understanding its vulnerabilities, performing an OS risk assessment to identify the areas of greatest risk, and resolving the risks unique to that OS environment.
This standard is for those who need to undertake operating system hardening as part of their duties.
Performance criteria
You must be able to:
- Evaluate organisational system needs to identify the types of endpoint devices used and the attack surface presented
- Perform an audit of the existing system to determine current vulnerabilities that require remediation
- Review and apply organisational system hardening standards to plan elimination of unnecessary features
- Plan system hardening activities to prioritise scheduling of system vulnerability remediation
- Develop system patching procedures to specify timely application of Operating System (OS) patches and updates
- Install OS patches and updates in line with organisational procedures
- Remove unnecessary software, drivers, libraries or services in line with organisational procedures
- Encrypt the drive that stores and hosts the OS so that data at rest is protected, in line with organisational procedures
- Review and limit access and authentication permissions in line with the Principle of Least Privilege (PoLP)
- Manage the creation and updating of privileges of user accounts in line with organisational procedures
- Delete or disable unnecessary user accounts in line with organisational procedures
- Change default passwords to strong passwords in line with organisational procedures
- Limit the privileges assigned to software applications running on the OS and restrict super-user privileges in line with organisational procedures
- Implement separation of duties for system administrators to reduce the risk of system damage
- Identify and disable all communication ports and protocols that are not required, so that unneeded access points are closed
- Identify and remove all development tools such as compilers from production OS in line with organisational procedures
- Validate and update endpoint security systems and firewalls in line with organisational procedures
- Produce system hardening reports to document the vulnerabilities identified, OS hardening activities undertaken and patching procedures implemented
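The audit, prioritisation, remediation and reporting criteria above, as an added worked example that is not part of this standard: a Python script that parses constructed snapshots of a Linux host (an /etc/passwd extract, `ss -tlnH` listening-socket output, the installed-package list and the pending-update list; none of them taken from a real machine), checks them against an assumed organisational baseline, classifies each finding as high, medium or low impact and orders the report so that remediation is scheduled by impact. The baseline sets REQUIRED_ACCOUNTS, REQUIRED_PORTS and DEV_TOOLS, the cleartext-protocol table and the impact rules are assumptions chosen for illustration, not requirements stated by the standard.

```python
"""Added example: OS hardening audit that ranks findings by impact.

All inputs below are constructed samples, not captured from a real host.
The baseline sets and impact rules are assumptions for illustration.
"""
from dataclasses import dataclass

# --- Constructed snapshots of the host being audited -----------------------
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
contractor:x:1001:1001:left 2023:/home/contractor:/bin/bash
backup2:x:0:0:spare root:/root:/bin/bash
"""
# Same column layout as `ss -tlnH`: State Recv-Q Send-Q Local:Port Peer:Port
LISTENING = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
"""
INSTALLED = ["openssh-server", "nginx", "gcc", "make", "gdb", "cups"]
# (package, repository the pending update comes from)
PENDING = [("openssl", "security"), ("vim", "updates")]

# --- Assumed organisational baseline for this server role ------------------
REQUIRED_ACCOUNTS = {"root", "admin"}        # interactive logins allowed
REQUIRED_PORTS = {22, 443}                   # services this role must expose
DEV_TOOLS = {"gcc", "g++", "make", "gdb", "clang"}
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
IMPACT_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    impact: str   # high / medium / low, drives remediation scheduling
    item: str     # what was found
    action: str   # hardening action to record in the report


def audit_accounts(passwd_text):
    """Flag extra UID 0 accounts (high) and unneeded interactive logins (medium)."""
    findings = []
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if name == "root":
            continue
        if uid == "0":
            findings.append(Finding("high", f"account {name}",
                                    "remove: second UID 0 account bypasses root controls"))
        elif not shell.endswith("nologin") and name not in REQUIRED_ACCOUNTS:
            findings.append(Finding("medium", f"account {name}",
                                    "disable or delete: interactive login not required"))
    return findings


def audit_ports(ss_text):
    """Flag listening ports outside the baseline; cleartext protocols rank highest."""
    findings = []
    for line in ss_text.splitlines():
        addr, port = line.split()[3].rsplit(":", 1)
        port = int(port)
        if port in REQUIRED_PORTS:
            continue
        if port in CLEARTEXT_PORTS:
            findings.append(Finding("high", f"port {port} ({CLEARTEXT_PORTS[port]})",
                                    "disable service: protocol carries credentials in clear"))
        elif addr.startswith("127."):
            findings.append(Finding("low", f"port {port} (loopback only)",
                                    "disable service if not needed locally"))
        else:
            findings.append(Finding("medium", f"port {port}",
                                    "disable service or block port at the host firewall"))
    return findings


def audit_packages(installed):
    """Development tools on a production host are medium impact: remove them."""
    return [Finding("medium", f"package {p}", "remove development tool from production OS")
            for p in installed if p in DEV_TOOLS]


def audit_patches(pending):
    """Pending security updates are high impact; other updates follow the normal cycle."""
    return [Finding("high" if repo == "security" else "low", f"update {pkg}",
                    "apply in line with the patching procedure")
            for pkg, repo in pending]


def run_audit():
    """Collect all findings and order them high > medium > low for scheduling."""
    findings = (audit_accounts(PASSWD) + audit_ports(LISTENING)
                + audit_packages(INSTALLED) + audit_patches(PENDING))
    return sorted(findings, key=lambda f: (IMPACT_ORDER[f.impact], f.item))


def report(findings):
    """Render the hardening report that documents what was found and what to do."""
    lines = ["Hardening audit report", "======================"]
    lines += [f"[{f.impact.upper():6}] {f.item}: {f.action}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_audit()))
```

On a real host the snapshots would come from reading /etc/passwd, running `ss -tlnH` and querying the package manager for installed and upgradable packages; the check functions take the captured text as input so the same script can be re-run after remediation to confirm that each reported finding has been closed.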
Knowledge and Understanding
You need to know and understand:
- How to identify the OS features required by an organisation
- How to audit current OS implementations to identify vulnerabilities
- The basic principles of operating system hardening
- Industry standard OS hardening frameworks and standards used to guide hardening activities
- Security features of industry standard operating systems
- Operating system security principles and models
- How to classify OS hardening activities into categories of low, medium, and high impact
- How to rank OS hardening activities to align the sequence to the level of impact
- The steps involved in developing an OS hardening plan
- The organisational OS patching procedures and how to apply them
- The importance of timely application of OS patches and updates
- The steps involved in updating and patching organisational OS
- How to implement automatic updating of OS with patches and updates
- How to identify and remove unnecessary software, drivers, libraries and services from OS
- Why it is important to encrypt OS storage drives and how to implement this
- The principle of least privilege (PoLP) for managing user access and authentication and how to implement it
- How the operating system authenticates users and security domains so it can decide whether or not they can access certain resources
- How to manage the creation and updating of privileges of user accounts
- The importance of deleting or disabling unnecessary user accounts
- The importance of changing default passwords and maintaining strong user-set passwords
- The steps involved in implementing multiple administrator accounts with different sets of privileges
- How to maintain separation of duties to reduce the risk of serious damage
- The industry standard communication ports and protocols and how to identify them
- The steps involved in disabling ports and protocols that are not required
- The importance of separating development tools from production environments
- How to validate and update endpoint security systems and firewalls
- How to document the activities and outcomes of OS hardening