Share this
System Hardening: An Easy-to-Understand Overview
by Brett Daniel on Apr 14, 2021 4:04:57 PM
Graphic: System hardening is all about protecting your server or workstation.
Did you know that the U.S. government allocated an estimated $18.78 billion for cybersecurity spending in 2021?
The reason why is made clear in the U.S. Department of Defense's Cyber Strategy Report:
Competitors deterred from engaging the United States and our allies in an armed conflict are using cyberspace operations to steal our technology, disrupt our government and commerce, challenge our democratic processes, and threaten our critical infrastructure.
As such, many companies supporting and selling servers and workstations to the DoD are turning to advanced system hardening tools and best practices to improve the security of their servers and other computer systems, oftentimes as a prerequisite for doing business with the DoD.
In this blog post, we'll discuss system hardening, its importance, the types of system hardening, how system hardening is achieved, and more. By the end, you should know what steps to take to begin or expand upon your system hardening processes and procedures.
Graphic: System hardening involves reducing a server's or workstation's attack surface.
What does system hardening mean?
System hardening is the process of securing a server or computer system by minimizing its attack surface, or surface of vulnerability, and potential attack vectors. It’s a form of cyberattack protection that involves closing system loopholes that cyberattackers frequently use to exploit the system and gain access to users’ sensitive data.
One official definition of system hardening, according to the National Institute of Standards and Technology (NIST), is that it’s “a process intended to eliminate a means of attack by patching vulnerabilities and turning off non-essential services.”
Part of the system hardening elimination process involves deleting or disabling needless system applications, permissions, ports, user accounts, and other features so that attackers have fewer opportunities to gain access to a mission-critical or critical-infrastructure computer system's sensitive information.
But at its core, system hardening is a method for protecting a system against attacks perpetrated by cybercriminals. It involves securing a computer system’s software mainly but also its firmware and other system elements to reduce vulnerabilities and a potential compromise of the entire system.
Now you know why system hardening exists, but you might be wondering about its practical purpose and why businesses and organizations implement system hardening practices.
The basic purpose of implementing system hardening techniques and practices is to simply minimize the number of potential entryways an attacker could use to access your system and to do so from inception. This is oftentimes referred to as following a secure-by-design philosophy.
Graphic: There are a few different types of system hardening, but they're all interrelated.
What are the types of system hardening?
System hardening involves securing not only a computer’s software applications, including the operating system, but also its firmware, databases, networks, and other critical elements of a given computer system that an attacker could exploit.
There are five main types of system hardening:
- Server hardening
- Software application hardening
- Operating system hardening
- Database hardening
- Network hardening
It’s important to note that the types of system hardening are broad enough to be universal and translate well across different server and computer system configurations; however, the methods and tools used to practically achieve a hardened or secure-by-design state vary widely.
But for now, let’s review the purpose of each type of system hardening.
Server hardening
Server hardening is a general system hardening process that involves securing the data, ports, components, functions, and permissions of a server using advanced security measures at the hardware, firmware, and software layers.
These general server security measures include, but are not limited to:
- Keeping a server’s operating system patched and updated
- Regularly updating third-party software essential to the operation of the server and removing third-party software that doesn’t conform to established cybersecurity standards
- Using strong and more complex passwords and developing strong password policies for users
- Locking user accounts if a certain number of failed login attempts are registered and removing needless accounts
- Disabling USB ports at boot
- Implementing multi-factor authentication
- Using self-encrypting drives or AES encryption to conceal and protect sensitive information
- Using firmware resilience technology, memory encryption, antivirus and firewall protection, and advanced cybersecurity suites specific to your operating system, such as Titanium Linux
Software application hardening
Software application hardening, or just application hardening, involves updating or implementing additional security measures to protect both standard and third-party applications installed on your server.
Unlike server hardening, which focuses more broadly on securing the entire server system by design, application hardening focuses on the server’s applications, specifically, including, for example, a spreadsheet program, a web browser, or a custom software application used for a variety of reasons.
At a basic level, application hardening involves updating existing or implementing new application code to further secure a server and implementing additional software-based security measures.
Examples of application hardening include, but are not limited to:
- Patching standard and third-party applications automatically
- Using firewalls
- Using antivirus, malware, and spyware protection applications
- Using software-based data encryption
- Using CPUs that support Intel Software Guard Extensions (SGX)
- Using an application like LastPass to manage and encrypt passwords for improved password storage, organization, and safekeeping
- Establishing an intrusion prevention system (IPS) or intrusion detection system (IDS)
Operating system hardening
Operating system hardening involves patching and implementing advanced security measures to secure a server’s operating system (OS). One of the best ways to achieve a hardened state for the operating system is to have updates, patches, and service packs installed automatically.
OS hardening is like application hardening in that the OS is technically a form of software. But unlike application hardening’s focus on securing standard and third-party applications, OS hardening secures the base software that gives permissions to those applications to do certain things on your server.
Oftentimes, operating system developers, such as Microsoft and Linux, do a fine and consistent job of releasing OS updates and reminding users to install these updates. These frequent updates - and we’ve all ignored them - can actually help keep your system secure and resilient to cyberattacks.
Other examples of operating system hardening include:
- Removing unnecessary drivers
- Encrypting the HDD or SSD that stores and hosts your OS
- Enabling and configuring Secure Boot
- Limiting and authenticating system access permissions
- Limiting or eliminating the creation and logging in of user accounts
Database hardening
Database hardening involves securing both the contents of a digital database and the database management system (DBMS), which is the database application users interact with to store and analyze information within a database.
Database hardening mainly involves three processes:
- Controlling for and limiting user privileges and access
- Disabling unnecessary database services and functions
- Securing or encrypting database information and resources
Types of database hardening techniques include:
- Restricting administrators and administrative privileges and functions
- Encrypting in-transit and at-rest database information
- Adhering to a role-based access control (RBAC) policy
- Regularly updating and patching database software, or the DBMS
- Turning off needless database services and functions
- Locking database accounts if suspicious login activity is detected
- Enforcing strong and more complex database passwords
Network hardening
Network hardening involves securing the basic communication infrastructure of multiple servers and computer systems operating within a given network.
Two of the main ways that network hardening is achieved are through establishing an intrusion prevention system or intrusion detection system, which are usually software-based. These applications automatically monitor and report suspicious activity in a given network and help administrators prevent unauthorized access to the network.
Network hardening techniques include properly configuring and securing network firewalls, auditing network rules and network access privileges, disabling certain network protocols and unused or unnecessary network ports, encrypting network traffic, and disabling network services and devices not currently in use or never in use.
Using these techniques in combination with an intrusion prevention or intrusion detection system reduces the network’s overall attack surface, and thus, bolsters its resistance to network-based attacks.
Photo: The NIST maintains one of several system hardening standards.
What are some system hardening standards?
Several industry standards and guidelines for system hardening exist. The National Institute of Standards and Technology (NIST), the Computer Information Security (CIS) Center for Internet Security, and Microsoft, for example, all maintain standards for system hardening best practices.
For example, system hardening best practices outlined by the NIST in Special Publication (SP) 800-123, a document focused entirely on system hardening, include:
- Establishing a system security plan
- Patching and updating the OS
- Removing or disabling unnecessary services, applications, and network protocols
- Configuring OS user authentication
- Configuring resource controls appropriately
- Selecting and implementing authentication and encryption technologies
Another example of a system hardening standard is CIS Benchmarks, an expansive collection of more than 100 system hardening configuration guidelines addressing vendor-specific desktops and web browsers, mobile devices, network devices, server operating systems, virtualization platforms, the cloud, and commonly used software applications.
The CIS Center's system hardening standards are accepted by government, business, industry, and academia. Relevant CIS benchmarks are available for download free of charge on the organization’s Free Benchmarks PDFs webpage.
How can I harden my system?
System hardening is a dynamic and variable process. One of the best ways to begin or expand upon the system hardening process is to follow a system hardening checklist or a system hardening standard, such as those published by the NIST or CIS Center.
Generally, how you harden your system depends on your server’s configuration, operating system, software applications, hardware, among other variables.
The system hardening standards and guidelines published by the NIST and CIS Center for Internet Security, for example, discuss system hardening techniques specific to Microsoft Windows, Unix, and Linux.
So, if you’re curious about how to begin the system hardening process, reading the NIST’s Special Publication 800-123 and the CIS Center for Internet Security’s free benchmark PDFs is a good place to start. You can then, if necessary, consult with an experienced cybersecurity professional on how to move forward with implementing these standards’ recommended processes and best practices within your business or organization.
There are some common and transferrable system hardening practices of which you should be aware, however. We've put a few best practices in the checklist below.
A good system hardening checklist usually contains the following action items:
- Have users create strong passwords and change them regularly
- Remove or disable all superfluous drivers, services, and software
- Set system updates to install automatically
- Limit unauthorized or unauthenticated user access to the system
- Document all errors, warnings, and suspicious activity
Photo: Trenton Systems' 3U BAM Server, a hardened, cyber-resilient rugged server.
Conclusion: Trenton Systems hardens its servers from inception.
Trenton Systems partners with leading cybersecurity companies and is able to make changes to its server hardware, firmware, and software in an effort to further secure, or harden, its servers and workstations.
The 3U BAM Server is our most recent shining example of trusted computing and system hardening. The BAM is secured by Intel PFR, Intel SGX, and Intel TME, and we can even make changes to its ports, further secure its BIOS, among other enhancements, to ensure that your BAM server is as cyber-resilient as possible.
In addition, Star Lab, a Wind River company and Trenton Systems software technology partner, offers the Titanium Security Suite for Linux operating systems. Through our partnership with Star Lab, we can incorporate this suite for customers upon request. We can also incorporate FUTURA Cyber's self-encrypting drive security manager to assist with the management of FIPS 140-2 SEDs.
For more information about acquiring a secure, hardened rugged server or workstation, reach out to us. Our in-house cybersecurity experts and cybersecurity technology partners are here to assist you every step of the way.
Share this
- High-performance computers (42)
- Military computers (38)
- Rugged computers (32)
- Cybersecurity (25)
- Industrial computers (25)
- Military servers (24)
- MIL-SPEC (20)
- Rugged servers (19)
- Press Release (17)
- Industrial servers (16)
- MIL-STD-810 (16)
- 5G Technology (14)
- Intel (13)
- Rack mount servers (12)
- processing (12)
- Computer hardware (11)
- Edge computing (11)
- Rugged workstations (11)
- Made in USA (10)
- Partnerships (9)
- Rugged computing (9)
- Sales, Marketing, and Business Development (9)
- Trenton Systems (9)
- networking (9)
- Peripheral Component Interconnect Express (PCIe) (7)
- Encryption (6)
- Federal Information Processing Standards (FIPS) (6)
- GPUs (6)
- IPU (6)
- Joint All-Domain Command and Control (JADC2) (6)
- Server motherboards (6)
- artificial intelligence (6)
- Computer stress tests (5)
- Cross domain solutions (5)
- Mission-critical servers (5)
- Rugged mini PCs (5)
- AI (4)
- BIOS (4)
- CPU (4)
- Defense (4)
- Military primes (4)
- Mission-critical systems (4)
- Platform Firmware Resilience (PFR) (4)
- Rugged blade servers (4)
- containerization (4)
- data protection (4)
- virtualization (4)
- Counterfeit electronic parts (3)
- DO-160 (3)
- Edge servers (3)
- Firmware (3)
- HPC (3)
- Just a Bunch of Disks (JBOD) (3)
- Leadership (3)
- Navy (3)
- O-RAN (3)
- RAID (3)
- RAM (3)
- Revision control (3)
- Ruggedization (3)
- SATCOM (3)
- Storage servers (3)
- Supply chain (3)
- Tactical Advanced Computer (TAC) (3)
- Wide-temp computers (3)
- computers made in the USA (3)
- data transfer (3)
- deep learning (3)
- embedded computers (3)
- embedded systems (3)
- firmware security (3)
- machine learning (3)
- Automatic test equipment (ATE) (2)
- C6ISR (2)
- COTS (2)
- COVID-19 (2)
- Compliance (2)
- Compute Express Link (CXL) (2)
- Computer networking (2)
- Controlled Unclassified Information (CUI) (2)
- DDR (2)
- DDR4 (2)
- DPU (2)
- Dual CPU motherboards (2)
- EW (2)
- I/O (2)
- Military standards (2)
- NVIDIA (2)
- NVMe SSDs (2)
- PCIe (2)
- PCIe 4.0 (2)
- PCIe 5.0 (2)
- RAN (2)
- SIGINT (2)
- SWaP-C (2)
- Software Guard Extensions (SGX) (2)
- Submarines (2)
- Supply chain security (2)
- TAA compliance (2)
- airborne (2)
- as9100d (2)
- chassis (2)
- data diode (2)
- end-to-end solution (2)
- hardware security (2)
- hardware virtualization (2)
- integrated combat system (2)
- manufacturing reps (2)
- memory (2)
- mission computers (2)
- private 5G (2)
- protection (2)
- secure by design (2)
- small form factor (2)
- software security (2)
- vRAN (2)
- zero trust (2)
- zero trust architecture (2)
- 3U BAM Server (1)
- 4G (1)
- 4U (1)
- 5G Frequencies (1)
- 5G Frequency Bands (1)
- AI/ML/DL (1)
- Access CDS (1)
- Aegis Combat System (1)
- Armed Forces (1)
- Asymmetric encryption (1)
- C-RAN (1)
- COMINT (1)
- CPUs (1)
- Cloud-based CDS (1)
- Coast Guard (1)
- Compliance testing (1)
- Computer life cycle (1)
- Containers (1)
- D-RAN (1)
- DART (1)
- DDR5 (1)
- DMEA (1)
- Data Plane Development Kit (DPDK) (1)
- Defense Advanced Research Projects (DARP) (1)
- ELINT (1)
- EMI (1)
- EO/IR (1)
- Electromagnetic Interference (1)
- Electronic Warfare (EW) (1)
- FIPS 140-2 (1)
- FIPS 140-3 (1)
- Field Programmable Gate Array (FPGA) (1)
- Ground Control Stations (GCS) (1)
- Hardware-based CDS (1)
- Hybrid CDS (1)
- IES.5G (1)
- ION Mini PC (1)
- IP Ratings (1)
- IPMI (1)
- Industrial Internet of Things (IIoT) (1)
- Industry news (1)
- Integrated Base Defense (IBD) (1)
- LAN ports (1)
- LTE (1)
- Life cycle management (1)
- Lockheed Martin (1)
- MIL-S-901 (1)
- MIL-STD-167-1 (1)
- MIL-STD-461 (1)
- MIL-STD-464 (1)
- MOSA (1)
- Multi-Access Edge Computing (1)
- NASA (1)
- NIC (1)
- NIC Card (1)
- NVMe (1)
- O-RAN compliant (1)
- Oil and Gas (1)
- OpenRAN (1)
- P4 (1)
- PCIe card (1)
- PCIe lane (1)
- PCIe slot (1)
- Precision timestamping (1)
- Product life cycle (1)
- ROM (1)
- Raytheon (1)
- Remotely piloted aircraft (RPA) (1)
- Rugged computing glossary (1)
- SEDs (1)
- SIM Card (1)
- Secure boot (1)
- Sensor Open Systems Architecture (SOSA) (1)
- Small form-factor pluggable (SFP) (1)
- Smart Edge (1)
- Smart NIC (1)
- SmartNIC (1)
- Software-based CDS (1)
- Symmetric encryption (1)
- System hardening (1)
- System hardening best practices (1)
- TME (1)
- Tech Partners (1)
- Total Memory Encryption (TME) (1)
- Transfer CDS (1)
- USB ports (1)
- VMEbus International Trade Association (VITA) (1)
- Vertical Lift Consortium (VLC) (1)
- Virtual machines (1)
- What are embedded systems? (1)
- Wired access backhaul (1)
- Wireless access backhaul (1)
- accredidation (1)
- aerospace (1)
- air gaps (1)
- airborne computers (1)
- asteroid (1)
- authentication (1)
- autonomous (1)
- certification (1)
- cognitive software-defined radios (CDRS) (1)
- command and control (C2) (1)
- communications (1)
- cores (1)
- custom (1)
- customer service (1)
- customer support (1)
- data linking (1)
- data recording (1)
- ethernet (1)
- full disk encryption (1)
- hardware monitoring (1)
- heat sink (1)
- hypervisor (1)
- in-house technical support (1)
- input (1)
- integrated edge solution (1)
- international business (1)
- licensed spectrum (1)
- liquid cooling (1)
- mCOTS (1)
- microelectronics (1)
- missile defense (1)
- mixed criticality (1)
- moving (1)
- multi-factor authentication (1)
- network slicing (1)
- neural networks (1)
- new headquarters (1)
- next generation interceptor (1)
- non-volatile memory (1)
- operating system (1)
- output (1)
- outsourced technical support (1)
- post-boot (1)
- pre-boot (1)
- private networks (1)
- public networks (1)
- radio access network (RAN) (1)
- reconnaissance (1)
- secure flash (1)
- security (1)
- self-encrypting drives (SEDs) (1)
- sff (1)
- software (1)
- software-defined radios (SDRs) (1)
- speeds and feeds (1)
- standalone (1)
- storage (1)
- systems (1)
- tactical wide area networks (1)
- technical support (1)
- technology (1)
- third-party motherboards (1)
- troposcatter communication (1)
- unlicensed spectrum (1)
- volatile memory (1)
- vpx (1)
- zero trust network (1)
- August 2024 (1)
- July 2024 (1)
- May 2024 (1)
- April 2024 (3)
- February 2024 (1)
- November 2023 (1)
- October 2023 (1)
- July 2023 (1)
- June 2023 (3)
- May 2023 (7)
- April 2023 (5)
- March 2023 (7)
- December 2022 (2)
- November 2022 (6)
- October 2022 (7)
- September 2022 (8)
- August 2022 (3)
- July 2022 (4)
- June 2022 (13)
- May 2022 (10)
- April 2022 (4)
- March 2022 (11)
- February 2022 (4)
- January 2022 (4)
- December 2021 (1)
- November 2021 (4)
- September 2021 (2)
- August 2021 (1)
- July 2021 (2)
- June 2021 (3)
- May 2021 (4)
- April 2021 (3)
- March 2021 (3)
- February 2021 (9)
- January 2021 (4)
- December 2020 (5)
- November 2020 (5)
- October 2020 (4)
- September 2020 (4)
- August 2020 (6)
- July 2020 (9)
- June 2020 (11)
- May 2020 (13)
- April 2020 (8)
- February 2020 (1)
- January 2020 (1)
- October 2019 (1)
- August 2019 (2)
- July 2019 (2)
- March 2019 (1)
- January 2019 (2)
- December 2018 (1)
- November 2018 (2)
- October 2018 (5)
- September 2018 (3)
- July 2018 (1)
- April 2018 (2)
- March 2018 (1)
- February 2018 (9)
- January 2018 (27)
- December 2017 (1)
- November 2017 (2)
- October 2017 (3)
Comments (6)