System Hardening

System hardening is the process of making changes to a system or application to make it more secure than its default configuration.

System Hardening Techniques:

Changing default configurations:

The default password for systems and devices like routers should be changed before using them; default passwords can be easy to guess or find online

Changing the default name of the administrator account may also be helpful, since attackers need both the correct username and the correct password to break into the account

The Registry may need to be modified so that PowerShell activity is logged

Disabling non-essential ports or services:

Ports and services that are not necessary for a given system’s intended function should be disabled.

This will reduce the system’s attack surface.

For example, we’d only expect a web server to be running HTTP and HTTPS, on ports 80 and 443 respectively.

Check for open ports on Windows via Command Prompt with the netstat command:

  • -a: lists all TCP and UDP ports; the results show the state of each TCP and UDP port and connection
  • -b: displays the executable that established each open connection
  • -o: shows the process IDs (PIDs) for active connections

Once you’ve learned the PIDs associated with open ports you can close the ports, and end the process on Windows with the taskkill command:

  • Example: taskkill /pid 333

Check for open ports on Linux in the terminal with the ss command:

  • -l: to display listening ports
  • -t: to display all TCP connections
  • -u: to display all UDP connections
  • -p: to display the process IDs associated with connections

Close open ports in Linux using the kill command with the process ID:

  • Example: kill 333
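The Windows and Linux steps above are the same procedure: list listening ports, map each one to a process, and compare against what the system is supposed to run. The following is an added example (not code from the original post) that does this check in Python for Linux: it parses `ss -ltunp` output, ignores loopback-only listeners, and flags anything reachable from the network that is not in an allowlist. The sample output and the web-server allowlist of ports 80 and 443 are constructed for the demo; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `ss -ltunp` output from a hypothetical web server.
# Columns follow ss: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=812,fd=6),("nginx",pid=811,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*     users:(("nginx",pid=812,fd=7))
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      80         127.0.0.1:3306        0.0.0.0:*     users:(("mysqld",pid=901,fd=21))
udp   UNCONN 0      0      127.0.0.53%lo:53          0.0.0.0:*     users:(("systemd-resolve",pid=400,fd=12))
tcp   LISTEN 0      128             [::]:22             [::]:*     users:(("sshd",pid=640,fd=4))
"""

# Extracts the first ("name",pid=N) pair from the Process column.
PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: Optional[str]
    pid: Optional[int]


def parse_ss_output(output: str) -> List[Listener]:
    """Turn `ss -ltunp` text into Listener records (header line is skipped)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        proto, local = fields[0], fields[4]
        # The port is whatever follows the last colon, which also works for [::]:22.
        address, _, port = local.rpartition(":")
        match = PROC_RE.search(fields[6]) if len(fields) > 6 else None
        listeners.append(Listener(
            proto=proto,
            address=address,
            port=int(port),
            process=match.group(1) if match else None,
            pid=int(match.group(2)) if match else None,
        ))
    return listeners


def is_loopback(address: str) -> bool:
    """True for addresses only reachable from the host itself (127.x.x.x, ::1)."""
    return address.startswith("127.") or address in ("[::1]", "::1")


def unexpected_listeners(listeners: List[Listener], allowed_ports: Set[int]) -> List[Listener]:
    """Listeners exposed to the network whose port is not on the allowlist."""
    return [l for l in listeners
            if not is_loopback(l.address) and l.port not in allowed_ports]


def remediation_commands(listeners: List[Listener]) -> List[str]:
    """The `kill <pid>` step from the notes, one command per distinct PID."""
    seen, commands = set(), []
    for l in listeners:
        if l.pid is not None and l.pid not in seen:
            seen.add(l.pid)
            commands.append(f"kill {l.pid}")
    return commands


if __name__ == "__main__":
    # On a real host, replace the constructed sample with the live command output:
    #   subprocess.run(["ss", "-ltunp"], capture_output=True, text=True).stdout
    found = parse_ss_output(SAMPLE_SS_OUTPUT)
    flagged = unexpected_listeners(found, allowed_ports={80, 443})
    for l in flagged:
        print(f"unexpected {l.proto} listener {l.address}:{l.port} -> {l.process} (pid {l.pid})")
    print("suggested:", remediation_commands(flagged))
```

In the sample, only the two sshd sockets on port 22 are flagged; mysqld and systemd-resolved are skipped because they listen on loopback only. Killing the PID stops the service until the next boot; to keep the port closed permanently, also disable the service (for example with `systemctl disable --now <unit>`) or remove the package, as the patching section below recommends.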

Using secure protocols:

Protocols for securely transferring files:

  • Secure Shell (SSH): encrypts data in motion and can tunnel other protocols, like POP3 for downloading emails
  • Transport Layer Security (TLS): has replaced SSL and is used with HTTPS to help users browse the internet securely
  • Secure File Transfer Protocol (SFTP): a secure alternative to FTP that encrypts data with SSH
  • File Transfer Protocol Secure (FTPS): a secure FTP alternative that uses TLS for encryption
  • Internet Protocol Security (IPsec): encrypts IP traffic moving through a VPN

Secure protocols for voice and video data:

  • Secure Real Time Transport Protocol (SRTP): provides encryption, authentication, and integrity for voice and audio data to protect against replay attacks
  • Session Initiation Protocol (SIP): used to start, manage, and end messaging, voice, and video communication sessions; logging this data can be helpful with investigating SIP attacks

Secure protocols for web and email data:

  • Simple Mail Transfer Protocol (SMTP): moves emails between clients and servers, with TLS encryption on port 587
  • Post Office Protocol (POP3): moves emails from servers to clients, using TLS over TCP port 995 for encryption
  • Hypertext Transfer Protocol Secure (HTTPS): uses TLS to provide encryption for web traffic

Securing Directory Services:

  • Lightweight Directory Access Protocol Secure (LDAPS): uses TLS encryption over TCP port 389 to secure the data used in directory queries

Time Synchronization:

  • Network Time Protocol (NTP): a protocol used to synchronize system times to within tens of milliseconds; time synchronization across systems helps with investigating security incidents

Securing DNS:

  • DNS Security Extensions (DNSSEC): adds resource record signatures (RRSIG) to DNS queries to provide integrity and authentication to prevent DNS poisoning attacks

Securing network address allocation:

  • DHCP Snooping: a preventive security measure that stops unauthorized DHCP servers from operating within a network

Secure Remote Access:

  • OpenSSH: a set of tools supported by Windows and Linux that supports secure connections to remote servers

Keeping up with the latest system patches:

Remove unnecessary software to avoid any vulnerabilities that software may have

Maintaining the latest updates ensures that software has the most recent security patches for bugs and vulnerabilities

Strong passwords:

A stronger, more complex password is harder to crack

Characteristics of a strong & complex password:

  • Longer = Stronger
  • No dictionary words or names
  • Includes at least 3 of the following character types: upper case, lower case, numbers, special characters
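The three characteristics above can be checked mechanically. The following is an added example (not code from the original post) of a password checker in Python: it enforces a minimum length, requires at least 3 of the 4 character types, and rejects passwords containing a dictionary word or name even when common substitutions like "@" for "a" or "0" for "o" are used, because password-cracking wordlist rules already try those. The minimum length of 12 and the small built-in wordlist are assumptions made for the demo; a real deployment would load a full wordlist file.

```python
import re
from typing import Dict, List, Set

# Constructed mini dictionary; a real checker would load thousands of words and names from a file.
COMMON_WORDS: Set[str] = {
    "password", "welcome", "admin", "letmein", "qwerty",
    "summer", "dragon", "monkey", "michael", "jennifer",
}

# Substitutions cracking tools try automatically, so "P@ssw0rd" is still treated as "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

CHARACTER_CLASSES: Dict[str, re.Pattern] = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

MIN_LENGTH = 12  # assumption: the notes say only "longer = stronger", no specific number


def contains_dictionary_word(password: str, words: Set[str] = COMMON_WORDS,
                             min_word_len: int = 4) -> List[str]:
    """Return the dictionary words found inside the password after undoing leet substitutions."""
    normalized = password.lower().translate(LEET_MAP)
    return [w for w in words if len(w) >= min_word_len and w in normalized]


def evaluate_password(password: str, min_length: int = MIN_LENGTH,
                      required_classes: int = 3) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = [name for name, pattern in CHARACTER_CLASSES.items() if pattern.search(password)]
    if len(present) < required_classes:
        problems.append(f"only {len(present)} of 4 character types (has: {', '.join(present)})")
    hits = contains_dictionary_word(password)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(sorted(hits)))
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "summer2024", "kR7$vq!2LmXz9#p"):
        verdict = evaluate_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

"P@ssw0rd" has all four character types yet still fails twice: it is too short and it normalizes to "password". This is why the character-type rule on its own is a weak test and length plus a dictionary check matter more.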

Multi-factor Authentication (MFA): requires the user to provide more than one form of authentication to gain access, such as something you know, like a PIN, and something you have, like a smart card. MFA is helpful, but it can be bypassed.

Implementing a robust password policy:

Password expiration identifies when users will be forced to change their passwords (Example: every 90 days users will be prompted to change their password)

Password history controls remember previously used passwords and, together with the password age setting, prevent users from reusing old passwords (Example: block users from reusing any of their last 30 passwords)

Account lockout policies can prevent password guessing attacks like brute forcing. Lockout threshold defines how many failed login attempts will cause the account to lock, and lockout duration defines how long the account lock will last
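The three policy controls above (expiration, history, and lockout threshold plus duration) are easiest to understand as one state machine around an account. The following is an added example (not code from the original post) implementing them in Python with the defaults the notes mention (90-day expiration, 30 remembered passwords); the lockout values, the class and method names, and the use of PBKDF2 for storing password hashes are my own choices for the demo, and the PBKDF2 iteration count is lowered so the example runs quickly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Lowered for a quick demo; production should use a much higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime                      # drives password expiration
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of old passwords
    failed_attempts: int = 0                  # compared with the lockout threshold
    locked_until: Optional[datetime] = None   # set when the threshold is reached


class PasswordPolicy:
    def __init__(self, max_age: timedelta = timedelta(days=90), history_size: int = 30,
                 lockout_threshold: int = 5, lockout_duration: timedelta = timedelta(minutes=30)):
        self.max_age = max_age
        self.history_size = history_size
        self.lockout_threshold = lockout_threshold
        self.lockout_duration = lockout_duration
        self.accounts: Dict[str, Account] = {}

    def create(self, user: str, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), now)

    def _matches_recent(self, acct: Account, password: str) -> bool:
        """Password history check: current password plus the last history_size old ones."""
        recent = acct.history[-self.history_size:] if self.history_size else []
        candidates = [(acct.salt, acct.digest)] + recent
        return any(hmac.compare_digest(hash_password(password, s), d) for s, d in candidates)

    def set_password(self, user: str, new_password: str, now: datetime) -> None:
        acct = self.accounts[user]
        if self._matches_recent(acct, new_password):
            raise ValueError("password was used recently; choose a different one")
        acct.history.append((acct.salt, acct.digest))
        acct.history = acct.history[-self.history_size:] if self.history_size else []
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new_password, acct.salt)
        acct.changed_at = now

    def login(self, user: str, password: str, now: datetime) -> str:
        """Returns one of: 'ok', 'expired', 'denied', 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"              # lockout duration still running; do not even verify
            acct.locked_until = None         # duration elapsed: unlock and reset the counter
            acct.failed_attempts = 0
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return "expired" if now - acct.changed_at > self.max_age else "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.lockout_threshold:
            acct.locked_until = now + self.lockout_duration
            return "locked"
        return "denied"


if __name__ == "__main__":
    policy = PasswordPolicy(lockout_threshold=3, lockout_duration=timedelta(minutes=15))
    t0 = datetime(2024, 1, 1, 9, 0)
    policy.create("alice", "Correct-Horse-9!", t0)
    for attempt in range(3):
        print("wrong guess", attempt + 1, "->", policy.login("alice", "wrong", t0))
    print("correct password during lockout ->", policy.login("alice", "Correct-Horse-9!", t0 + timedelta(minutes=5)))
    print("correct password after 91 days ->", policy.login("alice", "Correct-Horse-9!", t0 + timedelta(days=91)))
```

Two details matter for the lockout to actually stop guessing: a correct password during the lockout window still returns "locked" (otherwise the attacker learns when a guess succeeds), and the failure counter only resets once the duration has elapsed, so an attacker cannot reset it by waiting a few seconds between guesses.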

Account Management:

Use 2 accounts for admins: Administrators should have one account for day-to-day work and a separate account for activities that require elevated privileges. If the account used for normal daily work gets compromised, the attacker won’t instantly have elevated privileges.

Do not allow shared accounts: Allowing the use of shared accounts negates the implementation of authorization controls and makes it harder to attribute actions to specific users

Disabling default and unnecessary accounts: Accounts for terminated employees should be disabled ASAP and deleted when no longer needed. Disable the account first, rather than deleting it, to retain any decryption keys that may provide access to encrypted data associated with the account. Guest accounts should be disabled when not in use.


Resources:

  • CIS Benchmarks
  • 12 ss Command Examples to Monitor Network Connections
  • netstat
  • The art of MFA Bypass: How attackers regularly beat two-factor authentication

Jon Good

Cloud Security & Compliance Leader | CEO @ Cyber Training Pro | YouTuber, Trainer, Career Coach, Mentor | Developing Information Security Beginners Into Experts

1 year

Octavious have you ever heard of Privileged Access Workstations? If not, I highly recommend learning about it because it ties into your post. https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices

System Hardening is a crucial step in making sure that systems are secure not only when they are first introduced but over time as things change in our environments! Great post Octavious!

