System and OS hardening is the process of reducing the attack surface of a computer system by eliminating unnecessary services, ports, accounts, and software, and by applying security configurations and patches. For the SY0-701 exam, this topic falls under Security Operations (Objective 4.1) and is critical because attackers routinely exploit misconfigured systems. This chapter will cover the key hardening techniques, including patch management, group policies, secure baseline configurations, and the principle of least functionality. You will learn how to apply these techniques to Windows, Linux, and network devices, and understand the common mistakes that lead to vulnerabilities.
Jump to a section
Imagine a medieval castle that needs to be defended. The castle has multiple layers of defense: a moat, outer walls, inner walls, a keep, and a treasure vault. System hardening is like systematically reducing the attack surface of the castle. First, you remove unnecessary doors and windows (disable unused services and ports). You reinforce the remaining doors with iron bars and heavy locks (apply strong passwords and access controls). You train guards to patrol the walls and watch for intruders (enable logging and monitoring). You also ensure that any secret passages are sealed (remove default accounts and unnecessary software). Just as an attacker might try to scale the walls using grappling hooks (exploit vulnerabilities in services), you must patch holes in the walls (apply security patches). The castle's defenses are only as strong as the weakest point—if a postern gate is left unlocked (unpatched vulnerability), the entire castle can fall. Similarly, in system hardening, every component must be secured, and the process is continuous because attackers constantly develop new siege tactics (new exploits).
What is System and OS Hardening?
System and OS hardening refers to the set of practices designed to secure a computer's operating system by reducing its vulnerability surface. The goal is to minimize the number of potential entry points an attacker can exploit. This is achieved by disabling unnecessary services, closing unused ports, removing default accounts and software, applying the principle of least privilege, and keeping the system patched. Hardening is not a one-time task but an ongoing process that must adapt to new threats.
The Threat Landscape
Unhardened systems are low-hanging fruit for attackers. Common attacks include: - Exploitation of unnecessary services: For example, if a web server is running FTP (port 21) unnecessarily, an attacker could exploit an FTP vulnerability (e.g., CVE-2021-22986 for F5 BIG-IP) to gain access. - Default credentials: Many systems come with default usernames and passwords (e.g., admin/admin). Attackers scan for these using tools like Nmap and Hydra. - Unpatched vulnerabilities: Exploits for known vulnerabilities (e.g., EternalBlue for SMBv1, CVE-2017-0144) are often available within days of a patch release. - Misconfigured permissions: Overly permissive file permissions allow privilege escalation.
Key Hardening Techniques
#### 1. Patch Management
Patch management is the process of acquiring, testing, and applying updates to software. The SY0-701 exam emphasizes the importance of a patch management policy that includes:
- Vulnerability scanning: Identify missing patches.
- Testing: Apply patches to a test environment before production.
- Deployment: Use tools like WSUS (Windows Server Update Services) or SCCM (System Center Configuration Manager) for Windows, or apt and yum for Linux.
- Rollback plan: In case a patch causes issues.
Common Patch Types: - Security patches: Fix vulnerabilities. - Feature updates: Add new features (not always critical). - Service packs: Cumulative updates.
Exam Tip: The exam may ask about the order of patching: critical systems first, then high, medium, low. Also, know that patch Tuesday is the second Tuesday of each month for Microsoft.
#### 2. Disabling Unnecessary Services
Every running service is a potential attack vector. Hardening involves identifying and disabling services that are not required for the system's role. For example:
- Windows: Services like Print Spooler, Remote Registry, or Telnet should be disabled if not needed.
- Linux: Services like telnet, rsh, and ftp should be replaced with secure alternatives (SSH, SFTP).
Command Example (Linux):
# Check listening ports
netstat -tulpn
# Disable a service (e.g., telnet)
systemctl disable telnet.socket
systemctl stop telnet.socketWindows PowerShell:
# List services
Get-Service | Where-Object {$_.Status -eq "Running"}
# Disable Print Spooler
Set-Service -Name Spooler -StartupType Disabled
Stop-Service -Name Spooler#### 3. Port Filtering
Using host-based firewalls (e.g., Windows Defender Firewall, iptables) to allow only necessary inbound and outbound traffic. For a web server, only ports 80 (HTTP) and 443 (HTTPS) should be open. All other ports should be blocked by default.
iptables example:
# Allow incoming HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Drop all other incoming traffic
iptables -A INPUT -j DROP#### 4. Least Privilege and Account Management
Remove default accounts: e.g., Guest, Administrator (rename if necessary).
Disable unused accounts: Especially after employee termination.
Use strong password policies: Length > complexity, enforce with Group Policy.
Implement account lockout: After a certain number of failed attempts.
Use service accounts with minimal privileges: Not domain admin.
Group Policy Settings (Windows):
Password Policy: Minimum password length (14+), complexity requirements.
Account Lockout Policy: Account lockout threshold (e.g., 5 attempts), lockout duration (15 minutes).
#### 5. File System Security
NTFS permissions: Use the principle of least privilege. For example, Users should have Read & Execute, not Full Control.
Encryption: Use EFS (Encrypting File System) or BitLocker for data at rest.
Linux permissions: Use chmod and chown appropriately. Avoid 777 permissions.
#### 6. Application Hardening
Remove unnecessary software: Bloatware increases attack surface.
Use application whitelisting: Only approved executables can run (e.g., AppLocker, Windows Defender Application Control).
Disable scripts: Disable PowerShell execution policy if not needed.
#### 7. Registry and Configuration Hardening
Windows Registry: Disable autorun, disable LM hash storage, enable UAC.
Linux kernel parameters: Disable IP forwarding, restrict core dumps.
Example (sysctl):
# Disable IPv4 forwarding
net.ipv4.ip_forward = 0
# Restrict core dumps
fs.suid_dumpable = 0Security Baselines and Benchmarks
Security baselines are sets of standardized configurations that meet security requirements. Common sources: - CIS Benchmarks: Detailed hardening guides for various OS and applications. - NIST SP 800-53: Security controls for federal systems. - Microsoft Security Compliance Toolkit: Provides Group Policy templates.
Exam Tip: The exam might ask where to find hardening guidelines. Answer: CIS Benchmarks or vendor documentation.
Group Policies and Secure Configuration Guides
Group Policy (Windows) is a powerful tool to enforce settings across an organization. For example, you can create a GPO that:
Disables guest accounts.
Enforces password complexity.
Restricts software installation.
Enables auditing.
Example GPO settings:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy: Audit logon events (Success and Failure).
Computer Configuration > Administrative Templates > System > Removable Storage Access: Deny all access.
Hardening Network Devices
Network devices (routers, switches, firewalls) also need hardening:
- Disable unused ports: Use shutdown on unused interfaces.
- Use SSH instead of Telnet: Telnet sends passwords in clear text.
- Set strong passwords: Enable secret on Cisco devices.
- Implement ACLs: Restrict management access to specific IPs.
Cisco example:
! Enable SSH
crypto key generate rsa
ip ssh version 2
line vty 0 4
transport input ssh
login local
! Restrict access
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 10 inCommon Mistakes
Applying patches without testing: Can break critical applications.
Over-blocking: Disabling necessary services can disrupt operations.
Forgetting to remove default accounts: e.g., left Guest account enabled.
Not regularly reviewing configurations: Drift occurs over time.
Summary of Attack vs. Defense
Attackers scan for open ports, default credentials, and unpatched vulnerabilities. Defenders harden by closing ports, changing defaults, and patching. The defender's goal is to make the cost of attack higher than the value of the target.
Inventory and Baseline Assessment
Begin by taking an inventory of all systems and their current configurations. Use tools like Nmap to scan for open ports and services, and vulnerability scanners (e.g., Nessus, OpenVAS) to identify missing patches and misconfigurations. Document the baseline: what services are running, what ports are open, what accounts exist, and what software is installed. This step is crucial to understand the current attack surface. For example, a scan might reveal that a web server has port 21 (FTP) open, which is unnecessary. Logs from the scanner will show the vulnerabilities and their severity (e.g., CVSS scores). The output should be a report that prioritizes findings based on risk.
Disable Unnecessary Services and Ports
Based on the inventory, disable any services that are not required for the system's role. On Windows, use Services.msc or PowerShell to stop and disable services like Print Spooler (if not needed), Remote Desktop (if not used), or NetBIOS. On Linux, use `systemctl disable` for services like `cups` or `avahi-daemon`. Also, configure the host firewall to block all inbound traffic except for essential ports. For example, on a database server, only allow port 3306 (MySQL) or 1433 (MSSQL) from specific IP ranges. Use iptables or Windows Firewall with Advanced Security. Document the changes and verify that the services are no longer running using `netstat -an`.
Apply Security Patches and Updates
Ensure the OS and all installed applications are up to date with the latest security patches. For Windows, use Windows Update or WSUS. For Linux, use `apt update && apt upgrade` (Debian/Ubuntu) or `yum update` (RHEL/CentOS). Pay special attention to critical vulnerabilities (e.g., CVE-2021-44228 Log4j). After patching, reboot if necessary. Verify the patch level using `systeminfo` (Windows) or `uname -a` (Linux). In an enterprise, use a patch management tool like SCCM or Ansible to automate this across many systems. Keep a log of patch dates and any issues encountered.
Harden User Accounts and Authentication
Remove or disable default accounts (e.g., Guest, Administrator rename). Enforce strong password policies: minimum 14 characters, complexity requirements, and account lockout after 5 failed attempts. On Windows, configure these via Group Policy (Computer Configuration > Windows Settings > Security Settings > Account Policies). On Linux, edit `/etc/pam.d/common-password` and `/etc/login.defs`. Also, implement the principle of least privilege: assign users only the permissions they need. Remove unnecessary groups (e.g., Domain Admins membership). Use service accounts with minimal privileges instead of domain admin accounts. Enable auditing of logon events to track unauthorized access attempts.
Configure Security Baselines and Monitoring
Apply a security baseline such as CIS Benchmarks. This includes registry settings (e.g., disable SMBv1, enable UAC), file permissions, and audit policies. For example, set audit policy to log successful and failed logon events, account management, and privilege use. Enable logging to a central SIEM (e.g., Splunk, ELK). Configure Windows Event Log sizes and retention. On Linux, configure `auditd` to monitor key files like `/etc/passwd` and `/etc/shadow`. Finally, test the hardening by running a vulnerability scan again to ensure that previously identified issues are resolved. Document the final baseline and establish a schedule for periodic reviews.
Scenario 1: Enterprise Windows Domain Hardening
A SOC analyst at a large financial institution notices an alert from the SIEM: multiple failed logon attempts from a single IP address targeting a domain controller. The analyst checks the event logs (Event ID 4625) and sees that the attacker is trying common usernames like 'admin' and 'administrator'. The analyst immediately checks the domain's password policy: it allows passwords as short as 8 characters and no account lockout. The correct response is to escalate to the system administrator to enforce a stronger password policy and account lockout (e.g., 5 attempts, 15-minute lockout). The analyst also recommends disabling the default 'Administrator' account (renamed or disabled) and implementing RDP restriction via GPO (allow only from specific IPs). A common mistake is to simply block the IP address without addressing the root cause—the weak password policy. The attacker could come from another IP. The analyst uses tools like Active Directory Users and Computers to review user accounts and PowerShell to enforce password policy via Set-ADDefaultDomainPasswordPolicy.
Scenario 2: Linux Server Hardening After Compromise
A security engineer receives an alert from the intrusion detection system (IDS) that a Linux web server is communicating with a known C2 server. The engineer isolates the server and performs forensic analysis. They find that the server was running an outdated version of Apache (2.4.46) with a known vulnerability (CVE-2021-41773) that allows path traversal. The server also had port 21 (FTP) open, which was not needed. The engineer's response: wipe the server and rebuild from a hardened image. They apply the following hardening steps: install the latest Apache version, disable FTP, configure iptables to allow only ports 80 and 443, set proper file permissions (e.g., 644 for web files, 755 for directories), and enable SELinux in enforcing mode. They also configure auditd to monitor changes to /etc/httpd/conf and /var/www/html. A common mistake is to only patch the vulnerability without removing the unnecessary service (FTP), which could be exploited again. The engineer documents the new baseline and uses configuration management (Ansible) to enforce it across all similar servers.
Scenario 3: Network Device Hardening
A network administrator is tasked with hardening a Cisco router that connects a branch office to the corporate network. The administrator discovers that the router has Telnet enabled on VTY lines, uses default credentials (admin/cisco), and has SNMPv2 with a community string 'public'. The attacker could easily gain access and reconfigure the router. The administrator's actions: disable Telnet and enable SSHv2, change the enable secret, set a strong password, restrict VTY access to a management subnet using an ACL, and configure SNMPv3 with authentication and encryption. The administrator also disables unused interfaces (e.g., FastEthernet0/1) and applies port security on switch ports. A common mistake is to enable SSH but leave Telnet enabled as a fallback, which still exposes the device. The administrator uses show running-config to verify changes and saves the config with copy running-config startup-config.
What SY0-701 Tests on This Objective
The exam focuses on the ability to apply hardening techniques to various systems. Specific sub-objectives include:
Understanding the purpose of patch management and the patch cycle.
Identifying unnecessary services and ports that should be disabled.
Applying Group Policy for security settings.
Using security baselines (CIS, NIST).
Implementing the principle of least privilege.
Hardening network devices (disable unused ports, use SSH).
Common Wrong Answers and Why Candidates Choose Them
'Disable all services that are not used by the organization.' While this seems correct, the exam often has a scenario where a service is needed. Candidates choose this because they think 'disable everything' is always best, but the correct answer is 'disable unnecessary services'—not all services.
'Apply patches as soon as they are released.' Candidates know patching is important, but they forget that patches should be tested first. The correct approach is to test patches in a non-production environment before deployment.
'Use the same password for all accounts to simplify management.' This is a trap for those who think simplicity aids security. The correct answer is to use strong, unique passwords.
'Enable all audit policies to log everything.' Over-auditing can fill logs and hide critical events. The correct approach is to enable auditing for specific events (e.g., logon, account management).
Specific Terms and Values
CIS Benchmarks: Industry standard for hardening.
SMBv1: Should be disabled (used by EternalBlue).
Port 445: SMB, often targeted.
Telnet (port 23): Insecure, use SSH (port 22).
Group Policy: Used to enforce settings in Windows domain.
WSUS: Windows Server Update Services.
Patch Tuesday: Second Tuesday of each month.
Least functionality: Principle of disabling unnecessary components.
Common Trick Questions
'What is the first step in hardening a system?' The answer is 'Take an inventory of current configurations,' not 'Apply patches' or 'Disable services.'
'Which of the following is the most secure configuration for a web server?' The answer often includes disabling directory listing, removing default files, and using HTTPS.
'What is the difference between a security baseline and a security policy?' A baseline is a set of technical configurations; a policy is a high-level document.
Decision Rule for Eliminating Wrong Answers
When you see a scenario question about hardening, ask: 'Does this action reduce the attack surface?' If the answer is 'no' (e.g., enabling more services, allowing more ports), eliminate it. Also, look for answers that mention testing patches before deployment—those are usually correct. If an answer suggests using Telnet or FTP, eliminate it. Finally, if an answer says 'disable all accounts' or 'remove all software,' it's likely too extreme and wrong.
System hardening reduces attack surface by disabling unnecessary services, ports, accounts, and software.
Patch management is critical; always test patches in a non-production environment before deployment.
CIS Benchmarks and NIST SP 800-53 are common sources for hardening guidelines.
Group Policy is used to enforce security settings across Windows domains.
Default accounts (e.g., Administrator, Guest) should be renamed and disabled.
Network devices should be hardened: disable unused ports, use SSH instead of Telnet, and set strong passwords.
Least privilege principle applies to user accounts, service accounts, and file permissions.
Regular vulnerability scanning and audits are necessary to maintain a hardened state.
These come up on the exam all the time. Here's how to tell them apart.
Windows Hardening
Uses Group Policy for centralized configuration.
Services managed via Services.msc or PowerShell.
Patch management via WSUS or SCCM.
Registry edits for security settings (e.g., disable SMBv1).
Common tools: SecPol.msc, Local Security Policy.
Linux Hardening
Uses configuration files (e.g., /etc/ssh/sshd_config).
Services managed via systemctl or init.d.
Patch management via apt, yum, or zypper.
Kernel parameters via sysctl.
Common tools: auditd, SELinux, AppArmor.
Mistake
Once a system is hardened, it remains secure indefinitely.
Correct
Hardening is an ongoing process. New vulnerabilities are discovered, and configurations can drift. Regular audits and patch updates are necessary.
Mistake
Disabling all unnecessary services is enough; patching is optional.
Correct
Patching is critical. Even with minimal services, unpatched vulnerabilities can be exploited (e.g., Apache Struts CVE-2017-5638).
Mistake
Default accounts should be deleted, not just disabled.
Correct
Some default accounts (e.g., Administrator) cannot be deleted but should be renamed and disabled. Deleting them can cause system instability.
Mistake
Using a host-based firewall eliminates the need for network firewalls.
Correct
Defense in depth requires multiple layers. Host-based firewalls protect individual systems, but network firewalls provide perimeter security.
Mistake
Group Policy settings apply to all users and computers in the domain.
Correct
Group Policy can be scoped using OUs, security groups, and WMI filters. Not all settings apply universally.
Patch management is the process of acquiring, testing, and applying software updates (patches). Vulnerability management is broader: it includes identifying, classifying, prioritizing, and remediating vulnerabilities, which may involve patching, configuration changes, or compensating controls. For the exam, know that patch management is a subset of vulnerability management.
Critical security patches should be applied as soon as possible after testing, ideally within days. Non-critical patches can be applied monthly. Microsoft releases patches on Patch Tuesday (second Tuesday of each month). For zero-day exploits, emergency patches may be released outside the regular cycle.
It means configuring a system to provide only the functions required for its role. For example, a web server should not have email services or file sharing enabled. This reduces the attack surface.
Yes. SMBv1 is outdated and vulnerable to attacks like EternalBlue (CVE-2017-0144). Disabling it is a recommended hardening step. On Windows, you can disable it via PowerShell: `Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol`.
A security baseline is a set of minimum security configurations that a system must meet. It includes settings for passwords, services, permissions, and auditing. CIS Benchmarks are a well-known example.
Key steps: update packages, disable unnecessary services (e.g., `systemctl disable cups`), configure firewall (iptables or ufw), set strong passwords (use pam_pwquality), disable root login via SSH (`PermitRootLogin no`), enable SELinux or AppArmor, and configure auditing with auditd.
Group Policy allows administrators to centrally enforce security settings across all computers in an Active Directory domain. For example, you can set password policies, account lockout thresholds, software restrictions, and audit policies via GPOs.
You've just covered System and OS Hardening — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?