Three effective methods for introducing system hardening

System hardening is currently one of the most discussed topics among our customers. The great advantage of a system hardening strategy is that it effectively reduces the attack surface of IT systems through configuration settings alone. Industry standards such as the Center for Internet Security (CIS) benchmarks and the BSI IT-Grundschutz-Kompendium provide good configuration baselines, and Microsoft also publishes hardening recommendations for its respective products.

Companies have identified at least two drivers for dealing with system hardening. On the one hand, the level of IT security must be raised in order to counteract the growing danger of cyber attacks. On the other hand, the topic is also becoming increasingly important in current standards and certifications. ISO 27001, the BSI in the context of KRITIS monitoring, and the TeleTrusT standard relevant to the “state of the art” all require a concept for system hardening. Our partner company FB Pro has summarized the requirements from a regulatory perspective in a blog article.

We have also explained in our webinars why system hardening should play a key role in any security strategy. The topic is now gaining momentum and many companies are grappling with the question of how they can roll out system hardening quickly, cost-effectively and without major complications. The problem that can make system hardening projects so difficult is that many IT infrastructures have grown historically and contain numerous misconfigurations. At the same time, there are no clear responsibilities for many services or software is used that is very outdated and no longer meets the latest security standards. All of these aspects must be taken into account in a hardening project and, in case of doubt, can delay the project considerably.

In this blog article, we would like to present three tried-and-tested methods that we have already used successfully with our customers. The approaches can also be combined as needed. In this article, however, we will focus on presenting the individual methods along with the advantages and disadvantages of each.

The three methods are:

      1. Layered hardening
      2. Rapid hardening
      3. Lifecycle hardening

Layered hardening

At Teal, we not only specialize in system hardening, but also work with our customers to change the way in which IT infrastructure is administered and make it more secure. The Enhanced Secure Administration Environment (ESAE) or Securing Privilege Access procedures from Microsoft, as well as CIS Security Controls and BSI basic protection, play a central role in this. We typically start with a security assessment for customers by analyzing the current situation and identifying weaknesses in the environment on a risk basis. The assessment is completed by a security roadmap, in which we present the results in detail, but also make suggestions for improving the overall security of the infrastructure.

This involves much more than “just” hardening systems according to current specifications; we support the customer in several areas. It starts with a threat analysis to classify the assets and determine their protection requirements. This involves classifying systems into tiers or according to criticality. The aim is to identify the systems that are particularly worthy of protection and then to isolate and protect them with technical and organizational measures. Attackers may still be able to enter the company, but they can no longer easily reach critical assets and thus take over the entire environment. In typical security projects, we first secure the assets that are most in need of protection and harden them accordingly. From a system hardening perspective, we apply the highest possible protection standard. This means, for example, that we want to disable insecure protocols such as SMBv1 and outdated cipher suites and restrict the use of NTLM. This in turn has any number of side effects, as older software in particular relies in part on precisely these outdated protocols and would no longer work if the environment were configured accordingly. In reality, this means that you have to go through, harden and test system by system. This increases the workload, but also ensures that systems are appropriately secured and protected. Why is it that good security so often means a lot of effort?

The next most critical systems, the so-called Tier 1 systems, are addressed next. These are typically server systems such as database servers, web servers, terminal servers or document storage. The procedure is similar to that for the particularly critical Tier 0 systems: a security benchmark that is as restrictive as possible is defined and rolled out system by system. In the event of incompatibilities with application software, the specifications are softened somewhat in practice and the focus shifts to the application rather than security. A Tier 1 system may therefore be hardened less restrictively than a Tier 0 system. This must be decided on the basis of an individual risk assessment.

Finally, the so-called Tier 2 systems, the end user devices, are hardened so that they also have the smallest possible attack surface. On end devices, for example, settings such as Bluetooth usually have to remain switched on so that users can continue to use a headset or have access to a camera.

With all the approaches we are presenting today, it is important to harden new systems right from the start. This saves valuable time later on and ensures that devices are secure right from the start.

Advantages

    • The primary advantage is obvious: once the hardening project has been successfully completed, the critical systems have the best possible protection and therefore the smallest possible attack surface in the environment.
    • At the same time, however, there is another aspect that cannot be dismissed out of hand, namely that you inevitably have to deal with the legacy issues in the environment. Starting with questions such as “who is actually responsible for the system” and “isn’t there perhaps a newer version or even another application that can be used that is more in line with modern security requirements”, you ultimately have to consider many infrastructure-related aspects and, for example, also have the opportunity to update the inventory overview of existing systems, which may have been neglected for a long time.


In summary, this procedure offers the possibility of greatly improving the security level.

Disadvantages

    • The procedure of hardening systems one after the other and individually naturally means that the project duration is relatively long.
    • Furthermore, it is time-consuming to introduce restrictive hardening sets, as the need for troubleshooting is higher to ensure that applications are adapted accordingly and comply with the security settings made.
    • As a result, the costs for such a hardening project are higher.

When should I choose this approach?

The “layered hardening” approach is particularly interesting if you really need to sustainably increase the level of IT security and treat it very restrictively. This is particularly the case for companies that have already been the victim of a cyberattack or are so critical that the probability of a cyberattack is very high.

This approach is also recommended if you are in a highly regulated or sensitive industry and are classified as a company that provides critical services, for example.

Rapid hardening

In contrast to layered hardening, the rapid hardening approach, as the name suggests, is based on the speed at which hardening kits are applied. The aim is to provide as many systems as possible with basic protection as quickly as possible. As in the other approaches, this basic protection should be based on industry standards, such as CIS or BSI, but should only contain the necessary and non-critical settings that are “easy” to roll out without a lot of troubleshooting.

Once a hardening set of, for example, 200 to 300 settings has been defined, the rapid hardening approach concentrates on starting with the client systems (Tier 2), for example, and rolling out several hundred systems per week. The procedure is as follows:


    • Creating the hardening set
    • Rolling out the hardening set to 5 to 10 pilot systems
    • Testing the applications and functions
    • Rollout to further systems (100 to 500 systems per week)


How it is rolled out depends on your needs. Rollout cycles by operating system version, by department or by location/site are conceivable.
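The pilot-testing step can be backed by a read-only compliance check; the PowerShell below is an added example (not Teal's tooling nor a CIS or BSI artefact) that audits a small hardening set against the local Windows machine and reports which settings are not yet in the hardened state, so the pilot phase knows what to test with the business applications. The set is illustrative, built from the settings this article names (SMBv1, NTLM restriction, outdated protocols); the expected values are assumptions to be replaced with the benchmark you have chosen.

```powershell
# Added example, not part of the original article. Read-only audit of a
# hardening set on the local machine; nothing is changed here.
# Expected values are illustrative (assumed); take them from the CIS/BSI
# benchmark your organisation has chosen.
$HardeningSet = @(
    @{ Id = 'SMBv1-Server'; Note = 'SMBv1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0 }
    @{ Id = 'NTLM-Outbound'; Note = 'outgoing NTLM to remote servers denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Expected = 2 }
    @{ Id = 'LM-Compat'; Note = 'NTLMv2 only, refuse LM and NTLM'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Id = 'TLS1.0-Server'; Note = 'TLS 1.0 disabled server side (Schannel)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
       Name = 'Enabled'; Expected = 0 }
)

function Test-HardeningSet {
    param([Parameter(Mandatory)] [hashtable[]] $Set)
    foreach ($s in $Set) {
        $actual = $null
        if (Test-Path -LiteralPath $s.Path) {
            $item = Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($s.Name) }
        }
        # A value that is not set means the OS default applies instead of the
        # benchmark value; it is reported as non-compliant so that it gets reviewed.
        $compliant = ($null -ne $actual) -and ([int]$actual -eq [int]$s.Expected)
        $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Id        = $s.Id
            Expected  = $s.Expected
            Actual    = $shown
            Compliant = $compliant
            Note      = $s.Note
        }
    }
}

# Run on each pilot system and keep the report: the non-compliant rows are the
# settings to test with the business applications before the wider rollout.
$report = Test-HardeningSet -Set $HardeningSet
$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\hardening-audit-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Re-running the same audit after the hardening set has been applied, and again after each iteration that adds settings, gives a per-system record of progress that can be shown to auditors.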

Once the client operating systems have been provided with basic protection, the server systems are addressed and equipped with a hardening set that is as uncritical as possible. In this way, a solid hardening set is quickly rolled out in the field and the attack surface is reduced for many systems. Even if the protection does not meet the highest requirements everywhere, further configuration settings can be added to the hardening set and rolled out again and again in a subsequent iterative approach. In this way, the hardening set is improved over time.

The main difference from the procedure presented above is that basic protection is achieved more quickly. However, critical systems are only processed as a secondary priority, as this is where the greatest effort is required.

In any case, it is recommended that new systems are always equipped with appropriate hardening benchmarks. Systems are thus equipped with good protection from the outset.


Advantages

    • The advantage of rapid hardening is the speed and the number of systems that can be secured.
    • The downstream iterative approach means that more systems are protected from the outset than with other methods and the attack surface across the entire environment is reduced from the start.
    • Another advantage is that results can be achieved quickly and, for example, the topic of system hardening can be established in the company without first spending a long time debating with doubters whether to harden at all.
    • Testing efforts are minimized and it is possible to roll out hardening settings alongside normal day-to-day business without a separate project.


Disadvantages

    • On the one hand, you gain good coverage across the entire environment, but at the same time critical systems in particular are only equipped with basic protection. Critical settings such as SMBv1, for example, cannot be switched off from the outset. Since precisely these are used by numerous attacks, basic hardening is a first step towards a secure infrastructure, but no more than a first step.
    • Hardening settings must be continuously improved following the initial rollout.
    • It is possible to give the impression that you are already secure just because you have rolled out basic protection.

When should this method be used?

The rapid hardening approach is particularly useful when results need to be presented quickly, for example to a cyber insurance company or an authority.

Auditors are often satisfied to see that companies have started to tackle an issue and accept that the solution is not yet perfect. It should be mentioned here again that in the end it is important to draw up a solid plan. This must answer how you intend to continuously increase overall security.

Furthermore, rapid hardening is a methodology that can help you get started with the topic, gain initial experience and, if necessary, dispel any concerns.

Lifecycle hardening

The “lifecycle hardening” approach has also proven its worth with our customers. This combines the topic of system hardening with lifecycle topics. For example, if you are currently working on a Windows 11 project or are in the process of updating your server systems to Server 2022, it makes sense to expand the project to include the topic of system hardening. You can decide individually whether to start with a restrictive or a basic hardening set. This depends on your overall situation. However, both rapid hardening and layered hardening approaches are conceivable. The big advantage is that the hardening and, above all, testing efforts are combined with the lifecycle efforts. If I roll out Windows 11 in the field, for example, I inevitably have to test every company application and ensure functionality accordingly. As the testing effort is incurred anyway, it is questionable whether this is really significantly increased by system hardening or, in the best case, remains the same. Certainly, at one point or another an application will not be able to cope with certain hardening settings. This usually increases the overall effort, but not significantly.

From a project management perspective, no further effort is required for system hardening. As with the other methodologies, the rollout itself depends on the circumstances. Rollout scenarios according to operating system version, locations or similar criteria are also conceivable here.


Advantages

    • Combining test and rollout efforts is the greatest added value of this approach. It has long been known and established in management that lifecycle projects cause constant effort and are indispensable in the long term.
    • Combining these projects with security issues can help to prioritize issues and get them implemented at all.
    • Depending on how restrictively the initial hardening set is defined, it is possible to increase system security enormously and effectively reduce the attack surface.


Disadvantages

    • The biggest problem with this approach is that a lifecycle project is not planned every year, but is always tied to the corresponding operating system cycles. However, many companies are currently working on the introduction of Server 2022 or Windows 11, so the timing is currently ideal for this approach.


When does the lifecycle hardening approach make sense?

If you are planning a lifecycle project in the near future or have already started one, it is advisable to check whether the project can be expanded to include system hardening.

Summary and comparison

Below we have compared the three procedures and evaluated them according to the categories of security, complexity, effort and duration:

It has been shown that layered hardening can be used to secure critical systems very effectively. At the same time, however, this method costs more and takes longer than the other approaches. Rapid hardening is always recommended if you need to show results quickly, and if you are planning your next lifecycle project anyway, it makes sense to combine the two.

It is also possible to combine the approaches. However, it is important to note that you should always think about how to introduce system hardening. The topic is no longer new. Companies have long since begun to make progress in this area. If you have not yet started with a system hardening strategy, it is high time you did. The topic is becoming increasingly important from both a regulatory and a practical point of view. Reducing the attack surface is the most effective measure you have to ward off cyber attacks and prevent them from happening in the first place.

If you need help or would like to discuss your approach with us, we would be happy to offer you a free consultation. We look forward to hearing from you…
