System Hardening and Baselines
System hardening and baselines are fundamental concepts in security operations that focus on reducing the attack surface and establishing standardized security configurations for organizational systems.

**System Hardening** is the process of securing a system by reducing its vulnerabilities and eliminating unnecessary services, protocols, and functionalities. The goal is to minimize potential entry points that attackers could exploit. Key hardening practices include:

- **Removing unnecessary software and services**: Uninstalling default applications and disabling unused services reduces potential attack vectors.
- **Applying patches and updates**: Regularly updating operating systems and applications to address known vulnerabilities.
- **Configuring strong access controls**: Implementing least privilege principles, disabling default accounts, and enforcing strong password policies.
- **Disabling unnecessary ports and protocols**: Closing unused network ports and disabling insecure protocols like Telnet or FTP.
- **Enabling logging and auditing**: Configuring systems to track and record security-relevant events for monitoring and forensic purposes.
- **Implementing endpoint protection**: Deploying antivirus, anti-malware, and host-based firewalls.

**Baselines** refer to standardized security configurations that serve as a reference point for how systems should be configured across an organization. A security baseline defines the minimum level of security that all systems must meet. Key aspects include:

- **Configuration baselines**: Documented standard settings for operating systems, applications, and network devices that align with organizational security policies.
- **Benchmarks and frameworks**: Organizations often reference industry standards such as CIS Benchmarks, NIST guidelines, or vendor-specific hardening guides to develop their baselines.
- **Monitoring and compliance**: Once baselines are established, systems are continuously monitored to detect configuration drift or deviations from the approved baseline.
- **Change management**: Any modifications to the baseline must go through a formal change management process to ensure security is maintained.

Together, system hardening and baselines ensure consistent, repeatable, and measurable security across all organizational assets, reducing risk and improving the overall security posture. Regular reviews and updates to baselines are essential as new threats and technologies emerge.
System Hardening and Baselines – ISC2 CC Study Guide
System Hardening and Baselines
Why Is System Hardening Important?
Every system, whether it is a server, workstation, network device, or application, ships with default configurations that prioritize ease of use over security. These defaults often include open ports, unnecessary services, sample accounts, and default passwords. Attackers actively scan for and exploit these weaknesses. System hardening is the process of reducing the attack surface of a system so that only what is strictly needed remains active. Without hardening, organizations leave themselves exposed to a wide range of threats including unauthorized access, malware infections, privilege escalation, and data breaches.
Baselines complement hardening by providing a documented, approved standard of configuration. When you have a baseline, you can measure any system against it to determine whether it has drifted from the secure state. This is critical for compliance, incident detection, and consistent security posture across an enterprise.
What Is System Hardening?
System hardening is the practice of securing a system by reducing its attack surface. This involves:
• Removing or disabling unnecessary services and protocols – If a service is not needed, it should not be running. Every running service is a potential entry point for an attacker.
• Closing unnecessary ports – Open ports that are not required for business operations should be closed or filtered.
• Applying patches and updates – Keeping operating systems, firmware, and applications up to date to eliminate known vulnerabilities.
• Changing default credentials – Default usernames and passwords must be changed immediately upon deployment.
• Removing default or unnecessary accounts – Guest accounts, sample accounts, and any accounts not required should be removed or disabled.
• Implementing least privilege – Users and processes should only have the minimum permissions required to perform their functions.
• Configuring security settings – Enabling logging, auditing, encryption, and other security features built into the system.
• Disabling unnecessary scripts and subsystems – Removing or disabling components like PowerShell remoting, SNMP communities, or Telnet when not needed.
What Are Baselines?
A security baseline is a set of minimum security standards and configuration settings that every system of a given type must meet before being deployed in the environment. Think of it as a known good configuration. Baselines are:
• Documented – Written down so they can be reviewed, audited, and enforced.
• Repeatable – Applied consistently across all systems of the same type.
• Measurable – Systems can be compared against the baseline to detect configuration drift.
• Maintained – Updated periodically to address new threats and changes in technology.
Organizations often base their security baselines on industry standards such as:
• CIS Benchmarks (Center for Internet Security)
• DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides)
• Vendor-provided security guides (e.g., Microsoft Security Baselines)
• NIST SP 800-123 (Guide to General Server Security)
How Does System Hardening Work in Practice?
1. Start with a clean installation – Begin with a minimal installation of the operating system or application. Only install what is needed.
2. Apply the baseline configuration – Use the organization's approved baseline to configure security settings. This may be done manually or through automation tools such as Group Policy Objects (GPOs), Ansible, Puppet, Chef, or SCCM.
3. Patch the system – Apply all current patches and updates before connecting the system to the production network.
4. Remove or disable unnecessary components – Turn off services, remove unused software, close ports, and disable protocols that are not required.
5. Configure access controls – Set up proper authentication mechanisms, enforce strong passwords, enable multi-factor authentication where possible, and apply the principle of least privilege.
6. Enable logging and monitoring – Configure the system to log security-relevant events and forward them to a centralized logging solution (e.g., SIEM).
7. Test and validate – Scan the system with vulnerability scanners and configuration compliance tools to ensure it meets the baseline. Common tools include Nessus, Qualys, and OpenSCAP.
8. Deploy to production – Only after validation should the system be placed into the production environment.
9. Monitor for drift – Continuously or periodically compare the system's configuration against the baseline to detect unauthorized changes. Configuration management tools and file integrity monitoring (FIM) tools help with this.
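As an added example that is not part of the study guide, the following Python script shows what steps 7 and 9 above (validate against the baseline, then monitor for drift) look like in code: a documented, measurable baseline of required settings is compared against a captured host snapshot, and every deviation is reported as configuration drift. The baseline contents and the host snapshot are constructed for illustration; a real baseline would come from a CIS Benchmark, STIG, or vendor guide.

```python
"""Baseline compliance / configuration-drift check (illustrative example)."""
from dataclasses import dataclass

# Constructed baseline for one system type: what "known good" must look like.
BASELINE = {
    "services_disabled": {"telnet", "ftp", "snmpd"},   # must not be running
    "ports_closed": {21, 23, 161},                     # must not be listening
    "accounts_absent": {"guest", "demo"},              # default accounts must be gone
    "settings": {                                      # required setting values
        "audit_logging": "enabled",
        "ssh_password_auth": "no",
        "disk_encryption": "enabled",
    },
}

@dataclass
class Finding:
    category: str   # service, port, account, or setting
    item: str       # which service/port/account/setting deviated
    expected: str   # what the baseline requires
    actual: str     # what the snapshot shows

def check_baseline(snapshot, baseline=BASELINE):
    """Compare a captured host snapshot against the baseline; return all drift findings."""
    findings = []
    for svc in sorted(baseline["services_disabled"]):
        if svc in snapshot.get("running_services", set()):
            findings.append(Finding("service", svc, "disabled", "running"))
    for port in sorted(baseline["ports_closed"]):
        if port in snapshot.get("listening_ports", set()):
            findings.append(Finding("port", str(port), "closed", "listening"))
    for acct in sorted(baseline["accounts_absent"]):
        if acct in snapshot.get("accounts", set()):
            findings.append(Finding("account", acct, "absent", "present"))
    for key, want in baseline["settings"].items():
        got = snapshot.get("settings", {}).get(key, "<unset>")  # missing counts as drift
        if got != want:
            findings.append(Finding("setting", key, want, got))
    return findings

def is_compliant(snapshot, baseline=BASELINE):
    """A host is compliant only when the comparison produces no findings."""
    return not check_baseline(snapshot, baseline)

# Constructed snapshot of a host that has drifted: Telnet re-enabled, guest account
# present, audit logging turned off, and the disk-encryption setting never recorded.
DRIFTED_HOST = {
    "running_services": {"sshd", "telnet"},
    "listening_ports": {22, 23},
    "accounts": {"root", "ops", "guest"},
    "settings": {"audit_logging": "disabled", "ssh_password_auth": "no"},
}

if __name__ == "__main__":
    for f in check_baseline(DRIFTED_HOST):
        print(f"DRIFT [{f.category}] {f.item}: expected {f.expected}, found {f.actual}")
```

In a real deployment the snapshot would be gathered from the host (or by a tool such as OpenSCAP) and the findings forwarded to the SIEM, so that a compliant image that later drifts is caught rather than silently accepted.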
Key Concepts to Understand
• Attack Surface – The sum of all points where an attacker can try to enter or extract data from a system. Hardening reduces the attack surface.
• Configuration Drift – When a system's configuration changes over time from its approved baseline, whether through manual changes, software installations, or updates. Drift can introduce vulnerabilities.
• Least Functionality – A core hardening principle meaning the system should be configured to provide only essential capabilities. This aligns with the principle of least privilege applied at the system level.
• Default Deny – A philosophy where everything is blocked or disabled by default, and only specific required functionality is explicitly enabled.
• Image-Based Deployment – Organizations often create a golden image (also called a master image) that has been fully hardened and baselined. This image is then used to deploy new systems, ensuring consistency and saving time.
• Change Management – Any changes to a hardened and baselined system should go through a formal change management process to ensure they do not introduce vulnerabilities.
Common Areas of Hardening
• Operating System Hardening – Disabling unnecessary services, removing unused accounts, applying patches, configuring firewalls, enabling disk encryption, and enforcing strong authentication.
• Application Hardening – Removing sample files, changing default settings, disabling debug modes, applying application patches, and configuring secure communication (e.g., TLS).
• Network Device Hardening – Changing default SNMP community strings, disabling unused interfaces, using SSH instead of Telnet, applying firmware updates, and implementing access control lists (ACLs).
• Database Hardening – Removing default databases, restricting network access, encrypting data at rest and in transit, and applying the principle of least privilege to database accounts.
• Endpoint Hardening – Installing endpoint protection software, enabling host-based firewalls, restricting USB access, and configuring automatic updates.
Exam Tips: Answering Questions on System Hardening and Baselines
1. Remember the goal – System hardening is about reducing the attack surface. If an exam question asks about the purpose of hardening, focus on minimizing vulnerabilities and unnecessary exposure.
2. Baselines = consistency and measurement – If a question asks about the purpose of a baseline, the key idea is that it provides a documented, approved standard that allows organizations to measure compliance and detect drift.
3. Default settings are insecure – Exam questions may describe a scenario where default configurations are left in place. The correct answer will almost always involve changing defaults as part of hardening.
4. Least functionality is a core principle – If a question mentions configuring a system with only essential capabilities or removing unnecessary features, this is the principle of least functionality, which is central to hardening.
5. Know common hardening actions – Be prepared to identify hardening activities: disabling services, closing ports, patching, removing default accounts, and enabling encryption.
6. Configuration drift – If a question describes a system that was once compliant but is no longer, think about configuration drift and the need for continuous monitoring against the baseline.
7. Golden images – Questions about deploying consistent, secure configurations across many systems often relate to golden images or master images that incorporate hardening baselines.
8. Industry frameworks – If you see references to CIS Benchmarks, DISA STIGs, or NIST guidelines, these are sources for security baselines. Recognize them as authoritative sources for hardening guidance.
9. Patching is part of hardening – Do not think of patch management and hardening as completely separate activities. Applying patches is a key element of maintaining a hardened state.
10. Elimination strategy – On multiple-choice questions, eliminate answers that suggest leaving default settings, enabling unnecessary services, or skipping documentation. These contradict hardening and baseline principles.
11. Think operationally – The ISC2 CC exam focuses on Security Operations. Questions may emphasize the ongoing nature of hardening — it is not a one-time activity. Systems must be continuously monitored, re-assessed, and re-hardened as new threats emerge and configurations change.
12. Change management connection – Remember that any modification to a baselined system should follow a change management process. If a question presents a scenario where unauthorized changes were made, the correct answer likely involves change management controls and baseline re-verification.