8 important OS hardening tips to protect your clients
Cybersecurity is no longer a question of IF you should provide those services, but HOW to implement it into your offerings. Threats are constantly evolving and strengthening, and you and your clients must be protected.
There are so many facets to cybersecurity, including proper patch management. In a Duo Trusted Access Report from 2019, 51% of Mac OS devices were not running the most up-to-date version of their operating system, while Windows 10 usage is on the rise. This means that the majority of Mac OS devices are not running the latest security patch, leaving many networks vulnerable to threats.
Proper patch management is critical to protecting client data and uptime, but it’s just one of many security considerations. When it comes to compromising a device or network, malicious actors look for any way to gain entry. It may surprise some, but operating system vulnerabilities actually provide bad actors with easy access. A solution is to harden operating systems.
What is OS hardening?
Before we dive into the eight steps of OS hardening, here are a couple of definitions to clarify.
Search Security says:
When you harden a box, you’re attempting to make it bulletproof. Ideally, you want to be able to leave it exposed to the general public on the internet without any other form of protection. This isn’t a box you’ll use for a wide variety of services. A hardened box should serve only one purpose—it’s a Web server or DNS OR Exchange server, and nothing else. You don’t typically harden a file and print server, a domain controller, or a workstation. These boxes require too many functions to be properly hardened.
This definition takes a more liberal stance:
Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS’s exposure to threats and to mitigate possible risk.
To provide your clients with peace of mind, safeguard their sensitive data, and differentiate your security offerings from others, here are six ways to harden customers’ operating systems:
8 OS hardening tips:
Different operating systems will have their own intricacies, but there are OS hardening techniques that can apply to any operating system used. Keep in mind that this list doesn’t include everything you can do, so be sure to implement other additional system hardening strategies as you see fit. However, to minimize your client’s risk of a cyberattack, you should follow these tips at a minimum.
1. Keep things clean: Remove unnecessary and unused programs. Every program installed on a device is a potential entry point for a bad actor—so, clean these up regularly. If a program has not been okayed or vetted by a company, it should not be allowed. Hackers look for security holes when attempting to compromise networks, so this is your chance to minimize their opportunities.
2. Use service packs: This is simply about keeping your programs up-to-date and installing the latest versions. There’s no single action that ensures protection, especially from zero-day attacks, but using services packs are an easy and effective step to take.
3. Patches and patch management: Patch management should be part of any regular security regimen. This involves planning, testing, implementing, and auditing consistently to ensure the OS is patched, as well as individual programs on the client’s computer.
4. Establish group policies: Sometimes, user error can lead to a successful cyberattack. One way to prevent this is by defining the groups that have accessibility and stick to those rules. Update user policies and make sure all users are aware of and compliant with these procedures. For instance, enforce smart practices such as using strong passwords.
5. Take advantage of security templates: These are often used by corporate environments and are essentially text files that represent a security configuration. So, you could basically use a security template to help manage your group policy and ensure consistency across your entire organization.
6. Configuration baselines: Baselining is how you measure changes in networking, hardware, software, etc. Baselines are created by selecting something to measure and doing so consistently for a period of time. Once you establish a baseline, measure it on a schedule that meets your security maintenance standards and your clients’ needs.
7. Review the user accounts and the access regularly, ideally every month, to ensure no one has added an account or changed privileges to give an account higher access rights than it should have.
8. With the increase and constant changes in the threat landscape today, consider monitoring and alerting of all of the controls you have in place on the systems. This is an especially good practice if the system stores, processes, or transmits sensitive or business critical information.
Protecting your clients’ environments will be an ongoing, continuous effort that can be tackled in a multitude of ways. Operating system hardening is a good place to get started. As their trusted security advisor, you should empower your clients by educating them on the importance of OS hardening and the value of keeping their systems up to date. As a result, they can rest assured that everyone has played their part in keeping systems secure.