System hardening is the application of known best practices and security measures in order to increase the security resilience of a network.
The fundamental philosophy of system hardening is to reduce the overall exposure to risk by reducing the attack surface area.
System hardening should be part of a cohesive approach along with proper network segmentation, access control, and training programs. System hardening helps to increase a server system and network’s resilience against denial of service, unauthorized disclosure, and network intrusion. Hardening a server system not only helps protects against threats, but also allows for successful forensics investigations if a security incident is to occur.
It is important to note that not all threats can be prevented and security attack vectors are often outside of technical control measures with end users often being compromised. A thorough and regular end user training and awareness program should be adopted as part of your organization’s cohesive strategy.
Needs vary based on your application, but hardened servers should have a reliable redundant disk subsystem. Hardware or software raid levels should include redundancy for physical drive failure. If your machine is on a VM platform then you will want to ensure that the underlying hardware is server class with redundant power and storage.
Connectivity to your server systems should be sufficient to meet your bandwidth needs. Your own risk analysis can help determine if you need redundant connections based on the cost of downtime or hardware failure. Modern MPLS (Multiprotocol Label Switching) networks can be engineered to meet your needs if your organization has multiple office locations. MPLS networks are designed to keep traffic between your different network locations isolated and optimized. Keeping a service grade connection with an SLA will help ensure that downtime due to connectivity is minimized.
The base operating system installation should be healthy with a minimal install. Your system should only have software and packages installed that are being used. Installation for your operating systems, server applications, and system devices should be current stable releases. Your system and data partitions should have enough space for daily maintenance routines and working data. Depending on your needs you may need more space or can get by with less space if your server configuration and data growth is static. Running services and boot processes should be minimal and only what is needed for your server application.