
Sample – OS Hardening Guidelines

September 6, 2019

OS Hardening is the process of carefully considering the configuration of the underlying Operating Systems in order to reduce security risk. To minimize the exposure of possible vulnerabilities, there are a variety of OS-specific installation and configuration options and parameters to consider. The desired outcome is to reduce the chances of a system compromise.

Operating System Hardening Practices and Procedures must define the explicit installation and configuration settings in order to meet regulatory compliance requirements.

Regardless of compliance requirements, these basic security measures should be employed in all circumstances. This list outlines the areas of Operating System configuration that need to be considered when preparing each Operating System’s configuration Practices and Procedures:

  • Install latest available versions and patches whenever possible.
    • Must be as current as possible while remaining consistent across the environment.
  • Remove or disable unnecessary services, applications and network protocols.
    • Removal is preferable to disabling, whenever possible, since some exploits attempt to re-enable previously disabled items. Removing unnecessary services eliminates this exposure entirely.
  • Configure OS user authentication.
    • Remove or disable unneeded default accounts.
    • Disable non-interactive accounts that are not in use.
    • Create user groups using a “least privilege” concept.
      • User Groups should have restricted levels of access, and privileges should be defined commensurate with the lowest possible level of authorization required to perform their role.
    • Create identity and access management methods and procedures.
      • Users should have unique and identifiable accounts. Required shared accounts and service accounts must be traceable to an individual.
      • Users’ privileges should be controlled at the Group level. Where individual privileges are necessary and appropriate, they should be granted with the lowest possible level of authorization needed to perform their function.
    • Set Account Password Policies and user account access parameters (e.g. failed login count and lockout duration) in accordance with established policy or common practice where policy is undefined.
  • Configure Automated Time Sync
    • Ensure consistency of time source. Internal sources should receive their time sync from Stratum 1 sources.
  • Configure System Access Controls
    • Limit access to/from the server to/from specified networks and systems.
    • Limit access to system resources and applications (set permissions and controls on key items – password files, files with authorization information, etc.), including:
      • System and Application software and configuration files.
      • Files directly related to Security mechanisms, like password hash files and other files used for authentication, files containing authorization information used in controlling access and cryptographic key material.
      • System and application log and audit files.
    • Ensure admin access is always performed via secured protocols.
  • Server logging configuration must include the following:
    • Log file access must be tightly controlled and only accessible to authorized individuals.
    • Log file access control lists must be subject to periodic review for appropriateness.
    • Log files must remain readily accessible for a minimum of 90 days, and preserved and available for one year.
    • Log files must be transferred from the device to a central source at regular intervals.
  • Logging should be configured to track:
    • any actions taken by individuals with root or administrative privileges;
    • system access attempts, both successful and failed;
    • changes to any system configuration;
    • creation or deletion of system level objects;
    • changes and installation for any software component;
    • changes, additions, deletion of any accounts or to any identification and authentication mechanism;
    • changes to access rights, authorizations, or escalation of privileges;
    • initialization or stopping of system audit or logging functions;
    • access to any system audit or log files;
    • changes to time settings.
  • Each log entry must contain:
    • user identification;
    • type of event;
    • date and time of event;
    • success or failure indication;
    • origination of event;
    • identity or name of affected data, system component, or resource.
  • Install and Configure Additional Security Controls (we need to scope these a bit better and define circumstances where required)
    • Anti-Malware
    • Host based IDS / IPS
    • Host based firewalls
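Two of the items above lend themselves to automated verification: the permission limits on security-relevant files under "Configure System Access Controls", and the six fields that "Each log entry must contain". The script below is an added example written for this page, not part of the original guideline document or any product. The file list, the maximum modes, the key=value log format, and the sample files and log lines are all constructed assumptions for illustration; a real baseline would take the paths and limits from the organization's own Practices and Procedures.

```python
"""Automated checks for two items in the guideline list above.

Added example, not part of the original guideline document. It checks
(1) that sensitive files carry no permission bits beyond an assumed
maximum and (2) that each log entry carries the six required fields.
The file list, mode limits, key=value log format and sample data are
assumptions constructed for illustration.
"""
import os
import re
import stat
import tempfile
from datetime import datetime

# Sensitive files (relative to a root) and the most permissive mode each
# may have. These limits are assumed for the example, not taken from policy.
SENSITIVE_FILE_LIMITS = {
    "etc/shadow": 0o640,             # password hash file
    "etc/ssh/sshd_config": 0o644,    # admin-access protocol configuration
    "var/log/auth.log": 0o640,       # authentication audit log
}

# Field names chosen to map onto the guideline's six required items:
# user identification, type of event, date/time, success or failure,
# origination, and the affected resource.
REQUIRED_LOG_FIELDS = ("user", "event", "time", "result", "origin", "target")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample entries in an assumed key=value format.
SAMPLE_LOG_LINES = [
    'time=2019-09-06T10:15:00 user=alice event=sudo_command result=success '
    'origin=10.0.0.5 target="/etc/ssh/sshd_config"',
    # missing the affected resource
    'time=2019-09-06T10:16:02 user=bob event=login result=failure origin=10.0.0.9',
    # missing the timestamp
    'user=svc-backup event=config_change result=success origin=localhost '
    'target=/etc/ntp.conf',
]


def audit_sensitive_files(root, limits=SENSITIVE_FILE_LIMITS):
    """Return (relative_path, actual_mode, max_mode) for every listed file
    under `root` whose mode grants a bit its limit does not allow.
    Files that do not exist are skipped rather than reported."""
    findings = []
    for rel, max_mode in limits.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~max_mode:          # any bit set that the limit forbids
            findings.append((rel, mode, max_mode))
    return findings


def parse_log_entry(line):
    """Parse one key=value line into a dict; double-quoted values may
    contain spaces and are returned without their quotes."""
    return {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}


def missing_log_fields(line):
    """Return the required fields that `line` lacks, in REQUIRED_LOG_FIELDS
    order. A timestamp that is present but not ISO 8601 counts as missing.
    An empty list means the entry is complete."""
    entry = parse_log_entry(line)
    missing = [f for f in REQUIRED_LOG_FIELDS if not entry.get(f)]
    if entry.get("time"):
        try:
            datetime.fromisoformat(entry["time"])
        except ValueError:
            missing.append("time")
    return missing


def build_sample_tree():
    """Create a temporary directory tree of constructed files: two that
    meet their limits and one world-readable log that does not.
    Returns the root path."""
    root = tempfile.mkdtemp(prefix="hardening-demo-")
    for rel, mode in (("etc/shadow", 0o600),
                      ("etc/ssh/sshd_config", 0o644),
                      ("var/log/auth.log", 0o644)):  # 0o644 exceeds 0o640
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, mode, limit in audit_sensitive_files(demo_root):
        print(f"too permissive: {rel} is {mode:04o}, limit {limit:04o}")
    for line in SAMPLE_LOG_LINES:
        gaps = missing_log_fields(line)
        print("complete" if not gaps else f"missing {gaps}", "->", line[:40])
```

Run against the constructed tree, the file audit reports only `var/log/auth.log` (mode 0644 against a 0640 limit), and the log check flags the second sample entry for lacking an affected resource and the third for lacking a timestamp. Both functions return structured findings rather than printing, so the same checks can feed a periodic review or a control test stored in the central repository described below.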

A central repository must be maintained where approved scripts, images, tools, and control tests can be found and referenced by those responsible for the installation of any operating systems.