To harden a computer system means to make it more difficult for a malicious hacker to attack. In formal terms, system hardening refers to reducing the attack surface, where the attack surface is the combination of all the points where an attacker may strike. Reducing it increases the overall security at every layer of your infrastructure.
In this short VIDIZMO infrastructure hardening guide, we will look at 5 hardening process steps that you can take as an administrator of a server that hosts web applications.
Operating System Hardening
The following steps are taken by VIDIZMO on a regular basis to harden our operating system, which is one of the base levels of system hardening:
- Turn on detailed logging.
- Enable automatic OS patching or enable patch notifications. Security patches are of critical importance and installing them automatically is more secure.
- To avoid unauthorized access, require strong passwords as part of access control (but do not require regular password changes – such practices were found to be less secure) or use key-based authentication.
- Uninstall all unnecessary software. Each program may have a potential vulnerability that may allow the attacker to escalate the attack. This includes, for example, even unnecessary compilers/interpreters, because they may enable the attacker to create reverse shells.
Network Hardening
To maintain network security, the following is done to harden the network connections on VIDIZMO servers:
Network hardening also becomes a by-product when carrying out OS hardening.
Web Server Hardening
While Azure follows its own set of principles to harden infrastructure, the following steps are taken by VIDIZMO on a regular basis to harden our secondary web servers:
- We either patch server software to the latest version automatically or turn on notifications for manual patching.
- Modify the default configuration settings. Many of our web servers supported old SSL/TLS protocols in their default settings; changing those settings protected the servers from attacks such as BEAST or POODLE.
- Remove all unnecessary web server modules. A lot of web servers by default come with several modules that introduce security risks.
- Turn on additional protection for web applications such as using a Content Security Policy (CSP).
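The default-configuration step above can be checked mechanically. The following is an added example, not VIDIZMO's own tooling: a small Python audit that reads a web server configuration and reports any legacy SSL/TLS version still enabled. It assumes nginx (`ssl_protocols`) or Apache (`SSLProtocol`) syntax, and the sample configs are constructed.

```python
import re

# Legacy protocol versions and why each is flagged. POODLE targets SSL 3.0;
# BEAST targets CBC cipher suites in TLS 1.0 and earlier.
LEGACY = {"SSLv2": "obsolete", "SSLv3": "POODLE", "TLSv1": "BEAST",
          "TLSv1.1": "deprecated by RFC 8996"}
KNOWN = {p.lower(): p for p in [*LEGACY, "TLSv1.2", "TLSv1.3"]}
KNOWN["tlsv1.0"] = "TLSv1"
# Assumption: Apache's "all" is read conservatively as SSLv3 plus every TLS version.
ALL = set(KNOWN.values()) - {"SSLv2"}

# nginx: "ssl_protocols TLSv1.2 TLSv1.3;"   Apache: "SSLProtocol all -SSLv3"
DIRECTIVE = re.compile(r"^\s*(?:ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)


def enabled_protocols(args):
    """Resolve a directive's arguments to the set of enabled protocols."""
    enabled = set()
    for token in args.split():
        name = token.lstrip("+-").lower()
        names = ALL if name == "all" else {KNOWN[name]} if name in KNOWN else set()
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled


def audit(config_text):
    """Return (line_no, protocol, reason) findings for one config file's text."""
    findings, seen = [], False
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        seen = True
        for proto in sorted(enabled_protocols(match.group(1)) & set(LEGACY)):
            findings.append((line_no, proto, LEGACY[proto]))
    if not seen:
        # No explicit directive: the server is running on its built-in default.
        findings.append((0, "default", "no protocol directive set"))
    return findings


# Constructed sample configs (not taken from any real server).
NGINX_WEAK = "server {\n  listen 443 ssl;\n  ssl_protocols SSLv3 TLSv1 TLSv1.2;\n}\n"
NGINX_HARD = "server {\n  listen 443 ssl;\n  ssl_protocols TLSv1.2 TLSv1.3;\n}\n"
APACHE_MIXED = "# vhost\nSSLProtocol all -SSLv3 -TLSv1\n"

if __name__ == "__main__":
    for name, cfg in [("weak", NGINX_WEAK), ("hard", NGINX_HARD), ("apache", APACHE_MIXED)]:
        print(name, audit(cfg))
```

A finding with line number 0 means the file never sets the protocol list explicitly, which is the reliance on defaults that this step is meant to remove.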
Web Application Hardening
Since most web vulnerabilities are a result of errors in web applications, hardening the VIDIZMO web application is one of the most important steps:
- Perform further penetration testing. While a vulnerability scanner will find most security vulnerabilities, penetration testers find the ones that are not detectable automatically. Penetration testing and vulnerability scanning are treated as complementary activities, not alternatives.
- Add temporary rules to the web application firewall if there are vulnerabilities that we cannot eliminate immediately.
- Regularly scan all our web applications using a web vulnerability scanner. Eliminate all vulnerabilities as early as possible. We make sure to scan applications at the development stage, for example, using Jenkins.
As the VIDIZMO application is primarily hosted on Azure Cloud, here are a few more links with further information about the infrastructure hardening measures taken by the Azure platform: