TABLE OF CONTENTS


Overview

To harden a computer system means to make it more difficult for a malicious hacker to attack. In formal terms, system hardening refers to reducing the attack surface – where the attack surface is the combination of all the points where an attacker may strike. Hence, increasing the overall security at every layer of your infrastructure.


In this short VIDIZMO infrastructure hardening guide, we will look at 5 hardening process steps that you can take as an administrator of a server, which hosts web applications. 


Operating System Hardening

Following steps are taken by VIDIZMO on a regular basis to ensure hardening of our Operating System - which is one of the base-level of system hardening:

  1. Turn on detailed logging.
  2. Enable automatic OS patching or enable patch notifications. Security patches are of critical importance and installing them automatically is more secure.
  3. To avoid unauthorized access, require strong passwords as part of access control (but do not require regular password changes – such practices were found to be less secure) or use key-based authentication.
  4. Uninstall all unnecessary software. Each program may have a potential vulnerability that may allow the attacker to escalate the attack. This includes, for example, even unnecessary compilers/interpreters, because they may enable the attacker to create reverse shells.


Network Hardening

In order to maintain network security, following is done to harden the network connections on VIDIZMO servers:

  1. Enforce strong firewall rules. If this is a dedicated web server, make sure that the only incoming connections that are allowed are web connections and potentially administrative connections (e.g. SSH).
  2. Monitor outgoing connections for potential reverse shells.
  3. Shut down and uninstall all unnecessary services if they are not used on this server. For example, FTP, telnet, POP/SMTP, and more. This helps us eliminate all unnecessary open network ports.

Network hardening also becomes a by-product when carrying out OS hardening.


Web Server Hardening

While Azure follows its own set of principles to harden infrastructure, following steps are taken by VIDIZMO on a regular basis to ensure hardening of our secondary Web Servers:

  1. Install and run a web application firewall (WAF). Most web servers support the open-source ModSecurity firewall.
  2. We either patch server software to the latest version automatically or turn on notifications for manual patching.
  3. Modify the default configuration settings. This helped us change setting for a lot of our web servers which supported otherwise old SSL/TLS protocols in their default settings. This protected the server from attacks such as BEAST or POODLE.
  4. Remove all unnecessary web server modules. A lot of web servers by default come with several modules that introduce security risks.
  5. Turn on additional protection for web applications such as using a Content Security Policy (CSP).


Web Application Hardening

Since most web vulnerabilities are a result of errors in web applications, the hardening of VIDIZMO Web Application is one of the most important steps:

  1. Perform further penetration testing. While a vulnerability scanner will find most security vulnerabilities, penetration testers find the ones that are not detectable automatically. Penetration testing and vulnerability scanning are treated as complementary activities, not alternatives.
  2. Add temporary rules to the web application firewall if there are vulnerabilities that we cannot eliminate immediately.
  3. Regularly scan all our web applications using a web vulnerability scanner. Eliminate all vulnerabilities as early as possible. We ensure to scan applications at the development stage, for example, using Jenkins.


As VIDIZMO Application is primarily hosted on Azure Cloud, here are a few more links further informing about the infrastructure hardening measures taken by Azure Platform: