To harden a computer system means to make it more difficult for a malicious hacker to attack. In formal terms, system hardening means reducing the attack surface – the attack surface is the combination of all the points where an attacker may strike.

Many computer systems by default have a very large attack surface. This is because a lot of software is installed with too many permissions and as many functions as possible. System hardening, therefore, is basically all about skimming down options.

In this short hardening guide, we will look at 5 hardening process steps that you can take as an administrator of a server, which hosts web applications.

Step 1. Operating System Hardening

The base level of system hardening is taking care of operating system security. A hardened operating system lets you avoid a lot of security threats.

To harden the operating system of your server:

  • Uninstall all unnecessary software. Each program may have a potential vulnerability that may allow the attacker to escalate the attack. This includes, for example, even unnecessary compilers/interpreters, because they may enable the attacker to create reverse shells.
  • Remove all unnecessary user accounts and make sure that user accounts that are used to run services do not have excessive privileges. For example, if you use a user account to run your web server, it may not need shell access at all and it should have minimal privileges.
  • To avoid unauthorized access, require strong passwords as part of access control (but do not require regular password changes – such practices were found to be less secure) or use key-based authentication.
  • Turn on detailed logging if you can afford the resources. The more details you have in your logs, the easier it will be to analyze the logs after an attack.
  • Enable automatic OS patching or enable patch notifications. Security patches are of critical importance and installing them automatically is more secure.

Note that the above general tips apply to all operating systems: Linux/UNIX, Microsoft Windows, macOS, and any others. However, specific cases may apply to specific systems. For example, on Windows, you may additionally want to focus on group policies.

Step 2. Network Hardening

Network hardening spans beyond the server and often includes additional network devices. However, on the level of the server that you are managing, there is already a lot that you can do to improve network security.

To harden the network connections on your server:

  • Shut down and uninstall all unnecessary services if they are not used on this server. For example, FTP, telnet, POP/SMTP, and more. This will let you eliminate all unnecessary open network ports.
  • Enforce strong firewall rules. If this is a dedicated web server, make sure that the only incoming connections that are allowed are web connections and potentially administrative connections (e.g. SSH).
  • If you can afford the resources, monitor outgoing connections for potential reverse shells.

A lot of network hardening is already done when you harden the OS. However, if you are not the only person with access to the server, it’s a good idea to safeguard against someone else opening unsafe network connections.

Step 3. Web Server Hardening

Since we’re assuming that the primary function of your server is hosting web applications, you must focus on hardening web server software.

To harden your web server:

  • Remove all unnecessary web server modules. A lot of web servers by default come with several modules that introduce security risks.
  • Modify the default configuration settings. For example, a lot of web servers support old SSL/TLS protocols in their default settings. This means that your server is vulnerable to attacks such as BEAST or POODLE.
  • Turn on additional protection for web applications. For example, introduce a Content Security Policy (CSP).
  • Install and run a web application firewall (WAF). Most web servers support the open-source ModSecurity firewall.
  • If possible, either patch server software to the latest version automatically or turn on notifications for manual patching.

We also have detailed guides for hardening the most popular web servers:

Step 4. Web Application Hardening

If you already know a bit about web security in general, you know that most web vulnerabilities are a result of errors in web applications, not in underlying software (such as web servers or operating systems). Therefore, this is the most important step.

To harden your web applications:

  • Regularly scan all your web applications using a web vulnerability scanner. Eliminate all vulnerabilities as early as possible. The best way to do this is to scan applications at the development stage, for example, using Jenkins.
  • Perform further penetration testing. While a vulnerability scanner will find most security vulnerabilities, penetration testers will be able to find the ones that are not detectable automatically. Penetration testing and vulnerability scanning should be treated as complementary activities, not alternatives.
  • Add temporary rules to the web application firewall if there are vulnerabilities that you cannot eliminate immediately.

While it is not part of hardening itself, secure coding is very important for web application security. Therefore, if your organization promotes it, you will have fewer vulnerabilities to worry about.

Step 5. Continuous Hardening

The most important thing to realize about hardening is that it is a never-ending process. You should perform regular system hardening check-ups to make sure that your security configuration is up to date, all the security measures are still in place, and there are no new threats to your information security. Such new threats may come from other users of the server, the developers of web applications, or simply due to vulnerabilities found in existing software.

Luckily, part of the process can be automated. For example, you may use patch management software to make sure that your key software is always up to date. You may also run scheduled scans using a web vulnerability scanner to make sure that new and updated web applications do not introduce cybersecurity threats.

The best way to do it is to maintain a hardening checklist, which you create initially with your first hardening exercise and then modify as you discover new ways to make your system less prone to attacks.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.