7.5 Hardening Systems
employed. For example, a default installation of a server operating system
may install mail, Web, and file-sharing services on a system whose sole
function is to serve as a Domain Name System (DNS) server. Unnecessary software and
services represent a potential security weakness. Their presence increases the
potential number of discovered and undiscovered vulnerabilities present in
the system.
Additionally, system administrators may not install patches or monitor
the unused software and services to the same degree as operational software
and services. Protection against those risks begins when the systems are
constructed and software is installed, through a process that is referred to as
“hardening” a system. When deploying off-the-shelf software, management
should harden the resulting system. Patching issues are discussed in further
detail later in this chapter.
System hardening is important because file and database servers store an
organization’s critical information resources, which must be kept strictly
confidential. Servers also store information used for management decisions
or customer billing, which demands a high level of integrity.
Authentication servers store information about user accounts and passwords.
Any disclosure from an authentication server could compromise all
of the information on a network. Public servers (such as Web servers) are
used by an organization to represent itself to the public. The integrity of
the information on those servers is critically important to maintain the
image desired by corporate management and to satisfy customers. Web
servers used by customers for electronic commerce must be available and
reliable to prevent loss of revenue. Servers that provide essential services
for employees of your organization must be reliably available; otherwise,
people could be unable to work. As you can see, the reasons for hardening
systems are many, and all are quite valid. Hardening includes the actions
shown in Figure 7.1.
After deployment, the COTS systems may need updating with current
security patches. Additionally, the systems should be periodically examined
to ensure the software present on the systems is authorized and properly
configured.
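An added example, not from the original text: a shell check for the situation described above (mail, Web, and file-sharing services listening on a DNS-only server), which can also be rerun as the periodic examination of what is present. The allowlist, the function names, and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare listening sockets with the baseline for a server role.
# ALLOWED_DNS is an assumed baseline for a DNS-only host (DNS, plus SSH for
# administration); adjust it to the organization's own hardening standard.
ALLOWED_DNS="tcp/53 udp/53 tcp/22"

# audit_listeners ALLOWLIST
# Reads `ss -H -tuln` style lines on stdin and prints one line per listener
# that is not in ALLOWLIST, as "<proto>/<port> <scope> <local address>".
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            # Field 5 is the local address; the port follows the last colon,
            # which also holds for bracketed IPv6 addresses such as [::]:80.
            parts = split($5, p, ":")
            key = $1 "/" p[parts]
            if (key in ok) next
            # Loopback-only listeners are not reachable from the network, but
            # they still mean unneeded software is installed and running.
            scope = ($5 ~ /^(127\.|\[::1\])/) ? "local" : "network"
            print key, scope, $5
        }' | LC_ALL=C sort -u
}

# Constructed sample of `ss -H -tuln` output for a default install that was
# meant to be a DNS server only (not captured from a real host).
sample_default_install() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      10           0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511             [::]:80            [::]:*
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
EOF
}

# Live use on a Linux host: ss -H -tuln | audit_listeners "$ALLOWED_DNS"
if [ "${1:-}" = "--demo" ]; then
    sample_default_install | audit_listeners "$ALLOWED_DNS"
fi
```

Each line of output is a service to remove or disable, or to add to the baseline with a documented reason.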
7.5.1 Management of the Hardening Process
Most organizations today require an environment that is highly secure,
available, scalable, and manageable. One of the first steps in achieving this
optimum environment is to implement security hardening services for your
corporate servers. This involves some key activities and the generation of