Chapter 9. Host Hardening

The term host hardening refers to taking a typical or default installation of an operating system (OS) and associated applications and then modifying the configuration to decrease the host's potential exposure to threats. The extent of hardening depends on the role the system performs. A properly locked-down host can act as an effective contributor toward a reliable network security perimeter.

This chapter presents core principles of the host-hardening process, with the goal of helping you devise standards and procedures for locking down system configurations in your organization. Rather than providing long checklists for every scenario and OS you might encounter, we focus on concepts that are common to most host-hardening scenarios, empowering you to customize publicly available checklists and guidelines for your purposes. With this in mind, we go over key steps involved in stripping the system of unnecessary OS components and tools as well as discuss the procedures for limiting user access to unnecessary files and programs. We also offer guidance regarding auditing issues and go over best practices related to applying patches. We complete the discussion of host hardening by offering pointers to additional hardening resources. The topic of host-level security continues in Chapter 10, "Host Defense Components," where we build on this chapter's guidelines by explaining how to use hosts to help detect and isolate attacks on the network security perimeter.