OVERCOMING THE 3 BIGGEST CHALLENGES IN SYSTEM HARDENING


By Keren Pollack, on October 25th, 2021

As delivered from the manufacturer, your network systems’ default configurations are often function-oriented rather
than security-oriented. Changing the system’s default configuration to a more secure form is what we refer to as
system hardening.

Server Hardening Challenges

This task is critical for two main reasons:


1. Security- the cyber-crime landscape keeps evolving with more and more sophisticated attack techniques. Yet it has
been proven that investing in basic controls, such as system hardening, has the biggest impact on your
organization’s security. In fact, misconfigured assets are responsible for over 40% of infrastructure vulnerabilities.
Furthermore, establishing secure configurations will protect your organization from the highest number of attack
techniques (according to an ATT&CK report).

 
2. Compliance- system hardening is now a basic requirement of most information security regulations. Regulations
such as PCI-DSS, HIPAA, CMMC, and others require organizations to implement a robust hardening policy. Hardening
can no longer be a ‘check the box’ task to pass an audit. Implementing a comprehensive hardening policy, based on the
industry’s best practices benchmarks, is a continuous process that must be handled with care.
 
The high regulatory demands and the emerging risk of cyber attacks require organizations to invest more than ever in
achieving a secure baseline by implementing robust hardening policies.
 

THREE MAIN CHALLENGES IN A HARDENING PROJECT:


1. Generating an impact analysis report.
2. Policy implementation and change management.
3. Remaining compliant.


THREE MAIN STAGES IN A HARDENING PROJECT:


1. Setting hardening policies – policies must be as granular as possible, addressing different environments, machine
types, roles, and versions. It is normal to see one organization managing tens of policies for its infrastructure. Policies
often rely on the industry’s best practice benchmarks, adjusted to each organization’s unique needs.

 
2. Generating an impact analysis of the policies and implementing them – policies’ impact on production must be
analyzed to prevent production outages resulting from the implementation of the policies. This is a critical stage as it is
prone to mistakes that can lead to devastating results. After analyzing, only policies that won’t affect the production
can be implemented on the relevant machines.
 
3. Monitoring and maintaining compliance posture – hardening is often mistaken for a one-time task.
The truth is that if you treat it that way, you’ll find yourself back at square one a year or two after your initial
hardening project, due to the dynamic character of the infrastructure. As machines are taken off and others are
installed, change management procedures are a weak link in maintaining your compliance posture. In addition, new
vulnerabilities must be addressed in your hardening policies.
 
 

CHALLENGE #1- GENERATING AN IMPACT ANALYSIS REPORT:
In order to generate an impact analysis report detailing how your policy will affect your production, you’ll need to build a
test environment.
Why? Implementing the policy directly on production systems can cause severe damage. Therefore, the policy must be
tested on a dedicated test environment in order to understand its impact (impact analysis).
The challenge lies in the number of different environments and types of machines and applications that you have in
your infrastructure.


Solution:
non-automated-
In an optimal impact analysis, you’ll need to perfectly simulate every type of environment that you have in production.
After doing that, you’ll need to simulate every required policy and check its impact on the server’s functionality. Note
that even after building such an environment you won’t be able to simulate the amount of traffic and users in the
network. Make sure to take this into consideration in relevant policy rules.
 
automated-
Use automated tools (https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=postLink&utm_id=postLink)
that will generate this report by analyzing the impact directly on production. These tools are usually agent-based and
will generate the most accurate report possible.
 

CHALLENGE 2- POLICY IMPLEMENTATION AND CHANGE MANAGEMENT:
To really achieve a secure and compliant infrastructure, policies must be as granular as possible. This is why
implementing the right policy on the right machine and making sure all the rules are being followed can be tricky. This
process is prone to human errors that can end up decreasing your security and compliance posture. In addition,
keeping track of, managing, and being able to roll back any policy change is rather complex in a multi-environment
infrastructure.
 

Solution:
non-automated –
Use Group Policy Objects (GPOs) or configuration management tools and administrative methods to make sure that the
right policy was fully implemented in the right machine. Follow change management best practices methods
(https://us-cert.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf) to build a
change management policy inside your organization.
 
automated-
An automated solution (https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=postLink&utm_id=postLink)
for this challenge will allow you to control the entire implementation process from a single point of control. An
automated solution will help you find your feet when managing multiple policies for your infrastructure. Change
management procedures will no longer be an issue and the entire process will be much less prone to human mistakes.
 

CHALLENGE 3- REMAINING COMPLIANT:

Investing effort in the proper hardening of servers is not enough. Ongoing monitoring and maintenance are required as
the production environment constantly changes and new vulnerabilities are discovered. Lots of time and money can be
saved by adopting healthy habits that will prevent the need to harden your infrastructure from scratch every few
years.
 

Solution:
non-automated / using scanning tools –
You’ll need to implement structured procedures for:
1. Annual Policy Update due to new vulnerabilities and updates in the infrastructure’s components and structure.
2. Compliance checks to make sure that policy and infrastructure changes didn’t damage compliance.
3. Conserving information about what changes were made, where and when, is crucial. Usually, all relevant
knowledge is possessed by the IT staff member who is responsible for this matter. Once that staff member leaves the
organization, no one knows what actually happened in the system and why certain decisions were made.
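
The compliance check and change record from items 2 and 3 above, as an added example that is not part of the original article: it compares each machine's collected settings with the policy for its role and returns dated findings that can be appended to a log. The roles, rule names, host names and values are all constructed for illustration and are not real configuration keys.

```python
import json
from datetime import datetime, timezone

# Constructed per-role policies (hypothetical rule names, not real config keys).
POLICIES = {
    "web": {"min_password_length": 14, "smbv1": "disabled"},
    "db": {"min_password_length": 14, "smbv1": "disabled",
           "guest_account": "disabled"},
}

# Constructed inventory: what a collection step reported for each machine.
INVENTORY = [
    {"host": "web01", "role": "web",
     "settings": {"min_password_length": 14, "smbv1": "disabled"}},
    {"host": "db01", "role": "db",
     "settings": {"min_password_length": 8, "smbv1": "disabled"}},
    {"host": "app07", "role": "app", "settings": {"smbv1": "enabled"}},
]

UNSET = "<unset>"


def check_host(machine, policies):
    """Return one finding per policy rule the machine does not satisfy."""
    policy = policies.get(machine["role"])
    if policy is None:
        # A machine installed without a matching policy is itself a finding.
        return [{"host": machine["host"], "rule": None, "expected": None,
                 "actual": None, "status": "no-policy-for-role"}]
    findings = []
    for rule, expected in sorted(policy.items()):
        actual = machine["settings"].get(rule, UNSET)  # missing counts as drift
        if actual != expected:
            findings.append({"host": machine["host"], "rule": rule,
                             "expected": expected, "actual": actual,
                             "status": "drift"})
    return findings


def audit(inventory, policies, checked_at=None):
    """Check every machine and stamp each finding with when it was seen."""
    checked_at = checked_at or datetime.now(timezone.utc).isoformat()
    return [{"checked_at": checked_at, **finding}
            for machine in inventory
            for finding in check_host(machine, policies)]


if __name__ == "__main__":
    # One JSON line per finding, suitable for appending to a change log.
    for record in audit(INVENTORY, POLICIES):
        print(json.dumps(record))
```

Keeping the output as an append-only log answers "what changed, where and when" without depending on one staff member's memory.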

 
automated –
An automated solution (https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=postLink&utm_id=postLink)
for this challenge will provide continuous monitoring of your compliance posture, prevent configuration drifts, and
remediate undesired changes.
 

CONCLUSION:
There are two approaches to system hardening: automated and non-automated. If you choose a non-automated
approach, you’ll need to develop intra-organization procedures and use non-hardening-specific tools. The level of
in-house knowledge and resources you’ll need will be high. This approach is relevant for small businesses with an
infrastructure of up to 150 servers. For larger organizations, the recommended approach is to use hardening automation tools
(https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=postLink&utm_id=postLink).
These tools will provide a whole solution for this process and dramatically increase the chance of having a secure and
compliant infrastructure.
 
