Security Best Practice - Hardening Guide



TABLE OF CONTENTS

1. INTRODUCTION

2. OS HARDENING GUIDELINES

3. ROUTER CONFIGURATION BEST PRACTICE

4. PRINTER CONFIGURATION BEST PRACTICE


1. Introduction
What is a Hardened System?

Hardened systems are computing systems whose configuration has been deliberately
restricted to reduce the ways in which they can be attacked. No system is "hack-proof";
the goal is to make a compromise harder, noisier and less damaging.

The process of hardening devices and systems involves eliminating or mitigating
vulnerabilities. The term vulnerability refers to software flaws and weaknesses, which may
occur in the implementation, configuration, design, or administration of a system.

Threat actors exploit these vulnerabilities to gain access to devices, systems, and networks.

Hardening techniques typically involve locking down configurations while keeping a
balance between operational functionality and security.

Vulnerability management and change control are another critical component of this effort.
They provide the visibility and controls needed to maintain a hardened build standard over
time, because a hardened build drifts as patches, new software and administrators change it.

Benefits of Systems Hardening

While system hardening requires a large, continuous effort, it provides substantial benefits
for organizations. Here are several notable benefits:

 A higher level of security—the main purpose of system hardening techniques and
tools is to reduce the attack surface. This translates into a significantly lower risk of
malware, unauthorized access, data breaches, or other malicious activity.
 Better system functionality—system hardening best practices often involve reducing
the number of programs and the amount of functionality. This translates into fewer
operational issues, a reduced chance of misconfiguration affecting user operations,
fewer incompatibilities, and a reduced chance of cyber attacks, which in themselves hurt
user functionality.
 Simplified compliance and auditing—system hardening techniques can help turn a
complex environment into a simpler one with fewer programs and accounts, and a
stable, predictable configuration. This translates into a more straightforward and
transparent environment which is simpler to monitor and audit.
2. OS Hardening Guidelines
We have used Windows 10 as the base OS; the checklist below is prepared for hardening
desktops and laptops against attacks and threats.

We recommend a genuine, licensed Windows 10 Pro, Enterprise or Education edition, since
several of the built-in controls below (BitLocker, Credential Guard, Windows Sandbox) are
not available on the Home edition, and an unlicensed copy cannot be relied on to receive
updates.

Enable Windows Defender Antivirus- Windows Defender Antivirus is built into Windows and
works out of the box: real-time protection and signature updates are on by default and
need no extra licensing or agent deployment. This is a major advantage over third-party
antivirus when the realistic alternative is a laptop running no protection at all. Verify
that real-time protection is on, that tamper protection is enabled so malware cannot
switch it off, and that signatures are current.

Windows Defender Firewall (a separate component, also on by default) supports three
network profiles (domain, private and public). Each profile should be enabled with the
default inbound action set to block. It is effective without adjustment for most client
machines; what needs checking is that no application or user has added a rule that allows
inbound connections on the public profile.

Enable Windows Defender Exploit Guard- Microsoft Windows Defender Exploit Guard is a set of
intrusion-prevention controls in Windows 10, managed from the Windows Security app
(formerly Windows Defender Security Center), Group Policy, Intune or PowerShell.

It has four parts: Exploit Protection (memory-protection mitigations such as DEP, ASLR and
Control Flow Guard applied per process, the successor to EMET), Attack Surface Reduction
rules (block common malware techniques, for example Office applications spawning child
processes or reading LSASS memory), Controlled Folder Access (prevents untrusted processes
from modifying protected folders, mainly against ransomware) and Network Protection (blocks
connections to known-malicious hosts). Deploy ASR rules and Controlled Folder Access in
audit mode first and review the resulting events before switching them to block.
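The following script is an added example, not part of the original guide: it audits a Windows 10 host against the Defender Antivirus, Defender Firewall and Exploit Guard controls described above and then applies them with the Defender and NetSecurity cmdlets. The three ASR rule GUIDs are Microsoft's published rule identifiers; choosing exactly these three as a minimum baseline is this example's assumption, and tamper protection can only be verified here, since it is switched on through the Windows Security app or Intune rather than Set-MpPreference.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide: audit, apply, re-audit the
# Defender Antivirus / Firewall / Exploit Guard baseline on a Windows 10 host.

# Microsoft's published ASR rule IDs. Picking these three is this example's
# assumption about a minimum baseline; extend the table for your estate.
$AsrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email and webmail'
}

function Get-DefenderBaseline {
    # Returns one object per control with an Ok flag, so failures can be filtered
    # or exported rather than only read off the console.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $out    = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Ok) { $out.Add([pscustomobject]@{ Check = $Name; Ok = $Ok }) }

    Add-Check 'Real-time protection on'           $status.RealTimeProtectionEnabled
    Add-Check 'Signatures updated in last 3 days' ($status.AntivirusSignatureAge -le 3)
    Add-Check 'Tamper protection on'              $status.IsTamperProtected   # audit only; set via Windows Security/Intune
    Add-Check 'Controlled folder access on'       ($pref.EnableControlledFolderAccess -eq 1)
    Add-Check 'Network protection on'             ($pref.EnableNetworkProtection -eq 1)

    # All three firewall profiles must be on with inbound blocked by default.
    foreach ($p in Get-NetFirewallProfile) {
        Add-Check "Firewall profile $($p.Name) on, inbound=Block" `
                  (("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block'))
    }

    # ASR state lives in two parallel arrays; action 1 = Block, 2 = Audit, 6 = Warn.
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        Add-Check "ASR rule in block mode: $($AsrRules[$id])" (($i -ge 0) -and ($acts[$i] -eq 1))
    }
    return $out
}

function Set-DefenderBaseline {
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -EnableNetworkProtection Enabled
    foreach ($id in $AsrRules.Keys) {
        # On a pilot group use -AttackSurfaceReductionRules_Actions AuditMode first,
        # review event ID 1122 in Microsoft-Windows-Windows Defender/Operational,
        # then switch to Enabled (block) as below.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
}

# Audit first, apply, then re-audit; anything still failing needs manual attention
# (for example tamper protection, or a firewall profile pinned by Group Policy).
Get-DefenderBaseline | Where-Object { -not $_.Ok } | Format-Table -AutoSize
Set-DefenderBaseline
Get-DefenderBaseline | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Run it from an elevated PowerShell; if the machine is domain-joined and Defender is managed by Group Policy or Intune, Set-MpPreference changes are overridden at the next policy refresh, so make the same settings in the policy rather than on the host.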

Enable Windows Defender Device Guard- Windows Defender Device Guard protects the device by
allow-listing applications through a code integrity policy. The policy component is now
called Windows Defender Application Control (WDAC), and the memory-integrity component
(HVCI) is configured together with virtualization-based security. Only code that the
policy trusts, by publisher certificate, file hash or path, is permitted to load, so
unknown or untrusted executables, libraries, scripts, drivers and add-ons are stopped
before they run and cannot compromise the operating system.

Code integrity policies determine whether software is allowed to run on Windows 10, so IT
can block unknown or untrusted plug-ins, applications and add-ons on endpoint devices.
Build the policy from a clean reference image, run it in audit mode until the audit log
is quiet, and only then enforce it.
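The script below is an added example, not taken from the guide: it builds a Windows Defender Application Control code integrity policy with the ConfigCI module from a clean reference machine, deploys it in audit mode, and reads the audit events, which is also the concrete form of the allow-listing advice given later under "Application Control". The policy file names and the C:\WDAC working folder are assumptions; the rule option numbers and the event ID are Microsoft's documented values.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide: create, audit and (later) enforce
# a WDAC code integrity policy built from a clean reference machine.
# Paths and policy names below are this example's assumptions.

$PolicyXml = 'C:\WDAC\Allowlist.xml'
$PolicyBin = 'C:\WDAC\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference build. -Level Publisher trusts anything signed by the same
#    publisher certificate; files that are unsigned fall back to a per-file hash.
#    -UserPEs includes user-mode binaries (kernel drivers are always included).
#    A full scan of C:\ takes a while; this is meant for a gold image, not a laptop.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# 2. Rule options (Set-RuleOption IDs): 0 = enforce user-mode code integrity,
#    3 = audit mode (log, don't block), 6 = allow this policy to be unsigned while
#    testing, 16 = policy refresh without reboot.
foreach ($opt in 0, 3, 6, 16) { Set-RuleOption -FilePath $PolicyXml -Option $opt }

# 3. Compile to binary and drop it where the kernel reads single-format policies.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force
# Reboot (or use Microsoft's RefreshPolicy tool) for the policy to take effect.

# 4. After a representative period of use, list what WOULD have been blocked.
#    Event 3076 = audit-mode violation; the message names the offending file.
function Get-WdacAuditHits {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Sort-Object -Unique
}
Get-WdacAuditHits

# 5. Fold legitimate hits into the policy (New-CIPolicy -Audit builds a policy from
#    the audit log; Merge-CIPolicy merges it into $PolicyXml), then enforce by
#    removing audit mode and repeating step 3:
#    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
```

Publisher rules survive routine vendor updates, whereas hash rules must be regenerated for every new binary, which is why the example falls back to hashes only for unsigned files. Never skip the audit phase: a policy that blocks an unnoticed helper binary will break the application that depends on it on every machine at once.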

Enable Windows Defender Credential Guard- Windows Defender Credential Guard helps prevent
credential theft by isolating the Local Security Authority's secrets (NTLM password hashes,
Kerberos ticket-granting tickets and credentials that applications save as domain
credentials) in a separate process protected by virtualization-based security.

With Credential Guard, the isolated LSA process can only be reached through a small set of
remote procedure calls; even code running as SYSTEM on the normal operating system cannot
read its memory, which defeats the LSASS-dumping tools behind pass-the-hash and
pass-the-ticket attacks. It requires UEFI Secure Boot and a 64-bit CPU with virtualization
extensions, and benefits from a TPM 2.0. It protects domain credentials only: local
accounts, and credentials typed into applications that do not use Windows authentication,
are not covered.

Enable Microsoft SmartScreen - SmartScreen is a built-in reputation service. When a user
downloads or runs a file, or opens a website in Microsoft Edge, Windows checks it against
Microsoft's reputation data and warns about, or blocks, files and sites that are known to
be malicious or have not yet been seen widely enough to be trusted. It complements
antivirus rather than replacing it, since it acts on reputation, not on scanning the
file's content. Configure it through Group Policy ("Warn and prevent bypass") so that users
cannot simply click through the warning for a downloaded executable.

Enable Windows Hello

Microsoft Windows Hello is an access control feature that supports biometric identification
via fingerprint scanners, iris scanners and facial recognition, or a device PIN, on
compatible devices running Windows 10. The biometric or PIN unlocks a private key that is
bound to the device (and stored in the TPM where one is present), so the secret never
leaves the machine and cannot be replayed against another device; users log in securely
without typing a password that could be phished or reused. Set PIN length and complexity
requirements through policy.

Enable Windows Sandbox

If administrators decide to allow users to try unknown applications, Windows Sandbox is a
good fit. It is a lightweight, disposable virtual machine built into Windows 10 Pro and
Enterprise (version 1903 and later) that starts from a clean image each time and discards
everything when it is closed, so a suspicious installer or document can be opened without
exposing the host. It requires virtualization to be enabled in firmware. It is for testing,
not for running software permanently: anything installed inside it is gone when the window
closes.

Enable Windows Secure Boot

Secure Boot is a UEFI firmware feature. Before any code runs, the firmware verifies that
the boot loader, firmware drivers and the early Windows boot components are signed by a
key the platform trusts (Microsoft or the hardware manufacturer), and refuses to run
anything else. It therefore protects the boot path that runs before the operating system
starts, against bootkits and firmware-level rootkits that antivirus running inside Windows
cannot see. It is not a ransomware control on its own, although Credential Guard,
BitLocker's TPM boot validation and memory integrity all depend on it.

Secure Boot does not create restore points; that is System Restore, a separate feature.
Confirm that Secure Boot is enabled and the machine boots in UEFI (not legacy/CSM) mode,
set a firmware administrator password so it cannot be switched off without authorization,
and keep the firmware updated.

Windows BitLocker Encryption

Encryption processes encode data in a manner that makes it unusable to unauthorized users
who do not have the decryption key. The main advantage of encryption is that data on a
lost or stolen device stays unreadable. Windows offers a feature called BitLocker, which
encrypts entire volumes; when the key is sealed to the TPM, BitLocker also refuses to
release it if the boot path has been tampered with.

BitLocker was designed by Microsoft to provide encryption for disk volumes. It is a
built-in feature of the Pro, Enterprise and Education editions since Windows Vista,
including Windows 10. By default it uses the TPM to unlock the operating system drive
transparently; adding a pre-boot PIN protects a powered-off device against attacks on the
TPM and boot chain. BitLocker generates a recovery key, which must be escrowed (Active
Directory, Azure AD or another managed store) before encryption proceeds, and then encrypts
the whole drive. Use XTS-AES-256 for new deployments and protect removable drives with
BitLocker To Go.
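As an added example (not the guide's own material), the script below checks the state of the three hardware-rooted controls just described, Secure Boot, virtualization-based security with Credential Guard, and BitLocker on the system drive, and shows how each is enabled. The registry keys and values are Microsoft's documented Device Guard and LSA settings; the choice of XTS-AES-256 with a TPM protector plus an escrowed recovery password is this example's recommended configuration, not something the guide prescribes.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide: verify and enable Secure Boot
# dependent controls (VBS + Credential Guard) and BitLocker on the OS volume.

function Get-PlatformSecurityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $running = @($dg.SecurityServicesRunning)
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        SecureBoot        = (Confirm-SecureBootUEFI)   # throws on a legacy-BIOS machine
        TpmReady          = ($tpm.TpmPresent -and $tpm.TpmReady)
        VbsRunning        = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 off, 1 configured, 2 running
        CredentialGuardOn = ($running -contains 1)
        HvciOn            = ($running -contains 2)
        BitLockerOn       = ("$($os.ProtectionStatus)" -eq 'On')
        BitLockerTpmBound = [bool]($os.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
        RecoveryEscrowed  = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Enable-CredentialGuard {
    # Turns on VBS and Credential Guard; takes effect after a reboot.
    # LsaCfgFlags: 1 = enabled with UEFI lock (cannot be turned off remotely),
    # 2 = enabled without lock. RequirePlatformSecurityFeatures 1 = Secure Boot only.
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
}

function Enable-OsDriveBitLocker {
    # TPM-sealed key plus a recovery password. Record the recovery password in a
    # central store before rebooting: a firmware update that changes the TPM
    # measurements will otherwise lock the machine out.
    $mp = $env:SystemDrive
    Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $mp -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest
    (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword     # escrow this output
}

$state = Get-PlatformSecurityState
$state | Format-List
if (-not $state.SecureBoot) {
    Write-Warning 'Enable Secure Boot in firmware first; Credential Guard and TPM-bound BitLocker depend on it.'
} else {
    if (-not $state.CredentialGuardOn) { Enable-CredentialGuard }
    if (-not $state.BitLockerOn)       { Enable-OsDriveBitLocker }
}
```

Run the state function alone first; on machines managed by Group Policy or Intune, set Credential Guard and BitLocker through the policy (which also handles recovery key escrow to Active Directory or Azure AD) rather than writing the registry directly.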

Windows Information Protection

As more organizations allow employees to use their personally-owned devices, the risk of
accidental data leaks increases. Employees use many corporate applications and services
that cannot be controlled by the organization. Emails, public cloud services, and social
media platforms, for example, can all lead to data leaks.

Windows Information Protection (WIP) is designed to protect against potential data leaks
without disrupting the user experience. Formerly known as enterprise data protection (EDP),
this service is especially designed to reduce data leak risks originating from bring your
own device (BYOD) practices, including protection for both personally-owned and
company-owned devices.

WIP does not require modifying existing environments. It is offered as a mobile application
management (MAM) mechanism on Windows 10. You can use WIP to manage data policy
enforcement for documents and applications on Windows 10 desktop operating systems, and to
remove access to company data from all devices. Microsoft has since announced the
deprecation of WIP, so new deployments should evaluate the replacement Microsoft
recommends (Purview Information Protection with Intune app protection policies) instead.

Additional Best practices for OS hardening

 Disable Windows 10 automatic login. Windows can be configured to sign a user in
automatically at startup (through netplwiz, the AutoAdminLogon registry setting, or a
local account that was created without a password). That is tempting on a home machine
with no sensitive data, but the AutoAdminLogon setting stores the password in the registry
in clear text, and anyone who picks up the machine gets straight into your data and
company systems. This is especially important if you travel with a laptop to places like a
coffee shop, airport or open co-working space. Require a password, PIN or Windows Hello
sign-in, and set a short screen-lock timeout.

 Application Management- It is strongly preferred to configure Windows to only allow
the installation of approved applications from controlled software repositories or
application marketplaces. This prevents the following security risks:

 Attackers can email malicious applications to the user, or use social engineering to
convince them to download and install them.
 Even if installing software requires administrative access on the local machine, users
can be convinced to sign in as administrator to install a malicious app.
 Installers that run with elevated privileges can be abused by attackers to create a
compromised administrator account on the user's machine.

 Application Control- Many attack vectors rely on execution of malicious code, even if
it is not installed on the user's device. Allow-listing (whitelisting) executables in
Windows 10, with AppLocker or Windows Defender Application Control, is extremely effective
at preventing these attacks; block-listing on its own is not, because attackers simply
rename or recompile.

It is advised to create an allow list of files that are permitted to execute on end-user
machines, and to build it from a clean reference image rather than from whatever is
currently running on users' machines or from an application vendor's list. The allow list
should explicitly cover executables, libraries, scripts, installers and drivers, should
prefer rules based on publisher signatures over paths (a path rule is bypassed by writing
into any permitted directory), and should run in audit mode before it is enforced.

 Disabling Remote Access- The Windows Remote Desktop feature in Windows 10 allows users
to connect to their computer remotely over a network connection. A user with remote access
can control the computer just as a user at the keyboard can.

The downside of Remote Desktop is that attackers who obtain or guess credentials can use
it to take control of the system, steal sensitive information or install malware; exposed
RDP is one of the most common entry points for ransomware.

Remote Desktop is disabled by default, and you can easily disable it again once it has
been enabled. Turn it off whenever users are not actively using it. Where it is needed,
require Network Level Authentication, restrict the firewall rule to the management subnet,
never expose port 3389 to the Internet, and review the logon events.
 Enable Auto-Updates for Your Operating System- Make sure that any urgent security
update is installed promptly. The faster you apply a new security patch, the faster you
close the vulnerability and protect yourself from the latest known threats.

Your organization likely has a security policy for updating operating systems. Users
should be made aware of the policy so they know whether to install updates straight away
or wait for IT to tell them when. Some companies give the responsibility for updating
operating systems to the IT team; in that case a short pilot ring followed by a deadline
for everyone else keeps the window of exposure small.

Businesses that are running older versions of Windows are at greater risk. For example,
Microsoft ended support for Windows 7 in January 2020, so anyone still using it receives
no fixes for newly found vulnerabilities. Therefore, it is important to ensure your
operating systems are upgraded before support ends.

 Enable File Backups- Setting up file backups on a regular basis can help prevent
critical data loss during disasters like hardware failures or malware attacks. A backup
that ransomware running as the user can reach is not a backup: keep at least one copy
offline or in storage the endpoint cannot overwrite, and test a restore. To help you
protect your data, Windows 10 offers several tools and features, including:

 Use File History – this free tool can help you easily back up files to an external or
network drive.
 Create recovery drives – these restore the Windows installation itself, not your
files, so keep one alongside the file backups.
 Backup to the cloud – use cloud storage services, such as Dropbox, Google Drive, and
OneDrive, or enterprise cloud backup solutions, to continuously back up your data;
prefer a service with version history so an encrypted file can be rolled back.

 Make sure Windows Script Host is disabled where scripts are not needed. Do not delete
wscript.exe: Windows File Protection would restore it, and cscript.exe would still run
scripts. Instead set the DWORD value Enabled to 0 under
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, which disables both script hosts for
all users. Logon scripts and some installers rely on WSH, so test before rolling this out.

 Set up your user accounts.- Set up multiple accounts with different levels of
permissions:
 Administrator Account: The first account on a Windows 10 PC is a member of the
Administrators group and has the right to install software and modify the system
configuration. Keep it for administration only.
 Standard Account: Additional accounts can and should be set up as Standard users. Use
a Standard user account for day-to-day work; it limits what a nontechnical user (or
malware running as that user) can change on the system and helps block unwanted software
installation, because privileged actions prompt for administrator credentials.
 Guest Account: The Guest account provides anonymous access to your computer, so it is a
security risk. It is disabled by default in Windows 10; the best practice is to leave it
disabled and to verify that nobody has re-enabled it.

 Disable file sharing.- Turn off File and Printer Sharing under Settings > Network &
Internet > Network and Sharing Center > Advanced sharing settings (the Control Panel path
in older Windows versions differs), or disable the "File and Printer Sharing" firewall rule
group, which also closes SMB (port 445) at the host firewall.
 Disable USB mass storage by default, through the "Removable Storage Access" Group
Policy or by disabling the USBSTOR driver, and keep a documented exception process for
users who need it.
 Regularly check system audit logs to monitor for malicious activity, and make sure the
audit policy actually records logons and process creation: by default several of the
useful categories are off.
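The following is an added example, not part of the original guide: it applies the settings behind the checklist items above (automatic logon, Windows Script Host, Remote Desktop, file sharing, USB storage, the Guest account and audit policy) and then verifies them, so the same script can be used for the initial hardening and for later drift checks. The registry paths and values are Microsoft's documented ones; the audit subcategories chosen are this example's assumption about the minimum a log reviewer needs.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original guide: apply and verify the
# "additional best practices" for a Windows 10 endpoint.

function Set-EndpointHardening {
    # 1. Automatic logon off. AutoAdminLogon keeps DefaultPassword in CLEAR TEXT,
    #    so remove that value as well as the flag.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $wl -Name AutoAdminLogon -Value '0' -Type String
    Remove-ItemProperty -Path $wl -Name DefaultPassword -ErrorAction SilentlyContinue

    # 2. Windows Script Host off system-wide (both wscript.exe and cscript.exe honour
    #    this). Deleting the binaries is not the fix: SFC restores them.
    $wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    New-Item -Path $wsh -Force | Out-Null
    Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord

    # 3. Remote Desktop off, and its firewall rules disabled so that an accidental
    #    re-enable is still blocked at the host firewall.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # 4. File and printer sharing: disable the inbound rule group (closes SMB 445).
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

    # 5. USB mass storage: start type 4 (Disabled) on the USBSTOR driver stops new
    #    storage devices from enumerating; keyboards and mice are unaffected.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord

    # 6. Guest account disabled (it is by default; re-assert in case it was enabled).
    Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue

    # 7. Audit categories a log reviewer actually needs, plus command lines in
    #    process-creation events (4688) so the log shows what was run, not just what.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
    auditpol /set /subcategory:"Security System Extension" /success:enable | Out-Null
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

function Test-EndpointHardening {
    # Returns $true only when every control above is in its hardened state.
    $checks = @(
        ((Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').AutoAdminLogon -ne '1'),
        ((Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue).Enabled -eq 0),
        ((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1),
        (-not (Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Where-Object { "$($_.Enabled)" -eq 'True' })),
        ((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start -eq 4),
        (-not (Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue).Enabled)
    )
    return ($checks -notcontains $false)
}

Set-EndpointHardening
Test-EndpointHardening   # $true once every control is in place
```

The verification function is the useful half: schedule it (or an equivalent Intune compliance check) and alert when it returns $false, because a user with local administrator rights can undo any of these settings in a minute.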
3. Router Configuration Best Practice

 Change router password- All routers come with a default username and password, which
are usually "admin" and "admin", or "admin" and "password". Attackers know this, so it's
best to change it. First, find your router's IP address and type it into your browser's
address bar. Log in with the default credentials (usually printed on the bottom of the
router, or included in the box) and go to settings. From here, select the option to
change your router password. Use a long, unique passphrase, change the default
administrator username too where the router allows it, and change the password again
whenever someone who knew it leaves; this password protects every other setting on this
list.
 Update router's firmware - Routers run on low-level software called firmware. It
implements the security features of your Wi-Fi network and enforces the rules as to which
devices can connect. Regularly updating your router's firmware fixes bugs and security
flaws which, if left, could expose your network to all kinds of cyberattacks. Newer models
will update themselves in the background, but you should still check that you're running
the latest firmware by logging in to your router's settings; if the manufacturer no longer
publishes updates for your model, replace it.

Disable remote access, UPnP, and WPS

 Disable remote access- The problem with having remote (WAN-side) management enabled is
that you are leaving the router's admin interface open to the whole Internet, where it
will be scanned and tried with default and leaked credentials. Remote access is convenient
if you ever need to change router settings away from home, but that is rarely needed and
isn't worth the risk. Turn it off in your router's settings panel, then confirm from
outside (for example from a phone on mobile data) that the admin page no longer answers.

 Disable UPnP- Universal Plug and Play lets devices on the LAN open inbound ports on the
router automatically, without any authentication. That is convenient for multiplayer
gaming or communal printers, but it means any malware on any LAN device can expose that
device to the Internet, and flaws in router UPnP stacks, such as CallStranger
(CVE-2020-12695), have let attackers on the Internet abuse the SUBSCRIBE callback to
reflect traffic for DDoS, scan the internal network and exfiltrate data. Disable UPnP and
create the few port forwards you actually need by hand; for most home devices this is
little hassle.

 Disable WPS- Wi-Fi Protected Setup (WPS) lets you connect new devices with an 8-digit
PIN or by pushing a button on your router. WPS makes new connections faster and easier,
but the PIN is validated in two halves, which reduces it to about 11,000 guesses, far
easier to brute-force than a WPA2 passphrase, and an attacker in radio range who recovers
the PIN obtains the Wi-Fi passphrase and a foothold on your network. Disable it,
especially if you don't have lots of new devices connecting every day; on some routers
the PIN method stays active even when WPS appears to be off, so verify after the change.
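The script below is an added example and not part of the original guide: after UPnP has been switched off on the router, it sends an SSDP M-SEARCH from a Windows host on the LAN and lists every device that still answers, flagging any that advertises the Internet Gateway Device WANIPConnection service, which is the interface that opens inbound ports on request. It uses only .NET sockets and assumes nothing about the router model.

```powershell
# Added example, not part of the original guide: SSDP discovery to confirm that
# no UPnP responder (in particular the router's IGD service) is left on the LAN.

function Find-UpnpDevices {
    param([int]$TimeoutSeconds = 3)

    $group    = [System.Net.IPAddress]::Parse('239.255.255.250')
    $endpoint = [System.Net.IPEndPoint]::new($group, 1900)
    # CRLF line endings and a terminating blank line are mandatory; most UPnP
    # stacks silently drop anything else.
    $msearch = "M-SEARCH * HTTP/1.1`r`n" +
               "HOST: 239.255.255.250:1900`r`n" +
               "MAN: `"ssdp:discover`"`r`n" +
               "MX: 2`r`n" +
               "ST: ssdp:all`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($msearch)

    $udp = [System.Net.Sockets.UdpClient]::new(0)      # ephemeral source port
    $udp.Client.ReceiveTimeout = 1000                   # ms; Receive() throws on timeout
    try {
        $udp.Send($bytes, $bytes.Length, $endpoint) | Out-Null
        $found    = @{}
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline) {
            $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
            try   { $data = $udp.Receive([ref]$from) }
            catch [System.Net.Sockets.SocketException] { continue }   # timeout, keep waiting

            # Responses are HTTP-style: status line then "Header: value" lines.
            $hdr = @{}
            foreach ($line in ([System.Text.Encoding]::ASCII.GetString($data) -split "`r`n")) {
                if ($line -match '^([^:]+):\s*(.*)$') { $hdr[$Matches[1].ToUpper()] = $Matches[2] }
            }
            # One entry per responder+service. LOCATION is the device description URL;
            # SERVER names the UPnP stack, which is usually the vulnerable component.
            $key = "$($from.Address) $($hdr['ST'])"
            if (-not $found.ContainsKey($key)) {
                $found[$key] = [pscustomobject]@{
                    Address  = $from.Address.ToString()
                    ST       = $hdr['ST']
                    Server   = $hdr['SERVER']
                    Location = $hdr['LOCATION']
                }
            }
        }
        return @($found.Values)
    } finally { $udp.Close() }
}

$devices = Find-UpnpDevices
if ($devices.Count -eq 0) {
    'No UPnP responders on this segment.'
} else {
    $devices | Sort-Object Address, ST | Format-Table -AutoSize
    # A responder offering WANIPConnection (or WANPPPConnection) is a router that
    # will still open inbound ports for any LAN host that asks.
    $devices | Where-Object { $_.ST -match 'WAN(IP|PPP)Connection' } |
        ForEach-Object { Write-Warning "Router IGD still reachable at $($_.Location)" }
}
```

Other devices (TVs, media players, printers) will usually still answer the M-SEARCH; that is expected, and the warning is reserved for the router's gateway service. Run it from each VLAN or Wi-Fi segment the router serves, because SSDP is link-local.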

 Enable MAC Address Filtering - Each network interface has a unique MAC address, and the
router can be set to accept only listed devices. Treat this as housekeeping rather than as
a security control: MAC addresses are transmitted in clear over the air and are trivially
spoofed, so it stops accidental joins, not an attacker.
 Using Firewall - A firewall sits between your devices and the Internet. Services listen
on numbered ports, and a firewall allows only the connections you have approved, blocking
unsolicited inbound traffic so that an attacker on the Internet cannot reach services
running on your devices. The router's built-in firewall (and NAT) covers the whole
network; the software firewall on each device is cheap, widely used by home users, and
also catches threats that are already on the LAN.
 Hide your network from view - Hiding the SSID stops casual visitors from seeing the
network in their Wi-Fi list, but it is obscurity, not security: the SSID is still sent in
clear in every association, and your own devices broadcast probe requests for it wherever
they go. Treat it as a convenience only, never as a substitute for strong encryption.
 Turn on the wireless network encryption - Encryption scrambles the information that you
send over the air so that someone in radio range cannot read it. Most Wi-Fi routers offer
several modes. WEP and the original WPA (TKIP) are broken and must not be used. Use WPA3
where every device supports it, otherwise WPA2 with AES/CCMP only (no TKIP fallback) and a
long passphrase; WPA2/WPA3 mixed mode is an acceptable transition setting.
 Take the time to review the security logs - Reviewing your router's logs (via its
built-in firewall functions) is often the most effective way to identify security
incidents, both in-progress attacks and indicators of upcoming ones such as port scans.
Using outbound logs, you can also identify Trojans and spyware programs that are
attempting to establish an outbound connection. Because the router sits on the perimeter
of your network, its logs give an overall picture of the inbound and outbound activity of
your network; where the router supports it, send them to a syslog server so they survive a
reboot or a factory reset.
 Maintain physical security of the router - Make sure that physical access to your
networking equipment is secure, to prevent the placement of sniffing equipment, such as an
unauthorized laptop or a rogue access point, on the local subnet, and to prevent a reset
to factory defaults, which restores the default password.
 LOCAL ADMINISTRATION - A malicious person on your network is bad enough, but we need to
prevent them from being able to modify the router. The web interface of a router also
needs to be protected from malicious web pages that exploit CSRF bugs, which work by
riding on an administrator's still-authenticated browser session. Local admins must access
the router admin page through HTTPS, not HTTP, and log out when finished. Every time the
router administrator logs on to the router or changes the router settings, there should
be a log entry for it.
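As an added example (not the guide's own material) for the wireless-encryption item above, the following parses the output of netsh on a Windows host to list the networks in range, including your own, and flags any that still use WEP, WPA/TKIP or no encryption. It parses the English text output of netsh, so the locale and the presence of a Wi-Fi adapter are assumptions; the constructed sample output lets the parser be tried on a host without one.

```powershell
# Added example, not part of the original guide: audit visible Wi-Fi networks for
# weak authentication or encryption using "netsh wlan show networks mode=bssid".

function Get-WlanSecurityAudit {
    param([string[]]$NetshOutput = (netsh wlan show networks mode=bssid))

    $networks = @()
    $current  = $null
    foreach ($line in $NetshOutput) {
        # "SSID 1 : name" starts a network block; BSSID lines are indented and
        # therefore do not match the anchored pattern.
        if ($line -match '^SSID\s+\d+\s*:\s*(.*)$') {
            if ($current) { $networks += $current }
            $current = [pscustomobject]@{ SSID = $Matches[1].Trim(); Authentication = ''; Encryption = '' }
        } elseif ($current -and $line -match '^\s*Authentication\s*:\s*(.*)$') {
            $current.Authentication = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Encryption\s*:\s*(.*)$') {
            $current.Encryption = $Matches[1].Trim()
        }
    }
    if ($current) { $networks += $current }

    foreach ($n in $networks) {
        # Weak: open, WEP, original WPA ("WPA-Personal"/"WPA-Enterprise", not WPA2/WPA3),
        # or any mode still negotiating TKIP.
        $weak = ($n.Authentication -match '^Open$|WEP|^WPA-') -or
                ($n.Encryption -match 'TKIP|WEP|None')
        $n | Add-Member -NotePropertyName Weak -NotePropertyValue $weak -PassThru
    }
}

# Constructed sample in the shape netsh prints, so the parser runs without an adapter.
$sample = @(
    'SSID 1 : HomeNet',
    '    Network type            : Infrastructure',
    '    Authentication          : WPA2-Personal',
    '    Encryption              : CCMP',
    '    BSSID 1                 : 00:11:22:33:44:55',
    'SSID 2 : OldRouter',
    '    Network type            : Infrastructure',
    '    Authentication          : WPA-Personal',
    '    Encryption              : TKIP',
    'SSID 3 : Cafe',
    '    Network type            : Infrastructure',
    '    Authentication          : Open',
    '    Encryption              : None'
)
Get-WlanSecurityAudit -NetshOutput $sample | Format-Table SSID, Authentication, Encryption, Weak
# On the sample, OldRouter and Cafe are flagged Weak; HomeNet is not.

# Live run against whatever is in range right now:
# Get-WlanSecurityAudit | Where-Object Weak
```

If your own SSID shows up as weak, fix it at the router; if a neighbouring network does, it is a reminder that a WPA2/WPA3 passphrase is the only thing standing between that attacker and your LAN.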

Interface and Port Recommendations

As with services, all router interfaces and switch ports that are not used should be
disabled to prevent unauthorized access to the device.
 Enable port security (limit the MAC addresses allowed per access port, so an attacker
cannot plug in a hub or flood the switch's address table).
 Shut down unused interfaces and switch ports.
 Place unused switch ports in a VLAN that is not routed and is closely monitored.
 Reassign the native VLAN away from VLAN 1 and do not use it for user traffic, to
defeat double-tagging VLAN-hopping attacks.

Disable the following:
 Unused interfaces and routing protocols (and authenticate the routing protocols you keep)
 IP directed-broadcast (used for smurf-style amplification)
 IP proxy-ARP (lets the router answer ARP on behalf of other hosts, which aids spoofing)

4. Printer Configuration Best Practice

 All networked printers must have a static IP address (or a DHCP reservation), so that
firewall rules and access lists can reference them reliably.
 Limit access to the printer to members/staff who have a definite need to use it, for
example by placing printers in their own VLAN and allowing only the print server and
management hosts to reach them.
 Disable unneeded or unused services on the machine, e.g. "Document Server".
 Do not save or store documents that contain classified or sensitive information on the
machine.
 Change default logins and passwords; printers ship with well-known defaults and are
often left untouched for years.
 All services must be configurable and must be able to be completely disabled (i.e. SMTP,
NTP, FTP, HTTP, NFS, etc.):
o Disable the Telnet daemon. If a remote shell is needed, use SSH (OpenSSH is one
implementation of it);
o Disable anonymous FTP access;
o Disable support for the HTTP TRACE method;
o Disable NetBIOS null sessions;
o Change the SNMP community strings from the defaults "public" and "private", or
disable SNMPv1/v2c in favour of SNMPv3 with authentication; the default strings let
anyone on the network read, and often change, the printer's configuration.
 Use a firewall for your devices - The firewall blocks suspicious activity and protects
the network from unauthorized access via the device. This firewall should be in addition
to general network firewalls.
 Disable USB ports - USB keys can carry malware that the printer cannot detect and can
corrupt the device. Users can also use USB ports to copy data off the device without
authorization.
 Erase device hard drives periodically - Printers, copiers, faxes, scanners and
multifunction devices can retain copies of documents on their hard drives. Erase them
periodically, and before the device is returned from lease or disposed of, to mitigate
potential data loss.
 Implement TLS for information transmission - Data needs to be secure in transit and at
rest on the device's hard drive. Use TLS (the successor to SSL) for the admin interface
and for encrypted print paths such as IPP over TLS, with a certificate issued by your own
CA rather than the self-signed default, to protect information throughout its u
 Prohibit printing from non-company assets - Employees or guests should not be able to
print from cell phones or personal computers. These devices can easily carry malware that
can infect printers and other network components.
 Update and Patch- Just like computers, printers and multi-function devices need updates
and patches. Check for firmware updates on all printer and network devices as part of
your regular patch management schedule.
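The script below is an added example, not part of the original guide: from a Windows host it checks a networked printer for the management services this section says to disable (Telnet, FTP, plain HTTP, NetBIOS, LPD) and for the HTTP TRACE method, while confirming that the services a hardened printer should still offer (HTTPS, IPP, raw port 9100) are present. The address 192.0.2.50 is a documentation placeholder and the expected-open/closed table reflects this example's assumptions about a typical deployment.

```powershell
# Added example, not part of the original guide: port and TRACE exposure check
# for a networked printer. 192.0.2.50 is a placeholder address.

function Test-PrinterExposure {
    param(
        [Parameter(Mandatory)][string]$Printer,
        [int]$TimeoutMs = 1500
    )
    # Port -> service, and whether a hardened printer should still have it open.
    $services = @(
        @{ Port = 21;   Name = 'FTP';           Expected = $false },
        @{ Port = 23;   Name = 'Telnet';        Expected = $false },
        @{ Port = 80;   Name = 'HTTP admin';    Expected = $false },   # HTTPS only
        @{ Port = 139;  Name = 'NetBIOS';       Expected = $false },
        @{ Port = 443;  Name = 'HTTPS admin';   Expected = $true  },
        @{ Port = 515;  Name = 'LPD';           Expected = $false },
        @{ Port = 631;  Name = 'IPP';           Expected = $true  },
        @{ Port = 9100; Name = 'Raw/JetDirect'; Expected = $true  }
    )
    foreach ($s in $services) {
        $client = [System.Net.Sockets.TcpClient]::new()
        try {
            # Bounded async connect; a plain Connect() to a filtered port hangs ~20 s.
            $ar   = $client.BeginConnect($Printer, $s.Port, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch { $open = $false }
        finally { $client.Close() }

        if ($open -and -not $s.Expected)     { $finding = 'DISABLE this service' }
        elseif (-not $open -and $s.Expected) { $finding = 'check: expected service is closed' }
        else                                 { $finding = 'ok' }

        [pscustomobject]@{ Port = $s.Port; Service = $s.Name; Open = $open; Finding = $finding }
    }
}

function Test-HttpTrace {
    param([Parameter(Mandatory)][string]$Url)
    # A 200 response to TRACE means the method is enabled (cross-site tracing risk);
    # 405/501 or a refused connection means it is off.
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Trace -UseBasicParsing -TimeoutSec 5
        return ($r.StatusCode -eq 200)
    } catch { return $false }
}

$printer = '192.0.2.50'   # placeholder: replace with the printer's static IP
Test-PrinterExposure -Printer $printer | Format-Table -AutoSize
if (Test-HttpTrace -Url "http://$printer/") { Write-Warning "HTTP TRACE is enabled on $printer" }
```

Run it before and after changing the printer's settings, and again after every firmware update, since updates have been known to re-enable services. SNMP is UDP and is not covered by the TCP check above; verify the community string change with an SNMP tool against port 161.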
