How system hardening the Windows OS improves security

Q: What are the pros and cons of Windows system hardening? I want to make my systems more secure without breaking any apps. -M.N.

A: First of all, let's define "hardening." When you harden a system, you're attempting to make it bulletproof. Ideally, you want to be able to leave it exposed to the general public on the Internet without any other form of protection. This isn't a system you'll use for a wide variety of services. A hardened system should serve only one purpose--it's a Web server or DNS or Exchange server, and nothing else. You don't typically harden a file and print server, or a domain controller, or a workstation. These systems need too many functions to be properly hardened.

In general, if you need a hardened system, you shouldn't be looking to Microsoft. It's far easier to harden a Red Hat or FreeBSD system, among others. Not only is there less work, but there's better documentation on how to do it.

I've stripped down every Microsoft OS ever produced, and believe me, you'll never get the level of satisfaction you'll get with a hardened Linux system in the same amount of time.

That said, I should point out that there are notable exceptions. If you're running a Check Point firewall on NT, there's no reason not to feel the system is as secure as its Unix counterpart. Vendors of these products generally catch things a user might otherwise miss when hardening the system on their own.

System Hardening Steps
To harden a Windows server, you'll need to do the following three steps, at a bare minimum:

• Disable all unnecessary services. To do this, you first need to determine which services can be disabled. Sounds simple enough, but it's not. For example, it's impossible to disable the Remote Procedure Call (RPC) service. Also, little documentation exists to identify what services a given purpose will require. Even if we had such a list, it would likely change depending on a vendor's specific implementation (say, of a DNS or mail server). In the end, knowing which services are required and which can be disabled is largely a matter of trial and error.
• Remove all unnecessary executables and registry entries. Forgetting to remove unneeded executables and registry entries might allow an attacker to invoke something that had previously been disabled.
• Apply appropriately restrictive permissions to files, services, end points and registry entries. Inappropriate permissions could give an attacker an opening. The ability to launch CMD.EXE as "LocalSystem," for example, is a classic backdoor.

Now to the specific question on the pros and cons of server hardening. The benefits of OS hardening a Windows server are that you will have fewer patches to apply, you'll be less likely to be vulnerable to the average exploit, and you'll have fewer records to review in the logs. You can focus your attention on what the server is doing, not on services it may have running that you don't need.

On the other hand, it's very difficult to properly harden/configure a system so that it keeps running effectively. Documentation is scarce, and permissions are required to make it effective--and in the Windows world, permissioning remains one of those mystic arts. Finally, even a hardened Windows server will probably have far too many resident files and registry entries to effectively monitor and maintain.

An alternative to this type of system hardening is what TruSecure calls essential configurations, or ECs. ECs are like best practices for server security, a set of tasks that can be completed in an hour or so on any existing or new system. ECs don't harden the box, per se, but they make it resistant to all known mass exploits and the most common vulnerabilities for the box's primary task. Therefore, ECs can be applied to any box, regardless of its role, but aren't designed to equal the security of a hardened system. 

About the author:

Russ Cooper is surgeon general of TruSecure Corp. and editor of the NTBugtraq mailing list.