System Hardening for Your Web Applications

System hardening is the practice of securing a computer system by reducing its attack surface. This includes removing unnecessary services and unused software, closing open network ports, changing default settings, and so on. For web applications, the attack surface is also affected by the configuration of all underlying operating systems, databases, network devices, application servers, and web servers. This article examines approaches to system hardening and shows what security measures you can apply to keep your web applications safe.

Know Your Attack Surface

The attack surface of a web application is the combination of all potential security vulnerabilities, backdoors, and other attack vectors in the application and its infrastructure. This includes not just unpatched software and firmware but also unsafe configurations, insecure access to data and applications, default or hard-coded logins and passwords, lack of suitable encryption for data in transit and/or at rest, and so on.

Apart from reducing the risk of malware attacks and other security threats, minimizing the attack surface also brings a host of other benefits. Hardened systems are easier to maintain because they have fewer active components. Hardening can also improve performance by eliminating unnecessary functionality that might otherwise drain valuable resources.

Formal Approaches to the Hardening Process

System hardening is not just a good practice – in some industries, it is a regulatory requirement to minimize security risks and ensure information security. For example, if you process medical patient data, you may be subject to HIPAA server hardening requirements, while for payment processing you may be affected by PCI DSS requirement 2.2.

Several organizations publish commonly accepted standards and procedures for eliminating system weaknesses, including the Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin, Audit, Network, and Security Institute (SANS), and National Institute of Standards and Technology (NIST). Major software vendors also provide their own hardening guides for specific products.

Your Web Application Hardening Checklist

A hardening checklist is a formal document listing all the steps required to lock down one or many systems. Your checklist will vary depending on the application infrastructure and security configuration – an all-cloud deployment will require very different actions than a full physical infrastructure, but the overall goals and concepts are the same.

To determine your hardening requirements, start by preparing an inventory of all relevant software and hardware assets. Complement this by checking the existing external attack surface using a cybersecurity audit, web vulnerability scan, penetration testing, or other methods to identify vulnerabilities and weak points. Web application discovery can be invaluable to detect forgotten or outdated applications that present additional targets.

Locking Down User Accounts and Data Access

Regardless of your physical and logical infrastructure, effective data access control is the biggest hardening issue. It applies across all software and hardware tiers, with the overriding goal of preventing unauthorized access to systems and data.

Start by enforcing role-based access controls and restrictions, and ensure that only valid and required user accounts are enabled. For each role and user, follow the rule of minimum necessary privileges. Define suitable password policies to enforce strong passwords and password rotation as required.

Determine where your data is stored (in databases, files, directory services, etc.) and define encryption policies to ensure that critical data is encrypted both at rest and in transit. Enforce policies to centralize data management and protection, for example by storing user files on a central file server protected by encryption and backups.

Network and Server Hardening

Server hardening is the main aspect of securing a web application. This includes not just web servers and application servers but also database and file servers, cloud storage systems, and interfaces to any external systems. Start by removing or disabling unnecessary software and services (especially file sharing services such as FTP), and closing all unnecessary ports. Minimize administrative access channels – if you only use SSH sessions to manage a server, remove or disable its web-based administrative interface.

Network security is another crucial aspect of system hardening. If your infrastructure uses physical network devices, change all default settings and credentials, and ensure that firmware is always up to date to minimize exposure to known bugs and vulnerabilities. Implement access lists to lock down data and system access, and encrypt traffic when necessary.

Timely patching is vital on all software and hardware levels, so ensure that you always apply the latest security patches after testing them outside the production environment. To keep systems updated, it’s a good idea to automate the update process and generate alerts about out-of-date products.

Operating System Hardening

Operating systems are usually supplied with a wide array of functionality, drivers, services, and other components to ensure universal support. When used to run a server, the OS should be stripped down to support only a specialized subset of functionality, which means removing all unnecessary software, libraries, services, and drivers. Depending on the server role, you may need to install or enable security services such as an anti-virus, anti-spyware tool, firewall, or intrusion detection system.

Specific configuration settings for hardening a Microsoft Windows server might include disabling guest accounts, enabling the Windows Firewall, requiring login to shut down the system, or disabling or restricting anonymous access to shares. For a Linux server, hardening steps might include creating separate partitions for critical mounts, specifying secure encryption settings for remote SSH sessions, configuring SELinux, logging all administrator and root access, or restricting process access to core dumps.
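To make the SSH item above concrete, here is an added example (not code from the article) that audits sshd_config text in Python. The baseline values, the weak-algorithm rules, and the sample file are assumptions constructed for illustration; only the global section before the first Match block is checked.

```python
# Illustrative baseline (an assumption, not from the article); align it with your policy.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no"}
WEAK = {
    "ciphers": lambda a: a.endswith("-cbc") or a.startswith("arcfour"),
    "macs": lambda a: "md5" in a or "sha1" in a,
    "kexalgorithms": lambda a: a.endswith("-sha1"),
}

SAMPLE = """\
# constructed sample, not taken from a real host
PermitRootLogin no
permitrootlogin yes
PasswordAuthentication yes
Ciphers aes256-gcm@openssh.com,aes128-cbc,3des-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-md5
Match User backup
    PasswordAuthentication no
"""

def effective_settings(text):
    """Global settings: keywords are case-insensitive and the first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks follow; they are out of scope here
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return a list of human-readable deviations from the baseline."""
    settings, findings = effective_settings(text), []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, built-in default applies (want '{want}')")
        elif got.lower() != want:
            findings.append(f"{key}: '{got}' (want '{want}')")
    for key, is_weak in WEAK.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not pinned, built-in default list applies")
        elif value[0] in "+-^":
            findings.append(f"{key}: modifies the default list, verify with 'sshd -T'")
        elif weak := [a for a in value.split(",") if is_weak(a.strip().lower())]:
            findings.append(f"{key}: weak algorithms {weak}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because the first occurrence of a keyword wins, the later `permitrootlogin yes` line in the sample has no effect and is not reported.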

How to Maintain Cybersecurity

System hardening is a continuous process, not something you can do once and forget about. The result of your first system hardening effort should be a baseline secure configuration. Every change and addition to your web application and infrastructure must then be tested against that baseline to ensure everything is secure.
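One way to test a server against such a baseline, tying it back to the earlier advice on closing unnecessary ports, is to compare its exposed TCP listeners with an approved list. This is an added Python example, not code from the article; the approved ports and the `ss -Htln` output are constructed sample data.

```python
import ipaddress

BASELINE_PORTS = {22, 443}  # assumed approved exposed ports for this example

# Constructed sample of `ss -Htln` output (listening TCP sockets, numeric, no header).
SS_SAMPLE = """\
LISTEN 0 128        0.0.0.0:22        0.0.0.0:*
LISTEN 0 511        0.0.0.0:443       0.0.0.0:*
LISTEN 0 244      127.0.0.1:5432      0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0 128           [::]:22           [::]:*
LISTEN 0 128          [::1]:631          [::]:*
LISTEN 0 32               *:21              *:*
"""

def exposed_ports(ss_output):
    """Ports that have at least one TCP listener reachable beyond loopback."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # also skips a header row if -H was omitted
        addr, _, port = fields[3].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop %interface, then IPv6 brackets
        try:
            if addr != "*" and ipaddress.ip_address(addr).is_loopback:
                continue  # bound to loopback only, not part of the external surface
        except ValueError:
            pass  # unparseable address: fail closed and count it as exposed
        ports.add(int(port))
    return ports

def drift(baseline, ss_output):
    """Compare current exposed listeners with the approved baseline."""
    current = exposed_ports(ss_output)
    return {
        "unexpected": sorted(current - baseline),  # opened since the baseline
        "missing": sorted(baseline - current),     # approved but not listening
    }

if __name__ == "__main__":
    print(drift(BASELINE_PORTS, SS_SAMPLE))
```

In the sample, the database and resolver listeners are bound to loopback and are ignored, while the wildcard FTP listener on port 21 is reported as unexpected.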

The web security landscape is constantly shifting and new threats and exploits emerge daily. Combined with the risk of uncontrolled system changes, this requires continuous monitoring and testing. To ensure system security, it’s a good idea to use enterprise-grade web vulnerability scanning and penetration testing tools to see your application’s weak points as an attacker might see them.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.