- David Galiata
Having a proper patch management system is critical to protecting client data but it's just one of many security considerations. With Ransomware and other exploits on the rise, MSPs and IT Departments must strengthen defenses against outside attacks. When attempting to compromise a device or network, malicious parties look for any opening. Many small- and medium-sized businesses are unaware that operating system vulnerabilities provide easy access into key systems. In order to provide users with peace of mind, safeguard their sensitive information and differentiate your security services from the competition, here are some ways to harden clients operating systems:
Definition of OS Hardening
What is OS hardening? Here is a quick definition from the web:
Hardening of the OS is the act of configuring an OS in a secure fashion, keeping it up to date with patches, etc., creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.
OS Hardening Tips
While different operating systems have their own specific details, there are recommended hardening procedures that apply universally. This list is not all-inclusive and you may implement additional system hardening best practices when applicable. However, in order to minimize clients' risk of suffering a cyber attack, adhere to the following protocols:
Application clean-up – Remove unnecessary programs. End users should not have admin rights to their workstations. Almost every time I have been on a machine where users can install applications, there are always random media player programs and other odd software that should not be installed. Every application is a risk. Cleaning out unnecessary software limits the risk of allowing hackers into the system. Attackers look for back-doors and security holes when attempting to compromise networks. Minimize their chances of getting through.
Install major OS updates – Keep up-to-date and install the latest versions. Nothing guarantees protection, especially from zero-day attacks, but this is an easy rule to follow.
Patches and patch management – Planning, testing, implementing and auditing patch management software should be part of a regular security regimen. Make sure the OS is patched regularly, as well as the individual programs on the client's computer. Your consulting firm should have processes in place that when new updates and patches are released, you test them in an isolated environment and make sure they get approved. Properly testing patches goes a long way. Another thing I recommend is to not blindly accept driver updates as a part of your patching process. I've seen too many times where a Lenovo, HP, or Dell driver gets automatically updated and something on the system breaks. Going with security and critical updates is a better route.
Group Policies – Having a proper Active Directory structure is paramount to deploying your Group Policies. With Group Policies, you can have full control over which users and groups are impacted by specific policies. can or can’t access and maintain these rules. Establish or update user policies and ensure all users are aware and comply with these procedures. For example, everyone should be implementing strong passwords, securing their credentials and changing them regularly.
In today's world, there’s no end to how much you can do to protect your clients infrastructure, however this list should help get you started. Sometimes, it’s small changes that can make the biggest difference. Teach your clients the importance of OS hardening and the value of keeping their systems up-to-date. Ultimately, they will rely on you to keep them informed on security best practices.