1
00:00:00,630 --> 00:00:01,589
In this lesson,

2
00:00:01,589 --> 00:00:03,510
we're going to discuss device hardening

3
00:00:03,510 --> 00:00:05,790
in relation to our endpoint devices.

4
00:00:05,790 --> 00:00:08,310
Now, device hardening refers to ensuring that the device

5
00:00:08,310 --> 00:00:10,500
has had any unnecessary applications,

6
00:00:10,500 --> 00:00:14,370
services, or ports disabled or removed from that host.

7
00:00:14,370 --> 00:00:15,390
To dive a bit deeper

8
00:00:15,390 --> 00:00:17,160
into the definition of device hardening,

9
00:00:17,160 --> 00:00:18,900
we can state that device hardening

10
00:00:18,900 --> 00:00:20,940
is the process of making a host system

11
00:00:20,940 --> 00:00:23,130
or application configuration secure

12
00:00:23,130 --> 00:00:25,020
by reducing its attack surface

13
00:00:25,020 --> 00:00:27,030
by running only necessary services,

14
00:00:27,030 --> 00:00:28,470
installing monitoring software

15
00:00:28,470 --> 00:00:30,540
to protect against malware and intrusions,

16
00:00:30,540 --> 00:00:32,430
and establishing a maintenance schedule

17
00:00:32,430 --> 00:00:34,050
to ensure the system is patched

18
00:00:34,050 --> 00:00:36,750
and secured against software exploits.

19
00:00:36,750 --> 00:00:39,750
Now, device hardening is applied to our endpoint devices,

20
00:00:39,750 --> 00:00:41,850
our servers, our network infrastructure,

21
00:00:41,850 --> 00:00:43,680
and our mobile devices as well.

22
00:00:43,680 --> 00:00:45,030
Any device can be hardened,

23
00:00:45,030 --> 00:00:47,040
and this helps to reduce our attack surface

24
00:00:47,040 --> 00:00:48,450
and risk of attack.

25
00:00:48,450 --> 00:00:50,250
When dealing with a host or a server,

26
00:00:50,250 --> 00:00:51,630
it is really important to ensure

27
00:00:51,630 --> 00:00:53,460
that the endpoint security software,

28
00:00:53,460 --> 00:00:55,860
such as anti-malware, anti-virus,

29
00:00:55,860 --> 00:00:58,020
spam filters, host-based firewalls

30
00:00:58,020 --> 00:00:59,400
and log collection agents,

31
00:00:59,400 --> 00:01:01,560
are all installed on that host as well,

32
00:01:01,560 --> 00:01:03,300
to increase its security posture

33
00:01:03,300 --> 00:01:04,709
and our ability to detect

34
00:01:04,709 --> 00:01:07,110
when something is not as it should be.

35
00:01:07,110 --> 00:01:09,150
Thankfully, manufacturers are helping us

36
00:01:09,150 --> 00:01:10,830
in our quest for more secure hosts

37
00:01:10,830 --> 00:01:12,390
by adding specialized hardware,

38
00:01:12,390 --> 00:01:14,550
such as more secure BIOS configurations,

39
00:01:14,550 --> 00:01:18,480
like UEFI, the Trusted Platform Module, or TPM;

40
00:01:18,480 --> 00:01:22,620
and Hardware Security Modules, or HSM, into our devices.

41
00:01:22,620 --> 00:01:25,440
As more and more networks become de-perimeterized,

42
00:01:25,440 --> 00:01:27,390
it's going to become more important than ever

43
00:01:27,390 --> 00:01:29,370
to ensure that even our endpoint devices

44
00:01:29,370 --> 00:01:32,160
are well-protected from the dangers of the outside world,

45
00:01:32,160 --> 00:01:34,050
and not just our servers.

46
00:01:34,050 --> 00:01:35,490
To conduct host hardening,

47
00:01:35,490 --> 00:01:37,410
system administrators will secure a host

48
00:01:37,410 --> 00:01:38,790
by ensuring that all of its software

49
00:01:38,790 --> 00:01:40,170
is patched and up to date

50
00:01:40,170 --> 00:01:42,600
and that the device is properly configured.

51
00:01:42,600 --> 00:01:45,390
They'll also work to remove unnecessary applications,

52
00:01:45,390 --> 00:01:47,640
block unnecessary ports and services,

53
00:01:47,640 --> 00:01:49,800
tightly control any external storage devices

54
00:01:49,800 --> 00:01:51,120
connected to that host,

55
00:01:51,120 --> 00:01:53,190
disable unneeded accounts on the system,

56
00:01:53,190 --> 00:01:54,720
rename default accounts,

57
00:01:54,720 --> 00:01:57,030
and change the device's default passwords.

58
00:01:57,030 --> 00:01:58,410
Other forms of host hardening

59
00:01:58,410 --> 00:02:00,330
include configuring a standardized baseline

60
00:02:00,330 --> 00:02:01,710
for the operating system,

61
00:02:01,710 --> 00:02:04,140
as well as putting in allow and deny lists

62
00:02:04,140 --> 00:02:06,300
for your applications on the system,

63
00:02:06,300 --> 00:02:08,430
implementing security and group policies,

64
00:02:08,430 --> 00:02:10,620
restricting the command-line interface from being used,

65
00:02:10,620 --> 00:02:13,740
and restricting the use of peripheral devices.

66
00:02:13,740 --> 00:02:15,030
When you conduct hardening,

67
00:02:15,030 --> 00:02:17,220
you always want to balance the access requirements

68
00:02:17,220 --> 00:02:18,750
and the usability of the system

69
00:02:18,750 --> 00:02:22,170
against those open ports, protocols and services.

70
00:02:22,170 --> 00:02:24,570
Our goal is to open the fewest ports

71
00:02:24,570 --> 00:02:26,340
and run the fewest services

72
00:02:26,340 --> 00:02:29,640
to effectively get the job done on a particular device.

73
00:02:29,640 --> 00:02:31,500
So when it comes to hardening,

74
00:02:31,500 --> 00:02:33,750
what kind of things should you be looking at?

75
00:02:33,750 --> 00:02:36,540
Well, first, you should check any network interfaces

76
00:02:36,540 --> 00:02:38,730
that provide connectivity to the local area network

77
00:02:38,730 --> 00:02:40,560
or a wide area network.

78
00:02:40,560 --> 00:02:43,140
Most commonly, you're going to have a network interface card

79
00:02:43,140 --> 00:02:44,100
for wired networks

80
00:02:44,100 --> 00:02:47,640
and a wireless network adapter for your Wi-Fi connection.

81
00:02:47,640 --> 00:02:48,930
Some servers and hosts

82
00:02:48,930 --> 00:02:51,240
may have additional network interface cards as well

83
00:02:51,240 --> 00:02:53,820
that are reserved for a connection to a management LAN.

84
00:02:53,820 --> 00:02:55,620
Consider each of these network connections

85
00:02:55,620 --> 00:02:57,720
and determine if you really need them.

86
00:02:57,720 --> 00:02:58,890
Any that are unneeded

87
00:02:58,890 --> 00:03:02,310
should be explicitly disabled inside the operating system.

88
00:03:02,310 --> 00:03:04,590
Second, you should look at the list of services

89
00:03:04,590 --> 00:03:07,380
that are installed and running on your clients and servers.

90
00:03:07,380 --> 00:03:09,300
Services are a form of application

91
00:03:09,300 --> 00:03:10,410
that runs in the background

92
00:03:10,410 --> 00:03:12,450
to provide some kind of functionality.

93
00:03:12,450 --> 00:03:14,070
If you're not using a service,

94
00:03:14,070 --> 00:03:17,010
it should explicitly be disabled on that system.

95
00:03:17,010 --> 00:03:19,530
For example, let's say you're not running a print server

96
00:03:19,530 --> 00:03:20,850
on your Linux server.

97
00:03:20,850 --> 00:03:22,980
Well, you should disable the CUPS daemon

98
00:03:22,980 --> 00:03:24,210
on that server then.

99
00:03:24,210 --> 00:03:25,380
If you're running a Linux server

100
00:03:25,380 --> 00:03:27,330
that doesn't have any Bluetooth devices,

101
00:03:27,330 --> 00:03:30,600
you need to disable the Bluetooth daemon on that system too.

102
00:03:30,600 --> 00:03:31,770
This is what I'm talking about

103
00:03:31,770 --> 00:03:34,560
when I talk about disabling unneeded services.

104
00:03:34,560 --> 00:03:36,240
Third, you should always look at the ports

105
00:03:36,240 --> 00:03:37,650
that are open and in use,

106
00:03:37,650 --> 00:03:39,930
especially if they're running different applications

107
00:03:39,930 --> 00:03:41,610
on different service ports.

108
00:03:41,610 --> 00:03:44,670
For example, let's say you're running an HTTP server

109
00:03:44,670 --> 00:03:46,680
and you expect to see that on Port 80,

110
00:03:46,680 --> 00:03:48,120
which is going to be open by default

111
00:03:48,120 --> 00:03:49,980
if you're running a web server.

112
00:03:49,980 --> 00:03:52,440
Any ports that you don't need open for this service

113
00:03:52,440 --> 00:03:53,670
should be disabled.

114
00:03:53,670 --> 00:03:56,280
And most servers will only need a couple of ports open

115
00:03:56,280 --> 00:03:57,810
to perform their given function,

116
00:03:57,810 --> 00:04:01,260
like a web server needing Port 80 and Port 443.

117
00:04:01,260 --> 00:04:03,600
The rest should all be closed or blocked

118
00:04:03,600 --> 00:04:07,140
using a host-based firewall to further harden your servers.

119
00:04:07,140 --> 00:04:08,460
One thing to note with ports

120
00:04:08,460 --> 00:04:10,650
is that not all servers are going to be configured

121
00:04:10,650 --> 00:04:12,420
to use standardized ports.

122
00:04:12,420 --> 00:04:14,340
Sometimes you may be running servers

123
00:04:14,340 --> 00:04:17,220
on non-standard ports for a valid reason.

124
00:04:17,220 --> 00:04:19,800
For example, if I have a single physical server

125
00:04:19,800 --> 00:04:22,140
that's going to be running two different web servers on it,

126
00:04:22,140 --> 00:04:25,620
I may have them running on Port 80 and Port 8080.

127
00:04:25,620 --> 00:04:28,290
In this case, Port 80 is the standard port

128
00:04:28,290 --> 00:04:30,480
for HTTP or web traffic.

129
00:04:30,480 --> 00:04:34,020
But Port 8080 is considered a non-standard port,

130
00:04:34,020 --> 00:04:35,820
and I'm using it because I need to have

131
00:04:35,820 --> 00:04:37,800
two different web servers running at once

132
00:04:37,800 --> 00:04:39,660
on this particular system.

133
00:04:39,660 --> 00:04:41,400
Fourth, you should always ensure

134
00:04:41,400 --> 00:04:42,870
that you're using disk encryption

135
00:04:42,870 --> 00:04:44,700
to harden your endpoints too.

136
00:04:44,700 --> 00:04:47,670
Many endpoints will hold data created by your applications,

137
00:04:47,670 --> 00:04:49,230
as well as cached credentials.

138
00:04:49,230 --> 00:04:51,330
Therefore, you want to make sure your storage

139
00:04:51,330 --> 00:04:54,030
is encrypted on that device by default.

140
00:04:54,030 --> 00:04:56,910
The easiest way to do this is to enable full-disk encryption

141
00:04:56,910 --> 00:04:59,070
or use a self-encrypting drive

142
00:04:59,070 --> 00:05:02,070
so, that way, your data at rest is always secure.

143
00:05:02,070 --> 00:05:04,830
Fifth, you should review all of your accounts on the system

144
00:05:04,830 --> 00:05:06,300
as part of your hardening.

145
00:05:06,300 --> 00:05:08,400
If you have extra accounts that are not needed,

146
00:05:08,400 --> 00:05:10,650
those should be disabled or deleted.

147
00:05:10,650 --> 00:05:12,270
Remember, the rule of thumb

148
00:05:12,270 --> 00:05:14,730
is that anything that is unused or unneeded

149
00:05:14,730 --> 00:05:17,010
should be disabled, deleted, or blocked

150
00:05:17,010 --> 00:05:18,990
to best harden your systems.

151
00:05:18,990 --> 00:05:21,360
Now, one final word on device hardening.

152
00:05:21,360 --> 00:05:22,320
It is really important

153
00:05:22,320 --> 00:05:24,360
to consider the lifecycle of your device

154
00:05:24,360 --> 00:05:26,280
as part of your hardening actions.

155
00:05:26,280 --> 00:05:28,500
When you're buying a particular piece of software,

156
00:05:28,500 --> 00:05:30,180
hardware, or operating system,

157
00:05:30,180 --> 00:05:33,060
you need to consider the end of life, or EOL, date

158
00:05:33,060 --> 00:05:37,080
and the end of support, or EOS, date for those items.

159
00:05:37,080 --> 00:05:39,390
The end of life date usually refers to the date

160
00:05:39,390 --> 00:05:42,720
where a manufacturer will no longer sell a given product.

161
00:05:42,720 --> 00:05:46,320
For example, Microsoft announced that Windows Server 2019

162
00:05:46,320 --> 00:05:50,100
would reach the end of life on January 9th, 2024.

163
00:05:50,100 --> 00:05:52,260
At that time, there will be no new licenses

164
00:05:52,260 --> 00:05:53,880
sold for that operating system,

165
00:05:53,880 --> 00:05:55,800
and no mainstream support, patches,

166
00:05:55,800 --> 00:05:57,840
or updates will be available.

167
00:05:57,840 --> 00:05:59,790
Now, the end of support date, on the other hand,

168
00:05:59,790 --> 00:06:00,990
refers to the last date

169
00:06:00,990 --> 00:06:03,690
that a manufacturer will support a given product.

170
00:06:03,690 --> 00:06:06,810
Going back to my example of Windows Server 2019,

171
00:06:06,810 --> 00:06:09,570
Microsoft has listed an extended end of support date

172
00:06:09,570 --> 00:06:11,970
of January 9th, 2029.

173
00:06:11,970 --> 00:06:13,710
So while you can no longer buy

174
00:06:13,710 --> 00:06:16,530
Windows Server 2019 after 2024,

175
00:06:16,530 --> 00:06:19,260
you can still receive patches, updates, and support

176
00:06:19,260 --> 00:06:21,630
if you have an extended service contract with Microsoft

177
00:06:21,630 --> 00:06:23,550
until 2029.

178
00:06:23,550 --> 00:06:25,140
Now, the reason these end of life

179
00:06:25,140 --> 00:06:27,540
and end of support dates are really important

180
00:06:27,540 --> 00:06:29,850
is that the manufacturer is no longer going to provide

181
00:06:29,850 --> 00:06:32,760
any kind of patches or updates after those dates,

182
00:06:32,760 --> 00:06:34,890
and so you can't keep your system fully up to date

183
00:06:34,890 --> 00:06:36,150
and fully hardened.

184
00:06:36,150 --> 00:06:37,950
And this means attackers are going to be able

185
00:06:37,950 --> 00:06:40,350
to find vulnerabilities in those operating systems

186
00:06:40,350 --> 00:06:42,630
after those EOL and EOS dates,

187
00:06:42,630 --> 00:06:45,630
and then they can attack those legacy end of life

188
00:06:45,630 --> 00:06:47,490
or end of support operating systems

189
00:06:47,490 --> 00:06:50,700
as an open attack surface forever and ever afterwards.

190
00:06:50,700 --> 00:06:53,640
So you need to make sure you're always using software

191
00:06:53,640 --> 00:06:55,893
that is currently in life and in support.