Consider hardening the host OS, because it can introduce additional vulnerabilities to the network. In general, it is recommended to run only the minimum services and applications needed to support the required functionality, which helps reduce the attack surface. This can be done by creating baselines and by conducting periodic port and OS scans to obtain a list of open ports and services. Conducting periodic vulnerability scans is also highly recommended, as it identifies potential vulnerabilities in the OS itself as well as vulnerabilities introduced by underlying applications or their dependencies.
There is a common set of considerations for each type of OS to keep the environment more secure and to reduce the potential attack surface. The items listed below are some general considerations for securing an OS:
- Ensure that only those who are required have access to the OS.
- Ensure that any user or service account has the minimum set of privileges necessary to carry out the required tasks.
- Use strong passwords.
- Configure host OS firewall rules (access lists) for managing traffic coming into and leaving the host.
- Integrate authentication with an existing central authentication system when possible.
- Keep up with the latest patches and ensure that they are applied only after being tested and approved.
- Disable unused or unnecessary services.
- Configure the system to use NTP.
- Configure logging settings and integrate with a central logging system or security information and event management (SIEM) when possible.
- Conduct credentialed vulnerability scanning regularly (per organizational policy).
- Deploy endpoint security software, such as anti-virus, to detect potential threats on the OS.
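
The baseline and periodic port check described above can be automated by comparing a host's listening sockets with an approved list. The following is an added example, not part of the original guidance: it assumes a Linux host where the listener list comes from `ss -H -tuln`, the sample output is constructed, and the baseline entries are hypothetical. It goes slightly beyond the text by also flagging a service approved for loopback only that is bound to all interfaces.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      244          0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      511                *:8080             *:*
"""

# Hypothetical approved baseline: (protocol, port) -> widest permitted bind scope.
BASELINE = {("tcp", 22): "any", ("udp", 53): "loopback", ("udp", 123): "any",
            ("tcp", 5432): "loopback", ("tcp", 443): "any"}

def bind_scope(addr):
    """Classify a local bind address as 'loopback' or 'any' (reachable off-host)."""
    host = addr.split("%")[0].strip("[]")  # drop interface suffix and IPv6 brackets
    if host == "*":
        return "any"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "any"

def parse_listeners(ss_output):
    """Return {(proto, port): scope}, keeping the widest scope seen per port."""
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a socket line
        addr, port = fields[4].rsplit(":", 1)
        key = (fields[0], int(port))
        if found.get(key) != "any":
            found[key] = bind_scope(addr)
    return found

def drift(baseline, listeners):
    """Compare observed listeners with the baseline and report three kinds of drift."""
    return {
        "unexpected": sorted(k for k in listeners if k not in baseline),
        "missing": sorted(k for k in baseline if k not in listeners),
        "overexposed": sorted(k for k, scope in listeners.items()
                              if baseline.get(k) == "loopback" and scope == "any"),
    }

if __name__ == "__main__":
    for kind, items in drift(BASELINE, parse_listeners(SAMPLE_SS)).items():
        print(kind, items)
```

An "unexpected" entry is a candidate for the "disable unused or unnecessary services" item, an "overexposed" entry for a tighter bind address or host firewall rule, and a "missing" entry may mean a required service (such as NTP) is down or the baseline is stale.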