A fundamental part of securing your infrastructure is reinforcing the protection of its components and services, from patching through to reducing the attack surface. This is where "hardening" comes in. Whether your environment lives in a physical data center (on-premises) or is hosted in the cloud, applying good hardening practices is one of the most effective ways to shrink the attack surface and increase the resilience of your systems.
Contents
- 1 What is Hardening and why should you apply it now?
- 2 Fundamental elements of hardening
- 2.1 1. Removing unnecessary configurations: Removing default parameters, example configurations, or functions that are not used but could pose risks.
- 2.2 2. Shutting down unused services: Disabling or completely removing services, daemons, or applications that are installed but not needed.
- 2.3 3. Enforce Strict Security Policies: Implement secure controls and configurations to authenticate users, log events, restrict permissions, and protect data.
- 2.4 4. Operating System Assurance: Review and adjust operating system configurations according to security best practices.
- 2.5 5. Service and Application Assurance: Strengthen the configuration of databases, web servers, enterprise applications, and other key services.
- 2.6 6. Patching and updating: Apply the security updates published by software vendors to fix known vulnerabilities.
- 2.7 7. Network and communications hardening: Securing the way data travels over the network and restricting traffic to what is strictly necessary.
- 2.8 8. Hardening containers and orchestrators: Protect modern container-based environments (Docker) and their orchestration (Kubernetes).
- 2.9 9. Audit and compliance verification: Check that hardening measures are effectively applied and maintained over time.
- 3 Hardening On-premise: Strengthening from the roots
- 4 Recommended tools for on-premise:
- 5 Hardening in the Cloud: Shared Security, Your Responsibility
- 6 On-premise vs Cloud: What’s changing in the hardening approach?
- 7 Practical example: Basic Hardening on an Ubuntu instance (cloud or on-premises)
- 8 Containerized Hardening: Don’t Forget Your Modern Infrastructure
- 9 Automate and scale your hardening like a DevSecOps
- 10 Toughen up now or expose your business tomorrow
What is Hardening and why should you apply it now?
Hardening is a set of systematic actions that aim to reduce exploitable vulnerabilities in a technological system or infrastructure. In other words, it is about strengthening each component of the system to make it more resistant to attacks or configuration errors that can be exploited by malicious actors.
This is not a one-off action, but an ongoing process that is part of any well-designed security strategy.
Fundamental elements of hardening
Below, I explain in detail the pillars that make up a robust hardening plan:
1. Removing unnecessary configurations: Removing default parameters, example configurations, or functions that are not used but could pose risks.
Examples:
- Delete sample configuration files from Apache or Nginx.
- Disable CGI scripts or public admin panels.
- Remove unused PHP extensions and unneeded add-ons such as phpMyAdmin (a web application, not a PHP module) when nobody uses them.
Objective:
Reduce functionalities that can be exploited without affecting the performance or objectives of the system.
2. Shutting down unused services: Disabling or completely removing services, daemons, or applications that are installed but not needed.
Examples:
- Stop and disable telnet, ftp, cups, avahi-daemon, etc.
- On Windows servers: disable services such as “Remote Registry” or “Fax”.
Objective:
Reduce possible attack vectors, especially those that could open unnecessary ports or allow uncontrolled remote access.
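Pillar 2 is easier to act on once you can see what is actually exposed. The shell function below is an added example, not code from the original article: it reads the output of `ss -H -tulnp` and reports every socket bound to all interfaces whose port is not on an allowlist you pass as arguments, so loopback-only services (a local database, for instance) are left alone. The `SAMPLE_SS` text is a constructed sample rather than a capture from a real host, and the column layout assumed is that of iproute2's `ss` on Linux.

```bash
# Added example (not from the original article): find services listening on all
# interfaces that are not on an explicit allowlist of ports.
# Assumes the Linux iproute2 `ss` column layout:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

# Usage: ss -H -tulnp | audit_listeners PORT [PORT...]
# Prints one line per unexpected wildcard listener; exit status 1 if any were found.
audit_listeners() {
    awk -v allowed=" $* " '
        {
            # split "addr:port" on the LAST colon (IPv6 addresses contain colons themselves)
            if (!match($5, /:[0-9]+$/)) next
            addr = substr($5, 1, RSTART - 1)
            port = substr($5, RSTART + 1)
            wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            if (!wildcard) next                         # loopback-only services are fine
            if (index(allowed, " " port " ") > 0) next  # explicitly allowed
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            printf "%s %s:%s %s\n", $1, addr, port, proc
            found++
        }
        END { if (found > 0) exit 1 }'
}

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE_SS='udp   UNCONN 0 0      0.0.0.0:5353   0.0.0.0:*  users:(("avahi-daemon",pid=812,fd=12))
tcp   LISTEN 0 128    0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=990,fd=3))
tcp   LISTEN 0 128  127.0.0.1:3306   0.0.0.0:*  users:(("mysqld",pid=1200,fd=20))
tcp   LISTEN 0 5      0.0.0.0:631    0.0.0.0:*  users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0 128       [::]:22        [::]:*  users:(("sshd",pid=990,fd=4))'

# Only SSH is expected on this host; everything else reachable from the network gets listed.
printf '%s\n' "$SAMPLE_SS" | audit_listeners 22 ||
    echo "unexpected listeners above: remove the package, or run: systemctl disable --now <unit>"
```

On the sample the function lists cupsd on 631 and avahi-daemon on 5353 and returns 1; mysqld is skipped because it is bound to 127.0.0.1. Run it from a cron job or a CI step with the host's expected ports and treat a non-zero exit as drift.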
3. Enforce Strict Security Policies: Implement secure controls and configurations to authenticate users, log events, restrict permissions, and protect data.
Examples:
- Strong password policies (minimum length, expiration, history).
- Setting up MFA (multi-factor authentication).
- Centralized and immutable audit logs.
- Access control lists (ACLs) to limit who accesses what.
Objective:
To prevent unauthorised access, hinder lateral movement and improve traceability in the event of an incident.
4. Operating System Assurance: Review and adjust operating system configurations according to security best practices.
Examples:
- Set correct permissions on system files (/etc/shadow, /etc/passwd).
- Prevent execution of binaries from temporary directories.
- Use separate partitions for /home, /var, /tmp (and /var/tmp, /dev/shm) and mount them with the noexec, nosuid and nodev options where appropriate. Caveat: noexec on /var breaks package installation on Debian-based systems because dpkg maintainer scripts run from /var/lib/dpkg, and noexec on /tmp can break installers that unpack and run helpers there; test the change before rebooting.
Objective:
Reduce the impact of a possible intrusion and prevent escalation of privileges.
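Two checks for this pillar, as an added example that is not part of the original article: `audit_fstab` verifies that the mounts named above carry the nodev/nosuid/noexec options (deliberately not requiring noexec on /var, for the dpkg reason given), and `check_mode` verifies that a file's permission bits are no wider than an expected mode. It assumes GNU coreutils (`stat -c`) and a POSIX shell whose arithmetic reads a leading 0 as octal; the fstab text and the scratch file are constructed for the demo.

```bash
# Added example (not from the original article): two checks for pillar 4.
#  - audit_fstab: verifies that the mounts named in the text carry nodev/nosuid/noexec where appropriate
#  - check_mode:  verifies a file's permission bits are no wider than an expected mode
# Assumes GNU coreutils (`stat -c`); the fstab text below is a constructed sample.

# Usage: audit_fstab < /etc/fstab ; FAIL lines for missing options, WARN if a path is not its own mount.
audit_fstab() {
    awk '
        BEGIN {
            want["/tmp"]     = "nodev nosuid noexec"
            want["/var/tmp"] = "nodev nosuid noexec"
            want["/dev/shm"] = "nodev nosuid noexec"
            want["/home"]    = "nodev nosuid"
            want["/var"]     = "nodev nosuid"      # no noexec: dpkg maintainer scripts run from /var/lib/dpkg
        }
        /^[ \t]*#/ || NF < 4 { next }             # comments and blank lines
        ($2 in want) {
            seen[$2] = 1
            cnt = split(want[$2], req, " ")
            for (i = 1; i <= cnt; i++)
                if (index("," $4 ",", "," req[i] ",") == 0) {
                    printf "FAIL: %s is missing %s (current options: %s)\n", $2, req[i], $4
                    bad++
                }
        }
        END {
            for (m in want) if (!(m in seen)) printf "WARN: %s is not a separate mount, options cannot be applied\n", m
            if (bad > 0) exit 1
        }'
}

# Usage: check_mode FILE MAX_OCTAL_MODE   e.g. check_mode /etc/shadow 640
# Passes if FILE grants no permission bit that MAX_OCTAL_MODE does not (so 600 passes a 640 check).
check_mode() {
    actual=$(stat -c '%a' "$1") || return 2
    extra=$(( 0$actual & ~0$2 ))    # leading 0 makes the shell read both values as octal
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL: %s is %s, expected at most %s\n' "$1" "$actual" "$2"
        return 1
    fi
    printf 'OK: %s is %s\n' "$1" "$actual"
}

# Constructed /etc/fstab sample (not from a real host)
SAMPLE_FSTAB='# constructed /etc/fstab sample
UUID=1111-aaaa  /          ext4   defaults                        0 1
UUID=2222-bbbb  /home      ext4   defaults,nodev,nosuid           0 2
UUID=3333-cccc  /tmp       ext4   defaults,nodev,nosuid           0 2
UUID=4444-dddd  /var       ext4   defaults                        0 2
tmpfs           /dev/shm   tmpfs  defaults,nodev,nosuid,noexec    0 0'

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab ||
    echo "fix: edit /etc/fstab, then e.g. mount -o remount /tmp, and test before rebooting"

# Scratch file standing in for /etc/shadow so the demo runs unprivileged
f=$(mktemp) && chmod 644 "$f"
check_mode "$f" 640 || echo "fix (Debian/Ubuntu): chown root:shadow /etc/shadow && chmod 640 /etc/shadow"
chmod 640 "$f" && check_mode "$f" 640
rm -f "$f"
```

On the sample, /tmp is flagged for the missing noexec, /var for nodev and nosuid, and /var/tmp is reported as not being its own mount. The permission check compares bit-by-bit rather than string-equal so that a stricter mode than expected never produces a false alarm.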
5. Service and Application Assurance: Strengthen the configuration of databases, web servers, enterprise applications, and other key services.
Examples:
- Disable default users in databases.
- Force secure connections (TLS) on web servers.
- Send security headers such as Content-Security-Policy, X-Frame-Options (or the CSP frame-ancestors directive), Strict-Transport-Security and X-Content-Type-Options, and verify that they are actually returned.
Objective:
To prevent misconfigured services from becoming gateways for an attacker.
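Checking that a web server really sends the headers above is a one-liner with `curl -sI`, but judging the values is the useful part. The function below is an added example, not code from the original article: it reads a raw HTTP response header block, records each header case-insensitively, and reports missing headers as well as weak values (an HSTS max-age under a year, a Server header that leaks a version). Both header blocks are constructed samples, not captures from a real server.

```bash
# Added example (not from the original article): check a raw HTTP response header block
# for the security headers a hardened web server should send, and for a few weak values.
# Feed it `curl -sI https://host/` output; the samples below are constructed, not captured.

# Usage: check_security_headers < headers ; prints FAIL lines, exit status 1 if any.
check_security_headers() {
    awk '
        function fail(msg) { print "FAIL: " msg; n++ }
        # header lines are "Name: value"; the status line (HTTP/1.1 200 OK) has no colon before its first space
        /^[A-Za-z-]+:/ {
            name  = tolower(substr($0, 1, index($0, ":") - 1))
            value = substr($0, index($0, ":") + 1)
            sub(/^[ \t]+/, "", value); sub(/[ \t\r]+$/, "", value)
            h[name] = value
        }
        END {
            csp = ("content-security-policy" in h) ? h["content-security-policy"] : ""
            if (!("strict-transport-security" in h)) {
                fail("missing Strict-Transport-Security")
            } else {
                ma = 0
                if (match(tolower(h["strict-transport-security"]), /max-age=[0-9]+/))
                    ma = substr(h["strict-transport-security"], RSTART + 8, RLENGTH - 8) + 0
                if (ma < 31536000) fail("HSTS max-age " ma " is below one year")
            }
            if (csp == "") fail("missing Content-Security-Policy")
            if (!("x-content-type-options" in h) || tolower(h["x-content-type-options"]) != "nosniff")
                fail("X-Content-Type-Options is not nosniff")
            if (!("x-frame-options" in h) && index(tolower(csp), "frame-ancestors") == 0)
                fail("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
            if (("server" in h) && h["server"] ~ /[0-9]+\.[0-9]+/)
                fail("Server header leaks a version: " h["server"])
            if (n > 0) exit 1
        }'
}

# Constructed sample: the default-ish response of a server before hardening
WEAK_HEADERS="HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN"

# Constructed sample: the same server after hardening
HARDENED_HEADERS="HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin"

echo "--- weak configuration ---"
printf '%s\n' "$WEAK_HEADERS" | check_security_headers || true
echo "--- hardened configuration ---"
printf '%s\n' "$HARDENED_HEADERS" | check_security_headers && echo "OK: all checks passed"
```

The weak sample produces four findings (short HSTS, no CSP, no nosniff, version leak); the hardened one passes even without X-Frame-Options because its CSP carries frame-ancestors, which is the modern replacement. Against a live host, pipe `curl -sI https://host/` into the function and fail the pipeline on a non-zero exit.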
6. Patching and updating: Apply the security updates published by software vendors to fix known vulnerabilities.
Examples:
- Patch the Linux kernel with security updates.
- Apply hotfixes to services such as Apache, MySQL, or Exchange.
- Update container base images with the latest secure versions.
- Automate patching with tools such as WSUS (Windows), Landscape (Ubuntu), AWS Systems Manager Patch Manager, etc.
Objective:
To close known vulnerabilities before they can be exploited.
Without patching, even a well-configured system can be completely exposed.
7. Network and communications hardening: Securing the way data travels over the network and restricting traffic to what is strictly necessary.
Examples:
- Implement firewalls (local and perimeter).
- Use VPNs for remote access.
- Restrict open ports with iptables, ufw, or nftables.
- Apply segmentation and micro-segmentation rules (in VLANs or Security Groups in the cloud).
Objective:
To prevent an attacker from being able to move easily through the network in the event of a compromise.
8. Hardening containers and orchestrators: Protect modern container-based environments (Docker) and their orchestration (Kubernetes).
Examples:
- Do not run containers as root.
- Use signed and scanned images.
- Apply RBAC controls in Kubernetes.
- Enable network policies and namespaces for isolation.
Objective:
To protect dynamic environments where changes and deployments are constant, without sacrificing security.
9. Audit and compliance verification: Check that hardening measures are effectively applied and maintained over time.
Tools used:
- Lynis, OpenSCAP, Chef InSpec, CIS-CAT Pro.
- Scanners such as Nessus, Qualys, Rapid7 or OpenVAS.
Objective:
Identify deviations, reinforce configurations, generate reports for audits and maintain compliance with standards such as CIS, NIST, ISO 27001.
Hardening On-premise: Strengthening from the roots
On-premises physical or virtualized environments are still at the heart of many operations. Here you have full control, and with it full responsibility.
Critical areas to harden:
| Component | Examples of hardening measures |
|---|---|
| Operating system | Disable unnecessary services, apply password policies, restrict root/admin usage. |
| Databases | Deactivate default accounts, encrypt data at rest, limit access by IP. |
| Web servers | Enable HTTPS, configure secure headers, limit HTTP methods. |
| Networks and firewalls | Segmentation, access control lists (ACLs), intrusion detection. |
Recommended tools for on-premise:
1. Lynis
What it is for:
Security auditing and hardening on Linux and Unix systems.
How to use:
Runs directly from the terminal and evaluates operating system configuration, services, authentication, network, and more.
```bash
sudo apt install lynis
# findings are summarised on screen and written to /var/log/lynis.log and /var/log/lynis-report.dat
sudo lynis audit system
```
Where it is integrated:
Linux operating systems, both on-premise and in virtual machines in the cloud. It can also be included in CI/CD pipelines to verify base security before deployment.
2. Microsoft Security Compliance Toolkit (SCT)
What it’s for:
Apply Microsoft's published security baselines to Windows systems through Group Policy Objects (GPOs). The toolkit ships the baselines as GPO backups, together with Policy Analyzer (to compare a baseline against the policy currently in force) and LGPO (to apply them to standalone machines).
How to use:
- The templates are downloaded from the official portal.
- They are imported into the Group Policy Console (GPMC).
- They apply at the domain or organizational unit level.
Where it integrates:
Active Directory infrastructures in Windows corporate environments.
3. OpenSCAP
What it’s for:
Compliance auditing, vulnerability scanning, and secure configuration validation.
How to use it:
OpenSCAP uses the SCAP family of standards (XCCDF checklists and OVAL definitions) to verify that a system complies with the desired security policy.
```bash
# list the profile ids available in a benchmark, then evaluate one
oscap info benchmark.xml
oscap xccdf eval --profile <profile-id> --results resultado.xml benchmark.xml
```
Where it is integrated:
- On Linux servers.
- In DevSecOps pipelines to verify configurations before deployment.
- Compatible with tools such as Red Hat Satellite, Foreman or Spacewalk.
4. Ansible + CIS Benchmarks
What it’s for:
Automate the hardening process using the Center for Internet Security (CIS) security guides.
How to use:
- Download CIS-aligned playbooks or roles.
- Adapt them to your infrastructure (exclude the controls that would break your workloads).
- Run them with Ansible against many hosts at once.
```bash
# dry run first, showing what would change
ansible-playbook -i inventory --check --diff hardening-cis.yml
ansible-playbook -i inventory hardening-cis.yml
```
Where it is integrated:
- In hybrid environments (Linux, Windows, cloud).
- In automated configuration processes (CI/CD, pipelines).
- Can be combined with Terraform for full provisioning.
5. Chef InSpec
What it’s for:
Automated compliance testing and secure configuration. Allows you to define security policies as code.
How to use:
Control profiles are written that define which configurations should be present. Scans are then run to validate that the system complies with them.
```bash
inspec exec profile/ --target ssh://user@host
```
Where it is integrated:
- In DevSecOps flows for automatic security testing.
- On individual servers or fleets.
- Compatible with AWS OpsWorks and container environments.
6. CIS-CAT Pro
What it’s for:
Compliance scanning with Center for Internet Security (CIS) benchmarks. Generate detailed reports on the security status of each host.
How to use:
- It runs on local or remote systems.
- Evaluates system configuration, user, permissions, services, etc.
- Scores each item and gives remediation guidance.
Where it is integrated:
- Both on physical machines and in cloud environments.
- Ideal for organizations that require reports for audits or certifications.
- Compatible with operating systems, databases, and applications.
Hardening in the Cloud: Shared Security, Your Responsibility
In cloud environments, security is shared between the provider (AWS, Azure, OCI, etc.) and you as the customer. The provider secures the underlying infrastructure; you secure what you run on it: your applications, configurations, identities and data. Where exactly the line falls depends on the service model (IaaS, PaaS or SaaS).
Top areas of cloud hardening:
| Area | Common good practices |
|---|---|
| Virtual machines | Same as on-premises: close ports, update the OS, use SSH keys. |
| Accounts and access (IAM) | Principle of least privilege, mandatory MFA, key rotation. |
| Storage (S3, Blob, etc.) | Block public access, use encryption at rest and in transit. |
| Network and firewall (NSG, SG) | Close ports, restrict by IP or range, use VPCs or private networks. |
| Containers (K8s, Docker) | Image signatures, vulnerability scanning, namespace control and RBAC. |
Useful tools for the cloud:
- CIS-CAT Pro: Compliance scanning in cloud and on-premise environments.
- Ansible + CIS Benchmarks Cloud Modules: Automated application of hardening policies on AWS, Azure, GCP.
- AWS Security Hub / Microsoft Defender for Cloud (formerly Azure Defender) / Google Security Command Center: native posture monitoring and hardening recommendations.
- Kube-bench: To verify Kubernetes’ compliance with the CIS benchmark.
On-premise vs Cloud: What’s changing in the hardening approach?
| Feature | On-premises | Cloud |
|---|---|---|
| Control | Total, over hardware and network | Partial, depending on the model (IaaS, PaaS, SaaS) |
| Scalability | Limited by physical hardware | High, but every scaled-out instance needs the same secure configuration |
| Automation | Often manual or semi-automated | Easier to automate through APIs and CI/CD pipelines |
| Audit and compliance | Requires local tools | Integrated dashboards available (e.g. Security Hub) |
| Costs | High initial CAPEX | Variable, usage-based costs, with the added risk of misconfiguration |
Practical example: Basic Hardening on an Ubuntu instance (cloud or on-premises)
```bash
# Update the system
sudo apt update && sudo apt upgrade -y

# Install Lynis and run a security audit
sudo apt install lynis -y
sudo lynis audit system

# Stop and disable unnecessary services (add telnet, cups, avahi-daemon, ... as applicable)
sudo systemctl disable --now bluetooth.service

# Configure basic firewall rules: allow SSH BEFORE enabling, or a remote session is cut off
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
```
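The same instance usually needs its SSH daemon tightened too (key-only login, no root), and there is a trap in how OpenSSH reads its configuration: for each keyword the first value encountered wins, and the `Include /etc/ssh/sshd_config.d/*.conf` line that Ubuntu places at the top of `sshd_config` pulls the drop-ins in lexical order before anything else. A drop-in named `00-hardening.conf` therefore beats both a `50-*.conf` left by provisioning and the main file. The script below is an added example, not part of the original article: `write_sshd_dropin` writes such a drop-in, and `sshd_effective` models the first-match rule (Include expansion, no Match blocks) so you can confirm the value sshd will actually use. It assumes OpenSSH 8.2 or newer (Include support); the configuration tree it builds under `mktemp -d` is a constructed stand-in for `/etc/ssh`.

```bash
# Added example (not from the original article). Assumes OpenSSH >= 8.2 (Include support) and a
# main sshd_config that carries "Include .../sshd_config.d/*.conf" near its top, as Ubuntu's does.

# Usage: write_sshd_dropin DIR  -> writes DIR/00-hardening.conf
write_sshd_dropin() {
    cat > "$1/00-hardening.conf" <<'EOF'
# Hardening drop-in: named 00-* so it sorts first; sshd keeps the FIRST value it sees for a keyword.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
}

# Usage: sshd_effective CONFIG KEYWORD  -> prints the value sshd would use (first match wins,
# Include lines expanded in place, globs in lexical order). Match blocks are not modelled.
sshd_effective() {
    _sshd_flatten "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key { print $2; exit }'
}

_sshd_flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [Ii]nclude\ *)
                set -- $line; shift      # unquoted on purpose: the shell expands the glob, sorted
                for f in "$@"; do [ -f "$f" ] && _sshd_flatten "$f"; done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Constructed stand-in for /etc/ssh: main config with the Include on top, plus a drop-in such as
# cloud provisioning may leave behind, re-enabling password logins.
make_demo_sshd_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPort 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' \
        "$root" > "$root/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$root/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$root"
}

root=$(make_demo_sshd_tree)
echo "before: PasswordAuthentication=$(sshd_effective "$root/sshd_config" PasswordAuthentication)"
write_sshd_dropin "$root/sshd_config.d"
echo "after:  PasswordAuthentication=$(sshd_effective "$root/sshd_config" PasswordAuthentication)"
# On a real host: sudo sshd -t && sudo systemctl reload ssh   (and keep your current session open)
rm -rf "$root"
```

Before the drop-in exists the effective value is `yes`, taken from `50-cloud-init.conf`; afterwards it is `no`, because `00-hardening.conf` is read first. Always validate with `sshd -t` and reload from a session you do not close until a second key-based login has succeeded.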
Containerized Hardening: Don’t Forget Your Modern Infrastructure
Containers and orchestrators like Kubernetes also need hardening. Being ephemeral does not make them risk-free.
Good practices:
- Do not run containers as root.
- Sign and scan images.
- Restrict resources with limits and requests.
- Apply network policies (NetworkPolicy) and access control (RBAC).
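Pillar 8 above and this section both ask for non-root containers and for signed, scanned, pinned images. Most of that can be caught before the image is even built. The linter below is an added example, not code from the original article or from Docker: it reads a Dockerfile and flags a base image with no tag or a floating `:latest` tag, a base image not pinned by digest, a `RUN` that pipes a downloaded script into a shell, and a final stage that still runs as root. The two Dockerfiles are constructed samples, and the all-zero digest in the good one is a placeholder for a real `@sha256:` value.

```bash
# Added example (not from the original article): a small Dockerfile linter for the
# container-hardening rules discussed in the text. Samples are constructed.

# Usage: lint_dockerfile < Dockerfile ; prints FAIL/WARN lines, exit status 1 if any FAIL.
lint_dockerfile() {
    awk '
        function fail(msg) { print "FAIL: " msg; n++ }
        function warn(msg) { print "WARN: " msg }
        /^[ \t]*(#|$)/ { next }
        { instr = toupper($1) }
        instr == "FROM" {
            last_user = ""                                  # every stage starts as root again
            img = ($2 ~ /^--platform=/) ? $3 : $2
            if (img == "scratch") next
            ref = img; sub(/@sha256:[0-9a-f]+$/, "", ref)   # tag check ignores the digest part
            if (ref !~ /:[^\/]+$/)      fail("FROM " img ": no tag, defaults to the floating :latest")
            else if (ref ~ /:latest$/)  fail("FROM " img ": floating :latest tag")
            if (img !~ /@sha256:/)      warn("FROM " img ": not pinned by digest; a tag can be repointed upstream")
            next
        }
        instr == "USER" { last_user = $2 }
        instr == "RUN" && $0 ~ /(curl|wget)[^|]*\|[ \t]*(ba)?sh([ \t]|$)/ {
            fail("RUN pipes a downloaded script straight into a shell: " $0)
        }
        instr == "ADD" && $2 ~ /^https?:\/\// {
            warn("ADD from a URL without checksum; prefer RUN curl + sha256sum -c")
        }
        END {
            if (last_user == "" || last_user ~ /^(root|0)(:|$)/)
                fail("final stage runs as root (no USER instruction, or USER root)")
            if (n > 0) exit 1
        }'
}

# Constructed "before" Dockerfile
BAD_DOCKERFILE='FROM node
RUN curl -fsSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["node", "/app/server.js"]'

# Constructed "after" Dockerfile; the all-zero digest is a placeholder for a real one
GOOD_DOCKERFILE='FROM node:20-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app . /app
USER app
CMD ["node", "/app/server.js"]'

echo "--- before ---"; printf '%s\n' "$BAD_DOCKERFILE"  | lint_dockerfile || true
echo "--- after ----"; printf '%s\n' "$GOOD_DOCKERFILE" | lint_dockerfile && echo "OK: no findings"
```

The "before" file yields three FAILs (untagged base image, piped installer, root) plus a digest warning; the "after" file is clean. The `USER` check is a build-time guard only: enforce the same property at runtime with `securityContext.runAsNonRoot: true` in Kubernetes, and keep the digest pinning honest by rebuilding on a schedule so the pinned image still receives patches (pillar 6).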
Automate and scale your hardening like a DevSecOps
The key to keeping your hardening up to date is to automate. Tools such as Ansible, Terraform, Chef or Puppet, along with CIS benchmarks, allow you to apply secure configurations to hundreds of systems with consistency.
Example: Ansible + CIS playbook
YAML (the ufw module comes from the community.general collection):
```yaml
- hosts: all
  become: true
  tasks:
    - name: Ensure UFW is installed
      apt:
        name: ufw
        state: present

    # Allow SSH before enabling the firewall, or the play locks you out of remote hosts
    - name: Allow SSH
      ufw:
        rule: allow
        port: "22"
        proto: tcp

    - name: Set default deny policy and enable UFW
      ufw:
        state: enabled
        policy: deny
```
Toughen up now or expose your business tomorrow
Hardening is not an optional step or a one-off task: it is an essential and ongoing process. It involves a combination of configuration review, access control, attack surface reduction and, especially, constant software updating (patching).
An effective hardening strategy must be adaptable, automatable, and validated regularly. With it, you reduce your risk exposure and improve your overall security posture, whether it’s on a physical server in your datacenter or in a virtual cloud instance.
Thanks for reading!