
Establishing a System Hardening Baseline

April 6, 2024

Securing your enterprise against internal and external threats requires several critical steps to establish a system hardening baseline.

Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface.

Nearly every compliance mandate discusses “cyber hygiene” in some way. For example, the Cybersecurity Maturity Model Certification (CMMC) uses the term throughout. At Level 1, companies in the Defense Industrial Base (DIB) need to meet “Basic Cyber Hygiene” practices. To meet CMMC Level 2+ compliance, they need to prove “Good Cyber Hygiene” practices. By hardening systems, organizations can mature their cybersecurity and compliance postures.

What is system hardening?

System hardening applies secure technical configurations across system and device software, firmware, and operating systems. Secure technical configurations are low-level controls that reduce technology vulnerabilities.

When looking to harden your systems, you can use security checklists or baselines. If you’re beginning your security and compliance journey, you can start with the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-128 and 800-70. These guides provide best practices for security configuration management and direct you to the NIST National Checklist Repository. Some examples of security baselines include Security Technical Implementation Guides (STIGs) and CIS Benchmarks.

To harden systems, you should scan your entire environment and review it for potential vulnerabilities or secure configuration violations. Then, you need to remediate any weaknesses by updating the configuration. Finally, if you need to meet a compliance requirement, you should document all changes made to prove your security posture.
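The review and documentation steps above, sketched as an added example (not code from SteelCloud, NIST, or any published checklist): a Python check of an OpenSSH `sshd_config` against a small baseline that returns one record per rule for the audit trail. The rule IDs, expected values, sample file, and waiver text are constructed for illustration; remediation is left to the administrator.

```python
import json

# Constructed baseline: rule IDs are hypothetical, not real STIG or CIS identifiers.
BASELINE = {
    "EX-001": ("permitrootlogin", "no"),
    "EX-002": ("permitemptypasswords", "no"),
    "EX-003": ("x11forwarding", "no"),
    "EX-004": ("maxauthtries", "4"),
}

# Constructed sample of an sshd_config as it might be found on a host.
# The second X11Forwarding line is ignored by sshd: the first occurrence wins.
SAMPLE_CONFIG = """\
# managed by ops
PermitRootLogin yes
X11Forwarding no
x11forwarding yes
PermitEmptyPasswords no
"""

def parse_sshd_config(text):
    """Return {keyword: value}; keywords are case-insensitive, first value wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(config_text, baseline=BASELINE, waivers=None):
    """Compare a config to the baseline and return one record per rule."""
    waivers = waivers or {}
    settings = parse_sshd_config(config_text)
    report = []
    for rule_id, (key, expected) in sorted(baseline.items()):
        actual = settings.get(key)  # None: unset, so the host relies on a default
        if actual is not None and actual.lower() == expected:
            status = "pass"
        elif rule_id in waivers:
            status = "waived"  # documented exception, kept in the record
        else:
            status = "fail"
        report.append({"rule": rule_id, "setting": key, "expected": expected,
                       "actual": actual, "status": status,
                       "waiver": waivers.get(rule_id)})
    return report

if __name__ == "__main__":
    waivers = {"EX-004": "constructed waiver text"}
    print(json.dumps(audit(SAMPLE_CONFIG, waivers=waivers), indent=2))
```

Treating an unset keyword as a failure is a policy choice made in this example, so that the baseline is stated explicitly in the file instead of depending on the installed version's defaults.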

What happens if you don’t harden your system?

If you don’t harden systems, you might have misconfigurations that create security weaknesses. For example, system hardening is a way to eliminate common vulnerabilities and exposures (CVEs) that malicious actors use to gain access to systems and networks. CVEs are known security weaknesses released to the public. Threat actors look for ways to use them in their attacks.

Often, companies that harden systems manually find the process time-intensive and costly. So, although they know that it’s a best security practice, they usually wait to do it. In the meantime, malicious actors treat this as an opportunity to attack the organization, leading to a data breach.

What is the benefit of system hardening?

System hardening provides several other significant benefits beyond mitigating the risk that threat actors will use a weakness as part of an attack.

Some of the additional benefits include:

  •   Improved performance: removes unnecessary files from a device, freeing up memory and making it run more efficiently
  •   Reduction in access points: removes unnecessary file sharing and its associated access points, limiting threat actors' ability to use them as an attack vector
  •   Cost savings: reduces software on devices, saving costs associated with purchasing memory or the need for a larger hard drive

5 Must-Haves for Your System Hardening Checklist

Systems hardening demands a methodical approach to audit, identify, close, and control potential security vulnerabilities throughout your organization. As your company adopts more devices and software, keeping track of your system hardening processes is a way to document your cyber hygiene. To harden systems effectively, creating a checklist to identify any gaps is essential. Below are 5 must-haves to include on your checklist:

Databases

Databases should be a focus when setting up a cyber hygiene program based on hardening because they often store sensitive data. As part of your system hardening checklist, you should make sure to:

  • Update software regularly
  • Turn off unnecessary services and functions
  • Encrypt data-at-rest and in-transit

Servers

If you have your own data center, then hardening servers is critical to securing data. As part of the hardening process, you should make sure to:

  • Disable default accounts
  • Only activate features you need
  • Configure automatic updates when possible

Operating systems

Since operating systems run hardware, hardening them can sometimes lead to downtime, which is why IT administrators often put it off. As part of the hardening process, you should make sure to:

  • Limit unnecessary drivers
  • Enable and configure Secure Boot
  • Encrypt the HDD or SSD storing the operating system

Software

Most business processes rely upon software technology. However, it’s also a primary attack vector that threat actors use because most software needs to connect to the internet. As part of your hardening process, you should make sure to:

  • Encrypt data-at-rest and in-transit
  • Update software regularly in response to newly published vulnerabilities
  • Use firewalls

Networks

Since networks are the communication paths that data travels on, you need to make sure that you secure them. As part of the hardening process, you should make sure to:

  • Check firewall configurations
  • Review network rules and network access privileges
  • Disable unused or unnecessary network ports and protocols
  • Encrypt traffic

SteelCloud: Automated Hardening for Better Cyber Hygiene

System hardening mitigates risks from software vulnerabilities by ensuring that organizations implement secure configurations. By using STIGs and CIS benchmarks, organizations build more robust security. Automating these lower-level controls and documenting processes gives organizations a way to prevent threat actors from exploiting software and firmware vulnerabilities.

SteelCloud’s patented ConfigOS automation scans your entire environment in a few hours, implements controls, detects conflicts, remediates conflicts, and documents waivers, all in a single location.

 
