Chapter 57 Β· Glossary

Hardening Techniques β€” Glossary

Key terms across OS hardening, endpoint protection, attack surface reduction, and defense-in-depth controls.

System Hardening
The process of reducing a device's attack surface by eliminating unnecessary components, enforcing strict access controls, keeping software current, and encrypting sensitive data. Hardening applies across all platforms β€” Windows, Linux, macOS, iOS, Android, network devices β€” and is never a single action but a collection of layered controls. No single hardening technique provides complete protection; the goal is defense in depth: multiple independent barriers such that bypassing one does not mean bypassing all. Hardening is also not a one-time event β€” it must be maintained as software is updated, configurations drift, and new vulnerabilities are discovered.
Attack Surface
The total set of points through which an attacker can potentially enter or extract data from a system. Every open network port, every installed application, every enabled OS service, every user account, every management interface, and every piece of software is a component of the attack surface. Hardening is fundamentally the practice of attack surface reduction: closing ports, removing software, disabling unneeded services, restricting account permissions, and locking down management interfaces. A smaller attack surface means fewer opportunities for exploitation. Attackers prioritize targets with large, poorly maintained attack surfaces because they offer more entry points.
EDR (Endpoint Detection and Response)
An advanced endpoint protection platform that goes beyond signature-based antivirus to detect, investigate, and autonomously respond to threats. Detection methods: signature matching (known malware), behavioral analysis (malicious patterns regardless of signature), machine learning (classification based on structural similarity to known malicious code), and process monitoring (watching process trees, file writes, and network connections for anomalies). Investigation: root cause analysis traces back through the attack chain to identify how initial access was gained and what the attacker did. Response: automatic isolation of the endpoint, quarantine of malicious files, and rollback to a pre-infection configuration β€” all API-driven without technician intervention. Addresses the scale problem: 1 million+ new malware variants created daily make signature-only detection insufficient.
Behavioral Analysis (EDR)
An EDR detection method that identifies malicious activity based on what an application or process does rather than what it is. Behavioral analysis can detect malware that has no existing signature β€” including zero-day malware and custom-written tools β€” because it evaluates actions rather than file hashes or signatures. Examples of behavioral indicators: a word processor spawning a command-line interpreter (common macro exploitation pattern), a new process establishing an outbound connection to an unusual IP address at 3AM, a script interpreter writing executable files to a system directory, or a process reading the Windows credential store without user interaction. The key advantage over signatures: behavioral analysis can detect the attack pattern even before the specific malware is known to any vendor.
Host-Based Firewall
A software firewall running on the endpoint operating system itself, providing per-process control of both inbound and outbound network traffic. Because it sits on the OS, it has visibility into traffic before encryption (outbound) and after decryption (inbound) β€” unlike network firewalls, which cannot inspect TLS-encrypted traffic without a separate decryption proxy. Key capabilities: application-specific rules (only chrome.exe may use port 443), unknown process detection (new processes attempting network access are flagged or blocked), and centralized policy management across all endpoints. Common examples: Windows Defender Firewall (managed via Group Policy), iptables/nftables on Linux. The host-based firewall is the last line of network-layer defense β€” it enforces policy at the endpoint regardless of what network-level controls may have passed the traffic.
HIPS (Host-Based Intrusion Prevention System)
A security control running on individual endpoints that monitors OS-level activity for attack patterns and blocks malicious actions before they complete. Unlike a network IPS, which monitors traffic flowing between devices, a HIPS monitors what is happening inside the device β€” memory access, registry modifications, file system writes, and process behavior. Detection methods: signatures (match against known attack patterns), heuristics (evaluate behavior against suspicious-but-not-definitively-malicious rules), and behavioral monitoring (baseline normal OS activity and alert on deviations). HIPS-specific detections: buffer overflow attempts, unauthorized writes to C:\Windows\System32\, suspicious registry modifications (especially run keys for persistence), and unauthorized kernel driver installation. In modern deployments, HIPS functionality is typically integrated into the EDR agent rather than deployed as a standalone product.
Open Port
A network port on which a system is actively listening for incoming connections. Every open port is a potential entry point: a service is running behind that port, and that service may contain vulnerabilities, accept weak authentication, or expose more functionality than intended. Hardening principle: close every port that is not required for the system's specific function. Port management requires: (1) inventory (scan with Nmap to discover what is actually open); (2) mapping (identify which service uses each open port); (3) remediation (stop and disable services for unnecessary ports); (4) enforcement (host-based firewall or network ACL permitting only required ports); (5) continuous monitoring (re-scan periodically to detect new ports opened by software updates or configuration changes). A next-generation firewall enforces rules based on application identity rather than port number alone, preventing unauthorized applications from re-using permitted ports.
Nmap
An open-source network scanning tool that discovers open ports, running services, and OS information on networked systems. The industry-standard tool for port inventory during hardening assessments. A basic Nmap scan of a single host takes seconds and returns all open TCP ports; more thorough scans (UDP, service version detection, OS fingerprinting) take longer. Hardening use case: run Nmap against each system before and after hardening to verify that unnecessary ports have been closed and that no new ports have been opened without authorization. Ongoing monitoring use case: schedule periodic Nmap scans against the environment and alert when any system's open-port profile changes unexpectedly β€” a new open port is often a sign of a new service, a misconfiguration, or malware establishing a listening channel.
Default Credentials
The username and password shipped with a device or application from the manufacturer β€” identical on every unit sold. Default credentials are publicly documented in vendor manuals and security databases; any attacker can look them up in seconds. The risk: a device deployed without changing the default credentials allows anyone who knows the device model to log into its management interface immediately. The hardening requirement is absolute: change all default credentials before placing any device or application in service. This applies to network devices (routers, switches, firewalls, WAPs), server management interfaces (IPMI/iDRAC/iLO), application management consoles, IoT devices (cameras, printers, building systems), and any software with a built-in administrative account. Beyond password changes, management interfaces should be restricted to specific source IPs (a dedicated management VLAN) and protected with MFA.
Next-Generation Firewall (NGFW)
A firewall that enforces access control based on application identity, user identity, and content inspection β€” not just port numbers and IP addresses. Standard firewalls operate at layers 3–4 (IP/TCP/UDP); NGFWs operate at layer 7 (application layer), identifying the actual application generating traffic regardless of which port it uses. Hardening benefit: an NGFW can permit "only corporate web browser HTTPS traffic on port 443" while blocking a malware C2 tool that also uses port 443 β€” something a standard port-based firewall cannot distinguish. NGFWs are the preferred tool for enforcing port and service restrictions because they prevent port-reuse attacks where unauthorized applications mimic permitted protocols.
Removal of Unnecessary Software
A hardening practice that permanently reduces the attack surface by uninstalling applications, OS components, roles, and features that are not required for a system's intended function. Every installed application is a potential vulnerability source: software contains bugs, some of which are security flaws; each application requires its own patching process (creating maintenance burden); and unused software is often not monitored for new vulnerabilities because no one remembers it is installed. Removal eliminates these risks entirely β€” a removed application cannot be exploited. Common removal targets: default OS components (Telnet, FTP clients, SMBv1), OEM bloatware, development tools on production servers, deprecated software no longer receiving updates, and applications from completed or migrated projects. On servers, this extends to OS roles and features: install only what the server's function requires.
Defense in Depth
A security architecture principle in which multiple independent, layered controls protect a system such that defeating one layer does not compromise the overall defense. Applied to hardening: OS patching closes known vulnerabilities; EDR detects malware that exploits any remaining unpatched flaws; the host-based firewall blocks unauthorized network communications from compromised processes; HIPS detects OS-level exploitation attempts; removing unnecessary software eliminates entire categories of vulnerability. Each layer addresses scenarios the others do not. An attacker must defeat every relevant layer sequentially β€” each additional layer increases the cost and complexity of a successful compromise. Defense in depth is the governing principle that explains why all hardening techniques are applied together rather than choosing one as "sufficient."