Glenn Phillips, president of Pelham, Ala.-based Forté, says that the dedicated Windows workstations his company sells to hospital emergency room administrators must not only be secure, but absolutely tamperproof as well. After all, lives depend on the machines' flawless operation.
Forté's applications show emergency medical technicians the emergency room's current availability status, "so our software must be the program that is always running," Phillips says. "We cannot have anyone closing our program, adding games, changing Windows settings and so on."
Phillips and others who need to create highly secure workstations or servers are turning to hardening to create a virtual steel wall against intruders. The hardening process involves removing nonessential tools and utilities from an operating system or application, any of which could be used to help an attacker gain unauthorized access to system settings or data.
The approach can be used to substitute for or, more commonly, complement other security practices and technologies, such as network firewalls.
Hardening is a technique that's been around since the earliest days of networked computers, but it gradually fell into disuse as software vendors boosted the security of their products and IT managers adopted new security technologies and practices.
Even so, the security improvements haven't made hardening any less practical or useful. "It's still one of the least expensive and most effective ways of protecting yourself or preventing infections or outages," says Chris Rafter, vice president of consulting services at Logicalis Group, a systems integrator in Bloomfield Hills, Mich.
Peter Makohon, a senior security and privacy manager at the New York office of professional services firm Deloitte & Touche, says hardening is coming back into fashion as more enterprises face pressure to patch every possible security hole that could conceivably be exploited as a pathway into a corporate system. Regulatory compliance is another factor that's inspiring many enterprises, particularly those in highly regulated industries, to take another look at hardening.
Just about any enterprise can benefit from hardening, Rafter says. "Operating systems and applications are definitely a lot more secure than they were a long time ago, but there's still logic to turning off unnecessary services and basically only activating and using what you really need," he contends. "Plus, it doesn't require a great deal of effort."
Most vendors long ago dropped any objections to customers hardening their products. Many -- including Microsoft -- actively encourage the practice. "Hardening an operating system is a key step in protecting a system from intrusion," says Chase Carpenter, a manager in Microsoft's Windows Server unit.
Carpenter says enterprise hardening efforts have traditionally covered the client and server operating systems, but with attacks increasingly targeting the application layer, the focus of hardening is shifting to applications. Microsoft views its Security Compliance Manager and Security Baseline products as hardening tools.
Manual or Automatic?
While most user organizations opt to handle the hardening work themselves -- assigning the task to either IT staffers or outside consultants -- some have opted to use commercial software that's designed to automate the process. For example, CellTrust, a mobile applications developer in Scottsdale, Ariz., hardened its servers and its Linux-based network appliances with a product called Security Blanket from Raytheon Trusted Computer Solutions, based in Herndon, Va.