
Security Hardening Checklist

November 10, 2025

Comprehensive security hardening guidelines for macOS, Linux, and Windows systems

System hardening reduces the attack surface by removing unnecessary services, enforcing security policies, and implementing defense-in-depth controls.

General Principles (All Platforms)

Defense in Depth

  • Multiple layers of security controls
  • Assume each layer may be compromised
  • No single point of failure

Least Privilege

  • Users and processes get minimum necessary permissions
  • Regular review of privileges
  • Separate accounts for admin vs. daily use

Principle of Least Functionality

  • Disable unused services and features
  • Remove unnecessary software
  • Close unused network ports

Keep Current

  • Apply security patches promptly
  • Update applications and firmware
  • Subscribe to security advisories

macOS Hardening

1. System Updates

Enable Automatic Updates

# Check current settings
softwareupdate --schedule

# Enable automatic updates
sudo softwareupdate --schedule on

# Install all available updates
sudo softwareupdate -ia

Configure Update Settings

  • System Settings → General → Software Update
  • Enable “Install macOS updates”
  • Enable “Install application updates from the App Store”
  • Enable “Install Security Responses and system files”

2. FileVault (Disk Encryption)

Enable FileVault

# Check status
sudo fdesetup status

# Enable (will prompt for credentials)
sudo fdesetup enable

Best Practices

  • Store the recovery key somewhere other than the encrypted disk (a password manager, or a printed copy in a safe)
  • On managed Macs escrow the personal recovery key to your MDM rather than to iCloud; iCloud escrow ties recovery to an individual Apple ID and suits personal machines only
  • Test the recovery process before deployment, and rotate the key (fdesetup changerecovery -personal) if it is ever exposed

3. Firewall Configuration

Enable Firewall

# Enable firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

# Enable stealth mode (do not answer unsolicited probes such as ICMP ping or closed-port TCP scans)
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

# Enable logging
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

GUI Method

  • System Settings → Network → Firewall
  • Turn on Firewall
  • Configure options

4. Gatekeeper and System Integrity Protection

Verify SIP Status

# Check SIP status (should print "enabled"; it can only be changed from Recovery, so "disabled" on a production Mac deserves investigation)
csrutil status

Gatekeeper Settings

# Check Gatekeeper status
spctl --status

# Verify app signatures before running
spctl --assess --verbose /path/to/app.app

5. User Account Security

Disable Root User

# Disable root login
sudo dsenableroot -d

Set Strong Password Policy

# Require a password after sleep or the screen saver starts (delay in seconds).
# These defaults keys are only honored on older macOS releases; on current
# versions set this in System Settings → Lock Screen, or push a
# com.apple.screensaver configuration profile through MDM
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 5

# Set password minimum length. -setglobalpolicy is deprecated; on current macOS
# use an account-policy plist instead: sudo pwpolicy -setaccountpolicies policy.plist
sudo pwpolicy -setglobalpolicy "minChars=12"

Disable Guest Account

  • System Settings → Users & Groups
  • Disable Guest User

6. Disable Unnecessary Services

List Running Services

sudo launchctl list

Disable Bluetooth (if not needed)

# Takes effect after a reboot; on managed Macs prefer the Bluetooth restriction in an MDM profile, which the user cannot undo
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0

Disable Remote Services

# Disable remote login (SSH)
sudo systemsetup -setremotelogin off

# Disable remote management
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

# Disable screen sharing
sudo launchctl disable system/com.apple.screensharing

7. Audit and Logging

Enable Security Auditing

# Start the OpenBSM audit daemon (deprecated since macOS 11 but still shipped and
# still the source of BSM login and privilege events; Apple's successors are the
# unified log and the Endpoint Security framework)
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

# audit -s restarts the audit system and re-reads its configuration; it does not
# report status. Confirm the daemon is running with launchctl:
sudo audit -s
sudo launchctl list | grep auditd

Configure Audit Flags

# Edit /etc/security/audit_control; the flags: line selects event classes, e.g.
#   flags:lo,aa,ad,fd,fm,-all
# (logins/logouts, authentication and authorization, admin actions, file deletes
# and attribute changes, plus the failed events of every other class).
# Run audit -s again afterwards so the change is picked up.
sudo nano /etc/security/audit_control

# Read the current trail, one record per line
sudo praudit -l /var/audit/current | tail

8. Network Security

Disable AirDrop (if not needed)

defaults write com.apple.NetworkBrowser DisableAirDrop -bool true

Limit Bonjour

# Stop advertising this host's services over multicast DNS (discovering other
# hosts still works). Reboot or restart mDNSResponder afterwards (sudo killall mDNSResponder; launchd restarts it)
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true

Encrypted DNS (DoH/DoT)

  • Entering 1.1.1.1 or 8.8.8.8 under System Settings → Network → DNS configures plain, unencrypted DNS to those resolvers; it does not turn on DoH or DoT
  • macOS 11 and later enable encrypted DNS only through a configuration profile (DNS Settings payload, com.apple.dnsSettings.managed) that names the DoH URL or DoT host, installed via MDM or supplied by the resolver vendor as a profile or app

9. Privacy Settings

Limit Location Services

  • System Settings → Privacy & Security → Location Services
  • Disable for apps that don’t need it

Control App Permissions

  • Review Camera, Microphone, Files and Folders access
  • Remove permissions for untrusted apps

10. Additional Hardening

Evict FileVault Keys from Memory on Sleep (mitigates cold-boot and DMA attacks against a sleeping Mac)

# Destroy the FileVault key held in memory when entering standby
sudo pmset -a destroyfvkeyonstandby 1

# hibernatemode 25: write RAM to disk and power memory off on sleep (slower wake, no key material left in RAM)
sudo pmset -a hibernatemode 25

# Do not wake periodically for network activity while asleep
sudo pmset -a powernap 0

# With hibernatemode 25 the Mac hibernates at once, so the standby and auto-power-off
# timers are redundant; switch them off to avoid intermediate power states
sudo pmset -a standby 0
sudo pmset -a standbydelay 0
sudo pmset -a autopoweroff 0

# Verify what was accepted; behaviour differs on Apple silicon, where some of these keys are ignored
pmset -g custom

Secure Safari

  • Enable “Warn when visiting a fraudulent website”
  • Disable AutoFill for credentials and payment cards, or limit it to a password manager
  • Block pop-ups
  • Enable “Prevent cross-site tracking” and review per-site permissions (Camera, Microphone, Location)

Linux Hardening

1. System Updates

Debian/Ubuntu

# Update package lists
sudo apt update

# Upgrade installed packages
sudo apt upgrade -y

# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

RHEL/CentOS/Fedora

# Update all packages
sudo dnf update -y

# Enable automatic updates. dnf-automatic.timer only downloads by default: set
# apply_updates = yes in /etc/dnf/automatic.conf, or enable
# dnf-automatic-install.timer instead, to have updates installed
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer

2. Disk Encryption

LUKS Encryption (during installation)

  • Select “Encrypt disk” during OS installation
  • Use strong passphrase

Encrypt Existing Partition

# Back up the data first: luksFormat destroys everything on the device
# Encrypt the partition (LUKS2 is the default on current cryptsetup)
sudo cryptsetup luksFormat --type luks2 /dev/sdX

# Open the encrypted volume
sudo cryptsetup luksOpen /dev/sdX cryptvolume

# Create a filesystem on the mapped device
sudo mkfs.ext4 /dev/mapper/cryptvolume

# Back up the LUKS header off-device; a damaged header makes the data unrecoverable
sudo cryptsetup luksHeaderBackup /dev/sdX --header-backup-file sdX-luks-header.img

3. Firewall Configuration

UFW (Uncomplicated Firewall)

# Install UFW
sudo apt install ufw

# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (if needed)
sudo ufw allow ssh
# Or specific port: sudo ufw allow 22/tcp

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

firewalld (RHEL/CentOS)

# Start and enable firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld

# Set the default zone to drop (everything not explicitly allowed is dropped)
sudo firewall-cmd --set-default-zone=drop

# Allow SSH in the zone the interface actually uses, which is now the default
# zone; adding it to "public" would have no effect once public is no longer active
sudo firewall-cmd --zone=drop --add-service=ssh --permanent

# Reload and verify which zone is active and what it permits
sudo firewall-cmd --reload
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all

4. SSH Hardening

Put the hardening directives in a drop-in, /etc/ssh/sshd_config.d/00-hardening.conf. OpenSSH 8.2 and later include that directory from the top of sshd_config and the first value seen wins, so the file must sort before distribution drop-ins such as Ubuntu's 50-cloud-init.conf, which sets PasswordAuthentication yes. On older releases edit /etc/ssh/sshd_config directly.

# Disable root login
PermitRootLogin no

# Disable password authentication (use keys only). ChallengeResponseAuthentication
# is spelled KbdInteractiveAuthentication in OpenSSH 8.7+, which still accepts the old name
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Disable empty passwords
PermitEmptyPasswords no

# Limit authentication attempts per connection
MaxAuthTries 3

# Seconds a client has to authenticate before the connection is dropped
LoginGraceTime 30

# Disable X11 forwarding (if not needed)
X11Forwarding no

# Use only AEAD ciphers, encrypt-then-MAC MACs and modern key exchange; the plain
# hmac-sha2-* variants (MAC-then-encrypt) are deliberately left out
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

# Allow only specific users/groups (a list that matches nobody locks everyone out)
AllowUsers username
# Or: AllowGroups sshusers

# Host keys to present: Ed25519, plus RSA for older clients. (SSH protocol 1 was
# removed in OpenSSH 7.6, so "Protocol 2" is unnecessary and only logs a deprecation warning.)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

Validate and Restart SSH

Keep your current session open until a fresh login succeeds.

# Syntax-check the configuration, then restart (the unit is "ssh" on Debian/Ubuntu, "sshd" on RHEL/Fedora)
sudo sshd -t && sudo systemctl restart ssh

# Verify the effective values, including anything a drop-in may have overridden
sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|maxauthtries) '
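As an added example (not from the original checklist or the OpenSSH project), the following POSIX shell script audits the effective configuration the way a reviewer would after the restart: it reads a `sshd -T` dump, compares the single-valued options against the baseline above, and flags weak ciphers, MACs and key-exchange algorithms. The baseline table, the weak-algorithm markers and the sample dump are constructed for the example; run it with `--live` as root to audit the local daemon instead.

```sh
#!/bin/sh
# sshd-audit.sh: compare the EFFECTIVE sshd configuration, as printed by
# `sshd -T` (lowercase key, then value, one per line), against a hardening
# baseline. Added example for this checklist, not an OpenSSH tool; the baseline
# values are the ones recommended above and are assumptions to adapt.
set -u

# Single-valued options that must match exactly ("key value" per line).
BASELINE='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
maxauthtries 3
logingracetime 30
x11forwarding no'

# Substrings that mark a weak cipher, MAC or key-exchange algorithm.
WEAK_ALGOS='arcfour 3des -cbc hmac-md5 -sha1 umac-64'

# _sshd_findings FILE: print one line per deviation (no output = compliant).
_sshd_findings() {
  file="$1"
  while read -r key want; do
    # $1 is the key; everything after it is the value (may contain spaces)
    got="$(awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$file")"
    if [ -z "$got" ]; then
      printf '%s: not present in dump\n' "$key"
    elif [ "$got" != "$want" ]; then
      printf "%s: got '%s', want '%s'\n" "$key" "$got" "$want"
    fi
  done <<EOF
$BASELINE
EOF
  # Algorithm lists are comma-separated; flag each item matching a weak marker once.
  for key in ciphers macs kexalgorithms; do
    awk -v k="$key" '$1 == k { print $2; exit }' "$file" | tr ',' '\n' |
    while read -r item; do
      [ -n "$item" ] || continue
      for algo in $WEAK_ALGOS; do
        case "$item" in
          *"$algo"*) printf "%s: weak algorithm '%s'\n" "$key" "$item"; break ;;
        esac
      done
    done
  done
}

# audit_sshd_config FILE: print findings; return 0 if compliant, 1 otherwise.
audit_sshd_config() {
  out="$(_sshd_findings "$1")"
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample dump (not captured from a real host) so this runs offline;
# pass --live to audit this machine instead (sshd -T needs root).
DUMP="$(mktemp)"
cat > "$DUMP" <<'EOF'
port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
maxauthtries 6
logingracetime 120
x11forwarding no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,sntrup761x25519-sha512@openssh.com
EOF
if [ "${1:-}" = "--live" ]; then
  sshd -T > "$DUMP"
fi

if audit_sshd_config "$DUMP"; then
  echo "sshd: compliant with baseline"
fi
```

On the constructed dump the script reports six findings (root login, password authentication, MaxAuthTries, LoginGraceTime, the CBC cipher and the SHA-1 MAC). Auditing `sshd -T` rather than the config file is the point: it catches values overridden by a drop-in that sorts after yours.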

5. User Account Security

Password Policy

# Install the password quality library (Debian's package wires itself into PAM
# through pam-auth-update; RHEL/Fedora ship libpwquality already)
sudo apt install libpam-pwquality  # Debian/Ubuntu
sudo dnf install libpwquality      # RHEL/CentOS/Fedora

# Edit /etc/security/pwquality.conf
minlen = 12
dcredit = -1    # Require at least one digit
ucredit = -1    # Require at least one uppercase letter
lcredit = -1    # Require at least one lowercase letter
ocredit = -1    # Require at least one special character

# Check a candidate against the policy without changing anything (pwscore is in libpwquality-tools on Debian)
echo 'Tr0ub4dor&3' | pwscore

Password Aging

# Edit /etc/login.defs (applies to accounts created afterwards)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7

# For an existing user
sudo chage -M 90 -m 1 -W 7 username

NIST SP 800-63B advises against forced periodic rotation when passwords are long and screened against breach lists; keep a maximum age where a framework you are audited against (CIS, PCI DSS) still requires it.

Lock Accounts After Password Expiry

# Disable an account 30 days after its password expires unchanged (the INACTIVE
# field in /etc/shadow). This is not a last-login check; for that use: lastlog -b 90
sudo useradd -D -f 30

# For an existing user
sudo usermod -f 30 username

Disable Root Login

# Lock the root password (root stays reachable through sudo and console/single-user recovery)
sudo passwd -l root

6. Kernel Hardening (sysctl)

Create /etc/sysctl.d/99-hardening.conf (files in /etc/sysctl.d are applied in lexical order and a later file overrides an earlier one; /etc/sysctl.conf is read last)

# IP forwarding (disable unless this host routes, or runs containers/VMs that need it)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Do not send ICMP redirects (only routers should)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore ICMP redirects (they let an on-path host rewrite the routing table)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# SYN cookies (SYN-flood resilience, not general DDoS protection)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log packets with impossible source addresses ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore ICMP echo requests (this also breaks ping-based monitoring; many sites
# keep ping answered and rate-limit it at the firewall instead)
net.ipv4.icmp_echo_ignore_all = 1

# Ignore broadcast pings (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Reverse path filtering (1 = strict; use 2 = loose on multi-homed hosts with asymmetric routing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable IPv6 only if it is genuinely unused on this host; otherwise leave it on
# and rely on the IPv6 lines above plus the firewall
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Full userspace ASLR (2 = randomize stack, mmap, VDSO and brk; KASLR itself is a
# kernel build/boot option, not a sysctl)
kernel.randomize_va_space = 2

# Restrict dmesg to root (hides kernel addresses and hardware details)
kernel.dmesg_restrict = 1

# Hide kernel pointers in /proc and kernel logs, even from root
kernel.kptr_restrict = 2

# Limit ptrace to descendants of the tracing process (Yama LSM; enabled on Debian, Ubuntu and RHEL)
kernel.yama.ptrace_scope = 1

# kernel.exec-shield existed only in old Red Hat kernels; on any current kernel the
# key is absent and setting it makes sysctl report an error. NX/XD is enforced
# automatically (verify with: grep -wo nx /proc/cpuinfo | head -1)

Apply Changes

# Load every file under /etc/sysctl.d (sysctl -p alone reads only /etc/sysctl.conf)
sudo sysctl --system

# Spot-check a value
sysctl net.ipv4.ip_forward
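Added example, not part of the checklist: a drift check that reads each key in the hardening file straight from /proc/sys and reports values that differ from the file, or keys the running kernel does not provide at all (which is what happens to kernel.exec-shield on any current kernel). The optional second argument, an alternate /proc/sys root, and the demo baseline with its fake tree are assumptions introduced here so the script can be exercised offline.

```sh
#!/bin/sh
# sysctl-check.sh: verify that every "key = value" in a sysctl hardening file
# is what the running kernel actually reports, by reading /proc/sys directly.
# Added example for this checklist, not a distribution tool. The second
# argument (an alternate /proc/sys root) is an assumption introduced here so
# the logic can be tested against a constructed tree.
set -u

# check_sysctl_file CONF [PROC_SYS_ROOT]
# Prints DRIFT for values that differ and MISSING for keys the kernel does not
# expose; returns 0 only when every key matches.
check_sysctl_file() {
  conf="$1"; root="${2:-/proc/sys}"; rc=0
  # normalise: drop comments and blank lines, turn "key = value" into "key value"
  normalised="$(sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ /' \
                    -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$conf")"
  while read -r key want; do
    [ -n "$key" ] || continue
    path="$root/$(printf '%s' "$key" | tr . /)"   # net.ipv4.ip_forward -> net/ipv4/ip_forward
    if [ ! -r "$path" ]; then
      printf 'MISSING %s (no %s; key not provided by this kernel)\n' "$key" "$path"
      rc=1; continue
    fi
    # collapse tabs/newlines so multi-field values compare as "a b c"
    got="$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')"
    if [ "$got" != "$want" ]; then
      printf 'DRIFT   %s = %s (want %s)\n' "$key" "$got" "$want"
      rc=1
    fi
  done <<EOF
$normalised
EOF
  return "$rc"
}

# Constructed demo: a baseline file plus a fake /proc/sys tree with one drifted
# value and one key no modern kernel provides (kernel.exec-shield).
DEMO="$(mktemp -d)"
cat > "$DEMO/99-hardening.conf" <<'EOF'
# constructed baseline
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
kernel.kptr_restrict = 2
kernel.exec-shield = 1
EOF
mkdir -p "$DEMO/sys/net/ipv4" "$DEMO/sys/kernel"
printf '0\n' > "$DEMO/sys/net/ipv4/ip_forward"
printf '1\n' > "$DEMO/sys/net/ipv4/tcp_syncookies"
printf '1\n' > "$DEMO/sys/kernel/kptr_restrict"   # drift: the baseline wants 2

if [ "${1:-}" = "--live" ]; then
  check_sysctl_file /etc/sysctl.d/99-hardening.conf && echo "live kernel matches baseline"
else
  check_sysctl_file "$DEMO/99-hardening.conf" "$DEMO/sys" || echo "baseline not fully applied (see above)"
fi
```

Run it with `--live` after `sysctl --system` to confirm the file took effect; keys that print MISSING should be removed from the file, since sysctl will complain about them on every boot.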

7. Mandatory Access Control

AppArmor (Ubuntu/Debian)

# Install AppArmor
sudo apt install apparmor apparmor-utils

# Check status
sudo aa-status

# Enable profile
sudo aa-enforce /etc/apparmor.d/usr.bin.program

# Complain mode (log only)
sudo aa-complain /etc/apparmor.d/usr.bin.program

SELinux (RHEL/CentOS)

# Check status
sestatus

# Set to enforcing mode
sudo setenforce 1

# Make permanent (edit /etc/selinux/config)
SELINUX=enforcing

# View denials
sudo ausearch -m avc -ts recent

# Generate a local policy module from the denials. Review the generated
# mypolicy.te before installing it: audit2allow grants exactly what was denied,
# whether that was a misconfiguration or an attacker. Prefer fixing labels
# (restorecon) or flipping a boolean (setsebool -P) where one exists.
sudo audit2allow -a -M mypolicy
sudo semodule -i mypolicy.pp

8. Audit and Logging

Install and Configure auditd

# Install
sudo apt install auditd  # Debian/Ubuntu
sudo dnf install audit   # RHEL/CentOS

# Start and enable
sudo systemctl start auditd
sudo systemctl enable auditd

# Add audit rules in /etc/audit/rules.d/hardening.rules (augenrules merges every *.rules file)
# Identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity

# sudo policy (sudo itself logs through syslog/journald, so watch its
# configuration rather than a log file)
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# SSH daemon configuration. Logins are already recorded by auditd through PAM
# (USER_AUTH/USER_LOGIN events); a watch on /var/log/auth.log would only audit
# rsyslog writing to the file
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config

# Reload rules and confirm they loaded
sudo augenrules --load
sudo auditctl -l

# Query by key, e.g. everything that touched identity files today
sudo ausearch -k identity -ts today

Centralized Logging

# Forward logs to a remote syslog server (edit /etc/rsyslog.conf or a file in
# /etc/rsyslog.d/). Pick ONE transport; both lines together send every message twice
*.* @@logserver.example.com:514  # TCP
# *.* @logserver.example.com:514   # UDP: lossy and unauthenticated, avoid
# Both are plaintext. For TLS use the gtls network stream driver with omfwd
# ($DefaultNetstreamDriver gtls plus the CA/cert/key settings) and a collector that requires it

9. Disable Unnecessary Services

List Running Services

sudo systemctl list-unit-files --state=enabled

Disable Unused Services

# disable alone leaves a running service running; --now stops it as well
sudo systemctl disable --now bluetooth
sudo systemctl disable --now cups cups.socket  # Printing (the socket would re-activate the service)
sudo systemctl disable --now avahi-daemon avahi-daemon.socket  # Bonjour/mDNS

# Sockets and timers can start services on demand; review them too
systemctl list-sockets
systemctl list-timers

# To stop anything (including a package upgrade) from re-enabling a unit
sudo systemctl mask avahi-daemon

10. Filesystem Hardening

Mount Options in /etc/fstab

# Example hardening mount options (each needs its own partition or tmpfs)
/dev/sda1  /tmp  ext4  defaults,nodev,nosuid,noexec  0 2
/dev/sda2  /var  ext4  defaults,nodev  0 2
/dev/sda3  /home ext4  defaults,nodev,nosuid  0 2

# Shared memory (current distributions mount it at /dev/shm; /run/shm is a Debian-era symlink)
tmpfs  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0

noexec on /tmp breaks installers and build tools that execute from it (some package postinst scripts, pip building native wheels); point TMPDIR elsewhere for those jobs or remount without noexec for the duration.

Apply Changes

# mount -a only mounts filesystems that are not yet mounted; already-mounted ones need a remount
sudo mount -o remount /tmp
sudo mount -o remount /dev/shm

# Verify what is actually in force
findmnt -o TARGET,OPTIONS /tmp /dev/shm
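Added example, not the page's own code: verify the result from the kernel's side by parsing /proc/mounts, which reflects what is actually in force after a remount, rather than trusting what fstab says. The policy table mirrors the fstab entries above and is an assumption to adapt; the sample mounts file is constructed, not captured from a host.

```sh
#!/bin/sh
# mount-check.sh: confirm that sensitive mount points carry the nodev/nosuid/
# noexec options set in fstab, by reading /proc/mounts (the kernel's view) or a
# captured copy of it. Added example for this checklist; MOUNT_POLICY mirrors
# the fstab above and is an assumption (noexec on /tmp breaks tools that
# execute from it).
set -u

# mount point, then the options it must have (comma-separated)
MOUNT_POLICY='/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec
/var nodev
/home nodev,nosuid'

# check_mounts [MOUNTS_FILE]
# Reports ABSENT when a path is not its own mount (options cannot apply) and
# MISSING for each required option not present; returns 0 only when clean.
check_mounts() {
  mounts="${1:-/proc/mounts}"; rc=0
  while read -r mp required; do
    [ -n "$mp" ] || continue
    # /proc/mounts fields: device, mount point, fstype, options, dump, pass;
    # if a path is mounted more than once the last (topmost) entry wins
    opts="$(awk -v m="$mp" '$2 == m { o = $4 } END { print o }' "$mounts")"
    if [ -z "$opts" ]; then
      printf 'ABSENT  %s is not a separate mount; options cannot be enforced\n' "$mp"
      rc=1; continue
    fi
    for opt in $(printf '%s' "$required" | tr ',' ' '); do
      case ",$opts," in
        *",$opt,"*) ;;
        *) printf 'MISSING %s lacks %s (has: %s)\n' "$mp" "$opt" "$opts"; rc=1 ;;
      esac
    done
  done <<EOF
$MOUNT_POLICY
EOF
  return "$rc"
}

# Constructed /proc/mounts excerpt (not captured from a real host): /tmp and
# /home are fine, /dev/shm lacks noexec, and /var is not a separate filesystem.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime,nodev,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

if [ "${1:-}" = "--live" ]; then
  check_mounts && echo "mounts match policy"
else
  check_mounts "$SAMPLE" || echo "fix fstab, then: sudo mount -o remount <mountpoint>"
fi
```

An ABSENT finding is the one fstab cannot fix on its own: a directory that is not a mount point inherits the root filesystem's options, so /var would need its own partition (or a bind mount with the options) before nodev means anything there.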

Windows Hardening

1. Windows Updates

Enable Automatic Updates

# Get-WindowsUpdate and Install-WindowsUpdate are not built in; they come from the
# community PSWindowsUpdate module on the PowerShell Gallery. Vet the module
# before trusting it on production systems.
Install-Module PSWindowsUpdate -Scope CurrentUser
Get-WindowsUpdate

# Install all updates
Install-WindowsUpdate -AcceptAll -AutoReboot

# Configure automatic updates via Group Policy
# Computer Configuration → Administrative Templates → Windows Components → Windows Update
# Configure Automatic Updates: Enabled
# Option: 4 - Auto download and schedule install

PowerShell Method

# The same setting through the policy registry keys; create the key first, it is
# absent until a policy has written it
$au = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name "NoAutoUpdate" -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name "AUOptions" -Value 4 -Type DWord

2. BitLocker Encryption

Enable BitLocker

# Check BitLocker status
Get-BitLockerVolume

# Enable BitLocker on C: with the TPM unlocking the drive. -UsedSpaceOnly is fine
# for a fresh install; a drive that already held data should be fully encrypted
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

# Add a recovery password; the TPM protector alone gives you nothing to escrow
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# Escrow the recovery password. Select it by type: KeyProtector[0] is usually the
# TPM protector, which cannot be backed up
$rp = (Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId   # to Active Directory
# Entra ID-joined devices: BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId

GUI Method

  • Control Panel → BitLocker Drive Encryption
  • Turn on BitLocker
  • Save recovery key securely

3. Windows Firewall

Enable Firewall for All Profiles

# Enable firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# Set default inbound action to block
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow

# Public profile: ignore every allow rule, blocking all inbound. Only for hosts
# that need no inbound access at all; it also neutralises rules such as the RDP rule below
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -AllowInboundRules False

# Check status
Get-NetFirewallProfile | Select-Object Name, Enabled

Create Firewall Rules

# Allow RDP only from specific IP
New-NetFirewallRule -DisplayName "Allow RDP from Admin Network" -Direction Inbound -LocalPort 3389 -Protocol TCP -Action Allow -RemoteAddress 10.0.0.0/8

# Block outbound to specific IP
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Outbound -RemoteAddress 192.0.2.1 -Action Block

4. User Account Control (UAC)

Enable UAC at Highest Level

# Set UAC to always notify (prompt for consent on the secure desktop)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 2
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1

ConsentPromptBehaviorAdmin Values

  • 0 = Elevate without prompting (UAC effectively off for administrators)
  • 1 = Prompt for credentials on the secure desktop
  • 2 = Prompt for consent on the secure desktop (“Always notify”, recommended)
  • 3 = Prompt for credentials
  • 4 = Prompt for consent
  • 5 = Prompt for consent for non-Windows binaries only (the Windows default)

5. Account Security

Password Policy

# Configure via Local Security Policy (secpol.msc)
# Account Policies → Password Policy

# Via command line (requires admin)
net accounts /minpwlen:12 /maxpwage:90 /minpwage:1 /uniquepw:5

# Enforce password complexity
secedit /export /cfg C:\secpol.cfg
# Edit secpol.cfg: PasswordComplexity = 1
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY

Account Lockout Policy

# Lock account after 5 failed attempts
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

Disable Guest Account

Disable-LocalUser -Name "Guest"

Rename Administrator Account

# Cosmetic at best: the account keeps RID 500 and is found with
# Get-LocalUser | Where-Object SID -like '*-500'. Prefer leaving it disabled
# (the default on workstations) and using separate named admin accounts
Rename-LocalUser -Name "Administrator" -NewName "SysAdmin"

6. Disable Unnecessary Services

List Running Services

Get-Service | Where-Object {$_.Status -eq "Running"}

Disable Services

# Disable Remote Registry
Stop-Service RemoteRegistry
Set-Service RemoteRegistry -StartupType Disabled

# Disable Windows Remote Management (if not needed)
Stop-Service WinRM
Set-Service WinRM -StartupType Disabled

# Disable Print Spooler (if not printing)
Stop-Service Spooler
Set-Service Spooler -StartupType Disabled

# Disable Bluetooth (if not needed)
Stop-Service bthserv
Set-Service bthserv -StartupType Disabled

7. Windows Defender

Enable Real-Time Protection

# Enable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $false

# Enable cloud-based protection
Set-MpPreference -MAPSReporting Advanced

# Enable automatic sample submission
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# Enable PUA protection
Set-MpPreference -PUAProtection Enabled

# Update definitions
Update-MpSignature

# Run full scan
Start-MpScan -ScanType FullScan

Configure Exclusions Carefully

# Every exclusion is a blind spot attackers look for (exclusion lists were readable
# by any local user until recent builds), so exclude specific files or processes,
# never broad or user-writable paths
Add-MpPreference -ExclusionPath "C:\TrustedApp\app.exe"

# Review what is currently excluded
(Get-MpPreference).ExclusionPath

8. Remote Desktop Security

Harden RDP

# Enable Network Level Authentication (NLA)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

# Require TLS as the security layer (2) and high encryption (MinEncryptionLevel 3 = High, 4 = FIPS)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "SecurityLayer" -Value 2
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "MinEncryptionLevel" -Value 3

# Set idle timeout (15 minutes)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "MaxIdleTime" -Value 900000

# Disable RDP if not needed
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 1

9. Audit and Logging

Enable Advanced Audit Policy

# Enable logon/logoff auditing
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# Enable account management auditing
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Object access auditing only produces events for objects that carry a SACL, and
# success auditing of File System/Registry across the whole machine floods the log.
# Enable failures globally and add SACLs (or success auditing) only on the paths you care about
auditpol /set /subcategory:"File System" /failure:enable
auditpol /set /subcategory:"Registry" /failure:enable

# Enable privilege use auditing
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# Process creation (event 4688), with the command line included; the command line
# is off by default and is what makes 4688 useful for detection
auditpol /set /subcategory:"Process Creation" /success:enable
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord

# View current audit policy
auditpol /get /category:*

Increase Security Log Size

# Set Security log to 1GB
wevtutil sl Security /ms:1073741824

10. Disable Unnecessary Features

Disable SMBv1

# Disable SMBv1 (the protocol EternalBlue/WannaCry exploited; no supported Windows version needs it)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Verify disabled
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Disable PowerShell v2

# Disable PowerShell 2.0
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart

Disable Windows Script Host (if not needed)

# Disable WSH
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings" -Name "Enabled" -Value 0

11. Application Control (Allowlisting)

AppLocker Configuration

# Build rules from what is actually installed. -RuleType takes Publisher, Hash or
# Path; Executable/Script/Installer are file types, chosen with -FileType on
# Get-AppLockerFileInformation. The "default rules" that allow Windows and
# Program Files exist only in the GUI (secpol.msc → AppLocker → Create Default Rules).
$files = Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe,Script,WindowsInstaller
$files | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml | Out-File C:\Policies\AppLocker.xml

# Dry-run the policy against something it should block before enforcing it (example path)
Test-AppLockerPolicy -XmlPolicy C:\Policies\AppLocker.xml -Path 'C:\Users\Public\Downloads\tool.exe' -User Everyone

# Apply in audit mode first (EnforcementMode="AuditOnly" on each RuleCollection in
# the XML); event ID 8003 in Microsoft-Windows-AppLocker/EXE and DLL shows what
# would have been blocked. Switch to "Enabled" once the log is quiet.
Set-AppLockerPolicy -XmlPolicy C:\Policies\AppLocker.xml -Merge

# The Application Identity service must run for rules to be evaluated. It is a
# protected service on Windows 10/11, so Set-Service is denied; use sc.exe
sc.exe config appidsvc start= auto
Start-Service AppIDSvc

# Enable AppLocker via GPO
# Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker

12. Network Hardening

Disable NetBIOS

# Disable NetBIOS over TCP/IP on every IP-enabled adapter (Get-WmiObject is
# deprecated; the CIM cmdlets do the same job). 2 = disable
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } }

Disable LLMNR and mDNS

# Disable LLMNR (the policy key is absent until a policy has written it). This is the
# same setting as the GPO "Turn off multicast name resolution" under
# Computer Configuration → Administrative Templates → Network → DNS Client
$dns = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
New-Item -Path $dns -Force | Out-Null
Set-ItemProperty -Path $dns -Name "EnableMulticast" -Value 0 -Type DWord

# Disable mDNS, which the LLMNR policy does not cover
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name "EnableMDNS" -Value 0 -Type DWord

Harden SMB

# Require SMB signing on both server and client (defeats SMB relay)
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Turn SMBv1 off at the server as well as removing the feature
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Disable SMBv3 compression: the pre-patch workaround for SMBGhost (CVE-2020-0796).
# The fix shipped in March 2020; keep patching, this only removes the feature
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "DisableCompression" -Value 1 -Type DWord

Compliance and Verification

CIS Benchmarks

  • Follow CIS (Center for Internet Security) benchmarks for your OS
  • Use CIS-CAT tool for automated compliance checking
  • Available for macOS, Linux, Windows

STIG (Security Technical Implementation Guides)

  • DoD standards for system hardening
  • More rigorous than CIS
  • Use STIG Viewer and SCC (SCAP Compliance Checker)

Automated Scanning Tools

  • OpenSCAP: Linux compliance scanning
  • Lynis: Security auditing tool for Unix/Linux
  • Microsoft Security Compliance Toolkit: Windows hardening
  • macOS Security Compliance Project: Apple hardening

Regular Audits

  • Schedule quarterly security audits
  • Document baseline configurations
  • Track deviations and remediate
  • Test hardening doesn’t break functionality

Conclusion

Security hardening is an ongoing process, not a one-time task. Implement these controls in stages, test thoroughly, and maintain configurations over time.

Key Takeaways:

  1. Update systems regularly
  2. Encrypt data at rest
  3. Enable and configure firewalls
  4. Harden remote access (SSH/RDP)
  5. Implement strong authentication
  6. Disable unnecessary services
  7. Enable comprehensive logging
  8. Follow principle of least privilege
  9. Test and verify hardening
  10. Document everything

Remember: Security is a balance between protection and usability. Tailor these guidelines to your specific environment and risk tolerance.


Need help implementing security hardening across your infrastructure? I’ve deployed these practices across multi-location enterprise environments. Let’s talk about securing your systems.