What Is System Hardening?

PC hardening is a critical part of your strategy to reduce security vulnerabilities.

With system hardening, IT administrators take action to identify and address security vulnerabilities throughout their IT environment. By reducing the potential attack surface, you’ll leave fewer opportunities for hackers to exploit your systems. A key part of this strategy involves PC hardening.

With every attack on your IT infrastructure, a potential hacker must find a way to get in. They may attempt to inject malicious code into your OS by tricking a user into giving them access. Or they may target the hardware, firmware, or software. If successful, attackers can inject malicious elements to hijack a system. In cases where malicious code injection is difficult, sophisticated attackers can use residual data left from trusted applications to build gadgets that subvert modern security technologies. If other attempts fail, attackers can also simply steal a laptop or other device and gain access at their leisure. They may try to physically exploit vulnerabilities in device drivers to bypass traditional OS security—for example, with a kernel DMA attack. However they compromise your system, once they’re in, hackers can spy on users, steal data, prevent authorized access, or render machines unusable.

System hardening means doing everything you can to find and fix security vulnerabilities, whether it’s in hardware, firmware, software, applications, passwords, or processes.

Benefits of System Hardening

The main goal of system hardening is to improve your overall IT security. This lowers your risk for data breaches, unauthorized access, and malware injection. By avoiding attacks, you’ll also avoid the unplanned downtime that comes with remediation. System hardening can also help you simplify compliance with any internal or external regulations.

Types of System Hardening

System hardening should be practiced at every layer of your IT infrastructure. This ranges from servers to networks to endpoints. While IT system administrators typically focus on server hardening in the data center, it’s just as important to help protect clients. Reducing potential vulnerabilities in endpoint security reinforces a zero-trust enterprise security strategy.

You already know that PCs are a major potential attack surface. However, many IT administrators don’t realize that antimalware is no longer enough to secure PCs. Attacks on hardware and firmware have always been possible, but they were very difficult to carry out. Now, with the availability of kits and tools online, hackers have become much more sophisticated, moving down the stack to attack PCs beneath the OS.

PC hardening focuses on closing any potential attack vectors and routinely updating your systems to avoid being exploited. Attacks may include:

  • Malicious hardware injection attacks that exploit openings in the supply network (supply chain attacks).
  • Social engineering attacks that manipulate users into divulging confidential credentials.
  • Malicious code-based attacks that exploit vulnerabilities in software and firmware.
  • Legitimate code-based attacks that use residual data in memory to compromise the system.
  • Physical access attacks that exploit vulnerabilities in hardware.
  • Side-channel attacks.

Security First

At Intel, security is not just product security. It’s an ongoing effort intended to assure that users work best and are most secure on Intel®-based platforms.

Intel’s security-first pledge represents our commitment to design for product security. It starts with customer-first urgency. We consistently work with our customers in the commercial segment, our ecosystem, researchers, and leaders in academia to better understand their pain points so we can build and deliver helpful solutions with security deeply rooted within.

Our transparent, timely communications and ongoing security work demonstrate our efforts to push the boundaries of security beyond what is built into the product. Thanks to our bug bounty program, security red teams, and involvement with Common Vulnerabilities and Exposures (CVE), we can proactively identify and mitigate threats to Intel® platforms and provide guidance to our customers in a timely manner.

Intel® security technologies are embedded into our silicon to help protect devices at the most foundational level. But system hardening is not fully possible without a joint effort from the ecosystem. That’s why Intel® technologies are designed to integrate with other end user solutions, enhancing software-based security features from leading vendors.

In addition, Intel offers a business-class PC platform that was designed to simplify PC hardening. The Intel vPro® platform is built with hardware-based security features that help minimize the risks associated with security threats. It includes Intel® Hardware Shield, which is designed to provide out-of-the-box protections from attacks below the OS. In 10th Generation Intel® Core™ vPro® processors, these features are expanded to include application and data protection features and advanced threat protection capabilities to provide holistic endpoint security features across hardware, firmware, and software. The processors also provide the hardware resources needed for virtualized workloads and help reinforce virtualization-based security (VBS) with features to help protect PCs at runtime and data at rest.

Considerations for PC Hardening

As you’re planning your IT security hardening strategy, there are a few important goals to keep in mind when it comes to PC hardening.

  • Ensure supply chain visibility from assembly to IT provisioning. Intel® Hardware Shield helps IT identify any unauthorized hardware changes made prior to the platform provisioning.
  • Make sure you’re protecting PCs at runtime. With the below-the-OS capabilities that are part of Intel® Hardware Shield, you can support a secure boot so that systems launch into a trusted state.
  • Protect your BIOS. Intel® Hardware Shield locks down memory in the BIOS when software is running. This helps prevent planted malware from compromising the OS.
  • Ensure hardware-to-software security visibility. Dynamic Root of Trust for Measurement (DRTM), included with Intel® Hardware Shield, helps relaunch the OS and virtualized environments in an Intel-protected code-execution environment to help protect OS secrets from firmware. This provides the OS visibility of firmware security and enables additional OS security features.
  • Protect against physical memory access attacks. Intel® Hardware Shield helps prevent unauthorized access to data stored on the device with no additional setup required.
  • Prevent malware injection into the OS with industry-leading hardware virtualization and advanced threat detection features. Intel® Hardware Shield provides essential hardware resources for modern and virtualized client security workloads, helping protect the OS from the latest cyber threats.
  • Provide a way to remotely manage PCs. This allows you to install security patches and perform configuration management as needed. Intel® Active Management Technology, part of the Intel vPro® platform, provides an out-of-band connection for remote PC management. You can also use it to boot devices into a safe environment for troubleshooting and repair. And now, the Intel® Endpoint Management Assistant (Intel® EMA) tool lets IT remotely and securely manage devices, inside and outside the firewall, over the cloud.

Getting Started: System Hardening Checklist

The following is a short list of basic steps you can take to get started with system hardening. For a more comprehensive checklist, you should review system hardening standards from trusted bodies such as the National Institute of Standards and Technology (NIST).

  • Take an inventory of all your IT systems, including PCs, servers, and networks. Document your hardware and software products, including OS and database versions.
  • Perform an audit of your users and their access to all systems and applications. Eliminate any accounts and privileges that are no longer necessary.
  • Consider how you will approach operating system hardening. For PCs, upgrade your OS to Windows* 10 to make sure you’re getting the latest security updates.
  • Automate software updates so that neither the user nor IT administrator needs to think about them.
  • Train users to adopt strong passwords and identify phishing schemes. A large number of attacks come from stolen credentials and social engineering. User education is the foundation of any system hardening strategy.
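The first two checklist steps (inventory and account audit) can be scripted on each Windows 10 PC. The script below is an added example, not Intel's code or a tool from this page; it assumes an elevated PowerShell 5.1 session on a UEFI Windows 10 machine and uses only built-in cmdlets, writing a JSON report you can diff between runs.

```powershell
# Added example (not from the original page): baseline inventory and local
# account audit for one Windows 10 PC. Run from an elevated PowerShell session.

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem

# Installed software: read both the 64-bit and 32-bit uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName

# Secure Boot state: Confirm-SecureBootUEFI throws on legacy-BIOS machines,
# so treat an error as "not enabled" rather than aborting the inventory.
try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

# Account audit: enabled local accounts with no logon in the last 90 days
# (90 is an assumed policy value) are candidates for removal.
$staleCutoff = (Get-Date).AddDays(-90)
$staleUsers  = Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $staleCutoff)
}

# Members of the local Administrators group: the privilege list to trim.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

$report = [PSCustomObject]@{
    ComputerName      = $cs.Name
    Manufacturer      = $cs.Manufacturer
    Model             = $cs.Model
    OSVersion         = "$($os.Caption) $($os.Version) build $($os.BuildNumber)"
    BIOSVersion       = $bios.SMBIOSBIOSVersion
    SecureBoot        = $secureBoot
    InstalledSoftware = $software
    StaleEnabledUsers = @($staleUsers | Select-Object Name, LastLogon)
    LocalAdmins       = $admins
}

# Persist for diffing against the previous run, then show the summary fields.
$report | ConvertTo-Json -Depth 4 |
    Out-File -FilePath "$env:COMPUTERNAME-hardening-inventory.json"
$report | Select-Object ComputerName, OSVersion, BIOSVersion, SecureBoot | Format-List
```

Comparing the JSON reports from successive runs surfaces new software, new local administrators, and a Secure Boot state that has changed since the last audit.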

It’s important to remember that system hardening is an evolution, rather than a one-time activity. As attacks grow more sophisticated, so must your hardware security strategy. By choosing business laptops and business PCs on the Intel vPro® platform, you can simplify PC hardening with our latest hardware-based security technologies built into your devices. This helps you ensure strong protection for your PCs.

With the built-in security capabilities that are part of Intel® Hardware Shield, you can enable holistic endpoint security across all layers of the PC computing stack.

Security Benefits of the Intel vPro® Platform

The built-for-business Intel vPro® platform provides hardware-enhanced security features that help protect all computing stack layers. Businesses can benefit from supply chain transparency and traceability of PC components, advanced memory scans, and hardware-based support of Windows* 10 security services. Furthermore, IT has the ability to quickly roll out software fixes on critical vulnerabilities to managed PCs.

Endpoint Security

Endpoints are the portals hackers use to access your critical data or embed malicious code in your systems. And today’s workplace has a wide array of devices that can challenge endpoint security. As part of the Intel vPro® platform, Intel® Hardware Shield enables your IT team to implement policies in the hardware layer to help ensure that if malicious code is injected, it cannot access data.

System Hardening

Intel vPro® platform development has evolved through system hardening processes that have optimized hardware-based security features. The benefit to your organization includes configurable firmware protection, BIOS security to reduce its attack surface, and advanced threat detection.

Security Patching and Threat Remediation

Intel® Active Management Technology within the Intel vPro® platform enables remote access and management across the organization. Your IT team can use these technologies to execute timely security patching and threat remediation. Security patching can update large populations of devices regardless of their location. Threat remediation is addressed by implementing countermeasures to help reduce an endpoint’s susceptibility to a specific attack.

Legal and Disclaimers

Intel® technologies may require enabled hardware, software, or service activation.

No product or component can be absolutely secure.

Your costs and results may vary.