Hardening hosts is an absolutely critical part of securing your IT infrastructure. It's also one of the more boring ones. A lot of these are almost platitudes, like good passwords and things like that. But they are important. Keep in mind in this episode, we're talking about hardening just the host itself. We're not talking about the applications on the host.
We're not talking about its network interfaces; those are handled in other episodes. We're talking about the core host itself. Now, to do this, I'm going to be using a Windows 10 system, but in no way is it limited to Windows hosts; we could do this with any operating system. In fact, we could do it with virtually any type of box as well. So let's go ahead and start hardening this host, and we're probably going to start with one of the most important things that we always should do, and that is disabling unnecessary services. Any operating system is going to have tons of services running, and the vast majority you probably need. But it is critical that we actually go through the process of disabling the unnecessary ones.
Now, if we take a look here on my Windows 10 system, this is pretty much a default Windows 10 installation, so there's nothing in here that totally terrifies me. But what I want to do right here is make sure we understand something. You notice we have a number of running services, and that's fine. But there are a lot of these that are set to Manual. So you'll think, oh, they're not running, so that's not an issue. That's not true.
If a particular program needs a service to light up, it can easily do that on its own. So it's important for us to be able to go through any time we have an issue with something and we're worried about a particular service; we can go ahead and turn it off by actually going into the properties and truly disabling it, like you see right there. Now, I'm not going to go through and tell you which services you can disable in which version of Windows, or OS X, or Linux, or whatever you might be using. What is important for you to understand is that you need to disable these. There are entire websites, there are entire services you can buy, that will help you determine what needs to be turned off and what needs to be left on. Now, while we're talking about services, the other thing I want to bring to mind here is that there are a lot of programs out there that don't necessarily show an interface, and they are still applications; they're not running as a service.
However, they act like a service. So like on this system right here: if I open up a command prompt, I'm going to run good old netstat real quick. So if we run a netstat, I want you to look right up at the top here. I have listening ports on 22 and 80. What's happening here is I have an SSH server running, and I also have a web server running. Do I really need these? Is that an important thing? They're not truly services in the classic sense of the word.
But they're hidden to me. It's not easy for me to see that they're up there. So while they're technically not services, they still act enough like services to me that I want to bring them up. So you probably want to go through and be shutting those things off as well, if they're unnecessary. This system here needs an SSH server, so I'm going to keep that running.
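The two checks described above (services that are only set to Manual rather than truly Disabled, and programs that listen on the network without being services) can be scripted so you do not have to read the Services console and netstat output by eye. The following PowerShell is an added example and is not code from the video or from Total Seminars; it assumes a Windows 10 or Server 2012 R2+ host with PowerShell 5.1 or later and the NetTCPIP module (Get-NetTCPConnection), and the two allow-lists at the top are constructed sample baselines that you would replace with your own.

```powershell
# Added example (not from the video): audit a Windows host for services that are
# not truly disabled and for programs listening on the network.
# Assumptions: Windows 10 / Server 2012 R2+ with PowerShell 5.1+ and the
# NetTCPIP module. The two allow-lists are constructed for this example.

# Services this host legitimately needs (constructed sample baseline).
$ExpectedServices = @('Dhcp', 'Dnscache', 'EventLog', 'W32Time', 'WinDefend', 'sshd')

# Ports you expect to be listening (constructed: this host needs SSH, not the web server).
$ExpectedPorts = @(22)

function Get-ServiceAudit {
    # Anything whose StartType is not Disabled can still be started on demand by
    # another program, so Manual is reported right alongside Automatic.
    Get-Service |
        Where-Object { $_.StartType -ne 'Disabled' -and $ExpectedServices -notcontains $_.Name } |
        Select-Object Name, DisplayName, Status, StartType
}

function Get-ListenerAudit {
    # Map each listening TCP socket to the process that owns it (what
    # "netstat -abno" shows), but as objects you can filter against a baseline.
    Get-NetTCPConnection -State Listen |
        Where-Object { $ExpectedPorts -notcontains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # Reading .Path on a protected/system process can throw; treat that as unknown.
            $path = $null
            if ($proc) { try { $path = $proc.Path } catch { $path = $null } }
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '(unknown)' }
                Path         = $path
            }
        } |
        Sort-Object LocalPort -Unique
}

function Disable-UnneededService {
    param([Parameter(Mandatory)][string]$Name)
    # Stop the service AND set StartType to Disabled, which is the "properties"
    # change from the video: Manual would let something start it again on demand.
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $Name -StartupType Disabled
}

Write-Host 'Services that are not Disabled and not on the expected list:'
Get-ServiceAudit | Format-Table -AutoSize
Write-Host 'Listening TCP ports that are not on the expected list:'
Get-ListenerAudit | Format-Table -AutoSize
# After reviewing the output, disable what you do not need, e.g.:
# Disable-UnneededService -Name 'RemoteRegistry'
```

Run it elevated so that the process path of every listener is readable. The listener audit is the part that catches things like the web server on port 80 from the video: it is not a Windows service, so it never appears in the Services console, but it does own a listening socket.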
Okay. The next thing I want to talk about is default passwords. I have probably three different episodes where I hammer on the importance of good passwords, but that's not what I'm talking about right now. What I'm talking about is not using default passwords. Now.
Look, we're all grown-up people here. And we're all pretty good with, for example, our Windows systems or OS X systems, at always changing the default passwords. In fact, you can't even install Windows or Linux or OS X without changing the administrator password and things like that. So we're pretty much in good shape when it comes to desktop-style operating systems. Where we really get into trouble with default passwords is in all the Internet of Things devices. Some of the worst botnet attacks we have seen came not from people infecting desktop computers or smartphones. They did it by infecting cameras, home lighting systems, thermostats, all of these different little devices, the Internet of Things devices. Hundreds of thousands of these were still using the default password.
So it doesn't matter to me if you've got a home thermostat, or a camera, or a smartphone, or whatever it is: the first thing you do with that magic box is change the default password. And not only change the default password, but use good password methodologies to make sure that bad guys can't hack into it. All right, next I think we should talk about all of those extra user accounts on your systems. If there's one thing that can easily take place in any networked environment, it is that you can start generating lots of user accounts and lots of groups, and over time you just don't need them. So I've set up a demonstration here of probably about every bad habit you could have in a Windows domain. So this is just one example of where we can be naughty.
So I've got my Server Manager running; this is an old copy of Windows Server 2003, still runs great. And what I've done is I'm showing you all of the domain groups, and then the domain accounts. So there are a couple of things in here I want you to notice that are particularly bad. For example, here's a group called Management 1. Okay, a lot of people have management groups.
There's nothing wrong with that. But look here: here's a Management 2. What is probably happening here is that people are not taking good care of dealing with least privilege. Something happened, they got another management person to come in, and instead of generating a proper hierarchy of groups, they just threw another one in. And that can create all kinds of problems. Now let's take another look here.
So here I've got something: here's Accounting, for example. A lot of times you'll have a lot of groups, and a lot of accounting groups is pretty common. But look underneath here: here's Bookkeepers. So I'm going to actually be taking a moment to look at what actual privileges these users need that require them to have this type of group division. I'm not saying this is bad, but just the naming alone sets up a red flag for me.
And again, I'm going to be looking at what these people are doing, and I might be deleting some of these groups. Now, going down to users, we've got a number of issues here. For example, here's one that scares me right there; I'm going to have to see what that's all about. Guest: you have a built-in Guest account, but that's usually going to be disabled.
And in our case, if you look really closely, you can see it is disabled, so that's good. Here's a user named Dudley. And there's a Dudley Lemur, who's my partner here at Total Seminars, but then there's a Dudley 2. Now, what's going on here? We talked about in other episodes that we don't want to have a user with multiple accounts, that type of thing.
And that is a huge red flag. So I'm going to really be going through here and cleaning this up. Now keep in mind, in this particular situation I'm only talking about a Windows domain, but you can run into this situation anywhere: you can have an SSH server that has unnecessary user accounts, you can have a router that you're using that has a number of accounts on it. So good, tight controls, always concentrating on the idea of least privilege, are always very, very important. All right, so those are some good examples. So what's the next thing I want to do to harden my host?
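The account clean-up just described (an enabled Guest account, look-alike accounts such as Dudley and Dudley 2 that suggest one person with several logins, and accounts nobody has used in a long time) is the kind of thing worth checking on a schedule rather than by scrolling through Active Directory Users and Computers once. The following PowerShell is an added example, not code from the video or from Total Seminars; it assumes the ActiveDirectory module (RSAT) is installed, that you run it as a user who can read the domain, and the 90-day threshold is a constructed policy value.

```powershell
# Added example (not from the video): audit domain user accounts for an enabled
# built-in Guest, look-alike account names (Dudley / Dudley2), and enabled
# accounts with no recent logon. Assumes the ActiveDirectory module (RSAT).

Import-Module ActiveDirectory

$StaleAfterDays = 90   # constructed policy value; adjust to your organization

function Get-AccountAudit {
    $users = Get-ADUser -Filter * -Properties Enabled, LastLogonDate, WhenCreated, Description

    # 1. The built-in Guest account always has RID 501; it should be disabled.
    $guest = $users | Where-Object { $_.SID.Value -like '*-501' }
    if ($guest -and $guest.Enabled) {
        [pscustomobject]@{ Finding = 'Guest account enabled'; Account = $guest.SamAccountName; Detail = $guest.SID.Value }
    }

    # 2. Look-alike names: strip a trailing number and group what is left, so
    #    "Dudley" and "Dudley2" land in the same bucket.
    $users |
        Group-Object { ($_.SamAccountName -replace '\d+$', '').ToLower() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'Possible duplicate accounts for one person'
                Account = ($_.Group.SamAccountName -join ', ')
                Detail  = "base name '$($_.Name)'"
            }
        }

    # 3. Enabled accounts whose last logon is older than the threshold.
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    $users |
        Where-Object { $_.Enabled -and $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = "No logon in $StaleAfterDays days"
                Account = $_.SamAccountName
                Detail  = "last logon $($_.LastLogonDate.ToString('yyyy-MM-dd'))"
            }
        }
}

function Disable-StaleAccount {
    # Disable first rather than delete: the SID and group memberships survive
    # long enough to confirm nothing depended on the account. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable AD account')) {
        Disable-ADAccount -Identity $SamAccountName
        Set-ADUser -Identity $SamAccountName -Description "Disabled by account audit $(Get-Date -Format yyyy-MM-dd)"
    }
}

Get-AccountAudit | Format-Table -AutoSize
# Example follow-up after reviewing a finding:
# Disable-StaleAccount -SamAccountName 'Dudley2' -WhatIf
```

The look-alike check is deliberately crude (it only catches a numeric suffix); its job is to produce the same red flag the video describes so a human looks at the pair, not to decide on its own which account is the real one.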
Oh, I know: patch management. Anybody who owns a modern operating system deals with patches. Windows Update, all of these tools that are built in, are fantastic tools. But when we talk about patch management, I want to talk about it more from an enterprise level. Also, keep in mind that when we're talking about patching things, we're not just patching desktop systems or laptops. We could be patching our networking hardware, we could be patching cameras, we could be patching smartphones. It doesn't matter what it is; the process of patching, when you look at it at an enterprise level, is very different than the user just clicking and allowing Windows to update itself automatically. Now, Windows Update is a powerful tool.
And it's something we should always take advantage of. However, in an enterprise environment, you have to be a bit more careful. Even here at Total Seminars, we did a big Windows 10 update not that long ago, and it ended up messing up one of our accounting systems. So even in a little tiny company like this, a little prudence is probably not a bad idea. Okay, so let's go through a patch management process. Now, there are hundreds of patch management processes out there; you're not really going to be tested on what are the four steps to patch management.
This is just my opinion, but they're pretty good, and they'll get you through the exam. So the number one thing we have to do is monitor. We have to be out there on the street listening, being updated, being aware of patches that are coming out. Now, for desktop operating systems that's pretty easy, because the manufacturers do a really good job of updating us and letting us know that patches are out. The problem we run into is with little unmanaged devices, or even managed devices.
My Cisco router: Cisco does not automatically patch my routers, so I have to be on top of it. I'm monitoring the news, I'm monitoring the industry, I'm monitoring my suppliers to be aware of what's out there patch-wise. So patches start rolling in. So the first thing I'm going to do with a patch is I'm going to test it.
I should have tested that Windows 10 update; I never would have been caught by that silly accounting software problem. So we get a sandbox-type system and we test it: we install what we need to install, we run it, we see what the upsides and the downsides are, and then we go ahead and see if this patch is good. At some point in here we're also evaluating, because simply taking every patch that comes down the pike is not necessarily a good idea.
So we do tend to look with a jaundiced eye when we hear about some patch; we go, is this an important patch for us? Okay, so we know things are pretty good. So then we go about actually deploying the patch. Now, in a smaller environment, that's not that big of a deal; usually you just press a button and go. However, in an enterprise environment, this could be really, really important in terms of how you schedule this stuff.
In large organizations where the actual patching process could end up taking many man-hours, that could be a problem. So good scheduling comes into play as well. And last, as you might imagine, you document. Keeping up to date in terms of what is being patched and what isn't is really, really important. In fact, it's so important that for most people, when it comes to patch management, they're going to rely on third-party tools. There are so many of them out there, it's almost hard to count them all, that do all this for you.
They do all the monitoring for you, they will help you in your testing, they will help you through the deployment process, and they'll give you a single source of documentation, so that you know what to do when it comes to patch management. I don't think anybody watching this video is not aware of the fact that you should be running anti-malware. And that's really not what I want to talk about here. What I want to talk about is: yes, you are running anti-malware.
But from a security standpoint, particularly when you're in an enterprise, things change a little bit. So we know everybody's running anti-malware. Now, as part of patch management, we always want to make sure that our anti-malware is updated as often as possible, as often as necessary. Now, one of the things that will happen is we can use centralized tools.
I'll talk about those in a minute. But before we get into that, there are a lot of basic steps that people forget about. Number one: training. Your number one line of defense on malware is your users. They should be comfortable with recognizing what's going to be taking place if malware is running on their system; they should recognize what happens if the anti-malware flags something. There should be procedures in place so that if they see malware, they are able to recognize it and deal with it at whatever level your organization wants them to. In a lot of cases they clean it themselves. But mainly what we'll see is that people make a report and somebody from IT comes down.
It's not that your users can't do the cleaning themselves. It's just that IT needs to get their eyes on it so they can see how it's going to affect the enterprise as a whole. So part of that training is not just recognizing that, but also recognizing good practices, proper use of USB, and things like that, that become very, very important. Now, from an enterprise standpoint, the big thing we're doing when it comes to malware is that we're monitoring. So we're watching our security logs.
We're monitoring the network flow diagrams to see if there's a bunch of computers that are starting to try to phone home in ways that we don't like. We check DNS to see if individual computers are trying to connect to known naughty DNS servers. So we can use monitoring, we can use IDS; intrusion detection systems can often do this for us as well. But if you really want to get serious, we usually turn to third-party enterprise anti-malware tools. Malwarebytes is one of my favorite companies that does that.
What they do is, basically, you've got to do your own training, but they'll do everything else for you. They'll do all of the monitoring for you, they'll make sure all your anti-malware is updated and in good order, and for a few extra pennies, it really, really makes a big difference to make sure that malware doesn't hit your individual hosts. Okay, so the last thing I want to talk about is host firewalls. Every computer in your network should have a host firewall.
Pretty much every operating system today comes with some type of firewall, and they generally do a good job in and of themselves. However, when we're talking about hardening hosts, one of the downsides to firewalls is that they're only as good as the operator that's actually monitoring them, and that operator tends to be the user themselves. So in an enterprise environment, we tend to do some little bits of extra control to make sure our firewalls do the best job that they can do. Keep in mind that firewalls work pretty much on an application-level basis: some program starts running on that computer, and then it starts trying to do something on the network, and that flags the firewall.
So one of the big things that we do in an enterprise environment is we will whitelist or blacklist applications. What you'll see in a lot of places is that they'll have a whitelist, and that means these are the only programs that you can install; if it's not on this list, you can't install it. More difficult to do is a blacklist. A blacklist will make a list of known naughty programs that you shouldn't install, but of course that does not prevent somebody from finding yet another program that they shouldn't install and putting it on their system. If you're using a whitelist, you can actually do some pretty interesting controls with firewalls.
When you're using centralized management, for example, one of the things I love about a Windows domain is that I can set firewall rules for the entire domain. So I can generate a security policy that's basically going to say that unless you're an IT god, you do not have the right to go ahead and let a firewall run a particular program through the firewall. So it's a very, very powerful tool, and again, a great motivator for centralized management tools.
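The whitelist idea above applied to the host firewall comes down to two things: inbound is blocked by default, and every enabled inbound allow rule is tied to a program you have approved. The following PowerShell is an added example, not code from the video or from Total Seminars; it assumes a Windows 8 / Server 2012 or later host with the NetSecurity module (Get-NetFirewallRule and friends), and the approved-program list, including the sshd path, is constructed for this example.

```powershell
# Added example (not from the video): inventory the enabled inbound allow rules
# on a Windows host, flag any rule whose program is not on an approved
# whitelist, and enforce block-by-default inbound. Assumes the NetSecurity module.

# Constructed whitelist: the one program this host is allowed to accept
# connections for (matches the SSH server kept running earlier in the episode).
$ApprovedPrograms = @(
    'C:\Program Files\OpenSSH\sshd.exe',   # constructed path
    'System'                               # kernel-mode listeners (e.g. SMB)
)

function Get-InboundAllowRuleAudit {
    # Only rules that are enabled, inbound and Allow can actually open a door;
    # disabled or outbound rules are ignored here.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            # Rules often store the path with %SystemRoot%; expand it before comparing.
            $program = $app.Program -replace '%SystemRoot%', $env:SystemRoot
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Profile   = $rule.Profile
                Program   = $program
                LocalPort = ($port.LocalPort -join ',')
                # 'Any' means the rule is not tied to a program at all, so it
                # can never be on the whitelist.
                Approved  = ($program -ne 'Any' -and $ApprovedPrograms -contains $program)
            }
        }
}

function Set-DefaultInboundBlock {
    # With inbound blocked by default on every profile, the explicit allow
    # rules above are the only way in, which is what makes the whitelist mean
    # something. Outbound default is left as-is.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
}

# Report the rules that would let an unapproved program accept connections.
Get-InboundAllowRuleAudit |
    Where-Object { -not $_.Approved } |
    Sort-Object Name |
    Format-Table -AutoSize
# Then, once the report is clean: Set-DefaultInboundBlock
```

On a single host this reads and writes the local policy store. In the domain scenario the video describes, the same cmdlets accept a -PolicyStore parameter that points at a Group Policy object, so the audit and the block-by-default setting can be applied to every machine in the domain from one place, which is exactly the "unless you're an IT god" control the video is talking about.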