OS Hardening: Patching, Baseline Config, and CIS Benchmarks
Apply OS hardening techniques — disabling unnecessary services, enforcing baseline configurations, and using CIS benchmarks — to reduce attack surface.
What Is OS Hardening?
OS hardening is the process of reducing an operating system's attack surface by removing unnecessary features, applying security configurations, and keeping the system patched. A freshly installed operating system is not secure by default — it prioritizes usability, enabling services and features that many users might want but that most enterprise servers do not need. Every enabled service, open port, and default credential is a potential entry point for attackers. Hardening systematically closes these entry points before a system enters production.
Patch Management
Patch management is the process of identifying, testing, and applying software updates that fix security vulnerabilities. An unpatched system is one of the most exploitable targets — many major breaches (Equifax 2017, WannaCry 2017) exploited known, already-patched vulnerabilities that organizations simply had not applied. A mature patch management process defines: patch identification (subscribe to vendor advisories, CVE feeds), criticality classification (Emergency/Critical/High/Medium), testing timelines (critical patches within 48-72 hours in many frameworks), and deployment verification.
# Patch criticality SLA example
CVSS Score SLA Notes
---------- ---------- ----------------------
9.0 - 10.0 48 hours Emergency patch cycle
7.0 - 8.9 7 days Critical patch cycle
4.0 - 6.9 30 days Standard patch cycle
0.1 - 3.9 90 days Routine patch cycle
# Verify patch application:
# Windows: Get-HotFix | Where-Object {$_.HotFixID -eq 'KB5023706'}
# Linux: dpkg -l | grep package_nameAll lessons in this course
- Antivirus, EDR, and XDR Platforms
- OS Hardening: Patching, Baseline Config, and CIS Benchmarks
- Mobile Device Management (MDM) and BYOD Policies
- Host-Based Firewall and Application Allowlisting