Laying the Foundation: Hardening a New System Build
Dallas Cardenas
9/1/2025
Any time a new system is deployed, security should be part of the process from the very beginning—not bolted on after the fact. Recently, I was tasked with provisioning a new system to be used in a production environment. Before any applications were installed or users were added, I focused on one thing: hardening.
Start with a Minimal Installation
I began by installing a minimal version of the operating system. This reduced the attack surface by cutting out unnecessary packages, services, and software. Fewer components mean fewer potential vulnerabilities.
After the install, I immediately applied all available security patches and updates.
I configured role-based access controls using Active Directory and local system policies. Only the required administrators were granted login permissions, and password policies were enforced to meet complexity and expiration standards. I also disabled the root login (for Linux) and restricted remote login capabilities wherever possible.
Configure Logging and Auditing
No hardened system is complete without visibility. I set up logging for system events, access attempts, and configuration changes. These logs were then forwarded to a centralized log server to ensure they couldn’t be tampered with locally. Auditing was enabled to track changes to system files and user activities—essential for both incident response and compliance.
Next, I installed and configured Sophos Endpoint Protection to provide real-time monitoring, exploit detection, and application control. Paired with firewall settings and controlled software whitelisting, this helped keep the system protected from day one.
A quick review of running services revealed a few that weren’t needed. I disabled these immediately, making sure the system was only doing what it was designed to do—nothing more. Open ports were reviewed and locked down with firewall rules using host-based and network-level configurations.
Before deploying the system, I documented the hardened configuration and captured a baseline image. This image serves as a reference point for future comparisons and ensures consistency in future builds.
Hardening a new system isn’t about checking boxes—it’s about creating a secure environment from the start. By putting in the work early, you reduce the chances of future incidents and save time in the long run.
Security isn’t just something you respond to. It’s something you build.
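The post describes the documented baseline as a reference point for future comparisons. As an added example that is not part of the original post or the author's tooling, the following Python compares a Linux host against such a baseline, using listening ports parsed from `ss -H -tln` output and effective SSH settings from `sshd -T`. The baseline values (ports 22 and 443, the two sshd settings) and the sample command output are constructed for illustration.

```python
# Constructed samples; on a real host the text would come from
# `ss -H -tln` (listening TCP sockets) and `sshd -T` (effective sshd settings).
BASELINE = {  # hypothetical values recorded when the baseline was captured
    "ports": {22, 443},
    "sshd": {"permitrootlogin": "no", "permitemptypasswords": "no"},
}
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 64 [::]:3306 [::]:*
"""
SAMPLE_SSHD = """\
port 22
permitrootlogin yes
permitemptypasswords no
"""

def listening_ports(ss_output):
    """Return the set of local TCP ports found in `ss -H -tln` output."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            # Local address is column 4; rsplit copes with IPv6 "[::]:port".
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def sshd_settings(sshd_output):
    """Parse `sshd -T` output (one 'keyword value' pair per line) into a dict."""
    pairs = (line.split(None, 1) for line in sshd_output.splitlines())
    return {p[0].lower(): p[1].strip() for p in pairs if len(p) == 2}

def drift(baseline, ss_output, sshd_output):
    """List every way the current state departs from the baseline."""
    findings = []
    current_ports = listening_ports(ss_output)
    for port in sorted(current_ports - baseline["ports"]):
        findings.append(f"unexpected listening port {port}")
    for port in sorted(baseline["ports"] - current_ports):
        findings.append(f"expected port {port} is not listening")
    current = sshd_settings(sshd_output)
    for key, want in sorted(baseline["sshd"].items()):
        got = current.get(key, "<unset>")
        if got != want:
            findings.append(f"sshd {key} is {got}, baseline is {want}")
    return findings

if __name__ == "__main__":
    for finding in drift(BASELINE, SAMPLE_SS, SAMPLE_SSHD):
        print("DRIFT:", finding)
```

An empty result means the host still matches the baseline; any finding is a change to review against the documented configuration.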

