System hardening

System hardening is the deliberate reduction of an IT system's attack surface through secure configuration, for example by disabling unnecessary services, closing unused ports and removing default accounts.

System hardening covers all the technical and organisational measures used to systematically reduce the attack surface of an IT system. It starts from the premise that every installed piece of software, every open network service, every default account and every unnecessary privilege represents a potential point of entry. The goal of hardening is to reduce a system to exactly the functions it needs for its intended purpose and to disable or remove everything else. Typical hardening measures apply to operating systems, databases, web servers, container images, network components and cloud configurations.

Classic measures include disabling or uninstalling unnecessary services and protocols, closing unused ports, removing or renaming default accounts and replacing preset passwords, applying the principle of least privilege, enabling encryption and logging, and maintaining rigorous patch management. In practice, hardening follows recognised configuration guidance such as the CIS Benchmarks, the German BSI IT-Grundschutz recommendations or vendor-specific security configuration guides. These baselines are ideally rolled out in an automated fashion and continuously checked for deviations (configuration drift).

From a regulatory perspective, system hardening is a core building block of an effective information security management system. ISO/IEC 27001:2022 requires appropriate technical safeguards through Annex A controls such as configuration management, i.e. secure configuration (A.8.9), management of technical vulnerabilities (A.8.8) and protection against malware (A.8.7). The BSI IT-Grundschutz addresses hardening in several modules, for example SYS.1.1 (general server). Within the scope of the NIS2 Directive, secure configuration and vulnerability handling are among the risk management measures required by Article 21(2) NIS2, notably under point (e) (security in acquisition, development and maintenance, including vulnerability handling) and point (g) (basic cyber hygiene practices). Hardening is therefore not a one-off project but an ongoing process that must be tightly integrated with vulnerability, patch and change management.

Legal Basis

ISO/IEC 27001:2022 Annex A controls A.8.7, A.8.8 and A.8.9; BSI IT-Grundschutz (incl. module SYS.1.1); Article 21(2) of the NIS2 Directive (EU) 2022/2555

Practical Example

A mid-sized machinery manufacturer qualifies as an important entity under NIS2. Its information security officer defines a hardening baseline for all new Linux servers based on the CIS Benchmarks: default accounts are disabled, SSH allows key-based authentication only, unnecessary services are switched off and the configuration is rolled out automatically via Ansible. A weekly compliance scan reports any deviation from the baseline to the ticketing system, so that configuration drift is detected and remediated in a documented manner. At the next ISO 27001 surveillance audit, the company can fully demonstrate the effective implementation of control A.8.9.
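The drift check described under classic measures and the weekly compliance scan in the practical example above, reduced to a runnable illustration: the following POSIX shell script is an added example written for this page, not the manufacturer's or preeco's tooling. It audits an OpenSSH server configuration file against a small hardening baseline and reports every deviation; the keyword/value pairs in the baseline are illustrative assumptions in the spirit of the CIS Benchmarks, not quoted from one. The two configuration files it audits are constructed samples embedded in the script: a default-looking sshd_config with weak settings, and its hardened counterpart.

```shell
#!/bin/sh
# Added example for this page (not preeco's or the manufacturer's tooling):
# audit an OpenSSH server configuration against a small hardening baseline
# and report configuration drift. The baseline values are illustrative
# assumptions, not quoted from a CIS Benchmark.

# Print the effective value of a keyword in an sshd_config-style file.
# OpenSSH semantics reproduced here: '#' starts a comment, keywords are
# case-insensitive, the FIRST occurrence wins, and everything from the
# first "Match" line onwards is conditional, so it is not global config.
# Prints nothing when the keyword is not set (the built-in default applies).
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                 # strip comments
        tolower($1) == "match" { exit }                    # end of global section
        NF >= 2 && tolower($1) == key { print $2; exit }   # first match wins
    ' "$1"
}

# Check one keyword against its expected value. Prints a finding and
# returns 1 on drift, returns 0 when compliant. An unset keyword counts as
# drift: defaults differ between OpenSSH versions, so the baseline requires
# every value to be set explicitly.
check_setting() {
    # $1 = config file, $2 = keyword, $3 = expected value
    actual=$(sshd_effective "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    printf 'DRIFT %s: expected "%s", found "%s"\n' "$2" "$3" "${actual:-<unset>}"
    return 1
}

# Run the whole baseline against a file. The exit status is the number of
# deviations, so 0 means fully compliant; a scheduled scan would forward
# the findings to the ticketing system.
check_sshd_baseline() {
    drift=0
    while read -r kw expected; do
        [ -z "$kw" ] && continue
        check_setting "$1" "$kw" "$expected" || drift=$((drift + 1))
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
EOF
    return "$drift"
}

# Constructed sample (not from a real host): a default-looking sshd_config
# with root login and X11 forwarding enabled, password authentication only
# commented out (so the default applies) and PermitEmptyPasswords unset.
# The "Match" block at the end must not satisfy the global check.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding yes
MaxAuthTries 4
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# The same file after the baseline has been applied.
make_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the weak sample, then its hardened version.
sample=$(make_sample_config)
hardened=$(make_hardened_config)
echo "== weak sample =="
check_sshd_baseline "$sample" || echo "$? deviation(s) found"
echo "== hardened =="
check_sshd_baseline "$hardened" && echo "compliant with baseline"
rm -f "$sample" "$hardened"
```

On the weak sample the script reports four deviations (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords and X11Forwarding); the PasswordAuthentication line inside the Match block does not rescue the global setting, which is exactly the kind of false sense of compliance a naive grep would produce. On a real host, feed the script the output of `sshd -T` rather than /etc/ssh/sshd_config itself: `sshd -T` prints the effective configuration with Include files and built-in defaults resolved, one lowercase keyword per line, which the parser above accepts unchanged. The general pattern, one check per baseline item, findings on stdout and the deviation count as exit status, is what a scheduled scan hands to a ticketing system, and it applies equally to other baselines than SSH.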

FAQ

How does system hardening differ from patch management?

Patch management closes known security gaps by installing updates, whereas system hardening reduces the fundamental attack surface through secure configuration. The two complement each other: hardening cuts down the number of attackable components, while patches keep the remaining ones up to date. Only together do they provide effective protection.

Which baselines or standards should hardening follow?

Established references are the CIS Benchmarks for operating systems and applications, the BSI IT-Grundschutz and vendor-specific security configuration guides. ISO/IEC 27001:2022 explicitly requires secure configuration through control A.8.9. These baselines should be tailored to your own protection requirements and reviewed regularly.

Is hardening a one-off task?

No, hardening is a continuous process. New vulnerabilities, software updates and unintended configuration changes can re-expand the attack surface at any time. The target state should therefore be monitored automatically and configuration drift corrected promptly.
