Read this whole guide offline with no ads, for a low price!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Need more practice? 300 additional Security+ questions!
Get It Here!

Custom Search

Table Of Contents  CertiGuide to Security+
 9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)
      9  3.5  Security Baselines

Previous Topic/Section
3.5  Security Baselines
Previous Page
Pages in Current Topic/Section
Next Page
Some Areas to Look At When Hardening an OS
Next Topic/Section

3.5.1  OS/NOS Hardening

OS hardening deals with the actions that can be taken to secure an OS.

In this section, we look at resources for hardening Windows and UNIX systems, and then we look at particular areas of consideration. Note that specific practical measures for any specific OS are beyond the domain of the Security+ exam, so we present these as “geek tips”. Nevertheless, if you’re going to be working in Security, you really do need to know the practical details of securing your organization’s operating systems of choice. Here are some hints on where to look for this information.

Windows Resources

In the Windows world, there are both written guidelines such as the SANS “Gold Standard” and automated tools like the Microsoft Baseline Security Analyzer which attempt to automate some baseline security measures. The following are two resources in which the US government was involved.

The “Gold Standard” is a recent development by the Center for Internet Security, DISA, NSA, NIST, SANS and GSA. The US National Security Agency, after review of successful system compromises of Windows 2000 during the past eighteen months, found that more than 85% of them would have been blocked had the owners been using the Gold Standard. Heard enough? Go get it349. Similarly, the FBI/SANS duo has updated its list of the Top 10 Windows vulnerabilities, as of October, 2002. This list, and a similar list for UNIX systems, is available at Also available at this site is a list of vendors supplying scanners that check for the presence of these vulnerabilities, some free.

The Microsoft Baseline Security Analyzer supplied by Microsoft itself, helps check for new security patches and insecure OS and Microsoft application configurations. While its results were somewhat inconsistent at the beginning, it has matured nicely and we feel it is a valuable tool to run, because it is likely to alert you to one or two more things you could do to secure your systems even if you think you’ve already taken care of it all. A third-party alternative to this is HardenNT, a security script generator, available at many locations on the net.350

In addition to these guidelines, many excellent books on the subject of securing Windows exist. These discuss not only OS details, but also networking in the context of Windows systems. For example, a good overview of Windows File Sharing considerations may be found in Windows NT/2000 Network Security351 by E. Schultz.

Another interesting book with Windows “checklist” ideas, registry configuration details, etc. is Have You Locked the Castle Gate352 by Brian Shea.

UNIX/Linux Resources

In the UNIX world there are many tools that set and help check for compliance with organizationally set baselines. The original UNIX hardening script, written originally for Solaris, is Titan (, which also runs on FreeBSD and Linux. Bastille-Linux ( helps administrators lock down a Linux system. JASS ( and YASSP ( can be used to harden a Solaris system.

As noted above, you can find the FBI/SANS list of the Top 10 UNIX vulnerabilities at as well.

Quick navigation to subsections and regular topics in this section




351. Schultz, E. Eugene, Windows NT/2000 Network Security, Macmillan Technical, September, 2000,

352. Shea, Brian, Have You Locked the Castle Gate, Addison-Wesley, April, 2002,

Previous Topic/Section
3.5  Security Baselines
Previous Page
Pages in Current Topic/Section
Next Page
Some Areas to Look At When Hardening an OS
Next Topic/Section

If you find useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $

Home - Table Of Contents - Contact Us

CertiGuide for Security+ ( on
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.