3.5.1 OS/NOS Hardening
OS hardening deals with the actions that can be taken to secure an OS.
In this section, we look at resources for hardening Windows and UNIX systems, and then we look at particular areas of consideration. Note that practical measures for any specific OS are beyond the domain of the Security+ exam, so we present these as geek tips. Nevertheless, if you're going to be working in Security, you really do need to know the practical details of securing your organization's operating systems of choice. Here are some hints on where to look for this information.
In the Windows world, there are both written guidelines, such as the SANS Gold Standard, and automated tools, like the Microsoft Baseline Security Analyzer, which attempt to automate some baseline security measures. The following are two resources in which the US government was involved.
The Gold Standard is a recent development by the Center for Internet Security, DISA, NSA, NIST, SANS and GSA. The US National Security Agency, after review of successful system compromises of Windows 2000 during the past eighteen months, found that more than 85% of them would have been blocked had the owners been using the Gold Standard. Heard enough? Go get it [349]. Similarly, the FBI/SANS duo has updated its list of the Top 10 Windows vulnerabilities, as of October, 2002. This list, and a similar list for UNIX systems, is available at http://www.sans.org/top20/. Also available at this site is a list of vendors supplying scanners that check for the presence of these vulnerabilities, some free.
The Microsoft Baseline Security Analyzer, supplied by Microsoft itself, helps check for new security patches and insecure OS and Microsoft application configurations. While its results were somewhat inconsistent at the beginning, it has matured nicely and we feel it is a valuable tool to run, because it is likely to alert you to one or two more things you could do to secure your systems even if you think you've already taken care of it all. A third-party alternative to this is HardenNT, a security script generator, available at many locations on the net. [350]
In addition to these guidelines, many excellent books on the subject of securing Windows exist. These discuss not only OS details, but also networking in the context of Windows systems. For example, a good overview of Windows File Sharing considerations may be found in Windows NT/2000 Network Security [351] by E. Schultz.
Another interesting book with Windows checklist ideas, registry configuration details, etc. is Have You Locked the Castle Gate [352] by Brian Shea.
In the UNIX world, there are many tools that set and help check for compliance with organizationally set baselines. The original UNIX hardening script, first written for Solaris, is Titan (http://www.fish.com/titan), which also runs on FreeBSD and Linux. Bastille-Linux (http://www.bastille-linux.org) helps administrators lock down a Linux system. JASS (http://www.sun.com/blueprints/tools) and YASSP (http://www.yassp.org) can be used to harden a Solaris system.
As noted above, you can find the FBI/SANS list of the Top 10 UNIX vulnerabilities at http://www.sans.org/top20/ as well.
351. Schultz, E. Eugene, Windows NT/2000 Network Security, Macmillan Technical, September, 2000, http://www.nerdbooks.com/item.html?id=1578702534
352. Shea, Brian, Have You Locked the Castle Gate, Addison-Wesley, April, 2002, http://www.nerdbooks.com/item.html?id=020171955X.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.