|Like this CertiGuide? Get it in PDF format!|
Use coupon code "certiguide" to save 20%!
|Also available: 300-question Security+ practice test!|
|Get It Here!|
(Page 6 of 10)
OS, Network and Application Hardening
When hardening an OS, some steps
you may wish to take include:
- Research common guidelines that include a set
of specific activities for hardening each specific OS you use, and start
with these as a base of potential improvements; build on it from there,
adding and subtracting items as needed.
- Improved user/password management (remove unused
accounts, enforce password guidelines such as length and ageing, log
logins/logouts/attempts/account changes, consider putting users into
groups to ease administration and enforce lockout of accounts after
a number of unsuccessful attempts).
- Analyze where youve just taken the
defaults during an OS installation and decide whether it was appropriate;
some defaults may install unnecessary services which lead to vulnerabilities;
in general, you should make sure that only required components are installed,
and only required services are enabled.
- Tighten polices in use (if your OS
supports it (such as Windows), you can use system and network policies
to lock down entire groups of machines and users at a time).
- Select a secure file system (on Windows machines,
file systems like FAT are not secure, because permission-based access
is not used; a better Windows choice is FAT; also consider an encrypting
file system so that if an attacker steals the disk and tries to read
it directly on another machine, he will not be able to get the data;
you might also consider the robustness of the file system
and its resistance to data corruption
some file systems are better
- Select secure authentication mechanisms (choose
something like Kerberos rather than a mechanism that transmits the password
in cleartext; in Windows 2000 and higher, this has already been done
for you courtesy of the Kerberos functionality built into the OS).
- Set appropriate permissions on files and directories
(do not allow users to write into system directories; follow guidelines
appropriate to your organization for restricting users access
to other users files).
- Keep on top of updates, such as patches (a fix
to a software problem; sometimes patches add new features, but usually
just fix bugs), hotfixes (interim fixes issued for critical bugs that
are often security-related; they are generally developed more quickly
and are less tested than service packs) and service packs (or update
pack, which is a collection of patches; service packs are often heavily
tested to minimize the potential for trouble after installation); be
aware that ANY update you install to your system may break something,
so you should test any update during non-production hours to ensure
compatibility with your existing system configurations.
When hardening a network, some steps
you may wish to take include:
- Update firmware (the updateable programming that
determines how a device operates; it is important to watch for vendor
updates and update firmware on a regular basis, since it can correct
security bugs in hardware devices just as OS updates correct OS vulnerabilities).
- Carefully configure each device (changing any
default or blank passwords on the device will remove lots of low
hanging fruit from attackers; make any configuration changes recommended
by the vendor to improve security).
- Disable any non-required services on the device,
as unnecessary services running on the device increase vulnerability
without adding any functionality your organization needs.
- Use access control lists to specify traffic that
will and will not be allowed to pass through the device (it is common
to deny all inbound traffic, and list exceptions that will be permitted
such as traffic inbound on port 80 to the web server, inbound on port
25 to the mail server, etc., and often common to permit all outbound
traffic; permit all outbound traffic is becoming less popular
as employers crack down on employee use of peer-to-peer Internet services,
and workday Internet browsing; you should also use access control lists
to specify that inbound traffic with a source address equal to your
inside network should not be allowed, and outbound traffic with a source
address not inside your network should not be allowed, to help foil
When hardening network applications,
you should ensure that the platform on which they are deployed (the
OS) is secure by following the guidelines listed above for hardening
an OS. Since these machines tend to be more attractive targets to attackers,
special attention should be paid to keeping them up to date with patches
and secured. Most network applications in common use involve services
running on well-known TCP/IP ports (that is, on ports numbered 0-1023),
although TCP/IP ports up to 65535 are possible. In general, you should
make sure that only required services and applications are installed
on each server; a common guideline is to require that each server do
only one thing (be a web server, be an email server, be a database server,
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.