
Some Areas to Look At When Hardening an OS
(Page 1 of 4)

In addition to file systems and OS updates (covered in upcoming sections), some areas to look at when hardening an OS installation include user accounts, installed OS options, available services and OS configuration.

User Accounts

Multi-user systems such as Linux and Windows 2000 support the concept of user accounts, so that each person accessing a system does so with a unique identifier. This makes it easy to log interesting events, define privileges for special users, etc.

Along with user accounts, most (if not all) operating systems have some concept of a supervisor-level account with additional privileges. In Windows, the user ID is Administrator. In UNIX, this user is, by default, “root”, a.k.a. the “super user” account. Both Windows and UNIX let you rename the account, which is not a bad practice, since it complicates the life of password-guessers (if they mindlessly attack Administrator, and your administrative account is named SiteManager, they’ll be at it all day, to no effect). This is possible because in both operating systems, security is actually based on a value underlying the user ID name: the UID on UNIX and the SID (Security ID) on Windows. The UNIX UID is a numeric value, whereas the SID is a rather long string.

Additionally, both Windows and UNIX allow users to be categorized into “groups” which can be used when setting permissions (this is particularly valuable on Windows systems due to their flexibility in assigning permissions to multiple groups). As with user IDs, groups are named, but are really referenced by an underlying GID or SID.

It’s a good idea to regularly audit your user databases, looking for accounts which are no longer used, or which have no password (even if you didn’t create an account without a password, a software package installation routine may have), and to disable any such accounts that are found. Similarly, as we’ve discussed elsewhere in this book, enforce a policy in which passwords are changed regularly, and meet some minimum criteria for strength (such as minimum 6 characters, not appearing in a dictionary, etc.).
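One way to run the UNIX side of this audit is sketched below as an added example (it is not part of the original guide). It reads text in `/etc/passwd` and `/etc/shadow` format and reports accounts with no password, accounts whose password is older than a policy limit, and every account holding UID 0 regardless of its name. The sample account data and the 90-day limit are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sitemanager:x:0:0:renamed admin:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
pkgsvc:x:1003:1003:installed by a package:/var/lib/pkgsvc:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:19700:0:90:7:::
sitemanager:$6$constructed$hash:19700:0:90:7:::
alice:$6$constructed$hash:19690:0:90:7:::
bob:$6$constructed$hash:19000:0:90:7:::
pkgsvc::19650:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

def audit(passwd_text, shadow_text, today, max_age_days=90):
    """Return account names grouped by finding; max_age_days is an assumed policy value."""
    today_days = (today - date(1970, 1, 1)).days  # shadow stores dates as days since epoch
    uid0 = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Privilege follows the numeric UID (field 3), not the account name.
        if len(fields) >= 3 and fields[2] == "0":
            uid0.append(fields[0])
    findings = {"uid0": uid0, "empty_password": [], "stale_password": []}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        name, pw, lastchg = fields[0], fields[1], fields[2]
        if pw == "":
            findings["empty_password"].append(name)   # login needs no password
        elif pw[0] in "!*":
            continue                                   # locked: no password login
        elif lastchg.isdigit() and today_days - int(lastchg) > max_age_days:
            findings["stale_password"].append(name)   # password older than policy
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_SHADOW, date(2024, 1, 1)))
```

On a real system the two files would be read as root and each reported account reviewed before it is disabled; a UID 0 entry is expected for the one administrative account, and any others deserve a closer look.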

Action Steps

Some action steps you can (and probably should) take in the area of user accounts include:

1. Remove unused accounts.

2. Enforce password security.

3. Enforce account lockout on unsuccessful password attempts.


Be careful when assigning administrative permissions to users. Sometimes people do this as the “easy way out” when other security settings, such as file permissions, were set (possibly inadvertently) to deny users access; you’re much better off spending the time to resolve the underlying issue.



CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.