Some Areas to Look At When Hardening an OS
(Page 1 of 4)
In addition to file systems and OS updates (covered in upcoming sections), some areas to look at when hardening an OS installation include user accounts, installed OS options, available services and OS configuration.
Multi-user systems such as Linux and Windows 2000 support the concept of user accounts, so that each person accessing a system does so with a unique identifier. This makes it easy to log interesting events, define privileges for special users, etc.
Along with user accounts, most (if not all) OSs have some concept of a supervisor level account with additional privileges. In Windows, the user ID is Administrator. In UNIX, this user is root, a.k.a. the super user account, by default. Both Windows and UNIX let you rename the account, which is not a bad practice, since it complicates the life of password-guessers (if they mindlessly attack Administrator, and your administrative account is named SiteManager, theyll be at it all day, to no effect). This is possible because in both OSs, security is actually based on a value underlying the user ID name the UID on UNIX and the SID (Security ID) on Windows. The UNIX UID is a numeric value, whereas the SID is a rather long string.
Additionally, both Windows and UNIX allow users to be categorized into groups which can be used when setting permissions (this is particularly valuable on Windows systems due to its flexibility in assigning permissions to multiple groups). As with user IDs, groups are named, but are really referenced by underlying GID or SID.
Its a good idea to regularly audit your user databases, looking for accounts which are no longer used, or which have no password (even if you didnt create an account without a password, a software package installation routine may have), and to disable any such accounts that are found. Similarly, as weve discussed elsewhere in this book, enforce a policy in which passwords are changed regularly, and meet some minimum criteria for strength (such as minimum 6 characters, not appearing in a dictionary, etc.).
Be careful when assigning administrative permissions to users (sometimes people do this as the easy way out when other security settings, such as file permissions, were set, possibly inadvertently to deny users access; youre much better off spending the time to resolve the underlying issue)
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.