WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Read this whole guide offline with no ads, for a low price!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Need more practice? 300 additional Security+ questions!
Get It Here!

Custom Search






Table Of Contents  CertiGuide to Security+
 9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)
      9  3.5  Security Baselines
           9  3.5.1  OS/NOS Hardening

Previous Topic/Section
Some Areas to Look At When Hardening an OS
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 3.5.1.2  Updates
Next Topic/Section

3.5.1.1  File System
(Page 2 of 2)

Windows/NTFS



Windows NTFS-based file systems typically provide the following permissions, accessed by right clicking to open a file’s Properties menu and then selecting the Security tab:

  • Read – Read files, list the names of files in directories, read attributes and permissions, synchronize.

  • Write – Create and write files, create folders, write attributes, read permissions, synchronize.

  • Modify – Same as “Read and Execute”, plus create and write files, create folders, write attributes, delete.

  • Read and Execute – Same as “Read” permissions, plus allow users to run program files and travel through directories to reach lower level files.

  • List Folder Contents – Same as “Read and Execute”.

  • Full Control – allows all of the above, plus delete subfolders and files, change permissions, and take ownership.

Each of these permissions can be granted to a user or group that the OS knows about. Be cautious about granting Full Control, since that gives the user “the keys to the kingdom” as far as that file is concerned. In reality, these permissions are just a convenient way of specifying useful groups of finer-grained permissions. The full list of permissions can be accessed via the “Advanced” tab.

UNIX/Linux

UNIX/Linux file systems typically provide the following permissions, which you can specify separately for the owner of the file, users who are in the “group” that is assigned to the file, and everyone else (a.k.a. “other” in UNIX speak):

  • Read – allow users to read files, and list the names of files in directories.

  • Write – allow users to write and rewrite files, and create and delete files in directories.

  • Execute – allow users to run program (script and binary) files, and travel through directories to reach lower level files.

[spacer]*NIX Also Offers

Additional attributes that can be assigned to UNIX files along with those basic permissions include:

1. Sticky: On a directory set with write permission, keeps the user from deleting files owned by users other than themselves (other users’ files are “sticky” to the directory… get it?).

2. Set user ID / Set group ID: Allows the process to take on the user ID or group ID assigned to the file, when it is run (this can be a major security issue… files with these permissions are often security vulnerabilities waiting to happen).


As you can see, the UNIX permissions model is considerably less complex than the Windows model, at the cost of some feature richness, such as being able to assign different permissions to different groups of users.

Putting *NIX Power to Practice

Example file-system-related policies you could (and probably should) enforce include:

1. Don’t allow users write privilege into system directories, or shared data directories they don’t need to update (be warned that some software still insists on writing into C:\WINDOWS\SYSTEM32 no matter how annoying this is, and that because of this, some organizations may not be able to completely lock down all directories).

2. Provide each user with their own home directory, whose file access control settings fit your organization (for some organizations, this might mean the directory is unreadable by all users except the directory’s owner; for others, it might mean everyone can read it but only the owner can write to it).

3. Make sure that sensitive shared data directories are unreadable by everyone except those authorized to use them.



Previous Topic/Section
Some Areas to Look At When Hardening an OS
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 3.5.1.2  Updates
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.