CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.5  Security Baselines            9  3.5.1  OS/NOS Hardening

Some Areas to Look At When Hardening an OS 1 2 3.5.1.2  Updates

File system issues are important to consider when hardening an OS. These relate to both the type of file system chosen, and the access controls on information stored in them.

In most modern operating systems, an administrator can choose to format a disk in any number of standardized formats, called file systems. For example, in the Windows world, there is NTFS, FAT-32, FAT-16, etc. In the UNIX world, there are MS-DOS compatible file systems, JFS, extfs, ReiserFS, etc. The best way to make sense of these is to study your documentation, as complete coverage of the attributes of these file systems is beyond the scope of this document.

Several security-related aspects of file systems are important to consider when choosing a file system:

• What kind of access controls does the file system provide? (Some, like the FAT-32, provide none);
  
  
• What kind of encryption/data privacy features does the file system provide? (Again, some may provide none, requiring you to use application-level encryption);
  
  
• How resistant is the file system to loss of data as a result of a system crash? (Some, like compressed file systems sometimes used in days of old to conserve disk space, were notoriously bad; others, like the journaling file system for UNIX, are generally good).

As noted above, some file systems are notorious for losing data when the system crashes. Other file systems are noteworthy for being robust, such as the JFS (journaling file system)³⁵⁹ available for Linux. When thinking about file system security, it’s tempting to focus primarily on access controls. But it’s important to also take into account the reliability of the file system – if your data disappears when there are system problems, it can cause as much business disruption as a cracker intrusion.

Of course, one should also visit the topic of proper file access control configuration. File access permissions provided by an OS depend on the file system involved. As mentioned above, some file systems like the Windows FAT-32 file system and its ancestors provide no file access control permissions (giving everyone locally accessing the machine full permissions to all files and instead leaving it up to network share permissions to control access granted to remote users).

Some Areas to Look At When Hardening an OS 1 2 3.5.1.2  Updates