CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.5  Security Baselines            9  3.5.1  OS/NOS Hardening

3.5.1  OS/NOS Hardening 1 2 3 4 3.5.1.1  File System

In addition to file systems and OS updates (covered in upcoming sections), some areas to look at when hardening an OS installation include user accounts, installed OS options, available services and OS configuration.

Multi-user systems such as Linux and Windows 2000 support the concept of user accounts, so that each person accessing a system does so with a unique identifier. This makes it easy to log interesting events, define privileges for special users, etc.

Along with user accounts, most (if not all) OS’s have some concept of a supervisor level account with additional privileges. In Windows, the user ID is Administrator. In UNIX, this user is “root”, a.k.a. the “super user” account, by default. Both Windows and UNIX let you rename the account, which is not a bad practice, since it complicates the life of password-guessers (if they mindlessly attack Administrator, and your administrative account is named SiteManager, they’ll be at it all day, to no effect). This is possible because in both OS’s, security is actually based on a value underlying the user ID name – the UID on UNIX and the SID (Security ID) on Windows. The UNIX UID is a numeric value, whereas the SID is a rather long string.

Additionally, both Windows and UNIX allow users to be categorized into “groups” which can be used when setting permissions (this is particularly valuable on Windows systems due to its flexibility in assigning permissions to multiple groups). As with user ID’s, groups are named, but are really referenced by underlying GID or SID.

It’s a good idea to regularly audit your user databases, looking for accounts which are no longer used, or which have no password (even if you didn’t create an account without a password, a software package installation routine may have), and to disable any such accounts that are found. Similarly, as we’ve discussed elsewhere in this book, enforce a policy in which passwords are changed regularly, and meet some minimum criteria for strength (such as minimum 6 characters, not appearing in a dictionary, etc.).

Be careful when assigning administrative permissions to users (sometimes people do this as the “easy way out” when other security settings, such as file permissions, were set, possibly inadvertently to deny users’ access; you’re much better off spending the time to resolve the underlying issue)

3.5.1  OS/NOS Hardening 1 2 3 4 3.5.1.1  File System