Operating System Hardening Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018)

Objectives Properly configure a secure Windows system Properly configure a secure Linux system Apply appropriate operating system patches to Windows Apply application patches Securely configure a web browser

Introduction Securely configuring the operating system and its software is a critical step in system security that is often neglected. It is not enough to just implement firewalls and proxy servers, it is also important to secure internal machines and the applications and information they house. You may want to revisit security in-depth and what that means.

Configuring Windows Properly Key configuring tasks include Disable unnecessary services Configure the Registry Enable the firewall Configure the web browser

Windows Accounts and Users Disable default user accounts and groups Disabling the default administrator account is better than renaming it. Other accounts to disable if not used IUSR_MachineName ASP.NET Database accounts Assign each account the least privileges needed to perform the job  The principle of least privileges Discuss the default accounts that are created during installation of Windows.

Windows Security Policies Password policies History, age, length, complexity Account lockout policies Other issues Users should not write passwords down Users should not share passwords Users should have the least privileges required Have separate admin accounts and standard user accounts Only use the admin accounts for tasks that require admin privileges You may want to include a discussion of the information presented in the tables. The following slides have those tables to display if you need them. Explain the additional issues of protecting passwords and granting access when required.

Default Windows Password Policies

Password Setting Recommendations

Windows Lockout Policies

Recommended Lockout Policies

Registry Basics Hierarchical Database Edit using regedit Top-level sections HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS HKEY_CURRENT_CONFIG Explain what registry settings are held in each of these folders.

Registry Editing Caution Incorrect editing of your registry can render parts of your operating system unusable. If you are new to registry editing, do not practice on a production machine that has critical data. Explain the danger associated with editing the registry.

Securing the Registry Restrict Null session access Restrict Null session access over named pipes Restrict anonymous access Change TCP/IP stack settings Disable default administrative shares Disable remote access to the Registry Restrict anonymous access to the Registry Continue discussion of the registry. You may want to demonstrate viewing the registry through regedit. (DO NOT CHANGE ANYTHING HERE, UNLESS YOU KNOW WHAT YOU ARE DOING.) Note Table 8.5 on the next slide.

Securing the Registry

Working with Window Services Services run without direct user intervention Referred to as daemons in Linux/Unix Disabling unneeded services can increase security Use the Services.msc console to manage services Be careful not to disable a service that’s needed; Use the Dependencies tab to see whether other services depend on the one you are about to disable Demonstrate the Services console and show how to disable and enable services.

Encrypting File System (EFS) Encrypts files and folders for greater security Uses a method based on public key encryption Virtually transparent to the user Built into Windows and easy to use Discuss EFS and how it benefits the user and how it might affect the user.

Security Templates A security template contains hundreds of possible settings that can control a single or multiple computers Settings include user rights, permissions, and password policies Enable administrators to deploy settings with Group Policy Objects (GPOs) Discuss the purpose and use of security templates.

Security Templates Hisecdc.inf: Domain controllers (more secure) Securedc.inf: Domain controllers (less secure) Hisecws.inf: Client computers and member servers Securews.inf: Client computers and member servers Setup security.inf: Reapplies the default security settings of a freshly installed computer Explain the differences between each of these different templates. Refer to the end-of-chapter exercise on security templates for practice.

Configuring Linux Properly Many security principles apply in Linux as they do in Windows Commonalities between Windows and Linux Default users and policies (names are different) All services not in use should be shut down Browser must be configured securely Routinely patch the OS Explain the commonalities between Linux and Windows and that differences reside in the implementation, not necessarily in how the security policies act.

Configuring Linux Properly cont. Differences between Linux and Windows No application should run as the root user Root password must be complex and changed frequently Disable all console-equivalent access for regular users Hide your system information Discuss how the two operating systems differ.

Patching the Operating System Allow Windows Update to run automatically in Windows to keep the OS up to date In Linux, open up a terminal window and type sudo apt-get upgrade.

Configuring Browsers Privacy settings Security settings Block third-party cookies Prompt for first-party cookies Always allow session cookies Security settings Limit what can run Unsigned components ActiveX Java Explain where and how you would configure the privacy and security settings in IE. You might give examples both in Windows and Macintosh.

Configuring Browsers Each browser has its own way of changing settings General principles: Limit cookies Do not allow ActiveX to run without your knowledge Do not allow any scripts to execute without your knowledge Provide examples of the differences between IE and other browsers such as Chrome and Firefox.

Summary Hardening of operating systems is a critical part of network security Proper security configuration can make hacking more difficult Encrypted File System (EFS) can secure information on the local computer Disable unneeded services in Windows Proper Registry settings are also key in a Windows environment

Summary Failure to properly configure Registry settings will greatly reduce the security of the computer Securing the browser can limit exposure to malware Summarize the finer points of securing your browser.