Operating Systems Security




The information in this section is a basic overview of the administrative facts and tasks needed to harden the operating systems targeted on the exam. You are very likely to encounter questions on these operating system fundamentals. Keep in mind that this overview is by no means a detailed administrative “how-to” reference; it isolates the information most likely to appear on the exam.

Throughout this book, you have been introduced to tools, resources, and practices used to harden or better ensure the integrity of your systems and overall network. No matter what operating systems you are protecting, the following well-known practices should be implemented:

  • Stop or remove any unneeded services. Many default operating system installs include and start services such as FTP, Web, and Telnet servers. Every running service is exposed attack surface that must be hardened and patched continuously, and FTP and Telnet also carry credentials in cleartext. Regardless of the operating system you are using, remove or stop any service you do not need.

  • Keep your service packs and patches up-to-date, no matter what operating systems you are running. Variants of viruses and blended threats are developed continuously to take advantage of operating system weaknesses. Operating system software vendors recognize this and develop patches to secure inherent weaknesses.

  • Set up e-mail servers to scan e-mail attachments, and configure them to block attachments whose extensions are known threats. These usually include attachments with extensions such as .bat, .vbs, .exe, .hta, and .scr. Match on the final extension and ignore case: a file named invoice.pdf.EXE is an executable, not a PDF.

  • Isolate any system that is known to be infected—this is important in order to reduce the chances of other systems being infected. Disconnect the infected system from the network. Then follow your corporate or business policy regarding the extraction of evidence (forensics).
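As an added example (not from the book), here is a small shell function that applies the attachment rule above to file names. The extension list is the one given in the bullet; the function name and the sample attachment names are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the book): decide whether an attachment file name
# should be blocked by extension, the way the mail-server filter above would.

# Extensions the text lists as known threats.
BLOCKED_EXTENSIONS="bat vbs exe hta scr"

# is_blocked_attachment NAME -> exit 0 if NAME should be blocked, 1 otherwise.
# The name is normalised before the final extension is compared:
#   - lower-cased, so Report.SCR is treated like report.scr
#   - trailing dots and spaces removed, since Windows strips them when saving,
#     so "setup.exe." really lands on disk as setup.exe
#   - only the last extension counts, so invoice.pdf.exe is an executable
is_blocked_attachment() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[. ]*$//')
    case "$name" in
        *.*) ext="${name##*.}" ;;
        *)   return 1 ;;               # no extension at all: not blocked here
    esac
    for blocked in $BLOCKED_EXTENSIONS; do
        [ "$ext" = "$blocked" ] && return 0
    done
    return 1
}

# Constructed sample attachment names and a report line per name.
for attachment in "quarterly.pdf" "Report.SCR" "invoice.pdf.exe" \
                  "setup.exe." "readme.txt" "notes"; do
    if is_blocked_attachment "$attachment"; then
        printf 'BLOCK  %s\n' "$attachment"
    else
        printf 'ALLOW  %s\n' "$attachment"
    fi
done
```

Extension blocking is a coarse filter: it stops the common self-propagating mail worms of the period, but it does not inspect content, so it complements attachment scanning rather than replacing it.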

Basic Windows Security

As you are most likely aware, many versions of Microsoft Windows exist in the world today in both homes and in business. The current Security+ examination is most likely to focus on the underlying administrative and basic security principles generally associated with Microsoft Windows operating systems. Throughout this book, you have been introduced to administrative principles that apply in general to most Microsoft operating systems. This section is in place to sharpen that knowledge.

Given our security-related focus, and because Microsoft Windows NT and Windows 2000 were, when this guide was written, the most widely used enterprise-level operating systems, we shall target their administrative security basics first.

The following administrative actions (hardening) should be considered after installing Microsoft Windows operating systems. If you are already running a Windows operating system, you should also consider the following recommendations:

Rename the Administrator Account

The most powerful account included with most Microsoft Windows versions is the Administrator account. Attackers often target it with password-guessing and password-cracking programs. It is good practice to rename the Administrator account to something less obvious, which removes the easy target from automated guessing. Be aware of the limit of this measure: the built-in account keeps its well-known relative identifier (RID 500), so an attacker who can enumerate accounts can still find it. Renaming must be combined with a strong password and auditing of failed logons.

Note 

It is likely that you will encounter a question on the exam that asks you which account you should consider renaming in order to protect a Windows operating system better.

Verify That the Windows Guest Account Is Disabled

The Windows Guest account is disabled by default on Windows NT Server, Windows 2000, and Windows XP (Windows NT Workstation shipped with it enabled). Verify that this account is disabled and remains disabled. If the Guest account is enabled, it can be used to access shared resources without entering a password for authentication, which is a major security issue. As mentioned earlier in the chapter, Nimda enables the Guest account and adds it to the Administrators group. For the exam, it is sufficient to know that the Guest account should be, and should remain, disabled.

The following miscellaneous administrative functions should also be considered when using Microsoft Windows operating systems.

  • Remove full control permissions for the Everyone group. For even stronger security, remove the Everyone group from directories altogether.

  • Enable auditing and logging, and review the Security event log. At a minimum, audit logon and logoff events, including failures, and changes to accounts and policy.

  • Remove access to the default administrative shares (C$, D$, ADMIN$), which expose every volume over the network to anyone holding administrative credentials.

  • Use strong passwords that use a combination of letters, numbers, and symbols.

  • Allow administrative access to systems by local sign-on only.

Basic UNIX/Linux Security

If you’re coming from a Microsoft point-of-view, UNIX-based operating systems can seem quite foreign. File systems, access control methods, user accounts, and administrative tasks are designed to work in conjunction with the UNIX kernel—the central component of this OS. Security issues within UNIX-based operating systems are handled in a different manner than their Windows counterparts and we’ll discuss a few items that might show up on the exam.

Linux, arguably the most popular UNIX variant, is actually based on the Linux kernel, which resembles UNIX in many ways but was written from scratch. Just be aware that although Linux and UNIX are often used within the same sentence, they are different animals. With that in mind, let’s take a look at some UNIX/Linux security issues, as well as a few basic concepts that separate UNIX-based OSes from the Microsoft variety.

Although window managers offer a graphical interface to the underlying OS, UNIX is traditionally managed through a command-line interface. Working with commands requires exact knowledge of command syntax and of the file system itself, and both command names and file names are case-sensitive. The most apparent difference in a UNIX environment is the structure of the file system. Instead of drive letters, UNIX and its cousins use a single hierarchy of directories that stem from the top-level directory called root. Root is represented by a slash (/), so a full path in UNIX is written as /etc/testfile: the first slash is root, etc is a directory beneath it, and testfile is a file stored in etc. Files and directories whose names begin with a dot (.) are hidden from a plain directory listing. For example, the directory /home/.secret would be hidden to casual viewers, although anyone can still list it by asking for all entries. Following are a few important directories to be aware of in the UNIX environment.

Note 

You must know the following UNIX directories for the Security+ exam.

  • /home: This directory contains subdirectories named after each user of the system. Personal files are stored here and access is typically limited to root and the owner of the directory.

  • /etc: This directory contains system configuration and administration files.

  • /bin: Named after its binary contents, this directory holds frequently used executables.

  • /dev: This area contains files that point to the physical devices attached to the system.

  • /tmp: As the name implies, this directory stores temporary files and is referred to as the scratch area.

Keep in mind that root is also the name of the administrative user account in UNIX and Linux. The most important step in the installation of a Linux system is setting the password for root, and as always, stronger passwords are better. The root account has system-wide access, and running certain applications as root can cause great harm to the system. Because of the dangers of using the root account, limited-access user accounts can be configured to allow system access to novice users. This is especially helpful when using one of the graphical interfaces to operate a UNIX system. Because these window managers can make changes to the system on their own, their use is not recommended while logged in as root.

One of the greatest challenges in making Linux user friendly has been the creation of a standardized package management system. In Windows, self-contained .exe installers work well because Microsoft has kept a fairly consistent layout for system files. The many flavors of UNIX and Linux, however, vary greatly in where system files are placed. Red Hat developed one package management system for Linux, called RPM. Although it has its quirks, RPM has improved the way applications are installed on Linux. Just like .exe files, .rpm files present security concerns. Installing a package normally requires root privileges even when the user is not logged in as root, and a package's pre- and post-install scripts run as root during installation. A malicious .rpm file can therefore do anything root can, so verify a package's signature and inspect its install scripts before installing anything from an untrusted source.

You might be asked to identify the location of specific system files in the UNIX hierarchy. The following list points out the most significant files and their place in the file system:

  • Account records: These are stored in the /etc/passwd file, which is world-readable and lists each account's user name, numeric UID and GID, home directory, and login shell. Passwords are never stored in clear text; on a system without shadow passwords the password hash sits in the second field of this file, readable by every user, which is what makes shadow passwords necessary.

  • Password hashes: These are stored in the /etc/shadow file, readable only by root, when shadow passwords are enabled; the second field of /etc/passwd then holds only a placeholder (x). The hash format varies with the algorithm (traditional DES crypt, MD5 crypt, or the newer SHA-based schemes), and if accounts are held in a directory service such as LDAP or NIS, the hashes live there instead.

  • Environment variables and shell settings: These are set in hidden start-up files in the user's home directory (~username, normally /home/username), for example .cshrc for the C shell and .bashrc for bash.

  • Common ports and services: This data is found in the /etc/services file. For example, this file tells the system that the Telnet service runs on the TCP port 23.

  • Login settings: These are stored in hidden per-user files such as ~username/.login (C shell) or ~username/.profile and .bash_profile (Bourne-family shells). The commands in these files are executed immediately upon logging in to the system, so anyone who can write to them can run commands as that user at the next login.

  • List of IP addresses mapped to hostnames: These are stored in the /etc/hosts file.

  • Hosts allowed to connect to local services: These are listed in the /etc/hosts.allow file, which TCP Wrappers reads to control incoming connections to the network services it protects (not access to the Internet).

  • Hosts prohibited from connecting to local services: These are listed in the /etc/hosts.deny file. TCP Wrappers consults hosts.allow first and hosts.deny second, and a client matched by neither file is allowed, so a hosts.deny rule of ALL: ALL is what turns the default into deny.
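The passwd and shadow entries above are easiest to understand by auditing a pair of files. The following shell script is an added example (not from the book): the two sample files are constructed for it, the hashes in them are placeholders rather than real ones, and the function names are this example's own. It flags the four conditions the text warns about: a hash stored in the world-readable passwd file (shadow passwords not in use), an empty password field, a second UID 0 account, and hashes made with the old DES or MD5 crypt algorithms.

```bash
#!/usr/bin/env bash
# Added example (not from the book): audit copies of /etc/passwd and
# /etc/shadow for the weaknesses described above. The sample files below are
# constructed for this example; the hashes are placeholders, not real ones.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:1002:1002:Legacy:/home/legacy:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
guest::1003:1003:Guest:/home/guest:/bin/bash
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASHROOT:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASHALICE:19000:0:99999:7:::
bob:abJnggxhB/yWI:19000:0:99999:7:::
legacy:!:19000:0:99999:7:::
toor:$6$saltsalt$PLACEHOLDERHASHROOT:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# Both files are colon-separated with name:password:... as the first fields.
# In passwd, field 2 should be the placeholder "x" (or a lock marker); a real
# hash there is world-readable, meaning shadow passwords are not in use for
# that account.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" {print $1}' "$1"
}

# An empty password field in either file lets the account log in with no
# password at all.
empty_password_accounts() {
    awk -F: '$2 == "" {print $1}' "$1" "$2" | sort -u
}

# Any UID 0 account is root, whatever it is called.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# The hash algorithm is visible in the prefix: traditional DES crypt has no
# prefix and is exactly 13 characters; "$1$" is MD5 crypt. Both are weak
# compared with "$5$" (SHA-256) or "$6$" (SHA-512). Checked in both files.
weak_hash_accounts() {
    awk -F: '($2 ~ /^\$1\$/) || (length($2) == 13 && $2 !~ /^\$/) {print $1}' "$@" | sort -u
}

# One-line summary per finding, for the given passwd and shadow paths.
report() {
    printf 'Hash stored in passwd (shadow not in use): %s\n' "$(unshadowed_accounts "$1" | tr '\n' ' ')"
    printf 'Empty password field:                      %s\n' "$(empty_password_accounts "$1" "$2" | tr '\n' ' ')"
    printf 'Extra UID 0 accounts:                      %s\n' "$(extra_uid0_accounts "$1" | tr '\n' ' ')"
    printf 'Weak hash algorithm (DES or MD5 crypt):    %s\n' "$(weak_hash_accounts "$1" "$2" | tr '\n' ' ')"
}

report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a real system the same functions can be pointed at /etc/passwd and /etc/shadow, but reading the shadow file requires root, which is the whole point of shadow passwords.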

Now, let’s look at a few basic commands in the UNIX/Linux world:

  • tar: The tape archive command bundles files and directories into a single archive file, and extracts them again; it is commonly used to make backups.

  • ls: This command lists the contents of a directory. Its DOS equivalent is dir.

  • rm: This command deletes files.

  • passwd: This command is used to create or change user passwords.

  • chmod: This command changes the access permissions (or mode) of a file, which are set separately for the owner, the owner's group, and everyone else. For example, you might chmod a file from read-only to read-write-execute; granting write or execute permission to everyone else is rarely appropriate.

  • gzip: This command compresses files. To uncompress, the command gunzip is used.

  • pwd: This command displays the complete path of the current directory. Literally, it stands for print working directory. Don’t confuse it with passwd.

  • rlogin: This command initiates remote login sessions. Like Telnet, it sends the password and the entire session in cleartext, so it should be replaced by SSH.

  • kill: This command terminates application processes.

  • make: This command builds programs from source code. Building does not require root; installing the result into system directories (make install) usually does, which is why the install step of an untrusted build should be examined before it is run as root.

  • su: The substitute user command starts a shell as another user, by default root, granting temporary root privileges to whoever supplies the root password. Because any non-root user can execute this command, the root password must be protected vigorously.

Now, let’s take a look at a few tactics that prevent security breaches in a UNIX/Linux system. The most critical security concerns relate to the root user account. Operating as root exposes a system to Trojans and other maladies, and leaving an unattended system logged in as root is obviously a bad idea. Remote login for the root account should be disabled. The file /etc/securetty lists the terminal devices from which root may log in through the login program; removing or commenting out every entry except the physical and virtual consoles blocks root logins over Telnet and rlogin, which arrive on pseudo-terminals. For SSH, the PermitRootLogin directive in the sshd configuration file must be set to no. As with other OSes, always disable unused ports, services, executables, and protocols. Disable unused or dormant user accounts. Use encryption whenever possible and employ SSL and SSH to protect services and protocols. Make sure that the shadow password file is in use. If it’s installed, disable autologin.
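The two root-login controls described above can be checked mechanically. The following shell script is an added example (not from the book): the sshd_config and securetty contents are constructed for it and written to temporary files rather than read from a real system, and the function names are this example's own. It shows a weak and a hardened version of each file side by side, and also demonstrates a pitfall the text does not mention: sshd honours the first PermitRootLogin line it reads, so appending a corrected line to the end of the file changes nothing.

```bash
#!/usr/bin/env bash
# Added example (not from the book): check whether remote root login is
# disabled, first for SSH via the PermitRootLogin directive in sshd_config,
# then for login(1) via /etc/securetty. The configuration files below are
# constructed for this example and written to temporary paths; they are not
# copies of any real system's files.

WEAK_SSHD=$(mktemp); HARDENED_SSHD=$(mktemp)
WEAK_SECURETTY=$(mktemp); HARDENED_SECURETTY=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$HARDENED_SSHD" "$WEAK_SECURETTY" "$HARDENED_SECURETTY"' EXIT

# Weak: root may log in over SSH. The second PermitRootLogin line is a trap
# for anyone who "fixes" the file by appending: sshd keeps the FIRST value
# it reads for a keyword and silently ignores later ones.
cat > "$WEAK_SSHD" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, never takes effect:
PermitRootLogin no
EOF

# Hardened: a single directive, set to no.
cat > "$HARDENED_SSHD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication yes
EOF

# Weak securetty: pseudo-terminals (pts/N, ttypN) are what telnetd and
# rlogind hand out, so listing them lets root log in from the network.
cat > "$WEAK_SECURETTY" <<'EOF'
console
tty1
tty2
pts/0
ttyp0
EOF

cat > "$HARDENED_SECURETTY" <<'EOF'
# physical console and virtual consoles only
console
tty1
tty2
EOF

# Print the effective PermitRootLogin value: keywords are case-insensitive
# and the first occurrence wins. Prints nothing if the directive is absent,
# in which case the compiled-in default applies ("prohibit-password" in
# OpenSSH 7.0 and later, "yes" in older releases), so absence is a finding
# too. Match blocks, which can override the global value, are not evaluated.
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" {print $2; exit}' "$1"
}

# Exit 0 only when root SSH login is explicitly disabled.
check_root_ssh() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# List securetty entries that are neither the console nor a numbered virtual
# console, i.e. entries that let root log in from somewhere else.
securetty_remote_ttys() {
    awk '$1 !~ /^#/ && $1 != "" && $1 != "console" && $1 !~ /^tty[0-9]+$/ {print $1}' "$1"
}

for cfg in "$WEAK_SSHD" "$HARDENED_SSHD"; do
    if check_root_ssh "$cfg"; then
        printf 'sshd_config OK: PermitRootLogin no\n'
    else
        printf 'sshd_config FINDING: effective PermitRootLogin is "%s", expected no\n' \
            "$(sshd_permit_root_login "$cfg")"
    fi
done

for tty_file in "$WEAK_SECURETTY" "$HARDENED_SECURETTY"; do
    remote=$(securetty_remote_ttys "$tty_file" | tr '\n' ' ')
    if [ -n "$remote" ]; then
        printf 'securetty FINDING: root may log in on %s\n' "$remote"
    else
        printf 'securetty OK: console only\n'
    fi
done
```

On a live system, point the functions at /etc/ssh/sshd_config and /etc/securetty and remember that the sshd check reports the configured value only; a Match block or an older compiled-in default can change what the daemon actually enforces.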






The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
