System administrators are responsible for the configuration of operating systems to meet an organization’s security control requirements. Learn about the concept of operating system hardening, including managing security settings, patch management and trusted operating systems.
- [Instructor] System administrators are responsible for the configuration of operating systems to meet an organization's security control requirements. This is an extremely important responsibility because attackers can often exploit security vulnerabilities to gain access to a vulnerable system and even potentially leverage that access to compromise an entire network. Let's take a look at three important operating system security issues: security settings, patch management, and trusted operating systems.
There are many different security settings in any operating system that you can customize to meet the security needs of your organization. You'll want to establish a security baseline for your organization that includes the settings important in your environment. One of these is limiting the access that users have to administrative resources because this level of access can result in security compromises. Let's take a look at how to limit administrative access on a Windows system. Here I am on the desktop of a Windows system.
Windows manages many security settings through group policy objects. We want to ensure that users on endpoint devices do not have administrative access to their computers. We do that by opening up the Group Policy Management tool. I'm going to navigate here to the Group Policy Objects folder and create a new GPO for this domain by right-clicking on this and choosing New. It's important to give GPOs descriptive names because you'll want to be able to remember what the GPO does when you come back and look at the object's name months or years later.
Let's call this one "Limit administrative access to local systems." That's a pretty descriptive name, and I'm pretty confident that I'll understand what that means later on. I click OK to create the GPO, and I now have an empty GPO. It's a shell that does nothing. I need to make sure that this GPO limits administrative access. I'm going to right-click on it and choose Edit, which launches the Group Policy Management Editor. I want to use this GPO to remove every user from the local Administrators group on the system.
This is a user configuration setting, so I'm going to go here to User Configuration and then drill down into Preferences, Control Panel Settings, and I'm going to right-click on Local Users and Groups here. I'm going to tell Windows that I want to create a new local group. That's a little confusing terminology because I actually want to remove someone from an existing local group. But we'll tell Windows that in this window. See here where the action says Update instead of the alternatives: Create, Replace, and Delete.
That means that I'm going to modify an existing group. The group that I want to modify is the built-in Administrators group, so I'm going to choose that here. And the action I want to take is to remove the current user from the group. When I click Apply, that applies this policy to all users in the domain, removing them from the local Administrators group and giving them only normal user access. I'm going to click OK and then just close out of the Group Policy Management Editor and Group Policy Management.
The second operating system security issue that we'll discuss is patch management. Applying patches to operating systems is critical because it ensures that systems are not vulnerable to security exploits discovered by attackers. Each time an operating system vendor discovers a new vulnerability, they create a patch that corrects the issue. Promptly applying patches ensures a clean and tidy operating system. In Windows, the Windows Update mechanism is the simplest way to apply security patches to systems as soon as they are released.
Let's return to our Windows system and take a look at how to enable Windows Update. I'm going to go ahead and open the Control Panel. Then I'm going to choose System and Security and click on Windows Update. You can see here information about recent updates. I'll go ahead and click the "Check for updates" button, which causes this system to reach out to Microsoft servers to determine whether there are patches available for security or other fixes. And, as you can see here, this computer is currently up to date.
There aren't any critical patches that need to be applied. Even though the system now has all the available updates, let's go ahead and configure it to automatically apply updates in the future. I'm going to click on "Change settings" here. And then look at where it says "Important updates": notice there's this red X and it says "Never check for updates (not recommended)." This system is currently configured not to reach out for security updates. If I pull this down here, I can look and see there are other choices available to me. The recommended choice is "Install updates automatically," where the computer will periodically reach out to Microsoft servers, check for updates, and then automatically install them on the system to make sure that it is up to date with current security standards.
That's the best choice, and I'm going to choose that here. I'll go ahead and click OK, and Windows goes ahead and does one more check for updates to see if there's anything available right now. It tells me I'm okay. And notice now it says "You're set to automatically install updates." I can rest easy knowing that Windows will reach out and update my system when new patches are available. Now let's look at applying updates on a Linux system. There are several different ways to update Linux systems that vary depending upon the distribution that you're using.
I have an SSH session open here to a Linux system running in Amazon Web Services. And, as you can see, on the login banner the system is telling me that there are updates available. There are 11 packages needed for security out of 27 available updates. And conveniently, it even tells me the command that I need to enter to apply the updates. The sudo command tells the system that I need to use root administrator privileges, and I want to run the yum package manager and tell it to apply updates.
Let's go ahead and do that. I'm going to type in `sudo yum update` and hit Enter. The system goes through and checks what updates are available. Here's a list of all the packages it wants to install and update. And then down here, it tells me it wants to install one package and upgrade 26 packages, and that will take about 52 megabytes of download. And it's asking my permission to do that. I came here to apply updates, so I'm going to say yes. And the Linux system is going to go ahead and apply these updates.
It shows me that it's downloaded those 27 updates and it's now going through the updating and cleaning process. We're almost done here, as we've gone through 53 different steps to apply these updates, and we'll soon see that this system is fully patched. And then the update completes. That's how we apply patches to a Linux system. The final concept we'll discuss in this video is the trusted operating system. This is a formal term used to describe operating systems that have gone through an accreditation process by government agencies, known as the Common Criteria.
The process for accreditation as a trusted operating system is very rigorous, and very few operating systems go through this process because it frankly doesn't matter very much outside very secure defense applications. Unless you work in the military sector, you probably won't encounter the trusted operating system concept in real life. But you should be familiar with the term for the CISSP exam. In this video, we discussed three important operating system security concepts: managing security settings, patch management, and trusted operating systems.
It's also important to lock down your operating system configuration by hardening the services, management interfaces, and accounts that it uses.
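As an added example that is not part of the course or its transcript, the PowerShell below audits, on the machine it runs on, the two Windows settings the video configures through the GUI: membership of the local Administrators group and the automatic-updates setting. The allow list, the `CONTOSO\Domain Admins` and `CONTOSO\Workstation Admins` group names, and the `-Remediate` switch are assumptions for illustration; the registry value meanings in the comments assume the Windows 7/8-era Control Panel shown in the video for the local key and the standard Windows Update policy key for GPO-managed machines. It requires PowerShell 5.1 or later (for `Get-LocalGroupMember`) in an elevated session.

```powershell
# Added example, not from the course. Run from an elevated PowerShell 5.1+ prompt.
# $Allowed, the CONTOSO group names and -Remediate are assumptions for illustration.

function Test-LocalAdminMembers {
    [CmdletBinding()]
    param(
        # Principals allowed to remain in the local Administrators group (assumed baseline).
        [string[]]$Allowed = @(
            "$env:COMPUTERNAME\Administrator",   # built-in local admin account
            'CONTOSO\Domain Admins',            # assumed domain groups
            'CONTOSO\Workstation Admins'
        ),
        # Remove anything not on the allow list instead of only reporting it.
        [switch]$Remediate
    )
    $members = Get-LocalGroupMember -Group 'Administrators'
    $drift   = @($members | Where-Object { $Allowed -notcontains $_.Name })
    foreach ($m in $drift) {
        Write-Warning ("Unexpected local admin: {0} ({1}, {2})" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
        if ($Remediate) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
    }
    # Returns the principals that violated the baseline (empty when compliant).
    return $drift
}

function Test-AutoUpdateSetting {
    # A GPO-managed value wins; the Control Panel choice in the video lands in the local key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $localKey  -ErrorAction SilentlyContinue

    if ($policy -and $policy.NoAutoUpdate -eq 1) {
        return [pscustomobject]@{ Source = 'Policy'; Compliant = $false; Detail = 'NoAutoUpdate=1 (automatic updates disabled by policy)' }
    }
    if ($policy -and $null -ne $policy.AUOptions) {
        # Policy AUOptions: 2 = notify before download, 3 = auto download/notify to install,
        # 4 = auto download and schedule install (the "install automatically" choice).
        return [pscustomobject]@{ Source = 'Policy'; Compliant = ($policy.AUOptions -eq 4); Detail = "AUOptions=$($policy.AUOptions)" }
    }
    # Local AUOptions (assumed Windows 7/8 mapping): 1 = never check (the red X in the video),
    # 2 = check but let me choose, 3 = download but let me choose, 4 = install automatically.
    $value = if ($local) { $local.AUOptions } else { $null }
    return [pscustomobject]@{ Source = 'Local'; Compliant = ($value -eq 4); Detail = "AUOptions=$value" }
}

function Set-AutoUpdatePolicy {
    # Enforce "install updates automatically" through the policy key so a local user cannot flip it back.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name 'NoAutoUpdate' -Value 0 -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'AUOptions'    -Value 4 -Type DWord
}

# Usage: report drift (add -Remediate to enforce), then fix the update setting if it is wrong.
$drift = Test-LocalAdminMembers
$au    = Test-AutoUpdateSetting
if (-not $au.Compliant) { Set-AutoUpdatePolicy; $au = Test-AutoUpdateSetting }
$au | Format-List
```

Two caveats worth keeping in mind when relying on the GPO preference shown in the video: the "Remove the current user" action only touches the account that is logged on while the policy is processed, so a second local account or a service account that never logs on interactively stays in Administrators, and a user who is a local admin can simply add themselves back. An audit like the one above, or the Restricted Groups policy under Computer Configuration > Policies > Windows Settings > Security Settings, is what actually enforces the membership baseline. Likewise, a setting chosen in the Control Panel is only as durable as the user's willingness to leave it alone; writing the policy key is what keeps the red X from coming back.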
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security