After completing this video, the learner will understand the concept of operating system hardening, including managing security settings, patch management and trusted operating systems.
- [Voiceover] System administrators are responsible for configuring operating systems to meet an organization's security control requirements. This is an extremely important responsibility because attackers often exploit security vulnerabilities to gain a foothold on a poorly configured or unpatched system and then leverage that access to compromise an entire network. Let's take a look at three important operating system security issues: security settings, patch management, and trusted operating systems.
There are many different security settings in any operating system that you can customize to meet the security needs of your organization. You'll want to establish a security baseline for your organization that includes the settings important in your environment. One of these is limiting the access that users have to administrative resources because this level of access can result in security compromises. Let's take a look at how to limit administrative access on a Windows system. Here I am on the desktop of a Windows system.
Windows manages many security settings through Group Policy Objects. We want to ensure that users on endpoint devices do not have administrative access to their computers. We do that by opening up the Group Policy Management tool and then I'm going to navigate here to the Group Policy Objects folder and create a new GPO for this domain by right clicking on this and choosing New. It's important to give GPOs descriptive names because you'll want to be able to remember what the GPO does when you come back and look at the object's name months or years later.
Let's call this one Limit Administrative Access to Local Systems. That's a pretty descriptive name and I'm confident I'll understand what it means later on. I click OK to create the GPO, and I now have an empty GPO. It's a shell that does nothing. I need to make this GPO actually limit administrative access, so I'm going to right click on it and choose Edit, which launches the Group Policy Management Editor. I want to use this GPO to remove every user from the local Administrators group on their system.
This is a user configuration setting, so I'm going to go to User Configuration and drill down into Preferences, Control Panel Settings, and then right click on Local Users and Groups. I'm going to tell Windows that I want to create a new Local Group item. That's a little confusing terminology, because I actually want to remove someone from an existing local group, but that's what I'll specify in this window. See here where the action says Update? That's one of four choices: Create, Replace, Update, and Delete.
Update means that I'm going to modify an existing group rather than create one. The group I want to modify is the built-in Administrators group, so I'm going to choose that here, and the action I want to take is Remove the current user from the group. I'm going to click Apply and then OK to save the setting. Keep in mind that a GPO sitting in the Group Policy Objects folder does nothing on its own; once it is linked to the domain or to an organizational unit, it applies to every user in that scope, and the next time each of them logs on, the preference removes that user from their computer's local Administrators group, leaving them with only normal user access. Then I'll close out of the Group Policy Management Editor and Group Policy Management.
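One caveat about the preference item configured above: it removes only the user who is logging on. Accounts that are already sitting in the local Administrators group, such as an old support account or a second local user, stay there until something else removes them. As an added example, not part of the course or of Microsoft's tooling, the following PowerShell script audits an endpoint's Administrators group against an allow-list and optionally removes everything else. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module and an elevated session; the allow-list names are hypothetical placeholders.

```powershell
# Added example (not from the course): audit the local Administrators group
# against an allow-list and, with -Remove, strip anything not on it.
# Assumptions: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts
# provides Get-LocalGroupMember / Remove-LocalGroupMember), run elevated.
# The allow-list below is hypothetical; adjust it to your baseline.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Allowed = @(
        'Administrator',      # built-in local admin (disable or rename per your baseline)
        'Domain Admins',      # domain group that should keep local admin
        'Workstation Admins'  # hypothetical delegated admin group
    ),
    [switch]$Remove
)

$computer = $env:COMPUTERNAME
$members  = Get-LocalGroupMember -Group 'Administrators'
$findings = @()

foreach ($m in $members) {
    # Members come back as COMPUTER\Name or DOMAIN\Name; compare on the name part.
    # An orphaned SID (deleted account) has no backslash and is reported as-is.
    $shortName = ($m.Name -split '\\')[-1]

    if ($Allowed -contains $shortName) {
        Write-Verbose "OK: $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
        continue
    }

    $findings += $m
    Write-Warning ("Unexpected Administrators member on {0}: {1} ({2}, {3})" -f
        $computer, $m.Name, $m.ObjectClass, $m.PrincipalSource)

    # -WhatIf is honored via SupportsShouldProcess, so you can dry-run first.
    if ($Remove -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
    }
}

# Non-zero exit code makes the script usable from a scheduled task or a
# configuration-management check that alerts on drift.
if ($findings.Count -gt 0 -and -not $Remove) { exit 1 }
exit 0
```

Run it first without -Remove (or with -Remove -WhatIf) to see what would be touched. Pushing the script through a scheduled task or as a Group Policy startup script turns the one-time fix above into an ongoing check, which is the point of a baseline: not just setting the value once, but noticing when it drifts.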
The second operating system security issue that we'll discuss is patch management. Applying patches to operating systems is critical because it closes security vulnerabilities that attackers have discovered and can otherwise exploit. Each time an operating system vendor learns of a new vulnerability, they create a patch that corrects the issue. Promptly applying patches shrinks the window between a vulnerability becoming public and your systems being protected against it. In Windows, the Windows Update mechanism is the simplest way to apply security patches to systems as soon as they are released.
Let's return to our Windows system and take a look at how to enable Windows update. I'm going to go ahead and open the Control Panel, then I'm going to choose System and Security, and click on Windows Update. You can see here information about recent updates. I'm going to go ahead and click the Check for updates button which causes this system to reach out to Microsoft servers to determine whether there are patches available for security or other fixes. And as you can see here, this computer is currently up to date, there aren't any critical patches that need to be applied.
Even though the system now has all of the available updates, let's go ahead and configure it to automatically apply updates in the future. I'm going to click on Change Settings here and then look at where it says Important updates. Now notice there's this red x and it says Never check for updates (not recommended). This system is currently configured not to reach out for security updates. If I pull this down here, I can look and see there are other choices available to me. The recommended choice is Install updates automatically where the computer will periodically reach out to Microsoft servers, check for updates, and then automatically install them on the system to make sure that it is up to date with current security standards.
That's the best choice and I'm going to choose that here. I'll go ahead and click OK and Windows goes ahead and just does one more check for updates to see if there's anything available right now, tells me I'm okay, and notice now it says You're set to automatically install updates. I can rest easy, knowing that Windows will reach out and update my system when new patches are available. Now let's look at applying updates on a Linux system. There are several different ways to update Linux systems that vary depending upon the distribution that you're using.
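The Control Panel setting changed above is a per-machine choice, and any user with administrative rights on that machine can flip it back to Never check for updates. In a domain you enforce it with Group Policy instead. As an added example, not code from the course or from Microsoft, the following PowerShell creates a GPO that writes the documented Windows Update policy registry values, links it, and includes a check you can run on an endpoint to confirm the policy landed. It assumes the GroupPolicy module (RSAT) on a domain-joined admin workstation or domain controller; the GPO name and the domain distinguished name are hypothetical placeholders.

```powershell
# Added example (not from the course): enforce "Install updates automatically"
# domain-wide with a GPO, then verify on an endpoint.
# Assumptions: GroupPolicy module (RSAT) available; run as a user allowed to
# create and link GPOs. $gpoName and $domainDN are hypothetical placeholders.
Import-Module GroupPolicy

$gpoName  = 'Enforce Automatic Windows Updates'   # hypothetical GPO name
$domainDN = 'DC=example,DC=com'                   # hypothetical domain DN
$auKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Create the GPO only if it does not already exist (idempotent re-runs).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline: automatic security updates'
}

# These are the registry values behind the "Configure Automatic Updates" policy.
#   NoAutoUpdate = 1 is the "Never check for updates" state seen in the video;
#                  0 turns checking back on.
#   AUOptions    = 4 means auto download and schedule the install.
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null  # 0 = every day
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null  # 03:00 local

# A GPO does nothing until it is linked. Link at the domain root (or at the OU
# that holds your workstations) and enforce it so a child OU cannot block it.
$alreadyLinked = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Endpoint-side check: after 'gpupdate /force', the policy key must exist and
# carry the enforced values. Returns $true only when the policy is in effect.
function Test-AutoUpdatePolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                          -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.NoAutoUpdate -eq 0 -and $p.AUOptions -eq 4)
}

Test-AutoUpdatePolicy
```

The verification step matters as much as the setting: a GPO linked to the wrong OU, blocked by inheritance, or filtered out by security filtering silently leaves machines on the old Never check for updates behavior, and the policy registry key is the cheapest place to catch that.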
I have an SSH session open here to a Linux system running in Amazon Web Services. As you can see on the login banner, the system is telling me that there are updates available: 11 security updates out of 27 available updates. Conveniently, it even tells me the command that I need to enter to apply them. The sudo command runs what follows with root privileges, and yum is the package manager, so sudo yum update tells it to apply the available updates. So let's go ahead and do that.
I'm going to type in sudo yum update, and hit enter. The system goes through, checks what updates are available. Here's the list of all the packages that it wants to install and update, and then down here it tells me it wants to install one package and upgrade 26 packages and that will take 52 megabytes of download and it's asking me for permission to do that. I came here to apply updates, so I'm going to say yes and the Linux system is going to go ahead and apply all these updates. It shows me that it's downloaded those 27 updates and is now going through the updating and clean up process.
We're almost done here. We've gone through 53 different steps to apply these updates, and we'll soon see that this system is fully patched. And then the update completes. That's how we apply patches to a Linux system. One thing to be aware of: sudo yum update applies every available update, not just the security ones. If you need to be more selective on a production system, yum can restrict a run to security-rated updates with the --security option, and most distributions offer an unattended update service (yum-cron on this family of systems) for machines you don't log in to regularly.
The final concept we'll discuss in this video is the Trusted Operating System. This is a formal term for an operating system that has been evaluated and certified against the Common Criteria, an international standard for security evaluation (ISO/IEC 15408). The evaluations are performed by accredited laboratories and certified under national government schemes, such as NIAP in the United States. Achieving the high assurance levels associated with a trusted operating system is very rigorous and expensive, and very few operating systems go through it, because that level of assurance frankly doesn't matter very much outside of highly secure government and defense applications.
Unless you work in the military sector, you probably won't encounter the Trusted Operating System concept in real life, but you should be familiar with the term for the Security+ exam. In this video we discussed three important operating system security concepts: managing security settings, patch management, and trusted operating systems. It's also important to lock down your operating system configuration by hardening the services, management interfaces, and accounts that it uses.
You'll learn about those in my Security+ Threats and Vulnerabilities course.