Processes of OS and NOS Hardening
System security and hardening is the process of building a barrier between the network and those who would do it harm. The key is to make sure the network you are in charge of is not one that is an easy target. You want to make the barrier more difficult to cross than anyone else’s network. In other words, Information Technology (IT) security involves creating a deterrent to convince a would-be-attacker that a system is more difficult to breach than some other system.
Let’s start with hardening the OS and the network operating system (NOS) environments. This area includes concepts previously studied, such as access control, authentication, and auditing (AAA), mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and auditing, as well as a number of sublevels, including:
- File security
- Updates
- Hotfixes
- Service packs
- Patches
When looking at ways to provide file and directory security, you must first look at how file security can be structured. There are two approaches:
- Start with everything accessible and lock down the things you want to restrict
- Start with everything locked down and open up the things you want to allow access to
Of these two potential methods, the second, which is also referred to as the rule of least privilege, is the preferred method. Least privilege means you start with the most secure environment and then loosen the controls as needed. This method keeps the authorizations provided to users, processes, or applications that access these resources as restrictive as possible. Accessibility and security are usually at opposite ends of the spectrum: the more convenient it is for users to access data, the less secure the network. While looking at hardening security through permissions (e.g., AAA), administrators should also consider updating the methods used to access the resources. It is important to look at the use and appropriateness of MAC, DAC, and RBAC in controlling access, and to coordinate this effort with the establishment of file system controls.
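The "start locked down, then open up" approach can be checked mechanically. The following is an added example, not code from the original page: it audits a directory tree against an owner-only baseline and reports every entry whose permission bits go beyond what an explicit allow-list grants. It assumes POSIX permission bits; the policy, paths, and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed policy (hypothetical names): everything is owner-only unless listed here.
# Keys are paths relative to the audited root; values are the most permissive mode allowed.
ALLOWED = {"public": 0o755, "public/readme.txt": 0o644}
DEFAULT_FILE, DEFAULT_DIR = 0o600, 0o700  # locked-down baseline

def audit(root, allowed=ALLOWED):
    """Return sorted (relative path, actual mode, permitted mode) for every
    entry whose permission bits exceed what the policy grants."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            default = DEFAULT_DIR if stat.S_ISDIR(st.st_mode) else DEFAULT_FILE
            limit = allowed.get(rel, default)
            mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky
            if mode & ~limit:  # a bit is set that the policy never opened up
                findings.append((rel, mode, limit))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: two entries are deliberately over-permissive."""
    layout = {"public": 0o755, "public/readme.txt": 0o644,
              "public/upload.sh": 0o755, "payroll": 0o700,
              "payroll/notes.txt": 0o600, "payroll/salaries.csv": 0o666}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if "." in rel:
            open(path, "w").close()
        else:
            os.mkdir(path)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, mode, limit in audit(tmp):
            print(f"{rel}: mode {mode:04o} exceeds permitted {limit:04o}")
```

Because anything absent from the allow-list falls back to the owner-only default, a newly created file is flagged until someone deliberately grants it wider access.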
Other tasks within the OS and NOS hardening area include keeping track of updates, hotfixes, service packs, and patches. This can be overwhelming, because these items are delivered at an incredibly rapid rate. Not only are there a lot of them, but many of the vulnerabilities they address may not apply to a particular system. Administrators need to make a huge effort to evaluate the need for each fix or patch. It is very important to fully test the upgrades, patches, service packs, and hotfixes on test equipment that parallels the live environment. It is never recommended or prudent to apply these “fixes” to production systems without testing, as sometimes the “fix” ends up breaking critical services or applications. To get things started, let’s review the general steps to follow for securing an OS:
- Disable all unnecessary services
- Restrict permissions on files and access to the registry
- Remove unnecessary programs
- Apply the latest patches and fixes
- Remove unnecessary user accounts and ensure password guidelines are in place
File System
Controlling access is an important element in maintaining system security. The most secure environments follow the “least privilege” principle, as mentioned earlier. This principle states that users are granted the least amount of access possible that still enables them to complete their required work tasks. Expansions to that access are carefully considered before being implemented. Law enforcement officers and those in government agencies are familiar with this principle regarding non-computerized information, where the concept is usually termed need to know. Generally, following this principle means that network administrators receive more complaints from users unable to access resources. However, receiving complaints from authorized users is better than suffering access violations that damage an organization’s profitability or capability to conduct business.
In practice, maintaining the least privilege principle directly affects the level of administrative, management, and auditing overhead, increasing the levels required to implement and maintain the environment. One alternative, the use of user groups, is a great time saver. Instead of assigning individual access controls, groups of similar users are assigned the same access. In cases where all users in a group have exactly the same access needs, this method works. However, in many cases, individual users need more or less access than other group members. When security is important, the extra effort to fine-tune individual user access provides greater control over what each user can and cannot access.
Keeping individual user access as specific as possible limits some threats, such as the possibility that a single compromised user account could grant a hacker unrestricted access. It does not, however, prevent the compromise of more privileged accounts, such as those of administrators or specific service operators. It does force intruders to focus their efforts on the privileged accounts, where stronger controls and more diligent auditing should occur. Figure 8.1 displays a possible path for consideration and creation of file system access.
Notice it starts with the process of evaluating risk. That’s one of the key steps in the hardening process, as the question will often arise: what is secure enough? That’s the role of the risk assessment in this process. As an example, your child’s piggy bank may be protected by no more than a small lock hidden on the bottom. While that’s suitable for your child’s change, you have probably noticed that your bank has many more controls protecting your assets and those of its other customers. Risk assessment works the same way in that the value of the asset will drive the process of access control and what type of authorization will be needed to access the protected resource.
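The trade-off between group-based assignment and fine-tuned individual access described above can be made concrete. This added example (not from the original page) compares the rights each user receives from group membership with what their job needs, derives the per-user allow and deny entries that close the gap, and shows how much a single compromised account would expose in each case. All users, groups, and rights are constructed, and giving a per-user deny precedence over a group grant is an assumption of this model.

```python
# Constructed sample data: rights granted per group, group membership, and
# the rights each user's job actually requires (all names are hypothetical).
GROUP_GRANTS = {
    "finance": {"ledger:read", "ledger:write", "payroll:read", "payroll:write"},
    "helpdesk": {"tickets:read", "tickets:write", "accounts:reset"},
}
MEMBERS = {"alice": ["finance"], "bob": ["finance"], "carol": ["helpdesk"]}
NEEDS = {
    "alice": {"ledger:read", "ledger:write", "payroll:read", "payroll:write"},
    "bob": {"ledger:read"},
    "carol": {"tickets:read", "tickets:write", "ledger:read"},
}

def effective(user, overrides=None):
    """Group rights, plus per-user allows, minus per-user denies (deny wins)."""
    entry = (overrides or {}).get(user, {})
    rights = set()
    for group in MEMBERS[user]:
        rights |= GROUP_GRANTS[group]
    rights |= entry.get("allow", set())
    return rights - entry.get("deny", set())

def plan_overrides():
    """Derive the per-user entries that bring each user to exactly NEEDS."""
    plan = {}
    for user, need in NEEDS.items():
        base = effective(user)
        entry = {"allow": need - base, "deny": base - need}
        if entry["allow"] or entry["deny"]:
            plan[user] = entry
    return plan

def exposure(overrides=None):
    """Number of rights reachable through each single account if it is compromised."""
    return {user: len(effective(user, overrides)) for user in MEMBERS}

if __name__ == "__main__":
    plan = plan_overrides()
    for user in sorted(MEMBERS):
        print(user, "group-only:", exposure()[user],
              "fine-tuned:", exposure(plan)[user], "overrides:", plan.get(user))
```

The override plan is the extra administrative work the text refers to: alice needs none, while bob and carol each require individual entries that must be maintained and audited.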