Security Baselines and Operating System, Network and Application Hardening

From Techotopia
Revision as of 17:29, 27 February 2008 by Neil (Operating System Hardening)


In this chapter we will look in detail at the concept of security baselines in conjunction with the steps involved in hardening operating systems, networks and applications.

Security Baselines

The process of baselining involves both the configuration of the IT environment to conform to consistent standard levels (such as password security and the disabling of non-essential services) and the identification of what constitutes typical behavior on a network or computer system, so that deviations from that baseline, which may indicate malicious behavior, can more easily be identified.

The baselining process involves the hardening of the key components of the IT architecture to reduce the risk of attack. The three main areas requiring hardening are the operating system, the network and applications, each of which will be covered in detail in the remainder of this chapter.

Operating System Hardening

The hardening of operating systems involves ensuring that the system is configured to limit the possibility of either internal or external attack. While the methods for hardening vary from one operating system to another, the concepts involved are largely similar regardless of whether Windows, UNIX, Linux, MacOS X or any other system is being baselined. Some basic hardening techniques are as follows:

  • Non-essential services - It is important that an operating system only be configured to run the services required to perform the tasks for which it is assigned. For example, unless a host is functioning as a web or mail server there is no need to have HTTP or SMTP services running on the system.
  • Patches and Fixes - As an ongoing task, it is essential that all operating systems be updated with the latest vendor supplied patches and bug fixes (usually collectively referred to as security updates).
  • Password Management - Most operating systems today provide options for the enforcement of strong passwords. Utilization of these options will ensure that users are prevented from configuring weak, easily guessed passwords. Additional levels of security include enforcing the regular changing of passwords and the disabling of user accounts after repeated failed login attempts.
  • Unnecessary accounts - All guest, unused and unnecessary user accounts must be disabled or removed from operating systems. It is also vital to keep track of employee turnover so that accounts can be disabled when employees leave an organization.
  • File and Directory Protection - Access to files and directories must be strictly controlled through the use of Access Control Lists (ACLs) and file permissions.
  • File and File System Encryption - Some filesystems provide support for encrypting files and folders. For additional protection of sensitive data it is important to ensure that all disk partitions are formatted with a file system type with encryption features (NTFS in the case of Windows).
  • Enable Logging - It is important to ensure that the operating system is configured to log all activity, errors and warnings.
  • File Sharing - Disable any unnecessary file sharing.
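
The checklist above, turned into a small baseline audit for a Linux host. This is an added example, not code from the original chapter; it assumes `ss -tlnH` output saved to a file, a `login.defs`-style file and a `passwd`-format file, and ships with constructed sample data so it can be exercised offline.

```shell
#!/bin/sh
# Baseline audit helpers for the hardening items listed above (POSIX sh).
# Each check reads a saved file, so it runs against the constructed samples
# below or live data, e.g.: ss -tlnH > listen.txt; audit_listeners listen.txt 22 443

# Non-essential services: print listening TCP ports that are not allow-listed.
# $1 = file holding `ss -tlnH` output (one socket per line), then allowed ports.
audit_listeners() {
    file=$1; shift; allowed=" $* "
    awk '{print $4}' "$file" | sed 's/.*://' | sort -un | while read -r port; do
        case "$allowed" in *" $port "*) ;; *) echo "unexpected listener: port $port" ;; esac
    done
}

# Password management: fail if login.defs lets passwords live longer than $2 days.
audit_password_age() {
    max=$(awk '$1=="PASS_MAX_DAYS" {v=$2} END {print v+0}' "$1")
    [ "$max" -gt 0 ] && [ "$max" -le "$2" ] && return 0
    echo "PASS_MAX_DAYS is $max (policy: 1..$2)"; return 1
}

# Unnecessary accounts: print accounts with a login shell that are not expected.
# $1 = passwd-format file, remaining args = usernames permitted to log in.
audit_accounts() {
    file=$1; shift; expected=" $* "
    awk -F: '$7 !~ /(nologin|false)$/ {print $1}' "$file" | while read -r user; do
        case "$expected" in *" $user "*) ;; *) echo "unexpected login account: $user" ;; esac
    done
}

# File and directory protection: print world-writable regular files under $1.
audit_world_writable() { find "$1" -type f -perm -0002 -print | sort; }

# Constructed sample data (not taken from a real host) written into directory $1:
# an extra listener on port 80, a never-expiring password policy, a guest
# account with a login shell, and a world-writable web file.
make_samples() {
    mkdir -p "$1/www"
    printf 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:80 0.0.0.0:*\n' > "$1/listen.txt"
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' > "$1/login.defs"
    printf 'root:x:0:0::/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/bash\nwww:x:33:33::/var/www:/usr/sbin/nologin\n' > "$1/passwd"
    touch "$1/www/index.html"; chmod 666 "$1/www/index.html"
}
```

On a real host, replace the sample files with the live `ss` output, `/etc/login.defs` and `/etc/passwd`, and point `audit_world_writable` at the directories holding sensitive data.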

Network Hardening