Five ways to thwart threats to your network

The following operating system security tips provide proactive steps for confronting common threats to today's networks. While these measures will close potential gaps in a variety of operating systems, users must also remain vigilant about identifying new ways to keep networks secure. Only by acting as aggressively as hackers and malicious code writers do can operating systems be well protected.

Killing Unused Shells in *nix Operating Systems

Almost all Unix operating systems ship with several shells as part of the installation. Yet the operating system itself relies on a single "preferred shell" for its own scripts and services. The remaining shells are security incidents waiting to happen, and those not used by the operating system should be removed in the following manner:

  • Determine which shells the operating system doesn't require.

  • Determine if any of the nonessential shells are required by other applications such as Apache.

  • If you find an application that needs an alternate shell, look for alternative applications that meet the same functional and performance goals but use the same shell as the operating system.

  • If you can't live without that application and no good alternative exists, examine other operating systems that may use the same shell as the application.

  • Eliminate all remaining shells that aren't needed by your operating system and applications.
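The steps above, carried out as a script rather than by hand: an added example (not from the article) that audits which shells in /etc/shells are still referenced by an account's login shell or by a managed script's shebang line, treating /bin/sh as the system's own shell. The /etc/shells, /etc/passwd and script contents are constructed samples.

```python
"""Audit which installed login shells anything on the host still uses.
Added example, not from the article: cross-references /etc/shells-style text
with /etc/passwd accounts and the shebang line of each managed script (the
"does Apache or another application need it" check). Inputs are constructed."""
import re

SHELLS = """\
/bin/sh
/bin/bash
/bin/csh
/bin/tcsh
/bin/ksh
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# script path -> its first line (constructed; apachectl really is an sh script)
SCRIPT_SHEBANGS = {
    "/usr/local/apache2/bin/apachectl": "#!/bin/sh",
    "/usr/local/bin/rotate-logs": "#!/bin/csh -f",
}

def installed_shells(shells_text):
    """Shell paths listed in /etc/shells, skipping comments and blank lines."""
    lines = (l.strip() for l in shells_text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def shell_users(passwd_text, shebangs):
    """Map each shell path to the accounts and scripts that depend on it."""
    users = {}
    for line in passwd_text.splitlines():
        f = line.split(":")              # name:pw:uid:gid:gecos:home:shell
        if len(f) == 7:
            users.setdefault(f[6], []).append("account:" + f[0])
    for path, first_line in shebangs.items():
        m = re.match(r"^#!\s*(\S+)", first_line)   # "#!/bin/csh -f" -> /bin/csh
        if m:
            users.setdefault(m.group(1), []).append("script:" + path)
    return users

def unused_shells(shells_text, passwd_text, shebangs, system_shell="/bin/sh"):
    """Installed shells that are neither the system's own shell nor referenced
    by any account or script: the candidates for removal."""
    used = shell_users(passwd_text, shebangs)
    return sorted(s for s in installed_shells(shells_text)
                  if s != system_shell and s not in used)
```

On a real host, read SHELLS and PASSWD from /etc/shells and /etc/passwd and collect the first line of each script under the application directories you manage.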

Lock Down and Identify Systems by Function

Many security tutorials discuss various out-of-the-box functions that should be shut off or disabled within each operating system. Most, however, fail to discuss the specific act of identifying the mission or function of a system and then locking down the services, ports, registry keys and so on that the mission doesn't need. This critical omission puts a blind spot in your enterprise security model: if you can't accurately define acceptable behavior for a machine's operating system based on its mission, location and so on, you won't know when a skilled adversary has breached it. Keeping a database of mission information for each fielded system also provides operating system security insight, because it lets the security monitoring team judge whether a system is behaving properly.

For example, few human resources or accounting end-user workstations running Windows 2000 should have Microsoft Internet Information Server also running on them. Yet without a working knowledge of what function each system within an enterprise should perform, there is no way to know whether the system's behavior is anomalous.

Encrypt the Hard Drive for All Mac OS X Laptops

Information theft and corporate espionage are becoming more prevalent as collaborative tools and infrastructures emerge. As a result, data protection on mobile devices is paramount. The encryption and decryption process for the hard drive in Mac OS X is not only built into the operating system, but is also far easier to operate than in other *nix-based or Windows systems.

The most intelligent way to implement data security within OS X is to create a disk image partition on the hard drive. All nonsystem files then live on an encrypted working disk image created with the operating system's own disk image tool. Here's how:

  • Open the disk image utility by opening your hard drive and choosing Applications > Utilities > Disk Copy.

  • Select File > New > Blank Image.

  • Select a name for your image under Volume Name, then a size (remember, this is your working partition, so make it big).

  • Be sure to select "AES-128" under the Encryption option (otherwise your work isn't protected).

  • Finally, use "Save As" to save the file under the same name you gave the volume, make sure it is being saved to the desktop (for ease of access), and click the Create button.

  • Disk Copy will prompt you for a password to secure the encrypted image and will offer to add it to your keychain. Let it add the password to your keychain only if your settings already require a strong password to unlock the keychain itself. Otherwise, you might as well not encrypt the image at all, because it will open automatically every time you log on.

  • You'll notice two icons appearing on your desktop, one with the volume name ("test.img," for example) and the other showing the mounted image ready to be used.

Disable Users' Ability to Install New Applications

Although this has been preached before, the realities of high user-to-security and user-to-administrative personnel ratios and general human laziness mean that this security directive is seldom enforced. As a result, unauthorized applications enter the enterprise, the AOL dial-up mail icon suddenly appears on desktops, and bandwidth gets hammered over time.

If an organization has an acceptable use policy and a predefined list of applications required for organizational use by system function, and if a machine is configured by the administrator or security staff in accordance with security guidelines, there should be no reason for an end user to have regular additional needs. In those instances where occasional irregular needs arise (such as specific new applications being adopted by individual groups within the organization), then the administrative team can interact with the user to properly install the new application. These interactions, however, should be infrequent.

Scan Users' Systems with Each New Log-on (or at Least Regularly)

Although this action isn't a direct operating system interaction, it nonetheless directly affects operating system security. A security or administrative team that knows the function of every machine can scan each one for open ports, running or listening services, and other security holes; any port, service or application not authorized on a particular machine should immediately stand out. If automated checks can't be performed with each log-on, security personnel can use any modern vulnerability scanner with up-to-date content to perform recurring spot checks across the enterprise.
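An added example (not from the article) of the check this section and the "Lock Down and Identify Systems by Function" section describe: a small role baseline stands in for the per-system mission database, and constructed netstat-style listener output for two hosts is compared against it. The host names, roles and port lists are assumptions; the parser accepts both Linux "netstat -tln" and Windows "netstat -an" line formats.

```python
"""Flag listening ports that a host's mission does not allow.
Added example, not from the article. ROLE_BASELINES and INVENTORY stand in
for the per-system 'database of mission information'; the scan text is
constructed in netstat style (Linux `netstat -tln` and Windows `netstat -an`)."""
import re

# role -> TCP ports a machine with that mission is allowed to listen on (assumed)
ROLE_BASELINES = {
    "hr-workstation": {135, 139, 445},
    "web-server": {22, 80, 443},
}
# hostname -> role: the per-system mission record (assumed)
INVENTORY = {"hr-ws-17": "hr-workstation", "web-01": "web-server"}

# constructed scan output; an HR box running a web server is the article's example
SCAN_OUTPUT = {
    "hr-ws-17": """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
""",
    "web-01": """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 0.0.0.0:443     0.0.0.0:*        LISTEN
tcp6       0      0 :::80           :::*             LISTEN
tcp        0      0 127.0.0.1:3306  0.0.0.0:*        LISTEN
""",
}

# matches both formats: optional Recv-Q/Send-Q columns, LISTEN or LISTENING
LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?\S+:(\d+)\s+\S+\s+LISTEN(?:ING)?\b", re.I)

def parse_listeners(text):
    """Set of TCP ports in a listening state, parsed from netstat-style text."""
    return {int(m.group(1)) for m in map(LISTEN_RE.match, text.splitlines()) if m}

def unauthorized_ports(host, scan_text):
    """Listening ports outside the host's role baseline. A host missing from
    the inventory has no baseline, so every listener on it is flagged."""
    allowed = ROLE_BASELINES.get(INVENTORY.get(host), set())
    return sorted(parse_listeners(scan_text) - allowed)

def audit(scans=SCAN_OUTPUT):
    """host -> ports needing follow-up by the security monitoring team."""
    return {host: unauthorized_ports(host, text) for host, text in scans.items()}
```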

Rob Bagnall is director of intelligence operations at iDefense Inc., a security consulting company in Reston, Va. He can be contacted at rbagnall@idefense.com.

Special Report

Tips From Security Experts


Copyright © 2003 IDG Communications, Inc.
