Skip the navigation

Steps to a secure operating system

By Arvind Krishna, IBM Tivoli Software
July 14, 2003 12:00 PM ET

Computerworld - Today's operating systems are more sophisticated and feature-rich than ever before, which makes them substantially more useful to the enterprise but also adds to security vulnerability—unless the operating systems are configured, administered and monitored correctly. Contrary to popular belief, this can be accomplished with a minimum of fuss and bother. The key is to centralize and automate operating system security across the enterprise, rather than do it manually for each box.


In fact, the costs and risks of not centralizing and automating operating system security are enormous. Over half of the security break-ins we read about daily are the result not of inherent weaknesses in operating system technology but of operating systems not being configured properly or not being verified and monitored regularly. The operating systems were provisioned out of the box at the default security settings, which made them highly vulnerable to attack.


Today, roughly 20% of user identifications and passwords have never been changed. The word password is still a common password in many organizations. The reason administrators neglect to configure these settings properly is simple: It would take approximately 20,000 hours to provision and verify a 1,000-server network manually, as it must be done in many organizations, and few organizations can afford the necessary time and money.











Advice

Arvind Krishna
Organizations that do change server security configurations manually spend an inordinate amount of their help desk resources assisting users with password inquiries rather than dealing with more serious network issues. Given these disadvantages, it's no wonder many administrators run server operating systems at the default. That practice gets servers into production quickly, but it adds significantly to security risk.


There are three things that can enhance operating system security across an enterprise network. First, provisioning of the servers on the network should be done once in one place, involving the roughly tens of separate configurations most organizations require. This image, or set of images, can then be downloaded across the network, with the help of software that automates this process and eliminates the pain of doing it manually for each server. Moreover, even if you had an instruction sheet for these key configurations, you wouldn't want local administrators to access these key configurations for each server, which is very dangerous. The best way to do it is once and for all.


Once the network has been provisioned, administrators need to be able to verify policy compliance, which defines user access rights and ensures that all configurations are correct. An agent running on the network or remotely can monitor each server continuously, and such monitoring wouldn't interfere with normal operations.


Second, account management needs to be centralized to control access to the network and to ensure that users have appropriate access to enterprise resources. Policies, rules and intelligence should be located in one place—not on each box—and should be pushed out from there to provision user systems with correct IDs and permissions. An ID life cycle manager can be used to automate this process and reduce the pain of doing this manually.


Third, the operating system should be configured so that it can be used to monitor activity on the network easily and efficiently—revealing who is and isn't making connections, as well as pointing out potential security events coming out of the operating system. Administrators can use a central dashboard that monitors these events in real time and alerts them to serious problems based on preset correlations and filtering. Just as important, this monitoring system should be set up so that administrators aren't overwhelmed by routine events that don't jeopardize network security.


Security doesn't have to be a budget buster or interfere with normal business operations. As organizations move from manual to automated security processes, there are significant cost savings to be had. Manual processes are not only expensive and inflexible; they also contribute significantly to breakdowns that add to costs. Properly configured operating system security is a business enabler that will save money as it keeps the bad guys where they belong—on the defensive.



Special Report

Tips From Security Experts
Stories in this report:

Read more about Security in Computerworld's Security Topic Center.



Our Commenting Policies