Recent studies show that securing the operating system is recognized as a necessary practice in an organization’s overall security policy, but it is not being done on a regular, consistent basis across the enterprise. Operating systems control every function that the server on which it is installed, provides. The OS is responsible for the management and coordination of everything that happens on a computer, including how and where resources are shared. It serves as the foundation for every application running on a server.
With today’s threat environment, security has become the focus of many system administrator jobs. Most system administrators agree that locking down (or hardening) operating systems to a prescribed level of compliancy, and maintaining that compliancy across the enterprise is a best practice to follow. On the flip side, studies reveal that the majority of organizations are not locking down all of their servers and many are not even locking down all Internet facing servers which are the most vulnerable. The vulnerability that organizations face when they do not lock down their operating systems, consistently and persistently, can be devastating.
Unfortunately, companies and government agencies are faced with limited resources and increasingly shrinking IT budgets, while at the same time, threats to data and other sensitive and classified information is on the rise. When faced with budget decisions, securing assets can become a costly afterthought.
In a constantly changing environment locking down operating systems across the enterprise and maintaining an identified level of compliancy is no easy task. On blogs frequented by system administrators, questions always arise regarding the lock down process, indicating the lack of straightforwardness. Regardless of which operating system a company or government agency is running, there are a variety of methods (such as free lock down scripts) that system administrators can implement to harden an operating system. However, these scripts most often require modification in order to adhere to specific security policies. Modification has to be done manually which means that there is always the chance for error. What happens where errors are made? Applications don’t run and users are very unhappy. Scripts can be reversed but then the OS configuration is back to its initial state and you find yourself starting over again. You cannot simply undo the one lock down that caused the problem.
Another option is to turn to a consulting organization that provides services, including scans of the operating system that show how the operating system fares against a set of security best practices. These organizations may also offer lock down services, but this can be costly over time, and once the consultants are gone, there is the issue of maintenance. There are configuration management tools available that assess the security of operating systems and make recommendations as to what needs to be done to remediate vulnerabilities. But again, the configuration of the OS is done manually and therefore the same costs and risks remain.
It would be ideal if new off-the-shelf operating systems were shipped with lock downs fully enabled. However, the vendors that provide these systems would soon be out of business. Installation of the OS would be cumbersome at best and once it was installed, there would be a high probability of not all applications running successfully. Operating systems are shipped unsecure for a reason, so that they can be easily installed and applications will run on them. Therefore, system administrators are tasked with locking down all new out-of-the-box OS before installing applications. Further, once the systems are up and running within an environment they must be constantly maintained to adhere to the organization’s security and compliance standards.
When new software is installed on an OS, services needed for installation are enabled, but these services may not be needed beyond initial installation. Unused services are a prime target for attackers. They know that services are frequently turned on without the system administrator’s knowledge, which make an operating system susceptible to widespread attacks. As part of the lock down process, system administrators should disable as many unused services as possible, including network, peer-to-peer, file sharing and general services. The challenge comes in finding out which unnecessary services have been enabled and are not needed. Lastly, in the lock down process, system administrators should adjust the kernel’s TCP/IP settings to help prevent denial-of-service attacks and packet spoofing. These additional measures are often referred to as layered security or in-depth-defense. All of these things help minimize an organization’s potential attack surface.
Administrative password misuse is another example of a potential vulnerability. According to the “20 Critical Security Controls,” published by the SANS Institute, the misuse of administrator privileges is the number one method used by attackers to infiltrate an enterprise. The second most common technique is the elevation of privileges by guessing or cracking a password for an administrative user to gain access to a targeted machine. As part of the operating system lock down practice, organizations need to ensure administrative passwords have a minimum of 12, somewhat random, characters and that all administrative accounts are configured to require password changes on a regular basis. Further enforcement of securing administrative accounts should ensure that machines cannot be accessed remotely.
Another best practice to protect an organization’s systems from attackers is to maintain the highest possible degree of awareness. Logging is key. Without it, you don’t always know that an attack has occurred. Even if you are aware without logging and analysis, there are no details provided about the attack. The devil really is in the details. Having the details allows action to be taken to prevent the attacker from instigating broad-based damage to your enterprise vital information. An organization’s operating system lock down practices must include logging access control events when users try to gain access to something without having the appropriate permission. And lastly, extensive logging is worth little if potential attackers can gain access to log files. These files need to be maintained on separate machines from those that are generating the events.
While there is no one process to make any organization 100% secure, establishing a company-wide security policy based on industry standard best practices is a good place to start. Many of these best practices can be implemented as part of the operating system assessment and lock down process. Securing the foundation on which your IT organization runs is not easy to do. It takes time, money, and resources, but the potential for an attack is too great and too costly to ignore. By implementing a consistent, enterprise-wide operating system assessment and lock down process, a company can hopefully thwart malicious attackers and keep them at bay.