System News
Best Practices on Securing Enterprise Operating Systems
Paper Examines Issues With Commonly Used Practices, Offers Solution
February 12, 2010
Volume 144, Issue 2

While there is no one process to make any organization 100% secure, establishing a company-wide security policy based on industry-standard best practices is a good place to start.

A review of best practices on securing companies' and government agencies' operating systems is presented in the six-page PDF "Securing the Foundation of IT Systems".

The paper covers commonly used and oftentimes problematic practices adopted by system administrators, and offers some insights on ways to improve security, including a look at Trusted Computer Solutions' (TCS) Security Blanket - a tool that automatically locks down operating systems.

General Tips

Some general tips offered in the paper include:

  • Password security: Organizations must ensure that administrative passwords have a minimum of 12 characters, chosen with some randomness, and that all administrative accounts are configured to require password changes on a regular basis. Further enforcement of administrative-account security should ensure that these accounts cannot be used to access machines remotely.

  • Awareness via logging: An organization’s operating system lock down practices must include logging access control events when users try to gain access without having the appropriate permission. Log files should be maintained on separate machines from those that are generating the events so that potential attackers cannot gain access to these files.

  • Baselining identification: This is the identification of significant states within the revision history of a configuration item. As a best practice, system administrators should periodically perform a baseline comparison to identify changes that could potentially become a fault.

  • Consistency: Maintaining a predetermined "good state" or configuration policy on every server across the enterprise provides system administrators with control and eliminates downtime and surprises.
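The baseline comparison from the tips above, as an added example in POSIX sh that is not from the paper or from Security Blanket. A baseline is modelled as lines of "item state" records (service names with enabled/disabled, plus configuration settings such as remote root login and password aging, which in practice would be generated from the host's own service and configuration listings); the sample baseline and later snapshot are constructed here inline, and compare_baseline reports every added, removed or changed item and returns non-zero when the host has drifted from its approved state.

```shell
#!/bin/sh
# Constructed sample baseline: the approved lock-down state of a server.
# Format: one "item state" record per line.
BASELINE='cron enabled
sshd enabled
telnet disabled
nfs disabled
PermitRootLogin no
PASS_MAX_DAYS 90'

# Constructed snapshot taken later: telnet re-enabled after a software
# install, nfs removed, a new ftp service present, root login flipped back.
SNAPSHOT='cron enabled
sshd enabled
telnet enabled
ftp enabled
PermitRootLogin yes
PASS_MAX_DAYS 90'

# compare_baseline BASELINE_TEXT SNAPSHOT_TEXT
# Prints ADDED/REMOVED/CHANGED lines for each drift found.
# Exit status: 0 when the snapshot matches the baseline, 1 when it drifted.
compare_baseline() {
  # Both lists go to one awk process, separated by a marker line, so no
  # temporary files are needed and the pipeline status is awk's own.
  printf '%s\n=END_OF_BASELINE=\n%s\n' "$1" "$2" | awk '
    /^=END_OF_BASELINE=$/ { in_snapshot = 1; next }  # switch to snapshot records
    NF == 0 { next }                                 # ignore blank lines
    !in_snapshot { base[$1] = $2; next }             # remember baseline state
    {
      cur[$1] = $2
      if (!($1 in base))       { print "ADDED " $1 " (" $2 ")"; drift = 1 }
      else if (base[$1] != $2) { print "CHANGED " $1 " (" base[$1] " -> " $2 ")"; drift = 1 }
    }
    END {
      # Anything in the baseline that the snapshot no longer has was removed.
      for (k in base) if (!(k in cur)) { print "REMOVED " k " (" base[k] ")"; drift = 1 }
      exit (drift ? 1 : 0)
    }'
}

# Example run: report drift and signal it through the exit status.
compare_baseline "$BASELINE" "$SNAPSHOT"
```

Run periodically against a stored baseline, a non-zero exit status is the signal that a server needs to be re-locked-down or its baseline deliberately updated.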

Issues with Commonly Used Techniques

Most system administrators agree that locking down, or hardening, operating systems to a prescribed level of compliance, and maintaining that compliance across the enterprise, is a best practice to follow. However, studies reveal that the majority of organizations are not locking down all of their servers, and many are not even locking down all Internet-facing servers, which are the most exposed. The vulnerability that organizations face when they do not lock down their operating systems consistently and persistently can be devastating.

Regardless of which operating system a company or government agency is running, there are a variety of methods that system administrators can implement to harden an operating system. Free lock-down scripts are often used. However, these scripts often require modification in order to adhere to specific security policies, and modification is a manual process that introduces the chance for error.

When new software is installed on an operating system, services required for installation are enabled, but these services may not be needed beyond initial installation. Unused services are a prime target for attackers. As part of the lock down process, system administrators should disable as many unused services as possible, including network, peer-to-peer, file sharing and general services. The challenge comes in determining which unnecessary services are enabled, and then disabling them.

However, disabling a service is not fool-proof. If firewall rules fail to parse and the daemon doesn’t start, a security breach can occur. Another issue with unused services is the amount of system resources being allocated to services not even used; plus, system administrators still have to manually disable, configure, and patch these services.

Another option is to turn to a consulting organization that provides services, including scans of the operating system that show how it fares against a set of security best practices. These organizations may also offer lock down services, but this can be costly over time.

There also are configuration management tools available that assess the security of operating systems and make recommendations as to what needs to be done to remediate vulnerabilities. But again, the operating system configuration is manual and therefore the same costs and risks remain.

TCS Security Blanket

With 14 years spent developing, accrediting, and deploying secure solutions for the US Government, TCS has developed a tool that automates the process of locking down an operating system. Security Blanket is an enterprise platform that automatically configures operating systems to meet industry standard and customized security requirements. It assesses whether the operating system is compliant with policy and then enables the user to automatically lock down the operating system to be compliant.

Security Blanket comes with an administration console that enables a system administrator to manage any number of servers from a central location. Servers can be assigned to groups based upon the level of security they require. Assessments can be run on an entire group of servers as can the automatic operating system configuration of security settings for ease in maintaining consistency across the entire enterprise.

The product offers pre-defined lock down configurations from the CIS, the DISA STIGs, SANS and other standards groups. These pre-defined industry standards can be used as is or modified to create an individualized configuration to support a specific security policy. If something goes wrong, Security Blanket enables users to automatically "undo" the lock down, back to the original state or on an individual security setting basis.

A number of operating systems are supported by Security Blanket, including Red Hat Enterprise Linux, Fedora, Solaris, CentOS, and SUSE. It runs on any x86 or SPARC platform, as well as Linux on the IBM System z mainframe.

More Information

Securing the Foundation of IT Systems - the six-page PDF

TCS Security Blanket

Trusted Computer Solutions

The Center for Internet Security (CIS)

The Defense Information Systems Agency (DISA)

The SANS Institute
