Join Mike Chapple for an in-depth discussion in this video Operating system security, part of CompTIA CySA+ (CS0-002) Cert Prep: 5 Security Operations and Monitoring.
- [Instructor] Whether you're running physical servers in a data center, or virtualized servers in the cloud, system administrators are responsible for the configuration of operating systems to meet an organization's security control requirements. This is an extremely important responsibility, because attackers can often exploit security vulnerabilities to gain access to a vulnerable system and then even potentially leverage that access to compromise an entire network. Let's take a look at some important operating system security issues. There are many different security settings in any operating system that you can customize to meet the security needs of your organization. You'll want to establish a security baseline for your organization that includes the settings important in your environment. One of these is limiting the access that users have to administrative resources, because this level of access can result in security compromises.

Let's look at how to limit administrative access on this Windows server. Windows manages many security settings through group policy objects, or GPOs. We want to ensure that users on endpoint devices in this domain don't have administrative access to their computers. We can do that here in the group policy management tool. I'm going to navigate through the folder for my domain, certmike.com, and then the group policy objects folder. Now that I'm here, I'm going to create a new group policy object for this domain by right-clicking and choosing new. It's important to give GPOs a descriptive name, because you'll want to remember what the GPO does when you come back and look at this GPO months or even years later. We'll call this one: Limit Administrative Access to Local Systems. Once I click OK, you can see that GPO here in my list of GPOs, but at this point it's still empty. It's a shell that does nothing. We need this GPO to actually limit administrative access. So let's right-click on the GPO and choose edit.
I'm going to use this GPO to remove every user from the administrators local group on systems. This is a user configuration setting, so let's expand that folder and drill down into preferences and then control panel settings. Once I'm here I'm going to right-click on local users and groups. And I'm going to tell Windows that I want to create a new local group. That's a little confusing terminology, because we actually want to remove someone from an existing local group, but we'll tell Windows that in just a moment. See here, where it has selected the action update instead of these alternatives: create, replace, and delete? That means that we're modifying an existing group. The group that we want to modify is the built-in administrators group, so we'll choose that in the group name menu. And the action that we want to take is to remove the current user from that group. This gives them only normal user access. Clicking apply applies this update to my domain.

On a Windows system, the Windows Update mechanism is the simplest way to apply security patches to systems as soon as they're released. Here we are on that Windows system again, looking at the system settings. I'm going to choose update and security. And when I do that, I see a screen giving me status information about Windows Update. Now I can see this was just recently checked for updates at 5:43 p.m. today, and the system is telling me that it has all current updates applied. I can click the check for updates button and just run that check again to see if any new updates have been released in the meantime. I find out when I do that there actually is an update available, and the system begins downloading and installing that new update. In these settings I can also manage some of the automatic download settings, the hours during which a system will be upgraded and rebooted, and other details about how Windows updates itself. Now let's look at applying updates on a Linux system.
There are several different ways to update Linux systems that vary depending upon the distribution that you're using. I'm opening an SSH session here to a Linux system running in Amazon Web Services that's running the Ubuntu Linux distribution. And as you can see here, the system is telling me on the login banner that there are 149 package updates available and 71 of those updates are security updates. I can go ahead and apply these updates using the apt-get command. The first thing I'm going to do is type the command sudo, S-U-D-O. That simply means I'd like to run the command following this as the root user, which gives the administrative privileges that are required to install updates. The next thing I'm going to do is issue the apt-get command. This is the package manager used in Ubuntu distributions. And then I'm going to issue the update command. This simply says, reach out to the distribution servers and obtain all of the latest package updates. It is only retrieving a list of updates; it's not actually applying anything to my system. To apply the updates to my system, downloading them and installing them, I'm going to again issue the sudo command, and then apt-get, and then upgrade. Update retrieves a list of packages; upgrade actually downloads and installs them. I then get a long list of all the packages that will be upgraded when I issue this command, and I confirm that I would like to do this. And then the upgrade process begins. Now depending upon the number of packages that you're upgrading, this may take some time. And you'll see lots of text scrolling by as you're installing those updates on your system. As you can see, when you're applying these updates, you're going to see a lot of status messages telling you different things about different packages that are being upgraded. Most of these are just informational in nature. And then eventually the updates will complete. That's how you apply updates to a Linux system.
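The update-then-upgrade procedure just walked through, as an added example that is not part of the course or of Ubuntu's own tooling: a POSIX shell script that refreshes the package index, previews what would change, counts how many of the pending packages come from the distribution's "-security" pocket, and only then applies the upgrade non-interactively. The function names, the use of `apt list --upgradable` as the thing to parse, and the sample listing at the bottom are this example's own assumptions; the sample is constructed, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not from the course: the apt-get update / apt-get upgrade
# procedure, with a preview step that counts how many pending packages come
# from the distribution's "-security" pocket before anything is installed.
# Assumes a Debian/Ubuntu host with apt; the sample listing below is constructed.

# Count all upgradable packages in `apt list --upgradable` output.
# Package lines look like:
#   name/suite1,suite2 new-version arch [upgradable from: old-version]
count_all_updates() {
    awk '/\[upgradable from:/ { n++ } END { print n + 0 }' "$1"
}

# Count only those whose suite list names a "-security" pocket.
# Splitting on "/" and " " makes $2 the comma-separated suite list.
count_security_updates() {
    awk -F'[/ ]' 'NF > 2 && $2 ~ /-security/ { n++ } END { print n + 0 }' "$1"
}

# One-line summary for a listing file: "pending=N security=M".
summarise_updates() {
    printf 'pending=%s security=%s\n' \
        "$(count_all_updates "$1")" "$(count_security_updates "$1")"
}

# Step 1 of the procedure: refresh the package index (metadata only), then
# capture the list of what would change without installing anything.
preview_updates() {
    sudo apt-get update -q
    apt list --upgradable 2>/dev/null > "$1"
    summarise_updates "$1"
}

# Step 2: apply the upgrades. The instructor confirms the package list by hand;
# -y answers that prompt so the step can run unattended from a scheduler.
apply_updates() {
    sudo env DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
}

# Constructed sample listing (not from a real system) so the counting logic can
# be exercised offline; on a real host use: preview_updates /tmp/upgradable.txt
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
Listing... Done
libexample1/jammy-updates,jammy-security 1.0-2ubuntu0.2 amd64 [upgradable from: 1.0-2ubuntu0.1]
examplessl/jammy-security 3.0.1-1ubuntu0.3 amd64 [upgradable from: 3.0.1-1ubuntu0.2]
exampleeditor/jammy-updates 9.0-1ubuntu1.1 amd64 [upgradable from: 9.0-1ubuntu1]
EOF

summarise_updates "$SAMPLE_LISTING"   # pending=3 security=2
```

The split into a preview step and an apply step is deliberate: the preview can be run on a schedule and its counts fed to monitoring, so a host whose "security" count stays above zero for days is visible before anyone logs in to look at a banner.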
As a security administrator, you should not only ensure that your systems are configured to receive updates, but you should also analyze the output of patch management processes to ensure that those patches are applied promptly. Configuration management tools can assist you with automating this work.

You'll also want to perform a task known as system hardening. System hardening involves analyzing the default settings of your operating system and removing services and components that aren't required to meet your business needs. As you perform system hardening, you should accomplish a few important tasks. First, you should remove unnecessary software and operating system components to configure the system for the least functionality required to perform its function. This is an activity known as reducing the attack surface. The fewer things you have installed on a system, the fewer things there are for an attacker to exploit. Second, you should lock down the host firewall to only allow access to those services that are intended for use by other systems. We'll talk about that more later. Third, you should disable any default accounts or passwords that came with the operating system or applications that you installed. These default accounts provide attackers with a starting point for brute force attacks, and when they're configured with default passwords, they will be quickly compromised if they're exposed to the internet.

Remember, there are five important steps that you can take to secure operating systems that you administer, whether they're in the cloud or your own data center. You should configure security policies, manage patches, harden system configurations, lock down host firewalls, and disable default accounts and passwords.
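The "disable default accounts" hardening step above, turned into a check that can be run against a baseline, as an added example that is not part of the course: a POSIX shell script that reads passwd- and shadow-format data and reports the three account conditions a hardening review usually looks for first, namely extra UID 0 accounts, accounts with an empty password field, and system accounts left with an interactive login shell. The function names, the UID-below-1000 convention for system accounts (a Debian/Ubuntu assumption), and both sample files are this example's own; the sample data is constructed, with placeholder hashes.

```shell
#!/bin/sh
# Added example, not from the course: an audit of the "disable default
# accounts" hardening step, run against passwd/shadow-format data.
# Assumes a Linux host where UIDs below 1000 are system accounts (Debian/Ubuntu
# convention); the two sample files below are constructed, not real data.

# Accounts other than root that also have UID 0 (full administrative access).
find_extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow entry has an empty password field: if such an account
# is otherwise enabled, no password is needed to log in as it.
find_passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# System accounts (UID 1-999) with an interactive shell instead of
# nologin/false; default service accounts normally should not allow logins.
find_system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Run all three checks, print each finding, and return 1 if anything was found
# so the script can gate a build or a configuration-management run.
audit_accounts() {
    passwd_file=$1; shadow_file=$2; findings=0
    for u in $(find_extra_uid0_accounts "$passwd_file"); do
        echo "FINDING: extra UID 0 account: $u"; findings=$((findings + 1))
    done
    for u in $(find_passwordless_accounts "$shadow_file"); do
        echo "FINDING: empty password field: $u"; findings=$((findings + 1))
    done
    for u in $(find_system_accounts_with_shell "$passwd_file"); do
        echo "FINDING: system account with login shell: $u"; findings=$((findings + 1))
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample data (hashes and dates are placeholders, not real values).
PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadmin:x:0:0:second root:/root:/bin/bash
appsvc:x:999:999:app service:/var/lib/app:/bin/bash
guest:x:1001:1001:guest:/home/guest:/bin/bash
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sysadmin:$6$placeholder$hash:19000:0:99999:7:::
appsvc::19000:0:99999:7:::
guest:!:19000:0:99999:7:::
EOF

# On a real host this would be run as root against /etc/passwd and /etc/shadow.
audit_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" || echo "account hardening: FAIL"
```

Against the constructed sample the script reports three findings: a second UID 0 account (sysadmin), a service account with no password set (appsvc), and that same service account left with /bin/bash as its shell; the locked guest account (password field "!") is correctly not reported.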