
Chapter 07 Operating System Hardening

Uploaded by

Muhammad Hazlami

Chapter 7

Operating System Hardening

ITT320 – Introduction to
Computer Security

Mazlan Osman
Objectives

• Properly configure a secure Windows system.
• Properly configure a secure Linux system.
• Apply appropriate operating system patches to Windows.
• Apply appropriate operating system patches to Linux.
• Securely configure a web browser.

Introduction

• It is not enough to just implement firewalls and proxy servers.
• Securely configuring the operating system and its software is a critical step in system security that is frequently ignored.
• This chapter walks you through this process on different operating systems.

Configuring Windows Properly

• Properly configuring Windows (with a focus on Windows 7, 8, and 10) consists of many facets.
• We must disable unnecessary services, properly configure the registry, enable the firewall, properly configure the browser, and more.

Configuring Windows Properly
Accounts, Users, Groups and Passwords
• Any Windows system comes with certain default user accounts and groups.
• These can frequently be a starting point for intruders who want to crack passwords.
• Simply renaming or disabling some of these default accounts can improve your security.

Configuring Windows Properly
Accounts, Users, Groups and Passwords
• In Windows 7 or Windows 8 you find user accounts by going to Start, Settings, Control Panel, Users and Groups.
• In Windows 10 go to Start, Settings, and Accounts.
• The Windows 7 and 8 accounts screen is shown in Figure 7-1. From here you can alter, disable, or add accounts.

Configuring Windows Properly
Accounts, Users, Groups and Passwords

Figure 7.1 Alter, Disable, or Add accounts in the Local Users and Groups Dialog Box

Configuring Windows Properly
Accounts, Users, Groups and Passwords
• In Windows 10 go to Start, Settings, and Accounts.
• The Windows 10 accounts screen is shown in Figure 7-2. From here you can add accounts, delete accounts, or change accounts.

Configuring Windows Properly
Accounts, Users, Groups and Passwords

Figure 7.2 Accounts in Windows 10

Configuring Windows Properly
Administrator Accounts
• The default administrator account has administrative privileges.
• Hackers frequently seek to obtain the logon information for an administrator account.
• Default accounts allow the hacker to bypass the first half of this process. Administrators should disable this account (see Figure 7.3).

Configuring Windows Properly
Administrator Accounts

Figure 7.3 Disabling Administrator Accounts in Windows 7 or 8

Configuring Windows Properly
Other Accounts
• A few accounts that you should disable include:
  ◦ IUSR_Machine
    - A hacker who is familiar with Internet servers could target this account.
  ◦ ASP.NET
    - A hacker who is familiar with web applications could target this account.
  ◦ Database accounts
    - A hacker who is familiar with relational databases could target this account.

Configuring Windows Properly
Setting Security Policies
• Setting appropriate security policies is the next step in hardening a Windows server.
• Select Start, Settings, Control Panel, Administrative Tools, and you will note the Local Security Policy.
• Double-clicking this and selecting Account Policies takes you to the screen shown in Figure 7-4.

Configuring Windows Properly
Setting Security Policies

Figure 7.4 Local Security Policies

Configuring Windows Properly
Setting Security Policies
• The first matter of concern is setting secure password policies.
• The default settings for Windows passwords are not secure.
• Table 7-1 shows the default password policies.

Configuring Windows Properly
Windows Password Policies

Policy                                                                     Default Setting
Enforce password history                                                   1 password remembered
Maximum password age                                                       42 days
Minimum password age                                                       0 days
Minimum password length                                                    0 characters
Password must meet complexity requirements                                 Disable
Store password using reversible encryption for all users in the domain     Disable

Table 7.1 Default Windows Password Policies
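
Added example (not from the slides or the ITT320 ebook): PowerShell that parses the [System Access] section of a security policy export, the same .inf format used by security templates, and flags settings that still match the Table 7.1 defaults. The INF text is a constructed sample, and the function and variable names are hypothetical.

```powershell
# Constructed sample of a policy export. On a real host, create one with:
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY
$sampleInf = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 1
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
'@

# Defaults as listed in Table 7.1, keyed by the INF setting name.
# ClearTextPassword (reversible encryption) is left out: its default,
# Disabled, is already the value to keep.
$table71Defaults = [ordered]@{
    PasswordHistorySize   = 1    # Enforce password history
    MaximumPasswordAge    = 42   # Maximum password age (days)
    MinimumPasswordAge    = 0    # Minimum password age (days)
    MinimumPasswordLength = 0    # Minimum password length (characters)
    PasswordComplexity    = 0    # Complexity requirements (0 = Disabled)
}

function Get-SystemAccessSettings([string]$InfText) {
    # Collect "Name = number" pairs from the [System Access] section only.
    $settings = @{}
    $inSection = $false
    foreach ($line in ($InfText -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(-?\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

function Test-PasswordPolicyDefaults([string]$InfText) {
    $current = Get-SystemAccessSettings $InfText
    foreach ($name in $table71Defaults.Keys) {
        $status = 'Changed'
        if (-not $current.ContainsKey($name)) { $status = 'NotSet' }
        elseif ($current[$name] -eq $table71Defaults[$name]) { $status = 'StillDefault' }
        [pscustomobject]@{ Setting = $name; Value = $current[$name]; Status = $status }
    }
}

Test-PasswordPolicyDefaults $sampleInf | Format-Table -AutoSize
```

To audit a real export, pass `Get-Content policy.inf -Raw` instead of `$sampleInf`.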

Configuring Windows Properly
Setting Security Policies
• The default password policies are not secure enough, but what policies should you use instead?
• Different experts give different answers. Recommendations from Microsoft, the National Security Agency (NSA), and the author are available (see Ebook ITT320).

Configuring Windows Properly
Setting Security Policies
• The first matter of concern is setting secure account lockout policies.
• These policies determine how many times a user can attempt to log in before being locked out, and for how long to lock them out.
• The default Windows settings are shown in Table 7-2.

Configuring Windows Properly
Windows Account Lockout Policies

Policy                                Default Settings
Account lockout duration              1 password remembered
Account lockout threshold             42 days
Reset account lockout counter after   0 days

These default policies are not secure. Users can get recommendations from Microsoft, the National Security Agency, and the author (see Ebook ITT320).

Table 7.2 Windows Account Lockout Policies

Configuring Windows Properly
Other Issues
• Some account and password issues cannot be handled with computer settings.
• These involve setting organizational policies regarding user and administrator behavior.
• The basic list of the most important organizational security policies is:
  ◦ Users must never write down passwords.
  ◦ Users must never share passwords.
  ◦ Administrators must use the least required access rule.

Configuring Windows Properly
Registry Setting
• The Windows Registry is a database used to store settings and options for Microsoft Windows operating systems.
• This database contains critical information and settings for all the hardware, software, users, and preferences on a particular computer.
• Secure registry settings are critical to securing a network.

Configuring Windows Properly
Registry Basics
• The physical files that make up the registry are stored differently depending on which version of Windows you are using.
• Older versions of Windows (that is, Windows 95 and 98) kept the registry in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT.
• Since Windows XP, the physical files that make up the registry are stored in %SystemRoot%\System32\Config.

Configuring Windows Properly
Registry Basics
• Since Windows 8, the file has been named ntuser.dat.
• You can edit the registry directly using a tool, regedit.exe.
• The registry has a hierarchical structure similar to the directory structure on the hard disk.
• To view the registry, go to Start, Run, and type regedit. The Registry Editor dialog box will be displayed (see Figure 7.5).

Configuring Windows Properly
Registry Basics

Figure 7.5 Registry Editor Dialog Box

Configuring Windows Properly
Registry Basics
• The dialog box consists of five folders. These five main folders are the core registry folders.
  ◦ HKEY_CLASSES_ROOT:
    - This folder contains all of the file association types.
  ◦ HKEY_CURRENT_USER:
    - This folder links to the section of HKEY_USERS.

Configuring Windows Properly
Other Registry Settings
• Restrict Null Session Access
• Restrict Anonymous Access
• Remote Access to the Registry

CAUTION !!!
Incorrect editing of your registry can render parts of your operating system unusable. If you are new to registry editing DO NOT practice on a production machine that has critical data.
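
Added example, not from the slides: a read-only PowerShell check of the three items listed above, which changes nothing on the machine. The slides name the settings but not the registry values; the paths and value names below are the standard Windows ones, and the expected values and the function name are assumptions based on common hardening guidance.

```powershell
# Each entry maps one item from the slide to the registry value that controls it.
# Expected values are assumptions (a value at or above Expected counts as restricted).
$checks = @(
    @{ Item = 'Restrict null session access'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RestrictNullSessAccess'; Expected = 1 },
    @{ Item = 'Restrict anonymous access'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Item = 'Restrict anonymous access (SAM accounts)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM'; Expected = 1 }
)

function Get-RegistryHardeningReport {
    foreach ($c in $checks) {
        # A missing key or value yields $null and is reported as not compliant.
        $prop = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($prop) { $actual = $prop.($c.Name) }
        [pscustomobject]@{
            Item      = $c.Item
            Value     = "$($c.Name)=$actual"
            Compliant = ($null -ne $actual) -and ($actual -ge $c.Expected)
        }
    }

    # Remote access to the registry needs the RemoteRegistry service to run.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $state = 'service not present'
    if ($svc) { $state = "RemoteRegistry StartType=$($svc.StartType)" }
    [pscustomobject]@{
        Item      = 'Remote access to the registry'
        Value     = $state
        Compliant = (-not $svc) -or ($svc.StartType -eq 'Disabled')
    }
}

Get-RegistryHardeningReport | Format-Table -AutoSize
```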
Configuring Windows Properly
Services
• A service is a program that runs without direct intervention by the computer user. In Unix/Linux environments, these are referred to as daemons.
• Shutting down unneeded services is an essential and very basic part of hardening an operating system.
• Every running service is a possible avenue for a hacker or a virus to get to your machine.

Configuring Windows Properly
Encrypting File System (EFS)
• Beginning with Windows 2000, the Windows operating system has offered the Encrypting File System (EFS), which is based on public key encryption (see Figure 7.6).
• EFS enables users to start encrypting files with no administrator effort.
• EFS automatically generates a public key pair for file encryption and decryption.
• Command-line tools and administrative interfaces are provided for advanced users.

Configuring Windows Properly
Encrypting File System

Figure 7.6 Encrypting File System

Configuring Windows Properly
Security Templates
• A security template contains hundreds of possible settings that can control a single or multiple computers.
• The following is a partial list of the security templates:
  ◦ Hisecdc.inf
  ◦ Hisecws.inf
  ◦ Securedc.inf
  ◦ Securews.inf
  ◦ Setup security.inf
(Refer to Ebook ITT320)

Configuring Linux Properly
• Many of the same security concepts that apply to Windows can be applied to Linux.
• Commonalities between Windows and Linux:
  ◦ User and account policies should be set up the same in Linux as they are in Windows, with only a few minor differences.
  ◦ All services (called daemons in Linux) not in use should be shut down.

Configuring Linux Properly
  ◦ The browser must be configured securely.
  ◦ The operating system must be patched routinely.
• Differences between Linux and Windows:
  ◦ No application should run as the root user unless absolutely necessary.
  ◦ The root password must be complex and must be changed frequently.
  ◦ Disable all console-equivalent access for regular users.

Patching The Operating System
• From time to time, security flaws are found in operating systems.
• Whatever operating system you use, you must apply these patches as a matter of routine.
• Windows patches are probably the most well-known.
• Some organizations find that updating once per quarter or even once per month is necessary.

Configuring Browser
• Most computers, including corporate workstations, are used to access the Internet.
• This means that proper browser configuration is absolutely essential for hardening a system.
• This section describes how to set Internet Explorer for safe Internet use.

Configuring Browser
Securing Browser for Internet Explorer
• Open Microsoft Internet Explorer.
• Select Tools on the menu bar, and then select Internet Options. The Internet Options window includes a Privacy tab and a Security tab.
• A screen like the one shown in Figure 7.7 appears.

Configuring Browser
Securing Browser for Internet Explorer

Figure 7.7 Internet Explorer Options

Configuring Browser
Privacy Settings
• With spyware a growing problem, privacy settings are as important to operating system hardening as security settings.
• Clicking on the Advanced button allows you to alter how your browser handles cookies.
• The following settings are recommended:
  ◦ Block third-party cookies
  ◦ Prompt for first-party cookies
  ◦ Always allow session cookies

Configuring Browser
Security Settings

Figure 7.8 Internet Explorer Security Settings
