10 security tips for all general-purpose OSes


There are key considerations for system security that apply no matter which general-purpose operating system platform you happen to be using. You should always consider the following precautions when securing your systems against unauthorized access and unfortunate disasters:

  1. Use strong passwords. One of the simplest ways to improve security is to use a password that cannot be guessed quickly by a brute force attack, in which the attacker uses an automated system to try candidate passwords as fast as possible in the hope of hitting the right one before long. Attackers try dictionary words, names, dates, and common patterns first, so your mother's name or your anniversary date falls in seconds; a password that mixes capital and lowercase letters, numbers, special characters, and spaces, and that avoids dictionary words, forces the attacker into exhaustive search. Remember as well that increasing the length of your password by a single character multiplies the total number of possibilities by the number of valid characters that can be used, so length matters more than any individual character class. In general, anything less than eight characters is considered far too easy to crack. Ten, 12, or even 16 is better. Just don't make it so long that you cannot remember it or so awkward that you cannot type it; a long passphrase of several unrelated words is often easier on both counts than a short string of symbols.
  2. Invest in good perimeter defense. Not all security occurs on the desktop. It's a good idea to use an external firewall/router to help protect your computer, even if you only have one computer. At the low end, you can purchase a retail router device, such as the commercial Linksys, D-Link, and Netgear routers that are available in stores such as Best Buy, Circuit City, and CompUSA. Higher up the scale, you can get managed switches, routers, and firewalls from "Enterprise" class vendors such as Cisco, Vyatta, and Foundry Networks. Starting somewhere in the middle and moving all the way up to direct competition with the major "Enterprise" class vendors, you can put together your own firewalls either "from scratch" or using prepackaged firewall/router installers such as m0n0wall and IPCop. Proxy servers, antivirus gateways, and spam filtering gateways can all contribute to stronger perimeter security as well. Remember that, in general, switches are better for security than hubs (a switch does not broadcast every frame to every port), a NAT router is better than a bare switch because unsolicited inbound connections have nowhere to go by default, and a stateful firewall is a definite necessity: NAT is a side effect of address translation rather than a security policy, and only a firewall lets you state explicitly which traffic is allowed in and out.
  3. Update your software. While concerns such as patch testing before deployment to production systems may be of critical importance in many circumstances, ultimately security patches must be rolled out to your systems. Ignoring security updates for too long can result in the computers you use becoming easy targets for unscrupulous security crackers, since public exploits for a patched vulnerability usually follow the patch closely. Don't let the software installed on your computers fall too far behind the security update schedule, and remember that this includes third-party applications and libraries, not just the operating system. The same applies to any signature-based malware protection software such as antivirus applications (if your system needs them), which can be no more effective than their malware signature definitions are current.
  4. Shut down services you don't use. Often, computer users don't even know which network accessible services are running on their systems. Telnet and FTP are common offenders that should be shut down on computers where they are not needed; both carry credentials in cleartext. Make sure you're aware of every single service running on your computer, and have a reason for it to be running: on Linux and BSD systems, netstat or ss and lsof will list listening sockets together with the owning process, and on Windows netstat -ano does the same. In some cases, this may require reading up on the importance of a service to your particular needs so that you don't make a mistake like shutting off the RPC service on a Microsoft Windows machine and finding that you can no longer log in, but it's always a good idea to have nothing running that you don't actually use. Pay particular attention to services bound to all interfaces rather than to the loopback address, since those are the ones reachable from the network.
  5. Employ data encryption. Varying levels of data encryption coverage are available to the security-conscious computer user or sysadmin, and choosing the right level of encryption for your needs must be decided based on circumstances. Coverage can range from use of cryptographic tools on a file-by-file basis, through filesystem encryption, up to full disk encryption. Even full disk encryption typically leaves a small boot loader unencrypted, because something readable has to start the system and ask for the key; guaranteeing the integrity of that unencrypted piece against tampering requires help from specialized hardware or firmware, and if your need for privacy is great enough to justify the expense, it's possible to get such whole-system protection. For anything short of that, there are a number of solutions available for each level of encryption desired, including both commercial proprietary systems and open source systems for full disk encryption on every major desktop operating system. Keep in mind what encryption at rest does and does not buy you: it protects a powered-off or stolen machine, but once the system is booted and the volume unlocked, any process running with your privileges reads the data in the clear.
  6. Protect your data with backups. One of the most important ways you can protect yourself from disaster is to back up your data. Strategies for data redundancy can range from something as simple and rudimentary as periodically saving copies to CD to complex, staggered, periodic automated backups to a server. On systems that must maintain constant uptime without loss of service, RAID can provide automatic failover redundancy in case of a disk failure, but RAID is not a backup: a deleted, corrupted, or overwritten file is mirrored just as faithfully as a good one. Free backup tools such as rsync and Bacula are available for putting together automated backup schemes of arbitrary complexity, and since a backup you have never restored from is untested, verify periodically that what is on the backup medium actually matches the source. Version control systems such as Subversion can provide flexible data management so that you can not only have backups on another computer, but you can keep more than one desktop or laptop system up to date with the same data without a great deal of difficulty. Using Subversion in this manner saved my bacon in 2004 when my working laptop suffered a catastrophic drive failure, emphasizing the importance of regular backups of critical data.
  7. Encrypt sensitive communications. Cryptographic systems for protecting communications from eavesdroppers are surprisingly common. Software supporting OpenPGP for e-mail, the Off The Record plug-ins for IM clients, encrypted tunnel software for sustained communication using secure protocols such as SSH and SSL/TLS, and numerous other tools can be had easily to ensure that data is not compromised in transit. Encryption only helps against an active attacker if you also verify who is on the other end, so check SSH host keys, OpenPGP fingerprints, and certificate warnings rather than clicking through them. In person-to-person communications, of course, it can sometimes be difficult to convince the other participant to use encryption software to protect communications, but sometimes that protection is of critical importance.
  8. Don't trust foreign networks. This is especially important on open wireless networks such as at your local coffee shop. If you're careful and smart about security, there's no reason you cannot use a wireless network at a coffee shop or some other untrusted foreign network, but the key is that you have to ensure security through your own system, and not trust the foreign network to be safe from malicious security crackers. For instance, it is much more critical that you protect sensitive communications with encryption on an open wireless network: a session cookie or a username and password sent to a Web site over plain HTTP can be read by anyone on the same wireless segment and replayed to take over your session. Less obviously, make sure you don't have any network services running that are not strictly necessary, as they can be exploited if there is an unpatched vulnerability. This applies to network filesystem software such as NFS or Microsoft CIFS, SSH servers, Active Directory services, and any of a number of other possibilities. Check your systems both from the inside (list the listening sockets) and the outside (port scan the machine from another host) to determine what opportunities malicious security crackers may have to attempt to compromise your computer, and make sure those points of entry are as locked down as reasonably possible. In some respects, this is just an extension of the points about shutting down unneeded services and encrypting sensitive communications, except that in dealing with foreign networks you must be especially stingy with the services you allow to run on your system and what communications you consider "sensitive." Protecting yourself on a foreign, untrusted network may in fact require a complete reworking of your system's security profile.
  9. Get an uninterruptible power supply. You don't just want a UPS so you won't lose files if the power goes out. There are other, ultimately more important reasons, such as power conditioning and avoiding filesystem corruption. For this reason, make sure you get something that works with your operating system to notify it when it needs to shut itself down, in case you aren't home when the power goes out, and make sure you get a UPS that provides power conditioning as well as battery back-up. A surge protector simply isn't enough to protect your system against damage from "dirty" power. Remember, a UPS is key to protecting both your hardware and your data.
  10. Monitor systems for security threats and breaches. Never assume that just because you've gone through a checklist of security preparations your systems are necessarily safe from security crackers. You should always institute some kind of monitoring routine to ensure that suspicious events come to your attention quickly and allow you to follow up on what may be security breaches or threats to security. This sort of attention should not only be spent on network monitoring but also on integrity auditing and/or other local system security monitoring techniques: keep a baseline of cryptographic checksums for system files (tools such as Tripwire and AIDE automate this) and store that baseline somewhere an intruder cannot rewrite it, review logs regularly, and where possible send logs to a separate host so a compromised machine cannot quietly erase its own history.
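As an added example (not part of the original article) of the arithmetic behind tip 1: the script below infers which character classes a password uses, computes the size of the search an exhaustive brute force attack faces, and converts that to worst-case time at an assumed guess rate. All passwords and the one-billion-guesses-per-second rate are constructed for illustration. It estimates resistance to exhaustive search only; a dictionary word or keyboard pattern is far weaker than this number suggests, which is why real strength estimators such as zxcvbn also check for those.

```python
import math
import string

# Character classes an attacker has to cover once a password is seen to use them.
# The 33-symbol class is ASCII punctuation plus the space character. Characters
# outside these classes (non-ASCII) count toward length only.
CHARACTER_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive search must cover, inferred from the
    character classes the password actually uses (0 for an empty password)."""
    return sum(n for members, n in CHARACTER_CLASSES
               if any(c in members for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates in an exhaustive search.

    Each additional character multiplies the space by the alphabet size,
    which is why length dominates: 16 lowercase letters (about 75 bits)
    beat 9 characters drawn from all 95 printable ASCII characters (about 59)."""
    n = charset_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate
    (an offline attack against a fast hash can reach billions per second)."""
    return 2.0 ** bits / guesses_per_second


def strength_report(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise a password's resistance to exhaustive search.
    The default guess rate is an assumed figure for illustration."""
    bits = search_space_bits(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(bits, 1),
        "days_to_exhaust": round(seconds_to_exhaust(bits, guesses_per_second) / 86400, 2),
        "too_short": len(password) < 8,
    }


if __name__ == "__main__":
    # Constructed sample passwords, none of them real credentials.
    for pw in ("fluffy", "Tr0ub4d&3", "abcdefghijklmnop", "horse staple battery xylophone"):
        print(repr(pw), strength_report(pw))
```

Running it shows the point the tip makes about length: the 16-character lowercase string has a larger search space than the 9-character mixed one, even though the latter ticks every "complexity" box.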

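The following is an added example, not from the original article, of the inside check called for in tips 4 and 8: it parses the output of `ss -tulnp` on Linux (the sample lines are constructed, and the `ALLOWED` set is a hypothetical policy for a host that should only expose SSH), separates loopback-bound sockets from those reachable on the network, and reports every exposed listener the policy does not mention. On systems without `ss`, `netstat -an` or `lsof -i` give the same information in a slightly different layout, and the parser would need adjusting. For the outside check, run a port scan from another host (for example `nmap -sT -p- <host>`) and compare what it sees with what this reports.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in the layout of `ss -tulnp` on Linux; not real output
# from any particular host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      5      0.0.0.0:21          0.0.0.0:*     users:(("vsftpd",pid=950,fd=3))
tcp   LISTEN 0      80     [::]:23             [::]:*        users:(("inetd",pid=400,fd=4))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*     users:(("rpcbind",pid=300,fd=6))
udp   UNCONN 0      0      [::1]:323           [::]:*        users:(("chronyd",pid=250,fd=5))
"""

# Hypothetical policy: (protocol, port) pairs this host is supposed to expose.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22)}


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        """True when the socket is bound to 127.x or ::1 and so unreachable
        from the network. A wildcard such as '*' parses as non-loopback."""
        try:
            return ipaddress.ip_address(self.addr).is_loopback
        except ValueError:
            return False


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -tulnp` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        if fields[0] == "tcp" and fields[1] != "LISTEN":
            continue  # established connections are not listeners
        addr, port = fields[4].rsplit(":", 1)
        if not port.isdigit():
            continue
        addr = addr.strip("[]")  # IPv6 addresses are bracketed
        match = re.search(r'"([^"]+)"', line)  # process name inside users:(("name",...))
        listeners.append(Listener(fields[0], addr, int(port), match.group(1) if match else "?"))
    return listeners


def exposed_unexpected(listeners: List[Listener], allowed=ALLOWED) -> List[Listener]:
    """Listeners reachable from the network that the policy does not permit."""
    return [l for l in listeners
            if not l.loopback_only and (l.proto, l.port) not in allowed]


def audit(output: str, allowed=ALLOWED) -> List[Tuple[str, int, str]]:
    """Sorted (proto, port, process) tuples that need shutting down or justifying."""
    return sorted((l.proto, l.port, l.process)
                  for l in exposed_unexpected(parse_ss(output), allowed))


if __name__ == "__main__":
    for proto, port, process in audit(SAMPLE_SS_OUTPUT):
        print(f"exposed and not in policy: {proto}/{port} ({process})")
```

On the constructed sample the report names the FTP, telnet and portmapper listeners; CUPS and chrony are bound to loopback and are left alone, and SSH is in the policy. In real use, feed the function `subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout` and run it from cron so a newly appeared listener gets noticed.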
Other security precautions may apply depending on the specific OS you use. Some operating systems provide additional challenges to security because of design characteristics that produce a less-than-optimal security profile, and some operating systems grant the knowledgeable sysadmin capabilities for increased security that may not exist elsewhere. All of this should be kept in mind when securing your system, whether using proprietary systems such as Microsoft Windows and Apple Mac OS X or open source systems such as your favorite Linux distribution, FreeBSD, NetBSD, or even the very security-conscious OpenBSD.

Only in the very rarest of circumstances is a default install of your OS of choice, with no further thought to securing the system, truly sufficient. Start with the above enumerated security concerns regardless of your operating system, then consider the specific security needs and opportunities of your platform. Don't leave the integrity of your system's security up to luck.
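As an added example serving both tip 6 (verify that a backup matches its source) and tip 10 (integrity auditing), and not code from the original article: the script below builds a manifest of SHA-256 digests, sizes and permission bits for a directory tree, saves it as JSON, and later diffs a fresh manifest against it to list added, removed and changed files. The `demo()` function constructs a throwaway tree with `tempfile`, tampers with it, and returns the resulting report; the file names and contents are made up for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> Dict[str, dict]:
    """Record digest, size and permission bits of every regular file under
    root, keyed by path relative to root. Symlinks are skipped so a link
    pointing outside the tree cannot be used to hide a change."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        manifest[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": format(st.st_mode & 0o7777, "04o"),
        }
    return manifest


def save_manifest(manifest: Dict[str, dict], path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> Dict[str, dict]:
    return json.loads(Path(path).read_text())


def compare_manifests(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Diff two manifests: new files, missing files, and files whose content,
    size or permissions differ. The same call serves intrusion detection
    (host now vs. known-good baseline) and backup checks (restore vs. source)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed end-to-end run on a throwaway tree: snapshot, tamper, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "sub").mkdir(parents=True)
        (root / "a.txt").write_text("original configuration\n")
        (root / "sub" / "b.txt").write_text("keep me\n")
        # The baseline lives outside the monitored tree; in real use it belongs
        # on read-only or off-host storage so an intruder cannot rewrite it.
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)
        baseline = load_manifest(baseline_file)
        # Simulated tampering and data loss after the baseline was taken.
        (root / "a.txt").write_text("original configuration\n# backdoor\n")
        (root / "sub" / "b.txt").unlink()
        (root / "c.txt").write_text("unexpected new file\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a backup check, run `build_manifest` on the source before the backup and on the restored copy afterwards; an empty report means the restore is byte-for-byte complete. For integrity auditing, the report is only trustworthy if the baseline was taken on a clean system and kept where the monitored host cannot modify it, which is exactly the caveat that applies to Tripwire and AIDE.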

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

30 comments
nentech

Most of this is common sense. Some are good. Would like to add: 1. Work with the people who will be using the systems/network. Teach them good security. Explain why they cannot do the risky stuff. 2. Lose the fortress mindset. Even the best security can break down. There is always someone who will do the most stupid things in any company or group. Col

troy.dennis

Strong passwords are a good security practice but hard to implement in my company. Locking down all unused services on all servers and putting all systems behind a firewall (I use m0n0wall with great success) has worked well for me. Also make sure you block SMTP port 25 for all outgoing LAN access or you can end up getting your IP blocked. As far as testing your network, what programs do you suggest? I've used nmap but it just scans ports. Is there some other that you recommend?

Jaqui

This is the source of the majority of MS exploits: MS products are designed around trust everything instead of the secure trust nothing.

gary

11. Test! Employing all these things is great, but what about the impact to the user side of things? Whole disk encryption can be a performance killer. Also, everything should be tested because it's worse to THINK you are protected rather than knowing you are not.
12. Employ a centralised auditing system - Having a variety of tools and systems which each do their own thing often means multiple logs. Ensure you have a centralised device that can gather and report on all of these things. Make sure it's reviewed.
13. Along with disabling services, have a look at Windows security templates. This can be a quick way to ensure identical lockdowns across all Windows servers.
14. If using IIS, don't forget the IIS Lockdown Tool.

Absolutely

A program that generates a random string of characters, of user-defined length, is not very difficult to write & post to an Intranet or Internet location. :) It is also not difficult to password-protect an Excel spreadsheet which contains all of a user's passwords, and is editable only with the one password that the user "remembers". There are also open-source programs which incorporate all that functionality in a single program.

gary

First of all I'd suggest a proper pen test from a reputable company. If the budget isn't there for it, then Metasploit is quite scary in what it can do and exploit. GRC can do a simple firewall scan to see what ports are open, and internally you should be using GPOs and templates to lock down your machines as much as possible.

gary

Absolutely. Hence I'd suggest using the NSA lockdown checklists and security templates.

CookieOrc

You always have to know what is in those things. The first time I got hacked was when I did not realize that I was not the only one using my VNC connection to the server :)

Absolutely

[i]Having a variety of tools and systems which each do their own thing often means multiple logs.[/i] There is a myriad of text manipulation software available to make multiple log files conveniently viewable. Better to pick the best security & monitoring tools on their technical merits, and deal with their log files as the simplistic chore in text formatting that they are. Too minor a problem to count at all where access control is concerned.

ejhonda

13 & 14 are not for "all general purpose OSes". But your centralized auditing system tip is a good one - a tough one to implement, but a good one. ;)

apotheon

"[i]not difficult to password-protect an Excel spreadsheet which contains all of a user's passwords, and is editable only with the one password that the user's 'remember'.[/i]" True . . . but it's also not difficult enough to crack security on software like Excel, or to fill up RAM and unnecessary swaths of hard drive "space", when you do it that way. Much better to use some OpenPGP-based encryption utility like GnuPG, perhaps wrapped with a shell script or a Perl or Ruby script to give it that "application" feel, where security breaches and software bloat are much more difficult to imagine.

Penguin_me

Along with Metasploit and nmap, if you can run it (I think it's *nix only) Nessus is fairly good, it'll give you a list of open ports and vulnerable services (it doesn't give you everything, and should only be used as *part* of pen-testing) link: http://www.nessus.org/

Jaqui

MS Windows is built to operate with a trust everything model. Making it work with a trust nothing model will cripple most people's productivity until they get used to the higher restrictions and what is required to work with them. A trust nothing on a Windows box would mean anything downloaded would need to be virus scanned, adware scanned, spyware scanned, before it could be run. When run, it would have to be sandboxed to the point of requiring constant input from the user to allow it to do anything. Then you could stop malware. The *nix operating systems are closer to a trust nothing, but even they have some trust in some things / accounts. [ userid 0 / root being trusted ]

gary

Yes, that's right, but not many people know about tools out there that can do this; therefore there needs to be more education via sites like this.

apotheon

"[i]Better to pick the best security & monitoring tools on their technical merits, and deal with their log files as the simplistic chore in text formatting that they are. Too minor a problem to count at all where access control is concerned.[/i]" I tend to figure that anyone who thinks that dealing with superficially differing text formats requires something akin to a vertically integrated vendor stack is someone who hasn't heard of Perl -- or perhaps even regular expressions.

gary

Quick and dirty way of doing it is to set up something like Kiwi Syslog Daemon or the free version of Splunk and get everything converted to syslog format and sent to that server. Windows can send event logs in syslog format via a nice piece of software called SNARE.

-Q-240248

"13 & 14 are not for 'all general purpose OSes'." Neither are 2, 7, 8, 9, or 10 from the original article related to "general OSes". I don't even agree with this list regardless. What's most important is to invest in a good host-based firewall/IPS suite along with AV and forget about the "external firewall" the author is pushing. Dumb firewalls have their uses, and are no different than NAT when it comes to protecting, but a good host-based IPS solution goes above and beyond any firewall. Cuts down on the stinking patching issues and as long as you keep them up-to-date, many of those other issues become mute. The only one I have ever followed was disabling the unnecessary services. I'll even take extra steps and disable things like the "server service" on my Windoze machines just because I don't need to share anything and there goes 50 other exploits you don't have to worry about.

apotheon

I think I recall seeing some OpenPGP libraries for Perl in CPAN, too -- so you may not actually need a separate utility like GnuPG around which to wrap your script. On the other hand, maybe the modules depend on something like GnuPG. I didn't really look into it too deeply at the time, so I couldn't really tell you.

Absolutely

I've been meaning to start tinkering with Perl. That looks like a good mini-project to get me familiar with a bit of its syntax.

gary

In any security strategy you must balance risk against the ability of the user to do their job. The key is understanding what the business does and how it does it. For example, I hate iPods and other USB devices. I'd love to lock them all out but I know that the business uses them to transfer legitimate data. We also use them in IS so we can't do that YET... if we did we would cause the business more hassle than allowing the devices. It's constantly a balancing act.

apotheon

"[i]Now, I admit that this breaks down when you have a mobile workforce.[/i]" It also breaks down if you take -Q's advice, above, and just use a local IPS and malware scanning strategy for security, ignoring any and all other means of securing your system. I of course think your solution makes a lot of sense (and have used similar strategies myself) -- but I'm sure -Q would have a huge problem with your suggestion.

gary

You can operate a trust nothing model with a "sensibly" locked down desktop. Your downloads and AV scanning can be handed off to something like a Bluecoat proxy appliance or similar. IPS can be used to detect threats on the network and so on. That way you can have LESS loading on the workstation in the form of agents that consume CPU and put that loading onto your network appliances. Now, I admit that this breaks down when you have a mobile workforce.

Absolutely

I've been meaning to tidy up my TR Workspace until it's a useful repository of security-related tools and info. One more reason to get on that.

Robbi_IA

Excellent response. I agree with your assessment of the previous poster's firewall experience. One doesn't even have to pay top dollar for a firewall appliance to get the best software. I've used several from all levels, and I would have to say that there are some very good stateful firewalls on the market. An external firewall is just one part of the layered approach necessary to protect systems and data.

apotheon

That's one of my biggest pet peeves in online discussion -- seeing someone post something about a "mute point". Argh. I usually don't want to say anything about it, though, because the people saying "mute point" are usually the people completely missing my previous points, and in the process of correcting them on the matter I don't want to distract attention from the important meat of what I'm saying. So . . . thanks for bringing it up.

Absolutely

Mnemonic: Like a cow's opinion, a [u]moo[/u]t point simply does not matter.

apotheon

"[i]Good God![/i]" While I am flattered by the comparison, I am not He. "[i]Nice article.[/i]" Thanks. I do my best.

rkuhn040172

I'm in 100% agreement with Apotheon. This does happen occasionally. I thought the article was spot on. Security isn't taken seriously enough by most people regardless of the OS. Nice article.

apotheon

"[i]Neither are 2, 7, 8, 9, or 10 from the original article related to 'general OSes'.[/i]" How are they not related to general purpose OSes? Please elaborate. "[i]I don't even agree with this list regardless.[/i]" How do you disagree (aside from your obvious distaste for perimeter security)? "[i]What's most important is to invest in a good Host-based firewall/IPS suite along with AV and forget about the 'external firewall' the author is pushing.[/i]" I don't see how a host-based firewall obviates the need for an external filter for traffic. The further from the important systems and data in your care malicious activity is stopped, the better. "[i]Dumb firewalls have their uses[/i]" Who said anything about "dumb" firewalls? Perhaps you're not aware that many external, stand-alone firewall devices actually run some of the best software you can find for stateful "host-based firewalls" (in the form of pf, iptables, et cetera). "[i]no different than NAT[/i]" I'm pretty sure you don't know much about firewalls, at this point. "[i]a good host-based IPS solution goes above and beyond any firewall[/i]" Perhaps you're also unaware that a stateful firewall essentially [b]is an IPS[/b].
