OS Security





Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.


I am not sure if I interpret this correctly, but this security report seems to show that a few workstations have some suspicious DNS activity and are trying to resolve some DGA domains - please see the attached.

I am not in the security area. Someone who knows how to handle this, please advise.

Many thanks.

I am reading this Qualys vulnerability report which says a server has this IE vulnerability - please see the attached. The server already has the latest Windows Updates.

I have applied the latest Windows updates to the server. There are three links under the Exploitability section of the report, where the download link to fix the vulnerability is supposed to be available. But it happens that the download link only downloads a txt file.

Someone who has an idea, please advise.

Many thanks.
I'm writing a doc on Data Classifications (taking local regulatory requirements/practices into context, with
international practices such as GDPR as optional). The data we have in mind are:

a) our customers' particulars (which include their NRIC#, i.e. the equivalent of the Social Security # in the
    US, their mobile/tel# and addresses: I guess all of these are PII)

b) bank account numbers of the customers (for payments)

c) the transactions including historical transaction details (customers sea-port clearances
    as well as the volume & types of goods they go through our sea-port)

d) IP addresses of customers who connect to us, internal IP addresses/hostnames of our

So for each data class, we need to identify whether
1. they must be hosted within our country if we use cloud (& if this is IaaS, SaaS, PaaS)
2. backup of the data must be encrypted
3. data at rest/in-transit must be encrypted
4. to be classified as Restricted, Confidential, Secret, or any other categories
5. which category to be detected by DLP & which category to be blocked by DLP
6. any other actions for each of the data categories

If there are such sample docs out there, care to point me to them?
Local server security.

I just got hit by a ransomware attack. Hence I am asking for help to achieve a great level of security, especially for my server and devices.

Which devices should I get and why?
We are not subscribing to any professional phishing service but are doing our own phishing drill. Can someone provide me a PDF file that will email back to me (indicating who clicked, with a message 'You failed this test' in the PDF) when our O365 Exchange Online users click on the attachment? I guess we have to whitelist such a PDF so that our AV doesn't block it from opening?
Hi I get this error:

Bios update error - phoenix technologies SCT flash ERROR 216 status = 1501

Can't find what the status description is.


Referring to the workaround given in the above link for 64-bit Windows,
  cacls %windir%\syswow64\jscript.dll /E /P everyone:N

when I checked on my 64-bit Windows 10, I don't see "everyone" in the ACL:
C:\Windows\SysWOW64\jscript.dll NT SERVICE\TrustedInstaller:F
                                NT AUTHORITY\SYSTEM:R

So should we instead remove the "R" (i.e. Read) access for Users & *APPLICATION PACKAGES?
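As an added example (it is not part of the post and not the vendor's published workaround), the PowerShell below applies the same deny-read idea to the principals that actually hold Read on a 64-bit Windows 10 copy of jscript.dll. It records the current DACL, adds a Deny ACE for Users (S-1-5-32-545) and ALL APPLICATION PACKAGES (S-1-15-2-1) on both the System32 and SysWOW64 copies, prints the resulting ACL, and shows how to remove the Deny entries again. It assumes an elevated prompt and the standard paths; the SIDs are used instead of names so the commands do not depend on the display language. A Deny ACE takes precedence over the existing Allow:R, so the effect is the same as the cacls line for "everyone" would have been.

```powershell
# Added example: deny read/execute on jscript.dll for the principals present on
# 64-bit Windows 10. Run from an elevated prompt.
$targets = @("$env:windir\System32\jscript.dll",
             "$env:windir\SysWOW64\jscript.dll") | Where-Object { Test-Path $_ }

# Well-known SIDs (locale-independent); icacls takes them with a leading '*'.
$principals = @{
    'Users'                    = '*S-1-5-32-545'
    'ALL APPLICATION PACKAGES' = '*S-1-15-2-1'
}

function Show-Dacl([string]$Path) {
    Write-Host "== $Path"
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights |
        Format-Table -AutoSize | Out-String | Write-Host
}

function Set-JscriptDeny {
    param([switch]$Remove)
    foreach ($dll in $targets) {
        # Keep a record of the DACL before touching it.
        icacls $dll | Out-File -FilePath "$env:TEMP\jscript-acl-before.txt" -Append
        foreach ($name in $principals.Keys) {
            $sid = $principals[$name]
            if ($Remove) {
                # /remove:d strips every Deny ACE held by that SID.
                icacls $dll /remove:d $sid | Out-Null
            } else {
                # Deny read+execute; Deny is evaluated before the Allow:R already present.
                icacls $dll /deny "${sid}:(RX)" | Out-Null
            }
        }
        Show-Dacl $dll
    }
}

Set-JscriptDeny            # apply the workaround
# Set-JscriptDeny -Remove  # undo it (do this before installing the fixing update)
```

Two caveats from practice: anything that loads the legacy JScript engine through these principals (IE, 32-bit WSH .js scripts, some installers) stops working while the Deny is in place, and servicing can fail or reset the DACL, so remove the Deny entries before patching and only re-apply if the update did not replace the file. If icacls reports "Access is denied" because the file is owned by TrustedInstaller, take ownership first (icacls <file> /setowner Administrators), make the change, and hand ownership back.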
In Windows 2012 R2 we have set up and assigned an IPsec policy. In the policy we did not specify an endpoint on the initial screen, since the IPsec tunnel is between two internal servers. My question is: is it required to have the firewall enabled and a rule set up to force all inbound or outbound connections through IPsec? I guess what I am asking is, will IPsec work if the Windows firewall is disabled? Right now we are trying to test the IPsec tunnel between the two servers and only see Key Deletions listed under the IPsec stats; everything else is zero and nothing is listed under associations.
I have a Windows Server 2016 computer with two NICs. One NIC is connected to the internal network (192.168.1.x) and the 2nd NIC is directly connected to the public internet and has a public static IP address assigned.
In other words, I can connect to it using the public static IP address with the Remote Desktop Connection program from outside the network.
When I check Event Viewer/Security logs, I see a ton of unauthorized login attempts using the "guest" login (which is disabled by default), Owner, Spare, Administrator and popular first names like "Paul", "Michelle", etc., and that is expected. FYI, I have secure passwords for the local administrator and domain administrator accounts.
Is there a way that I can block these hackers' login attempts unless they are coming from a certain IP address or a device with a specific MAC ID?
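Added example, not taken from the post: on Server 2016 the built-in Windows Firewall can scope the Remote Desktop rules to a list of trusted source addresses, and the 4625 events already in the Security log show who is knocking. The trusted addresses below are documentation ranges and an assumption; replace them with your own. MAC-based filtering is not possible for traffic arriving from the internet, because the source MAC seen by the server is that of the upstream router, not the attacker's device, so IP scoping (or better, a VPN in front of RDP) is the available control.

```powershell
# Added example: scope inbound RDP to trusted sources and summarise failed logons.
# Run elevated on the Server 2016 host; $trusted is an assumed list.
$trusted = @('203.0.113.10', '198.51.100.0/24')

# 1. The profile bound to the internet-facing NIC must actually filter inbound traffic.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

# 2. Narrow the built-in Remote Desktop rules rather than adding a competing rule:
#    a Block rule always wins over an Allow, so a "block everything else" rule
#    would also block the trusted sources.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $trusted

# 3. Verify the scope that is now applied.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 4. Which sources and account names have been hammering the box (event 4625)?
function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Top = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Source = ($data | Where-Object Name -eq 'IpAddress').'#text'
            User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Type   = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } | Group-Object Source | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name,
            @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

Note that with Network Level Authentication enabled, some failed attempts are logged with IpAddress "-" and logon type 3, so a group of failures with no source is normal; the firewall scope above stops them reaching the service in the first place.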

We had a past incident of an IT staff member who elevated his/her SharePoint privilege
to Site Admin.

What are some of the easier ways to prevent this from happening, other
than educating?

Any free tools or low-cost tools are welcome as well
We have several website and application links stored on a Windows network share. Recently we experienced a security warning: "We can't verify who created this file. Are you sure you want to run this file?". I tried adding the server and the share to the "intranet" zone, but it didn't change anything. This appears to happen to all our users. Can anyone suggest a fix that I can apply through Group Policy?
We have set up several Windows Server Essentials 2012/R2 servers for remote web access (Anywhere Access) with the free Microsoft remote web access domain name and certificate (i.e., company.remotewebaccess.com).  We are now receiving alerts on the server indicating that the remote access certificate is about to expire and needs to be "renewed with your Certification Authority."  Could you please let me know the simplest, most efficient way to renew the Microsoft remotewebaccess.com certificate we originally set up?

If that cannot be done, what is the most straightforward way to resolve this problem and keep Anywhere Access working?

Security certificates are not something I am very familiar/experienced with, unfortunately.

Thanks very much.
Using Group Policy, how can I remove groups/users from Local Users on local machines across the domain? Basically what we need to do is remove Domain Admins & Enterprise Admins from the local Administrators group & add a newly created "Local_Admin" group to the local Administrators group.
I have a windows 8.1 laptop using a windows account to login. I reset the password through windows live and am able to login to the site. My laptop will not accept the password. How can I force the laptop to sync with the new password I set online? Is there some way I can enable the admin account and delete or reset the password?
Where specifically in the Windows audit settings can you capture file-level access (can you also capture file deletes, file creations etc. in a single log)? I need to check what is enabled on a number of servers around this. Are there any specific risks/configurations in enabling this on larger file servers, and any feedback on whether the default Windows logs are the best tool to capture this data, or whether 3rd-party apps may be the way to go?
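Added example (not from the post) showing the built-in Windows mechanism end to end: file-level access is captured by the Advanced Audit Policy subcategory Object Access / File System plus a SACL on the folders you care about, and creates, writes and deletes all land in the one Security log (4663 access with the access mask, 4660 object deleted, 4656 handle requested). The script turns the subcategory on, applies an inheriting SACL to an assumed share root that audits only the rights that change data, checks what other servers have enabled, and queries the resulting events. The path, server names and time windows are assumptions.

```powershell
# Added example: enable file-system auditing, apply a focused SACL, read the events.
# Run elevated; $share is an assumed path.
$share = 'D:\Shares\Finance'

# 1. Enable the subcategory (effective immediately; a GPO setting overrides it).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# 2. Audit only rights that modify data; auditing ReadData on a busy share floods the log.
function Add-ChangeAuditRule {
    param([string]$Path, [string]$Identity = 'Everyone')
    $rights = [System.Security.AccessControl.FileSystemRights](
        'CreateFiles, AppendData, WriteData, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership, WriteAttributes')
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -LiteralPath $Path -Audit     # -Audit needs SeSecurityPrivilege (admin)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    (Get-Acl -LiteralPath $Path -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}
Add-ChangeAuditRule -Path $share

# 3. Check what is enabled on other servers (assumed names) with the same query.
# Invoke-Command -ComputerName fs01, fs02 { auditpol /get /category:"Object Access" }

# 4. Pull the events: 4663 = access (AccessMask 0x10000 = DELETE, 0x2 = WriteData),
#    4660 = object deleted, 4656 = handle requested (pairs with 4663).
function Get-FileAuditEvents {
    param([int]$Hours = 1)
    $f = @{ LogName = 'Security'; Id = 4663, 4660, 4656; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
            Object = ($d | Where-Object Name -eq 'ObjectName').'#text'
            Access = ($d | Where-Object Name -eq 'AccessMask').'#text'
        }
    }
}
Get-FileAuditEvents -Hours 1 | Format-Table -AutoSize
```

On a large file server the volume is dominated by 4656/4663 pairs, so audit the specific rights shown rather than FullControl, keep ReadData auditing to a small set of sensitive folders, and size the Security log (Limit-EventLog -LogName Security -MaximumSize, or the equivalent GPO) or forward it to a collector; sustained event rates and long retention are exactly where third-party file-activity products earn their cost, the raw data itself is the same.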
We have about 70 corporate issued iPads / iPhones & would like to harden them as per CIS benchmark.

Is there a free tool or MDM that could facilitate doing the hardening centrally rather than doing it device by device?
I am doing a review of permissions on a file server. There is a file share created for a specific department; for argument's sake we can say this is \\fileserver\department. When analysing permissions, at the share ACL the admin has granted NT AUTHORITY\Authenticated Users 'Full' permissions, and on the directory ACL they have given NT AUTHORITY\Authenticated Users Read, Write, Execute and, the concerning one, "Delete". These are taken from an MBSA scan of the server.

Within \\fileserver\department\ there are numerous sub-directories, e.g. \\fileserver\department\team1, \\fileserver\department\team2. A quick scan of the permissions set at these child levels shows they don't inherit the permissions set at \\fileserver\department, which is good from a data security perspective, as they are configured in such a way that they restrict access to only specific groups.

My concern, and what I am trying to determine whether I am right to be alarmed about, is this: if NT AUTHORITY\Authenticated Users has delete permissions at the root level, e.g. the \\fileserver\department level, could they just delete the sub-directories, e.g. \\fileserver\department\team1, \\fileserver\department\team2, or not? Does the fact that the permissions on folders such as \\fileserver\department\team1 are more restrictive make my concern that the NT AUTHORITY\Authenticated Users group has delete permissions at the root level less of an issue?
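Added example (not from the post) of checking this on the server itself rather than reasoning from the MBSA summary. Two NTFS facts drive it: deleting a child object requires either the Delete right on that child or DeleteSubdirectoriesAndFiles (FILE_DELETE_CHILD) on its parent, and a bare Delete right on the parent folder only allows deleting the parent, which in turn needs the children to be deletable first; and effective access through a share is the intersection of the share ACL and the NTFS ACL, so Full Control on the share grants nothing beyond what NTFS allows. The script walks the tree, reports every Allow ACE held by Authenticated Users that carries either delete right, and flags folders whose inheritance is broken, so you can see which subfolders actually diverge from the root. The path is an assumption and the script only reads.

```powershell
# Added example: where can 'NT AUTHORITY\Authenticated Users' delete under a share,
# and where is inheritance broken? Read-only; $root is an assumed path.
$root     = '\\fileserver\department'
$identity = 'NT AUTHORITY\Authenticated Users'
$FSR      = [System.Security.AccessControl.FileSystemRights]
$deleteBits = $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles

function Get-DeleteExposure {
    param([string]$Path, [string]$Who)
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        $acl  = Get-Acl -LiteralPath $f.FullName
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Who -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $deleteBits)) -ne 0
        }
        foreach ($a in $aces) {
            [pscustomobject]@{
                Folder         = $f.FullName
                InheritanceOff = $acl.AreAccessRulesProtected   # True = child does not inherit
                Inherited      = $a.IsInherited
                # Delete on this object: it can be removed (if it is empty or its children can be).
                CanDeleteSelf  = ([int]($_ = $a.FileSystemRights -band $FSR::Delete)) -ne 0
                # FILE_DELETE_CHILD: anything directly inside can be removed regardless of its own ACL.
                CanDeleteChild = ([int]($a.FileSystemRights -band $FSR::DeleteSubdirectoriesAndFiles)) -ne 0
                AppliesTo      = "$($a.InheritanceFlags) / $($a.PropagationFlags)"
            }
        }
    }
}

Get-DeleteExposure -Path $root -Who $identity | Format-Table -AutoSize

# The share-level ACL, for the intersection (run on or against the file server):
# Get-SmbShareAccess -Name 'department' -CimSession 'fileserver'
```

Read the output as follows: a row for the root with CanDeleteChild = True means team1 and team2 can be removed (once empty) whatever their own ACLs say; a root row with only CanDeleteSelf = True and InheritanceOff = True on the team folders means the root ACE does not reach them, and a user would need a delete right on team1 itself. The "Delete" MBSA reports is usually the generic Modify bundle, so the AppliesTo column (ContainerInherit/ObjectInherit) tells you whether it was ever meant to flow downward.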
I was told Exabeam UEBA charges based on the # of staff & no agent needs
to be installed on endpoints, as it correlates/uses Splunk's data.

Since this is "user behaviour", should we pipe users' PCs'/laptops' events
to the SIEM (have Splunk in mind), or in general do people only pipe servers'
& network devices' events to Splunk (i.e. PC events are not piped)?

Splunk gave me a spreadsheet for sizing which did not have a column
to input the # of PCs/laptops, while in the bank I worked for previously,
PC/laptop events were not piped to the SIEM. As Exabeam correlates/
analyses users' activities, shouldn't the PC events get piped as well?
I'm looking for ways (most likely auditctl or audit) to monitor Solaris files
(/etc/group, sudoers,  root's  cron.*) & if possible email out a notification
once content of the file(s) is modified.

Will need exact/detailed steps.

I'm on Solaris 10 x86.

File integrity monitoring tools (like Tripwire) are not an
option, as we just want to use built-in Solaris tools.
I'll need to monitor several "privilege escalation related" Solaris 10 & RHEL6 files using
ACLs (Access Control Lists):

a) /etc/group, /etc/sudoers, /etc/cron.daily (or .weekly or any crons owned by root):
    ACL to send to syslog (so that we can pipe to SIEM) when permissions, ownership
    or contents of the above files are changed

b)visudo, sudo, usermod, useradd    command binary files :
   when these are being executed/run, ACL to send to syslog (who & when it's being

Appreciate exact setacl samples (or the actual commands/settings in RHEL6 & Solaris 10
x86).
I have a shared folder where permissions for a user are not behaving as displayed in the folder properties. This user exists under a group called "Managers". Managers has been added to the "Share" folder's permission entries with Full Control, applying to "This folder, subfolders, and files".

This issue started with this user not being able to save files, delete files, create new folders, or move files to new folder locations, despite Full Control. In order to try to fix this issue I dragged and dropped the "Share" folder onto a FAT32 drive, then copied the folder back to C:\ (NTFS). This was to clear any permissions. Here are the exact steps performed.

1. Closed all files/apps using anything in the Share folder.
2. Verified all files were closed.
3. Created a copy of Share folder inside C:\
4. Copied original Share folder to FAT32 drive.
5. Deleted original Share folder from C:\
6. Copied FAT32 drive Share folder back to C:\
7. Set share settings on Share Folder
- Full Control
- Security Tab > Add Managers group > Assign full control
- Share Name > Share

After completing these steps, the user is able to save files and create new folders inside the drive, but cannot delete or move locations of a file/folder. The only file the user was able to move was one where the user was the owner.

The goal here is to have this user actually have full control of any folder/files inside the "Share" folder. Images attached of share folder properties and permissions.
We are looking at some interesting connections that appear to be inbound, from the snippet below:
Incoming connection from ( [source ip here] Port 46525 ) to svchost.exe

The source of the incoming traffic is connected to an external suspicious IP address and is not part of our infrastructure. We would like to see if there is a way to determine whether incoming traffic with svchost.exe as the communicating file can be reasonably whitelisted.

Is there a set of expected source IPs that we could reference that would allow us to sift out possible known external IPs that are valid incoming connections to an svchost.exe process running on an endpoint?
In general, does a Non-Disclosure Agreement cover
a)  information should not be disclosed even verbally?
b) accidental divulging of sensitive information?
c) that a vendor is working for this specific customer on a specific project?
d) the size of the data or database of the customer?
e) the value of the project?
How can I track files  that were moved to another location, for instance, from the local SSD to OneDrive?
The user is required by work to have BitLocker Drive Encryption turned on.  They have a desktop computer.
Dell Inspiron 3670
Windows 10 Pro   10.0.17134  Build 17134    12 GB RAM   Windows 10 is up to date

Every time we try and turn on BitLocker, we are unable to start BitLocker and get message  "An internal error was detected"

How can we get BitLocker installed?

