OS Security

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

Which one is best, Splunk or OSSEC, for security monitoring and alerting?

What's the best cyber practice for Windows servers in the DMZ: to be a member of
AD/domain or to be a non-member?

SWIFT & a couple of consultants recommended that standalone is deemed more
secure (can't recall the reason) & even recommended a dedicated AD for the few
critical servers.  Audit recommended that for such standalone servers we use 2FA
(with OTP) for users who need to access the local Windows account of these
standalone servers, as it is hard to enforce various local password policies (which
sysadmins could bypass).

In terms of enforcing hardenings/compliances (like in our case, we block
browsers from being used to access the Internet from servers, as well as CIS
hardenings), I felt joining the domain or being controlled by GPO is better.

Was told by Wintel admins that WSUS can't push patches to non-members
of AD.  Is this correct?

So to join AD or not join?  Which of the 2 is best practice?  In our case,
we can't afford to have one pair of DC/AD servers in the DMZ & another pair
in the internal zone.

What are the considerations for & against besides what I've listed above?
Was told that a PAM solution like CyberArk will require joining as a member: is
it just simply for single sign-on?

A previous Wintel admin once told me that to enable Windows clustering,
both cluster members must be members of the same domain: this is one
consideration, though for taking backups & AV, standalone servers are
well-supported by the various backup (Veeam) & AV solutions.

An undetected application removes startup items that are unsigned on my Windows 10, periodically. My guess, about once a week.

I put them back, then after a while they disappear. Those items are internal software that should have nothing to do with any machine cleanup.

I suspect Defender Cleanup, but cannot be sure about that. Maybe some setting?

Are CentOS 7's hardenings the same as CentOS 8's?

Currently CIS only releases a benchmark & script
for CentOS 7, but we prefer to use CentOS 8 so
that it'll last longer before end-of-life.

Refer to attached.

After setting the ssl_type to 'ANY' as per the CIS hardening
benchmark for our MySQL, access was denied.

What's missed?

We're running RHEL 7 OS.

Is there an exception or workaround for Windows 10 image 1607 to accept patch CVE-2020-0601 without failing at >90 percent and reverting back?

Is there a way via command line to set the "password min age"
to 0 & "password history" to 1 just for a few minutes & then set
it back?  Certainly will require domain admin for AD accounts.

This is for "interactive service accounts" for which we can't afford
the risk of not updating the password in the applications,
which we'll do manually once a quarter (if we remember to
do it).

A batch script will be great as we don't have PS installed.

How can I disable "USB storage" on the
below #4 via gpedit.msc or something else?

  ** Operating System = Windows 10 Pro
  ** Location = Home
  ** Domain = NO

 1. I log in as me
 2. USB storage works
 3. my 5 year old logs in
 4. no USB storage since I do NOT
    want child to copy data from
    bad USB drives onto PC

Hi Security Experts,

I've been using MSE and MBAM on W7 for many years, both with real-time protection enabled. They play nicely together and, as far as I can tell, they're providing good anti-virus/anti-malware protection.

My understanding is that Windows Defender in the current W10 (1909) is a significantly improved product. For home computers (not on a domain), do you think that WD by itself is sufficient protection or would it be better to run MBAM (with real-time protection), too?

Btw, while doing some web research before posting this, I saw that some folks are recommending MBAM without real-time protection, that is, run MBAM manually every so often (or when there's a problem) to check up on WD. But I'm wondering if it's OK to run MBAM with its real-time protection — will that conflict with WD? Thanks, Joe

I have a batch script setpwd.bat that contains only 2 lines:

echo off
net user /domain  my_ADid  Myp@ssw0rd

However, when I ran it, I got an error, & this is despite the fact that I'm changing my
own password, which I have the privilege to change, i.e. when I press Ctrl-Alt-Del
& select "Change Password", I can change the password.

What was amiss?  I'm on Win 10 which is
connected to our

C:\tool>echo off
The request will be processed at a domain controller for domain abc.com.
System error 5 has occurred.  <==
Access is denied.    <==

I'm using a new complex password (that was never used before) that meets
the GPO requirement.  The command below works though:

net user /domain myADid
(to list out my AD Id's attributes)

I should not need a domain admin to do this, right?

Our audit mandates that an SQL account used by SolarWinds must have
its password expired periodically (e.g. every 60 days) even though we convey
it is a service account.

a) if we forget to change the password prior to expiry, service is affected

b) if we try to set it to non-interactive, we get the error in the attached

In UNIX Nagios, I have a tool "changepass" that could change the password
of the Nagios interactive account periodically, which I could place in crontab
to set the password to an encrypted password, i.e. if this password is seen
by an unauthorized party, he still needs to decrypt it.

Thus, I plan to set this MS SQL account's password to expire every 60 days
& then set a script in Task Scheduler (or some sort of automated periodic
job in MS SQL/Windows) to do something like:
   net user /domain  SolarWindsOrionDatabaseUser  F1xedP@ssw0rd
(above command is for Windows, so I'll need the equivalent for MS SQL).

Certainly using the scripted/automated way of changing the password
(including re-using the password, i.e. bypassing the password
history) should not result in the password being expired: I know this
is against password history but I would still want it this way, pls.
When we have time/remember, we'll go into the script to change
the password to be set in the script.

Certainly the script has to be non-readable, or the password
F1xedP@ssw0rd is the encrypted password so that if it's leaked/
seen, no harm.

I've come across a case where a Windows file that GPO synchronizes to
(in an IT auditor's laptop) was corrupted & the GPO policy could not be
enforced on it.

Anyone recall which file this is?

With USB ports blocked by GPO enforcement, is there any way to
still bypass it to copy data in/out of the USB port if the user does not
have admin rights to the PC?  I heard of registry editing (of certain
keys but not all keys) which could be done by non-admin users,
so is this registry key for USB blocking editable by normal users?
If the user's PC doesn't join the domain while he's outside, will this
USB enforcement lose its effect or is it still enforced?

One other possibility is if the PC's HDD is not encrypted & the
BIOS is not password-protected, the user can still go into the BIOS to
make the PC boot up from a special CD, load a USB driver, mount
the HDD, (& even create an extra admin account) to copy
data out: this was an argument point with our auditor on
whether it's required to protect the BIOS with a password.

For IT audit purposes, what are some of the questions that an auditor should ask
during the audit interview, especially for Cyber, IT Infra, End-user computing audit?

What are some of the open-ended questions like "Can you describe your
network architecture", "what's your patch procedure/policy like", "what are
your perimeter & endpoint defenses" ...  <pls add on>.

Presume auditors should start with such open questions first before going
into more targeted questions?

What are some of the more targeted questions?
Eg: "how long is your backup retention for DB, logs, ...", "share some of
      the recent patch logs", ...<pls add on> ...

Our auditors subscribe to Teammate SaaS Prod in the cloud.
Teammate also offers a QA/UAT SaaS in the cloud.

Under what circumstances would sites out there subscribe
to QA/UAT Teammate SaaS?

What's Teammate QA/UAT used for?   Is there any development
work for Teammate that needs to be done in UAT 1st before
being ported over to Prod Teammate?

I've heard that our parent company's audit dept uses on-prem
Teammate & has both QA/UAT plus Prod environments.
Not convenient to ask the auditors, but curious what it's for.

Refer to the attached code with which we do input validation for
a reflected XSS:

we've increased the validations, but each time a rescan
is done, there's a new set of "patterns" that's not caught,
& the same pentester conveys we just have to follow
OWASP recommendations:

can anyone help review the attached & enhance it to
make it fully compliant?

The pentester says they can't possibly provide all the
possible patterns, so what does this mean?  No
closure possible, or can we reduce it to a minimum?
Our apps team is getting tired & claims the pentester
fails to provide the full patterns, while the pentester says
we just need to adhere to OWASP, so which is which,
as I'm confused who is right & what's best practice?

Does anyone have a sample table (which I need to submit in a monthly
ppt slide) for covering patching metrics?

I plan to have a column for virtual patches (as we use NIDS &
endpoint IPS) included, so columns like the following:

a) date vulnerability published by product principal
b) date virtual patch is released, tested in our UAT &
    implemented in Prod (which I'll indicate as 'NA'
    if not available)
c) date actual principal product (i.e. Oracle, RHEL, firewall
    vendor) releases their patches & date scheduled to
    test in UAT & date to deploy in Prod

Any other information/columns that I've missed?

In particular I have the following products to cover:
a) Solaris OS 10
b) Weblogic middleware
c) Firewall
d) WAF
e) Oracle DB
f) RHEL 6

Audit mandated we must enable password expiry for MS SQL accounts though we say they're service accounts:

From DBA: change cannot be implemented as it will expire service accounts.
"Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role"

What's the practice out there?
Can we automate changing the password quarterly & yet not affect service accounts (which I assume
do not need to know the password)?  One of them is Nagios.

Or set the accounts to non-interactive, & how to do it for MS SQL?

This may sound a bit crazy, but is there a way to protect sensitive data from programmers while they are developing the application? (Sounds crazy because the programmers have to see the data.)  For example, we are compiling social data of staff like family components, relationships, members' income, health issues, etc.  Management want to protect the data from the IT support techs that will support this app and from the programmers that will be developing the app.  If there is no way, and IT has to see all the data, what can a company do to manage this situation where very sensitive data is projected to be in the system?

What we have come up with is using dummy data (not real data) for developers to create the applications.  We will use this data from creation up to the validation stage.  In data import, the tech responsible has to see this data (so here there must be some sort of signed agreement); in the support stage, since the tech has to see the problem, they have to see data but will not have a test environment with real data.

What do you guys think? - any Experts with this type of experience, your input is fully appreciated.

We got an audit finding that our Solaris (& possibly Linux as well but I haven't
verified) OS account used for Nagios monitoring does not have password expiry.

However, when a Solaris account gets expired, it'll cause service disruption
(just like root's cron jobs): is there any way around this?

Can we set the SHELL for the nagios account to /bin/false or no shell so
that it's deemed a non-interactive account & doesn't require password
expiry?   Will Nagios still work with no shell or a false shell?

If we change the password of this nagios account periodically, do we
need to change it in Nagios (script or settings) somewhere?

Picking your brain about password policy.

I was checking a few password management best practices and some of them discourage the "forcing users to change the password" policy; they advise that users change their passwords if they suspect it's been compromised. I still believe that forcing users to change their password, coupled with other password policies, can really make a password more secure. I was wondering if anyone out there gave up on forcing users to change the password and what was the reason for that.

Thanks as always...

I've added the following settings in /etc/sysctl.conf as well as
issued 'sysctl -w ...' to make them effective as part of hardening.

My apps colleague rebooted the RHEL 7 VMs & now
Docker gives the error '503 Service Unavailable'.

How should I reverse them back: just by removing
those lines from sysctl.conf & rebooting (sysctl.conf was
quite empty initially), or by
re-issuing "sysctl -w ..." with the alternate value (i.e. if
it's 0, set it to 1 & if it's 1, set it to 0)?  But this doesn't
seem right as we don't know what the default
value was initially.  So how do we know what the
initial default value was before the change?

sysctl -w fs.suid_dumpable=0
sysctl -w kernel.randomize_va_space=2
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w …
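As an added example (not code from the original question), the POSIX shell functions below record the live value of each kernel key before a hardening run and restore exactly those values afterwards. They read and write the /proc/sys tree, which is what `sysctl -n` and `sysctl -w` do underneath; the SYSCTL_ROOT variable and the function names are this example's own assumptions (SYSCTL_ROOT is not a sysctl option), so the same functions can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example: snapshot sysctl values before hardening so the change can be
# reverted to the real previous values, not to a guessed "opposite" value.
# SYSCTL_ROOT is an assumption of this script: it defaults to the kernel's
# /proc/sys tree and can be pointed at a constructed directory for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# key_to_path net.ipv4.ip_forward -> $SYSCTL_ROOT/net/ipv4/ip_forward
key_to_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# current_value KEY -> prints the live value (same as `sysctl -n KEY`)
current_value() {
    cat "$(key_to_path "$1")"
}

# snapshot_keys SNAPFILE KEY... -> writes "key = value" lines in sysctl.conf
# syntax holding the values *before* hardening; this file is the revert data.
snapshot_keys() {
    snap="$1"; shift
    : > "$snap"
    for k in "$@"; do
        printf '%s = %s\n' "$k" "$(current_value "$k")" >> "$snap"
    done
}

# apply_conf CONFFILE -> applies every "key = value" line in CONFFILE
# (equivalent to `sysctl -p CONFFILE`); blank lines and # comments are ignored.
apply_conf() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        k="${line%%=*}"; v="${line#*=}"
        k="$(printf '%s' "$k" | tr -d ' \t')"
        v="$(printf '%s' "$v" | tr -d ' \t')"
        printf '%s\n' "$v" > "$(key_to_path "$k")"
    done < "$1"
}

# Usage (as root, BEFORE adding the CIS lines to /etc/sysctl.conf):
#   snapshot_keys /root/sysctl-before-hardening.conf \
#       fs.suid_dumpable kernel.randomize_va_space net.ipv4.ip_forward
# Roll back after a problem:
#   apply_conf /root/sysctl-before-hardening.conf   # or: sysctl -p that file
# and remove the lines from /etc/sysctl.conf so a reboot does not re-apply them.
```

If no snapshot was taken before the change, the honest reference is an unmodified VM of the same RHEL 7 release: `sysctl -a` on that box gives the pre-hardening values, and `sysctl -a` on the hardened box before and after each reverted key shows which one Docker depends on (net.ipv4.ip_forward is the usual suspect for container networking, but confirm it rather than assume).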

Refer to the attached list of group/world writable folders:
many of them are under the docker dir & some are owned by ftp.

Is it ok to remove group writable permission?

Those files owned by ftp: can we amend them to be owned by root?

During hardening, found the following group or world writable files.
Any harm if I do 'chmod g-w' or 'chmod o-w' on them:

rw-rw-r--. 1 root utmp 1920 Nov 15 15:26 /run/utmp
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/member
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/user
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/relabel
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/create
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/access
-rw-rw-rw-. 1 root root 0 Nov  8 20:47 /sys/fs/selinux/context
--w--w--w-. 1 root root 0 Nov 12 22:18 /sys/fs/cgroup/blkio/docker/09445bf1ebac906fb92c97d9140a42710796b2dd34bb3474c71794b131f4741b/cgroup.event_control
--w--w--w-. 1 root root 0 Nov 11 18:29 /sys/fs/cgroup/blkio/docker/e760f8367ab29e50ea04629d2d1466013a0d19510052470e0617bb169993e652/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/5370fc625a376632a22e470e0d490e11a1e10ce7b142d87f5854ea258a2a5567/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/cadac22712699622cc1554a6ced7f662fdc8dd62b5793516096dea0f9d268548/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/ffd11120a3e494232e67bb4517bcf358c5d2e1690935455b37db9bcd169e9320/cgroup.event_control
--w--w--w-. 1 root root 0 Nov  8 21:05 /sys/fs/cgroup/blkio/docker/0d93b13bbc417a4d59cc89c5e28160217c844d702f80ea29bb7740df86e1ef3d/cgroup.event_control
--w--w--w-. 1 root root 0…
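As an added example (not from the original post), the shell functions below list group- and world-writable regular files the way the CIS check is scoped: `find -xdev` never crosses into other mounts, so kernel-managed pseudo filesystems such as /sys, /proc, /dev and /run are not walked when the scan starts at /, and the fix helper refuses to chmod anything under those prefixes because their modes are set by the kernel (sysfs and selinuxfs entries, and the 0222 cgroup v1 `cgroup.event_control` files, are by design) or by a service (/run/utmp is group-writable by the utmp group so login programs can update it). The function names and the prefix list are this example's assumptions.

```shell
#!/bin/sh
# Added example: scope a writable-file audit to real, local filesystems and
# keep chmod away from kernel-managed paths. ROOT defaults to "/"; the test
# passes a constructed temp tree instead.

# is_pseudo_fs PATH -> 0 if PATH lives under a kernel/virtual mount where
# chmod is meaningless or harmful (assumed prefix list for this example).
is_pseudo_fs() {
    case "$1" in
        /proc/*|/sys/*|/dev/*|/run/*) return 0 ;;
        *) return 1 ;;
    esac
}

# world_writable ROOT -> regular files with the o+w bit, one per line.
# -xdev stays on the starting filesystem, which is what keeps /sys etc. out
# when ROOT is "/".
world_writable() {
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null | sort
}

# group_writable ROOT -> regular files with the g+w bit, one per line.
group_writable() {
    find "${1:-/}" -xdev -type f -perm -0020 2>/dev/null | sort
}

# fix_world_writable ROOT -> removes o+w from findings on real filesystems
# and prints what it changed; kernel-managed paths are reported and skipped.
fix_world_writable() {
    world_writable "$1" | while IFS= read -r f; do
        if is_pseudo_fs "$f"; then
            printf 'skip (kernel-managed): %s\n' "$f"
        else
            chmod o-w "$f" && printf 'fixed: %s\n' "$f"
        fi
    done
}

# Usage (as root): world_writable / ; group_writable / ; fix_world_writable /
```

Group-writable is a weaker finding than world-writable: before running `chmod g-w`, check which group owns the file and whether a service account in that group (the ftp user's group in the posted list, or the utmp group for /run/utmp) needs to write to it, otherwise the "fix" becomes an outage. Files owned by ftp under a Docker data directory usually belong to a container's UID mapping rather than to the host ftp account, so confirm the owning container before changing ownership to root.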

CIS RHEL7 doc recommends 1.2.3 "GPG keys are configured according to site policy".

What's the best practice?

On my RHEL7, I got the following; is it best-practice/compliant?
$ rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg-pubkey-fd431d51-4ae0493b --> gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
gpg-pubkey-2fa658e0-45700c69 --> gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>)
gpg-pubkey-7668xxxx-58axxxxx --> gpg(Docker Release (EE rpm) <docker@docker.com>)

When verifying for RHEL7 CIS benchmark compliance item 1.2.1
"Ensure package manager repositories are configured", got the
message below: is this an NC & what should be done to rectify it?

All the CIS doc says is "Configure your package manager repositories
according to site policy", but currently we don't have one:

$ yum repolist
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
repo id                                                     repo name                                         status
!docker-ee-stable-17.06/x86_64         Docker EE Stable 17.06 - x86_64     19
repolist: 19
