OS Security

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.


This article tries to be an eye-opener for a security aspect that should get more attention: watching the electrical power consumption of your computers! If you start reading this article and it does not sound security-related, just have a little patience and be assured: it is.
Playing the Triage Game
The intent of this article is not to tell you what solution to use (you know that better) or to make a big-bang change to your current regime (which you are well aware of), but to share how that regime can be made better and more effective at streamlining the implementation of multiple patches.
In computing, vulnerability assessment and penetration testing are both used to assess systems in light of the organization's security posture, but they serve different purposes.
An incident response plan is an organized approach to addressing and managing an incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
Reset Login Password in Windows 10
This tutorial shows a simple method of resetting a forgotten Windows 10 password, on both a physical machine and a VirtualBox VM, without the need for any third-party tools. Both local and Microsoft-connected accounts are covered. Enjoy...
Win 10 - Audio Problem
It is a real story and is one of my scariest tech experiences. Most users think that IT experts like us know how to fix all computer problems. However, if there is a time constraint and you MUST not fail the task or you will lose your job, a simple task might turn out to be your scariest experience.
This article provides an easy one-stop reference for quickly finding the relevant information on commonly asked questions about ransomware on Experts Exchange.
OfficeMate Freezing Error
OfficeMate Freezes on login or does not load after login credentials are input.
Share your personal details only on a need-to-know basis. Take charge and secure your identity.
How do I then protect myself and stay in charge of my own personal details, in my own way?
Container orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to a distributed, datacenter-wide platform that lets them scale with a single click.
This is a short article about OS X KeRanger, and what people can do to get rid of it.
Author Comment by Justin Pierce, CEH, CNDA:
Hi Ericpete,

Sorry for the reference to Intego and my site. I've removed the lines that you've asked to be taken out. Again, I'm sorry for the mishap.

Thank you for your time and take care.

vr,

Justin
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of our experiences, plus what we learned from spending a lot of time with Jeremy Moskowitz's GP books.
Recently, I read that Microsoft had analysed statistics for their Security Intelligence Report. It revealed that the clear majority of Windows users still do their daily work as administrator. An administrative account is a burden, security-wise. My article will show an alternative.
Expert Comment by Peter Wilson:
Can anyone answer my questions regarding this article here: https://www.experts-exchange.com/questions/29077198/No-Admin-Password-Yubikey.html ? It would be much appreciated.
Author Comment by McKnife:
Let me add something to the discussion Shaun started about whether one should rely on GPOs to remove the danger that this account will be used in scripts (see Note 1): if you want to make perfectly sure that this is set, you can add a single line to the action that the account-enabling task "adminactive" of step 5 performs. Make it

cmd /c net user admin /active:yes & reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /f LimitBlankPasswordUse | findstr 0x1 || msg * Attention, check LimitBlankPasswordUse-policy!

This will show a warning popup making you aware that this value was changed.
I will edit the article now accordingly at step 5.
Security measures require that Windows be logged in with a Standard User account (not Administrator). Yet sometimes an application has to be run "As Administrator" from a Standard User login. This paper describes how to create a shortcut icon that launches applications with the "Run as Administrator" option.
Expert Comment by Yashwant Vishwakarma:
Good One Fred.
Voted Yes :)
Expert Comment by Senior IT System Engineer:
This is cool and useful for PCI-DSS compliant environment.
The intent is not to repeat what many already know about ransomware, but rather to connect the dots: what it is, who the victims are, why it exists, and when and how we respond to an infection. Lastly, it sums everything up at a glance, so you can share the information and help family and loved ones avoid becoming the next victim.
Expert Comment by MAS (MVE):
Thanks Btan. Really helpful. Appreciated your effort.
Author Comment by btan:
No worries. There are many other good articles, and you can check out the FAQ too.
Users of Windows 10 Professional can disable automatic reboots using the Group Policy Editor. This tool is not included in the Windows Home edition. But don't worry! Follow the instructions below to install a (Windows 7) policy editor on your Windows 10 Home edition.
Author Comment by Joost Kuin:
Take back control of your Windows Updates!
Expert Comment by evilrix:
This comment is in no way meant to shine a negative light on this article or the author; it is just a general message of caution and advice that a careful computer user should consider before making changes that may modify their machine or running a binary from an unknown source.

CAUTION: Anyone who wishes to try this, please be aware that it is your responsibility to make sure you back up your machine first, and that the risks of any damage caused by attempting this are entirely your own. You should also be aware that running an executable from an unknown source (remember, EE neither supplies nor advocates the execution of the binary achievement in the article) should always be met with a high level of caution, and so you are strongly encouraged to scan the file with an up-to-date and reputable anti-virus tool (both before unzipping it and after) before running it.
No security measure guarantees 100% protection; there is no "silver bullet". The truth is that we can only adopt a defensive and vigilant posture. Trust nothing by default, and assume you are neither anonymous nor invisible. Safeguard your privacy!
In a recent article here at Experts Exchange, I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to running Nuance's PaperPort 14.5. I received a private message from a fellow PaperPort user who read the article asking me if I'm aware that Windows 10 is using my computer to help distribute itself. I was not aware of it!

Perhaps I missed this during my nine-month experimentation with the W10 Technical Preview, or maybe Microsoft added that feature only in the official release (Build 10240), but when I checked it out, it was true. I was very surprised to find that W10 is, in essence, using my PC as a peer-to-peer server for distributing updates and apps, and I figured that other Experts Exchange members may also not be aware of it. So I decided to write this article, which also shows how to disable it.

Sidebar:  During the article review process, an EE Page Editor (MASQ) pointed out that this feature was introduced in March with Build 10036 — I did, indeed, miss it! My thanks to MASQ for this information, and for providing a link to Leaked Windows 10 build hints at peer-to-peer patching, an interesting article about it in The Register.

First, I'll explain how to find the feature (the screenshots in this article are from Version 10.0, Build 10240, created via an automatic update from the Technical Preview version of the Windows Insider Program):

Expert Comment by MtHolly:
So, does turning off WUDO "Updates From More Than One Place" stop my system from distributing Windows 10 and updates?  Or, just stop it from getting updates from unknown sources?
Author Comment by Joe Winograd, Fellow & MVE:
Hi MtHolly,
Turning it off does both — (1) stops your system from getting updates and apps from other PCs (meaning it gets them just from Microsoft) and (2) stops your system from distributing/sending updates and apps to other PCs. Regards, Joe
The term "BadUSB" is a buzzword usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern Windows systems (Windows 8.x and Windows 10) offer to fight these attacks without using non-Microsoft tools, or even security software that we would have to pay for.

Let me show the attack types that can be easily defeated:

1. Your computer is found unattended and someone connects a USB drive (stick, hard drive or smartphone) to collect some of your data.
2. Your computer is found unattended and someone tries to run a script to infect it. Knowing that we are prepared for type-1 attacks, the attacker comes with a USB Rubber Ducky style device: a special USB memory stick that masquerades as a keyboard in order to circumvent countermeasures against USB sticks. That way it can act as a keyboard and type thousands of lines of malicious code per minute. The Rubber Ducky attack is very dangerous, since your computer can be infected in seconds even with current anti-virus software.


The concept:
A USB device, like any other device, needs to be installed in order to work. This takes a few seconds, which is long enough to launch a counter-attack and uninstall that device again before the attacker can use it. Starting with Windows 8, the event log records USB device installations, so we can use these events to trigger the …
Author Comment by McKnife:
Hi James.

When an .exe is run, it's already too late. So until the removal action would have started (triggered by some mechanism, doesn't matter), the exe code is already inside the RAM of your computer and it will not help to uninstall the device, then.
What we could do, is trigger certain actions when the device is plugged in, like for example search the whole device for *.exe or *.com and if found, uninstall the device. But that might take a few seconds and it could be that this process is too slow, so that the exe is already started manually while the search is still on it.
Author Comment by McKnife:
Oh James, something that will interest you!
I just "strolled" through our GPOs and came across a setting that I almost forgot: starting with win7, we can deny not only read/write but also execute access (separately) on removable devices by GPO! See https://technet.microsoft.com/de-de/library/hh125922%28v=ws.10%29.aspx?
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each user. It's also an effective way to make sure users who give no thought as to the proper place to save a document don't lose data, and to prevent data from being stolen or lost in the event a workstation dies or is stolen.

However, the biggest battle I have fought in maintaining our new "cloud" environment has been the Saved Games folder. I'm unsure which of the Microsoft security gurus decided this folder needed to be even more tightly protected than the .NET Framework folder, yet I constantly have users calling me with error messages on the screen saying they can't reach their AppData folder, because the Saved Games folder has messed up the permissions inheritance in the user's profile.

When I check the permissions, all is fine: the appropriate accounts have the proper permissions, and the user is listed as the owner of the profile folder. But enforce ownership or inheritance on subcontainers and, more often than not, the message "You do not have permission to read the contents of Saved Games. Do you want ... Full Control?" appears. Of course, answering 'yes' accomplishes nothing, as not even the server or domain administrator accounts can do anything with this folder without expressly taking ownership of Saved Games.
Many people tend to confuse the function of a virus with that of adware. This misunderstanding of the basics of what each piece of software is and how it operates causes users and organizations to take the wrong security measures to protect themselves against attacks.

For starters, let's define what they are: a virus and adware are two different types of malware, each exploiting different aspects of the computing architecture to carry out its payload. Malware is simply a category used to refer to software designed to disrupt normal system operations; examples of malware are viruses, adware, spyware, Trojans, rootkits, bots, etc.

Let's go back to our original topic and go over what makes a computer virus a virus: a computer virus is a malicious program that can replicate itself without user interaction by exploiting operating system, application and software vulnerabilities. What the virus does after it has been executed is another story, though the common denominator is that it will disrupt normal system operations and attempt to replicate itself.

Something interesting about computer viruses is that, as sophisticated as they can be, most of them prey on users' vulnerabilities for the initial installation, also known as social engineering. "Good" virus writers also study human behavior and emotions (hence the I Love You virus); they plan their initial attack to align with special occasions, dates, …
Expert Comment by Thomas Zucker-Scharff:
Jorge,

This is an excellent article, but I am surprised that you did not correct more of the mistakes - they make it harder to read (I'm also surprised that a page editor didn't point that out).
Expert Comment by Yashwant Vishwakarma:
Another good article, voted YES.

Regards,
Yashwant Vishwakarma

This is a guide to the following problem, which is not exclusive to Windows but is treated here for Windows:


Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge.


Any admin who takes security seriously fears attacks by his own colleagues. Thus he faces a small dilemma with user support: strictly speaking, each user PC is "enemy territory". We do not know if the user has evil intentions and might have prepared his already compromised machine, only waiting for us. How to authenticate there without running the risk that the user will somehow capture our password or hash?


Many questions arise:

  • Do we use remote assistance, remote desktop or TeamViewer?
  • Or walk over to the user and enter the password while he watches?
  • Or visit his computer (physically or from remote) "after hours"?
  • Do we use local Admins, or a/the domain admin or do we create an AD Group with delegated privileges? 
  • How do we maintain the passwords? Write lists, memorize, or set all to the same one?
  • Do we type that password in our own session only, or inside the user's session but only on the secure desktop of a UAC prompt, or may we use it with RunAs? Or would it be better to use 2-factor authentication?
  • Or shall we "surrender" and give all users admin rights so they can solve their problems alone? ;-)

You can find various recommendations, including from Microsoft, but I want to exhibit and recommend my own approach here. It comes without two-factor authentication, without additional software, and is robust. I have been using it for more than a year now.


The main idea is: there is no need to use an account that is admin on more machines than the supported one! We are working on one (1) machine, so why should we use an account that is admin on all clients? The reason is convenience. And we pay for that laziness -- anyone familiar with mimikatz and similar exploitation tools will agree. I will show an alternate way that is secure and still convenient.


The usage scenario: User needs support, the problem has been identified: it is not a user profile problem so we will not need to work inside the user's session, but unfortunately, admin rights are needed to fix it. Still, the goal is to leave no exploitable credentials on the supported computer.


My intention is

  • to have one support admin account per computer
  • to have access to domain resources with this account 
  • to enable this account only for the period of the support case
  • not to create any password lists (I'll show that you do not even have to enter a password at all)

Now let's start:


Step 1: For each PC ("somePC") I automatically create a disabled user account "adminsomePC" with a random password that can log on nowhere. To that end, the logonworkstations parameter is set to a fictitious name (here: fantasynamehere). We can create a list.txt with all PC names inside and then run the following at the DC:

for /f %a in (list.txt) do net user /add admin%a /random /active:no /WORKSTATIONS:fantasynamehere

Step 2: These accounts live in their own OU, to which the (weak) support employee accounts get delegated full rights (using the Delegation of Control wizard) in order to set those admin accounts active/inactive.


Step 3: A domain startup script makes the corresponding account a member of the local Administrators group:


net localgroup /add administrators admin%computername% 

Step 4: If a supporter needs admin rights on somePC, he enables that adminsomePC account via a script (see below), lets the script set a new password and, at the same time, store these credentials in the Credential Manager of his own computer and automatically open a Remote Desktop connection to somePC. When he's done, the support account is disabled automatically.


The script itself is simple batch code, refined with a PowerShell script scripts.zip\Day6-PowerShell\GenerateRandomPassword.ps1 (public domain) from http://www.sans.org/windows-security/files/scripts.zip that generates random passwords (adjustable length, default: 15).


@echo off
rem Ask which PC needs support (the trailing %=% keeps the space after the colon)
set /p target=What machine?: %=%
rem Generate a random password, enable the per-PC support account for exactly two
rem workstations (ours and the target) and cache the credential for RDP to the target
for /f %%a in ('powershell \\server\share\GenerateRandomPassword.ps1') do net user admin%target% %%a /domain /active:yes /workstations:%computername%,%target% & cmdkey /add:TERMSRV/%target% /user:netbiosdomainname\admin%target% /pass:%%a
start mstsc /v:%target%
rem Press any key when the support case is done: the account is disabled again
pause
net user admin%target% /active:no /domain


The account can be used to help via RDP completely safely. If you terminate the batch correctly by pressing any key, that account is deactivated again immediately. But just in case, you should create a task that deactivates all support admins after working hours and schedule it to run on your DC. I had to edit GenerateRandomPassword.ps1 minimally to fit my needs. I commented out line 65:

#1..20 | foreach { Generate-RandomPassword -length $length } ; "`n"

and I added:


1 | foreach { Generate-RandomPassword -length $length } ; "`n"


That's it.

Certainly you can further refine this, my intent is to provide the base.

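One way to build the after-hours cleanup task that Step 4 recommends but does not show, as an added PowerShell example (not the article's own code): it assumes the RSAT ActiveDirectory module on the DC, and the OU path ($SupportOU) and script location ($ScriptPath) are placeholders to adjust.

```powershell
<#
  Added example, not from the original article: disable every per-PC support
  admin account (Steps 1-4) that was left enabled, and optionally register a
  daily scheduled task on the DC that does so after working hours.
  Assumptions: RSAT ActiveDirectory module present; $SupportOU and $ScriptPath
  are placeholders for your own OU (Step 2) and for where this file is saved.
  Run once with -Register to create the task; run without parameters to clean
  up immediately.
#>
[CmdletBinding()]
param([switch]$Register)

Import-Module ActiveDirectory

$SupportOU  = 'OU=SupportAdmins,DC=example,DC=local'   # placeholder: the OU from Step 2
$ScriptPath = 'C:\Scripts\Disable-SupportAdmins.ps1'  # placeholder: where this file lives
$Nowhere    = 'fantasynamehere'                        # the "can log on nowhere" value from Step 1

function Disable-SupportAdmins {
    # Any account in the OU that is still enabled (supporter forgot to press a
    # key, batch window was closed, DC rebooted) is disabled, gets a fresh
    # password nobody knows, and its workstation restriction is reset. A
    # credential still cached in a supporter's Credential Manager is then
    # useless even if the account is enabled again later.
    $left = @(Get-ADUser -SearchBase $SupportOU -Filter 'Enabled -eq $true' `
                         -Properties LogonWorkstations)
    foreach ($acct in $left) {
        # 20 distinct random printable ASCII characters; never displayed or stored
        $pw = -join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
        Set-ADAccountPassword -Identity $acct -Reset `
            -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
        Set-ADUser -Identity $acct -LogonWorkstations $Nowhere
        Disable-ADAccount -Identity $acct
        Write-Host ("Disabled {0} (was allowed on: {1})" -f $acct.SamAccountName, $acct.LogonWorkstations)
    }
    return $left.Count
}

if ($Register) {
    # Daily after office hours, as SYSTEM on the DC (which may modify domain
    # accounts), whether or not anyone is logged on.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '19:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                     -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Disable support admins' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Host "Registered daily cleanup task running $ScriptPath at 19:00"
} else {
    $n = Disable-SupportAdmins
    Write-Host "$n support admin account(s) were still enabled and have been disabled."
}
```

Note that the article's batch file stores the credential with cmdkey /add but never removes it; a cmdkey /delete:TERMSRV/%target% after the pause clears it from the supporter's Credential Manager once the account is disabled.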
Expert Comment by Alan:
Hi McKnife,

Great article - thanks!

Question: Are you leaving this line:

net localgroup /add administrators admin%computername%

in your login script permanently, so it runs on every machine at every login?

Thanks,

Alan.
Author Comment by McKnife:
It's no logon script, but a startup script and yes, you can leave it, it does not matter if it's executed several times.
In today's information-driven age, entrepreneurs have many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services such as Amazon Web Services (AWS) or Microsoft Azure, startups and founders can ramp up new web servers, blogs and data stores more rapidly and affordably than ever before.

Cloud Security
The cloud presents great business opportunities, but it can also lead to legal and financial hot water if you cut corners. Skipping or glossing over data protection safeguards can of course lead to brand damage, financial penalties, loss of customer trust and even put you out of business.

To help startups and entrepreneurs launching or expanding their small businesses into the cloud, I will walk through a "real world" example of how to deploy a more secure solution for your business using Amazon's AWS cloud platform.

I will also include some non-technical guidance that should be applicable to any cloud service provider you choose.

Amazon Web Services (AWS) Overview

You will first find that the AWS cloud service is flexible and broad, with security, automation and management tools available within a click of the mouse. You can purchase only what you need by 'renting' a smaller server or two with lower capacity (memory, CPU, etc.), and then scale out to more systems and greater capacity as your business needs and web traffic grow.

AWS Console
Expert Comment by Eric AKA Netminder:
Netminder,

Thanks for the assist.

Frank,

Your article has been published, and we have awarded it EE-Approved status as well. Congratulations!

ericpete
Page Editor
As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected system and how far it was able to get within that system.

With a number of organizations impacted by this virus at an enormous rate (90% or higher internal infection), this virus has proven to be the most complex cleanup I have had to deal with. This may be because it is the first zero-day infection that I personally witnessed.


IMPORTANT - The information and eradication steps provided below are written with the assumption that you understand how to read and modify your system registry, security settings, and basic system commands.  Performing any of these operations incorrectly could seriously damage your computer.  If you do not understand the information provided and you are not confident you can handle this process by yourself, take your computer to a skilled professional for service.


Resident Location and Behavior
This variant of Qakbot starts with a randomly named executable (EXE) file in the root of the boot drive on a Microsoft Windows based system.  It doesn't matter if it is Windows 7, 2000, XP, or Vista - or Windows Server 2000, 2003 or 2008 for that matter.

A Windows service is created and started to launch the virus into memory, allowing it to propagate deeper into the…
Expert Comment by Analog_Kid:
Nice!
Author Comment by Delphineous Silverwing:
This virus has mutated and is now depositing itself into a couple of other locations. If you are manually cleaning a machine, then these should be checked as well:

C:\Documents and Settings\Administrator\application data\microsoft
C:\Documents and Settings\<User>\application data\microsoft
C:\Users\administrator\appdata\roaming\microsoft
C:\Users\<User>\appdata\roaming\microsoft
C:\Windows\prefetch

Substitute <User> with each of the User profiles loaded on this machine.  In current cases Qakbot is installing itself within the profile of the currently logged on user, rather than All Users as previous versions of the virus.

This newer variant of the QAKBOT virus saves a copy of itself in the prefetch folder of modern Windows versions. This is a new behavior for this virus; some previous variants saved themselves within the Windows System Restore data.
Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality.

That was my job.

Being a lazy sort, there was no way I was going to walk around to each individual workstation for fifty-plus client sites and run utilities.

There's a hack for that.

1. Gather the tools


You'll need some software to be able to complete all the tasks in this guide:
      * Visio 2007
      * Microsoft Active Directory Topology Diagrammer (ADTD)
      * Microsoft Baseline Security Analyzer (MBSA)
      * DumpSEC
      * Lansurveyor Express (registration required for trial version)
      * SaveAsPDFandXPS
      * NMAP
      * The USERS+GROUPS.BAT file, listed below:
@echo off
REM Gets all users by sam
dsquery user -o samid -limit 0 >users.txt

REM Gets all users with 90+day passwords by sam (output file name assumed)
dsquery user -stalepwd 90 -o samid -limit 0 >stalepwd.txt
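A PowerShell equivalent of the USERS+GROUPS.BAT idea above, as an added example (not the author's own file), for sites where the ActiveDirectory module is handier than dsquery; it assumes the RSAT ActiveDirectory module, and the output file names are my own choice.

```powershell
# Added example, not part of the original article: dump all users, users with
# stale (90+ day) passwords, and every group's membership to text files for the
# network audit described above. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Export-UserAudit {
    param([int]$StaleDays = 90, [string]$OutDir = '.')
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $users  = @(Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires)

    # All users by sAMAccountName, like "dsquery user -o samid -limit 0"
    $users | Select-Object -ExpandProperty SamAccountName |
        Sort-Object | Set-Content (Join-Path $OutDir 'users.txt')

    # Enabled users whose password is older than $StaleDays, or was never set,
    # like "dsquery user -stalepwd 90"; PasswordNeverExpires is included because
    # those accounts are the ones that stay stale forever
    $stale = @($users | Where-Object {
        $_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
    })
    $stale | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
        Export-Csv (Join-Path $OutDir 'stalepwd.csv') -NoTypeInformation

    # The GROUPS half of the batch file's name: one line per group member
    # (group, member, object class), nested membership expanded
    Get-ADGroup -Filter * | ForEach-Object {
        $g = $_
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { "{0}`t{1}`t{2}" -f $g.SamAccountName, $_.SamAccountName, $_.objectClass }
    } | Set-Content (Join-Path $OutDir 'groups.txt')

    return $stale.Count
}

$staleCount = Export-UserAudit -StaleDays 90 -OutDir '.'
Write-Host "$staleCount enabled account(s) with a password older than 90 days; see stalepwd.csv"
```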
Expert Comment by drdoug99:
Awesome article....thanks for making it!