OS Security




Articles & Videos



Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.


We have heard that it is possible that TrueCrypt can be accessed when the volume is mounted and its keys be retrieved.

What considerations should one take into account for this possible breach of data?

... and do other OTFE apps suffer the same conditions or flaw?

Please advise.


The vendor who does our security audit expressed concern about the SSL certificate we are using on our websites. They mention version 3 and TLS v1 are not secured.

I checked that the version of the cert we purchased is SHA-2.

I usually purchase the latest version cert and apply it to my IIS website. Are there additional things I need to do?

Please advise.  

Can you please suggest the best IT security vulnerability reporting software, like HackerOne, which will also be cost effective?

Is there any Windows (such as Windows 7) update patch for dealing with the WannaCry threat?

I've got the existing Exchange Server 2013 Standard SP1 that is running as MBX&CAS role in one AD site called Default-First-Site-Name.
I want to decommission it so that I can run the both MBX & CAS on new Win2012 R2 VM so I can configure DAG on the other AD site called Head-Office1.

AD Site Default-First-Site-Name
PRODMAIL14-VM [Mailbox & Client Access Server] - Windows Server 2008 R2 existing legacy.
PRODMAIL15-VM [Mailbox server only] - Windows Server 2012 R2 newly built for DAG.

AD Site Head-Office1
PRODMAIL20-VM [Mailbox & Client Access Server] - Windows Server 2012 R2 existing newly built for DAG.

AD Site Default-First-Site-Name
PRODMAIL14-VM [Decommissioned]
PRODMAIL15-VM [Mailbox & Client Access Server] - Windows Server 2012 R2 setup for DAG with Head Office.

AD Site Head-Office1
PRODMAIL20-VM [Mailbox & Client Access Server] - Windows Server 2012 R2 existing newly built for DAG with PRODMAIL15-VM.

How to do that safely without causing email flow issues during the production business hours?
What are the steps in installing CAS so that it does not cause any email flow issue during the business hours on PRODMAIL15-VM?
If I install the Windows update now during the business hours on PRODMAIL15-VM, is there any impact or problem when I reboot it?

Thanks, in advance.

I need to know if there is a way to track how many files users download/copy from our file server. I know I can turn on Auditing using group policies, but is there a better way to do this? Also, will the auditing tell me who and how much was downloaded/copied?

I've seen the questions and answers about using /etc/pam.d/system-auth and "auth required pam_lastlog.so inactive=30" (I also added it to /etc/pam.d/gdm), but that seems to depend on lastlog, and users logging into gdm are not tracked in lastlog.

Making the password alone lock isn't enough since I want to lock for smart card login as well.

Do I need to implement a script/cron to track inactivity? Or can pam really take care of this for gdm logins?

Thanks in advance!

I'm looking for zipping tools that could create zips with password
for OS/400 R7  platform so that sensitive data in files are encrypted
& when we sftp over to Windows/Unix, the encrypted zipfiles are
sent over : for PCI-DSS compliance, we want data at rest to be
encrypted both at AS400 & the Windows/Unix ends.

Ideally the zipping tool can be called by RPG & Cobol

In Unix, we can 'pipe' data stream directly into a zip; would be good
to have this feature for the AS400 tool.  

Also, we have tons of logs (eg: audit trails) taking up valuable space
in AS400 so this zipping can hopefully reduce the size of these

A consultant has recommended to disable the 2 attached settings on our PCs/laptops:
considering we have about 2% of our PCs that are offsite & can't join our AD, which
approach should we adopt?

harden registry via GPO (ie enforce by GPO which I think won't help with that 2% &
when new laptops are cloned, there is a few days they won't be used which I'm not
sure if someone will bring the laptop somewhere to try to crack the password) or
clone image/local security policy or both?

Can't attach screen shots now: something's wrong with my IE; will attach later

This is what I have.
user teacher1
teacher shared folder
              teacher1 folder

teachers group share folder    
                sharing shared
                       with advanced permissions of
                                      authenticated users full control
                                      domain admin full control
                                      local file server admin full control
                 security permissions
                                        domain admin owner
                                       creator owner full control subfolders and files only
                                        authenticated users read/execute this folder only
                                        system full control this folder, subfolders and files
                                        local admin full control this folder, subfolders and files
                                        domain admin full control this folder, subfolders and files
                                        domain group teachers read/execute this folder, subfolders and files
                   teacher1 folder
                                                administrator owner
                                                administrator read/write
                                                teachers read
                                   advanced sharing none

Hi Experts
I need a batch file to change permissions on a folder and its sub folders to the following:
remove every user's permissions except the administrator, and the administrator only has the read only option

There are concerns that trojanized USB sticks are shipped with the following 2 servers below.
What are the best practices if the USB ports can't be disabled?    Physically block the ports,
use specific encrypted USB thumbdrives that don't require drivers (saw one such EE link)
or ??  Kindly provide risk assessments & any other mitigations.

Below is the response from the vendor:

For HMC Servers :
For HMC server (7042-CR6), it's likely that the HMC server's BIOS does not have the option to disable the USB ports.

For P750 Servers :
With reference to the P750 model server (8408-E8D), there are a total of 4 x USB ports, which are integrated with the different hardware components (cards & control panel) of the server.   Below are the details:

1. Control Panel                        
-- 1 x USB port integrated. No option to disable as it's built in together with the control panel.

2. Service Processor Card        
-- 1 x USB port integrated. This USB port is used for server firmware upgrade purposes for servers that are not managed by any HMC. Thus it's built in together with the service processor and there is no option to disable.

3. Integrated Multifunction Card (an integrated card that is installed in the System CEC that provides two USB ports, one serial port, and four ethernet connectors)
-- 2 x USB ports integrated. This card is not assigned to any of the partition's profile, thus it's not recognized as part of the partition's hardware config. As such, it is not …

Hello All,

I am stuck with a very odd issue.

One server running with 2k8r2 last patched on Aug 2015 not due to wannacry client asking to patch the server.
If I am checking the old patches in WSUS, it's showing declined & expired.
This server doesn't have internet. I tried to install the monthly rollup for March but it failed.

Is there any way to patch the server?
Please help

Hello All,

WSUS client running with win2k8 R2 unable to sync with WSUS server running windows 2k8r2.

Performed many steps as mentioned below but no luck, please help

1. Stop the Automatic Updates service and BITS service.
net stop wuauserv
net stop bits
2. Delete “%windir%\softwaredistribution” directory.
3. Start the Automatic Updates service and BITS service. When these two services
have been started, they will auto-create “softwaredistribution” and its subfolder
at system directory.
net start wuauserv
net start bits
4. Stop the Cryptographic Services
5. Rename the C:\windows\System32\catroot2 folder
6. After the “%windir%\softwaredistribution” directory has been generated, please
let the client contact the WSUS server immediately.
wuauclt.exe /resetauthorization /detectnow
7. Checked the WSUS client dll version, found updated.
8. Run sfc /scannow
9. WSUS cleanup wizard executed
10. Windows Update troubleshooter executed but still same issue
11. Windows update log didn't help.
12. Checked registry path & found client pointing to correct WSUS server.
13. Able to browse the http:// wsus server IP
14. Server patch level updated.

I am trying to deploy the latest security patch through Ninjarmm for several clients. I think it has to be applied through the command line. Is there a way to deploy it to multiple clients at one time remotely using Ninja?

Hello there!

As you know, the WannaCry infection exploits the Samba v1 protocol.
So it's good to disable it.

What to do with old WinXP client machines that only use Samba v1 to connect to the Windows server?
What exactly does the latest Windows XP update do for this problem? Does it make SMB v1 more secure?
Is there a workaround to use SMB v2 in WinXP? Windows server is 2008 R2.

I wish to change my password!

Hi All,

We are using Sophos EndPoint antivirus, but now we have decided to change the product, meaning we have started to evaluate different antivirus products. The reason we are changing from Sophos is that we got hit by the Miner C virus a few times, and Sophos EndPoint or their support was not able to resolve it.
Anyway, we are going to meet a tech and see a live demonstration of Kaspersky. Is that a good product? What others should we try? What questions should we ask them?

Our main need for an antivirus product is to provide a secure environment to staff, generate reports, lock USB drives and also manage company mobile phones (wipe/lock if a device gets lost), and exclude or include whitelistings for applications. Anything else we should look at or explore in antivirus products?

I need to find a way to patch my servers by function. I want to patch the dev/test server, wait a week, patch the QA/staging servers, wait a week, then patch the production servers. This will allow the application support teams to verify the patching didn't break their applications before being rolled out to the next level. Same for the workstations. Patch the Beta group of users, wait a week and then patch the rest.

Waiting to approve the patches doesn't fix my issue and the GPO only allows for a specific date. Any ideas? Btw: Servers are 2012 R2 and desktops are Windows 10 Pro.



I want that when my application starts, it checks the Application Folder's privileges and changes them to
inherit permissions from the parent Folder down to the Sub Folders and Files it contains.

I tried the following code for C:\Program Folder\MyFolder but got the error "assigning permissions to MyFolder failed".

intRunError = WshShell.Run("%COMSPEC% /c Echo Y| cacls " _
& strHomeFolder & " /e /c /g Domain\User:F ", 2, True)

Hi,

I want to create an administrator account for our helpdesk technician, let's say for example (helpdesk admin).

This user account should be able to pass the authentication security wizard (which asks for the administrator password for computers joined to the domain) when installing new software or applications, and in addition to this be able to join users to the domain.

But this account should not be able to log on to the servers or have any other privileges.

Please advise Step-by-Step

Looking for help on logging into Windows XP with a Magnetic Stripe Card.

I am applying advanced firewall settings through a GPO, but other than actually looking at the firewall settings on the target systems I cannot view the settings by using rsop.msc, gpedit.msc, etc. I even tried secpol and attempted to find the appropriate netsh advfirewall command to view settings, with no luck. Any tricks or workarounds?

I've been tasked to help recover data from a Windows 10 PC where an elderly user allowed remote access to a scammer.

So far I've had the owner of the machine turn off the machine and reset his important passwords from another machine.

I'm planning to reinstall Windows on it from scratch.

Before I do that, I'm planning to try to recover personal data. I suppose there is a chance some or all of it has been encrypted with a bitlocker type tool, or at least some files are likely to be infected. I intend to get access to the files by booting up with a Linux Mint live DVD, since I'm familiar with Mint.

Q1. Is it going to be reasonably safe to start the PC up without running Windows and try to boot up from DVD (or maybe USB) into Linux Mint?

Q2. I think this machine predates secure boot technology, but I'm not sure what the implications of that are, other than that there is a risk the boot loader has been replaced perhaps? How would I deal with this?

Q3. Would it be safe to add the HDD into my own machine (which is dual boot Windows 10/Linux Mint machine, though I'd use Mint) and access the data that way, provided that I don't open any files? That would probably be quicker than a Mint live DVD. Obviously I wouldn't boot from the compromised disk.

Hi all,

I have installed Tectia client on two client machines installed with Windows 2008 R2. Tectia client comes with an executable scpg3.exe to copy file to a remote host securely.

I am using the public key method for authentication. I notice that on machine A the file copy to a remote host server with SFTP server installed takes around 3 seconds to complete

On another machine B, I have tried the file copy to the same remote host server (using the same file), and it takes a much longer time to complete (~10 seconds). It seems that the authentication takes around ~8 seconds from machine B.

Please advise the possible causes. Thanks.

