OS Security

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

I was asked in an interview where you get IT security info regarding IT security. I drew a blank since I only know a couple of CVE websites. What would be a proper answer and where should I be looking?

Can anyone share a sample of the full contents of recommended / hardened settings
for postgresql.conf?

What's indicated in the CIS benchmark for PostgreSQL 10 is unclear & in bits & pieces;
some of the extracts from the benchmark are posted below:

- configuration file enumerates all tunable parameters and even though most of them are
commented out it is understood that they are in fact active and at those very same
documented values.

- shared_preload_libraries = 'pgaudit'
shared_preload_libraries = 'pgaudit,somethingelse'

- $ vi ~postgres/10/data/postgresql.conf
# load set_user libs before anything else
shared_preload_libraries = 'set_user, other_libs'

Part of bundled O365, we get ActiveSync MDM that could do a remote
wipe of our corporate phones. However, we found that this remote
wipe for 'full wipe' (ie mailbox plus the phone OS) doesn't wipe
the OS of certain Android phones but only the mailbox, on which Audit
gave a finding: it's desired to wipe the entire phone.

We logged a case through the reseller (understand the reseller further logs with
MS) but did not get any reply, thus enquiring here:

Is there a list of published phone models that MS ActiveSync
supports for 'full remote wipe'?

Is this specific to a particular Android version, or does it sound more
like hardware specific/dependent?

Any other workarounds other than training staff not to export
their emails out of the phone or take screenshots to save in
the phone?
I would like to scan 600 PCs & 30 servers that are joined to our AD for
files with a certain hash (given by our threat intel). Sometimes
we can get hundreds of IOC hashes (the last one was 700+) in 1 day.

However, using Trend Micro EDR, it's getting very inefficient as
we have to use the Mandiant IOC converter to convert one hash at
a time to be appended to a .ioc file that looks like below.

So I'm looking for free solutions that either can scan all the AD
endpoints for the presence of a hash (I currently have batch scripts
that could scan each time a user logs on to a PC for registry key
IOCs), but the MS fciv tool can't possibly rescan all those millions of
files (as this could slow down the login by users) & store their
hashes, or I'll need something better than the Mandiant IOC
converter that could read in the entire batch of hashes.

That xxx.ioc file contains the following:

<?xml version="1.0" encoding="US-ASCII"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" last-modified="2019-07-25T03:02:52" id="2146113a-1513-4be6-b07e-f43969847a6a" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Indicator id="a1c825b0-ae7f-4461-85dd-25a20720acac" operator="OR">          <== this value is given by the converter
<IndicatorItem id="333cd85e-637e-4889-b68a-a5f54e1e8d40" condition="is">   <== this value…

I have the following network and wanted to get your opinion, from a security/network point of view, as to what is wrong and what to do about it.

What are some services or applications that would be recommended to MSSPs so that they can have 2FA on their Windows logins and their domains? That way we can provide an extra level of security to ourselves and our clients.
We've started doing some pen testing in our environment with Kali Linux and utilizing Metasploit as well. Since this is an internal test, we are going with a segmentation approach, but I wanted to know what would also be recommended for our small company. We have less than 1k users and smaller sites. We're also planning on visiting the sites and doing site surveys in the near future.

Thanks for your thoughts and suggestions.

What are some security protocols that a company should take as far as daily checks related to security? Trying to create a template for my company and was curious what would be suggested protocols to run every day, weekly, monthly, bi-monthly?

We presently have a small SOC group, a total of 4 people, and we run various security tools both to monitor and react as well as for PCI compliance. Some of the tools we utilize are Palo Alto, ADAudit Plus, Cisco AMP machines and SCEP for servers, SCCM, Sourcefire, Tripwire, and we use SecureWorks for alerting us on potential threats. We do run some things on the cloud and are looking to move more apps to the cloud in the near future.

I wanted to ask, if money was not an object, what we could utilize and maybe be more secure while at the same time saving money? I was informed that AlienVault is now a big player in this arena. I wanted to hear the pros/cons of selecting AlienVault as well as what my other options are. I've also been told that AI can now do much of the security stuff and Palo Alto has this feature as well.
In general, again, if money was no object, what design would you recommend from a security point of view?

I need a tool for PII and DLP with which the software will scan a FILE and verify if there is PII info. Back in the day, we used a tool that would do this, but I don't recall the name. The software would scan a document and someone would need to allow/deny the request to send the email. Also, there would be a shortcut to send this encrypted email to the receiver.

On the same note, we also need to enable DLP on our Office 365 environment, but presently we only have it set for the Patriot Act and only for the US. We need to enable PII for every country in the world. We understand we'll need to tweak it a bit, but for now we just need to enable it globally.

"Media shared Files and Printing" is the message from Anti-Virus.

Where is the MAC (machine access control), as an ID serial number thing, to be shared out? Is accessing at the VM, host, router or modem?
Can I stop the share?

I am reading this Qualys vulnerability report which says a server has this IE vulnerability. Please see the attached. The server already has the latest Windows updates.

I have applied the latest Windows updates to the server. There are three links under the Exploitability section in the report where the download link to fix the vulnerability is supposed to be available. But it happens that the download link only downloads a txt file.

Someone who has an idea, please advise.

Many thanks.

Hi, I get this error:

Bios update error - phoenix technologies SCT flash ERROR 216 status = 1501

Can't find what the status description is.

I have a Windows Server 2016 computer with two NICs. One NIC is connected to the internal network (192.168.1.x) and the 2nd NIC is directly connected to the public internet and has a public static IP address assigned.
In other words, I can connect to it using the public static IP address with the Remote Desktop Connection program from outside of the network.
When I check the Event Viewer/Security logs, I see a ton of unauthorized login attempts using the "guest" login (which is disabled by default), Owner, Spare, Administrator and popular first names like "Paul", "Michelle" etc., and that is expected. FYI, I have secure passwords for the local administrator and domain administrator accounts.
Is there a way that I can block these hackers' login attempts unless they are coming from a certain IP address or a device with a certain MAC ID?

I have a Windows 8.1 laptop using a Windows account to log in. I reset the password through Windows Live and am able to log in to the site. My laptop will not accept the password. How can I force the laptop to sync with the new password I set online? Is there some way I can enable the admin account and delete or reset the password?

AD non-interactive service account

1. How do these work?
2. Security concerns, if any? Can they get locked out?
3. Do they work with non-Windows platforms, or non-domain-joined machines?

Hello, we have some service techs who need to have admin rights on their machines to run/test specific software. I am just scared they may download/install something malicious.

What is the best control method to contain this?

I'm implementing a new ADFS version -- testing is done by editing the local hosts file. Users run Windows 10. Some users can run Notepad as Administrator, edit C:\Windows\System32\drivers\etc\hosts and save it. Some absolutely cannot. It looks like they should have permissions - based on effective permissions -- but they get a permissions error. We've tried 4 desktops running Windows 10 -- 2 worked easily -- 2 will not work. What's the difference? The user is an Administrator on the computer. We're stumped.
There's a request for a "Change runbook" that documents/records changes from Day 1
so that in the event of bad changes (malicious or inadvertent ones) being introduced
along the line of changes, we can rebuild a server/system back selectively,
dropping the "bad" change so that we can bring up the system to a "clean" slate.

Was told it's not "Change Control" nor CRs that we are looking at here.

I've suggested that a 'bare metal' backup be done with incremental backups (think
EMC has one such product) but this is not what the team requires.

Any documents, tools or methods are much appreciated.

Was told by the CyberArk vendor that the Windows server/VM hosting CyberArk's Vault
should not be hardened, ie leave it as vanilla: during installation, CyberArk will auto-
harden it? Is this the recommended practice?

Can anyone share what hardening CyberArk does on the Vault (ie the CyberArk
DB) server?

For the server running CyberArk's PVWA & CPM, was told a few hardened-off services
must be unhardened for PVWA/CPM to work: can anyone share what these are?

I had this question after viewing Locating ClientCertificate to use in WinHTTP.

Similar question: when using the SetClientCertificate property on a WinHttpRequest, I receive a "Certifcate is required to complete client authentication". The certificate has been created successfully, and appears in the Certificate Store under Console Root -> Certificates (Local Machine) -> Personal -> Certificates.

The Issued To is ABC Certificate, the Friendly Name is ABC.

The parameters I am using are as follows:

myMSXML.SetClientCertificate "LOCAL_MACHINE\\Personal\\ABC"

I've tried ABC Certificate etc., tried putting the certificate in different stores, tried a number of other things, but still get the same message returned.

How did you go with your problem referencing a certificate in the Cert Store?

I am getting the following error message in the event log each time it's restarted.
This is a Windows 2016 Hyper-V host. There are no virtual machines on it yet, this is a brand new install:

Log Name:      System
Source:        Microsoft-Windows-Kernel-Boot
Date:          9/7/2018 7:48:33 AM
Event ID:      124
Task Category: None
Level:         Error
Keywords:      (70368744177664)
User:          SYSTEM
Computer:      HostName.Domain.com
The Virtualization Based Security enablement policy check at phase 0 failed with status: The object was not found.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Kernel-Boot" Guid="{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}" />
    <TimeCreated SystemTime="2018-09-07T12:48:33.163793600Z" />
    <Correlation />
    <Execution ProcessID="4" ThreadID="8" />
    <Security UserID="S-1-5-18" />
    <Data Name="Phase">0</Data>
    <Data Name="Status">3221226021</Data>

I'm running CentOS Linux release 7.4.1708 (Core). The issue is I'm able to log in using local users but not using LDAP users; please help me on this.

I've tried restarting services using the authconfig-tui command, but I'm still getting an authentication failure error for the LDAP user.

Please see the attached doc (ldap issue.docx) and the command output below, and let me know if any other details are required.

[root@server01 log]# cat /etc/openldap/ldap.conf
URI ldap://<ldap servrer ip>:389/
BASE dc=prod,dc=hclpnp,dc=com
[root@server01 log]# getent passwd testuser
[root@server01 log]#

[hubba@servder01 ~]$ su - testuser
su: Authentication failure

[root@server01 log]# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Valid entries include:
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files              …

I have a Cisco Nexus switch (48-port) and wanted to set up the first 24 ports on a VLAN and the next 24 ports on a separate VLAN. How do I do this on a Nexus switch?

I am being asked to track access to log archives or audit trail files in our Windows system environment.  

Would someone advise what that means?  Do I enable this tracking in a group policy or the default domain policy?  
