OS Security

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

We have been working with 7-Zip for some time; as a matter of fact it was recommended by EE. We use it for large compressions and complex, long password-protected files. Today in a meeting we were informed that 7-Zip can be hacked. We didn't believe it until the person ran an app and unzipped one of our supposedly secure 7-Zip files. So our question is: which compression app is the least likely to be hacked (WinZip, WinRAR, etc.)? Which one can we trust? Are the oldies WinZip & WinRAR also hacked?

Hi All,

I have recently enabled AD auditing at the domain level in my org to monitor activity. I have enabled the following options under Computer Configuration ---> Windows Settings ---> Security Settings ---> Advanced Audit Policy ---> Audit Policies:

1. DS: Audit Directory Service Changes
2. Audit Computer Account Management
3. Audit Distribution Group Management
4. Audit Security Group Management

and a couple of other options. I have created a custom view in Event Viewer to record the security events for this. But unfortunately I can see that for the last few days nothing has been recorded for event IDs 4728, 4729 and so on, which worries me that I am missing some key steps to enable this.

Please can anyone help and guide me on best practice to enable AD auditing and record it in Event Viewer for auditing, and how I can set it up to record the Security and Application event logs on a different drive or location.

SCCM and some Windows management tools make use of the Windows SYSTEM account mentioned above.

Is it considered an interactive or non-interactive account, since it has no user profile (unlike Administrator)?

Can we set a password for SYSTEM? Or does it have an unknown password?

When using the tools (possibly PsExec & SCCM) to get to a command prompt on the managed endpoint, are the activities (i.e. when the command prompt is spawned, mapping of drives using 'net use ...' or sharing of drives using 'net share ...') being logged in Windows Event Viewer logs?

We use Horizon View to manage virtual desktops.

If we have virtual desktops (VDs) of different sensitivity/criticality levels, what are the measures we can take to segregate VDs of different functionalities/sensitivities? We can always grant a different VLAN/segment for each group with no inter-VLAN routing among them, but is there more that can be done?

I've seen cases where sysadmins assign vNICs (for DMZ & backend zones) to a VM, thus bypassing firewalls. Other than educating sysadmins, is there anything we can control in Horizon View to prevent such rogue permissioning?

I guess Horizon View's event logs can be forwarded to a SIEM, or could they not?

We have various groups of PCs that are dedicated to accessing different applications/systems & are being audited from time to time.

One common item the auditors look for is whether USB is blocked: we use a DLP tool to block it, & just showing in the DLP console that there's a policy being applied is not good enough.

Instead of being physically present (as we have close to 30 different locations/offices), we can "remote desktop" to all the PCs using a central PC management tool. However, is there a tool/software to simulate a thumb drive being inserted into a USB port, so we can then launch Windows Explorer to show there's no new drive being detected/mounted? It is not feasible to get IT staff (or even users, as the users usually don't have a USB drive on hand, knowing that the USB ports have been blocked) to travel there to insert a USB drive to test.

We also wanted to have the ability to simulate this, as there have been cases where the DLP policy was applied but did not work.

We require our staff to use MobileIron MDM and read their corporate emails using MobileIron's Email+ (a secure email client by MI).

Several staff read Bloomberg's BFW (Bloomberg First W) news, which is not in http nor https format but bbs format, which MI can't load, though this could load in the Apple iOS partition.

Does Bloomberg offer http or https instead of bbs? It's the trading staff who subscribe, so I don't have Bloomberg's support.

We have logged a case with MI & MI acknowledged they can't support bbs. Bloomberg is supposed to be used globally, so how is it that MI can't support it? Any workaround?

We had an internal debate on fulfilling an auditor's requirement for a batch of critical PCs (that are used for critical processing): the audit requires that login activities to the built-in local administrator (which we had renamed) need to be reviewed regularly by another team (it's used by the End User Support team on rare occasions only, when a PC has lost network connectivity to a central management tool like SCCM).

As a security person, I find it unsustainable to regularly review each time the local admin is used to log in, & Audit agrees that if we disable it, then review is not needed.

Somehow, there's a way to tweak it (by replacing a binary with cmd.exe) to boot up the PC in Safe Mode so that we can get to a command prompt to re-enable it for recovery only (I deem that simply for recovery of a 'disconnected PC' it doesn't need review).

There are debates raised internally:

a) Is disabling local admin a more secure practice than reviewing the activities (which I felt no organization has the resources for, i.e. a compliance person to follow up each time a login to the local admin is used)? Which of the two is more practical?

b) Another proposal is to install Splunk agents on these critical PCs to pipe their events to Splunk, so the events of using local admins are sort of 'monitored' by

c) Is disabling local admin considered a bad / unsustainable practice? Any articles to support disabling or against it are appreciated.

I am looking into the CIS/SANS Top 20 security controls, which recommend enterprises "Deploy Automated Operating System Patch Management Tools" (and likewise for applications). When you push out updates via System Center/WSUS, what exactly needs to be on the end user devices (workstation/server) to receive the updates? Do specific patch management tools need installing on the machines? If so, can details be provided? I appreciate such tools may be required for non-Microsoft OSes and software, but I had never heard of such a tool being required when WSUS/SCCM is pushing out the updates.

We have a request from the applications team to grant their non-privileged Solaris and AIX IDs the ability to execute their shell scripts (which contain lines to run binaries):
  sudo /gl/_ctron_/start1292
  sudo /gl/_ctron_/start1291

Is there any way not to grant them sudo & root and yet still allow them to stop/start the services? Or if we grant sudo, can we restrict them to run only those specific scripts, so their sudo can't do anything else?

Is there any way we can use SGID or SUID sticky bits to grant them this without giving them root/sudo privileges?

Users are requesting AutoIt to automate their tasks (mouse clicks, repetitive keystrokes etc.), but I have concerns like what's listed in the link above.

What are the mitigations we can put in place to balance work productivity & IT security risks?

Are the following valid mitigations?

1. Air-gap those PCs running AutoIt, namely remove Internet access & email access, as these two are the top vectors of malware. Users told me they don't need these 2 functions on the PCs running AutoIt, but the AutoIt programmer wants it on his PC as he doesn't want to switch around between PCs when developing AutoIt scripts & using email/Internet.

2. I heard we can compile the scripts & then uninstall AutoIt: so if a hacker got into the PC, he can't develop keyloggers/malicious scripts (that capture credentials). The programmer felt this is restrictive, but as a workaround, I heard we can create a config file for the scripts to read in parameters/variables to give more flexibility or options for the scripts to operate: is this so? Is this a good mitigation?

Please add on any further mitigations.

I've heard of VB & Java scripts being risks: are they of a similar nature to the risks of AutoIt?

When accessing our servers it states "my" account is locked out. I ran Netwrix Account Lockout Examiner and it shows me locked out. How do I find out exactly "why" or "what" is locking me out?

I have other accounts I can log on as to run the tests.

What are the steps or processes I can follow to run a Windows 10 program under the system context?

We have a SonicWall TZ600. A manager wants to know, in easy-to-understand terms, what security benefits the firewall is providing us. Can someone help me word something that would be understandable? I am new to SonicWall. We were using a Cisco ASA.

PCI compliance failed.

Hi there experts,

A customer asked me to look at why their PCI scan failed. The failing row shows TLS v1.0, the public IP address, and port 3389. Evidently it failed because of TLSv1, but I can't find the source of it. At first I thought port forwarding was enabled on the router, but that was not the case; then I checked to see if the server we added months ago had RDP enabled, and it didn't. I then ran an nmap scan, and 3389 is not open on any host. My hypothesis is that a host (maybe a laptop) with RDP enabled was connected to the network at the time of the scan, but they told me that was not the case. I scheduled another scan, but it won't run until tomorrow...

Has anyone dealt with something like this before? Can the scan show TLS v1 on a port that's not enabled?

I am preparing to patch multiple 2012 R2 servers in multiple offline networks that haven't been patched in over 2 years, so I am trying to get an understanding of the expected behavior during the installation process. If I use the settings I have defined below, will the servers just keep downloading and installing updates until they are fully patched, or is there an interval that starts when you schedule the maintenance and stops after a certain period of time? Let's say there are 200 patches needed on Server A, they have all been approved in WSUS, and I schedule the installation as defined below... will Server A keep downloading and installing even if it takes until Sunday?

Use option #4 – Auto download and schedule the install
Deselect “Install during automatic maintenance”
Set “6 – Every Friday” for the scheduled install day
Set “17:00” for the scheduled install time

Audit wanted me to simulate a High severity event, of which we have only a few, such as a successful brute force, a true DDoS (not sure what the bandwidth is) & compromised network/firewall devices that lead to an operations outage.

This is to see if the SOC responds within SLA (from the Splunk alert, which currently covers Prod servers/devices) & how fast we mitigate it.

I think the easiest is to
a) install a brute force password cracker
b) create a local account not subject to GPO (e.g. the password doesn't get locked despite the number of failed attempts, with a simple password) on a non-critical Prod server

Any freeware tool on Windows that does brute force for Windows that anyone can recommend? SIPVicious, or is there a free L0phtCrack?

Unable to log in to Windows 8.1 Pro using a Microsoft connected account.
The user has somehow set up login to try and use the email account as the user name, i.e. joe@xyz.com, which is an Exchange service hosted on Office 365.

I can log in through the portal with the user name and password, but the user's computer says incorrect password when I try to log in locally.

If I try to change the password in Admin Tools > Users, it says "The system is not authoritative for the specified account."
Any ideas?

Does Norton go after viruses?
Malwarebytes goes after malware.

Do I need both?

I would like to take an image backup (sort of a bare-metal backup, which is built into Win2008 R2 & Win 2012).

For a laptop / PC with an encrypted HDD (we use McAfee to encrypt), can we "Create a Windows System Image" & still restore it?

If it's booted from a CD, we can't take a backup of an encrypted HDD, but what if it's in a fully booted up state?

If the backup can't be used to do a good restore, what's the alternative?

If we can take a backup of an encrypted HDD (when Windows is fully booted up), doesn't this defeat the purpose of encrypting the HDD?
Or is encryption only meant to protect the data on the HDD when Windows is locked or prior to Pre-Boot Authentication?

Sorry, I guess I could answer this myself with a little effort, but I haven't had the time to boot off a thumb drive or similar...

I enabled BitLocker on Win 10 Pro. My first dealings with BitLocker. In Settings > Manage BitLocker it says that BitLocker is on.

Booting up is the same as before: Windows splash screen, then the normal Windows login screen.

Uh, I thought there'd be something before that to unlock the drive? Years ago with some 3rd party thing, you'd get a screen asking for a password before Windows would start.

Because this is MS software, that's not the case?

Windows boots enough to ask for a password. If that fails, you won't get anywhere? If I boot from a thumb drive / Linux / etc., I'll see gibberish? (other than maybe the Windows directory?)

And I've done that hack of renaming utilman.exe with cmd.exe to be able to get to a DOS prompt to get into a computer we're locked out of. Same thing: if I did that, most all of the C drive will be gibberish / not readable? But yeah, I guess you want to rename utilman.exe back to normal again, otherwise someone could make an admin account and be able to log in? And then by extension.... say I lost this laptop. Someone boots from USB, does the utilman / cmd change, creates a user... then they get to all the hard drive data? Or at least is my c:\user folder still locked? Even with Linux ignoring NTFS permissions?

Going through the daily logs on 12 servers is becoming too cumbersome. I'm working with a small domain including remote offices of about 50 users and less than 100 devices, mostly Windows clients. I'm looking for a way to aggregate the logs and filter for the items that I need to monitor, not the entries that I know I can ignore. Small business = small budget, so my options are somewhat limited and I really don't have the time or energy to implement an enterprise-class solution that requires 6 months of training just to understand. So with that said, what are your suggestions?

I am looking at a Windows 2012 IIS server and I see a certificate WMSvc-myiisserver that has an expiration date of 1/20/2015 and is using SHA1.

I do not recall ever deploying that certificate on the server.

Would someone advise if that cert is always there by default? Where do I go to see the vendor of that certificate?

Please see the attached.

Running an encrypted laptop which can't handle some Windows Updates. How can I disable the nag screens until I decrypt the drive to install updates?

Or even better, is there a way to apply major Windows 10 updates without decrypting? Using VeraCrypt.


Hello, I'm looking at putting in my first firewall. I'm looking for a good option for a municipality. If someone could help me out with this it would be great. Like I said, this is my first and I don't have any experience in it at all! Thanks.

In a cyber security training, the trainer/consultant from the UK recommended to my colleague (I did not attend the training) to use MS Sysinternals.

Our role is to capture the evidence/artefacts using Sysinternals.

a) An End User IT Support person told me that Sysinternals is not supported by MS; it's given as-is for use. The concern is: has MS been updating the version of Sysinternals for use on Win 7, 8, 10 and Win 2008 R2, Win 2012 R2, Win 2016, so that it can be run / used on these versions of Windows (both 32-bit Win7 as well as 64-bit Windows)? I felt that if Sysinternals could run & capture evidence/artefacts on these platforms/versions of Windows, it's good enough, or is there any concern since MS is not supporting it? We do have an MS Premier support contract including MS Security escalation, so I guess MS will still analyse dumps captured using Sysinternals, or won't MS do it?

b) Our role is to capture the evidence/artefacts in the event of compromises/attacks & we'll engage external forensics experts to analyse. Which of the tools/components in Sysinternals offer this capturing? Will need to elaborate a bit for this one. For example, for "Process Explorer", we can select the specific process & "Create Full Dump", or take its hash & submit it to VirusTotal to see if any of the 60+ security products in VirusTotal reported the hash as malicious.
