OS Security





Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.


Attached is a list of *strut* files that are present on our UNIX servers.
I was told by our app staff that we are on a very old (& likely vulnerable) Struts.

Which lines mean we have Struts on our server, and which are the files that we can remove
to fix our vulnerability? I was told by the app staff that he doesn't need Struts but
will need to identify which specific Struts files to remove.
Acronis Global Cyber Summit 2019 in Miami

The Acronis Global Cyber Summit 2019 will be held at the Fontainebleau Miami Beach Resort on October 13–16, 2019, and it promises to be the must-attend event for IT infrastructure managers, CIOs, service providers, value-added resellers, ISVs, and developers.

Now that MBSA has been retired, one of its really useful functions, I found, was to produce a useful table of share and directory permissions. It gave share, directory, share ACL and directory ACL in a well-formatted table for further investigation to ensure permissions were relevant. Although it still works (if you can find the download) on older OSes, I am trying to find replacement tools or scripts to achieve the same. Does anyone know of any free tools and/or scripts that can recreate the same data that the MBSA shares check used to produce, which can either be run remotely or run locally on the server being reviewed (preferably remotely, like MBSA could)? If the results could go to CSV, that would be ideal for further data analysis on the configurations.
Got an audit finding that our Firebird SQL / DB is not hardened.

CIS doesn't have such a guide & googling only gives a 1-liner page:

Anywhere else anyone can point me to?

Browsed the OWASP site & it seems like the OWASP API Security guide or checklist
was just initiated in Dec '18:

a) Did I miss it, or is there already a guide that has been released? Can you
    point me to it? The above link only gives a table of contents; is there
    a full guide?

b) If it's not released yet, perhaps you can point me to a full guide on API
Can anyone provide step-by-step instructions on how to compile & 'make'
a fully usable ClamAV on Solaris 10 (x86)?

A minor engine update was released for Linux with source code, but the package
is only available for Linux, not Solaris.
I am configuring a new wireless system and I am preparing for the cut-over process.  The new Wireless has 'hidden ssids' and these SSIDs are different from the production SSID names on the older system.  

For example, the older WiFi used in production:
Employee Corporate WiFi = CWIFI
Guest WiFi = CGUEST
Corp. Printer WiFi = CPRINT

The new Wireless system has:
Employee Corporate WiFi = CWIFI-Test
Guest WiFi = CGUEST-Test
Corp. Printer WiFi = CPRINT-Test

I am planning to cut-over to the new system by turning off the older WiFi controllers and Access Points and then un-hide the new Wireless system SSIDs.  The plan is to use the same naming scheme in the new system that was used in the older system. Hopefully the users will not be confused.

With a few 'printers' and other 'devices' (not laptops) there was no need to 'forget' / 'Remove' the older SSID and then try to login via the new system; but, those specific SSIDs used a Pre-Shared Key(Corp. Printer).  I am wondering if the laptops will need to 'forget' the previous SSIDs in order to use the new system seamlessly?

The Employee WiFi is using 802.1X with RADIUS servers using Network Policy Server registered in Active Directory.

The Guest WiFi is using a captive portal where the users will be using a username/password.

Any thoughts?
Hi Team,

I have an issue with logging in to a user account in Windows 10. When I try to log in to an account, it shows an error message like:

"The User Profile Service failed the sign-in. User profile cannot be loaded."

I tried the regedit method and I still can't log in.

Any suggestions?

Hello Experts
I would like to collect the following Threat Artifacts from a compromised Windows System:
  • CPU
  • Routing-, ARP- & Process tables
  • Memory
  • Temporary files
  • Relevant data from storage media
What would you collect? Is there any best practice from NIST or anywhere else?
Thanks a lot
Hello Experts
For our Security Operations Center (SOC), we are searching for a tool that can collect “Threat Artifacts”. When I worked with McAfee in the past, they used GetSusp to collect information about undetected malware on their computer.
We are searching for a similar tool that we can use in the network to collect information remotely. What would you recommend us? It would be nice, if the tool would work on Windows & Linux, albeit this is not a must.
Thanks a lot
Refer to the attached TrendMicro InterScan proxy VM (a custom Linux)
that shows a spurious memory shortage.

Have allocated 32GB to the VM & with only 2 users accessing, already
getting these memory messages : plan to roll out to 500 users.

What can be done to address this? Increase swap space or RAM?
Or is there something to tune? Hopefully we don't have to switch to
another type of proxy.

As this is a bundled free product, quite difficult to get support.

Btw, what's the default root password when it's first set up?
C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

I am looking to restrict a user from using removable drives on their laptops. This can be accomplished with a local GP, but I am wondering if there is a way to apply the policy, or do it in a different way, so I can apply it only to standard users [or a specific user] and not to admin users.

Also, I would like to lock booting from USB if possible, so they cannot remove or change their password.

Windows 10 not joined domain
Don't see such a benchmark guide at the CIS site.
Can anyone share/point me to one?
In regards to Kerberos authentication, what is the risk if a 3rd party obtains the keytab file that was uploaded to a system that is doing kerberos proxy authentication?

Would they be able to obtain the kerberos account's password?
I have a 2012 R2 based domain. We are now using 2012 R2 servers as clients. All functions are maintained through GPO. Everything was working up to recently. If a domain user with RDP access needs his password reset, then either the administrator or a domain admin resets it and provides the temporary password. That domain user then logs in, and as soon as he makes the change to his password the GUI goes away. He then attempts to log in again with the NEW password and it rejects it. This is repeatable. Some initial troubleshooting pointed towards some Windows patches that could cause this. I took some steps in removing these patches and nothing changed. I re-installed the patches.

We have 2400 local site personnel that use these devices locally. We have 100 "super" ETs that log in to these 2012 R2 clients and help the local site personnel or remotely fix something. So again everything works except if someone forgets their password.

If I (as admin) log in from my desktop (Windows 7), I reset the password for one of these accounts. I then log in to the 2012 R2 client and make a new password; it then switches over to the normal login and the new password works. So this problem only occurs if originated from the 2012 R2 client. Help!?
In the years (possibly more than 5-7 yrs ago) before PAMS (Privileged Access Mgmt Systems) became popular,
there were recommendations to use 2FA when sysadmins log in to critical servers like Domain Controllers:
one is an AD or local account plus an OTP.

With PAMS (CyberArk, BeyondTrust, TPAM, Thycotic) coming out, admin/privileged access is controlled
using PAMS.

Will PAMS still work with 2FA on the servers/DC? I.e. the sysadmin requests access, gets approved, logs in to the
PAM to click on a link that will ssh/access into the servers/DC: if the server end prompts for the OTP
(the 1st FA is the password that PAMS sent over), I guess the sysadmin can just key in the OTP & will still log in.

With PAMS in place, is it still a practice to implement 2FA at the servers/DC end?
Or do we just implement 2FA at the PAMS end (i.e. requestors & approvers have to use 2FA
to log in to the PAMS portal)? Which is best practice: 2FA at the servers end, 2FA at PAMS, or both?
We prefer not to do application whitelisting on our RHEL and Solaris due to fears of service disruption.

What alternative mitigations can we implement?
Our RHEL servers have no access to Internet, so I download the packages & install at command line.

Refer to attached errors after I've installed the following with no error:

cd /var/tmp/clam
rpm -ivh ./clamav-filesystem-0.101.1-1.el7.noarch.rpm
rpm -ivh ./clamav-data-0.101.1-1.el7.noarch.rpm
rpm -ivh ./libpcre2-8-0-10.32-3.1.x86_64.rpm
rpm -ivh ./clamav-lib-0.101.1-1.el7.x86_64.rpm
rpm -ivh ./clamav-0.101.1-1.el7.x86_64.rpm
rpm -ivh ./clamav-scanner-systemd-0.101.1-1.el7.x86_64.rpm
rpm -ivh ./clamav-server-systemd-0.101.1-1.el7.x86_64.rpm
rpm -ivh ./clamav-unofficial-sigs-5.6.2-3.el7.noarch.rpm
rpm -ivh ./clamav-update-0.101.1-1.el7.x86_64.rpm
rpm -ivh ./clamd-0.101.1-1.el7.x86_64.rpm

What did I miss, such that the file clamd can't be found anywhere on the RHEL7 server?
We'll then work on the PrivateMirror freshclam error after we fix the missing clamd first.

Further attempts:
[root@pjwcsd01 /]# systemctl enable clamd.service
Failed to execute operation: Access denied
[root@pjwcsd01 /]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@pjwcsd01 /]# systemctl enable clamd.service
Failed to execute operation: Access denied
[root@pjwcsd01 ~]# systemctl enable clamd@scan.service
Created symlink from /etc/systemd/system/multi-user.target.wants/clamd@scan.service to /usr/lib/systemd/system/clamd@scan.service.
[root@pjwcsd01 ~]# systemctl start clamd.service
Failed to start …
Does anyone know the difference between a 4647 logoff event and a 4634 logoff event in security.evtx on a Windows 7 machine joined to an AD domain? E.g. 4647 seems to trigger when I genuinely log out myself, but then it creates a batch of 4634 events also; what exactly triggers these? And also, does a lock (CTRL/ALT/DELETE, lock this computer) generate a logoff, or another event altogether? It looks like 4647 are the user-initiated logoffs, and who knows what triggers the 4634, but they seem to follow an initial 4647.

There also seem to be a number of logon events, e.g. 4625, 4624, 4628. An insight into what each represents, and what generates each, e.g. the user or another process, would be interesting. In case it is of any relevance, the machine is Windows 7 Enterprise.

I just did a test: lock my machine, then log back in. The first event is a process creation, then I get 14 random events, which end with logoff 4634 events x2??! In the middle there is a mix of logon (4624), special logon (4672) and logoff (4634), and not in any sort of logical order. It looks like a lock of the machine generates a 4688 process creation, and then it creates a random mismatch of logon, logon, logon, special logon, logoff, logoff, logon, logon, logon, special logon, logoff, logoff.
Do any of the Windows or other event logs (or any other file or artefact for that matter) on a Windows machine capture what networks/WiFis a machine connects to? And/or the IP address assigned to a machine at a given time (which in this case won't be that issued by our network, as it was 'off site' work)?
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during 2017, another big threat started appearing at the same time that didn't get the same coverage: illicit cryptomining.

I have vendors who host their services in MS Azure & AWS.

As the IT Security governance/compliance person, under what circumstances
should I request that the vendors show me that the cloud's penetration/vulnerability
scan, ISO27017/8 and SOC2 reports are still valid & patching/AV are up to date?
Regardless of whether the services offered to my organization are SaaS, IaaS or PaaS?

Does the ISO or SOC2 report, or which reports, cover (i.e. certify) that the
cloud service provider has patching/antivirus up to date and penetration/VA
findings remediated?

If the vendors ask me to just refer to the reports available for Azure below:
is that sufficient, or should I still insist on the actual penetration/VA scan
reports & SOC2 reports (which I guess is for more sensitive SaaS services
like payroll & credit card systems)?

For less-sensitive systems (that don't contain PII), like transportation
tracking & asset management systems, which reports suffice?
I'm exploring if Rapid7 can be used to track patch status (what patches are applied on which dates
& which ones have been released but are yet to be applied) of our Solaris, RHEL 6/7 & Windows servers,
as well as configuring it to do a weekly scan of CIS hardenings (including for Cisco switches/routers).

Any document/materials on how to configure to check for patch status & CIS hardenings are
much appreciated.
I understand that CyberArk (a PAM) & TPAM (another PAM product)
require the following settings on Solaris servers:

PermitRootLogin = yes  (though the CIS benchmark recommends "no")   for the SSH setting
minweeks = 0  for the min period before a password can be changed (though CIS recommends minweeks=1)

Any other requirements by CyberArk? Are the following required to be 0?
  ndd -get /dev/ip ip_strict_dst_multihoming
  ndd -get /dev/ip ip6_strict_dst_multihoming
Token Based Authentication and the .NET Stack

What can you tell me about the built-in capabilities of the .NET stack to use token-based authentication, and also about token-based authentication in general?
Has anyone used ColorTokens https://colortokens.com/ ?
What do they do exactly, and what do they do for data center and endpoint security?
Greetings! I have well over 15 years in the I.T. world, specifically working with servers & workstations. I am considering branching out to another field in the I.T. world, specifically Cyber Security. I have minimal I.T. Security related experience and knowledge.
Q4U: What Cyber Security certification would be ideal for a novice like me?
There are so many, and I would like to focus on the one that will open the doors to that side of the I.T. world.
Thank you in advance!
