OS Security

Operating system security (OS security) is the process of ensuring the integrity, confidentiality and availability of an operating system. It covers the specific steps and measures used to protect the OS from threats such as viruses, worms, other malware and remote intrusion. OS security encompasses the preventive controls (authentication, password policy, and the handling of threats to system components and programs) that safeguard any computer asset which could be stolen, modified or deleted if the OS were compromised.

I'm following the instructions on setting up Direct Access on a Server 2016 server using the steps found here.

What steps do I need to follow to "Obtain a server certificate for IP-HTTPS connections, with a subject name that matches the FQDN of the server" (step 3)?

I would like to do this with an internal certification authority.

Please provide me with the exact steps on how to do this.

I use the Microsoft Sysinternals Autologon program within my test network.

Lately, the Autologon program hasn't been automatically logging onto the Hyper-V virtual Server 2016 and Windows 10 computers (with the domain administrator (administrator) account) like it used to.

I have uninstalled the Autologon program, rebooted, and then reinstalled it and retyped the Administrator username and password, but this hasn't fixed the problem.

This Autologon program is only being used within my test environment (which is behind several locked doors and is completely isolated from any production networks).

What can I do to fix this issue so that I can continue to use the Autologon program to automatically log on to these Server 2016 and Windows 10 computers? I need to be able to automatically log in to these computers since they are older and take longer to do things, and so that my testing can be done properly.

The homepage for Autologon is here.

Are 32-bit computers at a higher risk of Anti-Virus, Malware or Ransomware infections?

We have a few left and I need to know if I should trash them ASAP.

I need to know how to create a GPO to deny users the ability to save files to their computer's C: drive and Desktop when they log in to the domain.
The GPO should be applied to the "Computer", not the user's account, to deny access.

They are logging into a Windows 2008 R2 environment, and their computers are Windows 7.

I received advice on another question I posted here that I could do without antivirus in Android:

What is the best anti-virus for Android (paid or unpaid)?

But I don't understand that advice because, from what I've read, Android is the OS for smartphones that is most targeted by hackers.

For example, would I be safe if I download apps from other places than Google Play?

And for using apps like Uber, map apps other than Google Maps, etc., would I be safe without anti-virus?

I work for a small company with roughly 50 users and have been asked to have an outside vendor perform security/vulnerability testing.  We have several servers, ranging from SQL, to Exchange, to Remote Desktop, with a hosted firewall through Windstream.  I thought I would appeal to the Experts in the Experts-Exchange community for advice and/or recommendations for a good vendor that specializes in such things.

I need a Linux boot CD image that will let me reset a local Windows account password. Long ago I used EBCD but I don't think that's a good option these days. I know there are others out there. What's the best one out there? It doesn't have to be free.

Based on a lot of research I did, I found that Windows Defender is doing a pretty good job in the latest protection tests, and it has the benefit over third-party antivirus that it uses fewer resources. Even the browser developers claim that third-party extensions in the browser make it less safe. There are some who will argue that it is much less effective than third-party software, but if you look at the ones who back their conclusions with tests (AV-Test Institute, London-based SE Labs, AV-Comparatives and more), they will say it is doing a pretty good job.
For example
Former Firefox developer Robert O'Callahan says that antivirus software is terrible and you should uninstall your antivirus software immediately, unless you use Microsoft's Windows Defender, which is apparently okay.

A couple of months back, Justin Schuh, Google Chrome's security chief, said that antivirus software is "my single biggest impediment to shipping a secure browser, except for Windows Defender."

Back in December, Google-employed security researcher Tavis Ormandy discovered that the extension adds a large number of new JavaScript APIs to Chrome when it’s installed and that “many of the APIs are broken.” Aside from exposing your entire browsing history to any website you visit, the extension offered many security holes for websites to easily execute arbitrary code on any computer with the extension installed.

“My concern is that your security software is disabling web security for

I am trying to confirm whether SentinelOne Endpoint Protection is a viable replacement for the existing Webroot Endpoint Protection and Malwarebytes Endpoint Protection.  We have been using Webroot/Malwarebytes endpoint clients on our workstations and servers for about four or five years now.  We have not encountered any compromises/issues using these products.   I also need to mention we also use Cisco's Umbrella Roaming Client as well.

We also have a SonicWall TZ500W with Comprehensive Gateway protection.  We never enabled the DPI module because it caused many connection issues accessing credible Court websites, etc.

So now SonicWall is promoting/offering their Capture Client solution, which I am interested in.  I wanted to purchase the SentinelOne client software a couple of years back, but they said I could not make a purchase since the minimum count they could sell is 100.  We only need 25 licenses.  So now that SonicWall offers Capture Client, I want to know if it's feasible to say it would actually replace both the Webroot and Malwarebytes Endpoint products and not just work alongside and complement them.  So, I contacted SentinelOne Sales and they indicate their product serves as a direct replacement.  They also mentioned their clients actually use Capture Client exclusively.

I have concern about a complete replacement solution.  I just want to ensure if we decide to deploy SentinelOne Capture Client as the sole Anti-Virus and Anti-Malware solution it …

Why does the NFSv4 client open an extra port? How do I close it if it is actually useless?

Hello, all,

I'm working with a bunch of Ubuntu (Xenial) servers and need to understand why mounting an NFSv4 share opens a random port on the client side. The port has no associated process and seems to be opened directly by the NFS kernel module. The port is closed if I unmount, and a different one is opened if I remount the share. No traffic ever hits that port, neither when mounting nor afterwards (possibly because the share is read-only).

nmap reports the port (the number ????? changes from time to time, using an apparently random high-range port) as:

?????/tcp open  fmproduct 1-4 (RPC #1073741824)

As far as I remember, NFSv4 does not need a port mapper to work, so I don't really get the point of whatever RPC service is open on the client side. Is that correct?

If the above is correct, does anybody know how to instruct Ubuntu not to open that port?
(Please don't tell me to use the firewall or hosts.deny: I do not want the port to be open in the first place.)

Thanks, all
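The RPC program number in that nmap line, 1073741824, is 0x40000000, the NFSv4 callback program: an NFSv4.0 Linux client listens on its own TCP port so the server can send delegation-recall callbacks, which is why the socket belongs to the kernel and moves on every remount. With NFSv4.1 and later the callback channel rides on the client's existing connection (the session backchannel), so no separate listener is created; the `nfs.callback_tcpport` module parameter only pins the port number, it does not remove the listener. The script below is an added example, not part of the post or of any NFS utility: it parses /proc/mounts (the sample lines are constructed) and reports which NFSv4 mounts are still on minor version 0, the ones that would go away by remounting with `vers=4.1` or newer.

```python
"""Find NFSv4 mounts on minor version 0, the only NFSv4 flavour in which a
Linux client must open its own TCP listener for server callbacks.
Added example; the /proc/mounts lines in SAMPLE_PROC_MOUNTS are constructed."""


def parse_proc_mounts(text):
    """Yield (source, mountpoint, fstype, option-dict) for every mount line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src, mnt, fstype, opts = fields[:4]
        optmap = {}
        for opt in opts.split(","):
            key, _, val = opt.partition("=")   # flags like "rw" get an empty value
            optmap[key] = val
        yield src, mnt, fstype, optmap


def nfs4_minor_version(fstype, opts):
    """Return the NFSv4 minor version of a mount, or None if it is not NFSv4."""
    if fstype not in ("nfs", "nfs4"):
        return None
    vers = opts.get("vers") or opts.get("nfsvers", "")
    if fstype == "nfs4" and not vers:
        vers = "4"                              # fstype nfs4 implies protocol 4
    if not vers.startswith("4"):
        return None                             # NFSv3 has no callback program
    if "." in vers:
        return int(vers.split(".", 1)[1])       # "4.1" -> 1
    # Older kernels spell the minor version as a separate option.
    return int(opts.get("minorversion", "0"))


def mounts_needing_callback_port(text):
    """Mount points whose client side must keep an NFSv4 callback listener open."""
    return [mnt for _, mnt, fstype, opts in parse_proc_mounts(text)
            if nfs4_minor_version(fstype, opts) == 0]


# Constructed sample of /proc/mounts: one v4.0 mount, one v4.1, one v3, plus noise.
SAMPLE_PROC_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
nas1:/export/ro /mnt/ro nfs4 ro,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.5,local_lock=none,addr=10.0.0.1 0 0
nas1:/export/data /mnt/data nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.5,local_lock=none,addr=10.0.0.1 0 0
nas2:/legacy /mnt/legacy nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.0.0.2,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=10.0.0.2 0 0
"""

if __name__ == "__main__":
    for mnt in mounts_needing_callback_port(SAMPLE_PROC_MOUNTS):
        print(f"{mnt}: NFSv4.0 mount, client callback listener present; "
              f"remount with vers=4.1 or newer to drop it")
```

On a real host replace the sample with `open("/proc/mounts").read()`; the v3 mount is deliberately not reported because its extra client ports (lockd/statd) are a different mechanism from the v4.0 callback server.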

I have an issue where I'm sure someone is hacking our network, specifically four machines.  I have witnessed them going into my home folder and deleting my trash on these machines.  They are also able to change the camera settings.  For example, they're zooming in to locations.  They are doing playback.  This all happens between the hours of 12am-2am.

I'm using:
Windows 10
Palo Alto Networks
Security Camera Milestone software.  https://www.milestonesys.com
The cameras are made by Mobitics.

What I've narrowed it down to is this happens when the security camera milestone software is up and running on the four machines.  When I turn that software off there's no connectivity or suspicious things going on.

What I need to know is how do I find out who is doing this?  How can I get an IP address?  Are they inside my network or outside my network?

I would even appreciate a recommendation of a security company that knows how to track intruders down.

I've checked the parking lot and areas of the campus to see if someone is physically here, but I don't see anyone.  I've also contacted Milestone software and they've recommended I change my password and the camera's password, but we are still having an issue.

I have a requirement to block only 3 TCP ports on 50 PCs (in 25 branch offices):
these PCs run a stripped-down DB2 service & I only want PCs in the same subnet
to connect to it.  The TCP ports are 523, 8000, 50000.

We would like to use McAfee Endpoint Security (ver 10.5) to do this blocking.
Can someone give me step-by-step (screen-by-screen) instructions to do this?

These 25 branches are in /24 subnets (with their default gateway 10.2.X.1):
  /24  ==> permit only 10.2.2.X to connect to its 3 ports above (incoming TCP)
  /24  ==> permit only 10.2.3.X to connect to its 3 ports above (incoming TCP)
  . . .
  /24  ==> permit only 10.2.27.X to connect to its 3 ports above (incoming TCP)

Using Windows 7 Firewall is not an option for us (for some reason).

In one apps project, they requested to use NFS (Network File Share) on Solaris:
My concern is
a) unlike Windows, which can have Windows Firewall to restrict who can access the NFS share
    (i.e. an endpoint firewall), Solaris is not known to have its own endpoint firewall
b) NFS traffic is not encrypted, correct?
c) NFS authentication is weak?  Please elaborate in what way.

What are the mitigations we can put in place if the apps team still wants it?

We have been working with 7-Zip for some time; as a matter of fact it was recommended by EE. We use it for large compression and complex, long password-protected files.  Today in a meeting we were informed that 7-Zip can be hacked.  We didn't believe it until the person ran an app and unzipped one of our supposedly secure 7-Zip files.  So our question is: which compression app is least likely to be hacked (WinZip, WinRAR, etc.)? Which one can we trust? Are the oldies WinZip & WinRAR also hacked?

Hi All,

I have recently enabled AD auditing at domain level in my org to monitor the activity. I have enabled the following options under Computer Configuration ---> Windows Settings ---> Security Settings ---> Advanced Audit Policy ---> Audit Policies.

1- DS -- Audit Directory Service Changes.
2- Audit Computer Account Management
3- Audit Distribution Group Management
4- Audit Security Group Management.
and a couple of other options. I have created the custom view to record the security events for this. But unfortunately I can see that for the last few days nothing is recorded for event ID 4728, 4729 and so on, which worries me that I am missing some key steps to enable this.

Please can anyone help and guide me on the best practice to enable AD auditing and record it in Event Viewer for auditing, and how I can set up to record the Security and Application event logs on a different drive or location.
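Events 4728/4729 (and their local and universal group siblings 4732/4733 and 4756/4757) come from the Audit Security Group Management subcategory and are written to the Security log of the domain controller that processed the change, not replicated to the others; so the subcategory has to be in effect on the DCs (`auditpol /get /category:*` on each DC shows the effective setting, and a GPO linked to the Domain Controllers OU overrides a domain-linked one for the same setting) and every DC has to be collected. The script below is an added example, not part of the post: it pulls those events out of exported XML records (the three records are constructed to mimic Event Viewer's XML view) and flags changes to high-value groups; the group list is an assumption.

```python
"""Extract group-membership changes from Windows Security log XML records.
Added example; SAMPLE_RECORDS are constructed, not real log exports."""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Event IDs produced by the Audit Security Group Management subcategory.
GROUP_EVENTS = {
    4728: "member added to global group",
    4729: "member removed from global group",
    4732: "member added to local group",
    4733: "member removed from local group",
    4756: "member added to universal group",
    4757: "member removed from universal group",
}

# Groups that deserve an alert rather than a periodic review (assumed list).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse_group_event(xml_text):
    """Summarise one record as a dict, or return None for any non-group event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id not in GROUP_EVENTS:
        return None
    # EventData carries <Data Name="..."> elements; the names below are the
    # ones these events actually use (Subject* = who did it, Target* = the group).
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "logged_on": root.findtext("e:System/e:Computer", namespaces=NS),
        "event_id": event_id,
        "action": GROUP_EVENTS[event_id],
        "actor": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "group": data.get("TargetUserName", ""),
        "member": data.get("MemberName", ""),   # distinguished name of the member
        "sensitive": data.get("TargetUserName", "") in SENSITIVE_GROUPS,
    }


def group_changes(records):
    """All group-membership changes in a batch of XML records, in log order."""
    return [ev for ev in map(parse_group_event, records) if ev]


def alerts(records):
    """Only the changes that touch a sensitive group."""
    return [ev for ev in group_changes(records) if ev["sensitive"]]


def _record(event_id, time, **data):
    """Build a constructed sample record in the shape of Event Viewer's XML view."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Channel>Security</Channel><Computer>DC01.contoso.com</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


SAMPLE_RECORDS = [
    _record(4728, "2019-05-02T01:12:33.000Z",
            MemberName="CN=Jane Doe,CN=Users,DC=contoso,DC=com", MemberSid="S-1-5-21-1-2-3-1105",
            TargetUserName="Domain Admins", TargetDomainName="CONTOSO", TargetSid="S-1-5-21-1-2-3-512",
            SubjectUserSid="S-1-5-21-1-2-3-1001", SubjectUserName="jdoe", SubjectDomainName="CONTOSO",
            SubjectLogonId="0x3e7a1", PrivilegeList="-"),
    _record(4729, "2019-05-02T01:15:02.000Z",
            MemberName="CN=Tom Lee,CN=Users,DC=contoso,DC=com", MemberSid="S-1-5-21-1-2-3-1210",
            TargetUserName="Finance Users", TargetDomainName="CONTOSO", TargetSid="S-1-5-21-1-2-3-1180",
            SubjectUserSid="S-1-5-21-1-2-3-1001", SubjectUserName="jdoe", SubjectDomainName="CONTOSO",
            SubjectLogonId="0x3e7a1", PrivilegeList="-"),
    _record(4624, "2019-05-02T01:16:40.000Z",   # a logon, ignored by the parser
            TargetUserName="svc_backup", TargetDomainName="CONTOSO", LogonType="3"),
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_RECORDS):
        print(f"{ev['time']} {ev['logged_on']}: {ev['actor']} {ev['action']} "
              f"'{ev['group']}': {ev['member']}")
```

To feed real data, export from each DC with `Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4728 or EventID=4729]]" | ForEach-Object { $_.ToXml() }` and pass the strings to `group_changes`.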

SCCM and some Windows management tools make use of the Windows SYSTEM account mentioned above.

Is it considered an interactive or non-interactive account, since it has no user profile (unlike Administrator)?

Can we set a password to SYSTEM ?  Or it has an unknown password?

When using the tools (possibly psexec & SCCM) to get to the command prompt of the managed endpoint,
are the activities (i.e. when the command prompt is spawned, mappings of drives using 'net use ...' or
sharing of drives using 'net share ...') being logged in the Windows Event Viewer logs?

We use Horizon View to manage Virtual Desktops.

If we have Virtual Desktops (VDs) of different sensitivity/criticality levels, what are the measures we can
take to segregate VDs of different functionalities/sensitivities?   We can always grant a different VLAN/
segment to each group with no inter-VLAN routing among them, but is there more that can be done?

I've seen cases where sysadmins assign vNICs (for DMZ & backend zones) to a VM, thus bypassing
firewalls.  Other than educating sysadmins, is there anything we can control in Horizon View to prevent
such rogue permissioning?

I guess Horizon View's event logs can be forwarded to a SIEM, or could they not?

We have various groups of PCs that are dedicated to accessing different applications/systems
& are being audited from time to time.

One common item the auditors look for is whether USB is blocked: we used a DLP
tool to block it, & just showing in the DLP console that there's a policy being
applied to them is not good enough.

Instead of being physically present (as we have close to 30 different locations/offices),
we can "remote desktop" to all the PCs using a central PC management tool.  However,
is there a tool/software to simulate a thumb drive being inserted into a USB port, so we can
then launch Windows Explorer to show there's no new drive being detected/mounted?
It's not feasible to get IT staff (or even users, as the users usually don't have a USB drive
on hand, knowing that the USB ports have been blocked) to travel there to insert a
USB drive to test.

We also wanted to have this ability to simulate this, as there have been cases where
the DLP policy is applied but it did not work.

We require our staff to use MobileIron MDM and read their corporate emails using
MobileIron's  Email+ (a secure email client by MI).

Several staff read Bloomberg's BFW (Bloomberg First W) news, which is not in
http nor https format but bbs format, which MI can't load, though this could
load in the Apple iOS partition.

Does Bloomberg offer http or https instead of bbs?  It's the
trading staff who subscribe, so I don't have Bloomberg's support.

We have logged a case with MI & MI acknowledged they can't support bbs:
Bloomberg was supposed to be used globally, so how is it that MI
can't support it?  Any workaround?

We had an internal debate on fulfilling the auditor's requirement for a batch of critical PCs
(that are used for critical processing): the audit requires that login activities to the built-in local
administrator (which we had renamed) need to be reviewed regularly by another team
(it's used by the End User support team on rare occasions only, when a PC loses network
 connectivity to a central management tool like SCCM):

As a security person, I find it unsustainable to regularly review each time the local admin
is used to log in, & Audit agrees that if we disable it, then review is not needed.

Somehow, there's a way to tweak it (by replacing a binary with cmd.exe) to boot up the
PC in Safe Mode so that we can get to a command prompt to re-enable it for recovery
only (I deem that simply recovering a 'disconnected PC' doesn't need review).

There are debates raised internally:

a) is disabling local admin a more secure practice than reviewing the activities (which I
    felt no organization has the resources for, i.e. a compliance person to follow up
    whenever the local admin is used to log in)?  Which of the two is more practical?

b) another proposal is to install these critical PCs with Splunk agents to pipe their
    events to Splunk so the events of using local admins are sort of 'monitored' by

c) Is disabling local admin considered a bad / unsustainable practice?  Any articles
    to support disabling or against it are appreciated.

I am looking into the CIS/SANS Top 20 security controls, which recommend enterprises "Deploy Automated Operating System Patch Management Tools" (and likewise for applications). When you push out updates via System Center/WSUS, what exactly needs to be on the end-user devices (workstation/server) to receive the updates? Do specific patch management tools need installing on the machines? If so, can details be provided? I appreciate such tools may be required for non-Microsoft OSes and software, but I had never heard of such a tool being required when WSUS/SCCM is pushing out the updates.

Some of the cyber security best practices require that admin access and admin-type activities can only be performed from dedicated admin hosts. Technically, how is this enforced to ensure that admin-type work can only be performed from dedicated hosts and by no other users? Would this be firewall settings on each individual computer joined to a domain? Can enforcing such a policy cause any issues in support/resolution?

We are reviewing compliance against the CIS/SANS Top Twenty cyber controls, and one of the controls is that of limiting access to scripting tools, for which it cites the example of PowerShell and Python. If users only have standard user rights (no local admin), what is the risk of them having PowerShell at their disposal on their assigned laptop/workstation?

And how, from a systems admin / support perspective, could you restrict access to such scripting tools for standard users? e.g. how can you hide/uninstall PowerShell for all?
We have a request from the applications team to grant their non-privileged Solaris and AIX IDs the ability
to execute their shell scripts (which contain lines to run binaries):
  sudo /gl/_ctron_/start1292
  sudo /gl/_ctron_/start1291

Is there any way not to grant them sudo & root and yet still allow them to stop/start the services?
Or if we grant sudo, restrict them to run only those specific scripts so their sudo can't do anything else?

Is there any way we can use the SGID or SUID sticky bits to grant them this without giving them root/sudo privileges?
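A sudoers rule that names only the two scripts is the usual answer, and the part that is easy to get wrong is not the rule but the scripts: if the delegated user (or anyone else) can write the script file or replace it through a writable directory on its path, the rule is a root shell with extra steps. Many Unix kernels, Linux among them, ignore the setuid bit on interpreter scripts, and where it is honoured a setuid shell script is notoriously hard to make safe, so the sudo route is the one to take. The code below is an added example, not part of the post: `render_sudoers` emits the rule (real sudoers syntax; the script paths are the post's, the account name `appuser` is assumed) and `sudo_target_problems` is the ownership and permission check that makes such a rule worth having. The demo tree it builds is constructed in a temporary directory.

```python
"""Delegate two start scripts through sudo without handing out root.
Added example; the sudoers grammar is real, 'appuser' and the demo tree are assumed."""
import os
import stat
import tempfile


def render_sudoers(user, scripts, run_as="root", no_args=True):
    """Return one sudoers rule that permits exactly the listed commands.

    A trailing "" after a command in sudoers means 'no arguments permitted',
    which stops the caller from steering the script with extra parameters.
    """
    cmds = ", ".join(f'{s} ""' if no_args else s for s in scripts)
    return f"{user} ALL=({run_as}) NOPASSWD: {cmds}"


def sudo_target_problems(path, expected_uid=0, stop_at="/"):
    """Reasons why running `path` via sudo would be unsafe (empty list = OK).

    Checks the script itself and every directory from it up to `stop_at`:
    a group/other-writable file or directory lets someone swap the script,
    turning the narrow rule into an arbitrary-command-as-root grant.
    """
    problems = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: script is group/other writable")
    if not st.st_mode & stat.S_IXUSR:
        problems.append(f"{path}: script is not executable")
    d = os.path.dirname(os.path.abspath(path))
    stop_at = os.path.abspath(stop_at)
    while True:
        if os.stat(d).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{d}: directory is group/other writable")
        if d == stop_at or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return problems


def _script(directory, name, mode):
    """Write a constructed placeholder start script with the given mode."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\nexec /opt/app/bin/daemon start\n")  # constructed body
    os.chmod(path, mode)
    return path


def demo():
    """Build a throwaway tree (one safe script, one loose script, one script in a
    loose directory) and return the rule plus the findings for each case.  The
    current uid stands in for root as the expected owner so this runs unprivileged."""
    base = tempfile.mkdtemp(prefix="sudo-demo-")      # mode 0700, so base itself is clean
    me = os.getuid()
    ctron = os.path.join(base, "gl", "_ctron_")
    os.makedirs(ctron)
    os.chmod(os.path.join(base, "gl"), 0o755)
    os.chmod(ctron, 0o755)
    good = _script(ctron, "start1292", 0o755)
    loose = _script(ctron, "start1291", 0o775)       # group-writable: anyone in the group is root
    scratch = os.path.join(base, "scratch")
    os.mkdir(scratch)
    os.chmod(scratch, 0o1777)                         # world-writable like /tmp
    in_open = _script(scratch, "start1290", 0o755)
    return {
        "rule": render_sudoers("appuser", ["/gl/_ctron_/start1292", "/gl/_ctron_/start1291"]),
        "good": sudo_target_problems(good, me, base),
        "group_writable": sudo_target_problems(loose, me, base),
        "open_dir": sudo_target_problems(in_open, me, base),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Put the rendered rule in its own file under /etc/sudoers.d and check it with `visudo -c -f <file>` before relying on it; sudo's default `env_reset` already strips the caller's environment, so the remaining exposure is whatever the two scripts themselves execute.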

Users are requesting for AutoIT to automate their tasks (mouse clicks, repetitive keystrokes etc)
but I have concerns like what's listed in link above.

What are the mitigations we can put in place to balance between work productivity & IT security risks?

Are the following valid mitigations?

1. air-gap those PCs running AutoIT, namely remove Internet access & email access, as these two are
    top vectors of malware.  Users told me they don't need these 2 functions on the PCs running
    AutoIT, but the AutoIT programmer wants them on his PC as he doesn't want to switch around
    between PCs when developing AutoIT scripts & using email/Internet

2. I heard we can compile the scripts & then uninstall AutoIT: so if a hacker got into the PC, he
    can't develop keyloggers/malicious scripts (that capture credentials).  The programmer felt
    this is restrictive, but to work around it, I heard we can create a config file for scripts to read in
    parameters/variables to give more flexibility or options for the scripts to operate: is this
    so?  Is this a good mitigation?

Please add on any further mitigations.

I've heard of VB & Java scripts being risks : are they of similar nature as the risks of AutoIT?
