

OS Security





Operating system security (OS security) is the process of ensuring the integrity, confidentiality and availability of an operating system. It refers to the specific steps or measures used to protect the OS from threats such as viruses, worms, other malware and remote intrusion. OS security encompasses the preventive controls, such as authentication and password policy, that safeguard any computer asset that could be stolen, edited or deleted if the OS were compromised, and it covers threats to both systems and programs.


Was told Exabeam UEBA charges based on # of staff & no agent needs
to be installed in endpoints as it correlates/uses Splunk's data.

Since this is "user behavior", should we pipe users' PCs/laptops events
to the SIEM (have Splunk in mind) or in general, do people only pipe servers
& network devices events to Splunk (i.e. PCs events are not piped)?

Splunk gave me a spreadsheet for sizing which did not have a column
to input # of PCs/laptops, while in the bank I worked for previously,
PCs/laptops events were not piped to SIEM. As Exabeam correlates/
analyses users' activities, shouldn't the PCs events get piped as well?

I'll need to monitor several "privilege escalation related" Solaris 10 & RHEL6 files using
ACLs (Access Ctrl Lists):

a) /etc/group, /etc/sudoers, /etc/cron.daily (or .weekly or any crons owned by root):
    ACL to send to syslog (so that we can pipe to SIEM) when permissions, ownership
    or contents of the above files are changed

b) visudo, sudo, usermod, useradd command binary files:
   when these are being executed/run, ACL to send to syslog (who & when it's being

Appreciate exact setacl (or the actual commands/settings) samples for RHEL6 & Solaris 10
x86
I have a shared folder where permissions for a user are not behaving as displayed in Folder properties. This user exists under a group called "Managers". Managers has been added to the "Share" folder's Permission Entries with full control, applying to "This folder, subfolders, and files".

This issue started with this user not being able to save files, delete files, create new folders, or move files to new folder locations despite having full control. In order to try to fix this issue I dragged and dropped the "Share" folder onto a FAT32 drive, then copied the folder back to C:\ (NTFS). This was to clear any permissions. Here were the exact steps performed.

1. Closed all files/apps using anything in the Share folder.
2. Verified all files were closed.
3. Created a copy of Share folder inside C:\
4. Copied original Share folder to FAT32 drive.
5. Deleted original Share folder from C:\
6. Copied FAT32 drive Share folder back to C:\
7. Set share settings on Share Folder
- Full Control
- Security Tab > Add Managers group > Assign full control
- Share Name > Share

After completing these steps, the user is able to save files and create new folders inside the drive, but cannot delete or move locations of a file/folder. The only file the user was able to move was one where the user was the owner.

The goal here is to have this user actually have full control of any folder/files inside the "Share" folder. Images attached of share folder properties and permissions.
We are looking at some interesting connections that appear to be inbound from the below snippet:
Incoming connection from ( [source ip here] Port 46525 ) to svchost.exe

The source of the incoming traffic is connected to an external suspicious IP address and not part of our infrastructure. We would like to see if there is a way to determine whether incoming traffic with svchost.exe as the communicating file can be reasonably whitelisted?

Is there a set of expected source IPs that we could reference that would allow us to sift out possible known external IPs that are valid incoming connections to an svchost.exe process running on an endpoint?
In general, does a Non-Disclosure Agreement cover
a)  information should not be disclosed even verbally?
b) accidental divulging of sensitive information?
c) that a vendor is working for this specific customer on a specific project?
d) the size of the data or database of the customer?
e) the value of the project?
How can I track files  that were moved to another location, for instance, from the local SSD to OneDrive?
The user is required by work to have BitLocker Drive Encryption turned on.  They have a desktop computer.
Dell Inspiron 3670
Windows 10 Pro   10.0.17134  Build 17134    12 GB RAM   Windows 10 is up to date

Every time we try and turn on BitLocker, we are unable to start BitLocker and get message  "An internal error was detected"

How can we get BitLocker installed?

I am looking for software that could monitor when a computer is turned on or off, and which user was logged in when this was done.
If it contains other features then this is fine as well. However...
Also, does the software need to be installed on the suspect computer, or can it perhaps be monitored remotely from a computer on the same network which has admin rights?
It needs to be determined if an unauthorized person is logging into this computer, and also what activity they are doing.
If I use a Solaris server as repository server to get ClamAV updates
from the Internet, can it be used by other platform 'satellite'
ClamAV such as Windows, Linux? I.e. can freshclam on
Windows/Linux pull signature updates from a Solaris server?

Are the 3 cvd files (main, daily, bytecode) inter-usable
between Solaris x86, RHEL & Windows?

We're trying to quickly set up ManageEngine EventLog Analyzer/SIEM for our
Solaris 10 x86 and RHEL 6 servers: all are 64-bit OS.

Somehow I can't locate anything for Solaris 10 x86: need the agent installer.
Still looking for RHEL6. I'm not too good with navigating.

Can anyone help locate & give the exact links?

a) https://en.wikipedia.org/wiki/Ceedo  ==> has local distributor/partner, on-prem
b) https://www.garrison.com/  ==> on-prem, cloud-based coming up
c) https://info.authentic8.com/  ==> cloud only

Trying to narrow down which of the above 3 solutions to adopt for safe Internet

a) uses CDR (Content Disarm & Reconstruct): how good is this in making
    PDF, MS Office files safe? O365's SpamHaus is not sufficient (still getting
    spam) & lacks defense against malicious attachments & users clicking
    on phish links in emails; can Ceedo's solution do CDR for email/email
    attachments? Can't seem to find anything in the wiki link above.
    It's not clear if they have a proxy solution/feature in their product

b) this solution lacks in terms of proxy (for us to link to SpamHaus or add our
    Threat Intel's bad reputation IP & blocking certain categories like YTube &
    FB) & downloading of files: had to email the attachments & purchase
    proxy/CDR (eg: Deep Secure) solutions to integrate:  personally I prefer to
    cut down on integrations because when there's issues, vendors would
    point to each other.   By making users do downloads by sending email,
    it discourages users from downloading to their PC unless necessary:
    however, I foresee users will be unhappy with such requirement that
    they had to take extra steps to email files they wanted to be downloaded

c) offers cloud solution only …
Which tools do you use for security auditing of Windows servers (by which I mean checking the configuration aligns with best practice and is free from administrative/configuration-based vulnerabilities)? Microsoft Baseline Security Analyzer seems to have been retired and is not supported on newer OS. So gauging what tools/scripts etc. are common in 2018 would be interesting. I would have thought PowerShell scripts could replace what MBSA used to check for but couldn't find much out there.
I'm exploring backup policies such that if there are insiders quietly
altering them, we can skip the 'bad' changes:

Day 1: the initial good build
Day 2: legit/good updates were made
Day 3: an insidious/malicious update was made
Day 4: good legit updates/changes were made

We want to restore till Day 2, skip Day 3, restore Day 4.

Was told a GFS scheme as above will help but I tend to think
a mix of incremental plus differential backups is needed.
Please comment.

For DB, is it better to back up the OS files of the DB or take dumps & back up
the text dumps?
I see several references for best practices on managing NTFS permissions and File Shares that state:

"Create a Global Deny group so that when employees leave the company, you can quickly remove all their file server access by making them members of that group."

Makes sense, but I'm curious what others think of this. It seems that if it were at the point that we needed to remove a user's file server access and thus access to all of the shares that they have, it would be a simple matter of disabling the account. What advantage would it be to put the user in this group to remove access over just disabling the account?
Windows Authentication in Chrome does not work as expected from an AD/Domain environment.

It works perfectly in Firefox after adding http://app.domain.local to network.automatic-ntlm-auth.trusted-uris

It also works well in Edge and Internet Explorer after adding the URL in Local Intranet - Sites.

I expect it to work in Chrome too. But I am always being prompted. Any ideas?

I have tried with or without the Negotiate security method for Windows Authentication. I am currently using only NTLM.

Chrome version 69.0.3497.100 64 bit.
IIS 8 and MVC (Webform) (newer version) ASP.Net app

Anyone have a CIS scoring tool for Solaris 10 and RHEL Linux (RHEL 6 or 7 will be best)?
I last got them from the CIS website for Solaris 8 & RHEL 4/5 about 11 years ago but think
CIS now requires membership to get the scoring scripts.

Looking for free tools/scripts, not something subscription-based.

The scripts should not make changes/hardening but just do collection.
Hi Experts
I am planning to study information security; I have been working in the IT field for a long time
but I do not know any courses I can start with. Some told me that CEH is perfect and others told me CEH is useless.
Please advise me.
I was hoping to scope out some useful tests to include as part of an audit / health check of some traditional file servers, which act as team repositories for shared documents/files, and another acts as a home drive server where each employee has a home drive area locked down just to them. I was thinking of basics such as:

access control lists (ACL) - ensure permissions on directories are appropriately restricted and restrict access based upon need-to-know principles
teams consuming masses of space (poor internal practices)
documents with no recent last access attribute - compare to data retention requirements etc
non-administrators who have full control over shares/directories (should not be the case)
general OS security (e.g patches, local administrators, backups)
general monitoring (e.g. capacity/free space)

can you think of any more areas that would be of benefit in such a review?
I've seen an ex-colleague blocking file extensions from being created using a feature in McAfee
(can't recall the name).

Can someone provide the steps to do this in Trendmicro Officescan's management console?
What's this feature called in Officescan?

I already have an Active Directory Windows Server 2016 home test server setup, but now want to change my few test Windows 10 Pro clients to use SmartCards

What URL do you recommend showing a step-by-step on how to setup SmartCards in Server 2016 only for CLIENTS, NOT for logging into the server as "user=DAadmin" since I want to still be able to login to the server without a SmartCard ?

I found https://malwaretips.com/threads/how-to-protect-your-head-less-home-server-with-smart-card-authentication-and-a-yubikey.71078/, but think there might be something better
CVE-2017-1283  - How to fix this?
Please help...
Scenario: We have users that use laptops/desktops to connect to our RDP farm; we also have some "local users" that work on local applications using their network shares.
- The group policy connects their H: drive to a network share; we want to only allow connection to the file server whilst on the remote desktop (security reasons and to control access).
- We also have a small group of users that will need to connect to the file server, e.g. connect their network shares.
- Servers are in a datacentre, including remote desktop servers.
- Users are at a number of sites (different IP/subnet).
We are trying to use the server firewall rule "File and Printer Sharing (SMB-In)" to limit connections from named servers/computers (remote desktop machines) and an OU group containing the limited list of approved users.
- Is this the best way to do this, and
- Will the firewall allow me to limit (as above)?
All assistance gratefully received…
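One way to scope the built-in SMB-In rule to a known set of source addresses, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (the NetSecurity module), the English display group name, and the RDS host addresses and management subnet below, which are constructed for the example:

```powershell
# Added example, not the poster's configuration. Restricts the predefined
# "File and Printer Sharing" inbound rules on a file server so that TCP 445
# (SMB direct) is accepted only from the RDS hosts and an admin subnet.
# Run elevated on the file server.

$RdsHosts   = @('10.10.20.11', '10.10.20.12', '10.10.20.13')   # constructed: remote desktop servers
$MgmtSubnet = '10.10.90.0/24'                                  # constructed: admins allowed direct access
$Allowed    = $RdsHosts + $MgmtSubnet

# The display group contains several rules (SMB on 445, NetBIOS on 137-139,
# spooler RPC). Pick the SMB rules by their port filter rather than by the
# localized display name.
$fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
$smbIn = $fpsRules | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $pf.Protocol -eq 'TCP' -and $pf.LocalPort -eq '445'
}

# Scope the remote address list; any source not in $Allowed is dropped by the
# default inbound block action of the Domain profile.
$smbIn | Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $Allowed

# Verify what is now in effect.
$smbIn | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
} | Format-Table -AutoSize
```

This answers the address half of the question only. Limiting by user or group with the same rule needs the `-RemoteUser` / `-Authentication Required` parameters, which only work when the connection is IPsec-authenticated (connection security rules on both sides); without IPsec the firewall sees only IP addresses. Also check that no other inbound rule on the server still allows TCP 445 from Any, and test from a client outside `$Allowed` before relying on it.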
For the reconcile accounts for CyberArk PAM, is it best practice to
use non-interactive privileged accounts or do they have to be interactive?

I thought of using non-interactive as such accounts are not subject
to 90-day password expiry & are better secured. Windows has a
built-in non-interactive SYSTEM account while UNIX has sys:
are these suitable for use for resetting/recovery?
Is there a relatively easy way to determine the last time an officer logged on (e.g. RDP) to a Windows server? I need to verify a list of officers with admin access to a server and need some stats on last access to help flag potential inappropriate assignment of admin rights.
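One way to get those last-logon figures from the server's own Security log, as an added example that is not part of the original post. It assumes success auditing for logon events is enabled (so event ID 4624 exists), that it is run elevated on the server or with remote event-log access, and that `$AdminsToCheck` is a constructed sample of the accounts being reviewed:

```powershell
# Added example, not the poster's script. For every account that logged on to
# this server in the window, returns its most recent interactive logon
# (event 4624, LogonType 10 = RDP, 2 = console, 7 = unlock), then compares
# the result with a list of accounts that hold admin rights.

function Get-LastLogonByAccount {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int[]]$LogonTypes = @(10, 2, 7),
        [datetime]$Since = (Get-Date).AddDays(-90)
    )
    # Build an XPath filter so the event log service does the filtering.
    $typeFilter = ($LogonTypes | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $ms = [long]((Get-Date) - $Since).TotalMilliseconds
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[($typeFilter)]]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = [int]$d['LogonType']
                SourceIP  = $d['IpAddress']
                Time      = $_.TimeCreated
            }
        } |
        Group-Object Account |
        ForEach-Object {
            $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
            [pscustomobject]@{
                Account   = $_.Name
                LastLogon = $latest.Time
                LogonType = $latest.LogonType
                SourceIP  = $latest.SourceIP
            }
        }
}

# Constructed sample: accounts that currently hold admin rights on the server.
$AdminsToCheck = @('CORP\jsmith', 'CORP\adoe', 'CORP\svc_backup')

$seen = Get-LastLogonByAccount | Where-Object { $AdminsToCheck -contains $_.Account }
$seen | Sort-Object LastLogon | Format-Table -AutoSize

# Admins with no interactive logon in the window are candidates for review.
$AdminsToCheck | Where-Object { $seen.Account -notcontains $_ } |
    ForEach-Object { Write-Output "No interactive logon in window: $_" }
```

Two caveats when reading the output: the window is bounded by how far back the Security log actually reaches (check its size and retention before trusting a "never logged on" result), and an admin who only ever uses the server over SMB, WinRM or scheduled tasks will show up as LogonType 3, 5 or 4 rather than 10, so widen `-LogonTypes` if those count as "access" for the review.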
Dear Experts, I want to ask about Folder Permissions in Windows Server 2012.

Is there any way that I can copy all the permissions/rights assigned to folders? Suppose when I change the location of a folder (copy/move to a different location) I want the same user rights to be assigned back instead of doing this activity manually.

Also can I create a backup of folder rights (user rights / folder permissions)?
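Both halves of this can be done with tools already on Windows Server 2012, shown here as an added example that is not part of the original post. It assumes the constructed paths below and an account with Full Control (or Backup/Restore privileges) on both trees:

```powershell
# Added example, not the poster's procedure. Backs up the NTFS DACLs of a
# folder tree to a file with icacls, copies the data to a new location, and
# re-applies the saved DACLs there. The trailing backslash on the saved root
# makes the entries in the ACL file relative to that folder, so the same
# relative form is used on restore.

$Source  = 'D:\Shares\Projects\'        # constructed
$Target  = 'E:\Shares\Projects\'        # constructed
$AclFile = 'C:\Temp\Projects-acl.txt'   # constructed

# 1. Backup of folder rights: /t recurses, /c keeps going on errors.
#    Keep this file somewhere the share users cannot write; it is the
#    authoritative record you would restore from after an accidental change.
icacls $Source /save $AclFile /t /c

# 2. Copy the data. /COPY:DAT copies data, attributes and timestamps but
#    deliberately not the security descriptor, so step 3 is what sets the ACLs.
#    (robocopy /COPYALL or /SEC would carry the ACLs across in one step if no
#    separate backup is wanted.)
New-Item -ItemType Directory -Path $Target -Force | Out-Null
robocopy $Source $Target /E /COPY:DAT /R:1 /W:1

# 3. Restore the saved DACLs onto the new tree.
icacls $Target /restore $AclFile /t /c

# 4. Spot-check one entry in both places.
(Get-Acl $Source).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
(Get-Acl $Target).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

Note what this does not carry: the saved file holds DACLs (and SACLs), not owners, so set owners afterwards with `icacls ... /setowner` if they matter; and share-level permissions are separate from NTFS ones and are not touched by icacls at all, so a moved share needs its share permissions recreated (or exported from `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares`). If the restore reports "file not found" for every entry, the root given to `/restore` does not match the root used for `/save`; run it against the parent directory instead.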
