OS Security





Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

I am not sure if I interpret this correctly, but this security report seems to show a few workstations having some suspicious DNS activity and trying to resolve some DGA domains - please see the attached.

I am not in the security area. Someone who knows how to handle this, please advise.

Many thanks.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during 2017, another big threat started appearing at the same time that didn't get the same coverage – illicit cryptomining.

I'm writing a doc on Data Classifications (taking local regulatory/practices into context, with
international practices such as GDPR as optional). Data we have in mind are:

a) our customers' particulars (which includes their NRIC#, i.e. the equivalent of a Social Security # in the
    US, their mobile/tel# and addresses: I guess all of these are PII)

b) bank account numbers of the customers (for payments)

c) the transactions including historical transaction details (customers sea-port clearances
    as well as the volume & types of goods they go through our sea-port)

d) IP addresses of customers who connect to us, internal IP addresses/hostnames of our

So for each data class, I need to identify:
1. they must be hosted within our country if we use cloud (& if this is IaaS, SaaS, PaaS)
2. backup of the data must be encrypted
3. data at rest/in-transit must be encrypted
4. to be classified as Restricted, Confidential, Secret, or any other categories
5. which category to be detected by DLP & which category to be blocked by DLP
6. any other actions for each of the data categories

If there are such sample docs out there, care to point me to them?
Local server security.

I just got hit by a ransomware attack. Hence I am asking for help to be able to achieve a great level of security, especially for my server, and for my devices.

Which devices should I get, and why?
We are not subscribing to any professional phishing service but doing our own phishing drill. Can someone provide me a PDF file that will email back to me (indicating who clicked, with a message 'You failed this test' in the PDF) when our O365 Exchange Online users click on the attachment? I guess we have to whitelist such a PDF so that our AV doesn't block it from opening?

Referring to the workaround given in the above link for 64-bit Windows,
  cacls %windir%\syswow64\jscript.dll /E /P everyone:N

when I checked on my 64-bit Windows 10, I don't see "everyone" in the ACL:
C:\Windows\SysWOW64\jscript.dll NT SERVICE\TrustedInstaller:F
                                NT AUTHORITY\SYSTEM:R

So should we instead remove the "R" (i.e. Read) access for Users & *APPLICATION PACKAGES?
In Windows 2012 R2 we have set up and assigned an IPsec policy. In the policy we did not specify an endpoint on the initial screen, since the IPsec tunnel is between two internal servers. My question is: is it required to have the firewall enabled and have a rule set up to force all inbound or outbound connections through IPsec? I guess what I am asking is, will IPsec work if the Windows firewall is disabled? Right now we are trying to test the IPsec tunnel between the two servers and only see Key Deletions listed under the IPsec stats; everything else is zero and nothing is listed under associations.
We had a past incident of an IT staff member who elevated his/her SharePoint privilege
to Site Admin.

What are some of the easier ways to prevent this from happening, other
than educating?

Any free tools or low-cost tools are welcome as well
Using Group Policy, how can I remove groups/users from Local Users on local machines across the domain? Basically, what we need to do is remove Domain Admins & Enterprise Admins from the local Administrators group & add a newly created "Local_Admin" group to the local Administrators group.
Where specifically in the Windows audit settings can you capture file-level access (can you also capture file deletes, file creations etc. in a single log)? I need to check what is enabled on a number of servers around this. Are there any specific risks/configurations in enabling this on larger file servers, and any feedback on whether the default Windows logs are the best tool to capture this data, or whether 3rd-party apps may be the way to go?
We have about 70 corporate issued iPads / iPhones & would like to harden them as per CIS benchmark.

Is there a free tool or MDM that could facilitate doing the hardening centrally rather than doing it device by device?
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

I am doing a review of permissions on a file server. There is a file share created for a specific department; for argument's sake we can say this is \\fileserver\department. When analysing permissions, at the share ACL the admin has granted NT AUTHORITY\Authenticated Users 'Full' permissions, and on the directory ACL they have given NT AUTHORITY\Authenticated Users Read, Write, Execute and, the concerning one, "Delete". These are taken from an MBSA scan of the server.

Within \\fileserver\department\ there are numerous sub-directories, e.g. \\fileserver\department\team1 and \\fileserver\department\team2. A quick scan of permissions set at these child levels shows they don't inherit the permissions set at \\fileserver\department, which is good from a data security perspective, as they are configured in such a way that they restrict access to only specific groups.

Where my concern is, and I am trying to determine whether I am correct to be alarmed, is this: if NT AUTHORITY\Authenticated Users has delete permissions at the root level, e.g. the \\fileserver\department level, could they just delete the sub-directories, e.g. \\fileserver\department\team1 and \\fileserver\department\team2, or not? Does the fact that the permissions on folders such as \\fileserver\department\team1 are more restrictive make my concern that the NT AUTHORITY\Authenticated Users group has delete permissions at the root level less of an issue?
I was told Exabeam UEBA charges based on # of staff & no agent needs
to be installed on endpoints, as it correlates/uses Splunk's data.

Since this is "user behavior", should we pipe users' PC/laptop events
to the SIEM (have Splunk in mind), or in general do people only pipe server
& network device events to Splunk (i.e. PC events are not piped)?

Splunk gave me a spreadsheet for sizing which did not have a column
to input # of PCs/laptops, while in the bank I worked for previously,
PC/laptop events were not piped to the SIEM. As Exabeam correlates/
analyses users' activities, shouldn't the PC events get piped as well?
I'm looking for ways (most likely auditctl or audit) to monitor Solaris files
(/etc/group, sudoers, root's cron.*) & if possible email out a notification
once the content of the file(s) is modified.

Will need exact/detailed steps.

I'm on Solaris 10 x86.

File integrity monitoring tools (like Tripwire) are not an
option, as we just want to use built-in Solaris tools.
I'll need to monitor several "privilege escalation related" Solaris 10 & RHEL6 files using
ACLs (Access Control Lists):

a) /etc/group, /etc/sudoers, /etc/cron.daily (or .weekly, or any crons owned by root):
    ACL to send to syslog (so that we can pipe to SIEM) when permissions, ownership
    or contents of the above files are changed

b) visudo, sudo, usermod, useradd command binary files:
   when these are being executed/run, ACL to send to syslog (who & when it's being

Appreciate exact setacl (or the actual commands/settings in RHEL6 & Solaris 10
x86) samples
I have a shared folder where permissions for a user are not behaving as displayed in Folder properties. This user exists under a group called "Managers". Managers has been added to the "Share" folder's Permission Entries with full control, applying to "This folder, subfolders, and files".

This issue started with this user not being able to save files, delete files, create new folders, or move files to new folder locations, despite having full control. In order to try to fix this issue I dragged and dropped the "Share" folder onto a FAT32 drive, then copied the folder back to C:\ (NTFS). This was to clear any permissions. Here were the exact steps performed.

1. Closed all files/apps using anything in the Share folder.
2. Verified all files were closed.
3. Created a copy of Share folder inside C:\
4. Copied original Share folder to FAT32 drive.
5. Deleted original Share folder from C:\
6. Copied FAT32 drive Share folder back to C:\
7. Set share settings on Share Folder
- Full Control
- Security Tab > Add Managers group > Assign full control
- Share Name > Share

After completing these steps, the user is able to save files and create new folders inside the drive, but cannot delete or move locations of a file/folder. The only file the user was able to move was one where the user was the owner.

The goal here is to have this user actually have full control of any folder/files inside the "Share" folder. Images attached of share folder properties and permissions.
We are looking at some interesting connections that appear to be inbound, from the below snippet:
Incoming connection from ( [source ip here] Port 46525 ) to svchost.exe

The source of the incoming traffic is connected to an external suspicious IP address and is not part of our infrastructure. We would like to see if there is a way to determine whether incoming traffic with svchost.exe as the communicating file can be reasonably whitelisted.

Is there a set of expected source IPs that we could reference that would allow us to sift out possible known external IPs that are valid incoming connections to an svchost.exe process running on an endpoint?
In general, does a Non-Disclosure Agreement cover:
a) that information should not be disclosed even verbally?
b) accidental divulging of sensitive information?
c) that a vendor is working for this specific customer on a specific project?
d) the size of the data or database of the customer?
e) the value of the project?
How can I track files that were moved to another location, for instance, from the local SSD to OneDrive?
The user is required by work to have BitLocker Drive Encryption turned on. They have a desktop computer.
Dell Inspiron 3670
Windows 10 Pro 10.0.17134 Build 17134, 12 GB RAM, Windows 10 is up to date

Every time we try to turn on BitLocker, we are unable to start BitLocker and get the message "An internal error was detected".

How can we get BitLocker installed?

IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

I am looking for software that could monitor when a computer is turned on or off, and which user was logged in when this was done.
If it contains other features then this is fine as well; however...
Also, does the software need to be installed on the suspect computer, or could it perhaps be monitored remotely from a computer on the same network which has admin rights?
It needs to be determined if an unauthorized person is logging into this computer, and also what activity they are doing.
If I use a Solaris server as a repository server to get ClamAV updates from the
Internet, can it be used by 'satellite' ClamAV installations on other platforms
such as Windows and Linux? I.e. can freshclam on
Windows/Linux pull signature updates from a Solaris server?

Are the 3 cvd files (main, daily, bytecode) interchangeable
between Solaris x86, RHEL & Windows?

We're trying to quickly set up ManageEngine EventLog Analyzer/SIEM for our
Solaris 10 x86 and RHEL 6 servers: all are 64-bit OS.

Somehow I can't locate anything for Solaris 10 x86: need the agent installer.
Still looking for RHEL6. I'm not too good with navigating.

Can anyone help locate & give the exact links?
a) https://en.wikipedia.org/wiki/Ceedo ==> has local distributor/partner, on-prem
b) https://www.garrison.com/ ==> on-prem, cloud-based coming up
c) https://info.authentic8.com/ ==> cloud only

Trying to narrow down which of the above 3 solutions to adopt for safe Internet

a) uses CDR (Content Disarm & Reconstruct): how good is this in making
    PDF, MS Office files safe? O365's SpamHaus is not sufficient (still getting
    spam) & lacks defense against malicious attachments & users clicking
    on phish links in emails; can Ceedo's solution do CDR for email/email
    attachments? Can't seem to find anything in the wiki link above.
    It's not clear if they have a proxy solution/feature in their product

b) this solution lacks in terms of proxy (for us to link to SpamHaus or add our
    Threat Intel's bad-reputation IPs & block certain categories like YouTube &
    FB) & downloading of files: had to email the attachments & purchase
    proxy/CDR (e.g. Deep Secure) solutions to integrate. Personally I prefer to
    cut down on integrations because when there are issues, vendors would
    point to each other. By making users do downloads by sending email,
    it discourages users from downloading to their PC unless necessary;
    however, I foresee users will be unhappy with such a requirement that
    they have to take extra steps to email files they want to be downloaded

c) offers cloud solution only …
Which tools do you use for security auditing of Windows servers (by which I mean checking the configuration aligns with best practice and is free from administrative/configuration-based vulnerabilities)? Microsoft Baseline Security Analyzer seems to have been retired and is not supported on newer OS. So gauging what tools/scripts etc. are common in 2018 would be interesting. I would have thought PowerShell scripts could replace what MBSA used to check for, but couldn't find much out there.
What free options are available to scan/search unstructured data (file shares and exchange mailstores) for sensitive data like PHI or PCI data?