Host Hardening, Part 2
Sign in

Host Hardening, Part 2

Information Security Professiona
In my previous post, I talked about two aspects of host hardening: removing unnecessary services and applications. Today, I'll discuss two more.

User Accounts  
Many operating systems offer accounts with elevated rights.  Windows XP has the administrator account, while UNIX has the root or superuser account.  These privileged accounts provide access to administrative functions, which can include security of the system and access to log files.  Compromising the former can result in the installation of malicious programs, such as backdoors (which allow an attacker to come in whenever he wants) or other eavesdropping applications; modifying or deleting log files can allow an attacker to cover his tracks.  In fact, because of the dangers posed by malware that is automatically downloaded simply by visiting a website, some security professionals recommend that home PC users set up a “limited” account for surfing purposes. 

When you select “User Accounts,” which is accessed through the Control Panel, the accounts currently set up on your PC are listed. The “Learn About” topic “User account types” shows the different privileges available to administrators versus limited users. The "limited account" has far fewer privileges.  And, to promote safe(r) surfing, as promised, “Install programs and hardware” is not an option.

Software Patching  
Not that I want to bash Microsoft… but if you have not heard about Windows vulnerabilities, you either live in a cave or use an unregistered (for whatever reason) version of Windows.  If you live in a cave, I suppose you might miss the occasional headline (end ironic comment) announcing that a new flaw had been found.  If you are using an unregistered copy of the operating system, you might miss the emails which arrive every month or so with a title like, “Microsoft Security Bulletin.”  Assuming that you are using a legal copy of Windows, you can (and should) set up your PC to receive and download code fixes from Microsoft automatically.  To sign up for automatic updates, open your Control Panel, and then choose “System.”  “Automatic Updates” is one of the tabs.

By default, it is checked.  When you are signed up for automatic updates and one is made available, you will see a yellow shield icon in your toolbar.  If you hover over the icon, the message will indicate that updates are available. If you double-click on the shield, you can choose the “Express Install” (which is the recommended course) or “Custom Install” (which is think belongs in the propeller-head realm).  You could choose to install it now by clicking on the “Install” button.  However, if you have Windows XP, it will run automatically—unless you take steps to not run it—the next time you power off your PC.  When you begin to power down your PC, you will see a slightly different menu, one which tells you to not turn off the computer while the updates are being installed. When the install in complete, your PC will then shut down.

Next time: Encryption.

start_blog_img