Managing Operating System (OS) Lock Down

by Dave Shackleford Sept. 1, 2017 via SANS Institute

Any IT/Security Manager worth his salt knows that configuration management is a mainstay of secure network operations. This year (2010), “Secure configurations for hardware and software on laptops, workstations, and servers” was again on the SANS list of the top 20 critical security controls. Nowhere is this more critical than at the operating system (OS) level, where default passwords and vulnerable services and ports are known to be huge exposures. Although organizations are generally good at locking down critical server operating systems initially, these “gold builds” drift out of their approved configuration over time, particularly in distributed organizations where local resources are scarce. For example, when a system is used to test a new application that is never uninstalled, all the data and vulnerabilities associated with that application remain exposed to attackers. In other cases, certain system updates and patches are forgotten or deliberately not applied; new users are added or deleted without the system records being updated; or systems are moved and are no longer listed on the active system inventory list.
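To make the drift described above concrete, the following is an added example (not code from the paper or from SANS): it compares a host snapshot against a gold-build baseline and flags each of the four drift cases named in the paragraph. The snapshot fields, host names, package names and patch identifiers are constructed assumptions, standing in for what an inventory agent would collect.

```python
"""Detect configuration drift of a host from its 'gold build' baseline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """Minimal host state; fields are assumed, not a real agent's schema."""
    host: str
    packages: frozenset
    listening_ports: frozenset
    users: frozenset
    patches: frozenset


def drift(baseline: Snapshot, current: Snapshot) -> dict:
    """Each drift class as a sorted list; an empty list means no drift there."""
    return {
        "added_packages": sorted(current.packages - baseline.packages),
        "removed_packages": sorted(baseline.packages - current.packages),
        "new_listening_ports": sorted(current.listening_ports - baseline.listening_ports),
        "added_users": sorted(current.users - baseline.users),
        "removed_users": sorted(baseline.users - current.users),
        "missing_patches": sorted(baseline.patches - current.patches),
    }


def has_drift(report: dict) -> bool:
    return any(report.values())


def inventory_gaps(hosts_reporting, active_inventory) -> dict:
    """Hosts seen on the network but absent from the inventory list, and inventoried hosts that are silent."""
    seen, listed = set(hosts_reporting), set(active_inventory)
    return {"unlisted": sorted(seen - listed), "silent": sorted(listed - seen)}


# Constructed sample data: the approved baseline and one host that has drifted.
GOLD = Snapshot("gold-build", frozenset({"openssh-server", "rsyslog", "auditd"}),
                frozenset({22}), frozenset({"root", "admin"}),
                frozenset({"patch-2010-01", "patch-2010-02"}))
WEB01 = Snapshot("web01", frozenset({"openssh-server", "rsyslog", "auditd", "testapp"}),
                 frozenset({22, 8080}), frozenset({"root", "admin", "svc_test"}),
                 frozenset({"patch-2010-01"}))
ACTIVE_INVENTORY = ["web01", "db01"]
HOSTS_REPORTING = ["web01", "lab07"]

if __name__ == "__main__":
    for k, v in drift(GOLD, WEB01).items():
        print(f"{k:22s} {v}")
    print(inventory_gaps(HOSTS_REPORTING, ACTIVE_INVENTORY))
```

Run on real data, each non-empty list is a finding to reconcile against the gold build or the inventory, and the baseline itself should only change through the change-management process.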