Entries from November 2010

Security+ Objective 1.3 Implement OS hardening practices and procedures to achieve workstation and server security – Security Templates

Templates were traditionally used to paint shapes or letters that were all identical. Essentially, you could create one stencil that says “STOP” and paint it at every intersection in town. Every “STOP” in town would be uniform and look nice.
Security templates serve a similar purpose. They allow an administrator to apply uniform security settings to every system in an organization. When there is a corporate policy that defines the security configuration of systems, a template is a great way to make every system comply. If an organization purchases a large number of new computers, templates allow them all to be easily secured.
Administrators can also utilize user account templates to easily grant proper permissions to new users. For example, you could create a user named “new accounting user” and place it in all of the appropriate security groups to grant the permissions a typical accountant in your organization needs. Whenever a new accountant comes on board, you copy the “new accounting user” profile, put the new accountant’s name on it, and they already have all the permissions they need. This ensures that all accountants are granted identical permissions that comply with corporate policy.


Security+ Objective 1.3 Implement OS hardening practices and procedures to achieve workstation and server security – Group Policies

If you have to manage a large number of computers, you don’t want to have to make configuration changes one by one.  Group policies allow an administrator to centrally manage the configuration settings of systems on the network. 

For example, a user can go to the firewall settings on an individual system and turn the firewall off.  If there is a group policy that controls the firewall settings, individual users will not be able to make changes to those settings.  If you need to configure VPN settings in your domain, you can quickly and easily create one policy and apply it to every system enterprise wide.  This is very powerful, so make sure you test your settings before you unleash them in the production environment.  Almost every aspect of the user interface and security of a system can be set by using group policies.


Security+ Objective 1.3 Implement OS hardening practices and procedures to achieve workstation and server security – patch management

So, now we’ve learned about patches.  We should probably make sure we are taking care of this stuff.  That’s patch management.  As the bad guys discover new ways to harm us, vendors create patches to protect us.  It is vital to our systems’ security to protect them with the latest patches.

The basic steps of patch management are:

  1. Determine what patches are needed and download them
     a. Check for the latest patches on a regular basis
     b. Make sure each patch comes from the vendor’s website and has not been tampered with
     c. Verify that the patch is relevant to your system or application
  2. Test and install the patches
     a. Test in a way that won’t affect production if the patch causes problems
     b. Use automated delivery to push patches across the entire network
  3. Verify that the patches were successfully applied
     a. Use patch management software to automate reports
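The approval logic behind steps 1 through 3 above, as an added example that is not part of the original post: each downloaded patch is checked against the vendor-published hash, checked for relevance to the installed product version, and held back until it has passed non-production testing; a final function lists approved patches that the management report does not show as applied. The product names, patch IDs and hashes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Patch:
    patch_id: str
    product: str
    applies_to_versions: tuple   # product versions the patch is meant for
    payload: bytes               # downloaded patch contents
    vendor_sha256: str           # digest published by the vendor (obtained out of band)
    tested: bool                 # has passed the non-production test ring


def verify_integrity(payload: bytes, vendor_sha256: str) -> bool:
    """Step 1b: recompute the digest locally and compare it to the vendor's value."""
    return hashlib.sha256(payload).hexdigest().lower() == vendor_sha256.lower()


def is_relevant(patch: Patch, inventory: dict) -> bool:
    """Step 1c: only patches for an installed product at a listed version are needed."""
    return inventory.get(patch.product) in patch.applies_to_versions


def plan_deployment(patches, inventory):
    """Steps 1 and 2: return (approved_ids, rejected) where rejected maps id -> reason."""
    approved, rejected = [], {}
    for p in patches:
        if not verify_integrity(p.payload, p.vendor_sha256):
            rejected[p.patch_id] = "hash mismatch: tampered or corrupt download"
        elif not is_relevant(p, inventory):
            rejected[p.patch_id] = "not relevant to installed product/version"
        elif not p.tested:
            rejected[p.patch_id] = "not yet tested in non-production"
        else:
            approved.append(p.patch_id)
    return approved, rejected


def not_yet_applied(approved, applied_report):
    """Step 3: approved patches the management report does not show as installed."""
    return [pid for pid in approved if pid not in applied_report]


# Constructed sample data; GOOD_SHA stands in for the hash the vendor would publish.
good_payload = b"hypothetical vendor patch bytes"
GOOD_SHA = hashlib.sha256(good_payload).hexdigest()
SAMPLE_INVENTORY = {"WidgetServer": "2.1"}
SAMPLE_PATCHES = [
    Patch("P-001", "WidgetServer", ("2.1",), good_payload, GOOD_SHA, tested=True),
    Patch("P-002", "WidgetServer", ("2.1",), b"altered bytes", GOOD_SHA, tested=True),
    Patch("P-003", "WidgetServer", ("1.9",), good_payload, GOOD_SHA, tested=True),
    Patch("P-004", "WidgetServer", ("2.1",), good_payload, GOOD_SHA, tested=False),
]
```

Running `plan_deployment(SAMPLE_PATCHES, SAMPLE_INVENTORY)` approves only P-001 and reports why each of the other three was held back.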


The typical user is not doing these things.  If you want your organization’s computers to be secure, patch management needs to be implemented in a way that takes care of every system on the network.  Typically, patch management is an automated process.  Utilize a server that can download and then push the approved patches out to every system on the network.  The patches should not be approved for deployment until they are tested in a non-production environment.  Following these guidelines will give you control over an important aspect of the security of your systems.


Security+ Objective 1.3 Implement OS hardening practices and procedures to achieve workstation and server security – patches

A patch is similar to a hotfix but differs in two main ways.  First, a patch is typically larger than a hotfix.  Second, a patch is less urgent and thus more thoroughly tested than a hotfix.  A vendor patch may be released to fix a single security issue that has been discovered in the vendor’s software.  If a system is missing many vendor patches, it probably has many security vulnerabilities that can be exploited.

Another important note regarding patches concerns virtualization.  Each virtual computer and the virtual host machine must all be patched individually.

You should also know that, despite vendor testing, patches are installed into innumerable different environments.  The vendor can’t possibly test absolutely every situation that could be encountered out in the wild.  Before you install a patch in your production environment, you should test it to verify that it doesn’t cause application errors on your systems.

Hotfixes and service packs each have their own unique features that differentiate them from patches.  Make sure you know the difference.


Security+ Objective 1.3 Implement OS hardening practices and procedures to achieve workstation and server security – Service Packs

A service pack is a collection of patches or fixes that are released by a vendor as a single installable package.  Security fixes are almost always included.  These are vendor tested patches released as a bundle, which saves you from having to install multiple patches individually.  Once the service pack is installed, you only have to install the patches that are created after the service pack’s release. 

Hotfixes and patches each have their own unique features that differentiate them from service packs.  Make sure you know the difference.
