COTS Security Guidance (CSG--10\S) -- Summary Of Overview Of Operating System Security Features

Published date: August 2009

Foreword

The Summary of Secure use of Operating System (CSG-10\S) is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment Canada (CSEC).

Suggestions for amendments should be forwarded through departmental communications security channels to your Client Services Representative at CSEC.

For further information, please contact CSEC's ITS Client Services area by e-mail at itsclientservices@cse-cst.gc.ca or call 613-991-7654.

Effective Date

This publication takes effect on 08/28/2009.

Carey Frey
Director, IT Security Program

© Government of Canada, Communications Security Establishment Canada 2009.

It is not permissible to make copies or extracts from this publication without the written consent of CSEC.

Annex A – Summary of Recommendations

The table has two columns, Mitigation and Policy; each is reproduced here as its own list.

Mitigation
  • Include the desktop OS in security planning and implementation
  • Disable all unnecessary features
  • Change default passwords
  • Allow only the necessary traffic between the device and a minimum set of trusted addresses
  • Require that all IT devices be certified before connection to any network
  • Encrypt data communications
  • Log all activities extensively
  • Prevent tampering with audit logs
  • Employ strong user I&A (e.g., two-factor)
  • Apply least privileges to users
  • Apply the latest software updates and security patches
  • Establish thorough change management and auditing programs
  • Use SNMPv3 for centralized management
  • Protect the devices physically
  • Require that anyone accessing the device be identified and authorized

Policy
  • Include the desktop OS in the IT security program and contingency planning
  • The IT department is responsible for the protection and maintenance
  • Require that there be no unauthorized access
  • Require authentication for all activities
  • Define an acceptable use policy and make users aware of it through training
  • Enforce least privileges
  • Require periodic security audits
  • Require security certification before allowing a desktop OS on the network
  • Prohibit the unauthorized copying of sensitive documents
  • Prohibit unauthorized external access
  • Require extensive logging of all activities on network devices
  • Require anti-virus and software updating for all networked devices
  • Prohibit unauthorized network sniffing
  • Require that IT technology be selected for appropriate security

Annex B – Security Services Vulnerabilities, Threats and Risks

Table 1 below identifies the vulnerabilities, threats and risks associated with the LINUX OS.

Table 1: LINUX Security Services Vulnerabilities, Threats and Risks

Columns: Security Service | Vulnerabilities | Threats | Risks

Security Service: Identification and Authentication
Vulnerability: Account/authentication configuration using weak encryption and lack of separation between user names and associated passwords.
Threats:
  • Hackers can decrypt the weak encryption to gain access to passwords.
  • Hackers or malicious users can access passwords for user accounts from the file.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information.

Security Service: Identification and Authentication
Vulnerability: Lack of hardening of GRUB/LILO:
  • GRUB password same as the 'root' password.
  • GRUB stores the password in clear text.
Threat: Hacker exploitation through weak passwords to gain access to the workstation and/or network.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information.

Security Service: Authorization
Vulnerability: Weak file system security contributes to:
  • Unrestricted access to administration utilities;
  • Default SUID and SGID permissions on executable files;
  • Compiler packages not removed from desktops that are not used for software development.
Threat: Hacker exploitation of workstation and/or network services.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Authorization
Vulnerability: Weak file/print security, contributed to by:
  • WuFTPd and anonymous file serving capabilities[1];
  • Transient and at-boot file access from external devices'/desktops' IP addresses;
  • SAMBA security in network shares;
  • SCP and SFTP services running on desktops[2].
Threat: Hacker exploitation of workstation and/or network services.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerability: Firewall installation with default/insufficient parameters contributes to an overall weakness that can compromise the confidentiality, integrity and availability of the workstation and its information assets.
Threat: Hacker compromises the workstation through weak firewall settings.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerability: No restriction on remote 'root' login.
Threat: Hacker compromises the workstation through remote login.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerabilities:
  • CTRL-ALT-Delete[3];
  • Running with the default configuration can expose the desktops to vulnerabilities that circumvent the DAC.
Threat: Hacker compromises the workstation through known vulnerabilities in default settings.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerability: Weak or no password used to protect single-user mode.
Threat: Hacker compromises the workstation through known vulnerabilities in default settings.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerability: Open system accounts: accounts used for system services and/or daemons are allowed to log in interactively.
Threat: Hacker compromises the workstation through known vulnerabilities in default settings.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerability: TCP Wrapper running with the default configuration and accessible to all users.
Threat: Hacker compromises the workstation through known vulnerabilities in default service settings.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerability: Scheduler security: Xinetd enabled, which can result in threats originating from telnet, rlogin, wu-ftpd or tftp.
Threat: Hacker compromises the workstation through known vulnerabilities in default service settings.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Access Control
Vulnerability: Weakness in web security configuration:
  • Lack of restrictions on cron and at access can be exploited by threat agents to gain unauthorized access;
  • All web modules are installed;
  • Running with the default main configuration file;
  • Default permissions on files in the document root.
Threat: Hacker compromises the workstation through known vulnerabilities in default web service settings.
Risks:
  • Unauthorized access;
  • Loss or disclosure of information;
  • Malware/worm infection.

Security Service: Confidentiality
Vulnerability: Accounts created without password protection (empty password) facilitate access to the operating system.
Threat: External threat agents can gain easy access to information and resources through empty passwords on default accounts.
Risks:
  • Unauthorized access;
  • Disclosure or loss of information;
  • Malicious code;
  • Data leakage;
  • Network exploitation to disclose data traversing the network.

Security Service: Confidentiality
Vulnerability: Weak password policy governing user account limits, and lengthy password age.
Threat: External threat agents can use 'brute force' type attacks to break in and gain access to the system.
Risks:
  • Unauthorized access;
  • Disclosure or loss of information;
  • Malicious code;
  • Data leakage;
  • Network exploitation to disclose data traversing the network.

Security Service: Confidentiality
Vulnerability: Sendmail daemon mode enabled, which may be used to propagate malware and spam.
Threat: A hacker may compromise system security to use the Sendmail daemon to disclose data or propagate malicious code.
Risks:
  • Unauthorized access;
  • Disclosure or loss of information;
  • Malicious code;
  • Data leakage;
  • Network exploitation to disclose data traversing the network.

Security Service: Confidentiality
Vulnerability: Weak DNS security:
  • No caching restrictions, exposing the network space through sniffing type attacks;
  • Lack of zoning can expose the entire network segment to network-based attacks.
Threat: Network exploitation by a hacker sniffing the network for vulnerabilities.
Risks:
  • Unauthorized access;
  • Disclosure or loss of information;
  • Malicious code;
  • Data leakage;
  • Network exploitation to disclose data traversing the network.

Security Service: Integrity
Vulnerability: Disabling the automated updates service increases the risk of compromise through OS weaknesses.
Threat: Desktops not configured to use automatic updates via the 'up2date' service will leave the environment vulnerable to unmitigated known security holes, which hackers can exploit to compromise systems.
Risks:
  • Unauthorized access;
  • Malfunction or operation errors.

Security Service: Availability
Vulnerability: Partitioning: lack of strict permissions on partitioned-off directories.
Threat: Likely to result in DoS type attacks.
Risks:
  • Lack of availability;
  • Malfunction or operation errors;
  • Unauthorized access;
  • Unauthorized disclosure.

Security Service: Availability
Vulnerability: Lack of hardening of startup services exposes the environment to threats exploiting unwanted services.
Threat: Hacker compromises the workstation through known vulnerabilities in enabled startup services.
Risks:
  • Lack of availability;
  • Malfunction or operation errors;
  • Unauthorized access;
  • Unauthorized disclosure.

Security Service: Accountability
Vulnerability: Accounts have empty passwords.
Threat: External threat agents can gain easy access to information and resources through empty passwords on default accounts.
Risk: Unauthorized access.

Security Service: Accountability
Vulnerability: Default logging results in insufficient information and event audit.
Threat: Malicious activity may go undetected for a prolonged period.
Risk: Unauthorized access.

Security Service: Non-Repudiation
Vulnerability: Unnecessary accounts resident on the workstation are prone to compromise through brute force.
Threat: Unnecessary user accounts and groups used by threat agents to gain access.
Risks:
  • Unauthorized access;
  • Loss of sensitive information.

Security Service: Non-Repudiation
Vulnerability: Audit and logging information lacks accurate time.
Threat: No synchronization of the system clock with your department's trusted time source(s) can result in operational errors and auditing issues.
Risks:
  • Operational errors;
  • Malfunctioning of the systems.

Table 2 below identifies the vulnerabilities, threats and risks associated with Mac OS.

Table 2: Mac OS Security Services Vulnerabilities, Threats and Risks

Columns: Security Service | Vulnerabilities | Threat | Risks

Security Service: Identification and Authentication
Vulnerability: Password reset using bootable Mac OS X CD media.
Threat: Unauthorized access through the reset password.
Risks:
  • Unauthorized access;
  • Malware infection;
  • Security information exposed.

Security Service: Identification and Authentication
Vulnerability: Use of 'guest' accounts to access other users' files or install cron jobs.
Threat: Malware type infection attacks via cron jobs.
Risks:
  • Unauthorized access;
  • Malware infection;
  • Security information exposed.

Security Service: Identification and Authentication
Vulnerability: 'Single User Mode (SUM)' circumvents DAC.
Threat: 'root[4]' level access imparted without authentication.
Risks:
  • Unauthorized access;
  • Malware infection;
  • Security information exposed.

Security Service: Identification and Authentication
Vulnerability: 'Automatically Log In' is enabled on startup.
Threat: Access to Mac OS X without any I&A challenge-response validation.
Risks:
  • Unauthorized access;
  • Malware infection;
  • Security information exposed.

Security Service: Identification and Authentication
Vulnerability: Using 'ypcat password' or 'nidump passwd' type exploits in an NIS domain.
Threat: Access to user accounts and passwords.
Risks:
  • Unauthorized access;
  • Malware infection;
  • Security information exposed.

Security Service: Identification and Authentication
Vulnerability: Weak password policy.
Threat: Facilitates hackers' ability to compromise the system through weak passwords on user accounts.
Risks:
  • Unauthorized access;
  • Malware infection;
  • Security information exposed.

Security Service: Authorization
Vulnerability: DAC circumvented when Mac OS X is booted in SUM.
Threat: Unauthorized access to gain 'root' level access.
Risk: Unauthorized access.

Security Service: Authorization
Vulnerability: 'root' user enabled.
Threat: Unauthorized access gained and privileges elevated by threat agents.
Risk: Unauthorized access.

Security Service: Authorization
Vulnerability: The initial account used to administer the system, as well as any accounts created prior to changing the umask, allows all users read access to the files in their home folders, public, sites and drop folders.
Threat: Unauthorized access gained and privileges elevated by threat agents.
Risk: Unauthorized access.

Security Service: Authorization
Vulnerability: Use of remote management[5] allowed for all users to control Mac OS X using Apple's remote management application. This feature is similar in some ways to the screen sharing function, but with the added ability to control the Mac.
Threat: Unauthorized access gained and privileges elevated by threat agents.
Risk: Unauthorized access.

Security Service: Access Control
Vulnerability: All default user accounts are administrative accounts.
Threat: Unauthorized access to information and resources.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Failure to disable the root user facilitates extraction of sensitive information from a NetInfo directory.
Threat: Unauthorized access to executables.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Case-insensitive nature of HFS+, with respect to security consequences resulting from dependencies built into application code.
Threat: Unauthorized access to executables.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Improper set-UID bit (SUID) or set-GID bit (SGID) on executables.
Threat: Unauthorized access to executables through group membership.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Lack of firmware password protection results in:
  • Ability to use the "C" key to start up from an optical disc.
  • Ability to use the "N" key to start up from a NetBoot server.
  • Ability to use the "T" key to start up in Target Disk Mode (on computers that offer this feature).
  • Ability to start up in Verbose mode by pressing the Command-V key combination during startup.
  • Ability to start up a system in Single-user mode by pressing the Command-S key combination during startup.
  • Reset of Parameter RAM (PRAM) by pressing the Command-Option-P-R key combination during startup.
  • Use of the Startup Manager, accessed by pressing the Option key during startup.
  • Entering commands after starting up in OF, which is done by pressing the Command-Option-O-F key combination during startup.
  • Ability to start up in Safe Boot mode by pressing the Shift key during startup.
Threat: Unauthorized access can be gained by threat agents using the vulnerabilities related to the firmware password.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Default system-wide security setting enforcement.
Threat: Unauthorized access can be gained by threat agents using the vulnerabilities related to the firmware password.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Using the default configuration, which displays a list of usernames at the console login prompt.
Threat: Unauthorized access can be gained by threat agents using the vulnerabilities related to the firmware password.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Using password hints to help users recover their forgotten passwords.
Threat: Unauthorized access can be gained by threat agents using the vulnerabilities related to the firmware password.
Risks:
  • Unauthorized operation;
  • Misconfiguration leading to unauthorized access;
  • Loss of sensitive information.

Security Service: Access Control
Vulnerability: Displaying restart, sleep and shutdown buttons on the login window.
Threat: Unauthorized access resulting from social engineering type exploits.
Risk: Unauthorized access to information and services.

Security Service: Access Control
Vulnerability: No screensaver activation after a short period of inactivity, and/or no password required to unlock the workstation.
Threat: Unauthorized access resulting from social engineering type exploits.
Risk: Unauthorized access to information and services.

Security Service: Confidentiality
Vulnerability: NetInfo filesystem running under default settings.
Threat: Unauthorized access to any directory information from the NetInfo domain the Mac OS X client is bound to.
Risks:
  • Unauthorized data access;
  • Unauthorized information disclosure.

Security Service: Confidentiality
Vulnerability: Users allowed to use Back to My Mac (BTMM) to connect to their machine from any other Mac Leopard based server over the Internet.
Threat: Unauthorized access to any directory information from the NetInfo domain the Mac OS X client is bound to.
Risks:
  • Unauthorized data access;
  • Unauthorized information disclosure.

Security Service: Integrity
Vulnerability: 'Target Disk Mode' means DAC can be circumvented on an HFS+ volume by booting from a device other than the default boot device.
Threat: Allows root-level access to HFS+ volumes.
Risk: Unauthorized information loss and disclosure.

Security Service: Integrity
Vulnerability: Absence of, or improperly configured, anti-virus and/or malware prevention software installed on the Mac OS desktop.
Threat: Hackers can use this vulnerability to gain unauthorized access to sensitive information or initiate DoS type attacks.
Risk: Unauthorized information loss and disclosure.

Security Service: Availability
Vulnerability: Apache server installed on HFS+ volumes can be vulnerable to the case-insensitive nature of HFS+.
Threat: Unauthorized access may result in malfunction through configuration changes.
Risk: Misconfiguration leading to unavailability.

Security Service: Availability
Vulnerability: Using default settings without disabling unused network interfaces such as the AirPort wireless interface.
Threat: Unauthorized access may result in malfunction through configuration changes.
Risk: Misconfiguration leading to unavailability.

Security Service: Availability
Vulnerability: Weakness in the firewall settings leads to compromise of the confidentiality, integrity and availability of the workstation and its information assets.
Threat: Unauthorized access may result in malfunction through configuration changes.
Risk: Misconfiguration leading to unavailability.

Security Service: Availability
Vulnerability: Enabling share and control for remote desktops through VNC.
Threat: Unauthorized access may result in malfunction through configuration changes.
Risk: Misconfiguration leading to unavailability.

Security Service: Availability
Vulnerability: Using Bonjour (formerly known as Rendezvous), Apple's implementation of the ZeroConf protocol. It uses network broadcasts to advertise system services on the local subnet, such as printers, iTunes, iChat, SSH and FTP.
Threat: Unauthorized access may result in malfunction through configuration changes.
Risk: Misconfiguration leading to unavailability.

Security Service: Accountability
Vulnerability: Unattended workstations with the system password and screensaver (keychain) disabled facilitate compromise of system confidentiality, integrity and/or availability.
Threat: Unauthorized access gained through open shells or windows by threat agents using social engineering techniques.
Risk: Loss of sensitive information.

Security Service: Accountability
Vulnerability: 'Out-of-box' setting with no login banner at any point of entry to the system.
Threat: Unauthorized operations and access to resources.
Risk: Loss of sensitive information.

Security Service: Accountability
Vulnerability: System logging and auditing configuration left at defaults limits the capability for adequate logging and incident management.
Threat: Host exploitation.
Risk: Inadequate logging and audit data required to conduct a thorough forensic investigation.

Security Service: Non-Repudiation
Vulnerability: Using 'ypcat password' or 'nidump passwd' type exploits in an NIS domain.
Threat: Access to user accounts and password information.
Risk: Impermissible as legal and complete evidence during a forensic investigation.

Security Service: Non-Repudiation
Vulnerability: 'Network time' is not a default startup service.
Threat: Audit and logging information lacks accurate time.
Risk: Impermissible as legal and complete evidence during a forensic investigation.

Security Service: Non-Repudiation
Vulnerability: Using the default keychain functionality allows users and applications to store and access authentication details in one place, including private authentication credentials. The password for this keychain is the same as the login password, and the keychain is automatically unlocked when a user logs in and locked again upon logout.
Threat: Audit and logging information lacks accurate time.
Risk: Impermissible as legal and complete evidence during a forensic investigation.

Table 3 below identifies the vulnerabilities, threats and risks associated with the WINDOWS OS.

Table 3: WINDOWS Security Services Vulnerabilities, Threats and Risks

Columns: Security Service | Vulnerabilities | Threats | Risks

Security Service: Identification and Authentication
Vulnerability: Weak/non-existent account policies, including for local accounts, as WINDOWS by default has a 'blank or null' password on the local administrator account.
Threats:
  • Weak passwords will expose the entire network to threats related to unauthorized access;
  • Intruders can access the cached credentials.
Risks:
  • Malfunctioning;
  • Information loss or disclosure.

Security Service: Identification and Authentication
Vulnerability: Use of LANMAN password encryption.
Threats:
  • Weak passwords will expose the entire network to threats related to unauthorized access;
  • Intruders can access the cached credentials.
Risks:
  • Malfunctioning;
  • Information loss or disclosure.

Security Service: Identification and Authentication
Vulnerability: Storing logon credentials in the cache.
Threats:
  • Weak passwords will expose the entire network to threats related to unauthorized access;
  • Intruders can access the cached credentials.
Risks:
  • Malfunctioning;
  • Information loss or disclosure.

Security Service: Authorization
Vulnerability: Lack of review and hardening of the minimum privileges required by users and local administrators.
Threat: More privileges than required will lead to security issues related to compromised user or local administrator accounts.
Risks:
  • Unauthorized access;
  • Desktop malfunction.

Security Service: Access Control
Vulnerability: Allowing null sessions (commonly referred to as 'Red Button'), which core functions such as Windows Explorer use because anonymous connections are required to enumerate shares.
Threat: Leads to unauthorized access to information and resources such as usernames, groups, administrators, password change dates, account policy, trust relationships and lockout policy.
Risks:
  • Information disclosure;
  • Desktop malfunctioning.

Security Service: Access Control
Vulnerability: Weak/non-existent lockout policies, including remote lockout of administrator accounts.
Threat: Unauthorized access using a "brute force" technique to gain access to information and resources.
Risks:
  • Information disclosure;
  • Desktop malfunctioning.

Security Service: Access Control
Vulnerability: Using the default account named 'Administrator'.
Threat: The default administrator account does not have any lockout enforced, making it an easy target for 'brute force' type attacks.
Risks:
  • Information disclosure;
  • Desktop malfunctioning.

Security Service: Access Control
Vulnerability: Default file and network access applied to anonymous users.
Threat: The default administrator account does not have any lockout enforced, making it an easy target for 'brute force' type attacks.
Risks:
  • Information disclosure;
  • Desktop malfunctioning.

Security Service: Access Control
Vulnerability: Unrestricted DCOM access.
Threat: Unauthorized users can change the security settings in the registry keys for DCOM objects to launch applications/malware.
Risks:
  • Information disclosure;
  • Desktop malfunctioning.

Security Service: Access Control
Vulnerability: Using default settings for the 'recycle bin'.
Threat: Unauthorized users can access deleted files from the 'recycle bin'.
Risks:
  • Information disclosure;
  • Desktop malfunctioning.

Security Service: Confidentiality
Vulnerability: Weak/non-existent account policies, including for local accounts, as WINDOWS by default has a 'blank or null' password on the local administrator account.
Threat: Weak passwords will expose the entire network to threats related to unauthorized access.
Risks:
  • Malfunctioning;
  • Information loss or disclosure.

Security Service: Confidentiality
Vulnerability: Using the 'Temp Folder' for terminal services.
Threat: A common folder used during terminal services sessions will allow unauthorized disclosure of data files located in the shared location.
Risks:
  • Malfunctioning;
  • Information loss or disclosure.

Security Service: Confidentiality
Vulnerability: Temporary folders are not cleaned on exit.
Threat: Data files left in temporary folders can be used by hackers to access sensitive information.
Risks:
  • Malfunctioning;
  • Information loss or disclosure.

Security Service: Integrity
Vulnerability: Lack of anti-virus and malware protection on all desktops, and/or inconsistent use of updated definition files for both.
Threat: Publicly known vulnerabilities can be exploited by external threat agents to gain unauthorized access.
Risks:
  • Information disclosure or loss;
  • Malfunctioning or operating errors.

Security Service: Integrity
Vulnerability: Windows Messenger active on the desktop.
Threat: Most anti-virus software does not scan Windows Messenger messages or files, so it can be exploited by hackers to launch DoS or malware infection attacks.
Risk: Loss of availability.

Security Service: Integrity
Vulnerability: Automatic downloads and updates allowed for media players.
Threat: Infected code and other media files downloaded from the Internet will result in platform consistency issues.
Risk: Loss of availability.

Security Service: Integrity
Vulnerability: Running Internet Explorer with the following weak policy settings:
  • Disable "Security Zones: use only machine settings"
  • Disable "Security Zones: Do not allow users to change policies"
  • Disable "Security Zones: Do not allow users to add/delete sites"
  • Disable "Make proxy settings per-machine"
  • Disable "Disable Automatic Install of Internet Explorer components"
  • Disable "Disable Periodic Check for Internet Explorer software updates"
  • Enable "Disable software update shell notifications on program launch"
Threat: Infected updates can be used by hackers to compromise the desktop OS integrity, exposing the sensitive information on the network.
Risks:
  • Unauthorized disclosure;
  • Loss of availability;
  • Malfunction or operation error.

Security Service: Availability
Vulnerability: Lack of implementation of service packs.
Threat: Hackers/disgruntled employees can use this vulnerability to launch a DoS attack.
Risk: Loss of availability.

Security Service: Availability
Vulnerability: Unlimited connections allowed to the terminal server.
Threat: Hackers/disgruntled employees can use this vulnerability to launch a DoS attack.
Risk: Loss of availability.

Security Service: Accountability
Vulnerability: Desktop rollout with auditing switched off or with minimum auditing.
Threat: Unauthorized access attempts will not be visible during the regular system security audits.
Risks:
  • Unauthorized access to information;
  • Loss of information;
  • Malfunctioning or operating errors.

Security Service: Non-Repudiation
Vulnerability: Inadequate security of audit logs.
Threat: Insufficient logging and audit data can work to threat agents' advantage, as it minimizes the chances of them being tracked.
Risk: Impermissible as legal and complete evidence during a forensic investigation.

Annex C – Security Features Checklist for Operating Systems

Table 4 below lists, the recommended security features to mitigate the threats associated with LINUX OS.

Table 4: Security Recommendations – LINUX

Security Category Securing Guidelines Recommendation Description Threats Mitigated
Identification and Authentication Account/Authentication Configuration
  • Choose SHA encryption on passwords.
  • Maintain a shadow file to keep passwords in a separate file from user names.
Unauthorized access to sensitive security information
Identification and Authentication User Account Security Recommended Password Aging settings in '/etc/login.defs' are
  • PASS_MAX_DAYS 90
  • PASS_MIN_DAYS 2
Unauthorized access to sensitive security information
Identification and Authentication Harden the GRUB/LILO
  • Choose a GRUB password different from 'root' password.
  • GRUB stores the password in clear text. Modify '/etc/grub.conf' file with SHA password hash value created using 'grub–md5–crypt'.
Unauthorized access to sensitive security information
Authorization File System Security
  • Restrict access to administration utilities by removing read, write and execute privileges for users that do not own the files or belong to group the owns the files
  • Remove SUID and SGID permissions from executable files that do not require it
  • Remove compiler packages from desktops not used for software development
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure
Authorization File/Print Security Disable WuFTPd tied to User File Transfer and Anonymous File Serving capabilities[6]
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure
Authorization File/Print Security NFS Client Security for Transient and At–Boot File through configuration setting that include the trusted internal devices/desktops IP address in the '/etc/hosts.allow'.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure
Authorization File/Print Security SAMBA Security with respect to the requirement to run 'netfs' service on the desktop should be carefully evaluated as it extends the network share to the users of desktop.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure
Authorization File/Print Security It is recommended that SCP and SFTP services be disabled on desktops[7].
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure
Access Control Firewall Configuration Choose 'Medium' option for firewall configuration to restrict access to
  • services that utilize ports lower than 1023,
  • NFS server port (2049),
  • local X Windows system display for remote X clients, and
  • X–font server port.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Disallow Remote Root Login Edit '/etc/secuetty' to restrict 'root' login to the local console.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Disable CTRL–ALT–Delete[8] Edit '/etc/inittab' to comment out the following line: 'ca:ctrlaltdel:/sbin/shutdown t3 r now'
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Password Protect Single–user Mode Password Protect Single–user mode is used for system maintenance and hence provides root level access. It is recommended that this mode be password protected at all times.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Locking System Accounts Accounts used for system services and/or daemon should never be allowed to login interactively.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Configure access to any enabled services TCP Wrapper should be configured to deny everything except what is explicitly allowed.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Scheduler Security Xinetd should be disabled or removed unless telnet, rlogin, wu–ftpd or tftp is required to specifically support a business function on the desktop.
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Scheduler Security
  • Restricting cron and at access through cron.access and at.access file updates.
  • Ensure that scripts/program being executed through cron have adequate permissions
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Web Security Ensure Only necessary Modules are installed
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Web Security Harden the Main Configuration File
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Web Security Check Permission on Files in the Document Root
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Access Control Web Security Encrypt Sensitive Traffic using HTTPS
  • Hackers/ Unauthorized users from gaining access to sensitive information;
  • Unauthorized Information
  • Disclosure Malware infection
Confidentiality Verify no accounts have empty passwords Search the '/etc/shadow' file for a blank second field; all accounts listed should be locked or deleted.
  • Unauthorized Information Disclosure;
  • Spammers;
  • Network threats
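The two account checks above (service accounts that must not log in interactively, and the search of '/etc/shadow' for a blank second field) as an added shell example; it is not part of CSG-10\S or any vendor tool. It assumes Red Hat-style conventions (system accounts below UID 500, the nologin shells listed) and runs against a constructed passwd/shadow pair embedded in the script; on a live host the functions are given /etc/passwd and /etc/shadow and run as root.

```shell
#!/bin/sh
# Added example (not from the CSEC guidance): audit a passwd/shadow pair for
# (a) system/service accounts that still have an interactive login shell and
# (b) accounts whose password field is empty. The functions take file paths,
# so they can run against staged copies; on a live host run them as root on
# /etc/passwd and /etc/shadow. The sample data below is constructed.

# Shells that refuse interactive login. The list is an assumption; extend it
# for the shells present on your distribution.
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false'

# Print accounts with UID below 500 (the Red Hat-era system account range,
# assumed here; root is excluded) whose shell is not a nologin shell.
service_accounts_with_login_shell() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 != 0 && $3 < 500 && !($7 in ok) { print $1 }
    ' "$1"
}

# Print accounts whose second (password hash) field in shadow is empty.
accounts_with_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Emit the lock commands for review instead of running them; "passwd -l"
# prefixes the stored hash with "!" so the account cannot authenticate.
lock_commands() {
    for user in "$@"; do
        printf 'passwd -l %s\n' "$user"
    done
}

# --- constructed sample input, not taken from any real host ---
SAMPLE_DIR=${TMPDIR:-/tmp}/acct-audit.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/bash
backup:x:105:105:backup service:/var/backups:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$constructed$notarealhashvalue00000:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
apache:!!:14000:0:99999:7:::
backup::14000:0:99999:7:::
alice:$1$constructed$notarealhashvalue00000:14000:0:99999:7:::
guest::14000:0:99999:7:::
EOF

echo "Service accounts with an interactive shell (give them /sbin/nologin):"
service_accounts_with_login_shell "$SAMPLE_DIR/passwd"
echo "Accounts with an empty password field (lock or delete):"
accounts_with_empty_password "$SAMPLE_DIR/shadow"
echo "Proposed lock commands:"
lock_commands $(accounts_with_empty_password "$SAMPLE_DIR/shadow")
```

The lock commands are printed rather than executed so that the list can be reviewed before any account is changed; an account such as "apache" in the sample is a service account that should instead have its shell set to a nologin shell.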
Confidentiality Miscellaneous Account Limits Using Pluggable Authentication Modules (PAM), enforce the following controls on user accounts:
  • System resources limits[9] ('/etc/security/limits.conf')
  • Authorized login origination ('/etc/security/access.conf')
  • Regulating login time ('/etc/security/time.conf')
  • Unauthorized Information Disclosure;
  • Spammers;
  • Network threats
Confidentiality Disable Sendmail Daemon Mode It is recommended that the Sendmail daemon be disabled on all desktops by configuring '/etc/sysconfig/sendmail' to include DAEMON=no.
  • Unauthorized Information Disclosure;
  • Spammers;
  • Network threats
Confidentiality DNS Security Caching–only Nameserver
  • Unauthorized Information Disclosure;
  • Spammers;
  • Network threats
Confidentiality DNS Security Zone Hosting Service
  • Unauthorized Information Disclosure;
  • Spammers;
  • Network threats
Integrity Applying Updates and Patches It is recommended that all desktops be configured to use automatic updates via the 'up2date' service. This service should be included in the startup services list. Desktop Malfunction
Availability Partitioning Partition off directories that are most likely to be filled up by an attacker, such as /var and /home.
  • Denial of Service attacks
  • Desktop Misconfiguration;
  • Desktop malfunction leading to unauthorized disclosure
Availability Identify Services that should be started The minimal set of services started at boot should include the following:
  • keytable
  • syslog
  • network
  • random
  • crond
  • anacron
  • iptables
  • ntpd
Other services should be reviewed for applicability before inclusion in the startup list.
  • Denial of Service attacks
  • Desktop Misconfiguration;
  • Desktop malfunction leading to unauthorized disclosure
Accountability Verify No Accounts Have Empty Passwords Search the '/etc/shadow' file for a blank second field; all accounts listed should be locked or deleted. Hackers
Accountability Logging
  • Configure the 'syslogd' service to start automatically on boot
  • Configure 'syslogd' to send a copy of log messages to a remote syslog server
  • Configure the 'logrotate' daemon to run with the following secure settings:
    • monthly,
    • rotate 12, and
    • compress.
  • Configure 'logwatch' to send a copy of alert log messages via e-mail
Hackers
Non–Repudiation Purging Unnecessary Accounts Remove all unnecessary user accounts and groups. Hackers and unauthorized users
Non–Repudiation Logging Configure 'ntpd' to synchronize the system clock with your department's trusted time source(s). Hackers and unauthorized users
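Several rows of the Linux table above (TCP Wrapper default deny, cron and at restriction, sendmail DAEMON=no, the logrotate settings, remote syslog forwarding, the ntpd time source, PAM resource limits and the minimal startup service list) reduce to checks on a handful of configuration files. The following shell script is an added example, not part of CSG-10\S, that performs those checks. It assumes Red Hat-style file locations (the guidance names cron.access and at.access; the files checked here are cron.allow and at.allow) and, by default, inspects a constructed staging tree so that it runs offline; setting ROOT=/ audits the live host.

```shell
#!/bin/sh
# Added example (not from the CSEC guidance): configuration checks for the
# Linux desktop rows above. ROOT is the tree to inspect; it defaults to a
# constructed staging tree so the script runs offline, and ROOT=/ audits the
# live host. File names follow Red Hat-style layouts (an assumption).

# Services the table permits at startup (checked at runlevel 5, the desktop).
APPROVED_SERVICES='keytable syslog network random crond anacron iptables ntpd'

# check_file_has LABEL FILE REGEX: PASS/FAIL line plus 0/1 return value.
check_file_has() {
    if [ -f "$2" ] && grep -Eq "$3" "$2"; then
        printf 'PASS  %s\n' "$1"; return 0
    fi
    printf 'FAIL  %s (%s)\n' "$1" "$2"; return 1
}

check_tcp_wrappers() {
    check_file_has 'hosts.deny denies everything not explicitly allowed' \
        "$ROOT/etc/hosts.deny" '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}
check_cron_at_allow() {
    if [ -f "$ROOT/etc/cron.allow" ] && [ -f "$ROOT/etc/at.allow" ]; then
        printf 'PASS  cron and at restricted to listed users\n'; return 0
    fi
    printf 'FAIL  cron.allow or at.allow missing\n'; return 1
}
check_sendmail_daemon() {
    check_file_has 'sendmail daemon mode disabled' "$ROOT/etc/sysconfig/sendmail" '^DAEMON=no'
}
check_logrotate() {
    f=$ROOT/etc/logrotate.conf; rc=0
    check_file_has 'logrotate: monthly'   "$f" '^monthly'   || rc=1
    check_file_has 'logrotate: rotate 12' "$f" '^rotate 12' || rc=1
    check_file_has 'logrotate: compress'  "$f" '^compress'  || rc=1
    return $rc
}
check_remote_syslog() {
    # An uncommented selector line whose action is "@host" forwards to a remote server.
    check_file_has 'syslog forwards to a remote server' "$ROOT/etc/syslog.conf" \
        '^[^#[:space:]].*[[:space:]]@[[:alnum:].-]+'
}
check_ntpd_source() {
    # 127.127.x.x "servers" are ntpd's local reference clocks, not a trusted source.
    f=$ROOT/etc/ntp.conf
    if [ -f "$f" ] && awk '$1 == "server" && $2 !~ /^127\.127\./ { found = 1 } END { exit !found }' "$f"; then
        printf 'PASS  ntpd has a non-local time source\n'; return 0
    fi
    printf 'FAIL  ntpd has a non-local time source (%s)\n' "$f"; return 1
}
check_pam_limits() {
    # Footnote [9]: development desktops should get soft rather than hard limits.
    check_file_has 'PAM resource limits defined' "$ROOT/etc/security/limits.conf" \
        '^[^#].*(soft|hard)[[:space:]]+(nproc|maxlogins|fsize|core)'
}
# Reads "chkconfig --list" output on stdin and prints services enabled at
# runlevel 5 that are not in APPROVED_SERVICES.
unapproved_startup_services() {
    awk -v approved="$APPROVED_SERVICES" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 7 && $7 == "5:on" && !($1 in ok) { print $1 }'
}
run_all() {
    failures=0
    for c in check_tcp_wrappers check_cron_at_allow check_sendmail_daemon \
             check_logrotate check_remote_syslog check_ntpd_source check_pam_limits; do
        $c || failures=$((failures + 1))
    done
    return $failures
}

# --- constructed staging tree (used when ROOT is unset); two rows drift on purpose ---
ROOT=${ROOT:-${TMPDIR:-/tmp}/linux-audit.$$}
if [ ! -d "$ROOT/etc" ]; then
    mkdir -p "$ROOT/etc/sysconfig" "$ROOT/etc/security"
    printf 'ALL: ALL\n' > "$ROOT/etc/hosts.deny"
    : > "$ROOT/etc/cron.allow"; : > "$ROOT/etc/at.allow"
    printf 'DAEMON=yes\n' > "$ROOT/etc/sysconfig/sendmail"             # non-compliant
    printf 'weekly\nrotate 4\ncompress\n' > "$ROOT/etc/logrotate.conf"  # non-compliant
    printf '*.info;mail.none\t/var/log/messages\n*.*\t@loghost.example\n' > "$ROOT/etc/syslog.conf"
    printf 'server 127.127.1.0\nserver ntp1.example\n' > "$ROOT/etc/ntp.conf"
    printf '# domain type item value\n*\tsoft\tnproc\t200\n' > "$ROOT/etc/security/limits.conf"
fi
run_all; printf 'checks failed: %s\n' "$?"
```

On a real host, pipe `chkconfig --list` into unapproved_startup_services to list services enabled at runlevel 5 beyond the approved set; each check returns a status so the script can be driven from a scheduled job that reports drift.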

Table 5 below lists the recommended security features to mitigate the threats associated with Mac OS X.

Table 5: Security Recommendations Mac OS X

Security Services Security Guidelines Recommended Description Threats Mitigated
Identification and Authentication Strengthen user password and account Develop and strengthen the organisational password policy; adopting the following good practices is recommended:
  • Users cannot reuse the last 3 passwords
  • Passwords must be at least 8 characters in length
  • Passwords must contain at least 1 alphabetic and 1 numeric character.
  • Passwords must be of mixed case and contain at least 1 special character and 1 numeric character; this cannot be enforced and should be achieved through user awareness training.
  • After 3 failed authentication attempts the account is locked out.
Unauthorized access and disclosure of sensitive information.
Identification and Authentication Remove unwanted user accounts Disable the use of 'guest' accounts or use 'Parental Controls' to lock down 'guest' account permissions and access. Unauthorized access and disclosure of sensitive information.
Authorization Disable "root" user where possible The use of the "root" user is strongly discouraged; it is recommended that installations use administrative users and "sudo". Unauthorized access
Authorization Harden DAC associated with owners and groups Review and change permissions so that only owners and groups have read access to the files in their home, public, sites and drop folders. This can be achieved using the default umask and Access Control Lists (ACLs). Unauthorized access
Authorization Enforce strong password on remote management It is strongly recommended that a strong password is set before remote management is enabled; this prevents unauthorised access to the machine. Unauthorized access
Access Control Harden user accounts Review default user account settings to remove all administrative access.
  • Unauthorized access to sensitive information
  • Unauthorized access in environments lacking strict physical access controls
Access Control Enforce Firmware Password Enable Firmware Password[10] for all laptops where strict physical access controls are not possible. Firmware Password protection offers the ability to:
  • Block the ability to use the "C" key to start up from an optical disc.
  • Block the ability to use the "N" key to start up from a NetBoot server.
  • Block the ability to use the "T" key to start up in Target Disk Mode (on computers that offer this feature).
  • Block the ability to start up in Verbose mode by pressing the Command–V key combination during startup.
  • Block the ability to start up a system in Single–user mode by pressing the Command–S key combination during startup.
  • Block a reset of Parameter RAM (PRAM) by pressing the Command–Option–P–R key combination during startup.
  • Require the password to use the Startup Manager, accessed by pressing the Option key during startup.
  • Require the password to enter commands after starting up in Open Firmware (OF), which is done by pressing the Command–Option–O–F key combination during startup.
  • Block the ability to start up in Safe Boot mode by pressing the Shift key during startup.
  • Unauthorized access to sensitive information
  • Unauthorized access in environments lacking strict physical access controls
Access Control Strengthen system–wide security settings It is recommended that the following system–wide security settings be used to enforce a secure working environment:
  • Require a password to wake the computer from sleep/hibernation mode or to unlock the screen saver.
  • Disable automatic login so that a logon screen is always presented.
  • Require the administrator password to unlock any of the System Preferences panes.
  • Log the user out after 15 minutes of inactivity.
  • Make use of secure virtual memory, which prevents information paged out to disk from being read.
  • Disable the infrared remote control receiver, which could otherwise be used to control the system.
  • If you need to remotely connect to your Mac, enable SSH and use the SSH command in the terminal to connect.
  • Unauthorized access to sensitive information
  • Unauthorized access in environments lacking strict physical access controls
Access Control Login Display lockdown and password hints Disable the display of a list of usernames at the console login prompt.
  • Unauthorized access to sensitive information
  • Unauthorized access in environments lacking strict physical access controls
Access Control Login Display lockdown and password hints Disable password hints system–wide.
  • Unauthorized access to sensitive information
  • Unauthorized access in environments lacking strict physical access controls
Access Control Login Display lockdown and password hints Disable restart, sleep and shutdown buttons on the login window.
  • Unauthorized access to sensitive information
  • Unauthorized access in environments lacking strict physical access controls
Access Control Enforce inactivity password Enforce screensaver activation after 15 minutes of inactivity, and require a password to unlock the workstation.
  • Unauthorized access to sensitive information
  • Unauthorized access in environments lacking strict physical access controls
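The login window, password hint, screen saver, secure virtual memory and password policy rows above are each a small number of preference keys on Mac OS X 10.5/10.6. The following shell script is an added example, not part of CSG-10\S or of Apple's tooling, that records those keys as a desired-state list, compares the live values in check mode and writes them in apply mode (APPLY=1). The key names (SHOWFULLNAME, RetriesUntilHint, RestartDisabled, ShutDownDisabled, SleepDisabled, UseEncryptedSwap, idleTime, askForPassword, autoLoginUser) and the pwpolicy syntax are assumed to be those of that release and should be verified on the target build.

```shell
#!/bin/sh
# Added example (not from the CSEC guidance): desired-state list of "defaults"
# settings for the Mac OS X rows above, with a check mode (compares the live
# values, runs as a normal user) and an apply mode (APPLY=1, needs sudo for
# the /Library/Preferences domains). Key names assumed for Mac OS X 10.5/10.6.

# domain|key|type|expected|per-host   (per-host=y means the ByHost domain,
# which "defaults" reaches with -currentHost). Rows contain no spaces.
DESIRED_SETTINGS='
/Library/Preferences/com.apple.loginwindow|SHOWFULLNAME|bool|1|n
/Library/Preferences/com.apple.loginwindow|RetriesUntilHint|int|0|n
/Library/Preferences/com.apple.loginwindow|RestartDisabled|bool|1|n
/Library/Preferences/com.apple.loginwindow|ShutDownDisabled|bool|1|n
/Library/Preferences/com.apple.loginwindow|SleepDisabled|bool|1|n
/Library/Preferences/com.apple.virtualMemory|UseEncryptedSwap|bool|1|n
com.apple.screensaver|idleTime|int|900|y
com.apple.screensaver|askForPassword|int|1|n
'

split_row() {   # split_row ROW -> sets dom key type want host
    dom=${1%%|*}; r=${1#*|}
    key=${r%%|*};  r=${r#*|}
    type=${r%%|*}; r=${r#*|}
    want=${r%%|*}; host=${r#*|}
}

read_setting() {   # read_setting DOMAIN KEY PERHOST -> current value, or <unset>
    if [ "$3" = y ]; then
        defaults -currentHost read "$1" "$2" 2>/dev/null || echo '<unset>'
    else
        defaults read "$1" "$2" 2>/dev/null || echo '<unset>'
    fi
}

check_settings() {   # one line per setting; returns the number of drifted settings
    bad=0
    for row in $DESIRED_SETTINGS; do
        split_row "$row"
        have=$(read_setting "$dom" "$key" "$host")
        if [ "$have" = "$want" ]; then
            printf 'OK     %s %s = %s\n' "$dom" "$key" "$have"
        else
            printf 'DRIFT  %s %s: have %s, want %s\n' "$dom" "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

apply_settings() {
    for row in $DESIRED_SETTINGS; do
        split_row "$row"
        if [ "$host" = y ]; then
            defaults -currentHost write "$dom" "$key" "-$type" "$want"
        else
            defaults write "$dom" "$key" "-$type" "$want"
        fi
    done
    # Automatic login is off when the autoLoginUser key is absent.
    defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true
}

# Global password policy matching the table: history 3, at least 8 characters,
# alphabetic and numeric required, lock out after 3 failed attempts (pwpolicy
# syntax assumed for 10.5/10.6).
apply_password_policy() {
    pwpolicy -n /Local/Default -setglobalpolicy \
        'usingHistory=3 minChars=8 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=3'
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_settings
    apply_password_policy
fi
check_settings; printf 'settings drifted: %s\n' "$?"
```

Check mode is safe to schedule on every workstation and reports each key as OK or DRIFT; the mixed-case and special-character rule from the password policy row is not in the pwpolicy line because, as the table notes, it cannot be enforced and is left to user awareness training.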
Confidentiality Use proper data encryption Enable data encryption using FileVault and Disk Utility on a per–user basis as required to support the business role. Unauthorized data access or modifications
Confidentiality Disable BTMM Disable the use of Back to My Mac (BTMM), which allows users to connect to their machine from any other Mac OS X Leopard based server over the Internet (TCP port 443 and UDP port 4500). Unauthorized data access or modifications
Confidentiality File System and Sharing Security
  • If you do not need to share your Public folder, turn off file sharing altogether. If you need file sharing, be sure that your administrative password is difficult to crack; and
  • Whenever possible, avoid setting file permissions to allow universal write access to folders.
Unauthorized data access or modifications
Integrity Up–to–date antivirus and malware protection Ensure that the OS is running the latest anti–virus and malware detection software.
  • Schedule anti–virus updates and scans at least once a week.
  • Malfunctioning or Operation errors
  • Viruses and Malicious Code
  • Hackers
  • Unauthorized Access
Integrity Secure install partition Use a UFS volume for all installs of Mac OS X.
  • Malfunctioning or Operation errors
  • Viruses and Malicious Code
  • Hackers
  • Unauthorized Access
Integrity OS Patching Leave Software Update enabled and (optional) configure it to update daily instead of weekly.
  • Malfunctioning or Operation errors
  • Viruses and Malicious Code
  • Hackers
  • Unauthorized Access
Integrity Enable and configure Firewalls OS X includes two firewalls:
  • IPFW, a packet–filtering firewall, and
  • the Socket Filter (Application) Firewall.
Note: ipfw is disabled by default.
  • Malfunctioning or Operation errors
  • Viruses and Malicious Code
  • Hackers
  • Unauthorized Access
Availability Disable Bluetooth As a hardening step, disable Bluetooth if it is not required; this adds to the overall security of the system. Unauthorized access by hackers or unauthorized users
Availability Harden Firewall access Enable OS firewall. Unauthorized access by hackers or unauthorized users
Availability Remote Control lockdown Only allow sharing and control of remote desktops through VNC on a per–user basis as required. Unauthorized access by hackers or unauthorized users
Availability Lockdown Bonjour Lock down Bonjour, or reduce the data being broadcast, to discourage hackers. Unauthorized access by hackers or unauthorized users
Accountability Limit Administrator Logon In an environment where there is more than one administrator on a system, administrative users should be restricted from logging into the system from network services using their administrative accounts. This reduces the risk of authentication credentials being compromised.
  • Unauthorized access;
  • External attacks such as DoS or Brute Force
Accountability Login Banner Enforce display of a login banner at all points of entry to the system: usually login prompts on the desktop, shell logins and other application access prompts. Consult your organization's legal team for appropriate login banner language.
  • Unauthorized access;
  • External attacks such as DoS or Brute Force
Accountability Enhance logging and auditing Enhance the default 'Logging and Auditing' settings to include the following:
  • Authentication errors;
  • Remote authentication error; and
  • Process accounting
Configure the syslog service to store log information on a secure remote log server.
  • Unauthorized access;
  • External attacks such as DoS or Brute Force
Non–Repudiation Improve Logging security Enhance the security of the "login" keychain by changing its password to something other than the login password. This ensures that the keychain has to be explicitly unlocked before any items can be accessed and also prevents keychain items from being accessed if the login credentials are compromised. Unauthorized access

Table 6 below lists the recommended security features to mitigate the threats associated with WINDOWS OS.

Table 6: Security Recommendations – Windows

Security Services Security Guidelines Recommended Description Threats Mitigated
Identification and Authentication Strengthen password security Adopt and implement a strong password policy, including for the LOCAL accounts on desktops/laptops. Some suggestions for inclusion in the password policy are[11]:
  • Maximum Password Age = Expires in 90 days
  • Minimum Password Age = Allow changes in 5 days
  • Minimum Password Length = At least 8 characters (14 for Administrators)
  • Password Uniqueness = Remember 13 passwords
  • Malfunctioning;
  • Information loss or disclosure
Identification and Authentication Strengthen encryption of passwords Disable the storage of LANMAN (LAN Manager) password hashes to improve the strength of the stored password hashes.
  • Malfunctioning;
  • Information loss or disclosure
Identification and Authentication Rename administrator account Rename the local account named 'Administrator' to enhance the security posture of the desktop environment.
  • Malfunctioning;
  • Information loss or disclosure
Identification and Authentication Disable caching of logon credentials Restrict the number of cached logon credentials to two or fewer.
  • Malfunctioning;
  • Information loss or disclosure
Authorization Harden permissions on all user accounts
  • Ensure that all administration tasks operate at the minimum necessary privilege level
  • Restrict accounts receiving the right 'Act as Part of the Operating System'.
Unauthorized access to information
Access Control Disable Anonymous access "Restrict Anonymous" should be enabled to prevent users from enumerating information related to the network.
  • Information disclosure;
  • Malfunctioning or operating errors
Access Control Enable User Lockout Implement a strict lockout policy that includes the following elements[12]:
  • Enable Account Lockout Threshold, set to "5";
  • Enable Account Lockout Duration, set to "30 minutes"; and
  • Disable "Reset Account Lockout Threshold After"
  • Information disclosure;
  • Malfunctioning or operating errors
Access Control Restrict access to %SystemRoot% Implement strict ACL control on %SystemRoot%, in line with the minimum privileges required for applications to function.
  • Information disclosure;
  • Malfunctioning or operating errors
Access Control Remove "Everyone" from any default file share permissions Implement strict ACL control on %SystemRoot%, in line with the minimum privileges required for applications to function.
  • Information disclosure;
  • Malfunctioning or operating errors
Access Control Restrict DCOM access permissions
  • Limit the security setting changes in the registry keys for DCOM objects to administrators
  • Remove the DCOM RunAs registry value
  • Information disclosure;
  • Malfunctioning or operating errors
Access Control Secure 'Recycle Bin' It is recommended that the 'Recycle Bin' be configured to "remove files immediately when deleted".
  • Information disclosure;
  • Malfunctioning or operating errors
Confidentiality Strengthen user account policies Enforce a strong password on the local administrator account.
  • Malfunctioning;
  • Information loss or disclosure
Confidentiality Disable 'Temp Folder' settings Setting 'Do not use temp folders per session' mitigates the unauthorized disclosure of data files through a folder shared across terminal sessions.
  • Malfunctioning;
  • Information loss or disclosure
Integrity Up–to–Date Anti Virus and Malware protection Implement anti–virus and malware protection on all desktops and use updated definition files for both. Malfunctioning or operating errors
Integrity Disable Windows Messenger on the desktop
  • It is recommended that Windows Messenger be disabled.
  • If Windows Messenger is required for internal use, apply a strict lockdown to prevent Messenger from accessing the Internet from the desktop.
Loss of availability
Integrity Disable automatic downloads and updates for media players Enable the "Prevent Codec Download" setting to mitigate risks that result in platform consistency issues. Loss of availability
Integrity Strengthen Internet Explorer Policy Settings It is recommended that the following Internet Explorer settings be used:
  • Enable "Security Zones: use only machine settings"
  • Enable "Security Zones: Do not allow users to change policies"
  • Enable "Security Zones: Do not allow users to add/delete sites"
  • Enable "Make proxy settings per–machine"
  • Enable "Disable Automatic Install of Internet Explorer components "
  • Enable " Disable Periodic Check for Internet Explorer software updates"
  • Disable "Disable software update shell notifications on program launch"
Loss of availability
Availability Up–to–date patch management
  • Implement the latest service packs to mitigate security issues from known vulnerabilities
  • Automatic archive process for auditing failures
  • Unauthorized access;
  • Malfunctioning or operating errors
Availability Restrict terminal server connection Limit terminal server connections to ONE session. Loss of availability
Accountability Enhance auditing Enable auditing with the following options:
  • Account logon events both success and failure
  • Logon events
  • Account management
  • Policy change
  • System events
  • Object Access success and failure
Files, folders, and registry keys must be configured in sync with the audit policy.
  • Unauthorized access;
  • Malfunctioning or operating errors
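The password policy, account lockout and audit policy rows above map to keys in the local security policy that "secedit /export /cfg" writes to an INF file. The following shell script is an added example, not part of CSG-10\S or of any Microsoft tool, that reads such an export and reports each setting that differs from the table's values (maximum password age 90 days, minimum age 5 days, minimum length 8, 13 passwords remembered, lockout threshold 5, lockout duration 30 minutes, and success-and-failure auditing for account logon, logon, account management, policy change, system and object access events). The INF section and key names are those of the secedit export format; the sample export is constructed.

```shell
#!/bin/sh
# Added example (not from the CSEC guidance): compare a Windows local policy
# export with the password, lockout and audit values in the table above. The
# export comes from "secedit /export /cfg policy.inf" on the workstation; it is
# UTF-16 text, so convert it before checking it here:
#   iconv -f UTF-16 -t UTF-8 policy.inf > policy.utf8.inf
# Set INF_FILE to that path; without it a constructed sample is checked.

# Section|Key|Expected. Ages are days, LockoutDuration is minutes, and an
# audit value of 3 means both success and failure are audited (1 = success
# only, 2 = failure only, 0 = none).
EXPECTED='
System Access|MaximumPasswordAge|90
System Access|MinimumPasswordAge|5
System Access|MinimumPasswordLength|8
System Access|PasswordHistorySize|13
System Access|LockoutBadCount|5
System Access|LockoutDuration|30
Event Audit|AuditAccountLogon|3
Event Audit|AuditLogonEvents|3
Event Audit|AuditAccountManage|3
Event Audit|AuditPolicyChange|3
Event Audit|AuditSystemEvents|3
Event Audit|AuditObjectAccess|3
'

# inf_get FILE SECTION KEY: print the value of KEY under [SECTION], or nothing.
inf_get() {
    awk -v sec="$2" -v key="$3" '
        { sub(/\r$/, "") }                                  # tolerate CRLF
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_policy FILE: one PASS/FAIL line per expected setting; returns the
# number of mismatches (a missing key counts as a mismatch).
check_policy() {
    report=$(printf '%s\n' "$EXPECTED" | while IFS='|' read -r sec key want; do
        [ -n "$sec" ] || continue
        have=$(inf_get "$1" "$sec" "$key")
        if [ "$have" = "$want" ]; then
            printf 'PASS  [%s] %s = %s\n' "$sec" "$key" "$have"
        else
            printf 'FAIL  [%s] %s = %s (want %s)\n' "$sec" "$key" "${have:-<missing>}" "$want"
        fi
    done)
    printf '%s\n' "$report"
    n=$(printf '%s\n' "$report" | grep -c '^FAIL' || true)
    return "$n"
}

# --- constructed sample export (already UTF-8); two values drift on purpose ---
SAMPLE=${TMPDIR:-/tmp}/policy-sample.$$.inf
printf '%s\r\n' '[Unicode]' 'Unicode=yes' '[System Access]' \
    'MinimumPasswordAge = 5' 'MaximumPasswordAge = 42' 'MinimumPasswordLength = 8' \
    'PasswordComplexity = 1' 'PasswordHistorySize = 13' 'LockoutBadCount = 5' \
    'ResetLockoutCount = 30' 'LockoutDuration = 30' '[Event Audit]' \
    'AuditSystemEvents = 3' 'AuditLogonEvents = 3' 'AuditObjectAccess = 3' \
    'AuditPolicyChange = 3' 'AuditAccountManage = 3' 'AuditAccountLogon = 2' \
    '[Version]' 'signature="$CHICAGO$"' 'Revision=1' > "$SAMPLE"

check_policy "${INF_FILE:-$SAMPLE}"; printf 'mismatches: %s\n' "$?"
```

The return value of check_policy is the number of mismatching settings, so the script can be run from a central collection job against exports gathered from each workstation and flag the ones that drift from the departmental policy[11][12].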
Non–Repudiation Secure audit and logging data
  • Implement audit logging for all security–related success and failure events.
  • Limit the clearing and editing of the event logs to authorized members of an Auditors group.
Hackers and other external threat agents
Non–Repudiation Define time synchronization settings Enable time synchronization with a secure and authorized time source, as this is essential for auditing and authentication purposes. Hackers and other external threat agents

List of Abbreviations and Acronyms

ACL – Access Control List
ANSI – American National Standards Institute
BSD – Berkeley Software Distribution
BTMM – Back to My Mac
CSEC – Communications Security Establishment Canada
CSG – COTS Security Guidance
DAC – Discretionary Access Control
DG – Director General
DNS – Domain Name System
DoS – Denial of Service
FTP – File Transfer Protocol
GC – Government of Canada
GID – Group Identification
GSP – Government Security Policy
HFS – Hierarchical File System
HID – Host Intrusion Detection
HTTP(S) – Hypertext Transmission Protocol – Secure
I&A – Identification and Authentication
IIS – Internet Information Service
IP – Internet Protocol
IPP – Internet Printing Protocol
IPSec – Internet Protocol Secure
IT – Information Technology
L2TP – Layer 2 Tunnelling Protocol
LAN – Local Area Network
LDAP – Lightweight Directory Access Protocol
LINUX – Unix–like open source operating system
LPD – Line Printer Daemon
Mac – Apple Macintosh operating system
MD5 – Message Digest Version 5
OS – Operating System
PC – Personal Computer
POP3 – Post Office Protocol 3
RARP – Reverse Address Resolution Protocol
RBAC – Role–Based Access Control
SCSI – Small Computer System Interface
SHA – Secure Hash Algorithm
SMTP – Simple Mail Transfer Protocol
SNMP – Simple Network Management Protocol
SOW – Statement of Work
SSH – Secure Shell
SSL – Secure Socket Layer
TCP – Transmission Control Protocol
Telnet – Telecommunication Network
TFTP – Trivial File Transfer Protocol
UDP – User Datagram Protocol
UFS – Unix File System
UID – User Identification
WINDOWS – Microsoft operating system
X.509 – IEEE Standard for Digital Certificates

Notes

  • [1] Only required if the desktop is required to support FTP services.
  • [2] Only allow if the desktop is required to provide some type of file transfer capability for the user per business requirement.
  • [3] Highly recommended for desktops with limited physical security.
  • [4] In Mac OS X terms root–level access implies full access to all system resources and data.
  • [5] Remote management makes use of the popular VNC server to allow users to connect to the Mac and works with other Open Source VNC clients.
  • [6] Only required if the desktop is required to support FTP services.
  • [7] Only allow if the desktop is required to provide some type of file transfer capability for the user per business requirement.
  • [8] Highly recommended for desktops with limited physical security.
  • [9] Development desktops will require soft limit rather than a hard limit.
  • [10] Firmware security changes not explicitly endorsed by Apple may result in permanent damage to the computer's logic board. Apple has released a graphical tool that sets the firmware password, available on the installation disk.
  • [11] Password management should follow the departmental / agency security policy or guideline.
  • [12] System owners and administrators need to ensure compliance of the lockout policy with the organization's security policy.