
The Six Critical Operating System Security Controls
I have been fortunate to audit operating system security across several technologies, including Windows, Linux/UNIX, IBM i and mainframe systems. These audits can be intensive, ranging from 10 – 200 hours of work and sometimes covering hundreds of controls. Properly securing an operating system will prevent unauthorised changes to, execution of, or deletion of files hosted on servers. It will also prevent malware compromises.
Lately, I’ve been thinking: which six controls can I recommend for securing any operating system? After some thought I have come up with these six which, if implemented well, can give an IT installation reasonable security.
- Inventories: Maintain an inventory of servers. Processes should be implemented to find and record servers on an organisation’s network. The main reason for the inventory is to ensure that the controls highlighted below are implemented on all servers.
- Restrict network access: Restrict the network-level access used to administer the server operating systems. Simply put, restrict the number of places from which the servers can be accessed and administered. For example, restrict access to Remote Desktop on port 3389 on Windows systems, and on Linux/Unix restrict access to SSH on port 22 to specific IP address ranges. These restrictions can be implemented using local or network-level firewalling or a purpose-built security jump box. This control will effectively “hide” the servers from the rest of the network (or internet) and make them impossible to access and administer, except from some specific administrative devices.
- Complex passwords: Enforce complex passwords on all user accounts. Passwords of 12 characters or more requiring numbers and special characters have been proven to be difficult to crack.
- User review: Review users with access to server operating systems every six months to ensure that their access to these systems and associated access rights are correct. Even if the controls around adding and removing users are weak, this is a “catch-all” control. On most servers, operating system level access should be limited to a very small number of administrators and some system accounts.
- Monitor: Monitor all accesses and access attempts to devices. All operating system level accesses should be logged and sent to some sort of monitoring system (SIEM) for analysis, review, and correlation with other security events. This control is implemented to detect and respond to any unusual activity.
- Patch: The last recommended control is to patch systems for the latest vulnerabilities. Most malware or hacks will attempt to exploit vulnerabilities on network services that need to be exposed to the internal network or internet. Implementing rigorous patching processes will go a long way to enhance security.
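As an added illustration of the "restrict network access" and "monitor" controls above (example code, not from the original post): a small Python script that parses constructed OpenSSH auth log lines, flags any access or attempt from outside an assumed administrative IP range (which would mean the firewall restriction is not holding), and counts repeated failures per source, the kind of rule a SIEM would run over forwarded operating system logs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of OpenSSH-style auth log lines (not real data).
SAMPLE_LOG = """\
Jan 10 09:01:12 web01 sshd[2201]: Accepted publickey for admin from 10.20.30.5 port 51022 ssh2
Jan 10 09:02:45 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 10 09:02:47 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jan 10 09:02:49 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan 10 09:05:03 web01 sshd[2231]: Accepted password for backup from 192.168.7.44 port 60321 ssh2
Jan 10 09:07:19 web01 sshd[2240]: Failed password for invalid user test from 10.20.30.9 port 44100 ssh2
"""

# Assumed administrative range that the firewall or jump box should be the only source of SSH access.
ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/24")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text):
    """Extract result, auth method, user and source IP from each sshd login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def in_admin_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)

def review_events(events, failure_threshold=3):
    """Return the findings a monitoring rule would raise for these events."""
    findings = []
    failures = Counter()
    for ev in events:
        # Any access or attempt from outside the admin range, successful or not,
        # shows the network restriction is not being enforced for this host.
        if not in_admin_range(ev["ip"]):
            findings.append(f"outside admin range: {ev['result']} {ev['user']} from {ev['ip']}")
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
    for ip, n in failures.items():
        if n >= failure_threshold:
            findings.append(f"repeated failures: {n} from {ip}")
    return findings

if __name__ == "__main__":
    for finding in review_events(parse_auth_log(SAMPLE_LOG)):
        print(finding)
```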
So that’s it, six controls that if implemented properly cover a significant number of risk scenarios and should make your servers reasonably secure. These controls can be applied to any operating system.