Security Configurations – SY0-601 CompTIA Security+ : 5.2

The default configuration of a system is rarely the most secure. In this video, you’ll learn about secure configurations for web servers, operating systems, application servers, and network infrastructure devices.

If you’ve installed a server, an operating system, or some other device, the default configuration is not secure out of the box. You’ll need to perform some additional steps before that system is secure. So you’ll need a set of guidelines that can help you understand what features need to be enabled and disabled to make this device as safe as possible.

Fortunately, every major operating system and service has a series of hardening guides that can help you understand what configurations are safe for the system. This usually comes directly from the manufacturer or the developer of the software. And you can often find additional security measures on internet interest groups. For very complex software or implementations, you may also find websites and blogs that have detailed security information for the product that you’re using.

One of the most popular server types on the internet is the web server. And you’ll find web server software running on Microsoft Windows with the Microsoft Internet Information Server. Or in other operating systems, you may find Apache HTTP Server and there are also many other web servers available.

Because this is often a device that is publicly facing and accessible to the internet, there’s always the concern for having some type of data leakage. You could also, inadvertently, provide access to the server itself if you don’t have the right configurations in place.

A hardening guide for a web server might include information on how to prevent information leakage by adding banner information and disabling any type of directory browsing. It will also provide best practices for understanding how this service should run in the operating system. For example, a web server should run from a non-privileged account and there should be specific file permissions for the web server software and the configurations.

If you want to enable encrypted communication to the web server, then you’ll need to configure SSL. This usually takes a number of steps to implement, and it’s usually part of any good hardening guide. One of the key pieces of information you can get from any web server is the logs that are kept for that service, so you need some way to monitor and report on access logs and error logs.
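As an added example (not from the video), a small Python audit of an Apache httpd-style configuration against the hardening items just described: banner disclosure, directory browsing, the account the service runs as, TLS, and whether access and error logs are configured at all. The directive names are Apache's own (ServerTokens, ServerSignature, Options, User, Group, SSLEngine, CustomLog, ErrorLog); the sample configuration is constructed for this example.

```python
import re
# Constructed sample httpd config with several default/weak settings.
SAMPLE_CONFIG = """
ServerTokens Full
ServerSignature On
User root
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
ErrorLog /var/log/httpd/error_log
"""

def parse_directives(text):
    """Map directive name -> list of values, skipping comments and <Section> tags."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0], []).append(parts[1].strip('"') if len(parts) > 1 else "")
    return found

def audit(text):
    """Return (directive, finding) pairs for each weak or missing hardening setting."""
    d = parse_directives(text)
    last = lambda name, default: d.get(name, [default])[-1]  # last occurrence wins
    findings = []
    # Banner information: Prod / Off disclose the least about the server.
    if last("ServerTokens", "Full") != "Prod":
        findings.append(("ServerTokens", "set to Prod to hide version and module banner"))
    if last("ServerSignature", "On").lower() != "off":
        findings.append(("ServerSignature", "set to Off to drop the footer on error pages"))
    # Directory browsing: an Options line that enables Indexes (no leading '-').
    if any(re.search(r"(?<!-)\bIndexes\b", o) for o in d.get("Options", [])):
        findings.append(("Options", "disable directory listing with Options -Indexes"))
    for directive in ("User", "Group"):  # service account must be non-privileged
        if last(directive, "root") in ("root", "wheel", "0"):
            findings.append((directive, "run under a dedicated non-privileged account"))
    if last("SSLEngine", "off").lower() != "on":
        findings.append(("SSLEngine", "no TLS configured (SSLEngine on)"))
    for log in ("CustomLog", "ErrorLog"):  # both logs must exist to be monitored
        if log not in d:
            findings.append((log, "not configured; cannot be monitored or reported on"))
    return findings

if __name__ == "__main__":
    for directive, msg in audit(SAMPLE_CONFIG):
        print(f"{directive:16} {msg}")
```

Running it against the constructed sample reports seven findings; a configuration with ServerTokens Prod, ServerSignature Off, a dedicated User and Group, Options -Indexes, SSLEngine on, and both log directives comes back clean.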

In your environment, there will be many different operating systems in use. You might be running Windows, Linux, macOS, Android, iOS, and many others. And there are many hardening guides available that are specifically written for these operating systems.

Very commonly, these hardening guides include a section on updates and making sure that you’re running the latest operating system updates or, in the case of Windows, the latest service packs. There are often security patches that are required for all of these operating systems, so it’s important to always stay up to date.

For the user accounts that are configured on these systems, there should be a minimum password length and complexity. And there may be configurations that limit the ability for these accounts to operate inside the operating system.

On the network side, we need to consider what this device will be communicating with and who will be communicating inbound to this server. And we should also have some way to constantly monitor the security on the system through antivirus, anti-malware, or some other type of endpoint security software.

Some of these systems will be running application server software, which might include programming languages or libraries that are required for these applications to operate. This is usually a layer of software that sits between the web server and the data itself. Sometimes you may hear this referred to as middleware.

This type of server has a very specific function. So if there are capabilities outside the scope of this application server, we should make sure that those capabilities are disabled. As always, we want to be sure that the operating system running on this application server is up to date with the latest security patches.

And we should configure the application server software to have the correct permissions on the system. We want to be sure the application server has the ability to perform the functions that it needs. But we should also make sure that it has limited access to the operating system.

Another area that’s important to keep secure is the networking infrastructure itself. This would be your switches, routers, firewalls, and anything else that you have connected to the network. These devices don’t commonly run the same operating system that we’re using on our laptops or desktop computers. Instead, they are purpose-built devices with their own embedded operating systems.

When you first install a switch, a router, or a firewall, you’ll notice that there is a default username and password associated with that configuration. So it’s important that you always change the default settings for the authentication so that no one else can use those same default credentials to gain access to your systems.

And because these are purpose-built appliances, we don’t commonly see the same number of security patches that you might see for an operating system that you run on your laptop. But there are occasionally updates to these operating systems, so you want to be sure to check with the manufacturer so that you’re running the latest software on these systems.