CompTIA Security+ SY0-601 – 3.2 Implement host or application security solutions Part 2
March 31, 2023

5. Hardening systems

In this video we’re going to be talking about hardening your computer. Now I’m going to go through a set of things that you guys probably already know when it comes to securing your computer. But just a couple of things here to keep in mind as we go through it. Hardening your computer is a basic security concept that all security administrators should be doing on all of their computers. Let’s take a look at what they are. So the first thing up is open ports and services. First of all, open ports. What can we do to lock up ports on our computer and put a firewall on it? By default your computer has 65,500-and-something ports, logical ports. Remember things like web traffic comes to port 80, Remote Desktop comes to 3389, SSH on 22, FTP on 21. Or is that the Telnet port number? Yes. Good luck memorizing port numbers, guys. That’s always a hard part of the exam, but you need to know it. Okay, so we know that, hey, applications run through these ports, but you want to make sure you block them. How do we lock ports on our computer? By installing firewalls. Now, Windows, of course, comes with a Windows firewall.

Different operating systems will have different firewall applications, or you could download third-party applications to do it. One of the things we mentioned earlier was that endpoint protection software can help with this. The other thing here is called services. Now basically, services increase your exposure factor, the more services the computer is running. So if I right-click here and I go to... where is my Computer Management? Computer Management. And sometimes now this will open up. Where is it? Computer Management. Okay, here we go. Okay, so it could open up twice now. Okay, so in Computer Management you’ll notice that I have Services here, and here you have a whole bunch of services that are running. Now, I don’t recommend turning these services off.

If I click on Status twice, you’ll notice that I have all of these services that are running. Now, some of these services are critical for Windows to be running and some of them are not. The more services you have running on your computer, the more vulnerable your machine becomes, basically because your attack surface is bigger; there are more things to exploit. Like here, I have my Corsair gaming auto-configuration service. Not too sure what that is.

It probably has something to do with this case that lights up, and there are all kinds of lights in there. Probably has something to do with that. But maybe I can go in there and I can just shut it off. But I don’t recommend doing this unless you really are sure what you’re doing, because turning off services could have a drastic impact on your computer. Okay, the next thing is your registry. Your Windows Registry contains all the configuration for your operating system and your user account.

Viruses and malware like to get into and change this particular registry information. That’s how they can manipulate what’s happening in Windows. So protect your registry by having things such as Windows Update, don’t log in using administrator accounts, just have standard user accounts, and of course, have antivirus and anti-malware software. Now, another thing we can do is encrypt our hard drive with disk-based encryption. Later on in the class, we’ll take a look at how to do TPM encryption using a TPM chip or USB sticks in order to encrypt our hard drives. So this way, all data in the machine would be encrypted.

That way, if you ever lose your information, lose your computer, it would stay secure. The other thing I have is the operating system. So how do we secure the operating system? Harden the operating system by doing everything such as installing your firewalls, removing services not needed. And one of the most important things you can ever do to secure your operating system is to update it. You’ve got to keep your OS updated. You’ve got to remember something when they’re installing a patch. Like, look at this wall behind me. I don’t need a patch on this wall because there are no holes in this wall. So when Microsoft says, hey, patch your OS, they’re basically saying that, you know what, there’s a hole right here. I said, there’s no patch, there’s a hole right here. So maybe we could patch this hole here by getting a piece of brick and putting it in there. So remember, if you’re not patching the OSes, you basically have holes left open. Imagine how that sounds. You don’t want that. You want to have good patch management in your operating system. Now, updates: you’re going to have a lot of third-party applications and hardware that may be connected to your computer.

Just don’t think of OS updates, think of third-party updates. A lot of the time we use different apps on our computer. You want to make sure those stay updated also, because if they can exploit those apps, they can get right back to you. Now, putting in auto-update on a home-based system, it may be okay to do auto-updates. It’s probably just fine to do auto-updates. But auto-updates, I’ve seen in big businesses, can lead to issues. In big businesses, you want to make sure that you test the patch before deploying the patch. Auto-update is good; it keeps your machine updated consistently. This machine is set to it. My desktop that I use all the time over there is set to it.

But auto-update could have issues, because if you push out updates that haven’t been tested, it could crash your machine. I’ve seen it destroy drivers. I’ve seen it crash applications. And the updates have to be rolled back. So just make sure you test it before you push it out there. Maybe keep the auto-update for non-corporate machines. Okay, so these are some of the things here that you should be familiar with when hardening your systems.
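The "open ports and services" and firewall points in this section, as an added read-only audit script (not from the video or the course): it lists running services not signed by Microsoft, maps ports listening on every interface to their owning process, flags the well-known ports named in the video, and checks that the host firewall is on. It assumes Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the video): a read-only inventory of the running
# services and listening ports that the "open ports and services" discussion
# tells you to trim. It changes nothing; run it elevated so every port's
# owning process is visible. Assumption: Windows 8 / Server 2012 or later
# (NetTCPIP and NetSecurity modules present).

# 1. Running services whose binary is not signed by Microsoft.
#    Win32_Service.PathName may be quoted and carry arguments, so isolate the exe.
$running = Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
    $signer = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).SignerCertificate.Subject
    } else { 'unknown' }
    [pscustomobject]@{
        Service = $_.Name; StartMode = $_.StartMode; Account = $_.StartName
        Exe = $exe; Signer = $signer
    }
}
# Unsigned binaries (Signer = $null) stay in this list on purpose.
$thirdParty = $running | Where-Object { $_.Signer -notmatch 'Microsoft' }
"`n== Running services not signed by Microsoft =="
$thirdParty | Sort-Object Service | Format-Table Service, StartMode, Account, Exe -AutoSize

# 2. TCP ports listening on every interface, mapped to the owning process.
$listening = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = [int]$_.LocalPort; Process = $proc.ProcessName; PID = $_.OwningProcess }
    } | Sort-Object Port -Unique
"`n== TCP ports listening on all interfaces =="
$listening | Format-Table -AutoSize

# 3. Call out the well-known ports from the video so each can be confirmed as intended.
$wellKnown = @{ 21 = 'FTP'; 22 = 'SSH'; 23 = 'Telnet'; 80 = 'HTTP'; 3389 = 'RDP' }
foreach ($entry in $listening) {
    if ($wellKnown.ContainsKey($entry.Port)) {
        Write-Warning ("Port {0} ({1}) is reachable from the network, owned by {2} (PID {3})" -f
            $entry.Port, $wellKnown[$entry.Port], $entry.Process, $entry.PID)
    }
}

# 4. The firewall the video says to keep on: confirm it is enabled for every profile.
"`n== Windows Firewall profiles =="
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
```

Anything in the first table that you cannot account for is a candidate for Set-Service -StartupType Disabled, but only after you have checked what depends on it, which is exactly the caution the instructor gives.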

6. Drive Encryption and sandboxing

In this video, I’m going to be talking about a variety of different things we can do to secure our machines, such as the hardware root of trust, self-encrypting drives, using a TPM chip, and what exactly sandboxing is. So let’s get started. So the first thing we want to talk about is this term that you may see appear on your exam called a hardware root of trust. But what is that? Hardware root of trust. So the hardware root of trust is basically a starting point from where trust starts. The root of trust starts basically in the BIOS of the machine, the UEFI. So we did another video where we talked about boot integrity and ensuring that the BIOS itself is secure.

The hardware itself is secure. This is where the trust factor starts from. Dell servers are famous for this. They build a lot of security into their BIOSes to ensure people can’t install things like rootkits or malicious software into them, because these Dell servers will have things like Windows Server powering them up. And these particular types of servers can be used for databases, file servers, web servers, and so on. So you want to make sure that they’re really secure and the hardware root of trust is enabled or set up. Now, this is not something that you’re going to be doing.

This is more something that is going to be built into their hardware. Okay, the next thing here I want to mention is something called the self-encrypting drive. Full disk encryption. One of the standards here is the Opal standard. So the Opal standard, the Opal disk standard, is basically a standard that talks about encrypting and providing drive-level security. Now, one thing we want to mention is something called a self-encrypting hard drive. What is that? A self-encrypting hard drive? It’s a hard drive... here’s one. This is a self-encrypting hard drive. These are basically hard drives that have cryptographic chips inside of them that do the encryption for you. You don’t have to use things like TPM, like I’m about to set up here with you guys. You don’t have to use that, or even USB sticks. These things come built in with cryptographic chips. You notice it says here, Product Detail: it supports 256-bit AES encryption, and it is a self-encrypting drive.

Now this is great, because if you are doing a lot of data transfer and you’re storing confidential data, this is the best thing to use. Now, the other thing here that I want to mention to you guys is going to be full disk encryption. And I’m going to show you this by using TPM chips. And my lines are off: by using TPM chips. Now, TPM chips in Windows use BitLocker encryption. So you’ve got a hard drive; here’s my laptop. We’ve got a hard drive in it. We’ve got confidential data stored on it.

I lose the laptop. I go traveling with it, I lose the laptop. Somebody... they want my data. They don’t have my Windows password. That’s okay. All they’ve got to do is remove the drive: open the laptop, take out the drive, mount it somewhere, and they have all my data. Unless I encrypt that drive and store the encryption keys on the laptop itself in a hardware device.

A hardware chip called a TPM. Trusted Platform Modules are chips that store cryptographic keys for when we do these types of hard drive-based encryption. I recommend to everyone, especially if it’s a laptop you’re traveling around with with a lot of confidential data, I recommend to everyone to use TPM, to use BitLocker encryption with the TPM chips, if your notebook supports it; most business-class notebooks will support this. You can also do TPM and BitLocker encryption on your desktop or your server.

Now, my desktop here does not have a TPM chip, but you can actually buy expansion cards that do. So I want to show you in this video how easy this is to set up, all right? How easy this is. So I’m going to Remote Desktop into this laptop so we can get a view of it, all right? So I’m going to go to Run to get to the Run box (that’s Windows+R, by the way). And we’re going to type mstsc, Enter, Microsoft Terminal Services Console, to open up a Remote Desktop. And we’re going to put in the IP address of this laptop that I have here. And now I already have a user account called Bob. We’re going to put in Bob’s password in here. Yes. By the way, this is a certificate notice. Just a quick review: Remote Desktop is secured with a certificate. All right? So let’s take a look here at how to set up BitLocker. So let’s say it’s not set up and you want to set it up on the computer. And I’m going to walk you guys through this. I’m not going to set it up because I want to wipe this computer. So we’re going to go to Start and we’re going to open up our Control Panel. And right here in it, we’re going to say BitLocker Drive Encryption. That just brings up the screen here. And we’re going to go to a very simple Turn On. Now watch how easy this is. Now it’s going to check to make sure that it has all the required hardware, especially the TPM chip. Now it will need to save a recovery file, in case you have problems logging in or unlocking the computer, because if you do, you permanently lose your data. All right? That does not do it.

You just permanently lose your data. So we’re going to click Save to a file. And I have a USB stick that I have inserted here. So I’m going to save it to that right here. I’ve got the USB stick. I’m going to save it right there and I am going to go ahead and click on Next. Choose how much of your drive you want to encrypt. Now notice we could just encrypt the used space only. So whatever is on the machine, we could just encrypt that. Or do you want to encrypt the whole thing? I want to encrypt the whole thing. Do you want a new encryption mode? This is for fixed drives; and you have Compatible mode, so the drive may be removed. So we’re going to say New encryption mode because we want to do it for all.

And then we start the encryption process. And this can take a couple of minutes. That I’m not going to do because it can take a while. Now it does say that while it’s being encrypted, it may run slowly. So when I’m finished reformatting this machine, getting rid of all the data, then I’m going to actually do this. So I’m not doing it right now. So I’m going to cancel this. By the way, you do have the option of doing BitLocker To Go. This is a newer thing. This allows you to encrypt your USB sticks. Okay, that is BitLocker with the TPM chip there. Know that; for your exam it’s a hot topic. The other one here is sandboxing. So, sandboxing: your phones are basically sandboxed.

Here’s what sandboxing is. Let’s say I’m doing some online banking on my phone: open a banking app, log in, check my account, I’m transferring funds, and then I just go back to the home screen. I go to my browser and I start browsing some websites. And for whatever reason, I get infected with malware. Can the malware from the browser get into the memory space of the banking app and manipulate and steal data from it? The answer is no. And the reason for that is because these things are sandboxed. So imagine that this pad on the desk here, can you guys see that? Yes. Can you imagine the pad on the desk here is basically a sandbox? So all the application memory and tasks and activities are within this box.

Let’s say there’s another one here. Let’s say there are two of these pads. Then, hey, data cannot leak out from here and get into here. So that would be application sandboxing. In other words, by sandboxing, you’re restricting the memory space that the applications can access. In other words, you’re saying, you know what, you can’t access any other memory space but the memory that you’re in right now. So sandboxing is good for security, and certain applications and application makers and operating systems support that. Anytime you get the word sandboxing, just think of restricting that app to certain sectors of memory. Okay? A lot of good stuff here, guys.

I do recommend, first of all, I do recommend for you guys to go set up BitLocker. If you have a traveling laptop and your laptop supports it, please do it. You never know; one day you lose your laptop and somebody manages to steal your data. But if you have to lose your laptop, at least you have that peace of mind that no one can steal your data. Okay, so the hardware root of trust is basically the starting point for security, generally the BIOS of the machine. We talked about full disk encryption, self-encrypting drives. We saw one TPM chip, and we just discovered sandboxing.
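The BitLocker walkthrough in this section (TPM check, recovery key saved to a USB stick, entire drive, new encryption mode), as an added PowerShell example that is not from the video or the course: it does the same steps with the BitLocker module and refuses to start encrypting until the recovery key is confirmed on the stick. It assumes the OS volume is C:, the USB stick is E:, and an elevated prompt.

```powershell
# Added example (not from the video): the BitLocker steps the instructor clicks
# through in Control Panel (hardware check, save recovery key to a USB stick,
# encrypt the entire drive in the new XTS-AES mode), done from PowerShell so the
# recovery key is provably saved before encryption starts. Run elevated.
# Assumptions: the OS volume is C: and the USB stick is mounted as E:.
#Requires -RunAsAdministrator
$OsDrive  = 'C:'
$UsbDrive = 'E:'

# 1. The wizard's hardware check: a present, ready TPM is needed for a TPM protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No usable TPM found; BitLocker with a TPM protector cannot be enabled here.'
}
if (-not (Test-Path -LiteralPath "$UsbDrive\")) {
    throw "USB stick $UsbDrive not found; the recovery key must be saved off the machine first."
}

# 2. Nothing to do if the volume is already protected.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "$OsDrive is already protected with $($vol.EncryptionMethod)."
    return
}

# 3. Create the recovery password first and write it to the USB stick, because
#    without it a TPM or boot change means the data is gone for good.
$null = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$keyFile = Join-Path $UsbDrive ('BitLocker Recovery Key {0}.txt' -f ($rp.KeyProtectorId -replace '[{}]'))
@("Identifier: $($rp.KeyProtectorId)", "Recovery Key: $($rp.RecoveryPassword)") |
    Out-File -FilePath $keyFile -Encoding ascii
if (-not (Select-String -Path $keyFile -Pattern $rp.RecoveryPassword -SimpleMatch -Quiet)) {
    throw 'Recovery key was not written to the USB stick; refusing to start encryption.'
}

# 4. "Encrypt entire drive" + "New encryption mode" = XTS-AES 256 on the whole volume
#    (no -UsedSpaceOnly); -SkipHardwareTest skips the reboot-based test the wizard offers.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 5. Encryption continues in the background; report where it stands.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
```

In a domain, Backup-BitLockerKeyProtector can escrow the same recovery password to Active Directory instead of (or as well as) the USB stick, which is the corporate answer to the "you permanently lose your data" warning.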
