- June 10, 2015
- Posted by: atlantadmin
- Category: Blog
Use BSD (FreeBSD/OpenBSD) whenever possible. Use Linux when you can. Enable security auto-updates when you can. Use Windows 8/10 64 bit when you can. And if you really, really care about security – use Qubes OS.
Before getting into the discussion of which OS is more or less secure, let me clarify one thing. Even Windows XP can be configured in such a way that it becomes a very, very difficult target to exploit.
For example: enable SRP application whitelisting and configure SRP properly. Install Browser-in-a-Box and only browse from that application, install all the latest updates, install EMET (the latest version that still supports XP) and configure it properly. Install a proper AV, such as 360 Total Security (Chinese; XP might still benefit from it), set up a Guest user account and a regular user account, set proper passwords for all of them, and only use the machine daily as a Guest-level account. When installing, elevate with Run-As. Regularly update the HOSTS file with blocked malicious domains (blocklists are available from multiple sources and the task can be automated). Delete CMD.EXE, debug.exe and command.com, and uninstall PowerShell. Delete reg.exe and regedit.exe after everything is set up and installed; use them from an external device if needed. Here you go! One paragraph, and the most “insecure” OS – Windows XP – has been secured properly.
This only goes to show that no OS is secure unless properly configured by a knowledgeable admin. Even FreeBSD can become less secure than Windows XP – so please, pay attention to best practices and SRG/STIGs, and you will be fine.
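The HOSTS-file step in the XP recipe above is the one most worth automating, and also the one where a poisoned or hijacked feed does the most damage: an entry that maps a real domain to an attacker's address would be copied straight into name resolution. The POSIX shell script below is an added example, not the post's own script: it merges a blocklist into a HOSTS file while accepting only sinkhole entries (hosts pointed at 0.0.0.0 or 127.0.0.1), rewrites a marked section so repeated runs stay idempotent, and leaves the real localhost lines alone. The feed contents, file names and section markers are constructed for the example; on Windows the same logic would be typed into PowerShell against C:\Windows\System32\drivers\etc\hosts.

```shell
#!/bin/sh
# Added example (not the post's script): merge a domain blocklist into a
# HOSTS file, keeping only sinkhole entries. The feed, file names and the
# section markers below are constructed for the example.

BEGIN_MARK='# BEGIN managed blocklist'
END_MARK='# END managed blocklist'

# Normalise a raw feed to "0.0.0.0 <host>" lines. Only entries that already
# point at 0.0.0.0 or 127.0.0.1 are accepted, the hostname must be a dotted
# label (so a bare "localhost" is dropped) and is lower-cased before dedup.
# A feed line such as "203.0.113.9 bank.example.com" would redirect a real
# site if copied blindly; it is rejected here instead of written to HOSTS.
filter_blocklist() {
    sed 's/#.*$//; s/[[:space:]]*$//' \
    | awk '$1 == "0.0.0.0" || $1 == "127.0.0.1" {
               h = tolower($2)
               if (h ~ /^([a-z0-9-]+\.)+[a-z0-9-]+$/) print "0.0.0.0 " h
           }' \
    | sort -u
}

# Replace the managed section of $2 with the filtered contents of $1.
# Lines outside the markers (the real localhost entries) are left untouched,
# and re-running replaces the section instead of appending a duplicate.
merge_hosts() {
    blocklist=$1; hosts=$2
    tmp=$(mktemp) || return 1
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip { print }' "$hosts" > "$tmp"
    {
        printf '%s\n' "$BEGIN_MARK"
        filter_blocklist < "$blocklist"
        printf '%s\n' "$END_MARK"
    } >> "$tmp"
    cat "$tmp" > "$hosts"   # overwrite in place so ownership and mode survive
    rm -f "$tmp"
}

# Count the entries inside the managed section (used for verification).
managed_entries() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == e { inside = 0 }
        inside && NF == 2 { n++ }
        $0 == b { inside = 1 }
        END { print n + 0 }' "$1"
}

# Write a constructed feed and HOSTS file into a temporary directory and
# print its path, so the merge can be exercised without touching the system.
make_sample_files() {
    d=$(mktemp -d) || return 1
    cat > "$d/blocklist.txt" <<'EOF'
# constructed sample feed
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # trailing comment
0.0.0.0 ADS.example.net
0.0.0.0 localhost
203.0.113.9 bank.example.com
0.0.0.0 evil_domain.example
EOF
    cat > "$d/hosts" <<'EOF'
127.0.0.1 localhost
::1 localhost
# BEGIN managed blocklist
0.0.0.0 old.example.com
# END managed blocklist
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: merge the constructed feed and show the result.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_files)
    merge_hosts "$dir/blocklist.txt" "$dir/hosts"
    cat "$dir/hosts"
    rm -rf "$dir"
fi
```

Run with `--demo` to see the merged file: of the six feed lines only `ads.example.net` and `tracker.example.org` survive, the stale `old.example.com` entry from the previous run is replaced, and the bank domain pointed at a foreign address never reaches the file. Schedule the merge with the platform's task scheduler and keep the feed source on an allow-list of trusted URLs.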
The *BSD family of operating systems is currently the least targeted and the most secure, if you count publicly released exploits / vulnerabilities per OS. Next comes Linux in its various flavors. The least secure (by default) operating system family is, of course, Microsoft Windows – just because of its wide use and incredibly large codebase.
One benefit of using *BSD systems as servers (especially web servers) is the concept of ‘jails’ they employ. This is similar to virtualization – but instead of virtualizing a whole OS for the sake of a single application, you run the application in its own container, called a ‘jail’.
This concept is weaker in Linux (where it is called ‘chroot’) and non-existent in Windows. The closest thing in Windows to a jail is a sandbox – and it is not, at least to my knowledge, common practice to run web applications inside a sandbox on Windows.
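To make the jail concept concrete, here is an added example in POSIX shell (not the post's own configuration and not code from the FreeBSD project): a function that writes a jail.conf entry for a single web-server jail with the usual least-privilege parameters set, plus a check that the generated file carries them. The jail name, the root path under /usr/jails, the interface em0, the address 192.0.2.10 and the hostname are assumptions for the example; the jail root is assumed to be already populated and the web daemon enabled in the jail's own rc.conf.

```shell
#!/bin/sh
# Added example (not from the post): write a least-privilege FreeBSD jail.conf
# entry for a single web-server jail. Assumptions: the jail root under
# /usr/jails/<name> is already populated, em0 and 192.0.2.10 stand in for the
# host interface and address, and the daemon is enabled in the jail's own
# /etc/rc.conf. The entry is written to $2 for review before it is merged
# into /etc/jail.conf.

write_web_jail_conf() {
    name=$1; out=$2
    cat > "$out" <<EOF
$name {
    path = "/usr/jails/$name";       # assumed jail root
    host.hostname = "$name.example.internal";
    interface = "em0";               # assumed host NIC
    ip4.addr = "192.0.2.10";         # assumed address (documentation range)
    exec.clean;                      # do not inherit the host environment
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;               # devfsrules_jail: minimal device nodes only
    securelevel = 3;                 # kernel securelevel for the jail; cannot be lowered from inside
    enforce_statfs = 2;              # only the jail's own mount points are visible
    allow.raw_sockets = 0;           # no raw sockets for the jailed processes
    allow.sysvipc = 0;
    allow.mount = 0;
    allow.chflags = 0;
    allow.set_hostname = 0;
    children.max = 0;                # no nested jails
}
EOF
}

# Create the jail from the reviewed file; only meaningful as root on FreeBSD.
start_web_jail() {
    [ "$(uname -s)" = "FreeBSD" ] || { echo "not FreeBSD, skipping" >&2; return 1; }
    jail -f "$2" -c "$1"
}

# Sanity check on a generated file: the restrictive parameters are present
# and the braces balance. Returns 0 on success.
check_jail_conf() {
    f=$1
    for p in 'securelevel = 3;' 'enforce_statfs = 2;' 'allow.raw_sockets = 0;' \
             'allow.mount = 0;' 'devfs_ruleset = 4;' 'children.max = 0;'; do
        grep -q "$p" "$f" || return 1
    done
    [ "$(grep -c '{' "$f")" = "$(grep -c '}' "$f")" ]
}

# Stand-alone demo: generate the entry for a jail named "www" and check it.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp)
    write_web_jail_conf www "$out"
    cat "$out"
    check_jail_conf "$out" && echo "ok"
    rm -f "$out"
fi
```

The parameters that matter for the web-server case are the `allow.*` switches (each one removed is a capability the application cannot regain even if it is compromised), `enforce_statfs` and `devfs_ruleset` (which hide host file systems and device nodes), and `securelevel` (which the jail cannot lower at runtime). Review the generated file before appending it to /etc/jail.conf and starting it with `jail -f /etc/jail.conf -c www`.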
*BSD as a Desktop
Contrary to popular opinion, BSD can be used as a desktop OS as well, even in corporate environments (check out http://www.desktopbsd.net/).
Think about it – how many users in a company do not need specialized software to do their job? Call center operators, mail room operators, non-skilled workers, developers (some programming jobs do not require Windows) and many others. You can run your file servers on BSD, your web servers (which is actually recommended due to the aforementioned ‘jails’), your print servers – the possibilities are endless. And since it can easily integrate with Windows Active Directory, what’s stopping you from experimenting?
Qubes OS is appropriate for sensitive situations, where there is a high risk of a workstation being attacked with an exploit. It was created by Joanna Rutkowska with security in mind.
I would put Qubes OS on the desktops of the administrative assistants of the C-level executives without any hesitation, as they are the ones most frequently compromised due to their low level of technical skills and security awareness combined with their high value as targets.
In essence, the operating system isolates all applications (such as browsers, editors, etc.) in their own VMs. It is very similar in operation to a regular Linux desktop, with the exception that the user needs to get used to the concept of application isolation. Office packages such as Kingsoft Office (described later on) are perfect for it, and if all one needs to do is work with documents, print, scan, read and write e-mail – just regular office work – Qubes OS and Linux are perfectly appropriate alternatives. They provide protection from the most widespread malware and exploits and make it very difficult for attackers to propagate into them if your other operating systems are compromised.
This OS cannot be run in a virtual machine – it has to be installed on a physical box – so in order to test it you will need a spare physical box with the right components inside. A hardware compatibility list is available on the project’s website: https://www.qubes-os.org/
The level of maturity of the Linux family of operating systems (distributions) is sufficient for regular business use. Tools exist to run Windows applications on Linux too, and there are quite good Linux alternatives to the most frequently used Windows software.
Office productivity suites for Linux
Libre Office (Open Office) dominated the space for quite some time, until the appearance of KingSoft Office – http://ksosoft.com/product/office-2013-linux.html – but both are good for their respective audiences. It boils down to testing and seeing which one fits you best.
Differentiate and decrease your attack surface when using 3rd Party Software
There are many alternatives for PDF readers, audio/video players, even for office packages. For example, we know how frequently attackers exploit Microsoft Office ® vulnerabilities and use Macro viruses to attack your endpoints.
So why not use Libre Office or Kingsoft Office? Okay, maybe Libre Office is not really ready for most commercial environments, but I bet most people have not used Kingsoft Office! There is a fully free, fully featured version available, and I might say the functionality and UI of this software package are pretty good for the price: http://www.kingsoftstore.com/software/kingsoft-office-freeware
Image credit: linuxundich.de
I would like to emphasize that Kingsoft® Office is available for both Linux and Windows® operating systems. The quality of the suite is better than that of Libre Office, in my personal opinion – or at least I find it better suited to my needs. It is up to you to decide – test both and see for yourself.
For PDF reading, make sure to eradicate Adobe® Acrobat Reader® from as many of your endpoints as possible. It is just ridiculous how many vulnerabilities have been found in a PDF reading package! Foxit Reader is good enough. There are many other alternatives. But for all that’s holy, stop using Adobe Acrobat Reader until Adobe fixes the way it writes software – for me, seeing vulnerabilities in a software package all the time means I should not use this software package. It is not worth the risk.
Some might call this security through obscurity – and yes, you are not solving the problem by switching your PDF reader. But for me a decrease in attack surface is still a decrease in attack surface. If 95% of the exploits written for PDF readers target Adobe® Acrobat™ – and 5% the other readers – I am all for using the alternatives.
Whatever software package you choose, make sure you have a tested and working plan for automatically updating it to the latest version, either through SCCM or another internal software management system, or through the vendor’s official channels.
Oh, Flash. Need we even discuss… Please remove all Flash plugins and remnants from all your endpoints, unless there is a dramatically important, business-critical reason to use it – and even then you should only use Flash in a heavily sandboxed environment. Just get rid of it. The number of exploit packs using 0-days for Flash is … over 9000.