Lab 6 - Securing Operating Systems
Due: Wednesday at 5:00pm
This lab is worth 10 points.
This week's topic in class has been trusted operating systems. For last week's
lab, we looked at several operating systems that implement mandatory access
control. This week, we will look at what one has to do to modify a commercial
operating system to meet minimum evaluation criteria as defined by some
certification specification (we will discuss the specifics of evaluation
criteria and certification in lecture on Wednesday). The basic idea is
to perform a series of configuration changes to increase the assurance one has
in certain features of the system. For example, we might increase the
assurance that the audit trail keeps an accurate record of events. Most systems
that have been certified will publish a checklist of all the configuration
changes needed to obtain that certification. In this lab, we will look at a
few of those checklists to see what one has to do to secure an operating
system "after the fact" rather than using a trusted OS.
Browse through the configuration guides for the following operating systems:
- Microsoft Windows 2000
  - This is the main page for Windows 2000's evaluation under the Common
    Criteria certification method. The Security Configuration Guide contains
    the checklist of all changes that must be made to Windows 2000 to bring it
    to the level of assurance required for the Common Criteria evaluation
    level listed on the website.
- Microsoft Windows XP and Windows Server 2003
  - This is the main page for these two Microsoft operating systems, also under
    the Common Criteria method. There are several configuration guides depending
    on which flavor of XP or 2003 you need to configure. Choose one flavor (such
    as XP Professional or 2003 with x64 hardware) and browse through its
    configuration guide. Note that these configuration guides are all zip files,
    so save to disk and unzip to read.
  - In case you are wondering, Vista has not completed the certification
    process, so there is no "official" checklist yet.
- Solaris 10
  - Solaris has also been evaluated under Common Criteria. This website has a
    list of the various versions of Solaris 9 and 10 that have been certified.
    Browse Chapter 3 of Solaris 10 11/06 Security Release Notes to see the
    configuration changes needed (beyond applying the patch set mentioned on
    the webpage).
- Mac OS X
  - Again, Mac OS X has been evaluated under the Common Criteria method. Browse
    the Common Criteria Configuration and Administration Guide.
For your writeup, give your overall impression of the ease (or lack thereof) of
securing each system for its Common Criteria evaluation level. What do you
see as the biggest issue when implementing the configuration changes listed
in the documents? Do you think it would be more or less difficult to instead
use a trusted operating system, such as one of the ones we looked at last week
with mandatory access control?
Your writeup should be 2-3 paragraphs of thoughts on these matters.