Security+ Domain 3.0: Secure Systems Design and Deployment: Chapter 12

Chapter 12: Secure Systems Design and Deployment

System Security is our initial set of best practices. It includes:

    • Disabling non-essential systems and services
    • Hardening operating systems by
      • Applying updates and
      • Securing file systems
    • Hardening applications by
      • Hardening servers (daemons or services) and
      • Hardening data stores
    • Hardening networks through
      • Firmware upgrades and
      • Secure network configuration

Hardware / Firmware Security

Firmware upgrades

Computers, routers and other network equipment store fixed firmware in ROM modules, including:

  • Erasable Programmable Read-Only Memory (EPROM)
  • Electronically Erasable Programmable Read-Only Memory (EEPROM)

Computer manufacturers (such as Dell), chipset manufacturers (such as Intel) and router manufacturers (such as Cisco) frequently issue firmware updates. The system administrator is responsible for knowing about and implementing these updates.

Cisco routers in particular must be updated carefully. Cisco has issued more than one bad update, but Cisco users still have to do their best to stay up to date.





Secure Boot and Attestation

Supply Chain

Hardware Root of Trust


Operating Systems

Patch Management

In Windows:

        • Service Packs are cumulative sets of updates
        • Hotfixes are single-issue fixes, typically correcting software problems, not security issues
        • Patches are software updates, often to correct security problems

Popular Patch Management Systems for Windows are Windows Update Services (for standalone computers), Microsoft Operations Manager (MOM, formerly known as Software Update Services, SUS, and by other names), and the Shavlik family of security/patch management tools.

In Linux:

        • Patches typically require re-compiling software, or performing an upgrade installation of binary software distributions

          Red Hat provides update services through the Red Hat Network update system.

Disabling Unnecessary Ports and Services

In Windows, view Services through:

        • Start > Settings > Control Panel > Administrative Tools > Services
        • The msconfig command from Start > Run
        • The services.msc command from Start > Run

Visit or for discussion of any services with which you’re not familiar.
Note that services can be Automatic, Manual or Disabled.

Probably the single most dangerous service is UPnP, Universal Plug-and-Play. Unless you have a specific, compelling reason to enable this, disable it.

Service names and display names in the Services applet are not always the same.

In Linux, view processes with:

ps aux

Generally, services are processes whose names end with a “d,” e.g. httpd.

Services, Port Numbers and Sockets:

The combination of an IP address and a port number is a socket (e.g.
Most ports are available to both TCP and UDP.
A total of 65,535 ports are available.
The first 1,023 are called the “well-known port numbers.”
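
To put the two sections above together, here is an added example (not part of the original notes) that audits listening sockets against an approved baseline and reports anything that should be reviewed for disabling. The sample rows are constructed in the layout of Linux `ss -H -tuln` output, and the ALLOWED baseline and function names are assumptions made for illustration.

```python
from collections import namedtuple

WELL_KNOWN_MAX = 1023                    # the "well-known port numbers" boundary from the notes
WILDCARDS = {"0.0.0.0", "*", "[::]"}     # address forms meaning "bound on every interface"
# Hypothetical approved baseline: (protocol, port) pairs this host is meant to serve.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 5432)}

# Constructed sample in the layout of `ss -H -tuln`; not taken from a real host.
SAMPLE = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511                *:80               *:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080          [::]:*
"""

Listener = namedtuple("Listener", "proto addr port")

def parse_listeners(text):
    """Parse `ss -H -tuln` style rows into Listener tuples."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                                 # blank or malformed row
        # rpartition splits on the last colon, so IPv6 forms like [::]:8080 survive
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            found.append(Listener(fields[0], addr, int(port)))
    return found

def audit(text, allowed):
    """Return one finding per listener that is not in the baseline, sorted by port."""
    findings = []
    for item in parse_listeners(text):
        if (item.proto, item.port) not in allowed:
            findings.append({
                "socket": f"{item.proto}/{item.addr}:{item.port}",
                "port": item.port,
                "well_known": item.port <= WELL_KNOWN_MAX,
                "all_interfaces": item.addr in WILDCARDS,   # reachable from the network
            })
    return sorted(findings, key=lambda f: f["port"])

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(finding)
```

In the sample, UDP port 1900 is the SSDP discovery port used by UPnP, the service the notes single out for disabling; findings with all_interfaces set deserve attention first because they are reachable from other hosts.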

Least Functionality

Secure Configurations

Trusted Operating System

Application Whitelisting / Blacklisting

Disable Default Accounts / Passwords


Wireless keyboards

Wireless mice


WiFi-enabled SD cards

Printers / MFDs


Digital Cameras







Secure Baseline

Integrity Measurement