Further Reading: Operating System Security

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 12. Treat the benchmarks as references to consult while building, not cover-to-cover reads.

Suggested order

  1. Download the CIS Benchmark for one operating system you actually run, and read its first dozen recommendations to feel what "hardened" concretely means.
  2. Skim NIST SP 800-123 for the principles (least functionality, secure configuration, patching) that sit beneath every benchmark.
  3. Read the Microsoft Defender ASR rules and LAPS docs if you run Windows; the SELinux or AppArmor project docs if you run Linux.
  4. Bookmark the MITRE ATT&CK Execution / Lateral Movement / Defense Evasion tactics to see which attacker behaviors your hardening removes or records.

Standards & primary documents (Tier 1)

  • CIS Benchmarks (Center for Internet Security, cisecurity.org). 🏗️📋📜 The most widely used, platform-specific hardening checklists (Windows, Linux distros, macOS, databases, browsers, cloud), with Level 1/Level 2 profiles. Your default starting point for any baseline; pair each with the CIS Controls v8 (Control 4, Secure Configuration) for the program-level framing.
  • NIST SP 800-123, Guide to General Server Security. 🏗️📋 The principles behind server hardening — least functionality, secure configuration, patching, and monitoring. Short and foundational; read it once and the benchmarks make more sense.
  • NIST SP 800-40, Guide to Enterprise Patch Management Planning. 🏗️📋 The authoritative treatment of patch management as a process (risk-based timelines, testing, deployment); the backbone of §11.6, with the prioritization signals (CVSS/EPSS/KEV) developed further in Chapter 23.
  • DISA STIGs (Security Technical Implementation Guides) (public.cyber.mil). 🏗️📜 The U.S. government's detailed hardening guides — stricter and more prescriptive than CIS, an excellent cross-reference when a setting's rationale is unclear. Even non-government engineers mine STIGs for specifics.
  • Microsoft Security Baselines (via the Microsoft Security Compliance Toolkit). 🏗️ Hardened starting GPOs you can import and adjust rather than clicking through hundreds of Group Policy settings — the vendor's own answer to "what should this be set to?"
  • MITRE ATT&CK (attack.mitre.org). 🛡️🏗️ The shared catalogue of attacker techniques. Read the Execution, Lateral Movement, Defense Evasion, and Persistence tactics specifically to map each hardening control in this chapter to the technique it defeats or records (e.g., LAPS vs. T1550 use-of-alternate-credentials; allowlisting vs. malicious execution).

Vendor & project documentation (Tier 1)

  • Microsoft LAPS / Windows LAPS documentation. 🏗️ How to deploy unique, rotated local-admin passwords — the single control most directly aimed at the shared-credential lateral movement of §11.2 and Case Study 1. Read it before your next gold image.
  • Microsoft Defender for Endpoint — Attack Surface Reduction rules. 🏗️🛡️ The catalogue of ASR rules (block Office child processes, LSASS credential theft, executable email content) with deployment and audit guidance; concrete, high-value, and free with the platform.
  • SELinux Project documentation (and Red Hat's SELinux guides). 🏗️ The label-based MAC model, the enforcing/permissive/disabled modes, and — crucially — ausearch/audit2allow for fixing a denial correctly instead of disabling SELinux. The antidote to the setenforce 0 reflex.
  • AppArmor documentation (Ubuntu/SUSE). 🏗️ The path-based profile model, simpler to author than SELinux; read this if your Linux estate is Debian/Ubuntu-family.
  • Apple Platform Security Guide. 🏗️📋 Apple's account of SIP, Gatekeeper, FileVault, XProtect, and secure boot on Apple silicon — the basis for managing (not ignoring) macOS in §11.4. Pair with your MDM vendor's macOS hardening docs.

Books (Tier 1)

  • Garfinkel, S., Spafford, G., & Schwartz, A., Practical UNIX and Internet Security. 🏗️ The classic on UNIX/Linux hardening principles; dated in specifics, durable in mindset (the chapter's epigraph is its spirit). For the modern command detail, supplement with current distro hardening guides.
  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Covers hardening, secure baselines, least functionality, EDR vs. AV, application control, and Secure Boot/TPM at exam depth — an excellent companion for the certification crosswalk in this chapter's key-takeaways.md.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 The Security Architecture & Engineering and Security Operations chapters cover configuration management, MAC/DAC, and host controls for the management track.
  • Anderson, R., Security Engineering (3rd ed.). 🏗️ For the deeper "why" — access-control models (including mandatory access control), the limits of host defenses, and how real systems are compromised. Dip into the access-control and systems chapters.

Free online & talks (Tier 1 / Tier 2)

  • CISA hardening guidance and the Known Exploited Vulnerabilities (KEV) Catalog (cisa.gov). 🛡️📋 The KEV list is the real-world "patch this first" feed that drives the emergency tier of §11.6's patch timelines; CISA also publishes platform and configuration hardening advisories.
  • The WannaCry / NotPetya retrospectives (2017). 🛡️📋 Any well-sourced account. These worm outbreaks spread via SMBv1 — the exact protocol §11.2 disables — and are the clearest real-world argument for attack-surface reduction at the host. (Tier 2: specifics vary by retelling; read a reputable source.)
  • Sysinternals Sysmon documentation and widely used open community configuration files. 🛡️ How to turn on the rich process/network/image-load telemetry §11.2 recommends, in a form a SIEM (Chapter 21) ingests. (Tier 2 for community configs: vet before deploying.)

Tools to explore (in your own lab only)

  • A CIS-Benchmark assessment tool (e.g., CIS-CAT, or an open-source equivalent) against a lab VM you own. 🏗️📋 See your own machine scored against a benchmark — the real-world version of this chapter's harden.py audit. Note how many "failures" are intended defaults you never switched off.
  • A hardened build in a lab: take a default Linux or Windows VM, apply a CIS Level 1 baseline, and diff the before/after attack surface (ss -tulpn, listening services, accounts). 🏗️ The §11.1 lesson becomes visceral when you watch the open ports and enabled features disappear.

⚖️ Authorization & Ethics reminder: Several resources here describe attacker techniques (lateral movement, credential theft, evasion) so you can defend against them. Apply any assessment or hardening tool only to systems you own or are explicitly authorized to administer (Chapter 39). Auditing your own baseline is defense; scanning or reconfiguring someone else's host is not yours to do.