Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques.

• Turn off SMBv1, LLMNR, and NetBIOS where not needed.
• Disable remote registry and unnecessary services.

• Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
• Use AppArmor or SELinux on Linux for mandatory access controls.

• Enable User Account Control (UAC) for Windows.
• Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

• Implement least-privilege access for critical files and system directories.
• Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

• Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
• Enable NLA for RDP and enforce strong password/lockout policies.

• Enable Secure Boot and enforce UEFI/BIOS password protection.
• Use BitLocker or LUKS to encrypt boot drives.

• Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

• Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
• Windows Defender Exploit Guard: Built-in OS protection against exploits.
• CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

• AppArmor/SELinux: Enforce mandatory access controls.
• Lynis: Perform comprehensive security audits.
• SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

• Ansible or Chef/Puppet: Automate configuration hardening at scale.
• OpenSCAP: Perform compliance and configuration checks.

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

• Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
• Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

• Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
• Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

• Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
• Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

• Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
• Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

• Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
• Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.