
Not so fast: Some security defaults shouldn't change

Roger A. Grimes | June 29, 2016
Contrary to popular belief, changing default settings doesn't always improve security -- and often backfires

When to change the defaults

You certainly want to change any default passwords or passwords given to you by a vendor or anyone else, especially if the password is non-unique and written down in documentation. This describes most default logon passwords for network devices, wireless access points, and other common consumer computer devices.

Some network devices use their unique MAC address (or some variation of it) for the default password. This is better than sharing a non-unique, documented, default password -- but only slightly better. The MAC addresses on those devices are almost always transmitted wirelessly in the clear, where anyone within range can sniff them. Make sure to change any of these sorts of passwords.

Change default wireless SSIDs and SSID passwords or keys. Wireless SSIDs really aren't that risky to leave unchanged, but leaving them at the default SSID value has caused issues in the past (such as unwanted auto-connections) and could be a sign to attackers that the owner isn't overly sophisticated and should be scrutinized more. SSID password keys should definitely be changed to something long and unique.
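The three kinds of weak credential described above (documented vendor defaults, passwords derived from the device's MAC address, and keys that are simply too short) can be flagged in an inventory audit. The following is an added example written for this article, not code from the author or any vendor; the list of documented defaults, the device inventory, and the 12-character minimum are constructed placeholders, and the set of MAC-derived variants it checks is an assumption about how vendors typically build such passwords.

```python
"""Audit configured device passwords against documented defaults and
MAC-derived variants. Added example; the values below are constructed."""
import re
from typing import List, Optional, Set, Tuple

# Constructed stand-in for a vendor's documented default passwords.
DOCUMENTED_DEFAULTS: Set[str] = {"admin", "password", "1234", "default"}

# Assumed minimum length for a unique key (threshold chosen for this example).
MIN_LENGTH = 12


def mac_variants(mac: str) -> Set[str]:
    """Return the strings a vendor might plausibly derive from a MAC address:
    full hex with no separators, colon and dash separated, upper and lower case,
    plus the trailing 6 and 8 hex digits (assumed common variations)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    variants: Set[str] = set()
    for s in (hexdigits.lower(), hexdigits.upper()):
        pairs = [s[i:i + 2] for i in range(0, 12, 2)]
        variants.update({s, ":".join(pairs), "-".join(pairs), s[-6:], s[-8:]})
    return variants


def classify_password(password: str, mac: Optional[str] = None) -> str:
    """Classify one configured password. Checks are ordered from worst to best."""
    if password.lower() in {d.lower() for d in DOCUMENTED_DEFAULTS}:
        return "documented-default"
    if mac is not None and password in mac_variants(mac):
        return "mac-derived"
    if len(password) < MIN_LENGTH:
        return "too-short"
    return "ok"


def audit(devices: List[Tuple[str, str, Optional[str]]]) -> dict:
    """Map each device name to its password classification."""
    return {name: classify_password(pw, mac) for name, pw, mac in devices}


# Constructed inventory: (device name, configured password, MAC address or None).
SAMPLE_DEVICES: List[Tuple[str, str, Optional[str]]] = [
    ("ap-lobby", "admin", "00:11:22:33:44:55"),
    ("ap-floor2", "334455", "00:11:22:33:44:55"),
    ("switch-core", "00-11-22-33-44-55", "00:11:22:33:44:55"),
    ("printer-hr", "short1", None),
    ("router-edge", "correct-horse-battery-staple-7", "AA:BB:CC:DD:EE:FF"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DEVICES).items():
        print(f"{name:12s} {verdict}")
```

Anything other than "ok" is a credential to rotate before the device goes into service; extend DOCUMENTED_DEFAULTS with the defaults printed in your own vendors' manuals.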

There is also some value in changing default storage paths if the storage paths might allow an attacker to fill up the available free space and crash the system. For this reason, many installers make sure that storage paths lead to big storage areas that would be hard to fill up, or at least point them to areas not shared by the operating system.
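A pre-install check for the storage-path concern just described: whether the configured directory sits on the same filesystem as the operating system (so an attacker filling it would also starve the OS) and how much free space that filesystem has. This is an added example, not the article's own code; the storage path, the 10 GiB threshold and the OS root of "/" are assumptions for a POSIX host.

```python
"""Assess a configured storage path: shared filesystem with the OS root, and
free space. Added example; the threshold and sample path are assumptions."""
import os
import shutil
from typing import Dict, List


def nearest_existing(path: str) -> str:
    """Walk up until an existing ancestor is found, so a directory the
    installer has not created yet can still be checked."""
    path = os.path.abspath(path)
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return path


def same_filesystem(path_a: str, path_b: str) -> bool:
    """True if both paths live on the same mounted filesystem (same st_dev)."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def assess_storage_path(path: str, os_root: str = "/",
                        min_free_gib: float = 10.0) -> Dict[str, object]:
    """Return findings for a configured storage path. min_free_gib is an
    assumed threshold chosen for this example."""
    base = nearest_existing(path)
    usage = shutil.disk_usage(base)
    shared = same_filesystem(base, os_root)
    free_gib = usage.free / 2 ** 30
    findings: List[str] = []
    if shared:
        findings.append("shares a filesystem with the OS root; filling it "
                        "can take the operating system down with it")
    if free_gib < min_free_gib:
        findings.append(f"only {free_gib:.1f} GiB free "
                        f"(threshold {min_free_gib} GiB)")
    return {
        "path": path,
        "checked": base,
        "shared_with_os": shared,
        "free_gib": round(free_gib, 1),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample path; the directory need not exist yet.
    report = assess_storage_path("/var/lib/exampleapp/uploads")
    print(report)
```

An empty findings list means the path is on its own volume with headroom; otherwise move the data directory to a dedicated volume or apply a filesystem quota before relying on that location.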

When not to change the defaults

In general, most popular operating systems (Windows, MacOS, Linux, BSD, iOS, Android, etc.) have fairly strong default settings. They strike a reasonable balance between security and operational considerations. Further, you'll invariably find that the vendors or organizations behind these operating systems have recommendations regarding which defaults you should change.

For example, Microsoft Security Compliance Manager has been relied upon by millions of users to see what the defaults are and what Microsoft recommends be changed if you're worried about security. It contains hundreds and hundreds of settings. In most cases the operating system's defaults are adequate. In some areas, Microsoft recommends more secure settings, such as increasing the minimum password size from 6 to 12 characters.

The leading vendors are so good at picking good defaults (notice I say good, not perfect) that if I wrote a book today about tightening operating system settings it would contain just a few words: "Don't muck it up!" That's because when you change a default, you are often making a change you don't fully understand. Anything you don't understand is insecure, even if some well-known and respected group has told you to make the change.
