Operating system security controls — SY0-701
Learn OS security controls for CompTIA Security+ SY0-701: hardening, patch management, access control, and audit logging — grounded in NIST definitions.
What it is
Operating system security controls are the safeguards and countermeasures applied directly to an OS to protect the confidentiality, integrity, and availability of the information it handles. A security control is "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements" (NIST CSRC Glossary). Applied at the OS layer, these controls govern what the system runs, who can access it, how changes are tracked, and how its attack surface is reduced.
The four pillars you need to know for Task 4.5 are hardening, patch management, access control, and audit logging.
Mental model
Think of the OS as the platform every other control depends on. If the OS is misconfigured or unpatched, every application and network control built on top of it is undermined. OS security controls answer four sequential questions:
- Reduce surface — Is the OS stripped of everything non-essential? (Hardening)
- Stay current — Are known weaknesses fixed? (Patch management)
- Limit reach — Can subjects only do what they must? (Access control / least privilege)
- Know what happened — Is there a record of accesses and operations? (Audit logging)
Each pillar maps to a distinct failure mode; they are complementary, not redundant.
When to use it
The exam frequently presents a scenario where one control is already in place and asks which additional control addresses a residual gap. Use this table to match the gap to the right control:
| Scenario / Gap | Relevant OS Control | Why |
|---|---|---|
| A service is exploited via a known flaw that a vendor fix exists for | Patch management | Patch management is "the systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions" (CNSSI 4009-2015 via NIST). It closes known vulnerabilities. |
| Users can access resources beyond their job function | Least privilege / access control | Least privilege restricts access privileges "to the minimum necessary to accomplish assigned tasks" (CNSSI 4009-2015 / NIST SP 800-12 Rev. 1). |
| An attacker pivots through an unneeded network service left running on a host | Hardening | Hardening is "a process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services" (NIST SP 800-152). Disabling the service removes the attack vector entirely. |
| An incident responder cannot determine when a file was accessed | Audit logging | An audit log is "a chronological record of system activities" including "records of system accesses and operations performed in a given period" (CNSSI 4009-2015). Without it, forensic reconstruction is impossible. |
| Policy must be enforced centrally across many endpoints consistently | Configuration management | Configuration management is "a collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations" (NIST SP 800-128). |
Common misconception
Hardening and patch management are the same thing.
They are not. Hardening is specifically about reducing the attack surface by "turning off nonessential services" and eliminating means of attack (NIST SP 800-152). A fully patched OS that still runs dozens of unused services, default accounts, and open ports is not hardened — it is merely current. Patch management addresses known vulnerabilities through code revisions (CNSSI 4009-2015); hardening addresses configuration exposure through service and feature reduction. Both are necessary; neither substitutes for the other.
A second trap: candidates sometimes treat access control as a single uniform mechanism. NIST distinguishes between discretionary access control (DAC), where an object's owner "can determine who should have access rights to an object and what those rights should be" (NIST SP 800-192), and mandatory access control (MAC), where policy is "uniformly enforced across all system subjects and objects" and even the data owner cannot override it (NIST SP 800-53 Rev. 5). The OS enforces whichever model is configured — the exam tests whether you can tell them apart by their enforcement mechanism, not by their name alone.
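To make the DAC/MAC distinction concrete, here is an added Python example (not from the page or from any NIST document) that models both as a tiny reference monitor: the owner's DAC grant is honoured, while under MAC the same grant changes nothing because ownership is simply not an input to the decision. The Bell-LaPadula style read-down/write-up rule, the three-level lattice, and the names alice, bob and q3_report are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed security lattice for the MAC policy, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "secret": 2}

@dataclass
class Subject:
    name: str
    clearance: str          # MAC attribute; ignored by DAC

@dataclass
class Obj:
    name: str
    owner: str              # DAC attribute; ignored by MAC
    label: str              # MAC attribute; only a policy admin changes it
    acl: dict = field(default_factory=dict)  # DAC: user -> set of rights

def dac_grant(actor: str, obj: Obj, user: str, rights: set) -> bool:
    """DAC: the owner alone decides who gets which rights (NIST SP 800-192)."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(user, set()).update(rights)
    return True

def dac_allows(subj: Subject, obj: Obj, right: str) -> bool:
    """DAC check: owners hold all rights; everyone else needs an ACL entry."""
    return subj.name == obj.owner or right in obj.acl.get(subj.name, set())

def mac_allows(subj: Subject, obj: Obj, right: str) -> bool:
    """MAC check, Bell-LaPadula style (assumed rule): read down, write up.
    Ownership and ACL entries play no part, so the owner cannot override it."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.label]
    if right == "read":
        return s >= o
    return s <= o if right == "write" else False

def demo() -> dict:
    """Apply the same owner grant under both models; only DAC honours it."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal")
    report = Obj("q3_report", owner="alice", label="secret")
    dac_before = dac_allows(bob, report, "read")
    dac_grant("alice", report, "bob", {"read"})        # owner grants read
    return {
        "dac_before_grant": dac_before,                       # False
        "dac_after_grant": dac_allows(bob, report, "read"),   # True
        "mac_after_grant": mac_allows(bob, report, "read"),   # False: internal < secret
        "mac_bob_write_up": mac_allows(bob, report, "write"), # True: write up is allowed
        "bob_self_grant": dac_grant("bob", report, "bob", {"write"}),  # False: not owner
    }
```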
How it shows up on the exam
The cognitive target for this topic is application — you will be asked to select the right control given a described operational condition, not merely recall a definition. Candidates often confuse the intent of a control with its mechanism:
- A scenario describing an organization that cannot track which administrator changed a system setting tests whether you recognize audit logging as the detective control, not hardening or patch management.
- A scenario describing a host compromised through a service it "did not need to be running" points to a hardening gap (nonessential services not disabled), even if the OS was fully patched.
- Signal phrases to watch for: "minimum necessary," "need to know," or "least privilege" — these anchor to the access control pillar and the principle that systems should restrict privileges "to the minimum necessary to accomplish assigned tasks" (CNSSI 4009-2015).
- "Systematic notification, identification, deployment" language points squarely to patch management.
- Scenarios that describe divergent configurations across many endpoints with no central enforcement mechanism implicate configuration management, not simply patching.
When a question presents two apparently correct controls, ask: what is the specific gap in the scenario? The gap determines the control.
Related concepts
- Firewall rules — network-layer controls that complement OS-layer access controls; OS hardening often includes host-based firewall configuration.
- Web filtering — application-layer control that limits outbound content access; distinct from OS-level controls but part of the same layered defense.
- DNS filtering — name-resolution controls that can block malicious destinations; operates at a different layer than OS security controls but is part of the same operational security posture.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: