The OS as Security System
Security is not a feature that gets bolted onto an operating system after the fact. It is woven into the OS's fundamental responsibilities. The OS controls access to files, memory, devices, and CPU time. It decides which processes can do what. It mediates every interaction between software and hardware. That central position makes it both the natural first line of defense and, when it fails, the most dangerous point of failure.
OS security threats come from two directions: outside the system (unauthorized users trying to gain access) and inside it (authorized users — or processes running under their accounts — trying to exceed their permitted privileges). This reading focuses on outside threats. Reading 2 addresses what happens once someone is inside.
Three Things Worth Protecting: The CIA Triad
Before diving into the specific mechanisms the OS uses, it helps to have a framework for thinking about what security is actually trying to protect. Information security professionals organize this around three properties, collectively called the CIA triad:
- Confidentiality — Information is accessible only to those authorized to see it. An unauthorized person cannot read your files, view another student's grades, or intercept a private message. Most of what we think of as "keeping things secure" is really about confidentiality.
- Integrity — Information is accurate and has not been tampered with. Data stored or transmitted is the same data that was originally created — not modified by an attacker, corrupted in transit, or altered without authorization. A gradebook system that an attacker can silently edit has failed on integrity even if the data was never made public.
- Availability — Systems and data are accessible when legitimate users need them. A system that is locked down so tightly that authorized users cannot get their work done, or that is taken offline by an attack, has failed on availability even if nothing was stolen or modified.
In a school context: Consider a district's student information system. Confidentiality means only authorized staff can view student records — not other students, not the general public. Integrity means grades and attendance data cannot be altered by anyone who shouldn't be changing them — including a student trying to improve their own record. Availability means the system is actually up and working when a teacher needs to take attendance or a counselor needs to pull a transcript. All three matter; protecting one while neglecting the others is not real security.
The mechanisms described in this reading — accounts, passwords, administrator privileges, auditing software, and MFA — are primarily confidentiality controls: they determine who gets in. Reading 2's discussion of privilege levels and memory bounds enforcement addresses integrity: it limits what an authorized (or malicious) process can do once inside. Availability becomes especially relevant in Week 4 when we examine denial of service attacks, which aim specifically at making systems unreachable.
Keeping the CIA triad in mind as you work through these two readings will help you see each security mechanism not just as a technical detail, but as a response to a specific kind of threat.
Accounts and the Login Procedure
On any computer used by more than one person — a school lab, a shared family computer, a university server — the OS maintains a set of accounts. Each account is a record that stores, at minimum:
- The user's name or username
- A password (stored in a protected, typically encrypted form)
- The privileges granted to that user — what they are and are not allowed to do on the system
When a user starts a session, they go through the login procedure: a sequence of transactions in which they establish contact with the OS by providing their credentials. The OS checks the supplied username and password against its account records. If they match, the session begins and the user gains access to whatever privileges their account specifies. If they do not match, access is denied.
This sounds straightforward. In practice, the security of the entire system rests on the integrity of this process. If an attacker can get past the login procedure — by guessing a password, exploiting a flaw in the login software, or tricking a user into handing over their credentials — everything the system is protecting becomes accessible.
The Administrator: Special Privileges, Special Responsibility
Not all accounts are equal. One account — the administrator (also called the super user on Unix-based systems) — has elevated privileges that ordinary user accounts do not. An administrator can:
- Create, modify, and delete other user accounts
- Change the privileges granted to any user
- Modify critical OS settings and software
- Access files belonging to any user
- Terminate any process on the system
- Monitor all activity on the system
The administrator account exists because someone has to be able to manage the system. But it also represents the highest-value target for an attacker. Gaining access to the administrator account means gaining unrestricted access to everything. This is why the administrator password is treated as especially sensitive, and why most security guidance recommends that everyday computing be done from a standard (non-administrator) account — limiting the damage that can be done if the account is compromised.
In a school context: When your school's IT department sets up classroom computers so that students cannot install software, change system settings, or access other students' files, they are configuring account privileges. The IT staff hold administrator accounts. Student accounts have restricted privileges. This is the OS's account system doing exactly what it was designed to do.
Auditing Software: Watching for Trouble
The OS can be augmented with auditing software — utilities that record and analyze system activity to detect suspicious behavior. Auditing software can flag:
- A flood of failed login attempts (suggesting an automated attack trying to guess a password)
- An account suddenly accessing files or running software outside its normal pattern (suggesting the account may have been compromised)
- Attempts to access resources outside a user's privileges
- The presence of sniffing software — programs that run silently in the background, recording keystrokes or other activity and reporting them to an attacker
A classic sniffing attack involves a program that mimics the OS's own login screen. A user sits down at a terminal, sees what looks like the normal login prompt, types their username and password — and hands them directly to an attacker. The fake login then displays an error message and quits, leaving the real login screen to appear. The user assumes they mistyped something and logs in normally. They never know their credentials were stolen.
The Human Problem: Passwords
Despite the sophistication of OS security features, one of the most persistent
vulnerabilities is human behavior around passwords. The technical complexity of
a system can be completely undermined by a user who chooses password123
as their password or writes their credentials on a sticky note attached to their
monitor.
Common password mistakes include:
- Choosing passwords based on easily discoverable personal information (names, birthdays, pet names)
- Using the same password across multiple accounts
- Sharing passwords with colleagues or friends
- Failing to change passwords after a suspected compromise
- Using short passwords that can be exhaustively guessed by automated software
What Makes a Password Strong?
A strong password is one that resists two attack strategies: guessing (trying likely passwords based on knowledge of the user) and brute force (systematically trying every possible combination). Modern automated attack software can try billions of password combinations per second, which means short passwords — even "random-looking" ones — can be cracked quickly.
The most effective defense against brute force is length. A longer password exponentially increases the number of combinations an attacker must try. A password made of four random common words (a "passphrase") can be both easier to remember and harder to crack than a short string of random characters.
Beyond length, strong passwords avoid dictionary words used alone, use a mix of character types (uppercase, lowercase, digits, symbols), and are unique to each account. The challenge, of course, is that humans are not good at generating or remembering many such passwords — which is why password managers (software that generates and securely stores complex passwords) are now widely recommended.
A memorable example: One computer science textbook describes
a house-sitting scenario involving feeding dog biscuits to feral raccoons and
applying mayonnaise to houseplant leaves to make them shiny. The resulting
password Racc00nTreat&May0Sh1n3 was easy to remember (it told
a story) but hard to guess. The principle: a password derived from a vivid,
specific, personal narrative can be both memorable and secure.
Password Policies in Institutions
Most organizations with significant computer infrastructure enforce password policies: minimum length requirements, complexity rules, mandatory periodic changes, and prohibition of password reuse. Schools are no exception — if your district has a policy requiring you to change your password every 90 days and forbidding you from reusing your last five passwords, that policy exists because human nature, left to itself, tends toward convenience over security.
Multi-Factor Authentication
A password alone is a single point of failure. If it is guessed, stolen, or leaked, the account is compromised. Multi-factor authentication (MFA) addresses this by requiring more than one piece of evidence before granting access.
Authentication factors fall into three categories:
| Factor Type | What It Is | Examples |
|---|---|---|
| Something you know | Knowledge that only the legitimate user should have | Password, PIN, security question answer |
| Something you have | A physical object in the user's possession | Smartphone (for a texted code), hardware security key, ATM card |
| Something you are | A biometric characteristic unique to the user | Fingerprint, face recognition, retinal scan, voice pattern |
The most common form of MFA in everyday use is two-factor authentication (2FA): a password (something you know) plus a one-time code sent to a smartphone (something you have). Even if an attacker obtains the password, they cannot log in without also having physical access to the user's phone.
MFA is not foolproof. Attackers have found ways to intercept texted codes, trick users into approving fraudulent login attempts, or social-engineer customer service representatives into changing account phone numbers. But MFA dramatically raises the difficulty of unauthorized access, and its adoption has significantly reduced account compromise rates even when passwords are leaked.
For K–12 teachers: If your school or district uses Google Workspace or Microsoft 365, you may already use MFA every time you log in from a new device. The "check your phone for an approval request" step is exactly the "something you have" factor in action. It is worth explaining this to students — many use it daily without knowing what it is or why it exists.
What Comes Next
Controlling who gets into the system is essential, but it is not sufficient. Once someone is inside — whether a legitimate user, a compromised account, or a malicious process — the OS must still enforce boundaries on what they can do. Reading 2 examines how the OS and CPU work together to contain processes within their permitted boundaries, and what happens when those boundaries are breached.