1 / 24

Host Hard ening

Host Hard ening. Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment. (March 19, 2014). © Abdou Illia – Spring 2014. Computer system #1. Intel® Core® i7 Processor (3.20GHz)

cais
Télécharger la présentation

Host Hard ening

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Host Hardening Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment (March 19, 2014) © Abdou Illia – Spring 2014

  2. Computer system #1 • Intel® Core® i7 Processor (3.20GHz) • 2GB SDRAM PC3200 (800MHz), Dual Channel • 1TB Serial ATA 7200rpm Hard Disk Drive • 16x Multi-Format DVD Writer (DVD±R/±RW) • Gateway 7-Bay Tower Case • Integrated Ultra ATA Controller • (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use • (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2 • 20" Black LCD Flat Panel Display (19" viewable) • Gateway Premium 104+ Keyboard • Two-Button PS/2 Wheel Mouse • Napster 2.0 and 150 Song Sampler • Intel® High Definition Audio • GMAX 2100 2.1 Speakers with Subwoofer • 56K PCI data/fax modem • 10/100/1000 (Gigabit) Ethernet • Microsoft Office 2010 Professional on DVD

  3. Computer Hardware & Software Productivity Software Operating System Computer Hardware

  4. Computer system #2 • Intel® Core® i7 Processor (3.20GHz) • 2GB SDRAM PC3200 (800MHz), Dual Channel • 1TB Serial ATA 7200rpm Hard Disk Drive • 16x Multi-Format DVD Writer (DVD±R/±RW) • Gateway 7-Bay Tower Case • Integrated Ultra ATA Controller • (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use • (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2 • 20" Black LCD Flat Panel Display (19" viewable) • Gateway Premium 104+ Keyboard • Two-Button PS/2 Wheel Mouse • Napster 2.0 and 150 Song Sampler • Intel® High Definition Audio • GMAX 2100 2.1 Speakers with Subwoofer • 56K PCI data/fax modem • 10/100/1000 (Gigabit) Ethernet • Windows 7 Professional • Google Chrome 16 installed • Microsoft Office 2010 Professional installed

  5. Computer Hardware & Software Web browserProductivity Software Operating System Computer Hardware

  6. Computer system #3 • Intel® Core® i7 Processor (3.20GHz) • 2GB SDRAM PC3200 (800MHz), Dual Channel • 1TB Serial ATA 7200rpm Hard Disk Drive • 16x Multi-Format DVD Writer (DVD±R/±RW) • Gateway 7-Bay Tower Case • Integrated Ultra ATA Controller • (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use • (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2 • 20" Black LCD Flat Panel Display (19" viewable) • Gateway Premium 104+ Keyboard • Two-Button PS/2 Wheel Mouse • Napster 2.0 and 150 Song Sampler • Intel® High Definition Audio • GMAX 2100 2.1 Speakers with Subwoofer • 56K PCI data/fax modem • 10/100/1000 (Gigabit) Ethernet • Windows Server 2008 Enterprise installed • Internet Explorer 8 installed • IIS 6.0 installed

  7. Web service software (IIS, Apache, ...)Web browserProductivity Software Client & server application programs Operating System Computer Hardware Computer Hardware & Software

  8. Your knowledge about Host hardening • Which of the following is most likely to make a computer system unable to perform any kind of work or to provide any service? • Client application programs get hacked • Server application programs (web service software, database service, network service, etc.) get hacked • The operating system get hacked • The connection to the network/Internet get shut down

  9. OS Vulnerability test2010 by omnired.com • OS tested: • Win XP, Win Server 2003, Win Vista Ultimate, • Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger • FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10 • Tools used to test vulnerabilities: • Scanning tools (Track, Nessus) • Network mapping (Nmap command) • All host with OS installation defaults • Results • Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities and allow for executing malicious code • The UNIX and Linux variants present a much more robust exterior to the outside • Once patched, however, both Windows and Apple’s OS are secure. OS market share

  10. Your knowledge about Host hardening • You performed an Out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure ? • Windows XP • Linux FreeBSD 6.2 • They will have the same level of security • What needs to be done, first, in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet? • Lock the server room • Configure the firewall to deny all inbound traffic to the server • Download and install patches for known vulnerabilities

  11. Security Baseline • Because it’s easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: standard security baseline • Need to have different security baseline for different kind of host; i.e. • Different security baselines for different OS and versions • Different security baselines for different types of server applications (web service, email service, etc.) • Different security baselines for different types of client applications.

  12. Options for Security Baselines • Organization could use different standards • OS vendors’ baselines and tools • e.g. Follow MS Installation procedure and use Microsoft Baseline Security Analyzer (MBSA) • Standards Agencies baselines • e.g. CobiT* Security Baseline • Company’s own security baselines • Security Baseline to be implemented by • Server administrators known as systems admin * Control Objectives for Information and Related Technology

  13. Elements of Hardening • Physical security • Secure installation and configuration • Fix known vulnerabilities • Remove/Turn off unnecessary services (applications) • Harden all remaining applications • Manage users and groups • Manage access permissions • For individual files and directories, assign access permissions to specific users and groups • Back up the server regularly • Advanced protections According to baseline

  14. Example of Security Baseline for Win XP Clients • OS Installation • Create a single partition on HDD • Format disk using NTFS file system • Install Win XP and Service Pack 3 • Fixing OS vulnerabilities • Download and install latest patches • Turn on Windows’ Automatic Updates checking • Configure Windows Firewall • Block incoming connections except KeyAccess and Remote Assistance • Turn off unnecessary services • Turn off Alerter, Network Dynamic Data Exchange, telnet • Application Installation • Centrally assign applications using group policies • Fixing applications’ vulnerabilities • Turn on each application’s automatic update checking

  15. Hardening servers • The 5 P’ s of security and compliance: Proper Planning Prevents Poor Performance • Plan the installation • Identify • The purpose of the server. Example: provides easy & fast access to Internet services • The services provided on the server • Network service software (client and server) • The users or types of users of the server • Determine • Privileges for each category of users • If and how users will authenticate • How appropriate access rights will be enforced • Which OS and server applications meet the requirements • The security baseline(s) for installation & deployment • Install, configure, and secure the OS according to the security baseline • Install, configure, and secure server software according to sec. baseline • Test the security • Add network defences • Monitor and Maintain

  16. Hardening servers (cont.) • Choose the OS that provides the following: • Ability to restrict admin access (Administrator vs. Administrators) • Granular control of data access • Ability to disable services • Ability to control executables • Ability to log activities • Host-based firewall • Support for strong authentication and encryption • Disable or remove unnecessary services or applications • If no longer needed, remove rather than disable to prevent re-enabling • Additional services increases the attack vector • More services can increase host load and decrease performance • Reducing services reduces logs and makes detection of intrusion easier

  17. Hardening servers (cont.) • Configure user authentication • Remove or disable unnecessary accounts (e.g. Guest account) • Change names and passwords for default accounts • Disable inactive accounts • Assign rights to groups not individual users • Don't permit shared accounts if possible • Configure time sync • Enforce appropriate password policy • Use 2-factor authentication when necessary • Always use encrypted authentication

  18. UNIX / Linux Hardening • Many versions of UNIX • No standards guideline for hardening • User can select the user interface • Graphic User Interface (GUI) • Command-Line Interfaces (CLIs) or shells • CLIs are case-sensitive with commands in lowercase except for file names

  19. UNIX / Linux Hardening • Three ways to start services • Start a service manually (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so • Using the inetd program to start services when requests come in from users • Using the rc scripts to start services automatically at boot up Inetd = Internet daemon; i.e. a computer program that runs in the background

  20. UNIX / Linux Hardening • Starting services upon client requests • Services not frequently used are dormant • Requests do not go directly to the service • Requests are sent to the inetd program which is started at server boot up Program A 1. Client Request To Port 123 4. Start and Process This Request Program B inetd Program C 2. Port 123 Program D 3. Program C Port 23 Program A Port 80 Program B Port 123 Program C Port 1510 Program D /etc/inetd.config

  21. UNIX / Linux Hardening • Turning On/Off unnecessary Services In UNIX • Identifying services running at any moment • ps command (process status), usually with –aux parameters, lists running programs • Shows process name and process ID (PID) • netstat tells what services are running on what ports • Turning Off Services In UNIX • kill PID command is used to kill a particular process • kill 47 (If PID=47)

  22. Advanced Server Hardening Techniques • File Integrity Checker • Creates snapshot of files: a hashed signature (message digest) for each file • After an attack, compares post-hack signature with snapshot • This allows systems administrator to determine which files were changed • Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

  23. Advanced Server Hardening Techniques Reference Base File 1 File 2 … Other Files in Policy List File 1 Signature File 2 Signature … … 1. Earlier Time Tripwire 3. Comparison to Find Changed Files Post-Attack Signatures File 1 File 2 … Other Files in Policy List File 1 Signature File 2 Signature … … 2. After Attack Tripwire File Integrity problem: many files change for legitimate reasons. So it is difficult to know which ones the attacker changed.

  24. Other types of host that can be Hardened • Internetwork Operating System (IOS) • For Cisco Routers, Some Switches, Firewalls • Even cable modems with web-based management interfaces

More Related