1 / 29

Windows Desktop Security

Windows Desktop Security.  Assign a good & difficult administrator password.  Don’t ever enable the password remember option.  If a machine is cracked/lost, change all passwords.  Use & update Anti-virus s/w (e.g. AVG) regularly.  Set up automatic updating on a regular basis.

marshallgreer
Télécharger la présentation

Windows Desktop Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windows Desktop Security  Assign a good & difficult administrator password.  Don’t ever enable the password remember option.  If a machine is cracked/lost, change all passwords.  Use & update Anti-virus s/w (e.g. AVG) regularly  Set up automatic updating on a regular basis  Schedule Virus Scans automatically.  Use Good spy removal software  Microsoft antispy or Spybot destroyer  Take the backup of Registry. Run regedit  Control Panel   Add / Rem S/w   remove  my Search Bar, Date manager  weather tool, Bonzy Buddy etc,

  2. Windows Desktop Security  Keep OS up to date  Visit http://windowsupdate.microsoft.com regularly  Start  Settings  Control Panel  Automatic Updates  Install & run 'Critical Update Notification' patch.  Automatically checks and notifies about patches.  Keep your applications updated:  Update Web browsers and word processing applns.  Decide if the upgrade is appropriate for your h/w.  Backup your files:  Have critical files on any machine which is backed up.  Back up the entire system on a regular basis.

  3. WDS - Risk of File Sharing  Reduce sharing files thru floppies.  Don’t open doubtful (.scr,.pif,.exe) attachments in mails.  Accessing a file over a n/w neighborhood.  Keep physical control of m/c & limit access to your system  Disable File and Print sharing button  Control Panel  N/w  LAN  Prop  F & P Sharing  Don't ever share the entire C: drive.  Share only the folder having files to be shared.  Establish a good password for shared access.  Enable sharing on IPX/SPX protocol instead of TCP/IP.  N/w  Prop  F&P Shg  Install  Protocol  IPX  N/w  Prop  Advanced  Advanced Settings Adapters & Bindings  F&P Shg  IPX/SPX  http://www.tifr.res.in/~cc/ipx.htm

  4. Windows Desktop Security  DO NOT say yes to all questions while browsing.  Use Personal firewalls :  Norton internet security,  Zone Alarm or  Sygate personal firewall etc  Check what all Ports your PC is listening.  Usually 10-15 TCP/UDP ports will be listening.  Unusual: Series of high no. ports opening to some particular IP Sign of Virus/Spy  Remove the application not installed by you.  Download and run Microsoft's BSA  Ref: Google  ”Securing windows”

  5. C:\>netstat -an |more Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:7 0.0.0.0:0 LISTENING TCP 0.0.0.0:9 0.0.0.0:0 LISTENING TCP 0.0.0.0:13 0.0.0.0:0 LISTENING TCP 0.0.0.0:17 0.0.0.0:0 LISTENING TCP 0.0.0.0:19 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING TCP 0.0.0.0:1035 0.0.0.0:0 LISTENING TCP 0.0.0.0:1730 0.0.0.0:0 LISTENING TCP 0.0.0.0:1731 0.0.0.0:0 LISTENING TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING Proto Local Address Foreign Address State UDP 0.0.0.0:7 *:* UDP 0.0.0.0:9 *:* UDP 0.0.0.0:13 *:* UDP 0.0.0.0:17 *:* UDP 0.0.0.0:19 *:* UDP 0.0.0.0:500 *:* UDP 0.0.0.0:1028 *:* UDP 0.0.0.0:1029 *:* UDP 0.0.0.0:1058 *:* UDP 0.0.0.0:1289 *:* UDP 127.0.0.1:123 *:* UDP 127.0.0.1:1900 *:* UDP 127.0.0.1:2282 *:* UDP 158.144.49.8:123 *:* UDP 158.144.49.8:1900 *:*

  6. Overview Advantage Linux Threats to Linux machines. Securing Linux better.   

  7. Advantage Linux  User vs. administrator  Only root can install software or change system settings.  More difficult for viruses to spread.  Commands, utilities, even the desktop run separately from the Kernel.  Security updates are easier, quicker to deploy.

  8. Threats to Linux machines  Reasons for Break-in.  Loose Passwords  Improper Permissions  Careless Security  Unwanted Vulnerable Services  Brute force password attacks  Buffer overflows in network services.  int main () {int buffer[10];  Aim: overwrite some control information to change the flow of control in the program. buffer[20]=10;}

  9. Securing Linux Secure the console Set good passwords Set right permissions Secure the network connection Restrict Access Iptables Firewalls, Ports & Services Handling / Restricting Services Adding security to desktop 10. Keep the system up to date 1. 2. 3. 4. 5. 6. 7. 8. 9.

  10. Securing the console  Physical Security  Password protect the screensaver.  Set a password on the boot loader (lilo / grub).  Use xlock or xautolock while away.  Do NOT normally login as root in own machine.  Set BIOS Password.  Machine in safe location.  Set boot hierarchy to HDD first (not CD,HDD).  Restrict Remote access.  Set up an idle timeout, to logout idle users.

  11. Passwords Use strong, unique passwords (especially for root) Must have a minimum length of 8 characters. Must be alpha-numeric not based on dictionary words. Password must be changed every 30 days. Account will be locked out after 3 consecutive unsuccessful login attempts. Don’t write down passwords or User-id & password. Passwords must contain multiple characters (Lower / Upper Case, numbers, punctuation etc.) Root password should be very hard to crack.        

  12. Permissions  Correct permissions & ownerships on all directories & files.  Never make files world-writable / world readable.  Search for world-writable files in pwd  find . -perm -2 -print  Improper file permissions in /dev : read/write directly to hardware like hard disks and network interfaces.  /dev files should only be writable by root & readable only by their group  Exception : /dev/tty, /dev/pty, /dev/null, /dev/zero.  find /dev -perm -2 -print  chmod -R 700 /etc/rc.d/init.d/*  Lock the /etc/services file so that no one can modify it

  13. Securing the Network  Remove all unwanted users and groups.  Enable nospoof option in /etc/host.conf.  Don't create /etc/hosts.equiv or a .rhosts file  Don't run rlogind or rshd. (pw in plain text)  Run sshd to allow remote access via SSH  Use TCP Wrappers “tcpd”  Use /etc/hosts.deny & /etc/hosts.allow  hosts.allow overrides hosts.deny  Disable unwanted services thru xinetd.conf also  Ref: man hosts_access  http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm  http://www.userlocal.com/security/securinginetdetc.php

  14. More of /etc/access.[allow|deny]  /etc/hosts.deny  Only Local host allowed access  ALL:ALL  /etc/hosts.allow  sshd: ALL @.tifr.res.in  ALL: .tifr.res.in EXCEPT xyz.tifr.res.in  Allow localhost  ALL : 127.0.0.1  Allow another m/c to connect to any service  ALL : 192.168.1.2  Let all ssh except 192.168.1.3 and 192.168.1.4  sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4

  15. Firewalls  Hardware firewall - A device between Internet & LAN.  Software firewall: Software on a desktop/server that rejects certain types of network traffic.  Consider implementing a firewall. man iptables  Restrict n/w traffic to a machine or network segment.  Improves security and network performance.  Why do I need a software firewall?  Protects the m/c even if the h/w firewall is compromised.  Protects the m/c against compromised m/c s on n/w.  When can't one use a firewall?  Some services (like Samba) may use unspecified ports.  Some applications want to use arbitrary ports.

  16. Iptables  System Settings > Security Level  System Settings > Server Settings > Services  Activate iptables in runlevels 3 & 5  Chains: INPUT, OUTPUT,FORWARD.  Effects : ACCEPT, DENY, DROP  List all iptables rules  # iptables –L  # iptables -A INPUT -s <SIP> -j DROP  # iptables -D <Chain name> <Rule no>

  17. Iptables (Contd…)  Drop all incoming telnet packets  # iptables -A INPUT -j DROP -p tcp --destination-port telnet  Block any incoming tcp packets on 2nd Eth card (eth1)  # iptables -A INPUT -j DROP -p tcp -i eth1  Drop incoming sync ie. anything not initiated by our PC  # iptables -A INPUT -p tcp --syn -j DROP  Block by mac address  iptables -A INPUT --mac-source 00:0B:DB:45:56:42 -j DROP  Ref:  http://www.cae.wisc.edu/site/public/?title=liniptables  http://www.redhat.com/docs/manuals/enterprise/RHE L4Manual/refguide/chiptables.html

  18. Ports  What are ports?  Network connection analogous to a lane highway.  Each type of traffic needs to be in its own lane  A port is analogous to a lane on the highway; different types of traffic (http, ftp, ssh, etc.) use different ports (80,21,22 etc)  What ports need to be open?  Open the ports for services you need to use and/or offer others.  SSH (remote access to your machine): 22  FTP (file sharing server): 21  Web server: 80  X (display graphics on remote machines): 6000  See /etc/services for an exhaustive list.  Close unused ports/terminate unwanted services.

  19. Services / Daemons  Services :  Special applications that start before any login  Web server (httpd or Apache)  File services (samba, NFS, ftpd)  Print services (lpd, CUPS)  Remote access (telnetd, sshd, vncserver)  Management tools (crond, rhnsd)  Why can services be dangerous?  Many services offer themselves to local & remote m/c s  If a flaw exists in the program providing the service, an attacker can exploit this flaw and break into the machine  RULE: don't run any services you don't need.  RULE: if you're running a service, restrict access possible.

  20. Handling Services  How services work ?  1 -- singleuser mode  2 -- multi-user without networking  3 -- normal multi-user text mode  4 -- custom runlevel, not normally used  5 -- normal multi-user, graphical desktop  Default level is chosen in /etc/inittab  How are Services started ?  /etc/inittab (startup configuration file)  /etc/rc.d/rc.sysinit (configuration file)  /etc/rc.d/rcN.d  xinetd (service that starts network services as u need)  Identify running services using redhatconfigservices OR /usr/sbin/ntsysv OR /sbin/chkconfig list

  21. Restricting Services  What services are unnecessary & how to stop ?  Use ssh instead of the r* services (rlogin, rsh, etc.)  telnet, ftp, NFSrelated services (portlock, nfslock, netfs)  Substitute for ftp -- use scp and sftp  sendmail – can use SMTP server (mailhost.tifr.res.in)  redhatconfigservices : Highlight service & Stop  Uncheck the service not required for each run level.  Use /usr/sbin/ntsysv OR  /etc/rc.d/init.d/servicename stop OR  /sbin/chkconfig service off commands.  Secure each service using its configuration files.

  22. Adding Security to Desktop  Prevent remote root login.  Login as a real user and then su to root.  /etc/securetty has no entry starting "ttyp" / "pts".  /etc/sshd_config change PermitRootLogin "no".  Insert StrictHostKeycheck in /etc/sshd_config.  Turn off / uninstall all unwanted services  chkconfig --list | grep on  Turn off boot time “ON” of unwanted services  e.g.: exec, finger, ftp, httpd, login, lpd, nfs, ntalk, rexd, sendmail, shell, talk, telnet, tftp, uucp etc  chkconfig uucp off  Use SSH rather than the "r*" commands  ssh -l id remotehost : secure remote login (rlogin / telnet).  ssh -l id remotehost command :issue remote command (rsh).  scp localfile id@remotehost:remotefile : secure copy (rcp).

  23. Adding Security to Desktop (Contd..)  Disable unwanted suid and sgid files  find -type -perm -04000 -o perm 02000.  Eg.: gpasswd, wall, and traceroute  Install sxid to keep an eye on suid and sgid scripts.  http://linux.cudeso.be/linuxdoc/sxid.php  Install libsafe  Protects against Buffer Overflow Attacks in Process stacks  Install tmpwatch to delete the unused files from /tmp  Check for unwanted scripts in /root, /usr/local, /var/spool/mbox.

  24. Adding Security to Desktop (Contd..)  Check your machine's uptime: uptime  Linux doesn't crash or reboot under normal conditions.  If rebooted, try to find out the actual reason behind it  Take regular backups  Use rpm -Va to find out if an rpm is modified.  Apply security patches / upgrade vulnerable software  patch -p1 < patch file  Check system logs (eg: /var/log/messages, /var/log/secure)  Detect Intrusions with proper tools  Use Tripwire / aide to detect unauthorized changes to files.  System logs should be checked regularly for any trouble.  Install a log-checking tool. Freeware: webalizer, awstats  Do penetration test with tools like nessus, nikto, and nmap and see how well your machine is secured.

  25. System up2date  Install system updates as soon as they become available.  Register system with RedHat N/w: /usr/sbin/rhn_register  Config up2date :: up2date-config  update up2date itself :: up2date u up2date  Update a package using up2date u “packagename”  Updating Everything :: up2date update  Create a cron job to run up2date every night.  # mkdir /redhat to mount the Red Hat mirror.  Automount redhat mirror at boot in /etc/fstab  linuxserver:/redhat /redhat nfs intr, bg 0 0  Run script /usr/sbin/getupdates in crontab Monday midnight  0 0 * * 1 /usr/sbin/getupdates  0 min 0 hr All months

More Related