Lesson 14 - Security Baselines
Background
Securing systems effectively and consistently requires a structured and logical approach called baselining:
• Examining the intended functions and capabilities of the system.
• Determining the processes and applications running on the system.
• Removing or disabling anything that is not required.
• Applying appropriate patches, hotfixes, and settings to protect and secure the system.
• Any similar system can then be built from the same baseline, so every instance starts from a known, consistent configuration.
Password Policy Guidelines
• A password policy should be created, distributed and enforced for system administrators and users.
• Password rules:
  • Set a minimum length (8 characters in this lesson; longer is better, since length adds more strength than additional character classes).
  • Implement password aging (30 - 90 days). Caveat: current NIST SP 800-63B guidance recommends expiring passwords only on evidence of compromise, because forced rotation pushes users toward predictable incremental changes.
  • Do not accept passwords based on dictionary words, including words with common character substitutions.
  • Do not allow users to reuse passwords.
  • Audit password files with popular password-cracking utilities on a regular basis (with written authorization).
  • A password should never be the same as the login name or contain the login name.
  • It should not contain the user's first or last name, family members' names, birth dates, pet names, or any other item that is easily associated with the user.
  • It should contain at least three of the following four elements:
    • One or more uppercase letters (A - Z)
    • One or more lowercase letters (a - z)
    • One or more numerals (0 - 9)
    • One or more special characters or punctuation marks (!@#$%^&*,.:;?)
Selecting a Password
• There are several methods of selecting a password, ranging from random generation to one-time passwords.
• The best compromise between security and usability is deriving a password from a passphrase:
  • Take the first letter of each word in a sentence.
  • Take the first letter from the first word, the second letter from the second word, and so on.
  • Combine words.
  • Replace letters with other characters.
• Sentence 1: I love to drive my 1969 Mustang! Password: Iltdm69M!
• Sentence 2: Bad to the Bone Password: Bad2theB1
• Check the result against the policy: both examples have at least three of the four character classes and contain no dictionary word or personal name. Well-known substitutions (2 for "to", 1 for "l", @ for "a") are in every cracking tool's rule set, so the strength comes from the sentence being private, not from the substitutions.
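A checker for the rules in the two password slides above, added here as an example (it is not part of the lesson). It applies the length, character-class, login-name, personal-data, dictionary and reuse rules to a candidate, undoing common leet substitutions before the dictionary lookup as a cracker would. The wordlist and the profile fields are constructed stand-ins for a real dictionary file and directory record.

```python
import re

# Rules from the lesson's password policy. DICTIONARY and the profile data
# passed by callers are constructed examples, not a real wordlist.
MIN_LENGTH = 8
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[!@#$%^&*,.:;?]"),
}
DICTIONARY = {"password", "mustang", "welcome", "summer", "dragon"}

# Substitutions crackers undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Lower-case, undo leet substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, login, profile=(), history=()):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append(f"only {len(present)} of 4 character classes ({', '.join(present)})")
    lowered = password.lower()
    if login.lower() in lowered:
        problems.append("contains the login name")
    for item in profile:
        if item and item.lower() in lowered:
            problems.append(f"contains personal data '{item}'")
    base = normalize(password)
    hits = sorted(w for w in DICTIONARY if len(w) >= 4 and w in base)
    if hits:
        problems.append("based on dictionary word(s): " + ", ".join(hits))
    if password in history:
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    # The two passphrase-derived passwords from the lesson pass; the others do not.
    for pw in ("Iltdm69M!", "Bad2theB1", "Passw0rd!", "jsmith2024!"):
        print(pw, "->", check_password(pw, "jsmith", profile=["John", "Smith", "1969"]) or "OK")
```

The leet normalization is what turns "Passw0rd!" (which satisfies all four character classes) into a rejection: composition rules alone do not stop dictionary-based passwords.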
Hardening Operating Systems
• Hardening the operating system is the first step toward safeguarding systems from intrusion.
• Minimize the potential avenues of attack (the attack surface): password guessing, buffer overflows, non-essential tools and utilities that ship on new computers, and so on.
• The hardening process then ensures that all appropriate security features are activated and configured correctly.
• Some vendors now recognize that a market exists for pre-hardened systems; see Trusted Operating Systems.
Hardening Windows
• This lesson's hardening guidance for Microsoft systems focuses on Windows NT and the Windows XP family of operating systems.
• Older Microsoft operating systems, such as Windows 3.11, Windows 95, Windows 98, and Windows ME, were designed with few security capabilities.
• Steps recommended by Microsoft's security team include: host firewalls, service packs, securing accounts, antivirus, VPN for remote access, disabling unused services, a BIOS password, the NTFS file system, booting only from the C: drive, segmenting the network with VLANs, backups, and closing unused ports.
Windows Security Checklist
• Use NTFS permissions.
• NTFS permissions (none, read, write, execute, delete, change permissions, and take ownership) can be applied to files and directories.
• Verify that the "superuser" account has a strong password: the "Administrator" account on Windows and the "root" account on UNIX systems.
Windows Security Checklist - Accounts
• Disable or delete unnecessary accounts.
• Make sure the Guest account is disabled.
• The Administrator account can be renamed to something that does not indicate it is the administrator-level account. Note that its well-known relative identifier (RID 500) still identifies it to anyone who can enumerate accounts, so renaming is obscurity, not a control.
• Restrict anonymous connections with the Local Security Policy.
• Unbind File and Printer Sharing from interfaces that do not need it, to prevent accidental sharing of directories and files.
Windows Security Checklist - Access Control Lists (ACLs)
• Operating systems can restrict access to files and directories by using access control lists (ACLs).
• An ACL is a list of permissions that controls who may read, write, modify, delete, or otherwise access a specific file or directory.
Windows Security Checklist - Password and Lockout Policy
• Set stronger password and account lockout policies using the Local Security Policy:
  • Account Lockout Duration (how long the account stays locked)
  • Account Lockout Threshold (number of failed logons before the account is locked)
  • Reset Account Lockout Counter After (the window in which failed logons are counted)
• Caveat: a very low threshold lets an attacker who knows user names lock accounts deliberately (a denial of service), so pair lockout with monitoring of failed logons rather than relying on the threshold alone.
Windows Security Checklist
• Use VPNs for remote access.
• Install antivirus software and keep its updates current.
• The Internet Information Server (IIS) Lockdown Tool helps secure IIS servers from attack.
• Like any operating system baselining process: remove unnecessary components and services; restrict and limit access to files and directories; apply the latest patches.
• Protect the Registry from anonymous access. In the Windows versions this lesson covers, remote access to the registry is not restricted by default; restrict it through the permissions on the winreg key (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg) or disable the Remote Registry service where it is not needed.
Windows Security Checklist - Logging
• The Microsoft checklist does not cover logging: logins, program executions, and file or directory modifications.
• Windows keeps three event logs: the Application log, the Security log, and the System log.
• Determining logging and auditing requirements is part of the baselining process. Decide:
  • Which events to record.
  • What the records will be used for.
  • When and how to examine the records.
  • How long to maintain the records.
• Audit settings that are never reviewed provide no detection: the Security log is only useful if failed and successful logons are actually examined against the lockout thresholds chosen in the policy.
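The lockout slide and the logging slide above describe the same data from two sides: the threshold and reset window decide when an account locks, and the Security log records the failed logons that feed that counter. The example below, added here and not part of the lesson, replays both over a constructed sample of Security-log entries. Event IDs 4625 (failed logon) and 4624 (successful logon) are the Security-log IDs on Windows Vista and later (529/528 on the NT/XP-era systems the lesson covers); the tuple layout of the sample is an assumption for the example, not Microsoft's native log format. It also shows the case the threshold alone misses: a password spray that tries one password against many accounts and never trips any single counter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log sample: (timestamp, event ID, account, source IP).
# 4625 = failed logon, 4624 = successful logon (Vista and later IDs).
SAMPLE_EVENTS = [
    ("2024-03-01 09:00:05", 4625, "alice", "10.0.0.7"),
    ("2024-03-01 09:00:12", 4625, "alice", "10.0.0.7"),
    ("2024-03-01 09:00:20", 4625, "alice", "10.0.0.7"),
    ("2024-03-01 09:00:31", 4625, "alice", "10.0.0.7"),
    ("2024-03-01 09:00:44", 4625, "alice", "10.0.0.7"),
    ("2024-03-01 09:05:00", 4625, "bob", "10.0.0.8"),
    ("2024-03-01 09:50:00", 4625, "bob", "10.0.0.8"),
    ("2024-03-01 10:40:00", 4625, "bob", "10.0.0.8"),
    ("2024-03-01 10:41:00", 4624, "bob", "10.0.0.8"),
    ("2024-03-01 11:00:00", 4625, "carol", "203.0.113.9"),
    ("2024-03-01 11:00:10", 4625, "dave", "203.0.113.9"),
    ("2024-03-01 11:00:20", 4625, "erin", "203.0.113.9"),
    ("2024-03-01 11:00:30", 4625, "frank", "203.0.113.9"),
    ("2024-03-01 11:00:40", 4625, "grace", "203.0.113.9"),
    ("2024-03-01 11:00:50", 4625, "heidi", "203.0.113.9"),
]


def parse_events(rows):
    """Turn the constructed rows into (datetime, event_id, account, source) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, src)
            for ts, eid, acct, src in rows]


def lockouts(events, threshold=5, reset_after=timedelta(minutes=30)):
    """Replay Account Lockout Threshold / Reset Counter After over the log.

    Returns {account: time of lockout}. A successful logon clears the counter,
    as Windows does; failures older than reset_after fall out of the window.
    """
    recent = defaultdict(list)   # account -> timestamps of counted failures
    locked = {}
    for ts, eid, acct, src in sorted(events):
        if eid == 4624:
            recent[acct].clear()
            continue
        if eid != 4625:
            continue
        window = [t for t in recent[acct] if ts - t < reset_after]
        window.append(ts)
        recent[acct] = window
        if len(window) >= threshold and acct not in locked:
            locked[acct] = ts
    return locked


def spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources whose failures hit many distinct accounts inside one window.

    Each account sees only one failure, so lockout never fires; grouping by
    source instead of by account is what exposes the pattern.
    """
    by_src = defaultdict(list)
    for ts, eid, acct, src in events:
        if eid == 4625:
            by_src[src].append((ts, acct))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            accounts = {a for t, a in hits[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                found[src] = len(accounts)
                break
    return found


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("locked out:", lockouts(events))          # alice only
    print("spray sources:", spray_sources(events))  # 203.0.113.9 against 6 accounts
```

bob's three failures are spread over hours and separated by a successful logon, so the counter never reaches the threshold; that is the reset window working as designed, not a detection gap. The spray from 203.0.113.9 is the gap, and the reason the logging decision ("which events to record, when and how to examine them") matters as much as the lockout setting.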
Windows Security Checklist - Services
• Disable unnecessary services.
• Any service not required to support the function of the server should be disabled or completely removed from the system.
• Use the Services utility (services.msc on Windows 2000 and later; Control Panel > Services on NT 4) to stop or start specific services, and set the startup type to Disabled for services that should not be running on the system, so they do not return at the next boot.
General UNIX Baselines
• General UNIX baselining is the same as for Windows operating systems:
  • Disable unnecessary services.
  • Restrict permissions on files and directories.
  • Remove unnecessary software.
  • Apply patches.
  • Remove unnecessary users.
  • Apply password guidelines.
• Unlike Windows, UNIX systems have run levels: the system can be configured to bring up different services depending on the run level selected, so the services started at each run level the system actually boots into must be checked.
General UNIX Baselines
• User information is stored in the /etc/passwd file (with the password hashes in /etc/shadow on systems that use shadow passwords).
• User accounts can be added, deleted, or modified by editing this file; the vipw, useradd, usermod and userdel tools do the same with proper locking.
• If a user account is removed from the passwd file, the files belonging to that user must be removed manually: they stay on disk owned by the now-unassigned UID (find / -nouser lists them) and would become the property of any new account later created with that UID.
• The processes, applications, and services that are running can be seen with the process status command, ps. Note the process identifier (PID) of anything that should not be running, stop it with the kill command, and then disable its startup script so it does not return at the next boot.
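An audit of the passwd file along the lines the slide describes, added here as an example (not part of the lesson): it parses a constructed /etc/passwd, flags the conditions a reviewer looks for (extra UID-0 accounts, empty password fields, shared UIDs) and reports files whose owner no longer exists, which is what `find / -nouser` finds on a real host. The file contents and the (path, owner UID) list are constructed for the example.

```python
from collections import defaultdict

# Constructed /etc/passwd contents (name:password:UID:GID:GECOS:home:shell).
# "x" means the hash lives in /etc/shadow; an empty field means no password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
oldsvc:x:1000:1000:legacy service:/opt/oldsvc:/bin/sh
"""

# Constructed (path, owner UID) pairs standing in for a walk of the file system.
SAMPLE_FILES = [
    ("/home/alice/.bashrc", 1000),
    ("/var/tmp/report.csv", 1002),   # owner was deleted from passwd
    ("/opt/oldsvc/run.sh", 1000),
]


def parse_passwd(text):
    """Split passwd lines into dicts; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(entries):
    """Return human-readable findings, in file order then by UID."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 account other than root")
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field, no password required")
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


def orphaned_files(entries, files):
    """Files owned by a UID that no passwd entry claims (what find -nouser reports)."""
    known = {e["uid"] for e in entries}
    return [path for path, uid in files if uid not in known]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for finding in audit_passwd(entries):
        print("finding:", finding)
    print("orphaned:", orphaned_files(entries, SAMPLE_FILES))
```

The shared-UID check matters for the same reason as the orphaned-file check: permissions are evaluated by numeric UID, so two names on UID 1000 are one identity to the kernel, and a deleted user's files silently belong to whoever inherits the number.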
Mac OS X
• The same rough guidelines for all UNIX systems apply to Mac OS X, since Mac OS X is a UNIX variant.
• Disable unnecessary services, such as web, mail, and FTP; any service that must stay enabled must be properly configured and secured.
• Mac OS X simplifies identifying and disabling unwanted services compared with other operating systems, because Apple placed the service switches and the firewall settings together in the Sharing preference pane.
• By default, Mac OS X limits a user's ability to access or modify areas of the file system, including those containing system binaries.
• These restrictions can be circumvented by a user with administrative permissions (or root via sudo) and by third-party applications running with those permissions, so they are a default, not a guarantee.
Hotfixes, Service Packs, and Patches
• It is important to keep systems up to date, whichever delivery form the vendor uses.
• Hotfix: a small software update designed to address a specific problem, usually released quickly and with limited testing.
• Patch: a more formal, larger software update that may address several or many problems. Patches may contain enhancements or additional capabilities along with fixes for known bugs, and are usually developed over a longer period of time.
• Service pack: a collection of patches and hotfixes rolled into a single, large package, designed to bring a system up to the latest known-good level all at once.
• Test updates on a representative system before deploying them to production, and re-verify the baseline afterwards: an update can re-enable a service or reset a setting that was hardened.
Network Baselining
• Network baselining is the act of measuring and recording the normal performance of a network under real-world conditions.
• Producing a network baseline requires testing and reporting of physical connectivity, normal network utilization, protocol usage, peak network utilization, and average throughput.
• Such in-depth analysis is required to identify problems with speed and accessibility, and to find vulnerabilities and other problems within the network. It also gives a reference point, so that unexpected protocols, ports or traffic volumes later stand out as anomalies.
Network Hardening
• Proper controls over network access must be established: control the open services and ports on servers, workstations, and network devices such as routers, switches, and modems.
• Network infrastructure components are similar to other devices on the network. Ports are open for direct connection to the operating system and its services, and for remote management capabilities.
• Any managed equipment (PCs as well as WAN equipment) responding on network ports has some software or firmware controlling it, and that software or firmware needs to be updated on a regular basis, just like an operating system.
SNMP
• SNMPv1 (and SNMPv2c) community strings are passed in the clear, so anyone who can sniff the management traffic learns them.
• SNMPv3 provides three levels of security: noAuthNoPriv (no authentication, no privacy), authNoPriv (authentication but no encryption), and authPriv (authentication and privacy), the highest.
• The perfect example of why SNMP security is important is its ability to change configuration and reboot devices through a read-write community.
• The SNMP service should be limited to connections from the management station's IP address.
• If SNMP is not used, it should be disabled.
• The SNMP ports (UDP 161 for the agent, UDP 162 for traps) should not be reachable from the external network, and on the internal network only from the management hosts.
• An SNMP community string is basically the password needed to access an SNMP agent. There are two flavors: read-only and read-write.
• Vendors commonly ship "public" as the default read-only community string and "private" as the default read-write community string. Both are the first guesses of every scanner, so they must be changed or, better, replaced with SNMPv3 authPriv users.
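To make "passed in the clear" concrete, the example below (added here, not part of the lesson) hand-encodes an SNMPv1 GetRequest in BER exactly as it goes onto the wire, then parses it back the way a passive sniffer would: the community string is the second field of the message, readable by anyone on the path. The community string, OID (sysDescr.0) and request ID are constructed sample values; no network is touched.

```python
# Added example: minimal BER encoder for an SNMPv1 GetRequest and the
# matching "sniffer" that pulls the community string back out of the bytes.


def _tlv(tag, payload):
    """ASN.1 tag-length-value with short-form length (payloads under 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def _int(value):
    """BER INTEGER for a non-negative value; the spare byte keeps the sign bit clear."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs merged, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def encode_snmpv1_get(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # { name, value NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0)        # request-id, error-status, error-index
               + _tlv(0x30, varbind))                             # VarBindList
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def sniff_community(packet):
    """What a sniffer sees: walk the outer SEQUENCE and return (version, community)."""
    def read(buf, pos):
        tag, length = buf[pos], buf[pos + 1]
        return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

    tag, msg, _ = read(packet, 0)
    assert tag == 0x30, "not an SNMP message"
    tag, version, pos = read(msg, 0)
    assert tag == 0x02
    tag, community, _ = read(msg, pos)
    # In SNMPv3 this position holds msgGlobalData (a SEQUENCE), not a plaintext string.
    assert tag == 0x04, "no community string here (SNMPv3?)"
    return int.from_bytes(version, "big"), community.decode("ascii")


if __name__ == "__main__":
    pkt = encode_snmpv1_get("public", "1.3.6.1.2.1.1.1.0")     # sysDescr.0
    print(pkt.hex())
    print("recovered from the wire:", sniff_community(pkt))
```

The same bytes are what `tcpdump -X udp port 161` would show; a read-write community captured this way is a device password, which is why the slide limits UDP 161 to the management station and prefers SNMPv3 authPriv, where both the authentication key and the payload are protected.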
Network Ports/Services
• Close ports: for any networked machine, open only the ports that are actually used.
• At a minimum, the Windows networking ports TCP 135, 139 and 445 (RPC endpoint mapper, NetBIOS session service, SMB) and UDP 135, 137, 138 and 445 (RPC, NetBIOS name and datagram services) should be blocked at the perimeter, along with all other unused ports.
• While not all open ports are dangerous, every one of them reveals information to anyone with a port scanner.
• Remove or disable programs or services.
• Most servers are only used to provide one or two services.
• The most prevalent services on Internet servers are Web and secure Web, on 80/tcp and 443/tcp respectively.
• Web servers that also run telnet, SMTP, or POP3 provide multiple paths for an attacker, and require more administration and more patching.
Router Filters
• Some equipment does not allow running services to be disabled; in that case, filter the traffic with access control lists.
• Filtering is one of the most common tools in security and works on the principle of pattern matching: every filter is a list of rules that accept or deny traffic, evaluated top to bottom, with the first matching rule deciding and an implicit deny at the end on most platforms.
• A common place to filter is the border router, which forwards traffic between networks; however, ACLs do not make a router into a true firewall, because a stateless ACL neither tracks connections nor inspects application data.
• At very high data rates, or for very long lists of rules, filtering is computationally intensive and a drain on the router's resources.
• Filtering on a router should therefore be used for coarse cuts: dropping large blocks of Internet address space that are known sources of unwanted traffic, dropping packets whose source address belongs to your own ranges (spoofed), or dropping all traffic from the Internet that has no business reaching the network, leaving fine-grained rules to the firewall.
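A first-match ACL evaluator covering both the port slide and the router-filter slide above, added here as an example (it is not the lesson's material or any vendor's syntax). The rule list blocks the Windows networking ports named in the lesson, drops spoofed packets that claim to come from the inside prefix, permits only web traffic to the web server and SNMP only from the management station, and ends in the implicit deny. The prefixes and hosts (192.0.2.0/24 as the inside network, 192.0.2.10 the web server, 192.0.2.1 the router, 198.51.100.5 the management station) and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Added example: border-router ACL as (action, protocol, src prefix, dst prefix, dst port).
# A port of None means "any port"; protocol "ip" matches any transport.
RULES = [
    ("deny",   "ip",  "192.0.2.0/24",    "0.0.0.0/0",     None),  # our own prefix from outside = spoofed
    ("deny",   "tcp", "0.0.0.0/0",       "0.0.0.0/0",     135),   # RPC endpoint mapper
    ("deny",   "tcp", "0.0.0.0/0",       "0.0.0.0/0",     139),   # NetBIOS session
    ("deny",   "tcp", "0.0.0.0/0",       "0.0.0.0/0",     445),   # SMB
    ("deny",   "udp", "0.0.0.0/0",       "0.0.0.0/0",     135),
    ("deny",   "udp", "0.0.0.0/0",       "0.0.0.0/0",     137),   # NetBIOS name service
    ("deny",   "udp", "0.0.0.0/0",       "0.0.0.0/0",     138),   # NetBIOS datagram service
    ("deny",   "udp", "0.0.0.0/0",       "0.0.0.0/0",     445),
    ("permit", "tcp", "0.0.0.0/0",       "192.0.2.10/32", 80),    # public web server
    ("permit", "tcp", "0.0.0.0/0",       "192.0.2.10/32", 443),
    ("permit", "udp", "198.51.100.5/32", "192.0.2.1/32",  161),   # SNMP only from the management station
]


def evaluate(rules, proto, src, dst, dport):
    """First match wins. Returns (action, rule index); index None means the implicit deny fired."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for idx, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto != "ip" and rproto != proto:
            continue
        if src_ip not in ip_network(rsrc) or dst_ip not in ip_network(rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action, idx
    return "deny", None


# Constructed inbound packets as they would arrive on the outside interface:
# (protocol, source, destination, destination port).
SAMPLE_PACKETS = [
    ("tcp", "203.0.113.4",  "192.0.2.10", 80),    # normal web request
    ("tcp", "203.0.113.4",  "192.0.2.10", 445),   # SMB probe at the web server
    ("udp", "203.0.113.4",  "192.0.2.1",  161),   # SNMP from an unknown host
    ("udp", "198.51.100.5", "192.0.2.1",  161),   # SNMP from the management station
    ("tcp", "192.0.2.77",   "192.0.2.10", 80),    # inside address arriving from outside
]


def summarize(rules, packets):
    """Evaluate every sample packet against the rule list."""
    return [evaluate(rules, *p) for p in packets]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, summarize(RULES, SAMPLE_PACKETS)):
        print(packet, "->", verdict)
```

Rule order is the whole semantics: moving the web permit above the spoofing rule would let a spoofed packet to port 80 through. The index None verdict is also worth noticing operationally, since on many routers implicit-deny drops are not logged unless the list ends with an explicit deny-any rule that has logging enabled.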
Protecting the DMZ with Two Firewalls
• The next piece of equipment after the border router is the firewall; this is where the most complex filtering is performed, using ACL-like rule statements.
• In a two-firewall design, the outer firewall controls traffic from the Internet into the DMZ, while the inner firewall controls traffic from the DMZ into the internal LAN, so a compromised DMZ host still faces a second barrier before reaching internal systems.
• A second firewall can also be deployed as a failover unit for the first; that is a resilience measure, separate from the two-tier DMZ layout.
• Firewalls should have all their open ports and services, especially their own management interfaces, restricted to a limited number of source addresses.
Application Patches and Hardening
• Application hardening is as important as operating system and network hardening, and follows the same pattern:
  • Remove unneeded functions or components.
  • Restrict access where you can, and close unused ports.
  • Keep the application up to date with patches.
• The following slides cover: Web server hardening; e-mail and NNTP server hardening; FTP server hardening; DNS server hardening; file and print server hardening; DHCP server hardening; directory services and database hardening.
Microsoft's Internet Information Server
• Microsoft's Internet Information Server (IIS) is one of the most popular Web server applications in use, and also one of the most attacked.
• To secure an IIS server: remove all sample files, and set permissions on the Web server's files and directories using ACLs.
• Two tools are designed to help secure IIS servers: URLScan and IIS Lockdown.
• URLScan is a monitoring utility and preprocessor (an ISAPI filter) that examines all incoming URLs and rejects requests for files, directories, or services outside the intended scope of the Web site, for example requests with unexpected HTTP verbs, ".." sequences, or executable extensions.
• IIS Lockdown can deny write permissions for anonymous accounts, disable WebDAV, remove dynamic script type associations (script mappings), restore default security settings, and back up the IIS metabase and ACLs before it makes changes.
Apache
• The first step in securing an Apache Web server is to secure the host operating system; locking down file and directory permissions is equally important.
• Create an unprivileged account that will run the Apache server. This account, typically called "httpd", "apache" or "www-data", is given the minimum permissions necessary: read access to the content, no write access to it, and no access to anything else.
• Additional measures include locking the account so it can never be used to log on (a nologin shell and a disabled password) and assigning it to a special group in which it is the only member.
• Apache starts as root so it can bind port 80 and then drops to this account for its worker processes; the User and Group directives in the configuration determine which account that is, so verify them rather than assuming the installer's default.
• Delete unneeded files and directories immediately after installation: source code files, samples, cgi-bin scripts, default HTML pages, and documentation files should be removed from the system.
• Patching an Apache server is just as critical as patching the operating system.
Mail Servers
• Hardening a mail server means disabling unwanted functionality and ensuring the software is patched.
• Attacks focus on three areas: reconnaissance, relaying, and buffer overflows.
• Reconnaissance or scanning pulls the names and addresses of valid user accounts from the system, for example through the SMTP VRFY and EXPN commands on port 25 or through a webmail front end on port 80; these are used later to compromise the network.
• Relaying occurs when a mail server handles a message for which neither the sender nor the recipient is a local user. Attackers use such an open relay to send e-mail (typically spam) on their behalf, even though they are not legitimate users of that system.
• Sendmail was the original Internet mail server software, and buffer overflows have been a frequent problem for it. The best defense is to ensure the Sendmail software is patched and up to date.
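The relay rule above, written out as the decision a server makes for each recipient, added here as an example (not the lesson's or any mail server's own code). It shows the one case that turns a server into an open relay, and the trap of trusting the sender address: MAIL FROM is forged trivially, so a local-looking sender from an outside, unauthenticated client must still be refused. The local domains, the trusted network and the envelopes are constructed.

```python
from ipaddress import ip_address, ip_network

# Added example: relay control for one SMTP transaction. Constructed values.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]   # our own LAN, allowed to send outbound


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(sender, recipient, client_ip, authenticated=False):
    """Return (accept, reason). The relay test is on the recipient and the client,
    never on the sender address."""
    client = ip_address(client_ip)
    if domain_of(recipient) in LOCAL_DOMAINS:
        return True, "local delivery"
    if authenticated:
        return True, "relay for authenticated user"
    if any(client in net for net in TRUSTED_NETS):
        return True, "relay for trusted network"
    # Neither party is local and the client is an unknown outsider: accepting
    # here is exactly what makes an open relay, even if the sender claims a
    # local domain.
    return False, "relaying denied"


# Constructed SMTP envelopes: (sender, recipient, client IP, authenticated).
SAMPLE_ENVELOPES = [
    ("spammer@evil.example", "victim@elsewhere.example", "203.0.113.9", False),  # classic relay attempt
    ("alice@example.com", "bob@elsewhere.example", "203.0.113.9", False),        # forged local sender
    ("alice@example.com", "bob@elsewhere.example", "203.0.113.9", True),         # alice on the road, authenticated
    ("alice@example.com", "bob@elsewhere.example", "192.0.2.25", False),         # alice on the LAN
    ("anyone@elsewhere.example", "alice@example.com", "203.0.113.9", False),     # inbound mail for a local user
]


def audit(envelopes):
    """Accept/reject verdict for each constructed envelope."""
    return [relay_decision(*env)[0] for env in envelopes]


if __name__ == "__main__":
    for env, verdict in zip(SAMPLE_ENVELOPES, audit(SAMPLE_ENVELOPES)):
        print(env, "->", "accept" if verdict else "reject")
```

Testing a live server for the first two cases is the standard open-relay check: connect from an outside address, give an outside recipient, and expect the RCPT TO to be refused.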
FTP Servers / DNS
• FTP servers need securing too: configure them as read-only services where possible, and restrict which external IP addresses are allowed to connect to the FTP service. The most common attack against them is a buffer overflow. Note that FTP sends credentials in the clear, so prefer SFTP or FTPS wherever logins are required.
• The Domain Name Service (DNS) is a hierarchical structure anchored by the 13 root nameserver identities (each served today by many anycast instances); the root servers do not answer every query directly, but every resolution ultimately starts from the delegations they provide.
• The two most common types of attacks against DNS servers are reconnaissance attacks and buffer overflows.
• Reconnaissance usually consists of an attacker attempting a zone transfer (AXFR, the mechanism used to copy zone information between nameservers) to obtain a complete list of the zone's hosts; restrict transfers to the addresses of the secondary servers.
• Buffer overflows are best defeated by ensuring the DNS software is patched and up to date.
File and Print Services
• File and print servers are exposed to the same vulnerabilities as other servers:
  • Data modification
  • Denial of service (DoS) attacks
  • Increased attack surface, since Windows file sharing uses NetBIOS and SMB
• Network print services should be configured so that they accept print jobs only from authorized, authenticated users.
• Only administrators should be able to control or modify the entire print queue or the printer itself.
Active Directory
• Active Directory allows single login access to multiple applications, data sources, and systems, and includes strong authentication and encryption capabilities, such as Kerberos and PKI.
• Active Directory is built around a database whose structure is defined by a schema, which describes every class of network object and its attributes.
• Each object is placed into a domain, which can then be used to control which users may access which objects.
• Each domain has its own security policies, administrative control, privileges, and trust relationships to other domains.
• Each object in Active Directory also has an ACL that determines who can view the object, which attributes they can read, and what actions each user can perform on it.
• Access controls can be inherited, passed down from a parent container to a child.
• To update and query Active Directory, Microsoft uses the Lightweight Directory Access Protocol (LDAP).
• Every object in Active Directory has a unique distinguished name (DN) for use in LDAP queries and updates.
• The key to securing Active Directory is planning and using appropriate permissions; review inherited ACLs in particular, since a permissive entry high in the tree propagates to everything beneath it.