Slide 1: All-In-One Edition, Chapter 12 – Security Baselines
Brian E Brzezicki
Slide 2: Hardening and Baselines
Operating systems and software are written to be functional and easy to use and install. Otherwise vendors will have a hard time selling them ;-)
Unfortunately they generally come configured insecurely (or less securely than possible) out of the box.
There are two important terms we need to understand in regard to securing systems.
Slide 3: Hardening – the process of securing a system as much as possible for production
– Restricting access to authorized users
• Installing add-on host-based tools such as firewalls and anti-virus.
Slide 4: Baseline – The row of shields above your fighter that protects you from attack by hordes of aliens
Slide 5: Close actually…
Baselines – the process of establishing a minimum set of protections that protects a computer system/network from attack by the hordes of script-kiddies and crackers
• MINIMUM set of protections and configurations
• Important to have baselines in any organization – why?
Slide 6: Password Policies (340)
One baseline concept that is often overlooked is requiring strong password practices (a password policy).
Why is a password policy important?
(more)
Slide 7: Password Policy Concepts (343)
What are all these things?
• Minimum password length – 8
• Minimum password age – days to weeks
• Maximum password age – 60-90 days
• Case changes, numbers and special characters
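The policy settings on this slide, turned into a checker as an added example (not code from the slides). It models minimum length 8, complexity, a maximum age of 90 days, a minimum age of 1 day and a history of the last 5 passwords; the user records it is run on are constructed for the demo, and the choice of 1 day and 5 entries is an assumption.

```python
# Added example (not from the slides): a checker for the password-policy
# settings listed above, run against constructed user records. Rules modelled:
# minimum length 8, complexity (upper, lower, digit, special), maximum age
# 90 days, minimum age 1 day, and a history of the last 5 password hashes
# (history and minimum age come up again in the chapter review questions).
import hashlib
import re
from datetime import date

MIN_LENGTH, MAX_AGE_DAYS, MIN_AGE_DAYS, HISTORY_SIZE = 8, 90, 1, 5

def history_hash(password: str) -> str:
    # History holds hashes so old passwords are never stored in clear text.
    # A real system would salt and use a slow KDF; SHA-256 keeps the demo short.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def complexity_errors(password: str) -> list:
    """Return the complexity rules the candidate password violates (empty = OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    rules = [(r"[A-Z]", "no uppercase letter"), (r"[a-z]", "no lowercase letter"),
             (r"[0-9]", "no digit"), (r"[^A-Za-z0-9]", "no special character")]
    for pattern, message in rules:
        if not re.search(pattern, password):
            errors.append(message)
    return errors

def can_change_password(new_password: str, history: list, last_changed: str, today: str):
    """Decide whether a change is allowed today; returns (allowed, reasons).
    Dates are ISO strings (YYYY-MM-DD); history is a list of history_hash() values."""
    reasons = complexity_errors(new_password)
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age < MIN_AGE_DAYS:
        reasons.append("minimum password age not reached")   # stops cycling through history
    if history_hash(new_password) in history[-HISTORY_SIZE:]:
        reasons.append("password reused from history")
    return (not reasons, reasons)

def is_expired(last_changed: str, today: str) -> bool:
    """Maximum age: the user must pick a new password once 90 days have passed."""
    return (date.fromisoformat(today) - date.fromisoformat(last_changed)).days > MAX_AGE_DAYS
```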
Slide 8: Password Usability vs Security
However, you have to balance “usability” against security.
• What do I mean by this?
• What problems occur with “too secure” passwords?
I like to use a “passphrase” to generate a password:
“I Like to drink Iced Tea and Lemon”
I L T D I T A L
1 L t d 1 t @ l
Slide 9: Attacks against passwords (342)
Some types of attacks whose terminology you should understand:
• Dictionary Attack – go through the
Slide 10: • Windows Group Policies (Windows 2000+)
• npasswd or PAM on Unix/Linux
You should also try to “crack” passwords periodically:
• Cain and Abel (Windows)
• John the Ripper (Windows, Unix)
Slide 11: Random password term
Virtual password – Some software asks you to type a passphrase, like a sentence.
The software often takes the passphrase and uses it to create a “virtual password”.
Anyone have any ideas how they could do that?
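One common answer to the question above, as an added example (not code from the slides): feed the passphrase through a password-based key derivation function (PBKDF2 from Python's standard library here) with a salt and many iterations to get a fixed-size virtual password. The salt and iteration count are constructed for the demo.

```python
# Added example (not from the slides): deriving a "virtual password" from a
# typed passphrase with PBKDF2-HMAC-SHA256. The salt below is a constructed
# demo value; a real system stores a random salt per user next to the result.
import hashlib
import hmac

SALT = b"demo-salt-value"   # constructed for this example
ITERATIONS = 100_000        # slows down guessing; tune to the hardware

def virtual_password(passphrase: str, salt: bytes = SALT) -> str:
    """Derive a 16-byte virtual password from the passphrase, hex encoded."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              ITERATIONS, dklen=16)
    return key.hex()

def verify(passphrase: str, stored: str, salt: bytes = SALT) -> bool:
    """Check a typed passphrase against the stored virtual password.
    compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(virtual_password(passphrase, salt), stored)
```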
Slide 12: Hardening
Slide 13: Windows 2003 (345)
Windows 2003 was MS's first product using their “Trustworthy Computing Initiative”. The concept was “Secure by design, secure by default”. This included:
• Fewer default installed features (19 fewer than 2000; next slide)
• Official Security Guides for securing services
• Security Configuration Wizards – easily install and lock down services
• Software Restriction Policy – allows an administrator to define what software should be allowed to run on a system – Why is this important?
Slide 14: Services
Slide 15: Windows 2003
• IIS – allows isolation between web applications
• Enhanced auditing features
• Network Access Quarantine – explain this
• MBSA – Microsoft Baseline Security Analyzer… this is a type of vulnerability assessment program for MS OSes and software. You should run this on all MS machines.
Slide 16: Windows 2008 (346)
• BitLocker – drive encryption software
• Role-based installation of network services (a Web server only installs the Web server, not DNS etc.)
• Read-only Domain Controllers
• NAP – controls access to network resources based on a computer's compliance with security policy
Difference between NAQ and NAP:
http://technet.microsoft.com/en-us/library/bb726973.aspx
Slide 17: Always make sure you're up to date
Updates can be applied either manually or automatically. They can also be downloaded automatically and stored until install.
Slide 18: Unix (347)
• Keep software up to date (see next slide)
• Disable/remove unnecessary accounts
• Disable unnecessary software (remove it, actually)
• Turn off unnecessary services in /etc/rc.*
• Turn off unnecessary services in “xinetd” (2 slides away)
• Remove compilers
• Tighten file/directory permissions
• Remove SUID programs
• Install TCP wrappers (in a few slides)
• Configure a host-based firewall
• Install and maintain Tripwire scanning
Slide 19: yum-updatesd (n/b)
Slide 21: yum
Slide 22: Xinetd (354)
• Xinetd is a program that manages various services and starts up an instance of a service when a user tries to access that service. Services are defined by text configuration files in /
The predecessor to xinetd is “inetd”, still used in Solaris last time I checked (Solaris 9).
Xinetd config file example next slide.
Slide 23: Xinetd
Slide 25: /etc/hosts.deny (tcpwrappers)
Slide 26: /etc/hosts.deny (tcpwrappers)
Slide 27: Verifying (All OSes) (n/b)
• After applying baselines you should ALWAYS verify that your settings have taken effect. One good way is to look at what ports are open and what services are running.
• nmap (screenshot next slide)
• netstat (screenshot in a few)
Slide 28: NMAP
Slide 29: netstat
Slide 30: PS and Task Manager (n/b)
Another step in verifying is to use “ps” (Unix) or Task Manager (Windows) to see what processes are running. You should always familiarize yourself with your OS and know what processes are necessary for operation, so you can make sure no unnecessary processes are running and also identify “rogue” processes.
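The verification step from the last few slides (open ports and the processes behind them) done with a script rather than by eye, as an added example that is not from the slides: it parses Linux `netstat -tlnp` output and compares every listener against an approved baseline. The netstat text, the baseline and the program names are constructed for the demo.

```python
# Added example (not from the slides): compare the listening sockets reported by
# "netstat -tlnp" (Linux) against an approved baseline, so unexpected ports and
# wrong owners stand out instead of being eyeballed. The netstat text and the
# baseline below are constructed for this demo; on a real host you would feed
# in the command's actual output. Only IPv4 "tcp" lines are parsed, for brevity.
import re

NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1024/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1310/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2201/python
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      455/xinetd
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      2999/rogue
"""

# Baseline: port -> program that is allowed to own it on this host (constructed).
BASELINE = {22: "sshd", 25: "sendmail", 80: "httpd", 443: "httpd"}

LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

def parse_listeners(output: str) -> list:
    """Return (local_address, port, pid, program) for every LISTEN line."""
    found = []
    for line in output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return found

def check_baseline(output: str, baseline: dict) -> dict:
    """Sort listeners into approved, unexpected port, or wrong program on an approved port."""
    report = {"approved": [], "unexpected": [], "mismatch": []}
    for _addr, port, _pid, program in parse_listeners(output):
        if port not in baseline:
            report["unexpected"].append((port, program))        # not in the baseline at all
        elif baseline[port] != program:
            report["mismatch"].append((port, program, baseline[port]))
        else:
            report["approved"].append((port, program))
    return report
```

Anything in "unexpected" or "mismatch" is what the slide calls a rogue process and is the first thing to investigate after applying a baseline.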
Slide 31: Network Hardening (363)
Switches and routers also need to be secured.
• They ALSO need to have patches applied in a timely manner! They run OSes and are attacked. Network equipment provides direct access into your network, and it's often not maintained!
• Use good password policies on these devices
(more)
Slide 32: Network Hardening (363)
• Turn off SNMP, or change the public/private community passwords (SNMP next slide)
• Use encrypted management interfaces (what's this? See a few slides from now)
• Restrict access to management interfaces
• Do Network Mapping, Vulnerability Assessment and Penetration Testing (in a few slides)
Slide 33: Simple Network Management Protocol
• Used for network management
• Allows for “reads”
– Ex: How many packets were routed
– Ex: How many web pages were served
• Allows “writes”
– Ex: Reboot
– Ex: Shut down an interface
• Plain-text communication (earlier versions)
• Communities (like passwords) – public/private for read and write access
Slide 34: Vulnerability Assessment and Penetration Testing (n/b)
Network Mapping – The act of using software to try to determine the topology and software/services of your network.
Vulnerability Assessment – The process of scanning/probing your systems to determine what software exists and what holes might exist on the network/systems. All systems should have Vulnerability Assessments done.
Slide 35: Vulnerability Assessment and Penetration Testing (n/b)
Penetration Testing – A process of actually trying to test your security posture by exploiting holes determined in the vulnerability testing stages. Penetration testing can DAMAGE the network and should not be done without management approval, and should ONLY be done if the testing itself cannot do serious damage.
Slide 36: Management Interfaces
Slide 37: Securing Various Network Services
Slide 38: Web Servers
Slide 39: Web Servers
What is a web server?
What protocols and ports does it use?
Slide 40: Web Servers (IIS) (375)
IIS is Microsoft's Web Server software and is a popular attack target.
• Secure the host OS, remove all unnecessary services! Try to only run the web service.
• Remove all sample files (especially on versions before 6)
– \InetPub\IISamples
– \Winnt\Help\IIShelp
– \Program files\Common Files\Systems\MSadc
• Set permissions properly; only allow read access for non-web developers
• Run IIS Lockdown (MS tool for older versions)
• Patch… Patch… Patch
Slide 41: • Restrict permissions on web directories
• Restrict IP addresses if necessary
• Delete example CGI files
Slide 42: • URL encoding issues
• Unchecked inputs to server-side programs
– Ex: http://www.myapp.com/app?username=me;”drop database applog”
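The unchecked-input problem from the example URL, shown as an added example (not code from the slides) with Python's built-in sqlite3 on a constructed in-memory database: one lookup splices the username into the SQL text, the other binds it as a parameter. sqlite3's execute() only runs one statement, so the stacked `;drop …` form in the slide is refused by the driver itself; the vulnerable function is therefore shown being rewritten through the other classic form of the same bug, a value that closes the quote and adds its own condition. Table and column names are constructed.

```python
# Added example (not from the slides): the "unchecked input" problem above,
# shown with Python's built-in sqlite3 on a constructed in-memory database.
# lookup_vulnerable() splices the username into the SQL text; lookup_safe()
# passes it as a bound parameter so the database never parses it as SQL.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: an application log with one row per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applog (id INTEGER PRIMARY KEY, username TEXT, action TEXT)")
    conn.executemany("INSERT INTO applog (username, action) VALUES (?, ?)",
                     [("me", "login"), ("bob", "logout")])
    return conn

def lookup_vulnerable(conn, username: str) -> list:
    """VULNERABLE: the user-supplied value becomes part of the query text.
    sqlite3.execute() refuses stacked statements, so the slide's ';drop ...'
    form is stopped by the driver here, but a value that closes the quote and
    adds its own condition (' OR '1'='1) still rewrites the WHERE clause."""
    sql = "SELECT action FROM applog WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username: str) -> list:
    """HARDENED: a parameterised query; the value is bound, never parsed as SQL."""
    sql = "SELECT action FROM applog WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def table_exists(conn, name: str) -> bool:
    """Used to confirm the log table survived whatever input was supplied."""
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None
```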
Slide 43: Mail Servers
Slide 44: Email (379)
What is email?
What is the protocol for email called?
What is the port number for email?
What are some security issues in running email?
• Relaying
• Reconnaissance
• Buffer overflows
Slide 45: • What is relaying? (next slide)
Slide 46: Relaying (n/b)
Slide 47: Using email for Reconnaissance
• expn and vrfy commands
Slide 48: • Can get your mail server blacklisted quickly
• Wastes your bandwidth and CPU time
• Restrict relaying to internal addresses ONLY
• Use authentication mechanisms before allowing users to send mail out of your SMTP server
Slide 49: Securing Exchange (378)
• Secure OS
• Run only email services
• Run the MBSA
• Patch, patch, patch
• Restrict relaying
Slide 50: Securing Sendmail (379)
• Secure the OS
• Don't run as root (run as smtp)
• Turn off expn and vrfy
– PrivacyOptions=noexpn,novrfy
• Restrict relaying
Slide 51: FTP (379)
What is FTP?
What are the port numbers? What is a problem with FTP?
Slide 53: Securing FTP
• Don't run FTP… seriously, use something else like scp or sftp
• Turn off anonymous access
• Restrict access to authorized IPs only (internal, hopefully!)
• Patch, patch, patch
Slide 54: DNS (379)
What is DNS?
What ports does it run on?
Attacks against DNS servers (next slides):
• Buffer Overflows
• Reconnaissance Attacks
• DNS cache poisoning
Slide 55: Buffer Overflows
You'll learn about these next chapter!
Countermeasures
• Run the DNS server as an unprivileged account
• Patch, Patch, Patch
Slide 56: Reconnaissance with DNS
Zone transfers allow hackers to learn your servers and IP addresses.
Slide 57: Zone Transfers
Countermeasures
• Only allow zone transfers from slave DNS servers
Slide 58: DNS cache poisoning
The IP address for www.bankofamerica.com is currently 172.16.193.173. What happens if I can trick your computer into thinking www.bankofamerica.com is at IP 130.85.5.14, and I actually run 130.85.5.14?
Slide 59: File and Print Servers (380)
Attacks
• Buffer Overflows – patch, patch, patch
• Sniffing – encrypt data, use switches
• Unauthorized / too much access (next)
Slide 60: Group Policies and Security Templates
Slide 61: Too Many Privileges
People have more access than they need.
Countermeasures
• Require authentication to resources
• Ensure proper permissions on files (least
Slide 62: Group Policies (382)
What are Group Policies? – “an infrastructure to deliver and apply configurations and policy settings”
What do they require?
What tool do you use to manage them? (GPMC) Show example with MMC.
Slide 63: Group Policies (382)
What are some things you might set in a GPO?
• Password policies
• Server login rights
• Access to USB drives
• What services start on a computer
• IE settings
• Network sharing encryption settings
• What software can be run
• Logon banners
• Others?
Slide 64: Group Policy Ordering
In Windows, Group Policies can exist on multiple “groups”. The order in which they are applied is as follows; later ones can override settings from earlier ones.*
• Local Computer
• Local User GPO
• Site GPO
• Domain GPO
• Organizational Unit GPO
* There is a way for earlier GPOs to block their settings from being overwritten.
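The application order and the footnote's blocking mechanism, modelled in a few lines as an added example (not code from the slides or from Windows): GPOs are applied in the order listed, later levels override earlier ones, and a level marked enforced (the blocking mechanism from the footnote; the Windows name for it is "Enforced", earlier "No Override") keeps its settings from being overridden by later levels. The GPO names and settings are constructed, and the model is simplified (no Block Inheritance, no filtering).

```python
# Added example (not from the slides): a small model of Group Policy ordering.
# GPOs are applied in LSDOU order; a later level overrides an earlier one,
# unless the earlier GPO is enforced, in which case its settings stay.
# GPO names and settings below are constructed for the demo.

ORDER = ["local_computer", "local_user", "site", "domain", "ou"]

class GPO:
    def __init__(self, name: str, level: str, settings: dict, enforced: bool = False):
        assert level in ORDER, "unknown policy level: %s" % level
        self.name, self.level, self.settings, self.enforced = name, level, settings, enforced

def resulting_settings(gpos: list) -> dict:
    """Return {setting: (value, gpo_name)} after applying all GPOs in order."""
    ordered = sorted(gpos, key=lambda g: ORDER.index(g.level))   # stable: list order within a level
    result, locked = {}, set()
    for gpo in ordered:
        for key, value in gpo.settings.items():
            if key in locked:
                continue                 # an earlier enforced GPO already fixed this setting
            result[key] = (value, gpo.name)
            if gpo.enforced:
                locked.add(key)
    return result

def demo_gpos(domain_enforced: bool) -> list:
    """Constructed set of GPOs at four levels, given in deliberately shuffled order."""
    return [
        GPO("Servers OU", "ou", {"min_password_length": 12, "usb_storage": "disabled"}),
        GPO("Default Domain Policy", "domain",
            {"min_password_length": 8, "logon_banner": "Domain banner"}, enforced=domain_enforced),
        GPO("Local", "local_computer", {"min_password_length": 6, "usb_storage": "enabled"}),
        GPO("HQ Site", "site", {"logon_banner": "Site banner"}),
    ]
```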
Slide 65: Security templates can be stand-alone and applied to a system, or pushed out via Group Policy.
Slide 66: Chapter 12 – Review
Q: If I had a host-based firewall that blocks access to ssh (port 22/tcp) to only allowed IP addresses, should I still use TCP wrappers to block access? Why or why not?
Q: What is a program that you can use to scan your computer for open network ports?
Q: What is a program that tells you what programs are running and using what ports?
Q: What is a security template?
Slide 67: Chapter 12 – Review
Q: What is a Group Policy?
Q: Name 3 steps in hardening ANY OS.
Q: If you are a security admin, what is the best practice to defeat buffer overflow attacks?
Q: What does the inetd/xinetd daemon do?
Slide 68: Chapter 12 – Review
Q: What is a hot fix, and how is it different from a service pack?
Q: What is the idea of a password history?
Q: What is the idea of a minimum password age, and what does it help enforce?