Security Baselines

DOCUMENT INFORMATION

Basic information

Title: Security baselines
School: Standard University
Field: Network Security
Type: Essay
Year published: 2023
City: City Name
Pages: 39
Size: 749 KB


Contents


Page 1

Chapter 4: Security Baselines

Security+ Guide to Network Security Fundamentals, Second Edition

Page 2

Objectives

Disable nonessential systems

Harden operating systems

Harden applications

Harden networks

Page 3

Disabling Nonessential Systems

• The first step in establishing a defense against computer attacks is to turn off all nonessential systems

• The background program waits in the computer's random access memory (RAM) until the user presses a specific combination of keys (a hot key), such as Ctrl+Shift+P

• Then, the idling program springs to life

Page 4

Disabling Nonessential Systems (continued)

• Early terminate-and-stay-resident (TSR) programs performed functions such as displaying an instant calculator, small notepad, or address book

• In Microsoft Windows, a background program, such as Svchost.exe, is called a process

• The process provides a service to the operating system indicated by the service name, such as AppMgmt

Page 6

Disabling Nonessential Systems (continued)

[Figure 4-1 Service display name: screenshot of the Services (Local) console with a callout pointing to the display name of the AppMgmt service. The service list itself did not survive the scan.]

Page 7

[Figure 4-2 Task Manager processes: the Processes tab listing Image Name, PID, User Name, CPU and Mem for processes such as svchost.exe (running as LOCAL SERVICE and NETWORK SERVICE), alg.exe and spoolsv.exe, with a callout labelling the Process name column. Status bar: Processes: 36, CPU Usage: 2%.]

Page 8

• Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system

Page 9

Disabling Nonessential Systems (continued)

• The User Datagram Protocol (UDP) provides for a connectionless TCP/IP transfer

• TCP and UDP are based on port numbers

• Socket: combination of an IP address and a port number

– The IP address is separated from the port number by a colon, as in 198.146.118.20:80

Page 10

[Screenshot: a Microsoft Windows XP command prompt (C:\Documents and Settings\Windows XP>) running `netstat -ano`; the Active Connections listing shows the local addresses and ports in use. Only fragments of the output, such as a local address ending in :135, survived the scan.]
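The socket notation and the `netstat -ano` listing above are what an administrator works from when deciding which services are nonessential. The following added example (not part of the original slides) parses netstat-style output into IP, port, state and PID records and groups the listening ports by owning process; the sample output, PIDs and addresses are constructed for illustration.

```python
"""Inventory listening sockets from Windows `netstat -ano` output.

Added example: parses netstat lines into (protocol, IP, port, state, PID)
records and reports which PID listens on which ports. The sample is constructed.
"""
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output; PIDs and addresses are illustrative.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1116
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1556
  TCP    198.146.118.20:3182    198.146.118.5:80       ESTABLISHED     1592
  UDP    0.0.0.0:500            *:*                                    1128
"""

@dataclass(frozen=True)
class Socket:
    proto: str
    ip: str
    port: int
    state: str   # "" for UDP, which carries no connection state
    pid: int

def split_socket(addr: str) -> tuple:
    """Split 'IP:port' at the last colon (IPv6 literals contain colons too)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), int(port)

def parse_netstat(text: str) -> list:
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unrelated line
        proto, local = fields[0], fields[1]
        state = fields[3] if proto == "TCP" else ""   # UDP rows have no State column
        ip, port = split_socket(local)
        sockets.append(Socket(proto, ip, port, state, int(fields[-1])))
    return sockets

def listening_ports(sockets: list) -> dict:
    """Map each PID to the ports it is bound on (TCP LISTENING or any UDP bind)."""
    result = {}
    for s in sockets:
        if s.proto == "UDP" or s.state == "LISTENING":
            result.setdefault(s.pid, set()).add(s.port)
    return result
```

Each PID in the result can then be matched against the Task Manager process list to decide whether the owning service is essential.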

Page 11

Hardening Operating Systems

• Hardening: process of reducing vulnerabilities

• A hardened system is configured and updated to protect against attacks

• Three broad categories of items should be hardened:

– Operating systems

– Applications that the operating system runs

– Networks

Page 12

Hardening Operating Systems (continued)

• You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare

Page 13

Applying Updates

• Operating systems are intended to be dynamic

• As users' needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis

• However, vendors release a new version of an operating system every two to four years

• Vendors use certain terms to refer to the different types of updates (listed in Table 4-3 on page 109)

Page 14

Applying Updates (continued)

• A service pack (a cumulative set of updates including fixes for problems that have not been made available through updates) provides the broadest and most complete update

• A hotfix does not typically address security issues; instead, it corrects a specific software problem

Page 15

Applying Updates (continued)

Table 4-3 Software updates

Security patch: A broadly released fix for a specific product addressing a security vulnerability

Critical update: A broadly released fix for a specific problem addressing a critical, nonsecurity-related bug

Update: A broadly released fix for a specific problem addressing a noncritical, nonsecurity-related bug

Hotfix: A single package composed of one or more files that addresses one user's problems and is generally not distributed to others

Update rollup: A collection of security patches, critical updates, updates, and hotfixes released as one package

Service pack: A cumulative set of hotfixes, security patches, critical updates, and updates created since the release of the product, including many resolved problems that have not been made available through any other software updates, and design changes or features requested by users

Integrated service pack: A version of a product released with a service pack in one package

Feature pack: A release of a product that adds functionality but does not address security issues (usually included in the product in the next version of the software)

Version: A major new release of the software incorporating all previous updates along with new features

Page 16

Applying Updates (continued)

• A patch or a software update fixes a security flaw or other problem

– May be released on a regular or irregular basis, depending on the vendor or support team

– A good patch management system includes the features listed on pages 111 and 112 of the text

Page 17

Securing the File System

• Another means of hardening an operating system is to restrict user access

• Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them

Page 18

Securing the File System (continued)

• Microsoft Windows provides a centralized method of defining security on the Microsoft Management

Page 19

Securing the File System (continued)

• Group Policy settings: components of a user's desktop environment that a network system administrator needs to manage

• Group Policy settings cannot override a global setting for all computers (domain-based setting)

• Windows stores settings for the computer's hardware and software in a database (the registry)

Page 20

Hardening Applications

• Just as you must harden operating systems, you must also harden the applications that run on those systems

• Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system

Page 22

Hardening Servers (continued)

messages

• In a normal setting, a mail server serves an organization or set of users

• All e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user

Page 23

Hardening Servers (continued)

Page 24

Hardening Servers (continued)

• In an open mail relay, a mail server processes e-mail messages not sent by or intended for a local user

• A File Transfer Protocol (FTP) server is used to store and access files through the Internet

– Typically used to accommodate users who want to download or upload files

Page 25

Hardening Servers (continued)

[Figure: only the label "Sends spam e-mail message" survived the scan.]

Page 26

Hardening Servers (continued)

• FTP servers can be set to accept anonymous logons using a window similar to that shown in Figure 4-8

• A Domain Name Service (DNS) server makes the Internet available to ordinary users

– DNS servers frequently update each other by transmitting all domains and IP addresses of which they are aware (zone transfer)

Page 27

Hardening Servers (continued)

[Figure 4-8 FTP logon dialog: "To log on to this FTP server, type a user name and password. FTP server: firefly.volstate.edu. User name: Anonymous. After you log on, you can add this server to your Favorites and return to it easily. The FTP server will use the e-mail address to identify anonymous users. FTP does not encrypt or encode passwords or data before sending them to the server. To protect the security of your passwords and data, use Web Folders."]

Page 28

Hardening Servers (continued)

• IP addresses and other information can be used in an attack

• USENET is a worldwide bulletin board system that can be accessed through the Internet or many online services

• The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers

Page 29

Hardening Servers (continued)

• Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers

• Hardening a print/file server involves the tasks listed on page 119 of the text

• A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)

• DHCP servers "lease" IP addresses to clients

Page 30

Hardening Data Repositories

• Data repository: container that holds electronic information

• Two major data repositories: directory services and company databases

• Directory service: database stored on the network that contains all information about users and network devices along with privileges to those resources

Page 31

Hardening Data Repositories (continued)

• Active Directory is the directory service for Windows

• Active Directory is stored in the Security Accounts Manager (SAM) database

• The primary domain controller (PDC) houses the SAM database

Page 32

Hardening Networks

• Two-fold process for keeping a network secure:

– Secure the network with necessary updates

– Properly configure it

Page 33

Firmware Updates

• RAM is volatile: interrupting the power source causes RAM to lose its entire contents

• Read-only memory (ROM) is different from RAM in two ways:

– Contents of ROM are fixed

– ROM is nonvolatile: disabling the power source does not erase its contents

Page 34

Firmware Updates (continued)

• ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware

• To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window

• The contents of EEPROM chips can also be erased using electrical signals applied to specific pins

Page 36

Network Configuration (continued)

• Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)

• Rules are composed of several settings (listed on pages 122 and 123 of the text)

• Observe the basic guidelines on page 124 of the text when creating rules

Page 37

Network Configuration (continued)

Table 4-6 Sample rule base

[Only the column headers survived the scan: Trans- | Source IP | Source | Destination IP | Destination]
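To show how a rule base of the kind sketched in Table 4-6 is actually applied, the following added example (not from the original slides or the textbook) models rules with transport, source IP, source port, destination IP, destination port and action, and evaluates packets top-down with first match wins and an implicit deny at the end. The rule base, addresses and packets are constructed for illustration; the `ANY` wildcard and the `permit`/`deny` action names are this example's own conventions.

```python
"""First-match evaluation of a firewall rule base (ACL).

Added example: models the rule-base columns of Table 4-6 and applies
first-match-wins with an implicit deny. Rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"            # wildcard accepted in any rule field
@dataclass(frozen=True)
class Rule:
    proto: str         # "tcp", "udp" or ANY
    src_ip: str        # CIDR network or ANY
    src_port: object   # int or ANY
    dst_ip: str        # CIDR network or ANY
    dst_port: object   # int or ANY
    action: str        # "permit" or "deny"

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _ip_match(pattern: str, ip: str) -> bool:
    return pattern == ANY or ip_address(ip) in ip_network(pattern, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (ANY, pkt.proto)
            and _ip_match(rule.src_ip, pkt.src_ip)
            and rule.src_port in (ANY, pkt.src_port)
            and _ip_match(rule.dst_ip, pkt.dst_ip)
            and rule.dst_port in (ANY, pkt.dst_port))

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, index of matching rule); -1 means the implicit deny applied."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):          # first match wins, so rule order matters
            return rule.action, i
    return "deny", -1

# Constructed rule base: the specific deny for one host must precede the
# broader LAN permit, otherwise the permit would shadow it.
RULE_BASE = [
    Rule("tcp", ANY, ANY, "198.146.118.20/32", 80, "permit"),
    Rule("udp", "192.168.1.50/32", ANY, ANY, 53, "deny"),
    Rule("udp", "192.168.1.0/24", ANY, ANY, 53, "permit"),
]
```

Swapping the two UDP rules would silently let the blocked host through, which is why rule ordering is one of the guidelines to review when building a rule base.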

Page 39

Summary (continued)

• Applications and operating systems must be hardened by installing the latest patches and updates

• Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks

Posted: 17/09/2012, 10:43
