Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)




Host Hardening (March 21, 2011)
Abdou Illia, Spring 2011

CERT Report on systems vulnerabilities
Source: CERT Report @ http://www.kb.cert.org/vuls/bymetric

OS Vulnerability test
Source: http://www.omninerd.com/articles/2006_operating_system_vulnerability_summary
- OS market share for 2006
- OS tested: Win XP, Win Server 2003, Win Vista Ultimate, Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger, FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
- Tools used to test vulnerabilities: scanning tools (Track, Nessus), network mapping (Nmap command)

Your knowledge about Host hardening
Today, how long will it take for a hacker to own a server with OS installation defaults that is connected to the Internet?
a) A week
b) A day or two
c) Two weeks
What needs to be done first in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?
a) Lock the server room
b) Configure the firewall to deny all inbound traffic to the server
c) Download and install patches for known vulnerabilities

Your knowledge about Host hardening
You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?
a) Windows XP
b) Linux FreeBSD 6.2
c) They will have the same level of security

What is Hardening Host Computers?
- A series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment
- Because it is easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology or a standard security baseline
- Need to have different security baselines for different kinds of host, i.e.:
  - Different security baselines for different OS and versions
  - Different security baselines for different types of servers (web servers, mail servers, etc.) and applications

Security Baseline
- Organization could use different standards:
  - OS vendors' baselines and tools, e.g. follow MS installation procedure and use Microsoft Baseline Security Analyzer (MBSA)
  - Standards agencies' baselines, e.g. CobiT* Security Baseline
  - Company's own security baselines
- Security Baseline to be implemented by server administrators, known as systems admins
* Control Objectives for Information and Related Technology

Elements of Hardening (each according to the baseline)
- Physical security
- Secure installation and configuration
- Fix known vulnerabilities
- Remove/turn off unnecessary services (applications)
- Harden all remaining applications
- Manage users and groups
- Manage access permissions: for individual files and directories, assign access permissions to specific users and groups
- Back up the server regularly
- Advanced protections

Example of Security Baseline for Win XP Clients
- OS Installation: create a single partition on HDD; format disk using NTFS file system; install Win XP and Service Pack 3
- Fixing OS vulnerabilities: download and install latest patches; turn on Windows Automatic Updates checking
- Configure Windows Firewall: block incoming connections except KeyAccess and Remote Assistance
- Turn off unnecessary services: turn off Alerter, Network Dynamic Data Exchange, telnet
- Application Installation: centrally assign applications using group policies
- Fixing application vulnerabilities: turn on each application's automatic update checking

Hardening servers
- Be aware of the 5 P's of security and compliance: Proper Planning Prevents Poor Performance
- Plan the installation
  - Identify: the purpose of the server (example: provides easy & fast access to Internet services); the services provided on the server; network service software (client and server); the users or types of users of the server
  - Determine: privileges for each category of users; if and how users will authenticate; how appropriate access rights will be enforced; which OS and server applications meet the requirements; the security baseline(s) for installation & deployment
- Install, configure, and secure the OS according to the security baseline
- Install, configure, and secure server software according to the security baseline
- Test the security
- Add network defenses
- Monitor and maintain

Hardening servers (cont.)
- Choose the OS that provides the following:
  - Ability to restrict admin access (Administrator vs. Administrators)
  - Granular control of data access
  - Ability to disable services
  - Ability to control executables
  - Ability to log activities
  - Host-based firewall
  - Support for strong authentication and encryption
- Disable or remove unnecessary services or applications
  - Remove rather than disable, to prevent re-enabling
  - Additional services increase the attack surface
  - More services can increase host load and decrease performance
  - Reducing services reduces logs and makes detection of intrusion easier

Hardening servers (cont.)
- Configure user authentication
  - Remove or disable unnecessary accounts (e.g. Guest account)
  - Change names and passwords for default accounts
  - Disable inactive accounts
  - Assign rights to groups, not individual users
  - Don't permit shared accounts if possible
- Configure time sync
- Enforce appropriate password policy
- Use 2-factor authentication when necessary
- Always use encrypted authentication

Windows Hardening
- Most Windows hardening is done using the Graphical User Interface
- Turning services and applications on/off in Windows
Q: Reducing services can increase host load and decrease performance: T / F

Windows Hardening
- Domain configuration and directory service needed for central security settings
- Windows 2000 introduced hierarchical domain structure with Active Directory
- Domain is a collection of resources
- Domain contains one or more domain controllers, member servers, client PCs
- Group policy objects (GPOs) on a domain controller can implement security policies throughout a domain

UNIX / Linux Hardening
- Many versions of UNIX
- No standard guideline for hardening
- User can select the user interface: Graphical User Interface (GUI), or Command-Line Interfaces (CLIs) or shells
- CLIs are case-sensitive, with commands in lowercase except for file names

UNIX / Linux Hardening
- Three ways to start services:
  - inetd program used to start services when requests come in from users
  - rc scripts to start services automatically at boot up
  - Start a service manually by typing its name or executing a batch file that does so
- inetd = Internet daemon, i.e. a computer program that runs in the background

UNIX / Linux Hardening
- Starting services upon client requests
  - Services not frequently used are dormant
  - Requests do not go directly to the service
  - Requests are sent to the inetd program, which is started at server boot up
[Figure: inetd dispatch. 1. Client request to port 123; 2. inetd looks up port 123 in /etc/inetd.config (Port 23: Program A, Port 80: Program B, Port 123: Program C, Port 1510: Program D); 3. Program C is selected; 4. Start Program C and process this request]

UNIX / Linux Hardening
- Turning on/off unnecessary services in UNIX
  - Identifying services running at any moment:
    - ps command (process status), usually with the aux parameters, lists running programs; shows process name and process ID (PID)
    - netstat tells what services are running on what ports
  - Turning off services in UNIX: the kill PID command is used to kill a particular process, e.g. kill 47 (if PID=47)
Q: You kill some services but see that they are running again the next day. Explain why.

Advanced Server Hardening Techniques
- Need to read event logs to diagnose problems: failed logins, changing permissions, starting programs, kernel messages, etc.

Advanced Server Hardening Techniques
- File Encryption
  - Protects files even if attacker breaks in
  - Key escrow: copy of encryption key is kept elsewhere to protect in case of key loss
- Windows Encrypting File System (EFS): select file in Windows Explorer, select Properties; click on the General tab's Advanced button; tick the box "Encrypt contents to secure data"
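A baseline check for the netstat/kill step above, written as an added example (not from the original slides): it parses constructed `netstat -tlnp`-style output, flags listeners that are outside a hypothetical allowed-port baseline, and for a port owned by inetd records why a plain kill does not stick (inetd, started at boot, spawns the handler again on the next request). The baseline ports, sample PIDs and program names are all assumptions.

```python
import re

# Constructed sample in the layout of `netstat -tlnp` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      598/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/master
tcp6       0      0 :::80                   :::*                    LISTEN      845/apache2
tcp        0      0 0.0.0.0:1510            0.0.0.0:*               LISTEN      598/inetd
"""

# Hypothetical security baseline for this host: TCP ports allowed to listen on all interfaces.
BASELINE_PORTS = {22, 80}

# proto, recv-q, send-q, local addr:port, foreign addr, state, pid/program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+|-)/(\S+)")


def parse_listeners(text):
    """Turn netstat -tlnp style lines into records of port, bind address, PID and program."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _proto, addr, port, pid, prog = m.groups()
            listeners.append({"port": int(port), "addr": addr, "pid": pid, "prog": prog})
    return listeners


def audit(listeners, baseline=BASELINE_PORTS):
    """Return (port, program, pid, how_to_disable) for each listener outside the baseline.
    Loopback-only binds are tolerated; everything else not in the baseline is a finding."""
    findings = []
    for rec in listeners:
        if rec["port"] in baseline or rec["addr"] in ("127.0.0.1", "::1"):
            continue
        if rec["prog"] == "inetd":
            # inetd is started at boot and respawns the handler on the next request, so a
            # kill of the handler does not stick: the port's inetd entry must be removed.
            how = "remove the port's entry from the inetd configuration and reload inetd"
        else:
            how = "kill the PID and remove its rc startup script so it does not return at boot"
        findings.append((rec["port"], rec["prog"], rec["pid"], how))
    return findings


if __name__ == "__main__":
    for port, prog, pid, how in audit(parse_listeners(SAMPLE_NETSTAT)):
        print(f"port {port} ({prog}, PID {pid}) not in baseline: {how}")
```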

Advanced Server Hardening Techniques
- File Integrity Checker
  - Creates snapshot of files: a hashed signature (message digest) for each file
  - After an attack, compares post-hack signatures with the snapshot
  - This allows the systems administrator to determine which files were changed
  - Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

Advanced Server Hardening Techniques
[Figure: Tripwire workflow. 1. Earlier time: File 1, File 2 and the other files in the policy list are hashed by Tripwire into the reference base (File 1 signature, File 2 signature). 2. After attack: the same files are hashed again into post-attack signatures. 3. Comparison to find changed files.]
- File integrity problem: many files change for legitimate reasons, so it is difficult to know which ones the attacker changed.

Other types of host that can be Hardened
- Internetwork Operating System (IOS) for Cisco routers, some switches, firewalls
- Even cable modems with web-based management interfaces
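The snapshot-and-compare cycle of the file integrity checker slides, as an added Python example (not Tripwire's code and not from the original deck): it hashes the files covered by a policy list into a reference base, re-hashes them later and reports what changed, was added or was removed. The constructed scenario keeps a log file outside the policy list, which is one way to keep legitimately changing files from drowning the comparison; the file names and contents are assumptions.

```python
import hashlib
import os
import tempfile

def file_signature(path):
    """SHA-256 message digest of a file's contents: the per-file 'signature' in the snapshot."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def snapshot(root, policy):
    """Map relative path -> signature for every file under root covered by the policy list
    (binaries, configs); logs and other paths that change legitimately are left out."""
    signatures = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(rel == p or rel.startswith(p + os.sep) for p in policy):
                signatures[rel] = file_signature(full)
    return signatures

def compare(reference, current):
    """Report monitored files that changed, appeared or disappeared since the reference base."""
    return {
        "changed": sorted(p for p in reference if p in current and reference[p] != current[p]),
        "added": sorted(p for p in current if p not in reference),
        "removed": sorted(p for p in reference if p not in current),
    }

def put_file(root, rel, data, mode="wb"):
    """Helper for the constructed scenario: create, overwrite or append a file under root."""
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(data)

def demo():
    """Constructed scenario: reference base, then a binary is altered, a config file appears
    and a log grows; the policy list covers bin and etc, so only the first two are reported."""
    root, policy = tempfile.mkdtemp(), ["bin", "etc"]
    put_file(root, "bin/login", b"original binary")
    put_file(root, "etc/passwd", b"root:x:0:0")
    put_file(root, "var/log/messages", b"boot")
    reference = snapshot(root, policy)                    # 1. earlier time
    put_file(root, "bin/login", b"modified binary")       # a monitored file is changed
    put_file(root, "etc/extra.conf", b"new file")         # a monitored file is added
    put_file(root, "var/log/messages", b"\nnoise", "ab")  # legitimate change outside the policy
    return compare(reference, snapshot(root, policy))     # 2. after, 3. comparison
```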