The Ten Most Important Steps You Can Take to Protect Your Windows-based Servers from Hackers

University of California, Riverside
Computing and Communications
Author: Joel Nylander

Document Goal

This document is offered as a guide for campus system administrators to assist them in securing their Windows NT and Windows 2000 servers against possible hacking attacks. In addition, this paper describes the current state of Windows-based server security at UCR and cites a few examples of recent attacks.

No system can be completely safe from attack. There is no guarantee, even if you follow all of the recommendations contained in this white paper, that your systems will be impenetrable. If you follow the suggestions outlined below, however, your risk will be greatly reduced.

Introduction

In recent months, our campus has witnessed a steadily increasing problem with hackers. These malicious individuals have been attacking several high-profile servers (Human Resources, Parking and others) on campus. These serious assaults have greatly impacted the departments that administer these servers by creating long service outages and by costing their technical staff many hours of unproductive time. The campus microcomputer support function is also affected by these incursions through the many hours required to help the technical staff in other departments get their systems back online.

These incidents are not unique to UCR, and they are not necessarily aimed specifically at our campus. Many of them are carried out by automated hacking tools that can be programmed to scan the Internet for vulnerable systems and attack when a hole is found. These tools are becoming more sophisticated and more readily available [1]. The common theme running through nearly all of these incidents is that the servers being targeted run the Windows NT 4.0 or Windows 2000 operating systems [2].
The reasons that can be given for Windows systems being more vulnerable are many and varied. The fact that Microsoft has issued forty-three security bulletins this year alone (as of 8/20/02) is indicative of the unending supply of newly discovered security holes in Microsoft operating systems. In addition, servers that are not centrally administered and housed by Computing and Communications are more vulnerable to attack for the following reasons:

- They are less likely to be using a more hacker-resistant operating system such as UNIX or Linux.
- They are more likely to be administered by someone whose job is not limited to IT responsibilities and who therefore has limited time and resources to spend staying current with security information and server protection routines.
- There is more likely to be a lack of physical security [3]. Departmental servers are often housed in areas that do not provide the level of physical security recommended for mission-critical systems.
Mitigative Actions by Computing & Communications (ongoing and planned)

Although Computing and Communications can only take responsibility for assuring that the servers we administer are as fully protected from attack as possible, we have taken steps to assist other campus departments in securing their exposed servers. To this end we have:

- Applied ACLs (access control lists) on the campus network that control the type of traffic which can flow to and from a particular server. These can be used to block unwanted off-campus traffic from reaching servers for which there is no legitimate need for off-campus access.
- Placed anti-spoofing rules at the border between the campus network and the rest of the world [4]. These rules prevent attackers from using Internet addresses (IP numbers) that are not registered to them, which they do to hide their tracks. C&C blocks traffic where:
  o Incoming packets have a source address from our network.
  o Incoming packets do not have a destination address within our network.
  o Outgoing traffic does not have a source address from our network.
  o Outgoing traffic has a destination address within our internal network.
- Used traffic monitors to scan the campus network for suspicious traffic.

Within months, Computing and Communications plans to offer, for a fee, firewall services to any department that desires further protection from attack. A firewall filters data to and from servers and workstations on campus, allowing only legitimate traffic to pass through. Although they cannot prevent all types of attacks [5], firewalls have proven to be a useful tool in many environments. The firewall solution currently being tested and readied for deployment offers the greatest protection at the least possible cost to departments.

Critical Security Recommendations for Windows-Based Servers

There are numerous steps that system administrators can take to protect their servers from attack.
The increase in the number and severity of hacking attempts in recent years has led to the forming of many organizations that offer consultation on computer security. Many of these organizations freely offer lists of recommended best practices to counter the hacker problem. We have examined many of these documents and, based on the most current data available, have compiled our own set of recommendations. Most of the attacks that we have experienced on campus would have been prevented, or at least minimized, had the recommendations below been in place.

Our recommendations are listed in order of importance. Each of them is important, but if you have limited time or limited resources, we suggest you start at the top of the list and work down.

1. Check all servers at least weekly for compliance with respect to all available Service Packs, patches and Hotfixes.

This is the most critical action one can take to reduce the likelihood of an attack. Once a bug or vulnerability is made public, hackers begin to search for systems that have not been patched, and the possibility of an attempted assault increases with each passing day. System administrators should make this step their highest ongoing priority.

August 26, 2002
There are numerous techniques and tools available to assist administrators in keeping their servers up-to-date with patches and hotfixes. Here is a list of some of those resources:

- Microsoft's Best Practices for Applying Service Packs, Hotfixes and Security Patches
  http://www.microsoft.com/technet/security/bestprac/bpsp.asp
- Microsoft's HFNetChk tool:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;q303215
- Microsoft Baseline Security Analyzer:
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsawp.asp
- IIS Lockdown Tool (Microsoft)

2. Verify that all users (and especially those users with administrative rights) have strong passwords. Enforce stronger password policies.

The only thing standing between a potential intruder and complete control of your server is the password on your administrator-enabled account(s). If an attacker can obtain the password for an account with administrator privileges, they can do ANYTHING. Each and every account with administrator rights should have a strong password. Individual user accounts should also have strong passwords, but there are human factors which may limit your ability to enforce stricter password policies on the average user. There is a fine balance between enforcing password policies and creating a burden on users that will actually lead to a net loss of protection. For example, if you force users to change their passwords too often, they may resort to writing them down on post-it notes and sticking them on their monitors.

Strong password characteristics:

- Passwords should contain a minimum of eight characters.
- Passwords should NOT contain dictionary words.
- Passwords should use a combination of uppercase, lowercase, numeric and special characters.
Enable strong password functionality by following the steps at the links below:

- Win NT 4.0: http://support.microsoft.com/default.aspx?scid=kb;en-us;q161990
- Win 2K: http://support.microsoft.com/default.aspx?scid=kb;en-us;q225230

Account policy settings:

- Accounts should be locked out after a maximum of five invalid login attempts.
- Maximum password age (duration) should be no more than 60 days, so that every password expires and must be changed at least that often.
- Minimum password age should be set to two or three days to prevent users from changing their passwords when required and then immediately changing them back to what they were before.
- Do not allow null (blank) passwords; setting a minimum password length, as mentioned in the first characteristic above, accomplishes this.
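The strength characteristics and account-policy settings above can be checked mechanically. The following is an added example written for this edition of the paper, not a tool from UCR or Microsoft: it tests a candidate password against the three characteristics (requiring three of the four character classes, which is the rule the Windows strong-password filter linked above applies; tighten it to all four if your policy demands that) and compares an account policy, entered as a dictionary of the values shown in User Manager or Local Security Policy, against the recommended thresholds. The word list is a constructed stand-in for a real dictionary, and the field names and the convention that a value of 0 means "never expires" or "no lockout" are assumptions of this example.

```python
import re

# Constructed stand-in for a real dictionary or common-password list.
# Assumption: a production check loads a full word list from disk.
DICTIONARY = {"password", "riverside", "summer", "admin", "welcome", "letmein", "campus"}

# Thresholds from recommendation 2. Assumption: 0 means "never expires" for
# the ages and "no lockout" for the threshold, as the NT/2000 dialogs present them.
RECOMMENDED_POLICY = {
    "min_password_length": 8,      # at least eight characters
    "lockout_threshold": 5,        # lock out after at most five bad attempts
    "max_password_age_days": 60,   # no more than 60 days
    "min_password_age_days": 2,    # two or three days
}

def normalize(password):
    """Lower-case and undo common digit/symbol substitutions so that
    'P@ssw0rd' is still recognised as the dictionary word 'password'."""
    table = str.maketrans("@0134$5!7", "aoleassit")
    return password.lower().translate(table)

def password_problems(password):
    """Return the strength rules a password violates; [] means it passes."""
    problems = []
    if len(password) < RECOMMENDED_POLICY["min_password_length"]:
        problems.append("shorter than 8 characters")
    classes = [
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        problems.append("needs at least three of: uppercase, lowercase, digit, special")
    normalized = normalize(password)
    for word in sorted(DICTIONARY):
        if len(word) >= 4 and word in normalized:
            problems.append("contains dictionary word '%s'" % word)
            break
    return problems

def policy_problems(policy):
    """Compare account-policy values (as shown in User Manager or Local
    Security Policy) against the recommended thresholds."""
    problems = []
    if policy.get("min_password_length", 0) < RECOMMENDED_POLICY["min_password_length"]:
        problems.append("minimum password length below 8 (also permits blank passwords)")
    threshold = policy.get("lockout_threshold", 0)
    if threshold == 0 or threshold > RECOMMENDED_POLICY["lockout_threshold"]:
        problems.append("lockout disabled or threshold above 5 attempts")
    max_age = policy.get("max_password_age_days", 0)
    if max_age == 0 or max_age > RECOMMENDED_POLICY["max_password_age_days"]:
        problems.append("passwords never expire or maximum age above 60 days")
    if policy.get("min_password_age_days", 0) < RECOMMENDED_POLICY["min_password_age_days"]:
        problems.append("minimum password age below 2 days (users can change straight back)")
    return problems

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Wq7#mVx2pL", "riversideucr"):
        print(candidate, password_problems(candidate) or "OK")
    # Constructed example of a default-style NT policy: no minimum length,
    # no lockout, 42-day expiry, no minimum age.
    weak = {"min_password_length": 0, "lockout_threshold": 0,
            "max_password_age_days": 42, "min_password_age_days": 0}
    print(policy_problems(weak))
```

The substitution table in normalize() is deliberately small; the point is that a dictionary check done on the raw string alone lets "P@ssw0rd" through, which is exactly the kind of password an attacker's word list already contains.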
3. Provide at least a minimum level of physical security for all servers.

Physical security minimums:

- Every server should be behind a locked door with access limited to only those individuals who have a legitimate need for access.
- When no one is working at the server console, the console session should be either logged out or locked so that a password is required to gain access.
- The server room should be arranged so that people outside the room cannot see the keyboard (and thus observe user or administrator passwords being typed) [6].
- Written evidence of user IDs and passwords should not be left lying around the server room.

4. Implement backup procedures for all systems.

- Create and maintain backup copies of at least the data files on all servers. Backups should be created regularly using well-conceived procedures that include some form of off-site storage of backup media in case the facility itself is lost.
- Create and maintain a current Emergency Repair Disk (ERD) for all systems. This often-overlooked measure is just as important as backing up your data files [7].
  NT 4.0 - http://support.microsoft.com/default.aspx?scid=kb;en-us;q156328
  Win 2K - http://support.microsoft.com/default.aspx?scid=kb;en-us;q231777
- Regularly test your restore procedures to verify that your backups are valid and restorable. Microsoft article on backup and recovery procedures:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;q287061

5. Use up-to-date anti-virus software.

Anti-virus software on a server may not stop hacking attempts, but it can detect many of the Trojan horse programs that hackers often use to sneak into your systems. After installing anti-virus software, be sure to routinely update the virus definitions so that the software can detect all viruses, including the most recently discovered ones.

6. Block access to/from any unnecessary TCP/UDP ports.
There are 65,535 TCP ports and 65,535 UDP ports on any given server, and any one of them on which a service is listening could become the path an attacker uses to gain unauthorized access to your systems. You should use whatever means are at your disposal to block access to the ports on your server for which there is no legitimate use. The most common and effective way to block access to these ports is a firewall. Firewalls can be separated into two categories:

Personal Firewall

A personal firewall is installed on the server itself and can be extremely effective at blocking unwanted traffic to and from your server. Below is a list of a few such products:
- ZoneAlarm Pro
  www.zonealarm.com
- BlackICE Server Protection
  http://www.iss.net/products_services/hsoffice_protection/blkice_protect_server.php
- Sygate Personal Firewall Pro 5
  http://soho.sygate.com/default.htm

Network Firewall

This type of firewall is placed on the campus network, between your server and the rest of the world. The network firewall's job is to block access to/from any particular port on your server. Computing and Communications will offer a firewall service in the next few months.

Firewalls cannot prevent every type of attack, and they can be somewhat difficult to configure. Determining which ports to leave open to allow the traffic you DO want, and which ones to block to filter the traffic you DON'T want, can be a lengthy and tedious process.

Additional firewall information resources:

- Firewall Guide Reviews
  http://www.firewallguide.com/software.htm#sybergen
- Yahoo Directory - Firewalls
  http://dir.yahoo.com/computers_and_internet/security_and_encryption/firewalls/

7. Enable security logging on all servers.

"Prevention is ideal, but detection is a must" [8] is a commonly repeated axiom in the computer security world. Hence, security forensics is one of the many keys to securing your Windows-based servers. Turning on the auditing features of your Windows-based servers enhances your ability to determine how an attempted attack was carried out and to what extent, if at all, your systems were compromised. Auditing can also help administrators detect unsuccessful attacks so that configuration changes can be made to defend against future attacks.
Follow the steps outlined at the links below to enable auditing on your servers:

- NT 4.0 - http://support.microsoft.com/default.aspx?scid=kb;en-us;q157238
- Win 2K - http://support.microsoft.com/default.aspx?scid=kb;en-us;q300549

Enable logging of the following events:

- Logon and Logoff - Success and Failure
- File and Object Access - Failure only
- Use of User Rights - Failure only
- User and Group Management - Success and Failure
- Security Policy Changes - Success and Failure
- Restart, Shutdown and System - Success and Failure
- Process Tracking - None
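With those categories enabled, the Security log contains the raw material for the detection goal of recommendation 7. The following is an added example, not part of the original paper: it reads a constructed, simplified text export of Security log entries (time, event ID, account, workstation) and flags two patterns: five or more bad-password failures (event 529) against one account within ten minutes, mirroring the lockout threshold of recommendation 2, and any account-creation (624), local-group-membership (636) or audit-policy-change (612) event, which is what the success auditing of User and Group Management and Security Policy Changes is there to surface. The event IDs are the NT 4.0/Windows 2000 Security log IDs; the export format and the sample entries are constructed, and real entries carry separate caller and target account fields that this simplified format collapses into one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export, not a real UCR log: one event per line, tab-separated as
# local time, event ID, account, workstation. Event IDs are the NT 4.0 / 2000
# Security log IDs (528 successful logon, 529 bad password, 539 lockout,
# 612 audit policy changed, 624 user account created, 636 member added to a
# local group). The account column stands in for the target account.
SAMPLE_EXPORT = (
    "2002-08-20 02:11:04\t528\tjnylander\tCC-ADMIN1\n"
    "2002-08-20 02:13:10\t529\tAdministrator\tUNKNOWN-7\n"
    "2002-08-20 02:13:11\t529\tAdministrator\tUNKNOWN-7\n"
    "2002-08-20 02:13:12\t529\tAdministrator\tUNKNOWN-7\n"
    "2002-08-20 02:13:13\t529\tAdministrator\tUNKNOWN-7\n"
    "2002-08-20 02:13:14\t529\tAdministrator\tUNKNOWN-7\n"
    "2002-08-20 02:13:15\t529\tAdministrator\tUNKNOWN-7\n"
    "2002-08-20 08:40:00\t529\tjsmith\tHR-PC12\n"
    "2002-08-20 14:02:51\t624\tbackup2\tHR-SRV1\n"
    "2002-08-20 14:03:07\t636\tbackup2\tHR-SRV1\n"
    "2002-08-20 14:05:30\t612\tbackup2\tHR-SRV1\n"
)

GUESSING_THRESHOLD = 5                  # same as the lockout threshold in recommendation 2
GUESSING_WINDOW = timedelta(minutes=10)

# Events that are always worth a look when they succeed.
ALWAYS_REPORT = {
    539: "account locked out",
    612: "audit policy changed",
    624: "user account created",
    636: "member added to a local group (check for Administrators)",
}

def parse_export(text):
    """Turn the tab-separated export into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, workstation = line.split("\t")
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "account": account,
            "workstation": workstation,
        })
    return sorted(events, key=lambda e: e["time"])

def find_password_guessing(events):
    """Sliding window over 529 events per account: report the first point at
    which GUESSING_THRESHOLD failures fall inside GUESSING_WINDOW, with the
    workstations the attempts came from."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            failures[e["account"]].append(e)
    findings = []
    for account, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > GUESSING_WINDOW:
                start += 1
            count = end - start + 1
            if count >= GUESSING_THRESHOLD:
                sources = sorted({f["workstation"] for f in fails[start:end + 1]})
                findings.append((account, count, sources))
                break
    return findings

def find_account_and_policy_changes(events):
    """Every event in ALWAYS_REPORT, in time order."""
    return [(e["time"], e["id"], ALWAYS_REPORT[e["id"]], e["account"])
            for e in events if e["id"] in ALWAYS_REPORT]

def scan(text):
    events = parse_export(text)
    return {
        "guessing": find_password_guessing(events),
        "changes": find_account_and_policy_changes(events),
    }

if __name__ == "__main__":
    report = scan(SAMPLE_EXPORT)
    for account, count, sources in report["guessing"]:
        print("password guessing against %s: %d failures from %s"
              % (account, count, ", ".join(sources)))
    for when, event_id, what, account in report["changes"]:
        print("%s event %d: %s (%s)" % (when, event_id, what, account))
```

The single failure against jsmith is not reported; a lone mistyped password is noise, and the threshold is what separates it from the burst against Administrator. The three afternoon events, on the other hand, are reported unconditionally: a new account, a group-membership change and an audit-policy change in the space of three minutes on the same server is the sequence an intruder who has already obtained administrator rights would produce, whether or not anything else in the log looks wrong.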
IMPORTANT NOTE: Once you have enabled auditing, make a habit of scanning the security logs on a regular basis. You may discover events that tip you off to an attack that was unsuccessful and provide the information required to stop future attacks.

Another article on auditing, from Ernest Orlando Lawrence Berkeley National Laboratory:
http://www.lbl.gov/icsd/security/systems/auditing.html

8. Disable any unnecessary services.

If you perform a default installation, Windows NT/2000 servers are configured to run many services which may not be required. Running services on your servers that you don't need is like having doors on your house that you never go through. Why risk someone breaking in when you can eliminate the door altogether? Examine each of your servers, look at each service that is running, and ask yourself "Do I really need this?" If the answer is no, disable or remove the service. A freeware tool from Foundstone (a computer security company) called Vision can help you identify the services running on your server and the TCP/UDP ports they are listening on. The article referenced below can help you determine which services you need and which ones you don't:

Default Services Required for Internet Information Server Services
http://support.microsoft.com/default.aspx?scid=kb;en-us;q164885

9. Disable anonymous user account enumeration.

By default on all Windows NT systems, and on some Windows 2000 systems, a remote user can connect without a user name and password (a "null session") and then list all of the user account names on the system. In addition to enumerating the user names, the attacker is also given the information needed to determine which of the listed accounts have administrator privileges. This hole has been used recently against campus servers to give hackers a list of NT/2000 server user names, including which accounts have administrator privileges.
Using the RestrictAnonymous registry entry, you can block this anonymous access to user information:

- NT 4.0 - http://support.microsoft.com/default.aspx?scid=kb;en-us;q143474
- Win 2K - http://support.microsoft.com/default.aspx?scid=kb;en-us;q246261

10. Use NTFS.

All Windows NT and Windows 2000 systems should be formatted using NTFS, not FAT or FAT32. Neither FAT nor FAT32 supports file-level permissions (ACLs), so nothing on such a volume can be protected from a user who has gained access to the system; using them represents a substantial risk of compromise.
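Before the summary, one worked example drawing together two of the filtering ideas in this paper: the four border anti-spoofing rules listed under Mitigative Actions and the per-server port blocking of recommendation 6. It is an added example, not the original paper's material and not C&C's actual router or firewall configuration. The campus prefix 192.0.2.0/24 is a documentation-range placeholder rather than UCR's real address space, and the server allow-list is an assumed profile for an intranet web and file server that only needs HTTPS reachable from off campus.

```python
import ipaddress

# Placeholder for the campus address space (RFC 5737 documentation range),
# not UCR's real prefix.
CAMPUS = ipaddress.ip_network("192.0.2.0/24")

# Assumed profile for one departmental server: HTTPS reachable from anywhere,
# HTTP and Windows file sharing from campus only, nothing else inbound.
SERVER_POLICY = {
    "tcp": {443: "any", 80: "campus", 139: "campus", 445: "campus"},
    "udp": {137: "campus", 138: "campus"},
}

def in_campus(addr):
    return ipaddress.ip_address(addr) in CAMPUS

def antispoof(direction, src, dst):
    """The four border rules from the Mitigative Actions section.
    direction is 'in' (entering campus) or 'out' (leaving campus).
    Returns the text of the violated rule, or None if the packet passes."""
    if direction == "in":
        if in_campus(src):
            return "incoming packet has a source address from our network"
        if not in_campus(dst):
            return "incoming packet has a destination outside our network"
    elif direction == "out":
        if not in_campus(src):
            return "outgoing packet has a source address not from our network"
        if in_campus(dst):
            return "outgoing packet has a destination inside our network"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return None

def server_filter(proto, src, dst_port, policy=SERVER_POLICY):
    """Recommendation 6 for one server: drop everything not in the allow-list,
    and restrict campus-only ports to campus sources."""
    scope = policy.get(proto, {}).get(dst_port)
    if scope is None:
        return ("drop", "%s/%d not in allow-list" % (proto, dst_port))
    if scope == "campus" and not in_campus(src):
        return ("drop", "%s/%d is campus-only" % (proto, dst_port))
    return ("allow", "%s/%d permitted" % (proto, dst_port))

def reach_server(proto, src, dst, dst_port, from_outside):
    """Trace one packet toward a campus server. from_outside says which side
    of the border router it arrived on; packets from outside must pass the
    anti-spoofing rules before the server's own filter is consulted."""
    if from_outside:
        violated = antispoof("in", src, dst)
        if violated:
            return ("drop", "border: " + violated)
    verdict, why = server_filter(proto, src, dst_port)
    return (verdict, "server: " + why)

if __name__ == "__main__":
    server = "192.0.2.20"
    cases = [
        ("tcp", "203.0.113.5", server, 443, True),   # off-campus HTTPS: allowed
        ("tcp", "203.0.113.5", server, 139, True),   # off-campus SMB: campus-only
        ("tcp", "192.0.2.99", server, 139, True),    # forged campus source from outside
        ("tcp", "192.0.2.99", server, 139, False),   # genuine campus client
        ("udp", "203.0.113.5", server, 53, True),    # nothing listens: not in allow-list
    ]
    for proto, src, dst, port, outside in cases:
        print(proto, src, "->", dst, port, reach_server(proto, src, dst, port, outside))
```

The third case is the reason the two layers belong together: without the border rule, an outsider forging a campus source address would be treated as a campus client by the server's own "campus-only" rule and reach the file-sharing ports. With the border rule in place the forged packet is dropped before the server ever sees it.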
Summary

The most important idea to take away from this white paper is this: securing your Windows-based servers is a journey, not a destination [9]. There will never be a point at which you can stop and say "I'm finished; now all of my servers are secure." Computer security means staying constantly vigilant, both proactively and reactively. Here are some tips:

- Use checklists to help remind you what steps should be taken and when.
- Subscribe to e-mail lists that focus on security.
  o http://infosecuritymag.bellevue.com/
  o http://www.cert.org/other_sources/usenet.html
- Visit security-focused web sites on a regular basis.
- Subscribe to one or more of the many periodicals that discuss security-related issues:
  o http://www.scmagazine.com/
  o http://www.infosecuritymag.com/
- Create written procedures for all security-related activities so that others can complete important security tasks if you are away.

If you would like to learn more about Windows NT/2000 security, we have included links to some very informative web resources:

- Securing NT, by SecurityFocus
  http://online.securityfocus.com/infocus/1340
- Security and Privacy, by Microsoft
  http://www.microsoft.com/security/
- Enterprise Security, by SecurityFocus
  http://www.securityfocus.com/
- CERT (Computer Emergency Response Team), by CERT
  http://www.cert.org
- Security Tools and Checklists, by Microsoft
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
- Free Security Tools, by Foundstone, Inc.
  http://www.foundstone.com/knowledge/free_tools.html

Acknowledgments

The following individuals helped in the creation of this document by providing tips and helpful ideas:

- Tom Lee, Computer Security Expert, Foundstone Inc.
- William Easley, IT Manager, University of California, Riverside
- Lisa Parks, Network Operations Analyst, University of California, Riverside

Notes

[1] http://www.cert.org/archive/pdf/attack_trends.pdf Copyright 2002 Carnegie Mellon University.
[2] http://www.cnn.com/tech/computing/9803/04/microsoft.attack/ "Hacker attacks target Windows NT computers", CNN Interactive, March 4, 1998, Copyright 1998 Cable News Network, Inc.
[3] http://www.cert.org/security-improvement/practices/p037.html Copyright 1999, 2000, 2001, 2002 Carnegie Mellon University.
[4] As per recommendations found in the SANS report "The Twenty Most Critical Internet Security Vulnerabilities", Copyright 2000-2002 SANS Institute.
[5] http://security.oreilly.com/news/firewalls_0700.html "12 Tips on Building Firewalls", Tip #4, Copyright 2001, O'Reilly & Associates, Inc.
[6] http://www.activsupport.com/network/vpn_security/physical_security.html "Physically securing the servers", Copyright 2001 Activsupport Inc.
[7] http://support.microsoft.com/default.aspx?scid=kb;en-us;q156328 "Description of Windows NT Emergency Repair Disk", Copyright Microsoft Corp.
[8] http://www.sans.org/top20.htm "The Twenty Most Critical Internet Security Vulnerabilities", SANS Institute, Copyright 2000-2002 SANS Institute.
[9] http://www.landfield.com/isn/mail-archive/2000/oct/0005.html