CIS-162. Security Baselines. Best Practice aka Beer and Pizza. Remove all unneeded processes




Transcription:

CIS-162 Introduction to Network Security
CompTIA Security+ Exam Domain 3

Security Baselines
- Standard that organization systems must comply with
- Establish the norm of consistency
- Detect the anomaly
- Perform prior to bringing into production
- Hardening the system
- Establish system security state baseline
- Uniform baselines
- Maintenance cost reduction
- Use security template

Best Practice aka Beer and Pizza
- Remove all unneeded processes
  - System utilities and services
  - Default installation (IIS)
  - Applications
  - Network services
- Apply patches (see above)
- Apply hot fixes
- Apply (security) settings

Password Security / Password Policy
- Username and password: first line of defense
- Complexity
  - Mix alphabetic (A-Z and a-z)
  - Numeric (0-9)
  - Special characters as permitted by OS
  - No words in dictionary
  - Do not permit use or part of login name
- Length (Windows 8 or more, Unix 6 or more)
- Password history retention
- Password aging (maximum and minimum)

Password Security
- Enforce password policy
  - Through OS password policy settings
  - System utilities:
    - Windows NT 4.0 Service Pack 2: PASSFILT.DLL
    - Linux: Npasswd, PAM (Pluggable Authentication Modules)
    - Solaris: PAM
- Perform password audit
  - Shadow file (only the shadow knows)

Password Auditing Utilities
- Black-hat tools are your tools
  - L0phtCrack - currently LC5 (Windows)
  - John the Ripper (Unix and DOS)
  - Crack (Unix)
- Attacks
  - Dictionary: 2 million words unabridged
  - Brute forcing: password length of 8 characters
    - 26 upper case, 26 lower case, 10 digits, 32 special characters
    - Password length of 8: 6,704,780,954,517,120 or six quadrillion
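As an added example (not part of the slides), a Python sketch of the two things this slide quantifies: the brute-force keyspace behind the 6,704,780,954,517,120 figure and a checker for the complexity and length rules listed above. The five-word dictionary, the usernames and a 95-symbol alphabet (the slide's 94 plus the space character) are my assumptions; with those, the cumulative count of all passwords of length 1 through 8 reproduces the slide's number exactly.

```python
import string

# Character classes as the slide counts them: 26 upper, 26 lower, 10 digits, 32 specials.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = string.punctuation            # exactly 32 ASCII symbols, matching the slide
MIN_LENGTH = {"windows": 8, "unix": 6}  # minimum lengths from the slide

# Constructed stand-in for the slide's 2-million-word unabridged dictionary.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "football"}


def keyspace(alphabet_size: int, length: int, cumulative: bool = False) -> int:
    """Distinct passwords over an alphabet: exactly `length` long, or (cumulative=True)
    every length from 1 up to and including `length`."""
    if cumulative:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline audit tool to try the whole space (for sizing policy)."""
    return space / guesses_per_second


def policy_violations(password: str, username: str, os_name: str = "windows") -> list:
    """Rules from the slide that `password` breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH[os_name]:
        problems.append(f"shorter than {MIN_LENGTH[os_name]} characters ({os_name})")
    if not all(any(c in cls for c in password) for cls in (UPPER, LOWER, DIGITS, SPECIAL)):
        problems.append("missing a character class (need upper, lower, digit, special)")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    # "Do not permit use or part of login name": reject any 3+ character run of it.
    u = username.lower()
    if any(u[i:i + 3] in password.lower() for i in range(len(u) - 2)):
        problems.append("contains part of the login name")
    return problems


if __name__ == "__main__":
    print(f"94 symbols, exactly 8 long:      {keyspace(94, 8):,}")
    # Assumption: the slide's figure counts lengths 1..8 over 95 symbols (space included).
    print(f"95 symbols, lengths 1 through 8: {keyspace(95, 8, cumulative=True):,}")
    years = seconds_to_exhaust(keyspace(95, 8, cumulative=True), 1e9) / 31_557_600
    print(f"at one billion guesses per second that is about {years:.1f} years")
    print(policy_violations("Bob2024!", "bob"))   # constructed sample: reuses the login name
```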

Hardening Windows
- Restrict permission on critical files
- Restrict permission on the Registry
- Disable all unnecessary services
  - Determine unnecessary services and dependencies
  - Block unneeded ports
- Executables
  - Apply security permissions
  - Remove unnecessary executables; at the least rename or move them
- Apply service packs, patches and hot-fixes

Hardening Windows
- User accounts
  - Remove all unnecessary user accounts
  - Rename Administrator
  - Create dummy administrator account
  - Disable or remove Guest
- Enforce password security policy
  - Minimum password length 8 characters

Hardening Windows
- Enforce password security policy
- Review security on upgraded systems
- File / Folder Share
  - Remove unnecessary shares
  - Apply restrictions
  - Be aware of administrative shares (disable as needed)
- Install antivirus
- No enterprise firewall? Install host firewall

Hardening Windows
- Monitoring
  - Event viewer: Application log, Security log, System log
  - Set log warning
  - Auditing

Hardening Windows
- Follow established guidelines
  - Microsoft
  - NSA: http://nsa2.www.conxion.com/win2k/download.htm
  - Modify to fit your needs
- Use the Baseline Security Analyzer
- Penetration testing

Hardening Unix
- Unix flavors
  - Solaris
  - BSD (Berkeley University)
  - Mac OS X (Unix based)
  - Linux distributions: Red Hat, SuSE, Debian, Knoppix, Lycoris, Mandrake, Slackware (College Linux), Yellow Dog, Turbo Linux, TSL, Fedora Project, Gentoo, Ubuntu

Unix File / Directory Attributes

                 Owner    Group    World (Others)
  File       -   r w x    r w x    r w x
  Directory  d
  Bit value      4 2 1    4 2 1    4 2 1

- r = Read, w = Write, x = Execute
- Examples:
  - chmod a+r filename (read to everyone)
  - chmod go+wx filename (group and others: write and execute)
  - chmod u-w filename (owner: inhibit write)

Unix File / Directory Commands
- chmod: file or directory attributes

Unix Ownership Commands
- chown: change ownership attributes
- chgrp: change group attributes

Unix umask Command
- The umask command grants or denies permissions
- It uses inverse bits
- Example: umask 077
  - 0 = grants to owner
  - 77 = denies to group and world
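The bit arithmetic on this slide, worked through in Python as an added example (not from the slides): the three chmod specs above applied to a mode, the ls-style rendering of the result, and the "inverse bits" behaviour of umask 077 on a new file and directory. The starting mode 0600 and the chmod spec parser are my own constructions; only the `+`/`-` symbolic forms shown on the slide are supported.

```python
# Bit values from the slide: r = 4, w = 2, x = 1, repeated for owner, group and world.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Position of each triple inside the 9-bit mode: owner is the high octal digit.
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}


def apply_chmod(mode: int, spec: str) -> int:
    """Apply one symbolic chmod spec ('a+r', 'go+wx', 'u-w', ...) to a 9-bit mode."""
    op_pos = max(spec.find("+"), spec.find("-"))
    if op_pos < 0:
        raise ValueError(f"unsupported chmod spec: {spec!r}")
    who, op, perms = spec[:op_pos], spec[op_pos], spec[op_pos + 1:]
    who = "ugo" if who in ("", "a") else who          # 'a' (or nothing) means everyone
    bits = 0
    for w in who:
        for p in perms:
            bits |= PERM_BITS[p] << WHO_SHIFT[w]
    return mode | bits if op == "+" else mode & ~bits


def symbolic(mode: int) -> str:
    """Render a 9-bit mode as ls -l shows it, e.g. 0o644 -> 'rw-r--r--'."""
    triples = ((mode >> shift) & 0o7 for shift in (6, 3, 0))
    return "".join(ch if t & bit else "-" for t in triples for ch, bit in PERM_BITS.items())


def apply_umask(umask: int, directory: bool = False) -> int:
    """Mode a new file (0666) or directory (0777) receives under `umask`: every bit set
    in the mask is taken away, which is what the slide calls 'inverse bits'."""
    return (0o777 if directory else 0o666) & ~umask


def denied_by_umask(umask: int) -> dict:
    """Letters each umask digit denies, e.g. 0o077 -> {'u': '', 'g': 'rwx', 'o': 'rwx'}."""
    return {who: "".join(ch for ch, bit in PERM_BITS.items() if (umask >> shift) & bit)
            for who, shift in WHO_SHIFT.items()}


if __name__ == "__main__":
    mode = 0o600                                     # constructed starting mode: owner rw only
    for spec in ("a+r", "go+wx", "u-w"):             # the three chmod examples on the slide
        mode = apply_chmod(mode, spec)
        print(f"chmod {spec:<6} -> {mode:04o} {symbolic(mode)}")
    print(f"umask 077: new file {apply_umask(0o077):04o}, new dir {apply_umask(0o077, True):04o}")
    print("umask 077 denies:", denied_by_umask(0o077))
```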

Solaris
  pkgadd       Add binary distribution packages
  pkgrm        Remove binary distribution packages
  patchadd     Add patch to system
  patchrm      Remove patch from system
  pkgparam     List installed patches
  smpatch      Signed patches processing
  inetd.conf   List of services - location /etc
  TCP wrapper  hosts.allow, hosts.deny (ALL:ALL)

Solaris
- User account in /etc/passwd
- Group in /etc/group
- Maintenance
  - Manual edit
  - useradd utility
  - Management console
  - passwd command
  - /etc/default/passwd
  - Common Desktop Environment (CDE)

Linux (Red Hat)
  rpm          Red Hat Package Manager
  rpm -qa      List installed software packages
  rpm -e       Remove software package
  useradd      Add user account (/etc/passwd)
  userdel      Delete user account (/etc/passwd)
  xinetd       Extended Internet Service daemon (listen) - /etc/xinetd.d
  TCP wrapper  hosts.allow, hosts.deny (ALL:ALL)

Software Updates
  Hotfix        Addresses specific problem
  Patch         Addresses multiple problems
  Service Pack  Formal updates; rolled up patches
  Firmware      Hardware specific
  Upgrades      Software version/release change

Online Update
- Windows Automatic Update: system based
- Red Hat Update Agent: profile based

Network Hardening
- SNMP default community passwords
  - public: read community
  - private: read/write community
- Ports and service blocking
- Traffic filtering
  - Router access control list (ACL)
  - Router and firewall configuration

Application Hardening: Web Server
- Internet Information Server (IIS)
  - Microsoft IIS guidelines
  - Remove sample files
  - Set file and folder permissions
- Apache
  - Open source guideline
  - Remove sample files
  - Set file and directory permissions

Application Hardening: Mail Servers
- wiz: gives intruder full system access
- vrfy: verifies valid email account
- expn: expands an alias list to full address list (example: expn all-users)
- Open relay (spam)
- Buffer overflow: patch
- Microsoft Exchange
- Sendmail

Application Hardening: File Transfer Protocol (FTP) Servers
- Disable anonymous
- Consider using secure protocol
- Active mode (server sends)
  - Client port x > 1024 to server port 21
  - Client port x: server to connect back to data port x+1
  - Server sends data from port 20 to client data port x+1
- Passive mode (server is passive)
  - Client opens port x for control, x+1 for data
  - Client PASV tells server to open its data port
  - Server PORT tells client of its data port y
  - Client initiates from its data port x+1 to server data port y
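The active/passive port exchange above, as an added Python example (not from the slides): a helper that lists the TCP connections each FTP mode needs, in the slide's x, x+1 and y notation, and which of them arrive inbound at a given side. The host labels "client" and "server" and the sample ports 5000 and 40000 are constructed. It makes visible why active mode requires the client's host firewall to accept a connection from server port 20, while passive mode keeps every connection client-initiated.

```python
from typing import List, Optional, Tuple

FTP_CONTROL_PORT = 21      # server control port, as on the slide
FTP_ACTIVE_DATA_PORT = 20  # server data port in active mode, as on the slide

# (initiator, src_host, src_port, dst_host, dst_port)
Flow = Tuple[str, str, int, str, int]


def ftp_flows(mode: str, client_port: int, server_data_port: Optional[int] = None) -> List[Flow]:
    """TCP connections one FTP session needs, in the slide's notation.
    active : client x -> server 21, then server 20 -> client x+1
    passive: client x -> server 21, then client x+1 -> server y (y comes from the PASV reply)"""
    if client_port <= 1024:
        raise ValueError("client control port x must be > 1024")
    flows: List[Flow] = [("client", "client", client_port, "server", FTP_CONTROL_PORT)]
    if mode == "active":
        flows.append(("server", "server", FTP_ACTIVE_DATA_PORT, "client", client_port + 1))
    elif mode == "passive":
        if server_data_port is None:
            raise ValueError("passive mode needs the data port y announced by the server")
        flows.append(("client", "client", client_port + 1, "server", server_data_port))
    else:
        raise ValueError(f"unknown FTP mode: {mode!r}")
    return flows


def inbound_to(host: str, flows: List[Flow]) -> List[Flow]:
    """Connections that arrive at `host` initiated by the other side: exactly what a host
    firewall on that side has to permit."""
    return [f for f in flows if f[3] == host and f[0] != host]


if __name__ == "__main__":
    x, y = 5000, 40000                               # constructed sample ports
    for mode, data_port in (("active", None), ("passive", y)):
        flows = ftp_flows(mode, x, data_port)
        print(f"{mode}: client firewall must accept {inbound_to('client', flows)}")
        print(f"{mode}: server firewall must accept {inbound_to('server', flows)}")
```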

Domain Name System (DNS)
- UDP and TCP port 53 (zone transfer)
- 13 root servers
- Berkeley Internet Name Domain (BIND)
- Dynamic DNS (Microsoft) and AD
- Security attacks: buffer overflow, DoS, cache poisoning

File / Print Services and Active Directory
- File and Print Services
  - Require authentication
  - Permission settings
  - Disable if not needed
- Active Directory
  - Domain, tree and forest
  - Schema
  - Distributed management permission
  - LDAP, LDIF and DET (Directory Entry Table)