CIS-162 Introduction to Network Security
CompTIA Security+ Exam Domain 3

Security Baselines
- Standard that organization systems must comply with
- Establish the norm of consistency
- Detect the anomaly
- Perform prior to bringing into production

Hardening the system
- Establish the system security state baseline
- Uniform baselines
- Maintenance cost reduction
- Use security templates

Best Practice (aka "Beer and Pizza")
- Remove all unneeded processes
  - System utilities and services
  - Default installation (IIS)
  - Applications
  - Network services
- Apply patches (see above)
- Apply hot fixes
- Apply (security) settings
Password Security / Password Policy
- Username and password: first line of defense
- Complexity
  - Mix alphabetic (A-Z and a-z), numeric (0-9) and special characters as permitted by the OS
  - No words in the dictionary
  - Do not permit the user name, or part of the login name
- Length (Windows 8 or more, Unix 6 or more)
- Password history retention
- Password aging (maximum and minimum)

Password Security
- Enforce password policy
  - Through OS password policy settings
  - System utilities: Windows NT 4.0 Service Pack 2 PASSFILT.DLL; Linux NPasswd, PAM (Pluggable Authentication Modules); Solaris PAM
- Perform password audit
  - Shadow file (only the shadow knows)

Password Auditing Utilities
- Black-hat tools are your tools
  - L0phtCrack, currently LC5 (Windows)
  - John the Ripper (Unix and DOS)
  - Crack (Unix)
- Attacks
  - Dictionary: 2 million words unabridged
  - Brute forcing: password length of 8 characters; 26 upper case + 26 lower case + 10 digits + 32 special characters
  - Password length of 8: 6,704,780,954,517,120, or six quadrillion
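The policy rules above (character-class mix, no dictionary words, no login name or part of it, minimum length) are what an enforcement utility such as PASSFILT.DLL or a PAM module checks at password-change time. The following is an added example, not code from the course slides: a small policy checker written from those rules, plus a search-space calculation from the four character classes the slide counts (26 + 26 + 10 + 32 = 94). The word list is a constructed toy dictionary; a real audit loads a full one.

```python
"""Password-policy check and brute-force search-space estimate (added example)."""
import string

# Constructed toy dictionary; a real deployment loads a full word list.
DICTIONARY = {"password", "welcome", "secret", "summer", "letmein"}

# Character classes exactly as the slide counts them: 26 + 26 + 10 + 32 = 94.
CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32 printable specials
}


def check_password(password, username, min_length=8, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes_used = {name for name, chars in CHAR_CLASSES.items()
                    if any(c in chars for c in password)}
    if len(classes_used) < min_classes:
        problems.append(f"uses only {len(classes_used)} of {min_classes} required character classes")

    lowered = password.lower()
    # "No words in dictionary": reject the word itself and any password embedding it.
    if lowered in DICTIONARY or any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")

    # "Do not permit user or part of login name": reject the whole login name
    # and any 3-character slice of it.
    uname = username.lower()
    if uname and (uname in lowered or
                  any(uname[i:i + 3] in lowered for i in range(len(uname) - 2))):
        problems.append("contains the login name or part of it")
    return problems


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def brute_force_growth(alphabet_size, short_len, long_len):
    """How many times larger the search space is at long_len than at short_len."""
    return keyspace(alphabet_size, long_len) // keyspace(alphabet_size, short_len)


if __name__ == "__main__":
    for pw in ("password1", "Jsmith#2024", "Tr0ub4dor!x"):
        print(pw, "->", check_password(pw, "jsmith") or "OK")
    # The slide's Unix minimum (6) versus Windows minimum (8), same 94-symbol alphabet.
    print("8-char space is", brute_force_growth(94, 6, 8), "times the 6-char space")
```

The login-name check deliberately matches short slices so that "jsmith" is caught inside "Jsmith#2024" even though the rest of the password is strong; tune the slice length to taste, but keep the check, since the login name is the first thing a dictionary attack tries.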
Hardening Windows
- Restrict permissions on critical files
- Restrict permissions on the Registry
- Disable all unnecessary services
  - Determine unnecessary services and their dependencies
- Block unneeded ports
- Executables
  - Apply security permissions
  - Remove unnecessary executables (at the least, rename or move them)
- Apply service packs, patches and hot-fixes

Hardening Windows
- User accounts
  - Remove all unnecessary user accounts
  - Rename Administrator
  - Create a dummy administrator account
  - Disable or remove Guest
- Enforce password security policy
  - Minimum password length 8 characters

Hardening Windows
- Enforce password security policy
- Review security on upgraded systems
- File / Folder Shares
  - Remove unnecessary shares
  - Apply restrictions
  - Be aware of administrative shares (disable as needed)
- Install antivirus
- No enterprise firewall? Install a host firewall
Hardening Windows
- Monitoring
  - Event Viewer: Application log, Security log, System log
  - Set log warning
- Auditing

Hardening Windows
- Follow established guidelines
  - Microsoft
  - NSA: http://nsa2.www.conxion.com/win2k/download.htm
  - Modify to fit your needs
- Use the Baseline Security Analyzer
- Penetration testing

Hardening Unix
- Unix flavors
  - Solaris
  - BSD (Berkeley University)
  - Mac OS X (Unix based)
  - Linux distributions: Red Hat, SuSE, Debian, Knoppix, Lycoris, Mandrake, Slackware (College Linux), Yellow Dog, Turbo Linux, TSL, Fedora Project, Gentoo, Ubuntu
Unix File / Directory Attributes
  Type (- file, d directory)   Owner    Group    World (others)
  Permission                   r w x    r w x    r w x
  Bit value                    4 2 1    4 2 1    4 2 1
  r = Read, w = Write, x = Execute
Examples:
  chmod a+r filename     (read to everyone)
  chmod go+wx filename   (group and others: write and execute)
  chmod u-w filename     (owner: inhibit write)

Unix File / Directory Commands
- chmod: change file or directory attributes
- chown: change ownership attributes
- chgrp: change group attributes

Unix umask Command
- The umask command grants or denies permissions
- It uses inverse bits
- Example: umask 077
  - 0 = grants to owner
  - 77 = denies to group and world
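To make the bit table and the "inverse bits" rule concrete, here is an added example (not from the course slides) that does the same arithmetic chmod and umask do: it applies symbolic specs such as a+r, go+wx and u-w to an octal mode, removes a umask's bits from a requested creation mode, and renders the result the way ls -l shows it. It works on integers only and never touches the filesystem; the file modes used in the demo are illustrative.

```python
"""Unix mode bits: symbolic chmod and umask as integer arithmetic (added example)."""
import stat

# Bit weights per class, as in the slide's 4 2 1 table.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Where each class's three bits sit in the octal mode: owner is the high digit.
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}


def chmod_symbolic(mode, spec):
    """Apply one symbolic chmod spec (e.g. 'go+wx') to an integer mode; return the new mode."""
    i = 0
    who = ""
    while i < len(spec) and spec[i] in "ugoa":
        who += spec[i]
        i += 1
    if i >= len(spec) or spec[i] not in "+-=":
        raise ValueError(f"bad chmod spec: {spec!r}")
    op, perms = spec[i], spec[i + 1:]
    if not who or "a" in who:
        who = "ugo"        # 'a' means all three classes (no class given: simplified to 'a')

    bits = 0
    for cls in who:
        for p in perms:
            bits |= PERM_BITS[p] << CLASS_SHIFT[cls]

    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    # '=': replace the named classes' bits entirely
    clear = 0
    for cls in who:
        clear |= 0o7 << CLASS_SHIFT[cls]
    return (mode & ~clear) | bits


def apply_umask(requested_mode, umask):
    """File creation: every bit set in the umask is denied (the 'inverse bits' rule)."""
    return requested_mode & ~umask


def mode_to_string(mode):
    """Render the nine permission bits like ls -l, e.g. 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]


if __name__ == "__main__":
    m = 0o600
    for spec in ("a+r", "go+wx", "u-w"):
        m = chmod_symbolic(m, spec)
        print(f"chmod {spec:<6} -> {m:04o} {mode_to_string(m)}")
    # umask 077 on the usual 0666 creation request: owner keeps rw, everyone else gets nothing.
    created = apply_umask(0o666, 0o077)
    print(f"umask 077 -> {created:04o} {mode_to_string(created)}")
```

Note that umask 077 cannot grant anything: it only removes bits from what the creating program asked for, which is why a default of 0666 becomes 0600 and a default of 0777 (directories, executables) becomes 0700.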
Solaris
- pkgadd: add binary distribution packages
- pkgrm: remove binary distribution packages
- patchadd: add a patch to the system
- patchrm: remove a patch from the system
- pkgparam: list installed patches
- smpatch: signed patch processing
- inetd.conf: list of services (location /etc)
- tcp wrapper: hosts.allow, hosts.deny (ALL:ALL)

Solaris
- User accounts in /etc/passwd
- Groups in /etc/group
- Maintenance
  - Manual edit
  - useradd utility
  - Management console
- passwd command, /etc/default/passwd
- Common Desktop Environment (CDE)

Linux (Red Hat)
- rpm: Red Hat Package Manager
- rpm -qa: list installed software packages
- rpm -e: remove a software package
- useradd: add a user account (/etc/passwd)
- userdel: delete a user account (/etc/passwd)
- xinetd: Extended Internet Service daemon (listener), /etc/xinetd.d
- tcp wrapper: hosts.allow, hosts.deny (ALL:ALL)
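The "(ALL:ALL)" next to hosts.deny on both the Solaris and Red Hat slides is the whole point of TCP wrappers: access is granted on the first match in hosts.allow, refused on the first match in hosts.deny, and granted if neither file matches, so without a catch-all deny line every wrapped service is open by default. The following added example (not from the course slides) reproduces that decision order over two constructed files; it supports only daemon lists, ALL, exact client addresses and dotted network prefixes such as "192.168.1.", a subset of the real syntax.

```python
"""TCP wrapper decision logic for hosts.allow / hosts.deny (added example)."""

# Constructed sample files, not copied from any real system.
HOSTS_ALLOW = """
# explicit allow list: sshd from the LAN, FTP from one host
sshd: 192.168.1.
in.ftpd: 192.168.1.10
"""

HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into a list of (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((
            [d.strip() for d in daemons.split(",")],
            [c.strip() for c in clients.split(",")],
        ))
    return rules


def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # network prefix such as 192.168.1.
        return client_ip.startswith(pattern)
    return client_ip == pattern


def _rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(_client_matches(p, client_ip) for p in clients)


def tcp_wrapper_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' in tcp_wrappers order: allow file, then deny file, then default allow."""
    if any(_rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(_rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"       # nothing matched: tcp_wrappers grants access


if __name__ == "__main__":
    for daemon, ip in (("sshd", "192.168.1.25"), ("sshd", "10.0.0.5"),
                       ("in.ftpd", "192.168.1.10"), ("in.ftpd", "192.168.1.11")):
        print(f"{daemon:10} from {ip:14} -> {tcp_wrapper_decision(daemon, ip)}")
    # Same request with an empty hosts.deny: the default is allow, which is the gap ALL:ALL closes.
    print("in.telnetd from 192.168.1.25, empty hosts.deny ->",
          tcp_wrapper_decision("in.telnetd", "192.168.1.25", deny_text=""))
```

A quick audit check is therefore: does hosts.deny contain ALL: ALL, and does hosts.allow list only the daemon/network pairs you intend? Anything not in hosts.allow is then refused, including services you forgot were wrapped.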
Software Updates
- Hotfix: addresses a specific problem
- Patch: addresses multiple problems
- Service Pack: formal updates; rolled-up patches
- Firmware: hardware specific
- Upgrades: software version/release change

Online Update
- Windows Automatic Update: system based
- Red Hat Update Agent: profile based

Network Hardening
- SNMP default community passwords
  - public: read community
  - private: read/write community
- Ports and service blocking
- Traffic filtering
  - Router access control lists (ACL)
  - Router and firewall configuration
Application Hardening: Web Servers
- Internet Information Server (IIS)
  - Microsoft IIS guidelines
  - Remove sample files
  - Set file and folder permissions
- Apache
  - Open source guidelines
  - Remove sample files
  - Set file and directory permissions

Application Hardening: Mail Servers
- wiz: gives an intruder full system access
- vrfy: verifies a valid email account
- expn: expands an alias list to the full address list (example: expn all-users)
- Open relay (spam)
- Buffer overflow: patch
- Microsoft Exchange
- Sendmail

Application Hardening: File Transfer Protocol (FTP) Servers
- Disable anonymous
- Consider using a secure protocol
- Active mode (server sends)
  - Client port x > 1024 to server port 21
  - Client PORT command: server to connect back to data port x+1
  - Server sends from data port 20 to client data port x+1
- Passive mode (server is passive)
  - Client opens port x for control, x+1 for data
  - Client PASV tells server to open its data port
  - Server port reply tells client of its data port y
  - Client initiates from its data port x+1 to server data port y
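The active/passive distinction matters to whoever writes the firewall rules, because it decides which side initiates the data connection. The following added example (not from the course slides) lays out the two TCP connections of each mode exactly as the slide describes them and derives which of them a client-side firewall would have to accept inbound. The port numbers in the demo are illustrative parameters, not captured traffic.

```python
"""Which TCP connections an FTP session opens in active vs passive mode (added example)."""


def ftp_connections(mode, client_port, server_data_port=None):
    """Return the connections as (initiator, src_port, responder, dst_port), control first."""
    if client_port <= 1024:
        raise ValueError("client control port x must be > 1024")
    control = ("client", client_port, "server", 21)
    if mode == "active":
        # Client PORT names x+1; the server connects back from port 20.
        data = ("server", 20, "client", client_port + 1)
    elif mode == "passive":
        # Client PASV; server answers with port y; client connects from x+1 to y.
        if server_data_port is None:
            raise ValueError("passive mode needs the server's data port y")
        data = ("client", client_port + 1, "server", server_data_port)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return [control, data]


def inbound_to_client(connections):
    """Connections a client-side firewall must accept inbound (the ones the server initiates)."""
    return [c for c in connections if c[0] == "server"]


def inbound_to_server(connections):
    """Connections a server-side firewall must accept inbound (the ones the client initiates)."""
    return [c for c in connections if c[0] == "client"]


if __name__ == "__main__":
    x, y = 1500, 4001   # illustrative client control port x and server passive data port y
    for mode, conns in (("active", ftp_connections("active", x)),
                        ("passive", ftp_connections("passive", x, server_data_port=y))):
        print(mode)
        for who, sport, peer, dport in conns:
            print(f"  {who}:{sport} -> {peer}:{dport}")
        print("  client firewall must allow inbound:", inbound_to_client(conns) or "nothing")
        print("  server firewall must allow inbound:", inbound_to_server(conns))
```

Active mode is what breaks behind a client-side firewall or NAT that only permits outbound connections: the server's port 20 to x+1 connection is inbound to the client. Passive mode moves that burden to the server, whose firewall must then allow inbound connections to the range of data ports y it hands out.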
Domain Name System (DNS)
- UDP and TCP port 53 (zone transfer)
- 13 root servers
- Berkeley Internet Name Domain (BIND)
- Dynamic DNS (Microsoft) and AD
- Security attacks: buffer overflow, DoS, cache poisoning

File / Print Services and Active Directory
- File and Print Services
  - Require authentication
  - Permission settings
  - Disable if not needed
- Active Directory
  - Domain, tree and forest
  - Schema
  - Distributed management permissions
  - LDAP, LDIF and DET (Directory Entry Table)