Security Advice for Instances in the HP Cloud

Introduction

HPCS protects the infrastructure and management services offered to customers, including instance provisioning. An instance is a virtual machine within the HPCS environment. HPCS instances are provisioned in a default configuration that has built-in security mechanisms. Once an instance is provisioned, the security of the cloud infrastructure behind that instance, including the hypervisor, is protected by HPCS. Configuration management, access management, the application of software updates and all other ongoing security and maintenance tasks required to keep an instance secure are the responsibility of the customer: HPCS secures the platform, the customer secures what runs on it.

The best practices in this document provide guidance for increasing and maintaining the security of HPCS instances. The following security principles influenced them. Principles cannot guarantee security, but they do help prevent common security flaws when using HPCS services.

1. Defense in depth - Build a security infrastructure with multiple layers of defense, so that if an outer layer is compromised the underlying layers are unaffected and continue to offer protection.
2. Fail securely - In the case of failure, systems should fail into a closed, secure state.
3. Principle of least privilege - Only the minimum level of access required by users and services shall be granted.
4. Compartmentalize - Systems shall be segregated so that if one is compromised, the security of the others remains intact.
5. Defense through simplicity - The effort required to understand and secure a system grows with its complexity.
6. Promote privacy - The amount of information that can be gathered about a system and its users should be minimized.
7. Default deny - By default, all access is denied; only what is explicitly allowed is permitted.
8. Logging capability - Appropriate logging shall be implemented to detect unauthorized use and to support incident response and forensics.
Password Management

Even on a single-user system, password security is very important. Many freely available tools attack weak passwords on remote systems using dictionary, brute-force or hybrid methods. Applying the following points can significantly improve the password security of an instance.

No Guest Accounts - Wherever possible, disable all guest account functionality.

Use Cryptographically Strong Passwords - Use a password generator, preferably one installed locally on your system, to generate strong random passwords. Passwords should be no fewer than 10 characters, and longer is better. Use upper- and lower-case letters, numbers and special characters, and avoid dictionary words.

Use Unique Passwords - Not reusing credentials prevents the compromise of one password from affecting all of your other accounts or services.

Store Passwords Securely - Consider using a password wallet (password manager) application.

Do Not Share Passwords - The only exception is specific service-related accounts, and those should be shared no further than the service requires.

Use Security Groups

Consider what purpose the instance was created for and create a security group that allows access only to those services. Security groups can be edited via the API or through the manage.hpcloud.com interface (Manage Servers, then Manage Security Groups). A simple configuration for a web server opens ports 80 and 443 for HTTP and HTTPS access and port 22 for management of the instance over SSH. Windows instances need port 3389 (Remote Desktop) opened in place of port 22. Wherever your network allows it, restrict the management port (22 or 3389) to the addresses you administer from rather than to the whole internet.
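The security group above is the outer layer; the default-deny principle says the host should enforce the same rules itself so that a misconfigured group does not expose a service. The following is an added example (not part of the original HP document) that writes an iptables ruleset for the same web-server profile in iptables-restore format: INPUT and FORWARD default to DROP, loopback and established traffic are accepted, the listed ports are accepted from anywhere, and SSH is accepted only from a management network, which is tighter than the group above. The management CIDR 203.0.113.0/24 in the usage note is an assumed documentation range, and the script assumes a Linux instance with iptables and the conntrack match available (Windows instances use the built-in Windows Firewall instead).

```shell
#!/usr/bin/env bash
# Added example: emit a default-deny iptables ruleset (iptables-restore format)
# mirroring the web-server security group, with SSH limited to a management CIDR.

# validate_port N: true if N is an integer in 1..65535
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_web_firewall MGMT_CIDR [PORT...]
# Prints a complete *filter table: INPUT and FORWARD policy DROP, loopback and
# established/related traffic accepted, TCP/22 accepted only from MGMT_CIDR,
# each PORT accepted from anywhere, everything else logged (rate-limited) and
# then dropped by the chain policy.
build_web_firewall() {
  local mgmt_cidr="$1" port
  shift || return 1
  [ -n "$mgmt_cidr" ] || { echo "usage: build_web_firewall MGMT_CIDR [PORT...]" >&2; return 1; }
  for port in "$@"; do
    validate_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  done
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s ${mgmt_cidr} -m conntrack --ctstate NEW -j ACCEPT
EOF
  for port in "$@"; do
    printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
  done
  cat <<'EOF'
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# apply_web_firewall MGMT_CIDR [PORT...]: syntax-check the ruleset without
# touching the live tables, then load it atomically. Requires root.
apply_web_firewall() {
  local rules
  rules=$(build_web_firewall "$@") || return 1
  printf '%s\n' "$rules" | iptables-restore --test || return 1
  printf '%s\n' "$rules" | iptables-restore
}
```

Usage on the instance: `sudo bash -c '. ./webfw.sh; apply_web_firewall 203.0.113.0/24 80 443'`. Keep an out-of-band console available the first time you load a default-deny ruleset, since a mistake in the SSH rule locks you out; IPv6 needs a matching ruleset loaded with ip6tables-restore (the ICMP rule becomes icmpv6 and the source CIDR an IPv6 prefix).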
Isolate Networks

Consider grouping your servers by purpose. Use multiple security groups to partition your instances into logical groups (for example a web tier, an application tier and a database tier), think about the impact different layers of your infrastructure may have on one another, and plan the traffic allowed between groups accordingly. Use host-based firewall rules on highly sensitive servers to further protect services from unwanted access: a host firewall is a second, independent layer behind the security group.

LINUX

Least Privilege

Users and services should operate with the least privileges required to function. In the event of a compromise the attacker must then take further steps to gain a privileged account.
- Never use the root account if a normal account will do. Use sudo for occasional commands that require root privilege.
- Whenever possible, do not run network-facing applications as root.
- Don't run processes with privileges they don't require.
  o Consider setting up service accounts for processes that require some elevation of privilege, and restrict them in sudoers to only the commands needed to run those processes.
- Consider chrooting applications that require significant access to disk resources.

Create a Password-Protected SSH Key

By default most instance images offered by HP Cloud Services allow direct access to your instance as root, using an SSH key that is not password protected. This is a balance between out-of-the-box usability and security. Users seeking to increase security should use a password-protected (passphrase-encrypted) key. If such a key is lost or compromised (a compromised PC, a lost USB stick, etc.) it cannot be used without the password.

1. Generate a new key file through the management interface:
2. Save the contents into a .pem file locally; if possible, store it in a safe area or on an encrypted drive.
3. To create an encrypted SSH private key from your stored file AnotherKey.pem, run the following command on Linux:

   openssl rsa -in AnotherKey.pem -des3 -out AnotherKey_Secure.pem

Now securely remove AnotherKey.pem (for example with shred -u; a plain rm leaves the cleartext key recoverable on disk) and you'll be left with a triple-DES encrypted key file that cannot be used by an adversary without knowledge of your password. Triple-DES is the legacy choice: on a current OpenSSL use -aes256 in place of -des3, and note that ssh-keygen -p -f AnotherKey.pem adds a passphrase to the same file in place. Encrypting the file protects only copies made from now on; if the cleartext key may already have been copied elsewhere, generate and install a fresh key instead. If you're accessing the Cloud from Windows and using PuTTY (PuTTYgen) to import the key, the process is even easier: simply add a key passphrase when importing the key.
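The three steps above, carried out with checks a practitioner would want: an added example (not from the original HP document) that passphrase-protects the downloaded key, proves the result does not open without the passphrase, and wipes the cleartext copy. The file names AnotherKey.pem and AnotherKey_Secure.pem follow the steps above; AES-256 is used in place of the page's triple-DES, and the passphrase is fed to openssl on stdin rather than as a pass: argument so it never appears in the process list.

```shell
#!/usr/bin/env bash
# Added example: passphrase-protect a PEM private key with OpenSSL and verify it.

# is_key_encrypted FILE: true for either encrypted PEM style OpenSSL writes
# (legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block)
is_key_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# encrypt_private_key IN OUT PASSPHRASE: write IN as an AES-256 encrypted PEM at OUT
# (created with mode 0600). Rejects short passphrases, and an IN that is already
# encrypted (openssl would otherwise stop to prompt for the old passphrase).
encrypt_private_key() {
  local in="$1" out="$2" pass="$3"
  [ "${#pass}" -ge 10 ] || { echo "passphrase must be at least 10 characters" >&2; return 1; }
  if is_key_encrypted "$in"; then echo "$in is already encrypted" >&2; return 1; fi
  ( umask 077 && printf '%s\n' "$pass" |
      openssl rsa -in "$in" -aes256 -passout stdin -out "$out" 2>/dev/null ) || return 1
  is_key_encrypted "$out"
}

# verify_encrypted_key FILE PASSPHRASE: true only if FILE unlocks with PASSPHRASE,
# passes OpenSSL's RSA consistency check, and does NOT unlock with an empty passphrase.
verify_encrypted_key() {
  local key="$1" pass="$2"
  printf '%s\n' "$pass" |
    openssl rsa -in "$key" -passin stdin -noout -check >/dev/null 2>&1 || return 1
  if openssl rsa -in "$key" -passin pass: -noout >/dev/null 2>&1; then
    return 1   # opened with no passphrase at all: not actually protected
  fi
  return 0
}

# remove_cleartext_key FILE: overwrite before unlinking where shred is available;
# a plain rm leaves the key bytes recoverable on disk.
remove_cleartext_key() {
  if command -v shred >/dev/null 2>&1; then shred -u -- "$1"; else rm -f -- "$1"; fi
}
```

Typical use after step 2: `encrypt_private_key AnotherKey.pem AnotherKey_Secure.pem "$PASSPHRASE" && verify_encrypted_key AnotherKey_Secure.pem "$PASSPHRASE" && remove_cleartext_key AnotherKey.pem`. The verify step matters: an encryption run that silently wrote an unencrypted file (for example because the input was already encrypted and openssl re-used an empty passphrase) would otherwise pass unnoticed.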
Reduce Instance Attack Surface

HP Cloud Services instance images are standard server-edition images from various Linux distributions (Ubuntu, CentOS, etc.). These images typically come in a reasonably secure configuration but also have a number of software services installed that may not be needed. Access to these services from the internet has already been curtailed by configuring the correct security groups for your instances, but installed services can still be reached locally and via the loopback interface, which opens the door for local privilege-escalation attacks.

Run netstat to see which processes are waiting for network connections, and ps to identify what is currently running:

   sudo netstat -punta

(On newer distributions netstat is deprecated; sudo ss -plunt shows the same listening sockets.) To get more information on a process identified by netstat, run ps and specify the process ID (PID):

   sudo ps up <pid>

Then use your package manager to remove any services or processes, such as email daemons and printer services, that you don't require.
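Reading the netstat table by eye does not scale across many instances. The following added example (not part of the original HP document) triages sudo netstat -punta output: it prints every socket bound to a non-loopback address, so reachable from the network if the security group lets it through, whose port is not in the list of services the instance is meant to serve. The sample table is constructed for the example, not captured from a real host; it assumes the column layout of net-tools netstat, not of ss.

```shell
#!/usr/bin/env bash
# Added example: find unexpected network-exposed listeners in `netstat -punta` output.
# Usage on an instance:  sudo netstat -punta | exposed_listeners 22 80 443

# exposed_listeners [PORT...]: read netstat -punta from stdin and print
# "proto<TAB>address<TAB>port<TAB>pid/program" for each exposed socket whose
# port is not in the expected list.
exposed_listeners() {
  local allowed=" $* "
  awk -v allowed="$allowed" '
    /^(tcp|udp)/ {
      proto = $1
      # udp rows have no State column, so PID/Program is field 6 rather than 7
      if (proto ~ /^udp/) { state = "-"; prog = $6 } else { state = $6; prog = $7 }
      if (proto ~ /^tcp/ && state != "LISTEN") next      # skip established sessions
      laddr = $4
      port = laddr; sub(/.*:/, "", port)                 # text after the last colon
      addr = laddr; sub(/:[0-9]+$/, "", addr)            # text before it ("::" = IPv6 any)
      if (addr ~ /^127\./ || addr == "::1") next         # loopback-only: review for local
                                                         # privilege escalation, not network-exposed
      if (index(allowed, " " port " ") > 0) next         # expected service
      printf "%s\t%s\t%s\t%s\n", proto, addr, port, prog
    }'
}

# Constructed sample of `sudo netstat -punta` on a freshly provisioned web server.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1023/master
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1100/cupsd
tcp        0      0 10.0.0.5:22             203.0.113.9:51822       ESTABLISHED 2201/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      1100/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           540/chronyd'

# Demo: run the triage on the constructed sample (pass --demo when executing the file).
# Expected rows: tcp 0.0.0.0 631 1100/cupsd and udp 0.0.0.0 68 700/dhclient.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 22 80 443
fi
```

Each flagged row is a decision, not automatically a removal: cupsd on TCP/631 is the printer service the text mentions and can go, while dhclient on UDP/68 is needed on an instance that gets its address by DHCP and should instead be added to the expected list. The loopback-only rows (postfix on 127.0.0.1:25 here) are deliberately not printed, but they are exactly the local attack surface the paragraph above warns about, so review them separately.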
Remove a package with the distribution's package manager (RedHat based, then Debian based):

   sudo yum remove <package name>
   sudo apt-get remove <package name>

Use Secure Protocols

- Always use secure channels (TLS/SSH) when authentication credentials are in flight.
- Always use secure channels for transmission of sensitive data:
  o SCP (or SFTP), not FTP
  o rsync over SSH
  o SSH, not Telnet

Additional Security

High-risk servers require additional security, especially when handling customer traffic or holding sensitive information.
- Consider installing AIDE or Tripwire for file integrity checking.
- Consider ClamAV or similar anti-virus protection.
- Consider Swatch to watch log files.
- Consider Snort to watch inbound network traffic.
- Consider setting up DenyHosts to protect remote access (SSH) against repeated failed logins.

OS Updates

Maintain current OS versions via updates. Apply updates on a regular basis to keep the system up to date, and where possible apply the patches in a test/development environment first.

For Debian based (Ubuntu), refresh the package index and then install the available updates (apt-get update by itself only refreshes the list of packages and installs nothing):

   sudo apt-get update && sudo apt-get upgrade

For RedHat based (CentOS/Fedora):

   sudo yum update

As new versions of the OS you are running are released, set up an instance on the new release and migrate your applications and data to it. This provides a clean slate and brings the latest security patches and fixes that come with the new release.
WINDOWS

Protecting Remote Desktop

HP Cloud Services Windows instances are configured with Remote Desktop enabled, but only the Administrator user is present and allowed access. Immediately change the Administrator password to a strong password that you will remember (or keep in a password manager).

Next, determine whether all of the clients that will connect to this host run a newer Remote Desktop client. If they do, change the setting from "Allow connections from computers running any version of Remote Desktop (less secure)" to "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". NLA makes the client authenticate before a session is created, so unauthenticated clients never reach the logon screen.

Also ensure that your security groups limit which hosts can actually connect to the RDP port (3389).

Without client certificates used in conjunction with a password, it is a good idea to limit the number of failed attempts before the account is locked out, to protect against brute-force attacks on the password. It is also advised to rename the Administrator account to something non-standard so that an attacker who brute-forces the default "Administrator" name is not hitting a real account. Renaming raises the bar but is not a substitute for the lockout policy and a strong password: the built-in account keeps its well-known relative identifier (RID 500) and can still be found by an attacker who is able to enumerate accounts on the host.
Automatic Updates

Enable automatic updating of your instance so that Microsoft patches are applied as they are released. To edit the settings:

1. Click Start, click Run, type gpedit.msc and press Enter.
2. Expand Computer Configuration.
3. Expand Administrative Templates.
4. Expand Windows Components.
5. Click Windows Update.
6. Double-click Configure Automatic Updates and choose a mode:
   o Option 3 (auto download and notify for install) downloads the updates and then notifies you to run the install manually. Best for hosts with high uptime requirements, because you choose the reboot window.
   o Option 4 (auto download and schedule the install) downloads the updates and installs them, rebooting if required, at the scheduled time. Set it and it will run; it is recommended to manually verify every so often that the installs have completed.
Reduce Instance Attack Surface

HP Cloud Services instance images are standard server-edition images. These images typically come in a reasonably secure configuration but also have a number of software services installed that may not be needed. Access to these services from the internet has already been curtailed by configuring the correct security groups for your instances, but installed services can still be reached locally and via the loopback interface, which opens the door for local privilege-escalation attacks.

From an elevated (Run as administrator) command prompt, run:

   netstat -abo

This lists all listening ports, the executable that opened each port and the associated PID. Given this information, you can see what needs to be uninstalled or which services need to be stopped. From there, open Add/Remove Programs (Programs and Features) to uninstall any software that is not needed. You can also use Add/Remove Windows Features (Server Manager roles and features) to remove features such as IIS or directory services from the computer.

Least Privilege

Users and services should operate with the least privileges required to function. In the event of a compromise the attacker must then take further steps to gain a privileged account.
- Never use an administrator account if a normal account will do. Use runas for occasional commands that require administrator privilege.
- Whenever possible, do not run network-facing applications as an administrator or under a network/system-level built-in account such as LOCAL SYSTEM.
- Don't run processes with privileges they don't require.
  o Consider setting up service accounts for processes that require some elevation of privilege.
- Ensure proper file-level permissions and ACLs are in place.

Additional Security

- Consider using some form of virus/malware protection.
- Consider setting up scheduled tasks triggered by specific event log messages (Task Scheduler "On an event" triggers), so that, for example, repeated failed logons raise an alert.
- Consider at minimum using the built-in host-based firewall, and look at getting a good Host Intrusion Prevention System (HIPS).
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.