SECURITY BASELINES - Sangita Prabhu

Overview
- OS/NOS vulnerabilities and hardening practices
- Operation and security of file systems
- Common network hardening practices
- Best practices in securing web services

OS/NOS Hardening
- Making the OS more secure against outside threats
- Categorization of disrupting actions: attacks, malfunctions, errors

Best Practices for System Hardening
- Remove unused applications and services
- Strong password policies
- Limited number of administrators
- Account lockout
- Latest security updates and hotfixes
- Maintain an external log
- Periodic backup

Notes: The system administrator should identify and remove all unused applications and services, which might reveal sensitive system information. Also remove all unused or unnecessary file shares. Force periodic password changes. Remove or disable all expired or unneeded accounts. Set the necessary privileges so that resources are available on an as-needed basis. Keep track of the latest security updates and apply vendor-suggested patches as they become available. Maintain a log of all user account and administrative activities in order to conduct forensic analysis if the system is compromised. Keeping an external log can increase system integrity and make future security-related maintenance much simpler. This log should contain information such as all software versions installed on the system, all group information, and records of all backups and upgrades. When a security patch is recommended, it is easy to consult this record rather than digging into the live system to find out whether the particular patch is applicable.

File Systems Hardening
- Configuring access controls: setting privileges on files and data objects
- Creating user groups: grouping users by common needs
- File encryption capabilities: a resource-consuming feature

Configuring Access Controls
Common practices for setting file and data privileges:
- Disable write and execute permissions for all executables
- Restrict access to important files
- Pay close attention to access control inheritance
- Make all log files "append only" if the option is available
- Prevent users from installing, removing or editing scripts
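The first two practices above are the kind of thing an administrator checks rather than trusts. The following audit script is an added example (not part of the slides): it walks a directory tree, flags regular files that carry an execute bit together with a group or world write bit (a writable executable lets any local account replace a program another user will later run), and strips those write bits. The sample tree it builds in a temporary directory, with one misconfigured script, one correct script and one plain data file, is constructed for the example.

```python
"""Audit a directory tree for group- or world-writable executables and
harden them (added example, not from the slides)."""
import os
import stat
import tempfile
from pathlib import Path

# Write bits for group and others: the dangerous combination is an
# execute bit on a file that accounts other than the owner may modify.
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_writable_executables(root):
    """Return sorted relative paths of regular files under `root` that have
    an execute bit and a group or world write bit."""
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):   # skip directories and symlinks
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & EXEC_BITS and mode & UNSAFE_WRITE_BITS:
            findings.append(str(path.relative_to(root)))
    return sorted(findings)


def harden_executable(path):
    """Remove the group/world write bits from `path`; return the new mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~UNSAFE_WRITE_BITS
    os.chmod(path, new_mode)
    return new_mode


def build_sample_tree():
    """Construct a small sample tree (constructed data for this example) with
    one misconfigured executable, one correct executable and a data file."""
    root = tempfile.mkdtemp(prefix="hardening-audit-")
    bin_dir = Path(root, "bin")
    bin_dir.mkdir()
    bad = bin_dir / "backup.sh"
    bad.write_text("#!/bin/sh\necho backup\n")
    os.chmod(bad, 0o777)          # rwxrwxrwx: anyone can replace the script
    good = bin_dir / "rotate.sh"
    good.write_text("#!/bin/sh\necho rotate\n")
    os.chmod(good, 0o755)         # rwxr-xr-x: only the owner may modify it
    data = Path(root, "notes.txt")
    data.write_text("not executable\n")
    os.chmod(data, 0o666)         # writable but not executable: not flagged
    return root


def audit_and_fix(root):
    """Run the audit, harden every finding, and return (before, after)."""
    before = find_writable_executables(root)
    for rel in before:
        harden_executable(os.path.join(root, rel))
    after = find_writable_executables(root)
    return before, after


if __name__ == "__main__":
    sample = build_sample_tree()
    before, after = audit_and_fix(sample)
    print("flagged before hardening:", before)   # ['bin/backup.sh']
    print("flagged after hardening:", after)     # []
```

Run it against a real root with `find_writable_executables("/usr/local/bin")` first and review the list before calling `harden_executable`; the "append only" log practice on the same slide is a file attribute rather than a mode bit, so it is not covered by this check.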

System Updates
- Minimize the gap between the release and the installation of a security patch
- Monitor security-related information
  -- mailing lists, security-related sites, hacker sites
- Evaluate updates for applicability
  -- paper logs
- Plan the installation of updates
  -- unsystematic and haphazard updates could introduce new vulnerabilities to networks
- Document the update plan
- Deploy new systems with the latest software

Network Hardening
- Firmware updates
- Configuration
Best practices in configuring router and firewall systems:
- Maintain a copy of current configurations
- Never allow IP-directed broadcasts
- Configure devices with meaningful names
- Always use a description for each interface
- Always specify bandwidth on the interfaces
- Always configure a loopback address

Network Hardening
Best practices in configuration (contd.):
- Avoid using common words for passwords and naming schemes
- Deploy logging throughout the network
- Restrict data traffic to required ports only

Access Control Lists
- An ACL is a set of statements that controls the flow of packets through a device based on certain parameters and information within the packets
- ACLs implement packet filtering
- Packet filtering rules can be designed based on intrinsic and extrinsic information pertaining to a data packet

Designing Filtering Rules
Best practices:
- Deny all packets unless explicitly permitted
- Design antispoofing rules
- Identify the protocols, ports, and source and destination addresses that need to be serviced on your networks
- Configure the ACL rule set by protocol and by port
- Place "deny all" rules at the end of the rule set
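To make the ACL practices from the two slides above concrete, here is a small stateless packet-filter evaluator written as an added example (it is not Cisco ACL syntax and not from the slides). The rule set is ordered the way the practices suggest: antispoofing rules first, then the explicitly serviced protocols and ports, then an explicit deny-all, with an implicit default deny if nothing matches. The topology (10.0.0.0/8 as the internal network behind interface "inside", everything else on "outside"), the served hosts and the sample packets are all assumptions constructed for the example.

```python
"""Stateless packet-filter evaluator illustrating default deny, antispoofing
and per-protocol/port rules (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology: 10.0.0.0/8 is the internal network, reached through
# interface "inside"; every other packet arrives on "outside".
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on ("outside"/"inside")
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""

    def matches(self, p):
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, packet):
    """First matching rule wins; no match means the packet is dropped."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.note
    return "deny", "implicit default deny"


# Ordered rule set: antispoofing, then serviced ports, then explicit deny-all.
RULES = [
    Rule("deny", iface="outside", src=str(INTERNAL_NET),
         note="antispoof: internal source address arriving from outside"),
    Rule("deny", iface="outside", src="127.0.0.0/8",
         note="antispoof: loopback source address"),
    Rule("permit", iface="outside", proto="tcp", dst="10.1.1.10/32", dport=443,
         note="public HTTPS server"),
    Rule("permit", iface="outside", proto="udp", dst="10.1.1.53/32", dport=53,
         note="public DNS server"),
    Rule("permit", iface="inside", src=str(INTERNAL_NET),
         note="internal hosts outbound"),
    Rule("deny", note="explicit deny all"),
]

# Constructed sample packets (not captured traffic).
SAMPLES = [
    Packet("outside", "tcp", "203.0.113.5", "10.1.1.10", 443),  # permit
    Packet("outside", "tcp", "203.0.113.5", "10.1.1.10", 22),   # deny all
    Packet("outside", "udp", "10.2.3.4", "10.1.1.53", 53),      # antispoof
    Packet("inside", "tcp", "10.5.5.5", "198.51.100.7", 443),   # permit
]


def run_samples(rules=RULES, packets=SAMPLES):
    """Return the action taken for each sample packet, in order."""
    return [evaluate(rules, p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLES:
        action, note = evaluate(RULES, p)
        print(f"{p.iface:7} {p.proto:4} {p.src:>13} -> {p.dst}:{p.dport:<4} "
              f"{action:6} ({note})")
```

The third sample packet is the reason antispoofing rules sit first: it is addressed to a permitted service on a permitted port, so a rule set ordered by port alone would let it through even though an internal source address cannot legitimately arrive on the outside interface.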

Enabling and Disabling of Services and Protocols
- Running unnecessary services on network devices makes them vulnerable
- Administrators should identify and remove all unnecessary services
- Required services should be evaluated and installed in a manner that lowers potential risk
- Example: RPC and SNMP. If they are needed, access should be accomplished via VPN for security

Commonly Exploited Services
Some examples of commonly exploited services on Cisco platforms:

Service             | Description                                                | Default      | Note
--------------------|------------------------------------------------------------|--------------|---------------------------------------------------------------
SNMP protocol       | Routers can support SNMP remote query and configuration    | Enabled      | If not in use, explicitly disable or restrict access
Domain Name Service | Routers can perform DNS name resolution                    | (not stated) | Set the DNS server address explicitly, or disable DNS
IP source routing   | IP feature that allows packets to specify their own routes | (not stated) | This rarely-used feature can be helpful in attacks; disable it

Application Hardening: Web Servers
- Isolating web servers
- Configuring web servers for access privileges
- Identifying and enabling web server-specific logging tools
- Considering security implications
- Configuring authentication and encryption

Application Hardening: E-mail Servers
Threats:
- Attachments with malicious content
- E-mails with abnormal MIME headers
- Scripts embedded into HTML-enabled mail
Defense mechanisms:
- Latest software updates and patches
- E-mail content filtering using e-mail gateway products
- Deployment of virus-scanning tools on the server
- Attachment checking mechanisms
- HTML active content removal

Application Hardening: FTP Servers
- Protecting against bouncebacks
  -- Using FTP servers to connect to the attacked machine rather than connecting directly
  -- Makes it difficult to track the attacker
  -- Configure servers not to open data connections to TCP ports less than 1024
  -- Use proper file protections
  -- Disable the PORT command; this also disables proxy FTP, which might be needed in certain situations

FTP Servers (contd.)
- Restricting areas
- Protecting usernames and passwords
  -- Utilize alternate authentication mechanisms to avoid attempts to intercept clear-text passwords
  -- Limit the number of attempts for a legitimate password
  -- Limit the number of control connections
  -- Return the same response to the USER command, prompt for the password, and then reject the username/password combination (so that valid usernames cannot be told apart from invalid ones)
- Port stealing: deploy random port assignments

Application Hardening: DNS Servers
- Inaccurate data on IP address ownership
  -- Without accurate IP ownership data, innocent users cannot be distinguished from attackers
- Customer registry communication
  -- Use encrypted communication
- DNS spoofing and cache poisoning
- Outdated root.hints files
- Recursive queries
- Denial of service attacks

Application Hardening: NNTP Servers (Network News Transfer Protocol)
- Messages are delivered to newsgroups instead of individual users
- A newsgroup acts as storage for related messages
- A news client is used to read messages
- To gain access to new postings, users need to access news servers
- NNTP is designed to store news articles in a central database and allow users to choose only the items of interest to them

NNTP Servers (contd.)
- Typically, NNTP servers run as a background process on one host and accept connections from other hosts
- They have similar vulnerabilities to any other network service
- Proper authentication, disabling of unneeded services and application of relevant software and OS patches are effective methods to prevent attacks

Application Hardening: File and Print Servers
- Offering only essential network and OS services on a server
- Configuring servers for user authentication
- Configuring server operating systems
- Managing logging and other data collection mechanisms
- Configuring servers for file backups

Application Hardening: DHCP Servers (Dynamic Host Configuration Protocol)
- Assignment of dynamic IP addresses to devices on the network
- Simplifies network administration
- Has no security provisions and is therefore vulnerable to attacks
- Broadcast-based protocol; an attacker can therefore use a sniffer program to collect critical network information
- Spoofing the official DHCP server: redundant DHCP servers are allowed
- Launching a DoS attack against the DHCP server

DHCP Servers (contd.)
Steps to prevent such attacks:
- Permanent address assignments with DHCP
- Allow dynamic addressing and monitor log files for malicious users
- Force stations with new MAC addresses to register with the DHCP server
- Intrusion detection tools can be used
- Latest software and patches are important
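Two of the steps above, monitoring the DHCP log and requiring new MAC addresses to register, combine naturally into one detection. The script below is an added example (not from the slides): it parses DHCPACK lines, compares the client MAC against a registry of known stations, and reports any lease granted to an unregistered MAC together with the addresses it received. The log line format is modelled on ISC dhcpd's syslog output, and both the log lines and the MAC registry are constructed for the example.

```python
"""Flag DHCP leases granted to MAC addresses that are not registered
(added example, not from the slides)."""
import re

# Assumed station inventory (constructed for this example).
REGISTERED_MACS = {
    "00:11:22:33:44:55",
    "00:11:22:33:44:66",
}

# Constructed sample log lines in ISC dhcpd syslog style.
SAMPLE_LOG = """\
Mar  3 10:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  3 10:00:01 dhcp1 dhcpd: DHCPOFFER on 10.0.0.20 to 00:11:22:33:44:55 (ws-01) via eth0
Mar  3 10:00:02 dhcp1 dhcpd: DHCPACK on 10.0.0.20 to 00:11:22:33:44:55 (ws-01) via eth0
Mar  3 10:05:17 dhcp1 dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:66 via eth0
Mar  3 10:09:44 dhcp1 dhcpd: DHCPACK on 10.0.0.22 to de:ad:be:ef:00:01 (unknown-pc) via eth0
Mar  3 10:09:50 dhcp1 dhcpd: DHCPACK on 10.0.0.22 to de:ad:be:ef:00:01 (unknown-pc) via eth0
"""

# Only DHCPACK marks a lease actually handed out; the hostname in
# parentheses is optional because not every client sends one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_acks(log_text):
    """Yield (ip, mac, hostname, iface) for every DHCPACK line in the log."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield (m.group("ip"), m.group("mac").lower(),
                   m.group("host") or "", m.group("iface"))


def unregistered_leases(log_text, registered=REGISTERED_MACS):
    """Map each unregistered MAC that obtained a lease to the set of IPs it
    was granted; repeated ACKs for the same lease collapse into one entry."""
    findings = {}
    for ip, mac, _host, _iface in parse_acks(log_text):
        if mac not in registered:
            findings.setdefault(mac, set()).add(ip)
    return findings


if __name__ == "__main__":
    for mac, ips in unregistered_leases(SAMPLE_LOG).items():
        print(f"ALERT: unregistered MAC {mac} leased {sorted(ips)}")
```

In operation the registry would come from the inventory that stations register into, and the alert would feed whichever intrusion detection tooling the slide mentions; the parser deliberately ignores DISCOVER and OFFER lines so that a client merely probing the network does not raise an alert until it is actually given an address.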

Data Repositories: Directory Services
Lightweight Directory Access Protocol (LDAP)
- An LDAP directory is a special kind of database that stores information
- Based on a simple tree-like hierarchy, called a Directory Information Tree (DIT)
- Threats to LDAP can be categorized in two groups:
  -- Directory service-oriented threats
  -- Non-directory service-oriented threats

Directory Service-Oriented Threats
- Unauthorized access to data
- Unauthorized access to resources
- Unauthorized modification or deletion
- Spoofing of directory services
- Excessive use of resources

Non-Directory Service-Oriented Threats
- Common network-based attacks that compromise the availability of resources
- Attacks against hosts by physically accessing the resources
- Attacks against back-end databases

Security of LDAP
Based on two processes: authentication and authorization
- Authentication
  -- Anonymous: no specific authentication
  -- Simple authentication: plaintext passwords
  -- Simple Authentication and Security Layer (SASL): exchange of encrypted data (most secure)
- Authorization
  -- What resources, applications and services are accessible to an authenticated client

Databases
General principles of security:
- Authentication of users and applications
  -- Ensure use by legitimate users only
  -- Determining access privileges
  -- Applications require a username/password to use the database
- Administrative policies and procedures
  -- Written security policy
  -- Initial configuration
  -- Auditing
  -- Backup and recovery procedures