Chapter 8 Desktop and Server OS Vulnerabilities. Objectives After reading this chapter and completing the exercises, you will be able to: Describe vulnerabilities.


1 Chapter 8 Desktop and Server OS Vulnerabilities

2 Objectives
After reading this chapter and completing the exercises, you will be able to:
- Describe vulnerabilities of Windows and Linux operating systems
- Identify specific vulnerabilities and explain ways to fix them
- Explain techniques to harden systems against Windows and Linux vulnerabilities
Hands-On Ethical Hacking and Network Defense, Second Edition

3 Built-in Windows Tools
Although security problems exist in all computer systems, many attacks can be avoided with careful system analysis and maintenance, which can include anything from establishing an efficient, regular update scheme to reviewing log files for signs of unusual activity. When Microsoft learns of problems or vulnerabilities in its software, it publishes patches, security updates, service packs, and hotfixes to address them as soon as possible.

4 Built-in Windows Tools - MBSA
Microsoft has also addressed the problem of finding configuration errors, missing patches, and so on; the Microsoft Baseline Security Analyzer (MBSA) is an excellent, free resource for this task. This tool is capable of checking for patches, security updates, configuration errors, blank or weak passwords, and more.

5 MBSA

6 Types of Checks - MBSA

7 Types of Checks - MBSA: Microsoft Active Directory Connector, Internet Information Server

8 Using MBSA
Any computer meeting the system requirements shown in Table 8-3 (next slide) can scan another computer or be scanned locally or remotely by MBSA. MBSA has its origins in the HFNetChk scanner created by Mark Shavlik, a Windows NT developer. Microsoft collaborated with Shavlik to develop and refine MBSA. The latest MBSA version uses the dynamic features of Windows Update.

9 MBSA

10 MBSA
Like the original HFNetChk tool, MBSA can also be run from the command line, which enables you to use it in scripts. Figure 8-2 shows the output of running mbsacli.exe from a Windows 7 Enterprise system and targeting a file server running Windows Server 2008.

11 Activity 8-2: Using MBSA to Scan the Local Computer (Optional)
Time Required: 30 minutes
Objective: Use MBSA to scan the local computer for weak or missing passwords.
Description: In this activity, you scan your computer with MBSA to discover vulnerabilities, including weak or missing passwords. At the end of the activity, submit a summary of your findings to your instructor, along with brief recommendations for correcting the problems you found.

12 Term 2

13 Best Practices for Hardening Windows Systems
As a penetration tester, your job is simply to find vulnerabilities and report them as defined in your contract. Typically, managers want solutions included with reports of potential problems, particularly for technologies they might not fully understand. Although the only way to make a system truly secure is to unplug it and lock it away in a vault, this approach defies the purpose of a network. Because you can’t lock network computers away to keep them secure, the best option is to be vigilant. There are some general things you can do to make and keep a network secure, discussed in the following sections:

14 1. Patching Systems
The best way to keep systems secure, operating at peak performance, and using the newest features is to keep systems under your care up to date. There are several methods for obtaining service packs, hotfixes, and patches. If you have only a few computers to maintain (10 computers or fewer), accessing Windows Update manually from each computer works fine, but this method is still time consuming. Depending on the Windows version, you can configure Automatic Updates on each machine.

15 1. Patching Systems
This option is usually better because it helps ensure that machines are always up to date without the administrator’s or user’s intervention. The downside is that some patches can cause problems, so testing a patch before applying it to a production system is preferable, particularly in large networks. For a large network, applying updates manually isn’t feasible. Configuring Automatic Updates is an option if you have physical access to all computers, but downloading patches to each machine can slow network performance.

16 Patching Systems
There are several options for patch management:
1 - Microsoft’s Systems Management Server (SMS) can manage security patches for all computers on your network. This service assesses machines in a defined domain and can be configured to manage patch deployment.

17 Patching Systems
2 - Another option is Windows Software Update Services (WSUS), a client/server technology designed to manage patching and updating system software from the network. Instead of downloading updates to each computer, WSUS downloads patches and publishes them internally to servers and desktop systems. Unlike Automatic Updates, which downloads and installs updates automatically, the administrator has control over which updates are deployed.

18 Patching Systems
3 - Third-party patch management solutions are also available from vendors such as Symantec, McAfee, Shavlik, and HP. Whatever patch-management technique is the best fit, remember that keeping systems up to date is one of the most critical steps in keeping systems secure.

19 2. Antivirus Solutions
Whether you’re working with an enterprise network consisting of hundreds of servers and thousands of clients or a small business network of 15 systems and one server, an antivirus solution is essential. For small networks, desktop antivirus tools with automatic updating might be enough, but in a large network, a corporate-level solution is needed. An antivirus tool is almost useless if it isn’t updated regularly. Ideally, an antivirus tool should automatically download and install updates daily.

20 3. Enable Logging and Review Logs Regularly
Logging is an important step for monitoring many crucial areas, including performance, traffic patterns, and possible security breaches. It must be configured carefully to record only useful statistics because logging can have a negative impact on performance. Review logs regularly for signs of intrusion or other problems on the network. A log monitoring tool is best for this task. Several are available, depending on network needs and budget.
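To make slide 20's advice concrete, here is an added example (not part of the book or its slides) of the kind of review a log monitoring tool automates: it reads exported Security-log rows and flags bursts of failed logons, and the more urgent case of a burst followed by a successful logon from the same source. The pipe-separated row format and every account and address below are constructed; event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security event IDs.

```python
"""Detect failed-logon bursts in exported Windows Security log rows.

Added example, not from the textbook. The row format and the accounts and
addresses are constructed; 4625 and 4624 are the real Windows event IDs for
a failed and a successful logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp | event id | account | source address
SAMPLE_LOG = """\
2024-03-01T08:00:01|4624|alice|10.0.0.5
2024-03-01T08:00:05|4625|administrator|203.0.113.7
2024-03-01T08:00:06|4625|administrator|203.0.113.7
2024-03-01T08:00:07|4625|administrator|203.0.113.7
2024-03-01T08:00:08|4625|administrator|203.0.113.7
2024-03-01T08:00:09|4625|administrator|203.0.113.7
2024-03-01T08:00:12|4624|administrator|203.0.113.7
2024-03-01T08:15:00|4625|bob|10.0.0.9
2024-03-01T09:30:00|4625|bob|10.0.0.9
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_events(text):
    """Turn export rows into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split("|")
        events.append((datetime.fromisoformat(ts), event_id, account, source))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Map (account, source) -> largest number of failures inside one window.

    Only pairs reaching `threshold` are returned; bob's two failures 75 minutes
    apart in the sample are ordinary typos, not a burst.
    """
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == FAILED_LOGON:
            failures[(account, source)].append(ts)
    bursts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


def success_after_burst(events, bursts):
    """Bursts followed by a successful logon from the same source: escalate these first."""
    first_failure = {}
    for ts, event_id, account, source in events:
        if event_id == FAILED_LOGON and (account, source) in bursts:
            first_failure.setdefault((account, source), ts)
    hits = set()
    for ts, event_id, account, source in events:
        key = (account, source)
        if event_id == SUCCESS_LOGON and key in first_failure and ts > first_failure[key]:
            hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = find_bursts(evts)
    for (account, source), count in found.items():
        print(f"{count} failed logons for {account} from {source} within one minute")
    for account, source in success_after_burst(evts, found):
        print(f"ALERT: {account} logged on successfully from {source} after a burst")
```

The threshold and window are the knobs the slide's "record only useful statistics" point is about: too low and the review drowns in typos, too high and a slow guessing attempt never surfaces.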

21 4. Disable Unused Services and Filter Ports
Disabling unneeded services and deleting unnecessary applications or scripts makes sense because they give intruders a potential point of entry into a network. For example, if you have a Windows Server 2008 system acting as a file server, you certainly don’t need DNS services running on it; doing so leaves port 53 TCP/UDP open and vulnerable to attack. The idea is simple: open only what needs to be open, and close everything else. This is also known as reducing the attack surface. (The attack surface is the amount of code a computer system exposes to unauthenticated outsiders.)

22 4. Disable Unused Services and Filter Ports
In addition, filtering out unnecessary ports can protect systems from attack. Some ports are frequently subject to attack:
- FTP (20 and 21 TCP)
- TFTP, Trivial FTP (69 UDP)
- Telnet (23 TCP)
- DNS (53 TCP/UDP)
- NNTP, Network News Transfer Protocol (119 TCP)
- NetBIOS (135 TCP/UDP, 137 and 138 UDP, 139 TCP)
- Windows 2000 NetBIOS (445 TCP/UDP)
- Remote Desktop Protocol (3389 TCP)
- SNMP, Simple Network Management Protocol (161 and 162 TCP/UDP)
- Windows RPC programs (1025 to 1039 TCP/UDP)

23 4. Disable Unused Services and Filter Ports
- The best way to protect a network from SMB attacks is to make sure perimeter routers filter out ports 137 to 139 and 445.
- Blocking ports 139 and 445 has the added benefit of protecting against external null session attacks.
- Even Windows Server 2003 doesn’t disable SMB on port 445 by default. In fact, if the computer is a domain controller, you need to provide access to SMB.
- Because you usually want to share resources on a server, closing port 445 could create other problems, such as users not being able to access shared folders and printers.
- For a complete list of ports and services, consult IANA’s Assigned Port Number page at www.iana.org/assignments/port-numbers.
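As an added example for slides 21 to 23 (not from the book), this script compares what a host is actually listening on with what its role needs, using the chapter's own list of frequently attacked ports to label anything unexpected. The netstat-style output and the file-server allowlist are constructed assumptions; the allowlist is a hypothetical policy, not a recommendation for any particular product.

```python
"""Compare a host's exposed listening ports with what its role needs.

Added example, not the book's code. The netstat-style rows are constructed;
the risky-port table is the chapter's list of frequently attacked ports, and
ROLE_ALLOWLIST is a hypothetical policy for a plain file server.
"""
import re

# (proto, port) -> service, from the chapter's list of frequently attacked ports
RISKY_PORTS = {
    ("tcp", 20): "FTP data", ("tcp", 21): "FTP control",
    ("udp", 69): "TFTP",
    ("tcp", 23): "Telnet",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 119): "NNTP",
    ("tcp", 135): "NetBIOS", ("udp", 135): "NetBIOS",
    ("udp", 137): "NetBIOS", ("udp", 138): "NetBIOS", ("tcp", 139): "NetBIOS",
    ("tcp", 445): "SMB", ("udp", 445): "SMB",
    ("tcp", 3389): "Remote Desktop Protocol",
    ("tcp", 161): "SNMP", ("udp", 161): "SNMP",
    ("tcp", 162): "SNMP trap", ("udp", 162): "SNMP trap",
}
RPC_RANGE = range(1025, 1040)  # Windows RPC programs, 1025 to 1039 TCP/UDP

# Hypothetical policy: a file server needs only SMB/NetBIOS towards its clients
ROLE_ALLOWLIST = {
    "file_server": {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)},
}

# Constructed `netstat -an`-style output from a file server that also runs DNS
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def parse_listeners(text):
    """Return {(proto, port)} for sockets bound to a non-loopback address.

    UDP rows carry no state column; TCP rows count only when LISTENING.
    """
    listeners = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
        if addr.startswith("127."):
            continue  # loopback-only services are not exposed to the network
        if proto == "tcp" and state != "LISTENING":
            continue
        listeners.add((proto, port))
    return listeners


def classify(proto, port):
    """Name the service on a port using the chapter's table, else a generic label."""
    if (proto, port) in RISKY_PORTS:
        return RISKY_PORTS[(proto, port)]
    if port in RPC_RANGE:
        return "Windows RPC"
    return "unlisted service"


def audit(listeners, role):
    """List (proto, port, service) for every exposed port the role does not need."""
    allowed = ROLE_ALLOWLIST[role]
    return [(proto, port, classify(proto, port))
            for proto, port in sorted(listeners) if (proto, port) not in allowed]


if __name__ == "__main__":
    for proto, port, service in audit(parse_listeners(SAMPLE_NETSTAT), "file_server"):
        print(f"{proto}/{port:<5} {service}: not required by the file_server role")
```

Each finding is a candidate either for disabling the service on the host (the DNS example from slide 21) or for a perimeter filter (the SMB/NetBIOS guidance on slide 23); the allowlist is what turns a raw port list into a decision.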

24 Other Security Best Practices
- Use TCP/IP filtering.
- Delete unused scripts and sample applications.
- Delete default hidden shares and unnecessary shares.
- Use a different unique naming scheme and passwords for public interfaces.
- Be careful of default permissions.
- Use packet-filtering technologies, such as host-based software firewalls, enterprise-class hardware firewalls, and intrusion detection and prevention systems, that are suited to the environment.
- Use open-source or commercial tools to assess system security.
- Use a file-integrity checker to monitor unauthorized file system modifications and send alerts of these changes.
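The last item on slide 24, a file-integrity checker, as an added example (not the book's code): it baselines a directory tree with SHA-256 hashes, stores the baseline as JSON, and on a later run reports what was added, removed, or modified. The files it hashes are constructed in a temporary directory so the script runs stand-alone; on a real server the baseline would be taken once from a known-good state, kept off-host, and compared on a schedule.

```python
"""Baseline a directory tree and report unauthorized changes.

Added example, not the book's code. The files it hashes are created in a
temporary directory so the script runs stand-alone; a real deployment keeps
the baseline off-host and runs compare() on a schedule.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify every difference between two snapshots."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo():
    """Build a small tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "inetpub"))
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "inetpub", "default.htm"), "w") as fh:
            fh.write("<h1>welcome</h1>\n")
        # The baseline lives outside the monitored tree so it is not reported as "added"
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated unauthorized changes: edit, add, delete
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("203.0.113.7 updates.example\n")
        with open(os.path.join(root, "inetpub", "extra.txt"), "w") as fh:
            fh.write("unexpected\n")
        os.remove(os.path.join(root, "inetpub", "default.htm"))

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:<9} {p}")
```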

25 Other Security Best Practices
- Disable the Guest account.
- Rename the default Administrator account.
- Make sure there are no accounts with blank passwords.
- Use Windows group policies to enforce security configurations on large networks efficiently and consistently.
- Develop a comprehensive security awareness program for users to reinforce your organization’s security policy.
- Keep up with emerging threats. Check with Microsoft, SANS, US-CERT (www.us-cert.gov), and other security organizations for the newest developments. The security field is changing rapidly, and security professionals must keep up with new developments, threats, and tools.

26 Linux OS Vulnerabilities
- Like any OS, Linux can be made more secure if users are aware of its vulnerabilities and keep current on new releases and fixes.
- It’s assumed you have some experience working with a *nix OS, so basics of the Linux OS and file system aren’t covered in this chapter.
- Too many network administrators believe Windows is easier to attack and view *nix OSs as inherently more secure.
- Security professionals must understand that making these assumptions can be dangerous because vulnerabilities exist for all OSs.
- When conducting a security test on systems running Linux, you should follow the same rules you would for any OS.

27 Samba
Users expect to be able to share resources over a network, regardless of the OS used, and companies have discovered that users no longer tolerate proprietary systems that can’t co-exist in a network. To address the issue of interoperability, a group of programmers created Samba (www.samba.org) in 1992 as an open-source implementation of CIFS (Common Internet File System). With Samba, *nix servers can share resources with Windows clients, and Windows clients can access a *nix resource without realizing that the resource is on a *nix computer.

28 Samba
Security professionals should have a basic knowledge of SMB and Samba because many companies have a mixed environment of Windows and *nix systems. For a Windows computer to be able to access a *nix resource, CIFS must be enabled on both systems. On networks that require *nix computers to access Windows resources, Samba is often used. It’s not a hacking tool; this product was designed to enable *nix computers to “trick” Windows services into believing that *nix resources are Windows resources. Most new versions of Linux include Samba as an optional package, so you don’t need to download, install, and compile it.
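Since a mixed environment usually means a Samba server exposing SMB shares, here is an added example (not from the book or the Samba project) of auditing an smb.conf for settings that widen the attack surface this chapter describes: mapping failed logons to the guest account, permitting SMB1 dialects, leaving client addresses unrestricted, and guest-accessible shares. Both configurations below are constructed; the option names (map to guest, server min protocol, hosts allow, hosts deny, guest ok, valid users) are real smb.conf parameters, and the checks encode one reasonable policy rather than Samba's own defaults.

```python
"""Audit an smb.conf for settings that widen a Samba server's exposure.

Added example, not from the book or the Samba project. Both configurations
are constructed; the parameter names are real smb.conf options, and the
checks encode one reasonable policy, not Samba's defaults.
"""

# Constructed: a permissive configuration
WEAK_CONF = """\
[global]
   workgroup = CORP
   security = user
   map to guest = Bad User
   server min protocol = NT1

[public]
   path = /srv/public
   guest ok = yes
   read only = no

[finance]
   path = /srv/finance
   valid users = @finance
   guest ok = no
"""

# Constructed: the same server with the checks below satisfied
HARDENED_CONF = """\
[global]
   workgroup = CORP
   security = user
   map to guest = Never
   server min protocol = SMB2
   hosts allow = 10. 127.
   hosts deny = ALL

[finance]
   path = /srv/finance
   valid users = @finance
   guest ok = no
   read only = no
"""

# Dialect names that select SMB1 when given as the minimum protocol
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}.

    Parameter names are lower-cased and space-normalised (Samba's parameter
    names are case-insensitive); '#' and ';' lines are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb_conf(conf):
    """Return (section, issue) pairs: global settings first, then each share."""
    findings = []
    g = conf.get("global", {})
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", f"map to guest = {g['map to guest']} turns failed logons into guest sessions"))
    proto = g.get("server min protocol")
    if proto is None:
        findings.append(("global", "server min protocol not set; the minimum dialect depends on the Samba version's default"))
    elif proto.lower() in SMB1_DIALECTS:
        findings.append(("global", f"server min protocol = {proto} still permits SMB1"))
    if "hosts allow" not in g:
        findings.append(("global", "hosts allow not set; shares answer any address the firewall lets through"))
    for name, share in conf.items():
        if name == "global":
            continue
        if share.get("guest ok", "no").lower() == "yes":
            findings.append((name, "guest ok = yes allows unauthenticated access to this share"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(audit_smb_conf(parse_smb_conf(text)))} finding(s)")
        for section, issue in audit_smb_conf(parse_smb_conf(text)):
            print(f"  [{section}] {issue}")
```

The hosts allow check complements, rather than replaces, the perimeter filtering of ports 137 to 139 and 445 recommended earlier in the chapter: the router keeps outsiders away from SMB, and the host-level restriction limits which internal addresses can reach the shares.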

29 Tools for Identifying Linux Vulnerabilities
Visiting the CVE (Common Vulnerabilities and Exposures) Web site is a good first step in discovering possible avenues attackers might take to break into a Linux system. Table 8-4 lists a small portion of the CVEs found when searching on the keyword “Linux.” To give you an idea of the multitude of Linux vulnerabilities, more than 500 entries were found. Many of these vulnerabilities can no longer be exploited on systems that have been updated.

30 Tools for Identifying Linux Vulnerabilities
Security testers should review the CVE information carefully to ensure that a system doesn’t have any vulnerabilities listed on the CVE Web site and has been updated. A security tester using enumeration tools can do the following:
- Identify a computer on the network by using port scanning and zone transfers.
- Identify the OS the computer is using by conducting port scanning and enumeration.
- Identify via enumeration any logon accounts and passwords configured on the computer.
- Learn the names of shared folders by using enumeration.
- Identify services running on the computer.
Network enumeration is a computing activity in which usernames and information on groups, shares, and services of networked computers are retrieved.

31 Key Terms
- Attack surface: The amount of code a computer system exposes to unauthenticated outsiders.
- Common Internet File System (CIFS): A remote file system protocol that enables computers to share network resources over the Internet.
- Samba: An open-source implementation of CIFS that allows *nix servers to share resources with Windows clients and vice versa.
- Server Message Block (SMB): A protocol for sharing files and printers and providing a method for client applications to read, write to, and request services from server programs in a network. SMB has been supported since Windows 95.
- Systems Management Server (SMS): This service includes detailed hardware inventory, software inventory and metering, software distribution and installation, and remote troubleshooting tools.
- Windows Software Update Services (WSUS): A free add-in component that simplifies the process of keeping Windows computers current with the latest critical updates, patches, and service packs. WSUS installs a Web-based application that runs on a Windows server.

32 Summary
- Tools are available for discovering Windows vulnerabilities (e.g., MBSA)
- Steps to secure systems: keeping systems updated, running antivirus tools, reviewing logs regularly, etc.
- Vulnerabilities of the Linux OS can be discovered with security tools
- Samba was created to address the issue of interoperability
- Built-in Linux tools are available for configuring

