Presentation is loading. Please wait.

Presentation is loading. Please wait.

Host Hardening Chapter 6 Panko, Corporate Computer and Network Security Copyright 2005 Prentice-Hall.

Published byDamon Wilkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Host Hardening Chapter 6 Panko, Corporate Computer and Network Security Copyright 2005 Prentice-Hall."— Presentation transcript:

1 Host Hardening Chapter 6 Panko, Corporate Computer and Network Security Copyright 2005 Prentice-Hall

2 2 Figure 6-1: Hardening Host Computers The Problem  Computers installed out of the box have known vulnerabilities Not just Windows computers  Hackers can take them over easily  They must be hardened—a complex process that involves many actions

3 3 Figure 6-1: Hardening Host Computers Elements of Hardening  Physical security (Chapter 2).  Secure installation and configuration  Fix known vulnerabilities  Turn off unnecessary services (applications)  Harden all remaining applications (Chapter 9)  (more on next page)

4 4 Figure 6-1: Hardening Host Computers Elements of Hardening (continued)  Manage users and groups  Manage access permissions For individual files and directories, assign access permissions specific users and groups  Back up the server regularly  Advanced protections

5 5 Figure 6-1: Hardening Host Computers Security Baselines Guide the Hardening Effort  Specifications for how hardening should be done  Different for different operating systems  Different for different types of servers (webservers, mail servers, etc.)  Needed because it is easy to forget a step

6 6 Figure 6-1: Hardening Host Computers Server Administrators Are Called Systems Administrators  A sysadmin manages one or several servers—not necessarily all of a firm’s servers  Sometimes, groups of sysadmins manage multiple servers New

7 7 Figure 6-1: Hardening Host Computers Windows Computers  Microsoft Network Operating Systems (NOSs) LAN Manager (LANMAN) Windows NT Server Windows 2000 Server Windows 2003 Server (called.NET in the book)  Graphical user interface looks like client versions to ease learning (Figure 6-2)

8 8 Figure 6-2: Windows 2000 Server User Interface

9 9 Figure 6-1: Hardening Host Computers Windows Computers  Administrative Tools Group under Programs has Microsoft Management Consoles (MMCs) (Figure 6-3) Used to conduct most administrative actions Can add snap-ins for specific functionality

10 10 Figure 6-3: Computer Management Microsoft Management Console (MMC) System Tools snap-in

11 11 Figure 6-1: Hardening Host Computers Windows Computers  Windows 2000 introduced hierarchical domain structure with Active Directory Domain is a collection of resources Domain contains one or more domain controllers, member servers, client PCs Group policy objects (GPOs) on a domain controller can implement policies throughout a domain

12 12 Figure 6-1: Hardening Host Computers UNIX  Many versions of UNIX  LINUX is a set of versions for PCs—there are several different distributions  User can select the user interface—GUI or command-line interface (CLI)  CLIs are called shells (Bourne, BASH, etc.)  CLIs have picky syntax, capitalization, and spacing

13 13 Figure 6-1: Hardening Host Computers Internetwork Operating System (IOS)  For Cisco Routers, Some Switches, Firewalls Other Host Operating Systems  Macintosh  Novell NetWare  Firewalls  Even cable modems with web-based management interfaces

14 14 Figure 6-4: Installation and Patching Installation Offers Many Options, Some of Which Affect Security  For example, in Windows, the NTFS file system is better for security than FAT32  Need a security baseline to guide option choices during installation

15 15 Figure 6-4: Installation and Patching Known Vulnerabilities  Most programs have known vulnerabilities  Exploits are programs that take advantage of known vulnerabilities

16 16 Figure 6-4: Installation and Patching Known Vulnerabilities  Vulnerability reporters send vulnerability reports to vendors  Vulnerability reporters often say that vendors take too long to fix vulnerabilities  Vendors say that vulnerability reporters do not give them enough time, report too much detail to the press

17 17 Figure 6-4: Installation and Patching Fixes  Work-around: A series of actions to be taken; no new software  Patches: New software to be added to the operating system  Upgrades: Newer versions of programs usually fix older vulnerabilities.

18 18 Figure 6-4: Installation and Patching Upgrades  Often, security vulnerabilities are fixed in new versions  If a version is too old, the vendor might stop offering fixes  It might be good to wait to upgrade until after the first round of bug and security fixes

19 19 Figure 6-4: Installation and Patching Mechanics of Patching  Microsoft Windows Server Windows Update on Start menu (Figure 6-2) in Windows 2000 Automatic notification of update availability in Windows 2003  LINUX distributions often use rpm for updates

20 20 Patching

21 21 Figure 6-4: Installation and Patching Patches Often Are Not Applied  Companies get overwhelmed by number of patches Use many products, vendors release many patches per product Especially a problem for application programs

22 22 Figure 6-4: Installation and Patching Patches Often Are Not Applied  Cost of Patch installation Mitigated by patch servers that distribute patches to general servers More easy-to-use vendor tools are needed Might simply lack the resources to apply all; might be selective

23 23 Figure 6-4: Installation and Patching Patches Often Are Not Applied  Risks of Patch installation Reduced functionality Freeze machines, do other damage—sometimes with no Uninstall possible Should test patch on a test system before deployment Special problem for mission-critical production systems that must work

24 24 Figure 6-5: Turning Off Unnecessary Services Unnecessary Services  Operating system vendors used to install many services by default  This made them easier to use. When use changes, services do not have to be turned on.  Attackers have found flaws in many of these rare services

25 25 Figure 6-5: Turning Off Unnecessary Services Unnecessary Services  Vendors now install fewer services by default—lock down mode  Turn to security baseline to see what services to turn on and off  Easier to install too few and add than to install too many and remove unwanted services

26 26 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In Windows Server  Go to the Computer Management MMC  On the tree, select Services and Applications (Figure 6-6) Status tells whether the service is active Startup tells how the service is started (automatic, manual, disabled, etc.)  Right click on a service or select and choose Action to stop a service, start it, disable it, etc.

27 27 Figure 6-6: Services and Applications in Windows

28 28 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In UNIX  Three ways to start services inetd to start services when requests come in from users (Figure 6-7) rc scripts to start services automatically at book up (Figure 6-8) Start a service manually by typing its name or executing a batch file that does so

29 29 Figure 6-7: UNIX inetd Daemon for Responding to Client Requests Program A Program B Program C Program D inetd Port 23 Program A Port 80 Program B Port 123 Program C Port 1510 Program D 1. Client Request To Port 80 4. Start and Process This Request 3. Program B 2. Port 80 inetd.config

30 30 Figure 6-8 The UNIX rc.d Method of Automatically Starting Services /etc/rc.d 1. Script for Service A 2. Script for Service B 3. Script for Service F 4. Script for Service H rc0.d [scripts to run during System Mode 0-shutdown] K2... [Run the Kill portion of Script 2: Kills Service B] K3... [Run the Kill portion of Script 3: Kills Service F]... rc.d directory Scripts for services. Contain scripts to start or kill services. Directory rc0.d. Subdirectory of rc.d. Contains scripts to run start or kill portions of scripts in rc.d directory. These scripts are executed if run mode 0 occurs—system shutdown

31 31 Figure 6-8 The UNIX rc.d Method of Automatically Starting Services rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d [scripts to run during System Mode 6-startup] S1... [Run the Start portion of Script 1: Starts Service A] S2... [Run the Start portion of Script 2: Starts Service B]... rcs.d [scripts to run during System Mode s—single-user mode] Other subdirectories of rc.d for scripts to execute in different run modes, such as run mode 6—startup

32 32 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In UNIX  Identifying services that are running at any moment ps (processor status), usually with –aux parameters, lists running programs  Shows process name and process ID (PID) netstat tells what services are running on what ports

33 33 Figure 6-5: Turning Off Unnecessary Services Turning Off Services In UNIX  kill PID to kill a particular process  kill 47 (If PID=47) Add parameters –SIGTERM, -SIGHUP, -SIGKILL in order of increasing urgency  kill 47 –SIGTERM (PID = 47) Only kills for now. Must search inetd.config, rc scripts, batch files to see where it is being started automatically. Difficult to do.

34 34 Figure 6-9: Managing Users and Groups Introduction  Every user must have an account  There can also be groups Can assign security measures to groups These measures apply to the individual group members automatically Faster and easier than assigning security measures to individuals

35 35 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows  Computer Management: Local Users and Groups snap-in (Figure 6-10)  Select Users  Select user from list Right click on user and select Properties: password restrictions, disable box Or select Action: change password, etc. Add, delete users

36 36 Figure 6-10: Users and Groups in Windows

37 37 Figure 6-11: Windows User Account Properties To get this screen, right click on user account in Figure 6-10, select Properties

38 38 Figure 6-12: Creating a New User in Windows

39 39 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows  Select user from list Administrator is the super account  Change its name and create a new Administrator account with no permissions  Administrators should not log in as Administrators; log in as their own account, use RunAs to get temporary Administrator status when needed

40 40 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows  Select user from list Guest account should be disabled (the default during installation)

41 41 Figure 6-9: Managing Users and Groups Creating and Managing Groups in Windows  Select Groups Assign rights to groups Standard groups: Administrators, Power Users, Backup Operators, etc.  Have appropriate permissions by default for their tasks

42 42 Figure 6-9: Managing Users and Groups Managing Users and Groups in UNIX  Different versions of UNIX do this differently, so it is difficult to talk in general terms  The super account is root su (switch user) allows administrators to log in as regular accounts, su to get root privileges when desired  Guest account should be disabled

43 43 Figure 6-13: Managing Permissions Principle of Least Permissions: Give Users the Minimum Permissions Needed for Their Job  More feasible to add permissions selectively than to start with many, reduce for security

44 44 Figure 6-13: Managing Permissions Assigning Permissions in Windows (Figure 6-14)  Right click on file or directory in My Computer  Select Properties, then Security tab  Select a user or group  NOT done through the start menu, selecting Administrative Tools

45 45 Figure 6-14: Assigning Permissions in Windows To bring up this screen, right click on a folder, select Properties. Click on Security tab

46 46 Figure 6-13: Managing Permissions Assigning Permissions in Windows (Figure 6-14)  Click on or off the 6 standard policies (permit or deny) List Folder Contents (see what is in a directory) Read (read only) Read and Execute (for programs) Write (change files) Modify (Write plus delete) Full control: all permissions

47 47 Figure 6-13: Managing Permissions Assigning Permissions in Windows (Figure 6-14)  Click on or off the 6 standard policies (permit or deny)  For more fine-grained control, 13 special permissions collectively give the standard 6  This gives highly granular access controls, especially compared to UNIX (next)

48 48 Figure 6-13: Managing Permissions Assigning Permissions in UNIX  ls -l shows details of files and directories in long format First character is - for a file, d for a directory Ends with name of file or directory -rwxr-x---1 root... purple.exe drw-r---- 1 brows... reports -rw-rw-r--1 lighter... bronze.txt Note: purple.exe is a file; reports is a directory. What is bronze.txt?

49 49 Figure 6-13: Managing Permissions Assigning Permissions in UNIX  ls -l shows files in a directory in long format Only three permissions: read (only), write (change), and execute (run program) Format is rwx for all or various combinations (r-x is read and execute but not write) -rwxr-x---1 root... purple.exe drw-r---- 1 brows... reports -rw-rw-r--1 lighter... bronze.txt rwx

50 50 Figure 6-13: Managing Permissions Assigning Permissions in UNIX  ls -l shows files in a directory in long format Next three characters are permissions (rwx possible) for the file owner -rwxr-x---1 root... purple.exe drw-r---- 1 brows... reports -rw-rw-r--1 lighter... bronze.txt purple.exe’s owner has all three permissions reports’ owner has only read and write permissions

51 51 Figure 6-13: Managing Permissions Assigning Permissions in UNIX Next three are permissions (rwx possible) for the group Next three are permissions for the rest of the world -rwxr-x---1 root... purple.exe drw-r---- 1 brows... reports -rw-rw-r--1 lighter... bronze.txt purple’s group has read and execute permissions. purple has no permissions for the rest of the world.

52 52 Figure 6-13: Managing Permissions Assigning Permissions in UNIX Next comes the number of links Next comes the name of the owner Group might be shown (not here) -rwxr-x---1 root... purple.exe drw-r---- 1 brows... reports -rw-rw-r--1 lighter... bronze.txt

53 53 Figure 6-13: Managing Permissions Assigning Permissions in UNIX  Changing permissions umask (user mask) command sets the default permissions for future assignments chmod (change mode) changes permissions for the file chown (change owner) changes the ownership of a file

54 54 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing permissions, starting programs, kernel messages, etc.  Windows 2000 Event Viewer (Figure 6-17)

55 55 Figure 6-17: Windows 2000 Event Viewer for Logging

56 56 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  UNIX has many logging facilities controlled by syslog program (Figure 6-18) Syslog program sends log entries of different types to specific directories on the host or on other hosts The file syslog.config specifies which log entries and which severity levels should go to which directories on which hosts

57 57 Figure 6-18: syslog in UNIX Event From Internal System syslog … Login.Err HostA.. Restart.* /errors/restart.. 3. Host A 2. Login/Err 1. Event. Type=Login, Level=Err syslog.config Host Wishing to Do Remote Logging 4. Remote Logging Host A (Runs syslog)

58 58 Figure 6-16: Advanced Server Hardening Techniques Backup (Chapter 10)  UNIX backup tar command (tape archive) Create tape archive of a file, group of files, directory tree in a.tar file Can use tar to look at table of contents of files in.tar file Can use tar to restore one, some, or all files

59 59 Figure 6-16: Advanced Server Hardening Techniques Backup (Chapter 10)  Windows backup Start, Programs, Accessories, System Tools, Backup  Note that Backup is under Accessories rather than under Administrative Tools like most MMCs GUI to create backups, restore backups

60 60 Figure 6-16: Advanced Server Hardening Techniques File Encryption  Protects files even if attacker breaks in  Key escrow: Copy of encryption key is kept elsewhere to protect in case of key loss  Windows Encrypting File System (EFS) Select file in Windows Explorer, select Properties Click on General tab’s Advanced button Click on the box Encrypt contents to secure data

61 61 Figure 6-16: Advanced Server Hardening Techniques File Encryption  Windows Encrypting File System (EFS) Encryption is transparent: Save, retrieve, copy files as usual Encrypted files generally cannot be sent over the network There is a Recovery agent (usually on the domain controller) for key escrow

62 62 Figure 6-16: Advanced Server Hardening Techniques File Integrity Checker  Creates snapshot of files: a hashed signature (message digest) for each file  After an attack, compares post-hack signature with snapshot  This allows systems administrator to determine which files were changed  Tripwire is the usual file integrity checker for UNIX (Figure 6-19)

63 63 Figure 6-19: Tripwire File Integrity Checker File 1 File 2 … Other Files in Policy List File 1 File 2 … Other Files in Policy List File 1 Signature File 2 Signature … File 1 Signature File 2 Signature … Tripwire 1. Earlier Time 2. After Attack Post-Attack Signatures 3. Comparison to Find Changed Files Reference Base

64 64 Figure 6-16: Advanced Server Hardening Techniques File Integrity Checker  If applied to too many files, too many false alarms will occur  Must be selective—core programs likely to be Trojanized during attacks Server Host Firewalls  Rules can be specific to the server’s role (e-mail, etc.)

65 65 Figure 6-20: Types of UNIX Vulnerability Assessment Tools External Audit Tool Host Assessment Tool Network Monitoring Tool Attack Packet Network Traffic Auditing Computer

66 66 Figure 6-21: Hardening Clients Importance of Clients  Contain important information  If taken over, can get in as user, passing through firewalls and other protections

67 67 Figure 6-21: Hardening Clients Enforcing Good Practice  Patching  Antivirus software  Firewall software  Limiting client software to an approved list (e.g., forbidding P2P file exchange products)  Save passwords?  File encryption

68 68 Figure 6-21: Hardening Clients Central Control is Desirable for Clients  For example, Microsoft Group Policy Objects (GPOs) for home clients  Require certain programs (antivirus, etc.), forbid programs not on list  Even lock down desktop so use cannot add new software or even change the interface  Central vulnerability scanning  Difficult to enforce on personally owned home computers

69 69 Topics Covered Firewalls and other protections sometimes break down Computers must be hardened to survive when attackers reach them Defense in depth

70 70 Topics Covered Elements of Hardening  Physical security (Chapter 2).  Secure installation and configuration  Fix known vulnerabilities  Turn off unnecessary services (applications)  Harden all remaining applications (Chapter 9)  Manage users and groups  Manage access permissions  Back up the server regularly  Advanced protections

71 71 Topics Covered Baselines are needed to specify everything that must be done to harden a server Server administrators are called systems administrators  Each server has one or more sysadmins

72 72 Topics Covered  Microsoft Network Operating Systems (NOSs) LAN Manager (LANMAN) Windows NT Server Windows 2000 Server Windows 2003 Server (called.NET in the book) Familiar Windows interface gives ease of learning and use

73 73 Topics Covered UNIX  Many versions of UNIX  LINUX distributions  CLIs are difficult to use Other  Novell NetWare  Cisco IOS for routers and switches  Firewalls, cable modems, etc.

74 74 Topics Covered Installation  Many options affect security  Need a baseline to guide installation

75 75 Topics Covered Patching vulnerabilities  The most critical hardening step  Fixes, patches, and upgrades  Often not applied because of sysadmin overload  Need to test patches before roll out  Linux uses rpm to get patches  Windows 2000 uses the Windows Update item on the start menu  Automatic notification in Windows 2003

76 76 Topics Covered Turn Off Unnecessary Services  To give attackers fewer targets  Windows Server Computer management MMC GUI  Unix inetd.config modification rc scripts ps –aux, netstat show process IDs (PIDs) kill PID kills the process with that PID

77 77 Topics Covered Managing Users and Groups  Assign permission to users  Can also assign permissions to groups Group members receive all assigned permissions  Assign permissions for individuals and groups to individual directories

78 78 Topics Covered Managing Users and Groups  Windows Server Computer Management: Local Users and Groups snap-in to manage users and groups  Assign permission to directories by right clicking on them  Windows has 6 standard permissions which can be subdivided into 13 special permissions  Windows can assign permissions in a directory to many users and groups

79 79 Topics Covered Permissions in Unix  Only three (read, write, and execute)  Can only be assigned to a file or directory owner, a single group, and the rest of the world  ls -l shows permissions  chmod changes permissions for a file or directory  chown changes the owner of a file or directory

80 80 Topics Covered File Integrity Checking  Tripwire for Unix and Windows Host Firewall  Protections tailored to host’s specific services Vulnerability Assessment  Unix external audit, network monitoring, and host assessment tools

81 81 Hardening Clients Good Practice  Many Aspects Patching Antivirus software Firewall software Limiting client software to an approved list Etc.  Difficult to enforce Centralized management (e.g., Microsoft GPOs) can enforce policies

Download ppt "Host Hardening Chapter 6 Panko, Corporate Computer and Network Security Copyright 2005 Prentice-Hall."

Similar presentations

Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.

1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
Host Hardening (March 21, 2011) © Abdou Illia – Spring 2011.

Host Hardening (March 21, 2011) © Abdou Illia – Spring 2011.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 7: Advanced File System Management.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
5.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.

5.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 5: Working with File Systems.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Similar presentations

Ads by Google