Learning Activity Plan
Information Technology Security Specialist
ITSY-2000 OPERATING SYSTEMS SECURITY

ACKNOWLEDGEMENTS

Learning Activity Plan (LAP) developed by: Joe Mallen, faculty member of Southwest Texas Junior College.

This LAP was developed under the auspices of the Texas State Leadership Partnership for IT Specialist Curriculum Development and funded by a grant from the Texas Higher Education Coordinating Board, Community and Technical College Division. This LAP is recommended for use by community and technical colleges in Texas.

Authorizing Agency: Texas Higher Education Coordinating Board, 1200 East Anderson Lane, Austin, TX 78752 (www.thecb.state.tx.us)
Funded by: Carl D. Perkins Vocational Education Act
Project Advisor: Rob Franks, Texas Higher Education Coordinating Board
Project Staff:
   Director, Brent Kesterson, Tech Ed Division, Richland College, 12800 Abrams Road, Dallas, TX 75243
   Coordinator, Ngoc Truong, Tech Ed Division, Richland College, 12800 Abrams Road, Dallas, TX 75243
Project Partners:
   Collin County Community College, Ann Beheler, Barbara Taylor
   Dallas County Community College District, Don Perry
   Del Mar College, Larry Lee, Michael Harris
   North Harris College, Bill Coppola, Allen Rice, Calvin Rennels
   Richland College, Kay Eggleston, Martha Hogan, Paula Dennis
   Southwest Texas Junior College, Dick Whipple
   Southwest Texas Junior College, Joe Mallen
   Texas State Technical College – Waco, Linda Shorter
   Tyler Junior College, Charles Cowell

Non-exclusive copyright © 2003. Non-exclusive copyright is retained by the U.S. Department of Education, the Texas Higher Education Coordinating Board, and Richland College. Permission to use or reproduce this document in whole or part is granted for not-for-profit educational and research purposes only. For any other use, please request permission in writing from the Technical Education Division, Richland College, 12800 Abrams Road, Dallas, TX 75243. Phone: 972 238-6396.
FAX: 972 238-6905

Table of Contents
Classroom Setup Requirements ........................................ 4-5
Discover Windows 2000 Vulnerabilities ................................ 6
Discover Linux Vulnerabilities ....................................... 7
Configuring an Audit Policy & Managing your Event Logs ............... 8
Using Strong Passwords in Windows 2000 ............................... 9
Using Strong Passwords in Linux ..................................... 10
Viewing Open Ports in Windows 2000 .................................. 11
Protecting your OS against Dictionary Attacks ....................... 12
Disable terminal access to the root account in Linux ................ 13
Using a Keylogger Program ........................................... 14
Using Security Analyzer on a Win2000 and Linux Client ............ 15-16
Removing unnecessary services and changing misc. security settings .. 17
Using Bastille to Reduce the Risk in a Linux System ................. 18

Classroom Setup Requirements

Hardware Requirements:
The following table lists the suggested hardware requirements for this course. Each item should meet or exceed the stated specification.

Hardware                       Specification
Processor                      Intel Pentium II (or equivalent) personal computer, 300 MHz or faster
L2 Cache                       256 KB
Hard Disk                      8 GB hard drive
RAM                            at least 128 MB
CD-ROM                         32x
Network Interface Card (NIC)   10BaseT or 100BaseTX (10 or 100 Mbps)
Sound card / Speakers          Required for the instructor station, optional for student stations
Network Hubs                   Two 10-port 10BaseT or 100BaseTX (10 or 100 Mbps) hubs
Router                         Multi-homed system with three NICs (Windows 2000 Server)

Software Requirements:
The following software is used in this course for both the instructor and student systems.
o Microsoft Windows 2000 Server, with Microsoft Internet Explorer 5 or later, including Outlook Express. If possible, create three partitions: two formatted NTFS for Windows 2000, and a sufficiently large partition left completely blank so that it can be used by the Red Hat Linux 7.x installation.
o Current Microsoft Windows 2000 Service Pack (unless otherwise directed in a lesson)
o WebTrends Security Analyzer with optional agents for Red Hat Linux (www.webtrends.com)
o Ipswitch WS_Ping ProPack Version 2.1 or later (www.ipswitch.com)
o RedButton
o NetBIOS Auditing Tool (NAT)
o Amecisco Invisible Keylogger Stealth
o Resource Kit demonstration files (Diskmap.exe, dmdiag.exe, drivers.exe, pstat.exe, pulist.exe and perms.exe) (www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp)
o Full installation of Red Hat Linux (Red Hat Linux 7.x). See the Linux installation instructions for component details. Do not choose "server installation", which will completely reformat the hard drive and destroy your Windows 2000 installation. Have the installation program automatically install the following services:
   o X Windows
   o DNS package (including BIND v8)
   o Shadow passwords
   o Development (contains the GNU C compiler)
   o Both Linuxconf and Gnome Linuxconf (either on the installation disk, at www.rpmfind.net, or at the Linuxconf website: www.solucorp.qc.ca/linuxconf)
   o Winfile
   o Fport
   o Bastille version 1.1.0

Note: You can obtain the installation files for Red Hat Linux 7.x at www.redhat.com.
If you are new to the Red Hat Linux installation procedure, visit the following site for more detailed instructions on how to install: http://www.redhat.com/docs/manuals/linux/

Discover Windows 2000 Vulnerabilities

Learning Outcome
Identify Windows vulnerabilities during an initial default installation of the operating system. Students will learn to use a program to discover the built-in accounts on remote servers and use a dictionary-type attack to discover passwords.

Recommended Resources for Learning Activity
"RedButton" program
NetBIOS Auditing Tool (NAT)

Recommended Instructor Preparation for Learning Activity
Instructor lecture on how vulnerable a Windows 2000 Server can be out of the box. Classroom discussion on how the RedButton program can be used to discover the built-in account (Administrator), or the account name if it has been renamed, and the available shares on the server. Also, discuss how to use the NAT program to perform a dictionary attack. Students should be familiar with the concepts of "shares" and "dictionary attacks".

Recommended Instructor/Student In-class/lab Activity
Methods to capture student attention: Tell the students that they are about to learn how to become hackers and at the same time understand some of the vulnerabilities in Windows 2000 Server.

Lab – Discover Windows 2000 Vulnerabilities:
1. Install the RedButton program and run it.
2. Choose No when the program asks your intentions.
3. Enter the IP address of the computer you are hacking and click OK.
4. Click the Go area in the main window.
   Note: RedButton will come back with the built-in account name and the available shares. Now all you need is the password. The following steps perform a dictionary attack to discover the password.
5. Install the NAT program.
6. Command prompt: enter the following command:
   nat -o results.txt -u userlist.txt -p passlist.txt <ip address of the remote computer>
7. Command prompt: enter "type results.txt | more", or open the results.txt file with a text editor such as Notepad.
8. Search the file and discover the successful break-in attempts, including the administrator password.
9. Now that you know the system administrator password, log on to the remote computer's administrative share by going to Start | Run and entering the following command:
   \\remote_machines_ipaddress\C$
10. You have now seen a simple example of the process of breaking into a system.

Discover Linux Vulnerabilities

Learning Outcome
Identify Red Hat Linux vulnerabilities during an initial default installation of the operating system.

Recommended Resources for Learning Activity
www.solucorp.qc.ca/linuxconf

Recommended Instructor Preparation for Learning Activity
Instructor note: Linuxconf must be installed. You can download it from the Linuxconf home page listed above. Also, student Linux servers should be configured to allow all connections by default for this lab to work.

Recommended Instructor/Student In-class/lab Activity
Lab – Discover Linux Vulnerabilities and modify Linux settings:
1. Log in as the Linux root user. Use the /usr/sbin/useradd command to create a non-root account named student. Make sure to use the /usr/bin/passwd command to give the student user a password of password.
2. Log off as root and log in as student. Use the reboot command to reboot the system.
   Note: You will see that a non-root user can reboot the system. You should also be able to use the halt and poweroff commands.
3. Become root with the su command. As root, change to the /etc/security/console.apps/ directory.
4. Using a text editor, enter the following into the /etc/security/console.apps/poweroff file:
   USER=root
   SESSION=true
5. Now log back in as student.
6. Try using the poweroff command. Notice that student can no longer use this command.
7. Now make the same changes for the halt command, setting the values USER=root and SESSION=true in the /etc/security/console.apps/halt file.
8. From another computer, open a Telnet session and log on to your Linux server. Enter student as the login name, but enter the wrong password. Notice that after three attempts the system will automatically reset the connection.
   Note: This default setting is effective against brute-force attacks.
9. Log on as root. Open Linuxconf and go to User Accounts | Policies | Password and account policies. Notice that the default minimum length for a password is six characters, and there is no minimum number of non-alphanumeric characters required.
10. Click the Params tab.
11. Note that no password aging settings are set.

Configuring an Audit Policy & Managing your Event Logs

Learning Outcome
Implement procedures to secure and monitor audit logs and set system administrator alerts.

Recommended Resources for Learning Activity
Windows 2000 Server

Recommended Instructor Preparation for Learning Activity
It is recommended that students have a good understanding of the security policy MMC snap-ins of a Windows 2000 Server.

Recommended Instructor/Student In-class/lab Activity
Two-part lab.

Part I Lab – Configure an Audit Policy
1. Click Active Directory Users and Computers from the Administrative Tools menu. If auditing is to be configured on a standalone computer, click Local Security Policy from the Administrative Tools menu instead.
2. To have the domain controllers audited, right-click the Domain Controllers OU and click Properties.
3. Click the Group Policy tab and then the Edit button. If there is no group policy to edit, choose New to create a new policy.
4. In the left pane of the Group Policy window, navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
5. Double-click the event that is to be audited.
6. In the Security Policy Setting dialog box, click Define these policy settings, and choose whether to audit successes, failures or both.

Part II – Filtering an Event Log to find a specific event
1. Click Event Viewer from the Administrative Tools menu.
2. Right-click the log that you want to filter and choose Properties.
3. Click the Filter tab.
4. Choose the event types or any other filtering options (such as event source, category, etc.) needed to filter the log, then click OK.
5. To revert to the unfiltered view, return to the Filter tab and click Restore Defaults.

Using Strong Passwords in Windows 2000

Learning Outcome
Configure Windows 2000 servers to enforce strong passwords by configuring the Security Settings | Password Policy | Passwords must meet complexity requirements value in the Local Security Settings snap-in.

Recommended Resources for Learning Activity
For more information regarding password security: http://www.microsoft.com/Windows2000/en/server/help/default.asp?url/windows2000/en/server/help/windows_passwords_tips.htm

Recommended Instructor Preparation for Learning Activity
Instructor notes on the four types of content that are combined to form a strong password: uppercase letters, lowercase letters, numbers, and non-alphanumeric characters such as punctuation. Students should have a good understanding of what is required of a strong password.

Recommended Instructor/Student In-class/lab Activity
Capture student attention: Explain a dictionary attack.

Lab – Using strong passwords in Windows 2000:
1. Create a user named StrongPasswordUser with the password: password. Uncheck the "User must change password at next logon" check box.
2. Open the Local Security Policy snap-in through Start | Programs | Administrative Tools | Local Security Policy.
3. Select the Security Settings | Account Policies | Password Policy | Passwords must meet complexity requirements value and open it.
4. Click the Enable button to enable this policy.
5. Shut down and restart Windows 2000.
6. Try changing the password on StrongPasswordUser. Note that you are now forced to use a strong password.
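A check for both strong-password labs, added here as an example; it is the editor's code, not part of the original LAP and not Microsoft's or Linuxconf's implementation. It models the Windows 2000 complexity rule enabled in the lab above (at least six characters, not containing the account name, and three of the four character categories listed in the instructor notes) and, going beyond this lab, the two Linuxconf values set in the Linux password lab that follows (minimum length 8, at least 2 non-alphabetic characters). The account-name test is a simplification of the Windows rule, which also considers parts of the user's full name, and the sample accounts are constructed.

```python
"""Password policy checks for the strong-password labs.

Added example, not part of the original Learning Activity Plan. The Windows
check models the Windows 2000 "Passwords must meet complexity requirements"
setting; the Linux check models the two values set in the Linuxconf lab
(minimum length 8, at least 2 non-alpha characters). The accounts below are
constructed sample data.
"""


def windows_complexity_problems(username, password):
    """Reasons the password fails the Windows 2000 complexity rule.

    Returns an empty list when the password passes. The account-name test is
    a simplification of the Windows rule, which also looks at parts of the
    user's full name.
    """
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    categories = [
        any(c.isupper() for c in password),      # uppercase letters
        any(c.islower() for c in password),      # lowercase letters
        any(c.isdigit() for c in password),      # digits
        any(not c.isalnum() for c in password),  # punctuation and other symbols
    ]
    if sum(categories) < 3:
        problems.append("uses fewer than 3 of the 4 character categories")
    return problems


def linux_policy_problems(password, min_length=8, min_non_alpha=2):
    """Reasons the password fails the Linuxconf minimums set in the Linux lab."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    non_alpha = sum(1 for c in password if not c.isalpha())
    if non_alpha < min_non_alpha:
        problems.append(f"fewer than {min_non_alpha} non-alphabetic characters")
    return problems


def audit_accounts(accounts):
    """Map each (username, password) pair to its problems under both policies."""
    return {
        user: {
            "windows": windows_complexity_problems(user, pw),
            "linux": linux_policy_problems(pw),
        }
        for user, pw in accounts
    }


# Constructed sample accounts; the first uses the password the lab starts with.
SAMPLE_ACCOUNTS = [
    ("StrongPasswordUser", "password"),
    ("testattack", "Password1"),
    ("admin", "admin#2003"),
    ("student", "Tx-2003!lab"),
]

if __name__ == "__main__":
    for user, result in audit_accounts(SAMPLE_ACCOUNTS).items():
        for policy, problems in result.items():
            status = "ok" if not problems else "; ".join(problems)
            print(f"{user:20} {policy:8} {status}")
```

Running the block shows that "Password1" satisfies the Windows rule (three categories) but not the Linux lab's setting, which wants two non-alphabetic characters; the two policies measure different things, which is why a password accepted on one system in the lab can be rejected on the other.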
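Filtering an event log, as Part II of the audit lab does in Event Viewer, can also be done on a log saved as tab-delimited text. The script below is an added example by the editor, not part of the original LAP: the export lines are constructed in a simplified layout (Event Viewer's columns followed by the description text), the event IDs are the ones Windows 2000 records for a logon failure (529), a successful logon (528) and a service state change (7036), and the account name is read from the "User Name:" field of the description. Beyond filtering, it counts Failure Audit logon records per account and flags any that reached the four-attempt lockout threshold set in the dictionary-attack lab later in this plan, which is the kind of administrator alert the learning outcome calls for.

```python
"""Filtering an exported Windows 2000 event log and summarising failed logons.

Added example, not part of the original Learning Activity Plan. The export
below is constructed sample data laid out with Event Viewer's columns plus
the description text; the account name is taken from the "User Name:" field
of the description.
"""
import re
from collections import Counter

COLUMNS = ["type", "date", "time", "source", "category", "event",
           "user", "computer", "description"]

_FAIL = "Logon Failure: Unknown user name or bad password. User Name: "


def _event(event_type, time, source, category, event_id, description):
    """Build one tab-delimited line in the constructed export layout."""
    return "\t".join([event_type, "01/15/2003", time, source, category,
                      event_id, "NT AUTHORITY\\SYSTEM", "W2KSRV", description])


# Constructed sample export: five bad-password attempts against testattack,
# two against Administrator, one successful logon and one unrelated system event.
SAMPLE_EXPORT = "\n".join([
    _event("Failure Audit", "10:01:02", "Security", "Logon/Logoff", "529", _FAIL + "testattack"),
    _event("Failure Audit", "10:01:03", "Security", "Logon/Logoff", "529", _FAIL + "testattack"),
    _event("Failure Audit", "10:01:03", "Security", "Logon/Logoff", "529", _FAIL + "testattack"),
    _event("Failure Audit", "10:01:04", "Security", "Logon/Logoff", "529", _FAIL + "testattack"),
    _event("Failure Audit", "10:01:04", "Security", "Logon/Logoff", "529", _FAIL + "testattack"),
    _event("Failure Audit", "10:02:10", "Security", "Logon/Logoff", "529", _FAIL + "Administrator"),
    _event("Failure Audit", "10:02:11", "Security", "Logon/Logoff", "529", _FAIL + "Administrator"),
    _event("Success Audit", "10:05:00", "Security", "Logon/Logoff", "528",
           "Successful Logon: User Name: Administrator"),
    _event("Information", "10:06:00", "Service Control Manager", "None", "7036",
           "The Task Scheduler service entered the stopped state."),
])


def parse_export(text):
    """Parse the tab-delimited export into a list of records (one dict per line)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue  # skip malformed lines rather than guessing at them
        records.append(dict(zip(COLUMNS, fields)))
    return records


def filter_events(records, **criteria):
    """Keep records whose fields equal every given criterion, mirroring the
    Filter tab, e.g. filter_events(records, type="Failure Audit", source="Security")."""
    return [r for r in records
            if all(r.get(field) == value for field, value in criteria.items())]


_USER_NAME = re.compile(r"User Name:\s*(\S+)")


def failed_logons_per_account(records):
    """Count Failure Audit logon records by the account named in the description."""
    counts = Counter()
    for r in filter_events(records, type="Failure Audit", source="Security",
                           category="Logon/Logoff"):
        m = _USER_NAME.search(r["description"])
        if m:
            counts[m.group(1)] += 1
    return counts


def accounts_at_threshold(counts, threshold=4):
    """Accounts whose failure count reached the lockout threshold from the lab."""
    return sorted(a for a, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    counts = failed_logons_per_account(records)
    for account, n in counts.most_common():
        print(f"{account:15} {n} failed logons")
    print("at lockout threshold:", accounts_at_threshold(counts))
```

With the lockout policy from the dictionary-attack lab in place (threshold 4, duration 0) the testattack account would already be locked after the fourth record, so a count of five failures is itself a signal worth reviewing: either the policy was not applied or the guessing continued against a locked account.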
Using Strong Passwords in Linux

Learning Outcome
Modify the default password policy of a Linux system.

Recommended Resources for Learning Activity
www.solucorp.qc.ca/linuxconf

Recommended Instructor Preparation for Learning Activity
Linuxconf and gnome-linuxconf need to be installed for this lab. Instructor notes on how Linux is configured by default to reject any password that resembles a "dictionary" password, meaning any word that looks like a word in a standard dictionary. Make sure students know exactly what a dictionary password is.

Recommended Instructor/Student In-class/lab Activity
Lab – Using strong passwords in Linux:
1. In X Windows or at the terminal, open Linuxconf: linuxconf
2. Go to the User accounts | Policies | Password & account policies section.
3. On the Policies tab, change the Minimum length value to 8, and the Minimum amount of non alpha char value to 2.
4. Select the Params tab and change Must keep # of days to 2, Must change after # days to 180, and Warn # of days before expiration to 15.
5. Test it by adding a new user and creating a password.

Viewing Open Ports in Windows 2000

Learning Outcome
Discover how to track open files and ports in Windows 2000; an open port is a possible entry point for any hacker trying to break into your server.

Recommended Resources for Learning Activity
http://www.cert.org/tech_tips/denial_of_service.html
http://rc.infotech.indiatimes.com/examples/rc/infodeta.jsp?code=134&chan=Expert%20Speak&indus=9
Fport application

Recommended Instructor Preparation for Learning Activity
Instructor notes on ports and how they are vulnerable to attacks such as Denial of Service attacks.

Recommended Instructor/Student In-class/lab Activity
Capture student attention: Classroom discussion on a Denial of Service attack that crippled major sites such as yahoo.com, amazon.com and cnn.com. The article can be found here: http://www.iol.ie/~kooltek/dosattacks.html

Lab – Viewing Open Ports in Windows 2000:
1. Open a command prompt and locate the fport program.
2. Type the following command: fport > fportoutput.txt
3. Use Notepad to open the fportoutput.txt file. You will now see a list of all open ports on your system. Notice the information provided, such as how each port is mapped to a specific process.

Protecting your OS against Dictionary Attacks

Learning Outcome
Change the default settings in the Local Security Policy snap-in to protect against dictionary password attacks.

Recommended Resources for Learning Activity
NetBIOS Auditing Tool (NAT)
Windows 2000 Server

Recommended Instructor Preparation for Learning Activity
Instructor notes: The Server service should be running for this lab to work.

Recommended Instructor/Student In-class/lab Activity
Capture student attention: Classroom discussion on how dictionary attacks or password-guessing programs can break into a system.

Lab – Protecting your Windows 2000 Server against Dictionary Attacks:
1. Create a new account called testattack. Make the password password. Deselect the "User must change password at next logon" check box.
2. Go to the command prompt. Change to the folder where the NAT program is.
3. Enter the command: nat -o output.txt -u user41.txt -p pass41.txt <computer ip address>
   Note: Notice that the program tried all passwords in the text file and eventually broke into the computer. Now we will make the necessary changes to prevent this type of attack.
4. Open the Local Security Policy snap-in. Go to Account Policies | Account Lockout Policy and double-click the Account lockout threshold icon. Change the default setting so that the account will lock out after four invalid logon attempts. Now open the Account lockout duration icon and change the value to 0. This setting means that you will have to manually reset the account if it has been locked out.
5. Now try running the NAT program again. This time, note that you cannot access the computer.
6. Open the output.txt file and view the other accounts that it tried to use.

Disable terminal access to the root account in Linux

Learning Outcome
Implement a secure user account policy and develop a security plan.

Recommended Resources for Learning Activity
Red Hat Linux 7.x

Recommended Instructor Preparation for Learning Activity
Instructor notes on how you can create a second account that has root privileges but will be used for login purposes. Note to students that you cannot completely remove the root account because it might affect some daemons that run on the system.

Recommended Instructor/Student In-class/lab Activity
Lab – Disable Terminal Access to the root account in Linux:
1. Boot into Linux and log on as root.
2. Make a copy of the /etc/passwd file and name it /etc/passwd.orig. This is just in case something goes wrong and you need to return your system to its original state:
   host# cp /etc/passwd /etc/passwd.orig
3. Use the /usr/sbin/useradd and /usr/bin/passwd commands to create a new user named admin:
   /usr/sbin/useradd admin
   /usr/bin/passwd admin
4. Now we will edit the /etc/passwd file so that the root entry reads as follows:
   root:x:0:0:root:/root:/bin/false
5. Edit the admin entry as follows:
   admin:x:0:0::/home/admin:/bin/bash
6. Close the /etc/passwd file, making sure you save your changes.
7. Log off and try to log back on as root. You should not be able to do so. Note, however, that all system daemons can still use the root account. All we have done is disable terminal access to the root account.
8. Log on as admin. Try to stop a few services, or add a few users. You should be able to do so because your admin account is now defined as the root account.
9. Finally, replace the existing /etc/passwd file with the original:
   host# cp /etc/passwd.orig /etc/passwd

Using a Keylogger Program

Learning Outcome
Discover network security risks, proper security design and monitoring solutions.

Recommended Resources for Learning Activity
www.amecisco.com – Invisible Keylogger Stealth (IKS) program
http://www.keyloggers.com
http://home.swipnet.se/~w-94075/keylogger/

Recommended Instructor Preparation for Learning Activity
Instructor notes on the concept of a keylogger program, which is a security-threat software program that records all the activity on a certain computer and saves that information to a file, which can be sent via e-mail to a pre-defined address.

Recommended Instructor/Student In-class/lab Activity
Lab – Using a Keylogger Program in Windows 2000:
1. Boot into Windows 2000 and make sure you log on as Administrator.
2. Install the Invisible Keylogger Stealth program.
   Note: Just accept the default installation folder during setup.
3. Log on as Administrator, open Notepad or some other program, and type a few words or a one-sentence memo.
4. Open the Log View for IKS shortcut. The Datview program will open. This is the program that will do the translation.
5. Click the Go button and the iks.txt file will open. Note that the text you typed, including your Windows 2000 logon password, will appear in the text log.

Using Security Analyzer on a Win2000 and Linux Client

Learning Outcome
Generate effective audit reports that help organizations improve security and meet industry security standards.

Recommended Resources for Learning Activity
Win2000 Server
Linux Server
WebTrends Security Analyzer – www.webtrends.com

Recommended Instructor Preparation for Learning Activity
Internet access, the Security Analyzer install program and the Linux agent need to be downloaded and made accessible to students. It might be helpful for students to work in pairs. The following lab has two parts:
Analyzing a Windows 2000 machine and then analyzing a Linux client.

Recommended Instructor/Student In-class/lab Activity
Lab – Security Analyzer on Windows 2000 and Linux Agent

Part I – Analyzing a Windows 2000 Host
1. Install the WebTrends Security Analyzer.
   Note: If you will be using the evaluation version of Security Analyzer, you must have internet access to register the program.
2. Select No at the AntiSync features window.
3. Add the starting IP address range of your network. This step is important, as it will be scanning your hosts on the network.
4. Run the Security Analyzer program and notice the available profiles.
5. Select the first profile on the list, named "Full Network-based Analysis", and choose Scan to begin scanning your system.
6. Expand the Vulnerabilities tab and notice the security risks it found on your system.
7. Expand the icon further and notice that several hot fixes have not been applied.
8. Click the Browser report and scroll down to the Host Vulnerabilities page. Note that the Fixes Required by Hosts section gives you a description of each problem and suggested fixes.

Part II – Analyzing a Linux Client
1. First, you must install the Linux Red Hat 7.0 agent setup files on Windows 2000.
2. Double-click the AgentLinux60.exe file.
3. Open Windows Explorer and locate the Linux agent setup file wsa_agent-3.5.linux60.i586.rpm.
4. Copy the file to c:\inetpub\ftproot\ to make it available for download through FTP.
5. Go to the Linux machine and log on as root.
6. FTP to the Windows 2000 machine:
   host# ftp {partner's ip address}
   Name: Anonymous
   Password: ftp
   ftp> bi
   Note: The bi command ensures that files are transferred in binary mode.
   ftp> get wsa_agent-3.5.linux60.i586.rpm
   ftp> bye
7. Enter the ls command and you should see the file you transferred:
   host# ls
8. Enter the command:
   host# rpm -ivh wsa_agent-3.5.linux60.i586.rpm
   Note: You will receive a message to run the configure.sh command in the /usr/local/wsa directory. But before you do this, you must create a file called agent.dat. To do this, run the following commands:
   host# cd /usr/local/wsa
   host# touch agent.dat
   host# ./configure.sh
9. Now we will scan the Linux agent from the Security Analyzer console.
10. Add a new profile by choosing File | New Profile.
11. In the profile description field, enter Partner's Computer. In the Security Test Policy section, select Critical Security Analysis.
12. Select Next. Then, in the Hosts to scan section, click the Add button. Enter the IP address of your partner's computer.
13. Click Finish. The Partner's Computer profile you have created will come up.
14. Choose the Partner's Computer profile and click Scan. Choose the New Scan button and click OK. The scan will take a few minutes, and then a new window will come up with your results.
15. Choose the Vulnerabilities tab, which will display the security risks on the Linux system.
16. Select the Fixes Needed tab. A list of recommendations to secure your system from high-risk vulnerabilities will appear.
17. Create a report and analyze the results.
18. Exit the WebTrends Security Analyzer program.

Removing unnecessary services and changing miscellaneous security settings

Learning Outcome
Secure servers through system- and application-specific security.

Recommended Resources for Learning Activity
Windows 2000 Server

Recommended Instructor Preparation for Learning Activity
Instructor notes on how removing services that run in Windows 2000 is a good idea to reduce the risks and exploits to your server.

Recommended Instructor/Student In-class/lab Activity
Lab – Removing unnecessary services and protocols in Windows 2000:
1. Go to Start | Programs | Administrative Tools | Services and open the Services snap-in.
2. The Services screen shows a list of the services in the system and their current settings. The Task Scheduler can be a useful service, but it is also a good way for attackers to attack your server. We will now disable the service.
3. First, highlight the Task Scheduler icon, and then stop it.
4. You may be prompted that the Remote Storage Engine service is dependent on it; because we will not be using this service either, we can stop it as well.
5. Right-click the Task Scheduler icon and change the Startup type field to Disabled.
6. Click Apply, and then OK.
7. Right-click the Remote Storage Engine icon and disable this service.
8. If you are not running or requiring services for Macintosh and AppleTalk computers, open the Control Panel and click the Add/Remove Programs icon.
9. Click the Add/Remove Windows Components icon. Scroll down to the Other Network and Print Services icon and click Details. Here you can deselect both of the Macintosh services, then click OK.
10. Click Next to remove them.
11. Now we will remove the AppleTalk protocol: right-click My Network Places, and then right-click the Local Area Connection icon.
12. Highlight and remove the AppleTalk protocol.
13. Now we will remove NetBIOS support from the system. Again, access the Local Area Connection properties, highlight Internet Protocol (TCP/IP) and click the Properties button.
14. Click the Advanced button and choose the WINS tab. Choose the Disable NetBIOS over TCP/IP button and click OK.
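The open-ports lab saves fport's process-to-port listing to a text file, and the services lab above removes Task Scheduler and NetBIOS over TCP/IP; the script below ties the two together. It is an added example by the editor, not part of the original LAP and not Foundstone's code: it parses a saved fport listing, compares it against an allow-list of the ports the server is meant to offer, and checks that the NetBIOS ports (137, 138 and 139) are gone. The listing is constructed sample data in the column layout fport prints (assumed here: Pid, Process, ->, Port, Proto, Path), and the allow-list is an assumption to replace with the services your own server runs.

```python
"""Reviewing a saved fport listing after the services lab.

Added example, not part of the original Learning Activity Plan. The listing
below is constructed sample data resembling fport's output on a default
Windows 2000 Server before the services lab; the column layout is assumed.
"""
import re

SAMPLE_FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
716   inetinfo       ->  21    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
716   inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
640   mstask         ->  1025  TCP   C:\\WINNT\\system32\\MSTask.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
512   dns            ->  53    UDP   C:\\WINNT\\system32\\dns.exe
"""

# One data row: pid, process name, "->", port, protocol, optional path.
_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

NETBIOS_PORTS = {137, 138, 139}

# Assumed allow-list for the classroom server: web, FTP, RPC endpoint mapper and DNS.
EXPECTED_PORTS = {(80, "TCP"), (21, "TCP"), (135, "TCP"), (53, "UDP"), (53, "TCP")}


def parse_fport(text):
    """Return one dict per mapped port; banner and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            pid, process, port, proto, path = m.groups()
            entries.append({"pid": int(pid), "process": process,
                            "port": int(port), "proto": proto, "path": path})
    return entries


def unexpected_listeners(entries, allowlist):
    """Entries whose (port, proto) pair is not in the allow-list."""
    return [e for e in entries if (e["port"], e["proto"]) not in allowlist]


def netbios_ports_open(entries):
    """Sorted NetBIOS ports still present; empty once NetBIOS over TCP/IP is off."""
    return sorted({e["port"] for e in entries if e["port"] in NETBIOS_PORTS})


if __name__ == "__main__":
    entries = parse_fport(SAMPLE_FPORT_OUTPUT)
    for e in unexpected_listeners(entries, EXPECTED_PORTS):
        print(f"unexpected: {e['proto']}/{e['port']} pid {e['pid']} {e['process']} {e['path']}")
    print("NetBIOS ports open:", netbios_ports_open(entries))
```

Run fport again after completing the services lab and feed the new file to parse_fport: the mstask row (Task Scheduler) and the 137, 138 and 139 rows should have disappeared, and anything still flagged as unexpected is a service you have not yet accounted for.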
Using Bastille to Reduce the Risk in a Linux System

Learning Outcome
#8 – Secure servers through system- and application-specific security
#9 – Establish a suitable level of protection to control access and safeguard information

Recommended Resources for Learning Activity
Bastille can be downloaded from the following sites:
http://www.bastille-linux.org/
http://bastille-linux.sourceforge.net

Recommended Instructor Preparation for Learning Activity
When using Bastille, the following modules must be installed:
Bastille-TK-module-1.2.01.1mdk.noarch.rpm ---- for the X Windows version
Bastille-curses-module-1.2.0-1.mdk.noarch.rpm ---- for the text-based version

Recommended Instructor/Student In-class/lab Activity
Lab – Using Bastille to Reduce the Risk in a Linux System:
1. Log on as root and enter X Windows.
2. Using Bastille, make the following changes to your system:
   a. Using the FilePermissions module, disable the r-tools and modify your system so that the ping and traceroute commands are only available to root.
   b. Use the Bootsecurity module to change your server's physical security.
3. Click the EndScreen menu and click Yes to change your system settings.
4. Use the Logging module to configure additional logging.
5. After you make these changes, test them by logging in as a non-root user and trying to use the ping and traceroute commands.
6. Reboot the system and experiment.
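After hardening a Linux system with Bastille, and after the root-account lab earlier in this plan, it is worth verifying the account state in /etc/passwd rather than trusting the procedure. The script below is an added example by the editor, not part of the original LAP and not Bastille's code: it parses a passwd file, lists every UID 0 account, reports which of them can log in interactively, and flags entries with an empty password field. The passwd content is constructed sample data reflecting the state the root-account lab leaves the system in (root with /bin/false, admin sharing UID 0) plus one deliberately weak extra entry; point it at /etc/passwd to check a real system.

```python
"""Auditing /etc/passwd after the root-account and Bastille labs.

Added example, not part of the original Learning Activity Plan. The passwd
content below is constructed sample data, shortened to the entries that matter.
"""

# Shells that do not give an interactive login.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/false
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:x:0:0::/home/admin:/bin/bash
student:x:500:500::/home/student:/bin/bash
guest::501:501:Guest account:/home/guest:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd lines into dicts; comments, blanks and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": password, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home, "shell": shell})
    return entries


def uid0_accounts(entries):
    """Names of every account with UID 0, in file order."""
    return [e["name"] for e in entries if e["uid"] == 0]


def audit_passwd(entries):
    """Return human-readable findings about login access to privileged accounts."""
    findings = []
    for e in entries:
        interactive = e["shell"] not in NON_LOGIN_SHELLS
        if e["uid"] == 0:
            if e["name"] == "root" and not interactive:
                findings.append(f"root has non-login shell {e['shell']}: "
                                "terminal access to root is disabled")
            elif e["name"] != "root" and interactive:
                findings.append(f"{e['name']} has UID 0 and interactive shell "
                                f"{e['shell']}: a second root login")
        if e["password"] == "":
            findings.append(f"{e['name']} has an empty password field")
    return findings


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts:", ", ".join(uid0_accounts(entries)))
    for finding in audit_passwd(entries):
        print("-", finding)
```

The root-account lab creates the admin finding on purpose; on a production system any UID 0 entry other than root is a privileged login that must be accounted for, and the lab's final step (restoring /etc/passwd.orig) removes it, which is what the last assertion below checks.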