OS Hardening and Tool Kit - Information Security Awareness


INFORMATION SECURITY EDUCATION AND AWARENESS

DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY

MINISTRY OF COMMUNICATIONS AND INFORMATION TECHNOLOGY

GOVERNMENT OF INDIA

INFORMATION SECURITY AWARENESS TOOL KIT

CENTRE FOR DEVELOPMENT OF ADVANCED COMPUTING, HYDERABAD

Acknowledgements

HRD Division

Department of Electronics & Information Technology

Ministry of Communications and Information Technology

Government of India

PREFACE

"Three people can keep a secret only if two of them are dead!" —

Benjamin Franklin

Quotes like this are common because keeping a secret is hard. Once something is explicitly labelled a secret, human nature tends to pass it on in a whisper to others, and so the secret stops being one. Maintaining secrecy is nothing but securing ourselves and our data.

In the early days there was little emphasis on security because systems were closed: data flowed between machines, but only within a simple LAN inside one organisation, and technical details such as the communication protocols were not public knowledge. Today that is no longer the case; everything is open to all. The Internet changed the whole computing paradigm and brought tremendous change to the way computers communicate with each other, and sensitive information is now exchanged over this open network.

As ordinary users we rely on the Internet for our routine tasks. We should know how to use all of its features securely, so that we get the most out of the Internet while keeping ourselves safe, in terms of privacy and of maintaining secrecy.

Information Security Awareness should reach children and students, who are the real users of the Internet and the future of tomorrow. Recognising the importance of security, the Department of Electronics and Information Technology, Government of India, started the Information Security Education and Awareness project. Its main objective is to spread awareness of information security among the public.

As part of this programme, C-DAC Hyderabad has developed material such as handbooks, cartoon books for children, posters and brochures. Parents and teachers play a vital role in the programme, as they are the people who teach children and students. This book mainly targets parents and teachers: it covers security topics and also stresses how to carry the same information to children and others. With your help, this project will reach its goal.

Our sincere acknowledgements for the support provided by the Department of Electronics & Information Technology, Ministry of Communications and Information Technology, Government of India.

- C-DAC Hyderabad

Terms of Use

This document contains specific guidelines for establishing a secure Linux computing environment (later sections cover Mac OS and Windows as well). It is intended for home users and small offices, and some of the guidelines also apply to corporate offices. It is meant to give a systematic approach to establishing and maintaining secure systems and to provide system administrators and users with settings for a more secure environment. Note that the recommendations are fairly generic and in many cases must be tailored to the needs of the specific user's system.

C-DAC cannot guarantee that these recommendations are the perfect solution for every user's security needs. By following this guide, system administrators and/or users acknowledge this and the following statements:

1. No system on a network can ever be made completely secure, even when the recommendations in this guide are followed.

2. The authors/publishers of this guide are not responsible for problems or damage that may arise from following the recommendations in this guide.

3. Please report any issues encountered in following these recommendations to isea@cdac.in, where we will re-evaluate them.

4. The author or organisation is not responsible for any loss of data, loss of privacy or loss of network connectivity, etc., whether these recommendations are followed or not.

OPERATING SYSTEM HARDENING AND TOOLKIT © CDAC Hyderabad 1

INDEX

1. Introduction to Operating Systems ..... 9
2. Physical Security ..... 10
3. Introduction to Linux Operating System ..... 13
3.1 Installation ..... 13
3.2 Partitioning ..... 14
3.3 Authentication and Access ..... 15
3.4 File permissions ..... 16
3.5 Boot Loader Security ..... 16
3.6 Kernel Hardening ..... 17
3.7 Firewall Configuration ..... 19
3.8 Services Hardening ..... 20
3.9 TCP Wrappers ..... 21
3.10 Monitoring the Logs ..... 21
3.11 SSH Security ..... 22
3.12 Other recommendations ..... 23
4. MAC OS Hardening ..... 25
4.1 Introduction ..... 25
4.2 General Settings ..... 25
4.3 FileVault ..... 27
4.4 Firewall ..... 28
4.5 Set the Root Password ..... 29
4.6 Disable Auto Logon ..... 30
4.7 Backups ..... 31
5. Windows 2008 Hardening ..... 32
5.1 Configure a Security Policy ..... 32
5.2 Disable or Delete unnecessary accounts ..... 33
5.3 Uninstall unnecessary applications or roles ..... 35
5.4 Configure the Windows 2008 firewall ..... 37
5.4 Configure Auditing ..... 39
5.5 Disable unnecessary shares ..... 41
5.5 Configure Encryption ..... 42
5.6 Updates and Patches ..... 43
5.7 Antivirus and Network Access Protection (NAP) ..... 44
5.8 Least Privilege ..... 45
5.9 Disable Automatic Services ..... 46
5.10 Disable Remote Registry ..... 48
5.11 Windows Error Reporting Service ..... 48
5.12 Enable Web Management Service ..... 49
5.13 Use Secure Socket Tunneling Protocol (SSTP) Service ..... 51
5.14 Certificate Propagation ..... 51
5.15 Enable NetLogon ..... 52
5.16 Special Administration Console Helper ..... 53
6. Windows Vista Hardening ..... 54
6.1 Introduction to Windows Vista and Windows 7 operating systems ..... 54
6.2 Configure Strong Administrator Password ..... 54
6.3 Windows Action Center (Security Center) ..... 57
6.4 Windows Firewall ..... 58
6.4 Automatic Updates ..... 59
6.5 Windows Defender ..... 59
6.6 Internet Options ..... 60
6.7 Ensure file sharing is off ..... 61
6.8 Enable Screen Saver Password ..... 62
6.9 Local Security Policy ..... 63
6.10 Other Recommendations ..... 63
7. Windows XP Hardening ..... 67
7.1 Configure Windows Security Center ..... 67
7.2 Windows Firewall ..... 68
7.3 Windows Automatic Update ..... 69
7.4 Virus Protection ..... 70
7.5 Hardening File System Security ..... 71
7.6 Hardening Local Security Policies ..... 72
7.7 Disable Remote Desktop ..... 75
7.8 Hardening Default Accounts ..... 76
7.9 File Permission Settings ..... 77
7.10 Set Registry Keys ..... 78
7.11 Services Hardening ..... 79
7.12 Other recommendations ..... 81
1.0 Virus Protection and Cleaner Tools ..... 84
1.1 Windows Based ..... 84
1.1.1 Avast Free Antivirus 6 ..... 84
1.1.2 AVG Antivirus Free Edition 2011 ..... 85
1.1.3 AntiVir Personal 10.2.0.700 ..... 85
1.1.4 BitDefender Free Edition ..... 86
1.1.5 McAfee Security Scan Plus ..... 87
1.1.6 Comodo Antivirus ..... 87
1.1.7 ClamWin Free Antivirus ..... 87
1.1.8 Winpooch 0.6.6 ..... 88
1.1.9 VIPRE ..... 89
1.1.10 PC Tools Antivirus ..... 90
1.1.11 Malwarebytes ..... 91
1.1.12 Dr.Web CureIt! ..... 91
1.1.13 Microsoft Security Essentials ..... 92
1.2 Linux Based ..... 93
1.2.1 Avast! Linux Home Edition ..... 93
1.2.2 AVG Free Edition ..... 95
1.2.3 ClamTk ..... 96
1.2.4 Panda Antivirus for Linux ..... 96
1.2.5 Vexira Antivirus for Linux ..... 96
1.2.6 Trend Micro ServerProtect ..... 97
1.2.7 Sophos Antivirus ..... 97
2.0 Lockdown, Auditing and Intrusion Detection Tools ..... 98
2.1 Operating System lockdown tools ..... 98
2.1.1 Windows based ..... 98
2.1.2 Linux based ..... 99
2.1.2.4 Security Blanket by TCS ..... 101
2.2 URL Scan based tools ..... 101
2.2.1 Phishing Scans ..... 101
2.3 Web Server Lockdown Tools ..... 102
2.3.1 Microsoft IIS Lockdown Tool 2.1 ..... 102
2.3.2 URLScan security tool ..... 103
2.4 Intrusion Detection tools ..... 104
2.4.1 Linux based ..... 104
3.0 Security Assessment Tools ..... 108
3.1 Assessment of OS Security Levels ..... 108
3.1.1 Microsoft Security Assessment Tool (Windows) ..... 108
3.1.2 Nessus ($, Linux, Windows) ..... 108
3.1.3 Retina ($, Windows) ..... 108
3.1.4 IBM Internet Scanner ..... 108
3.1.5 PatchLink vulnerability assessment tool ..... 109
3.1.6 QualysGuard ($, Linux, Windows) ..... 109
3.1.7 GFI LANguard ($, Windows) ..... 109
3.1.8 Core Impact ($, Windows) ..... 110
3.1.9 ISS Internet Scanner ($, Windows) ..... 110
3.1.10 Nikto (Linux) ..... 110
3.1.11 X-Scan (Windows) ..... 111
3.1.12 SARA (Linux, Windows, open source) ..... 111
3.1.13 SAINT ($, Linux, open source) ..... 112
3.1.14 MBSA (Windows) ..... 112
3.2 Assessment of web server security levels ..... 112
3.2.1 Nikto (Linux, Windows, open source) ..... 112
3.2.2 Paros Proxy (Linux, Windows, open source) ..... 113
3.2.3 WebScarab (Linux, Windows, open source) ..... 113
3.2.4 WebInspect ($, Windows) ..... 113
3.2.5 Whisker/libwhisker (Linux, Windows, open source) ..... 114
3.2.6 Burp Suite (Linux, Windows, open source) ..... 114
3.2.7 Wikto (Windows, open source) ..... 114
3.2.8 Acunetix Web Vulnerability Scanner ($, Windows) ..... 114
3.2.9 Watchfire AppScan ($, Windows) ..... 115
3.2.10 N-Stealth ($, Windows) ..... 115
3.3 Assessment of Database security levels ..... 116
3.3.1 IPLocks ..... 116
3.3.2 AppDetective ..... 116
3.4 Assessment of Applications security ..... 116
3.4.1 Browser security levels ..... 116
3.4.2 Peer to peer networking levels ..... 118
4.0 Operating system Updates and patches ..... 120
4.1 Security Update solution tools ..... 120
4.1.1 Windows based tools ..... 120
5.0 Security Update detection tools ..... 121
5.1 MBSA ..... 121
5.2 Microsoft Office Visio 2007 Connector ..... 121
5.3 Microsoft Security Compliance Manager ..... 121
5.4 Microsoft Security Assessment Tool ..... 122
5.5 Security Update Management ..... 122
References ..... 124


1. Introduction to Operating Systems

Operating system security is essential whether you are a professional or a novice user. To ensure the confidentiality, integrity and availability of data, one must follow security guidelines on a daily basis. Security is a cyclical process with planning, implementation, monitoring, testing and analysis phases.

System hardening is not a one-time task; it is an iterative process. Security holes are discovered daily in operating systems and applications, so a system that is secure today may not be secure tomorrow.

Most compromises come through unpatched or insecurely configured network-facing applications, but there are many other routes into a system. A layered approach is therefore preferred: security must be maintained at the physical, host, operating system and user levels, because no single mechanism can be relied upon for the security of a system.


2. Physical Security

Every computer user needs to be aware that physical security is the first layer of security and plays an equally important role in the overall protection of any system.

Physical security includes restricting access so that only authorised personnel can operate the system, setting BIOS passwords, and changing the boot device priority so that the hard disk drive comes first. For laptops and notebooks, use laptop locks.

When you set a supervisor password, unauthorised people cannot change BIOS settings, but they can still boot the system. When you also set a user password, others cannot boot the system unless they know the BIOS password.


By changing the boot device priority in the BIOS, unauthorised users cannot boot the system from other media such as a live CD/DVD/USB, and so cannot steal or alter information or change any password, including the BIOS password itself. This only holds while the BIOS settings are themselves password-protected and the case is locked: with access to the mainboard, clearing the CMOS or removing the disk defeats these controls, which is why disk encryption is the stronger safeguard for the data. This step also speeds up booting, since the firmware goes straight to the boot record on the hard disk.

It is also recommended to set a password on the boot loader where the option is available; as discussed, a layered approach is preferred and each level should be secured wherever possible. (The Windows boot manager offers no such option; section 3.5 covers GRUB.)


Physical security is the first layer of security: if it fails, any system can be compromised even when it is protected at the host, operating system and user levels. Keep your PC in a secure casing or a secure room, and use disk drive locks to protect your drives. Also protect your systems from natural disasters and environmental hazards such as earthquakes, lightning, power interruptions and liquid leaks.

Other measures include encrypting the contents of removable media, which protects the data even if the media are stolen, and using strong passwords wherever possible.

In this document you will learn about physical security and operating system security. Other layers, such as host security and user awareness, are covered in the respective documents at http://www.infosecawareness.in


3. Introduction to Linux Operating System

Linux is an open-source operating system based on Unix, originally created by Linus Torvalds. Linux is free to download, modify and distribute. It is a powerful operating system with all the features of a commercial one: stability, performance, networking, flexibility, compatibility, multitasking and security.

Here we present BOSS Linux. BOSS (Bharat Operating System Solutions) is a GNU/Linux distribution developed by the Centre for Development of Advanced Computing, derived from Debian, to promote the use of Free/Open Source Software throughout India. The beta release of BOSS GNU/Linux version 4.0 ships with the GNOME desktop environment and wide Indian language support and packages.

Using a Linux system is not protection in itself. An unpatched or misconfigured Linux installation is as vulnerable as a Windows or Mac one, and Linux was never conceived as a security-focused operating system. The recommendations presented in this document also apply to most Linux distributions. A security incident may result in loss of data, loss of revenue, cost of staff time, loss of productivity, legal liability and loss of customer confidence. Hence we need to secure any operating system by reducing its attack surface and by hardening its services.

3.1 Installation

The installation is the first step towards a stable and secure system. Install a minimal system and then add only the services you need: every extra package is additional attack surface, and hardening a complex system costs more and is far more complicated.

Choose the minimal install with the basic system and the fewest packages at installation time. Required packages can be installed later, once the base system is secured.


3.2 Partitioning

Partitioning is nothing but dividing the hard disk into slices for different purposes. Any operating system asks for a partition scheme during installation, and different partitions can serve different purposes. A sample scheme might have the following partitions:

/
/home
/var
/var/log
/tmp
swap

Separating these improves performance, security and resilience. A runaway log file or a user filling /home or /tmp cannot fill the root filesystem and stop the system, and each partition can be mounted with its own restrictions (for example nodev and nosuid on /home and /tmp, and noexec where nothing needs to run from that filesystem), which a single root partition cannot provide.
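The mount options that make the separate partitions worthwhile, shown as an added example that is not part of the handbook: a bash check that reads an fstab-style table and reports which of the suggested partitions lack nodev, nosuid or noexec. The expected-option policy, the two embedded fstab samples and the device names in them are assumptions constructed for the example; on a real host pipe in /etc/fstab (or /proc/mounts, which uses the same first four columns) instead.

```shell
#!/usr/bin/env bash
# Added example, not from the handbook. Separate partitions only help if they are
# mounted restrictively: nodev (no device nodes honoured), nosuid (set-uid bits
# ignored) and, where nothing legitimately executes, noexec. This check reads
# fstab-style lines from stdin and reports every expected option that is missing.
set -u

# Assumed policy for this example (not from the handbook); adjust to taste.
# noexec on /tmp can break package installers that unpack scripts there, so
# test it before rolling it out.
expected_opts() {
  case "$1" in
    /tmp)       echo "nodev nosuid noexec" ;;
    /var/log)   echo "nodev nosuid noexec" ;;
    /home|/var) echo "nodev nosuid" ;;
    *)          echo "" ;;
  esac
}

# Print "<mountpoint> missing <option>" for each gap; return 1 if any were found.
check_fstab() {
  local failures=0 dev mnt fstype opts rest want
  while read -r dev mnt fstype opts rest; do
    case "$dev" in ''|\#*) continue ;; esac   # blank lines and comments
    [ "$fstype" = swap ] && continue          # swap carries no mount options of interest
    for want in $(expected_opts "$mnt"); do
      case ",$opts," in
        *",$want,"*) ;;
        *) echo "$mnt missing $want"; failures=$((failures + 1)) ;;
      esac
    done
  done
  [ "$failures" -eq 0 ]
}

# Constructed samples: the handbook's layout with default options (weak) and
# with the options this check expects (hardened). Device names are made up.
WEAK_FSTAB='/dev/sda1  /         ext4  defaults  0 1
/dev/sda5  /home     ext4  defaults  0 2
/dev/sda6  /var      ext4  defaults  0 2
/dev/sda7  /var/log  ext4  defaults  0 2
/dev/sda8  /tmp      ext4  defaults  0 2
/dev/sda9  none      swap  sw        0 0'

HARD_FSTAB='# <device>  <mount point>  <type>  <options>                   <dump> <pass>
/dev/sda1  /         ext4  defaults,errors=remount-ro    0 1
/dev/sda5  /home     ext4  defaults,nodev,nosuid         0 2
/dev/sda6  /var      ext4  defaults,nodev,nosuid         0 2
/dev/sda7  /var/log  ext4  defaults,nodev,nosuid,noexec  0 2
/dev/sda8  /tmp      ext4  defaults,nodev,nosuid,noexec  0 2
/dev/sda9  none      swap  sw                            0 0'

printf '%s\n' "$WEAK_FSTAB" | check_fstab || echo "weak layout: add the options listed above"
printf '%s\n' "$HARD_FSTAB" | check_fstab && echo "hardened layout: ok"
```

Run it against the live table with `check_fstab < /etc/fstab`; after editing fstab, `mount -o remount /tmp` (and the other mount points) applies the new options without a reboot, and `findmnt` confirms them.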


3.3 Authentication and Access

3.3.1 Authentication

Choose good passwords. It is the simple things that noticeably improve system security. Never use default passwords, dictionary words, pet names or other weak passwords. A good password contains at least 8 characters (longer is better) and mixes upper- and lower-case letters, numbers and special symbols, e.g. "Iw0rk4C-DAC". Since that example is now printed in this book, treat it as a pattern to follow, not a password to use.

3.3.2 Access restriction

Physical access restriction is the primary concern and should be considered with great care. If an attacker gains access to the physical machine, he can do anything with little effort (see section 2).

3.3.3 Users and groups

On any Unix system, users are identified within the kernel by a unique number, the UID (user identifier), which is linked to a username. A user belongs to at least one group and may belong to many, and access control depends on the user as well as the group.

Linux stores user account information in /etc/passwd (and the password hashes in /etc/shadow). Recently added accounts appear at the end of /etc/passwd, so review the file regularly. If an account looks suspicious, do not simply delete its line by hand: lock it first (passwd -l), find out how it got there, and then remove it with userdel so that its group, home directory and other references are cleaned up too. While reviewing, also make sure that root is the only account with UID 0; a second UID 0 account is a classic backdoor.

• Enforce password ageing, which forces users to change their password periodically, using the chage command.

• The default minimum password length (PASS_MIN_LEN in /etc/login.defs) is 5. Raise it to 8 so that every new password is at least 8 characters long:

# vi /etc/login.defs
change PASS_MIN_LEN 5 to PASS_MIN_LEN 8

Note that Debian-derived systems such as BOSS enforce password length through PAM (the minlen option of pam_unix or pam_pwquality in /etc/pam.d/common-password) and do not honour PASS_MIN_LEN, so check both places.

• The root account is the most privileged account on a Unix system. Minimise its use: run individual administrative commands through sudo instead of working in a root shell. Also set a timeout so that an idle root shell logs out automatically, by adding the following to /etc/profile:

#vi /etc/profile
# add the following lines
TMOUT=3600
readonly TMOUT
export TMOUT

TMOUT is in seconds (3600 is one hour; a shorter value is safer for root) and is honoured by bash and ksh. Marking it read-only stops a user from unsetting it in their session. The handbook's snippet also sets HISTFILESIZE here, which limits how many commands are kept in the on-disk shell history; choose a value that matches your logging policy.

Ownership of a file can be changed with the chown (user) and chgrp (group) commands.
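The account review described above, as an added example rather than the handbook's own code: a bash audit that reports extra UID 0 accounts, accounts with an empty password field, accounts without password ageing, and the PASS_MIN_LEN in force. File paths are parameters, and the passwd, shadow and login.defs contents below are constructed samples (the hashes are placeholders), so it runs without root; on a live system pass /etc/passwd, /etc/shadow and /etc/login.defs.

```shell
#!/usr/bin/env bash
# Added example, not from the handbook. Audits the account database for the
# problems section 3.3.3 describes. File paths are parameters so the constructed
# samples below run without root; on a live system pass /etc/passwd,
# /etc/shadow and /etc/login.defs.
set -u

# Accounts other than root whose UID is 0: a second UID-0 login is a classic backdoor.
extra_uid0_accounts() {          # $1 = passwd file
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is empty: anyone can log in with no password.
empty_password_accounts() {      # $1 = shadow file
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Unlocked accounts (hash not starting with "!" or "*") whose maximum password
# age (field 5) is unset or longer than $2 days. Fix with: chage -M <days> -W 7 <user>
stale_aging_accounts() {         # $1 = shadow file, $2 = max days
  awk -F: -v max="$2" '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) { print $1 }' "$1"
}

# PASS_MIN_LEN from login.defs; shadow's built-in default is 5 when the line is absent.
# Debian-derived systems enforce length through PAM (minlen on the pam_unix or
# pam_pwquality line in /etc/pam.d/common-password) and ignore this value.
pass_min_len() {                 # $1 = login.defs file
  awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print (v == "" ? 5 : v) }' "$1"
}

# --- constructed sample data (not from any real system; hashes are placeholders) ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASSWD_FILE=$WORK/passwd; SHADOW_FILE=$WORK/shadow
LOGIN_DEFS_WEAK=$WORK/login.defs.weak; LOGIN_DEFS_HARD=$WORK/login.defs.hard

cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
isea:x:1000:1000:ISEA User:/home/isea:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
isea:$6$saltsalt$notarealhash:19000:0:90:7:::
toor::19000:0:99999:7:::
EOF
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n' > "$LOGIN_DEFS_WEAK"
printf 'PASS_MAX_DAYS 90\nPASS_MIN_LEN 8\n'   > "$LOGIN_DEFS_HARD"

echo "extra UID 0 accounts:   $(extra_uid0_accounts "$PASSWD_FILE")"
echo "empty password:         $(empty_password_accounts "$SHADOW_FILE")"
echo "no 90-day ageing:       $(stale_aging_accounts "$SHADOW_FILE" 90 | tr '\n' ' ')"
echo "PASS_MIN_LEN in force:  $(pass_min_len "$LOGIN_DEFS_WEAK") (want 8 or more)"
```

On the sample data the audit flags the planted "toor" account twice (UID 0 and no password) and shows root still on the 99999-day default; the same awk filters work unchanged on real files, which only root can read.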

3.4 File permissions

On a Unix or Linux system a file has a set of permissions for its owner, its group and others. They are expressed as 9 bits [rwxrwxrwx] and can be seen with the ls -l command. For example, to set a file's permissions to -rwxr-xr-x (owner may read, write and execute; group and others may read and execute), use:

#chmod 755 <file name/path>

3.4.1 Detecting SUID/SGID programs

Any user will be able to run a program as root it it is set to SUID root. Hence you should minimize the use of these SUID/SGID programs and disable the programs, which are not needed.

To find all SUID file with a ‘s’ bit:

# find / -type f\(-perm -04000 –o –perm -02000 \) \-exec ls –lg {} \;

To disable any SUID file:

# chmod a-s <filename>
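As an added example (not part of the CDAC toolkit), this script turns the find command above into a repeatable check: it inventories set-id files under a directory and compares them with a saved baseline, so a newly appeared SUID binary, or a known one whose mode changed, stands out. The function names and the demo tree are assumptions; the tree is built from shell stubs rather than real binaries so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the CDAC toolkit. Function names and the demo tree are assumptions.

# List SUID/SGID regular files under $1 as "octal-mode path", one per line, sorted.
# Same test as the find command above, with GNU find's -printf for a stable format.
suid_sgid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' | sort
}

# Print inventory entries under $2 that are absent from the baseline file $1:
# a new privileged binary, or a known one whose mode has changed.
unexpected_suid() {
    b=$(mktemp); c=$(mktemp)
    sort "$1" > "$b"
    suid_sgid_inventory "$2" > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Remediation from the text: clear the set-id bits on files you do not need.
disable_suid() { chmod a-s "$@"; }

# Constructed demo tree: two "expected" set-id files recorded in a baseline and
# one that is not (shell stubs, not real binaries).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin"
    for f in passwd su newbin; do printf '#!/bin/sh\n' > "$dir/bin/$f"; done
    chmod 4755 "$dir/bin/passwd"   # SUID, expected
    chmod 2755 "$dir/bin/su"       # SGID, expected
    chmod 4755 "$dir/bin/newbin"   # SUID, not in the baseline
    printf '4755 %s/bin/passwd\n2755 %s/bin/su\n' "$dir" "$dir" > "$dir/baseline.txt"
    echo "$dir"
}

d=$(make_sample_tree)
echo "Set-id files:";    suid_sgid_inventory "$d"
echo "Not in baseline:"; unexpected_suid "$d/baseline.txt" "$d"
rm -rf "$d"
```

On a real host, run suid_sgid_inventory / once after installation, keep the output as the baseline, and run unexpected_suid from cron; review each reported path before calling disable_suid on it.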

3.5 Boot Loader Security

A running server is exposed to various types of security threats, which can be categorized as local threats and network (remote) threats. There are two common boot loaders, GRUB and LILO. This document focuses mainly on GRUB, as it is the more widely used boot loader.

Once the BIOS finishes its POST, control passes to stage 1 of the boot loader. Stage 1 initializes GRUB and hands control to stage 2, with an optional intermediate stage 1.5. Stage 2 is responsible for loading your Linux kernel image.

Just as we protect the BIOS from alteration, we need to secure the GRUB boot loader too. For this, change the mode of grub.conf or lilo.conf to 600 so that non-root users cannot read or change these files:

# chmod 600 grub.conf

(or lilo.conf). Run the command from the directory where the file resides.

Password protecting GRUB: To set a password on the GRUB boot loader, first calculate a salted hash of the password, because keeping a cleartext password in /boot/grub/menu.lst is not a good idea. You can calculate the hash with the following commands:

user@cdac:~$ grub

grub> md5crypt

Password: <your grub password>

Encrypted: $%ks$728#98327k~*kshdk@/

Now edit /boot/grub/menu.lst and add the password keyword (replacing lock) with the hash produced by md5crypt; GRUB will then prompt for the password when the system boots:

title "BOSS Linux"

password --md5 <encrypted hash from md5crypt>

rootnoverify (hd0,1)

makeactive

chainloader +1
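As an added example (not part of the CDAC toolkit), this script checks a GRUB legacy configuration for the two problems just described: a file mode that lets non-root users read or change it, and a boot password that is missing or stored in cleartext instead of as an md5crypt hash. The function names are assumptions and the two sample files are constructed, with a placeholder in place of a real hash.

```shell
#!/bin/sh
# Added example, not from the CDAC toolkit. Function names and sample files are assumptions.

# Octal permission bits of file $1 (e.g. 600), via GNU stat.
file_mode() { stat -c '%a' "$1"; }

# Print one finding per line for a GRUB legacy menu.lst/grub.conf; nothing if it passes.
grub_config_findings() {
    f=$1
    mode=$(file_mode "$f")
    # the last two octal digits are the group and other bits; any non-zero value
    # means a non-root user can read (or change) the boot configuration
    if [ $(( mode % 100 )) -ne 0 ]; then
        echo "mode $mode: group/others can access $f (expected 600)"
    fi
    # drop comments, then take the first password directive
    pw=$(sed 's/#.*//' "$f" | awk '$1 == "password" { print; exit }')
    if [ -z "$pw" ]; then
        echo "no password directive: anyone at the console can edit boot entries"
    else
        case "$pw" in
            *--md5*) ;;   # hashed with md5crypt: fine
            *) echo "cleartext password in $f: use md5crypt and 'password --md5 <hash>'" ;;
        esac
    fi
}

# Constructed sample configurations (placeholder hash, not a real md5crypt output).
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.lst" <<'EOF'
default 0
timeout 5
password secret123
title BOSS Linux
root (hd0,1)
EOF
    chmod 644 "$dir/weak.lst"
    cat > "$dir/good.lst" <<'EOF'
default 0
timeout 5
password --md5 $1$PLACEHOLDER$notarealhash
title BOSS Linux
root (hd0,1)
EOF
    chmod 600 "$dir/good.lst"
    echo "$dir"
}

d=$(make_sample_configs)
echo "weak.lst:"; grub_config_findings "$d/weak.lst"
echo "good.lst:"; grub_config_findings "$d/good.lst"
rm -rf "$d"
```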

3.6 Kernel Hardening

The standard Linux kernel by itself does not stop many kinds of malicious attack. The kernel is the heart of the Linux operating system; it is loaded into RAM when the system boots and contains the complex procedures needed for system operation.

Kernel patches such as PaX, Exec Shield and the Openwall Linux kernel patch make it harder for an attacker to carry out attacks against an application's address space.

Other ways of kernel hardening include restricting root login to the system console and restricting use of the su command to a group of super users.

The /etc/sysctl.conf file is used to configure kernel parameters at runtime; Linux reads and applies the settings from this file at boot time. The recommendations include:

1. Limit network-transmitted configuration for IPv4

2. Limit network-transmitted configuration for IPv6

3. Turn on Exec Shield protection

4. Protect against the common SYN flood attack

5. Turn on source IP address verification

6. Prevent an attacker from using a spoofing attack against the IP address of the server

7. Log several types of suspicious packets, such as spoofed packets, source-routed packets and redirects

Sample /etc/sysctl.conf contents; each statement's purpose is given in a comment, so read the comments and modify as needed:

# Disable IP forwarding (this host is not a router)
net.ipv4.ip_forward = 0
# Verify source addresses (reverse path filtering) against spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Do not accept or send ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log spoofed, source-routed and redirect packets (martians)
net.ipv4.conf.all.log_martians = 1
# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
# Disable the magic SysRq key
kernel.sysrq = 0
# Append the PID to core dump file names
kernel.core_uses_pid = 1
# IPv6: do not solicit or accept router advertisements / autoconfiguration
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Exec Shield and address space layout randomization
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Resource limits
fs.file-max = 65535
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 2000 65000
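A sysctl.conf file only describes the intended state; the values the kernel is actually running can differ (a package may ship its own drop-in, or someone may have changed a value with sysctl -w). As an added example (not part of the CDAC toolkit), the script below compares a recommendation file like the one above with a snapshot of the running values from sysctl -a and prints every key that drifts or is missing. The function names are assumptions, and the recommendation subset and snapshot are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the CDAC toolkit. Function names and sample files are assumptions.

# Print "key expected=X actual=Y" for every key in the recommendation file $1 whose
# value in the snapshot $2 (the output of "sysctl -a") differs or is missing.
sysctl_drift() {
    awk -F= '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s }
        FNR == NR {                      # first file: recommended settings
            sub(/#.*/, "")               # strip comments; $0 is re-split afterwards
            k = norm($1); if (k == "") next
            want[k] = norm($2); next
        }
        {                                # second file: live snapshot
            k = norm($1); if (k in want) have[k] = norm($2)
        }
        END {
            for (k in want)
                if (!(k in have)) printf "%s expected=%s actual=<missing>\n", k, want[k]
                else if (have[k] != want[k]) printf "%s expected=%s actual=%s\n", k, want[k], have[k]
        }' "$1" "$2" | sort
}

# Snapshot the running kernel (needs procps); on a real host use this instead of the sample.
live_snapshot() { sysctl -a 2>/dev/null; }

# Constructed sample: a subset of the recommendations and a snapshot in "sysctl -a"
# format (the kernel prints the port range with a tab, which norm() collapses).
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/recommended.conf" <<'EOF'
# constructed subset of the recommendations above
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 1
net.ipv4.ip_local_port_range = 2000 65000
EOF
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.rp_filter = 1\n' > "$dir/snapshot.txt"
    printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.ip_local_port_range = 2000\t65000\n' >> "$dir/snapshot.txt"
    echo "$dir"
}

d=$(make_sample_files)
echo "Settings that drift from the recommendation:"
sysctl_drift "$d/recommended.conf" "$d/snapshot.txt"
rm -rf "$d"
```

On a live host: live_snapshot > /tmp/snapshot.txt; sysctl_drift /etc/sysctl.conf /tmp/snapshot.txt. An empty result means the running kernel matches the file.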

3.7 Firewall Configuration

The most powerful firewall for Linux is IPTABLES. Install the iptables package if it is not present; most Linux distributions ship it by default.

IPTABLES can filter, NAT and modify TCP header information.

The filter table is used to allow and block traffic and contains three chains: INPUT, OUTPUT and FORWARD. The nat table uses three chains: PREROUTING, POSTROUTING and OUTPUT.

Examples:

1. Allow or drop (respectively) incoming TCP traffic on port 22 (ssh) arriving on adapter eth0:

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP

2. Allow incoming TCP traffic on port 80 (HTTP) from the IP range 192.168.0.0/24:

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

To start and stop iptables use the following commands

#/etc/init.d/iptables start

#/etc/init.d/iptables stop

#/etc/init.d/iptables status
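Single iptables commands are easy to get out of order (an early ACCEPT or a missing default policy silently widens the firewall). As an added example (not part of the CDAC toolkit), the script below generates a complete default-deny filter table in iptables-restore format from the two rules in the examples above, so the policy can be reviewed as text and loaded atomically. The management network, interface and LAN values are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the CDAC toolkit. The interface and network values are assumptions.

# Print a complete default-deny filter table in iptables-restore format:
# SSH (22) only from $1 arriving on $2, HTTP (80) from $3, everything else dropped.
gen_filter_rules() {
    mgmt_net=$1; iface=$2; lan_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH (port 22) only from the management network, on $iface
-A INPUT -i $iface -s $mgmt_net -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP (port 80) from the LAN
-A INPUT -s $lan_net -p tcp -m tcp --dport 80 -j ACCEPT
# log (rate limited) what the INPUT policy is about to drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of -A rules in the generated table (a sanity check before loading).
rule_count() { gen_filter_rules "$@" | grep -c '^-A'; }

# Demo with constructed values. Load for real, as root, with:
#   gen_filter_rules 192.168.1.0/24 eth0 192.168.0.0/24 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
gen_filter_rules 192.168.1.0/24 eth0 192.168.0.0/24
```

Because the chain policies are DROP, anything not explicitly accepted is refused, and the ESTABLISHED,RELATED rule keeps the host's own outbound connections working. Load the file from a console session rather than over SSH when testing a new ruleset, since a mistake in the SSH rule locks you out.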


3.8 Services Hardening

A standard installation provides only a few daemons; however, as they may be used as an entry point by an attacker, you need to disable the ones that are not needed.

Daemons can be disabled with the sysv-rc-conf tool. To install it, use the command below:

#apt-get install sysv-rc-conf

To launch it:

#sysv-rc-conf

Read about each daemon and untick it at each run level to disable it if it is not required. This also speeds up the boot process and improves system performance.

Securing the /etc/services file prevents unauthorized modifications such as the deletion or addition of services. This involves adding the immutable bit to the file. To do so, use the following command:

#chattr +i /etc/services


3.9 TCP Wrappers

TCP wrappers provide additional protection against intrusion by controlling access to defined services. They are controlled from two files:

/etc/hosts.allow

/etc/hosts.deny

The recommendation is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" in the /etc/hosts.deny file and then explicitly allowing trusted hosts in the /etc/hosts.allow file, as below:

sshd : 192.168.1.2

ftp : 192.168.2.2

in.telnetd : 10.0.0.0/255.255.255.0   # allow access from my internal
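As an added example (not part of the CDAC toolkit), the script below is a small evaluator of the hosts.allow / hosts.deny decision just described: the allow file is consulted first, then the deny file, and a client that matches neither is permitted. It understands the client forms used above (ALL, ALL@ALL, an exact IPv4 address, a dotted prefix such as "10.0.0.", and net/mask such as "10.0.0.0/255.255.255.0"); PARANOID is not modelled because it needs reverse DNS. Function names are assumptions and the rule files are constructed.

```shell
#!/bin/sh
# Added example, not from the CDAC toolkit. Function names and rule files are assumptions.

# Dotted IPv4 address -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does client pattern $1 match address $2?
client_matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        PARANOID) return 1 ;;                 # needs reverse DNS; not modelled here
        */*) net=${pat%/*}; mask=$(ip_to_int "${pat#*/}")
             [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# Does a comma/space separated daemon list $1 contain ALL or the service $2?
daemon_list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$tok" = ALL ] || [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# Does a client list $1 (tokens may be user@host) match address $2?
client_list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        client_matches "${tok##*@}" "$2" && return 0
    done
    return 1
}

# Does any "daemons : clients" rule in file $1 match service $2 from address $3?
file_matches() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # strip trailing comment
        case "$line" in *:*) ;; *) continue ;; esac   # skip blank/comment lines
        daemon_list_matches "${line%%:*}" "$2" &&
            client_list_matches "${line#*:}" "$3" && return 0
    done < "$1"
    return 1
}

# Print "allow" or "deny" for service $1 from address $2, allow file $3, deny file $4.
tcpwrap_decide() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed rule files mirroring the recommendation above.
make_sample_rules() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.allow" <<'EOF'
sshd : 192.168.1.2
in.ftpd : 192.168.2.2
in.telnetd : 10.0.0.0/255.255.255.0   # allow access from my internal network
EOF
    printf 'ALL: ALL@ALL, PARANOID\n' > "$dir/hosts.deny"
    echo "$dir"
}

d=$(make_sample_rules)
for probe in "sshd 192.168.1.2" "sshd 192.168.1.3" "in.telnetd 10.0.0.77" "in.telnetd 10.0.1.5"; do
    set -- $probe
    echo "$1 from $2: $(tcpwrap_decide "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
done
rm -rf "$d"
```

The daemon name in hosts.allow must be the process name the wrapper sees (sshd, in.telnetd), which is why a mismatched name silently fails to grant access and the deny-all line then applies. Real tcpd has many more forms (hostnames, EXCEPT, twist); this evaluator is only for reasoning about the address-based rules shown in the text.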

3.10 Monitoring the Logs

It is recommended to configure logging and auditing to collect all events. By default syslog stores data in the /var/log directory. This is useful for troubleshooting software configuration or for finding violations of access rules.

Logcheck

Logcheck goes through the messages file and others on a regular basis (it can be scheduled via crontab) and sends an email report of any suspicious activity.

Logcheck and its documentation are available from: http://www.psionic.com/abacus/logcheck/ .

Colorlogs

Colorlogs colour-codes log lines, allowing you to spot bad activity easily. It is of somewhat questionable value, however, as I know very few people who stare at log files on an ongoing basis. You can get it at: http://www.resentment.org/projects/colorlogs/ .


WOTS

WOTS collects log files from multiple sources and generates reports or takes action based on what you tell it to do. WOTS looks for regular expressions you define and then executes the commands you list (mail a report, sound an alert, etc.). WOTS requires Perl and is available from: http://www.vcpc.univie.ac.at/~tc/tools/.

Swatch

Swatch is very similar to WOTS, and its log file configuration is very similar too.

You can download swatch from: ftp://ftp.stanford.edu/general/security-tools/swatch/

auditd (Kernel Logging)

The auditd daemon performs system auditing and is responsible for writing audit records to disk. During startup it reads the rules in /etc/audit.rules; open that file to change settings such as the audit log location and other options. If you need a solid audit trail, this is the tool for you; you can get it at: ftp://ftp.hert.org/pub/linux/auditd/ .
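The tools above all boil down to the same pattern: run a regular expression over the log on a schedule and report what matches. As an added example (not part of the CDAC toolkit), the script below is that pattern written as a plain shell check a cron job could mail: it counts failed SSH logins per source address in an auth log, reports sources at or above a threshold, and lists accepted logins so a success right after a burst of failures is easy to notice. The function names are assumptions and the log lines are constructed (documentation and private address ranges, not real hosts).

```shell
#!/bin/sh
# Added example, not from the CDAC toolkit. Function names and log lines are assumptions.

# Print "source-ip count" for every source with at least $2 failed sshd logins in log $1.
failed_login_sources() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }' "$1" | sort
}

# Print "user count" for accepted logins, so a success right after a burst of
# failures from the same place is easy to spot in the report.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "for") users[$(i + 1)]++
        }
        END { for (u in users) print u, users[u] }' "$1" | sort
}

# Constructed sample auth.log excerpt (203.0.113.0/24 is a documentation range).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 10:01:15 host sshd[2211]: Failed password for root from 203.0.113.7 port 51523 ssh2
Mar  3 10:01:19 host sshd[2213]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar  3 10:02:02 host sshd[2220]: Accepted publickey for deploy from 192.168.1.2 port 40010 ssh2
Mar  3 10:02:40 host sshd[2225]: Failed password for deploy from 192.168.1.2 port 40011 ssh2
Mar  3 10:03:00 host sshd[2230]: Accepted password for deploy from 192.168.1.2 port 40012 ssh2
Mar  3 10:04:10 host cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    echo "$f"
}

# The report a cron job would mail, here printed to stdout.
log=$(make_sample_log)
echo "Sources with 3 or more failed SSH logins:"; failed_login_sources "$log" 3
echo "Accepted logins by user:";                   accepted_logins "$log"
rm -f "$log"
```

Run it against /var/log/auth.log (Debian-style systems) or /var/log/secure (Red Hat-style systems); the threshold keeps the occasional mistyped password out of the report while a sustained guessing run from one address is still flagged.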

3.11 SSH Security

OpenSSH provides secure remote access designed for maximum security, and it replaced insecure remote access over Telnet. OpenSSH is used for remote login, making backups, remote file transfer via scp or sftp, and much more.

Default configuration files and port:

/etc/ssh/sshd_config - OpenSSH server configuration file

/etc/ssh/ssh_config - OpenSSH client configuration file

~/.ssh/ - the user's ssh configuration directory

~/.ssh/authorized_keys - lists the public keys (RSA or DSA) that can be used to log into the user's account

/etc/nologin - if this file exists, sshd refuses to let anyone except root log in

/etc/hosts.allow and /etc/hosts.deny - the access control lists enforced by tcp-wrappers are defined here


SSH default port : TCP 22

Disable OpenSSH Server: Some desktops and laptops can work without the OpenSSH server. If remote access or login is not required, disable it with the commands below.

# chkconfig sshd off - Redhat/Fedora

# yum erase openssh-server - Redhat/Fedora

# apt-get remove openssh-server - Debian / Ubuntu / BOSS

Only Use SSH Protocol 2: SSH protocol version 1 has vulnerabilities and should not be used. Open the sshd_config file and make sure the following line exists:

Protocol 2

Limit Users' SSH Access: By default every user account on the system is allowed to connect to the SSH server. To restrict this to specific users, edit the sshd_config file and add lines like the ones below:

AllowUsers root user2 user3

(to allow only the listed users)

DenyUsers user4 user5 user6

(to deny the listed users)
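As an added example (not part of the CDAC toolkit), the script below reads the effective value of sshd_config directives and reports the two settings covered in this section: a Protocol line that still offers version 1 (or is missing) and the absence of any AllowUsers/DenyUsers restriction. It models a detail that matters when auditing: sshd takes the first occurrence of a keyword and matches keywords case-insensitively, so a hardened line added at the end of the file is ignored if an earlier one exists. Function names are assumptions, the sample configurations are constructed, and the reader assumes the usual "Keyword value" form rather than "Keyword=value".

```shell
#!/bin/sh
# Added example, not from the CDAC toolkit. Function names and sample configs are assumptions.

# Print the effective value of directive $2 in sshd_config $1 ("" if unset). sshd uses
# the FIRST occurrence of a keyword and matches keywords case-insensitively; this
# reader assumes the usual "Keyword value" form (not "Keyword=value").
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print one finding per line for the settings covered in this section; nothing if clean.
sshd_audit() {
    f=$1
    proto=$(sshd_setting "$f" Protocol)
    [ "$proto" = "2" ] || echo "Protocol is '${proto:-unset}': set 'Protocol 2' so SSH-1 is never offered"
    allow=$(sshd_setting "$f" AllowUsers)
    deny=$(sshd_setting "$f" DenyUsers)
    [ -n "$allow$deny" ] || echo "no AllowUsers/DenyUsers: every local account may log in over SSH"
}

# Constructed sample configurations.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
# constructed: still offers protocol 1 and restricts nobody
Port 22
Protocol 2,1
PermitEmptyPasswords no
EOF
    cat > "$dir/good.conf" <<'EOF'
Port 22
Protocol 2
AllowUsers root user2 user3
DenyUsers user4 user5 user6
# a later duplicate is ignored by sshd because the first occurrence wins
protocol 1
EOF
    echo "$dir"
}

d=$(make_sample_configs)
echo "weak.conf:"; sshd_audit "$d/weak.conf"
echo "good.conf:"; sshd_audit "$d/good.conf"
rm -rf "$d"
```

After editing the real file, run sshd -t to have the server parse it before restarting, and keep an existing session open while you verify a new login still works.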

3.12 Other recommendations

Avoid using the FTP, Telnet and rsh services; replace them with SFTP and OpenSSH.

Ensure that the /sbin and /etc directories are owned by root. By default normal users can reboot the system by issuing the "reboot" command or by pressing CTRL+ALT+DEL. To disable this, ensure /sbin/halt is owned by root and restrict it to root:

# chmod 700 /sbin/halt

• To disable CTRL+ALT+DEL, edit /etc/inittab and comment out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now as below, then save and exit the editor.

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now


• Disallow root login from consoles by editing the /etc/securetty file and commenting out the respective lines at the beginning.

Security Enhanced Linux:

The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum privilege they require to do their jobs.

With these restrictions in place, the ability of user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations) is reduced or mitigated.

File Sharing:

To share files between Linux and Windows systems, the Samba software package is used. Samba can be configured to use encrypted passwords, to restrict access based on user or IP address, and to set file-level permissions.

Encryption:

To minimize the risk of exposing stored confidential information, encryption is the suitable option. Tools like OpenPGP and GnuPG allow encrypting emails and attachments as well as files stored on disk.

Anti Virus protection:

AntiVirus programs are also available for Linux and mitigate the risk of malware entering the system. ClamAV and Vexira are some of the AntiVirus tools for Linux.

Disable drivers for floppies, CD-ROMs and USB devices. Disable services like telnet, rsh and http using iptables.

Stopping unnecessary services and applications:

Stop unnecessary services and applications, because the more services are running, the more ports are left open to intruders (a port is an entry/exit point to an application). So, to protect the system, it is best to turn off any unnecessary services.


4. MAC OS Hardening

4.1 Introduction

To open the security settings, go to System Preferences and click Security under Personal. It is shown below.

Clicking Security opens a window, shown below, where you can set the screen saver password, System Preferences security, FileVault and the firewall. Let's go into the details of the screenshot below: how to configure the screen saver password and the other security settings.

4.2 General Settings

The first option sets a password for when the screen saver begins. Usually the screen saver does not ask for a password, even once it has started, until you tick the first option, "Require password 5 minutes after sleep or screen saver begins".


The recommendations below apply to all users once they are set. The second option disables automatic login at startup for all users: if you tick "Disable automatic login", every user must enter a password to log in to the system.

The next option, "Require password to unlock each System Preferences pane", locks the System Preferences options; you must enter a password to unlock any pane, by clicking the lock icon as shown below.


The next option, "Log out after <n> minutes of inactivity", automatically logs users out when the system has been idle for <n> minutes.

4.3 FileVault

FileVault allows you to encrypt the information in your home folder. FileVault creates a separate volume for your home folder and encrypts its contents. The data in your home folder is encoded, so your information stays secure if your computer is lost or stolen. FileVault uses the latest government-approved encryption standard, the Advanced Encryption Standard with 128-bit keys (AES-128).

To turn on FileVault, just click the "Turn On FileVault" button. After FileVault is enabled, it encrypts all the files in your home folder, and you need to enter the correct password to access any file in it.

When you turn on FileVault, it shows the warning below before enabling it.


4.4 Firewall

The firewall in Mac OS X v10.5.1 and later is an Application Firewall, which allows you to control connections on a per-application basis, rather than a per-port basis.

This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable applications from taking control of network ports that have been opened for legitimate applications.


When you click the advanced options, you are given the option to add or remove applications that may accept connections. By selecting "Block all incoming connections", you override the previously added applications, i.e. no incoming connections are allowed at all.

4.5. Set the Root Password

Mac OS X, by default, has the root account disabled and leaves it with a blank password. Without a strong password, any system can be easily compromised.

To configure user accounts, go to System Preferences and click Accounts, which opens a window as shown below.


Here you can select a user account and change its password or account name.

4.6. Disable Auto Logon

A default installation of Mac OS X is configured to automatically log on the first administrative user that is created. In addition, Mac OS X, by default, displays all valid user names in the login window. Also, after 3 invalid login attempts, it will by default prompt the user with a password hint. This can provide easy access and/or useful information to anyone with physical access to the system. These features should be disabled on all systems.


To disable auto logon, open user account, click on login options and select automatic login “OFF”. You can also set other options like whether to display restart, sleep and shutdown buttons, password hints and VoiceOver in the login window.

4.7. Backups

It is recommended to take periodic backups of your data so that it can be recovered even after a hardware crash.


5. Windows 2008 Hardening

5.1. Configure a Security Policy:

Install the Security Configuration Wizard through Add/Remove Windows Components. It detects ports and services and configures registry and audit settings according to the server's role:

• Disable unnecessary services based on the server role

• Remove unused firewall rules and limit existing firewall rules.

• Define restricted audit policies.

To configure the security policy with the wizard, go to Start --> Programs --> Administrative Tools --> Security Configuration Wizard.


5.2. Disable or Delete unnecessary accounts:

Attackers often gain access to servers through unused ports and services, so block unused ports and protocols and disable services that are not required. During installation the Administrator, Guest and Help Assistant accounts are created by default. As a security measure, the Administrator account should be disabled to make it more difficult for an attacker to gain access. Both the Guest and Help Assistant accounts should be disabled at all times.


To disable or delete accounts:

Go to Start --> Programs --> Administrative Tools --> Server Manager --> Configuration --> Local Users and Groups --> Users

Right-click the user --> Properties --> tick "Account is disabled"


5.3. Uninstall unnecessary applications or roles:

The number of applications installed on a server should be related to its role. It is a good idea to test these applications in a separate environment before deploying them on the production network. Some applications make use of service backdoors, which can compromise the overall security of the server.

Belarc Advisor: It displays the installed software and hardware, missing patches and fixes, and antivirus status. It is free of cost for personal use; government and corporate users can look at Belarc's other products, which include many more features for managing security on multiple computers.

To uninstall an unnecessary application or role:

Go to Start --> Programs --> Administrative Tools --> Server Manager --> Roles --> click Remove Roles


5.4. Configure the windows 2008 firewall:

Windows Server 2008 comes with a built-in firewall called Windows Firewall with Advanced Security. As a security best practice, every server should have its own host-based, bidirectional firewall that filters outbound as well as inbound traffic. IPsec encryption configuration is integrated into the same interface.

Using the advanced rules you can build firewall rules from Windows Active Directory objects, source and destination IP addresses, and protocols.

To configure the Windows 2008 firewall: Go to Start --> Control Panel --> Windows Firewall --> Change Settings


5.4. Configure Auditing:

The following events should be logged and audited:

• Audit account logon events

• Audit account management

• Audit directory service access

• Audit logon events

• Audit object access

• Audit policy change

• Audit privilege use

• Audit process tracking

• Audit system events


To configure auditing: Go to Start --> Control Panel --> Administrative Tools --> Local Security Policy --> Security Settings --> Local Policies --> Audit Policy


5.5. Disable unnecessary shares:

Unnecessary shares are a threat to critical servers, so it is necessary to disable them. The existing shares can be listed with the following command:

net share

This displays a list of all shares on the server. If a share is needed, system and security administrators should configure it as a hidden share and harden all NTFS and share permissions.

C:\Documents and Settings>net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC

In order to create a hidden share, put a $ (Dollar) sign after the share name. The share will still be accessible; however it will not be easily listed through the network. Example: Accounting$


5.5. Configure Encryption:

Industry standards require servers that host sensitive information to make use of an encryption system. Windows Server 2008 provides a built-in whole-disk encryption feature called BitLocker Drive Encryption (BitLocker), which protects the operating system and the data stored on the disk. To install BitLocker, select it in Server Manager or type the following at the command prompt:

C:\> ServerManagerCmd -install BitLocker -restart

To configure encryption on a 2008 server: Go to Start --> Programs --> Administrative Tools --> Server Manager --> Features --> BitLocker (it can be accessed only when Active Directory is installed on the Windows Server 2008 machine)


5.6. Updates and Patches:

Updates and patches are key elements of hardening a server. System and security staff should constantly update and patch their servers against vulnerabilities.

Administrators should periodically check the vendor's websites for updates.

Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software.

To update, go to: Start --> Windows Update (make sure Automatic Updates is turned ON)


5.7. Antivirus and Network Access Protection (NAP):

Antivirus software is one of the basic and crucial steps in hardening a server.

Windows Server 2008 comes with Network Access Protection (NAP), which helps defend against viruses spreading into the network.

It uses a set of policies that cleans affected machines and, once they are healthy, permits them access to parts of the production network. NAP is a client-server technology which scans and identifies machines that do not have the latest virus signatures, service packs or security patches.

For antivirus updates, go to: http://www.microsoft.com/security/default.aspx


5.8.Least Privilege:

Most security threats are caused by the high privileges held by accounts.

Server services should not be configured using enterprise-wide administrator accounts. ScriptLogic Cloak is a product which enhances the Windows NT File System (NTFS) by providing increased security and more accurate audits.

For least privilege: download ScriptLogic Cloak and install it on your Windows 2008 server to enhance Windows NT file system security.


5.9 Disable Automatic Services:

Disable the services that were set to automatic startup but are not needed. Disabling these services limits the attack surface, which can prevent or limit exploitation of the server.

To disable automatic services: Go to Start --> Run --> services.msc --> disable unneeded services


5.10. Disable Remote Registry:

This service allows registry access to authenticated remote users. Even though it is blocked by the firewall and ACLs, the service should be turned off if you have no reason to allow remote registry access.

To disable the remote registry, go to: Start --> Control Panel --> Windows Firewall --> ON

If you have a corporate network, follow the steps below:

Click Start --> Run --> type "regedit" and press Enter --> navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\

Select "winreg", click Edit and select "Permissions".

Select the appropriate users/groups, give the appropriate permission such as "Read" or "Full Control", click OK and then exit.

5.11. Windows Error Reporting Service:

Windows Error Reporting (WER) is a set of Windows technologies that capture software crash data and support end-user reporting of crash information. Through Winqual services, software and hardware vendors can access reports in order to analyze and respond to these problems.

WER technologies are implemented in Windows XP, Windows Server 2003, and later.

Go to: Start --> Programs --> Administrative Tools --> Server Manager --> Configuration --> Local Users and Groups.


5.12. Enable Web management Service:

The primary goal of enterprises currently using Web Services is to derive business value from the technology and drive their strategies based on it. This can only be done when they have proper control over the Web Services offered to their customers.

To enable the Web Management Service, go to: Start --> Programs --> Administrative Tools --> Server Manager --> Roles --> Add Roles --> check IIS --> Management Tools --> check Management Service.


5.13. Use Secure Socket Tunneling protocol(SSTP) Service:

This service provides support for the Secure Socket Tunneling Protocol (SSTP), used to connect to remote computers over VPN. If the service is disabled, users will not be able to use SSTP to access remote servers.

SSTP allows traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic.

It encapsulates PPP traffic in the SSL channel of the HTTPS protocol (port 443), so clients behind firewalls and NAT routers can connect to the VPN server without the usual port-blocking issues.

To use the SSTP service, go to: Start --> Run --> services.msc --> Secure Socket Tunneling Protocol Service --> Automatic

5.14. Certificate Propagation:

Smart card certificate handling. Microsoft has included many smart-card services in Vista, but probably not many people use them. Do not confuse smart cards with memory cards; they are completely different things. Smart cards are sometimes used for logging in to Vista instead of a password.

For Certificate Propagation, go to: Start --> Run --> services.msc --> Certificate Propagation --> Automatic


5.15. Enable NetLogon:

It maintains a channel between the computer and the domain controller. The Netlogon subkey stores information for the Net Logon service. The Net Logon service verifies log-on requests and registers, authenticates and locates domain controllers. To maintain backward compatibility, Net Logon also manages replication of the user account database to backup domain controllers running Windows NT 4.0 and earlier.

To enable Netlogon, go to: Start --> Run --> services.msc --> Netlogon --> Automatic


5.16. Special Administration Console Helper:

Special Administration Console Helper allows administrators to access a command prompt remotely. The Special Administration Console (SAC) can connect to a machine where this service is running, and can perform remote management tasks when Windows on that machine stops functioning due to a Stop error message.

The SAC is an auxiliary Emergency Management Services command-line environment with the following main functions:

• Redirect Stop error message explanatory text.

• Restart the system.

• Obtain computer identification information.

Go to: Start --> Run --> services.msc --> Special Administration Console Helper --> Automatic


6. Windows Vista Hardening

6.1 Introduction to Windows Vista and Windows 7 operating systems

Windows Vista is an operating system developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs and media center PCs.

Windows Vista was announced on 22 July 2005. Development of Vista was completed on November 8, 2006, and it was released worldwide on January 30, 2007. Windows Vista contains many changes and new features, including an updated GUI and visual style and redesigned networking, audio, print and display subsystems.

Windows 7 is the latest release of Microsoft Windows, released to manufacturing on July 22, 2009. It is an incremental upgrade to the Windows line, with the goal of being compatible with the applications and hardware with which Windows Vista was already compatible. Presentations given by Microsoft in 2008 focused on multitouch support and a redesigned Windows shell with a new taskbar, referred to as the Superbar.

Comparing OS processes and services internally with previous versions of the Windows line: going from Windows 2000 to Windows XP, the system process gained 21 execution threads in its default configuration; the Windows Vista kernel gained 39 threads; and Windows 7 has gained nearly 100 execution threads.

With the complexity of the processes and threads running on Windows Vista and Windows 7, Windows is most often the attacker's choice, and we need to harden the default configuration to make Windows Vista and Windows 7 more secure.

6.2 Configure Strong Administrator Password

You should configure a strong Administrator password. By default, Windows may have no password configured. To configure an Administrator password, go to Control Panel from the Start menu and click "Add or remove user accounts".


Choose Add or remove user accounts

Select the user, you want change the password and click on “Change your password”.


Like the above you can set password to any user account by selecting the appropriate user.


6.3 Windows Action Center(Security Center)

Windows Action Center is the central place where all Windows security settings can be configured, viewed and monitored. It contains the following modules: all the security configuration modules, such as Windows Firewall, Windows Update, Windows Defender, Internet Options and other third-party security settings, can be configured and monitored from here.


6.4 Windows Firewall

Windows Firewall filters the traffic flowing through the network adapters. To block all incoming traffic from outside, simply enable the firewall and tick the "don't allow exceptions" option. Never disable the firewall unless it is required; if you want to allow a program through the firewall, go through the following link:

To switch on Windows Firewall, just click "On" as shown above, and if you do not want to allow any incoming connection, tick the "Block all incoming connections" check box.


6.4 Automatic Updates

There's an easy, free way to help keep your PC safer and running smoothly. It's called Windows Update. All you have to do is turn it on, and you'll get the latest security and other important updates from Microsoft automatically.

As shown above, if there is an icon indicating that updates are available for installation, review them and click Install updates.

6.5 Windows Defender

Windows Defender is software that helps protect your computer against pop-ups, slow performance and security threats caused by spyware and other unwanted software, by detecting and removing known spyware from your computer. Windows Defender features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected, minimizes interruptions and helps you stay productive.

Windows Defender can be configured from the Windows Action Center. Make sure it is On and up to date. Other options can be set by clicking “Tools”.


6.6 Internet Options

Internet Options play a key role in securing Microsoft Internet Explorer on any Windows operating system. Make sure all settings are set to their defaults, unless you have changed some settings as per your requirements.

As shown above, make sure that the “Default Level” and “Reset all zones to default level” buttons are disabled (greyed out), which means no modifications have been made.

6.7 Ensure file sharing is off

File sharing allows users to share folders and may allow malicious attackers to read or write files from your shared folders. By default, file sharing is turned off. If you decide to share a folder, make sure password protected sharing is turned on.

To ensure file sharing is turned off, follow these steps:

1. Select Start --> Control Panel.

2. In the left panel, click Classic View.

3. In the Control Panel window, double-click Network and Sharing Center.

4. Under Sharing and Discovery, ensure File sharing is Off.

• To turn file sharing off or on, click the File sharing arrow button.

• To enable password protected sharing, click the Password protected sharing arrow button and click Turn on password protected sharing.


6.8 Enable Screen Saver Password

To prevent someone from using your computer when you have moved away or left it for a while, you should enable a screen saver password. Your screen saver password will be your account log-in password.

1. In the Control Panel window, double-click Personalization. A list of options appears.

2. Select Screen Saver.

3. Set the following: Select a Screen saver from the drop down menu. Set the Wait time to 10 minutes or less. Select (check) On resume, display log on screen.

4. Click OK.


6.9 Local Security Policy

Windows Vista has the facility to trace more security events, but the settings are not enabled by default. If your computer becomes compromised, keeping more logging information increases the chances that security experts will be able to trace how and when the compromise occurred.

Follow these steps to enable additional security event logging:

1. Select Start > Control Panel. In the left panel, click Classic View.

2. In the Control Panel window, double-click Administrative Tools and then Local Security Policy.

3. If the User Account Control window appears, click Continue.

4. In the left pane, click the small arrow next to Local Policies and then go through each policy (Audit Policy, User Rights Assignment and Security Options), reading the description of each setting carefully.

6.10 Other Recommendations

6.10.1 Update all your third-party software

Update all your third-party software periodically.


6.10.2 Backup your data periodically

You should take backups of your important data regularly and make sure the procedure for restoring them works properly. Keep regular backups of your system and files, using rewritable media such as tapes or disks. First calculate how much data you need to back up, then select the type of backup. Always keep an eye on the backup process.

To open Windows Backup, go to Control Panel, click Classic View on the left-hand side, then click Backup and Restore Center.

6.10.3 Use good antivirus and scan any downloaded file before opening it

Software from unauthorized sources can create many problems. For example, freeware and low-cost software downloaded from the Internet can contain viruses that will infect your system and spread to other computers on the network. Hence use a good antivirus, like Microsoft Security Essentials, scan downloaded files and removable media, and always keep the antivirus updated.

6.10.4 Disable unnecessary services

You should enable only the services that are required to operate your device. Disabling unnecessary services can help protect your system from potential attacks.


6.10.5 Use BitLocker drive encryption

BitLocker offers full-disk encryption: when BitLocker is enabled, the entire hard disk is encrypted. BitLocker is only available in the Windows Vista Ultimate and Enterprise editions.

More information: http://technet.microsoft.com/enus/library/cc766295%28WS.10%29.aspx

6.10.6 Windows Vista parental control

Computers today represent one of the greatest educational tools in recent times. Using a computer and the Internet, children are able to research topics and communicate with students in other areas.

Access to those resources brings with it an exposure to risk – one that is copyright.

As parents, you are constantly aware of the dangers facing your children in the real world and want to keep them safe from online threats as well.

Parental Controls makes managing your children's online and offline activities much more secure and includes easy-to-use tools to help you keep their computing activities safe.


7. Windows XP Hardening

7.1. Configure Windows Security Center

Ensure that Windows Firewall, Automatic Updates and Virus Protection are configured and are not showing any errors or notifications. The Windows Action Center (previously known as Windows Security Center) is a component included with Microsoft Windows XP (beginning with SP2), Windows Vista and Windows 7 to view the status of the computer's security settings.

Windows Action Center shows the status of the key security components: Windows Firewall, Automatic Updates and Antivirus Protection. It also gives a link to view the Internet Explorer settings.


7.2 Windows Firewall

The first thing you need to do is make sure that the Windows Firewall is turned ON.

Never turn off your firewall. Don’t allow exceptions either, unless they are required or other people need to access a service or data on your system.

If you check Block all incoming connections, all exceptions configured in the Exceptions tab and any other incoming traffic will be ignored. In the Exceptions tab you can allow services like file sharing, Remote Desktop or any other user-defined protocol or program to enter the system.

The Advanced tab contains settings related to logging, ICMP settings and restoring the defaults. Go through the Windows XP firewall configuration guide at http://technet.microsoft.com/en-us/library/cc875811.aspx

Don’t allow File and Printer Sharing or any other service through your firewall that would help others in information gathering.


7.3 Windows Automatic Update

The second thing you need to do is make sure that the operating system and applications are up to date with service packs and hotfixes. Every software vendor distributes updates to their OS or applications whenever a vulnerability is found. Hence it is highly recommended to update the installed software as advised by the vendor.

To configure Windows Update to run automatically, right-click My Computer, choose Properties, and click the Automatic Updates tab.


If you want to connect to Windows Update manually, go to the Start menu, Programs, and click Windows Update, which will connect to Microsoft and download the updates missing from your system.

The other way to reach Windows Update is to open Internet Explorer, go to the Tools menu and click Windows Update.

Other software that needs to be kept up to date usually includes your PDF readers, Java, music players and office applications.

7.4 Virus Protection

Viruses, Trojans and other malicious software programs pose a great risk to computers. Several forms of virus spread through e-mail messages, Internet browsing and removable media.

Antivirus software detects, fixes and prevents viruses from spreading to and from a computer. Antivirus software also searches for latent viruses on a computer.

Microsoft provides the antivirus software “Microsoft Security Essentials” free of cost to home users and small businesses with 10 systems, provided they have a valid license of Microsoft Windows.

Windows Security Center checks whether the system has antivirus software and whether it is being updated, and notifies the user if not.


7.5 Hardening File System Security

Make sure that your hard drive partitions are formatted with the NTFS file system. NTFS is more secure than the FAT or FAT32 file systems.

Check and convert a partition/drive to NTFS:

In the above image, the file system type is NTFS. If you find FAT/FAT32, use the command below to convert a partition or drive to NTFS. Go to the command prompt and enter the following command:

CONVERT D: /FS:NTFS -> converts the D: drive to the NTFS file system

NTFS is an advanced file system that provides performance, security, reliability and advanced features that are not found in any version of FAT. NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If the system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. In Windows 2000 and Windows XP, NTFS also provides advanced features such as file and folder permissions, encryption, disk quotas and compression.

7.6 Hardening Local Security Policies

It is recommended to modify the default local security policy for more security, because everyone knows the default settings and default user accounts of any Windows operating system.

There are two types of policies which need to be changed. Account policies answer questions like “What is the minimum length of the password?” or “How long does my password need to be?”. Auditing policies determine what sorts of security transactions are recorded in the Security Event Log. By default, nothing is retained in the Security Event Log, so any hijack attempt is completely unrecorded. Security logs are crucial for the analysis of any security incident.

Accessing the local security policy editor:

1. Go to Start > Control Panel > Administrative Tools > Local Security Policy.

2. Expand Account Policies by clicking the “+” sign.

3. Select the appropriate category.

4. Double-click the individual policy settings to make the changes as shown below.

5. After configuring all settings, close the policy editor.

Password Policy

Policy                                                                   Security Setting
Enforce password history                                                 10 passwords remembered
Maximum password age                                                     90 days
Minimum password age                                                     1 day
Minimum password length                                                  8 characters
Password must meet complexity requirements                               Enabled
Store password using reversible encryption for all users in the domain   Disabled

The maximum password age is based on the classification of information on a specific system. For information classified as “Public” the password must be changed every 180 days, for “Proprietary” it is 90 days and for “Confidential” it is 60 days.

Check whether “Password never expires” is checked for any user. In that case the password never expires and the OS never asks you to change it. To check this, right-click My Computer, click Manage, expand Local Users and Groups, select the user, go to its Properties and check.

Account Lockout Policy

Policy                                Security Setting
Account lockout duration              30 minutes
Account lockout threshold             5 invalid logon attempts
Reset account lockout counter after   30 minutes

Audit Policy

Before configuring the audit policy, change the maximum log size and choose “Overwrite events as needed”. To change this setting, go to Start > Control Panel > Administrative Tools > Event Viewer. Right-click each log, choose Properties and change the size as below:

a. Application Log = 20 MB

b. Security Log = 100 MB

c. System Log = 16 MB

Policy                           Security Setting
Audit account logon events       Success, Failure
Audit account management         Success, Failure
Audit directory service access   No Auditing
Audit logon events               Success, Failure
Audit object access              Failure (minimum)
Audit policy change              Success (minimum)
Audit privilege use              Failure (minimum)
Audit process tracking           No Auditing
Audit system events              Success, Failure

Users and Privileges

Policy                                                           Security Setting
Access this computer from the network                            Users, Administrators (Remote Desktop Users – whenever needed)
Act as part of the operating system                              <None>
Add workstation to domain                                        <Not Applicable>
Adjust memory quotas for a process                               <Default>
Allow logon through Terminal Services                            Remote Desktop Users
Backup file and directories                                      <Default>
Bypass traverse checking                                         Administrators, Users, Local Service, Network Service, System
Change the system time                                           Administrators
Create a page file                                               Administrators
Create a token object                                            <None>
Create global objects                                            <Default>
Create permanent shared objects                                  <None>
Debug programs                                                   Administrators
Deny access to the computer from the network                     Guests, Support_388945a0
Deny logon as a batch job                                        <Default>
Deny logon as a service                                          <Default>
Deny logon locally                                               <Default>
Deny logon through Terminal Services                             <Default>
Enable computer and user accounts to be trusted for delegation   <Not Applicable>
Force shutdown from remote system                                Administrators
Generate security audits                                         Local Service, Network Service
Impersonate a client after authentication                        <Default>
Increase scheduling priority                                     Administrators
Load and unload device drivers                                   Administrators
Lock pages in memory                                             <None>
Logon as a batch job                                             <Default>
Logon as a service                                               <Default>
Log on locally                                                   Users, Administrators
Manage auditing and security log                                 Administrators
Modify firmware environment values                               Administrators
Perform volume maintenance tasks                                 Administrators
Profile single process                                           Administrators
Profile system performance                                       Administrators
Remove computer from docking station                             Users, Administrators
Replace a process level token                                    Local Service, Network Service
Restore files and directories                                    Administrators
Shutdown the system                                              Users, Administrators
Synchronize directory service data                               <Not Applicable>
Take ownership of files or other objects                         Administrators

7.7 Disable Remote Desktop

It is highly recommended that you disable Terminal Services if it is not needed. To disable or check this setting, right-click My Computer, click Properties, go to the Remote tab and uncheck “Allow users to connect remotely to this computer”.


7.8 Hardening Default Accounts

Change the default configuration of the Administrator and Guest accounts. Make sure that every account has a strong password associated with it.

Configuring the Administrator account:

1. Log in as Administrator or as a member of the Administrators group.

2. Go to Start > Control Panel > Administrative Tools > Computer Management.

3. Expand Local Users and Groups.

4. Double-click Users.

5. Right-click the Administrator account and choose to rename it.

6. Right-click the renamed Administrator account and select “Set Password”.

7. Also rename the Guest account by following the above steps.

Microsoft made the Administrator and Guest accounts default on every copy of the Windows operating system. Hackers can simply target these accounts by trying different password combinations.

In the case of the Guest account, you can simply disable it. The Guest account is an account for users who don’t have a permanent account on your computer or domain. It allows people to use your computer without having access to your personal files.

To disable the Guest account, right-click the Guest account, go to Properties and check “Account is disabled”.

7.9. File Permission Settings

There are several system files whose access needs to be restricted to Administrators and System. System files usually reside in the root folder, which is usually C:\Windows but may vary depending on the installation.

Below are some of the system files and the recommended security settings for those files.

To modify these settings, log in with an Administrator or equivalent account, right-click the file, go to the Security tab and change the users or groups.

System File Name                           Permission Settings
%SystemRoot%\regedit.exe                   Administrators: Full; System: Full
%SystemRoot%\system32\at.exe               Administrators: Full; System: Full
%SystemRoot%\system32\attrib.exe           Administrators: Full; System: Full
%SystemRoot%\system32\drwatson.exe         Administrators: Full; System: Full
%SystemRoot%\system32\eventcreate.exe      Administrators: Full; System: Full
%SystemRoot%\system32\eventtriggers.exe    Administrators: Full; System: Full
%SystemRoot%\system32\ftp.exe              Administrators: Full; System: Full
%SystemRoot%\system32\net.exe              Administrators: Full; System: Full
%SystemRoot%\system32\netsh.exe            Administrators: Full; System: Full
%SystemRoot%\system32\reg.exe              Administrators: Full; System: Full
%SystemRoot%\system32\regedt32.exe         Administrators: Full; System: Full
%SystemRoot%\system32\regsvr32.exe         Administrators: Full; System: Full
%SystemRoot%\system32\runas.exe            Administrators: Full; System: Full
%SystemRoot%\system32\sc.exe               Administrators: Full; System: Full
%SystemRoot%\system32\telnet.exe           Administrators: Full; System: Full
%SystemRoot%\system32\tftp.exe             Administrators: Full; System: Full
%SystemRoot%\system32\tlntsvr.exe          Administrators: Full; System: Full
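Checking the table by hand means opening seventeen Security tabs. The PowerShell script below is an added example, not part of the CDAC toolkit: it reads the ACL of each listed file and reports every allow entry held by an identity other than Administrators and SYSTEM; it assumes PowerShell 2.0 or newer and uses the file names exactly as the table gives them.

```powershell
# Added example, not from the CDAC toolkit: report every account other than
# Administrators and SYSTEM that still holds an allow entry on the system files listed
# above, so you can see what the Security tab would need changing to. Run elevated.
# Assumes PowerShell 2.0 or newer; the file names follow the table above.

$SystemFiles = @(
    'regedit.exe', 'system32\at.exe', 'system32\attrib.exe', 'system32\drwatson.exe',
    'system32\eventcreate.exe', 'system32\eventtriggers.exe', 'system32\ftp.exe',
    'system32\net.exe', 'system32\netsh.exe', 'system32\reg.exe', 'system32\regedt32.exe',
    'system32\regsvr32.exe', 'system32\runas.exe', 'system32\sc.exe', 'system32\telnet.exe',
    'system32\tftp.exe', 'system32\tlntsvr.exe'
) | ForEach-Object { Join-Path $env:SystemRoot $_ }

# The identities the table allows. On Windows Vista/7 the TrustedInstaller service account
# also holds rights on system files; add 'NT SERVICE\TrustedInstaller' here if you do not
# want it reported.
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-UnexpectedAccess($Path) {
    # Return one record per allow ACE granted to an identity outside $Allowed.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $ace.IdentityReference.Value) {
            New-Object PSObject -Property @{
                File = $Path; Identity = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights.ToString(); Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-SystemFilePermissions {
    foreach ($file in $SystemFiles) {
        # Tools such as telnet.exe or drwatson.exe are absent on some Windows versions; skip those.
        if (Test-Path $file) { Get-UnexpectedAccess $file }
    }
}

Test-SystemFilePermissions | Format-Table File, Identity, Rights, Inherited -AutoSize
```

Entries reported with Inherited = True come from the parent folder, so on the Security tab you must first remove inheritance on the file before the extra group can be taken off.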


7.10 Set Registry Keys

The Windows registry is a hierarchical database that stores configuration settings and options on the Microsoft Windows operating system. It contains settings for low-level operating system components as well as for the applications running on the platform.

Some registry keys can be configured to enhance the operating system's security.

Take a backup of the registry before making any changes to it. To back up the registry contents, go to the Start menu, click Run, type regedit and click OK. Then go to File > Export, choose a name and location for the backup file, and export.

Configure your registry:

Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Value: (REG_DWORD) 255
Purpose: Disables autoplay from any disk type, regardless of application

Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Value: (REG_DWORD) 255
Purpose: Disables autoplay for the current user

Registry Key: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Value: (REG_DWORD) 255
Purpose: Disables autoplay for the default profile

Registry Key: HKLM\System\CurrentControlSet\Services\CDrom\Autorun
Value: (REG_DWORD) 0
Purpose: Disables CD/DVD autorun

Registry Key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
Value: (REG_DWORD) 2
Purpose: Protects against source-routing spoofing

Registry Key: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
Value: (REG_DWORD) 1
Purpose: Enables Safe DLL Search Mode
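The same six values can be audited and applied from PowerShell, with the reg.exe backup the text asks for taken before each change. The script below is an added example, not part of the CDAC toolkit; it assumes PowerShell 2.0 or newer and an elevated prompt, and the NoDriveTypeAutoRun entries under HKCU and HKU\.DEFAULT affect only the current user and the default profile respectively.

```powershell
# Added example, not from the CDAC toolkit: audit, and optionally apply, the registry
# values recommended in the table above. Run from an elevated prompt. Each key is
# exported with reg.exe before it is changed, as the text advises.

# HKEY_USERS has no PowerShell drive by default; create one so HKU:\ paths work.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$Recommended = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';        Name = 'NoDriveTypeAutoRun';     Value = 255; Purpose = 'Disable autoplay for every drive type (machine-wide)' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';        Name = 'NoDriveTypeAutoRun';     Value = 255; Purpose = 'Disable autoplay for the current user' },
    @{ Key = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';     Value = 255; Purpose = 'Disable autoplay for the default profile' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\CDrom';                            Name = 'Autorun';                Value = 0;   Purpose = 'Disable CD/DVD autorun' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';                 Name = 'DisableIPSourceRouting'; Value = 2;   Purpose = 'Drop source-routed IP packets' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\Session Manager';                   Name = 'SafeDllSearchMode';      Value = 1;   Purpose = 'Enable Safe DLL search mode' }
)

function Get-RegistryDword($Key, $Name) {
    # Current DWORD value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Backup-RegistryKey($Key) {
    # Turn the PowerShell drive path back into the HKEY_... form reg.exe expects and export it.
    $native = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER' -replace '^HKU:', 'HKEY_USERS'
    $file = Join-Path $env:TEMP ('regbackup-' + [guid]::NewGuid().ToString() + '.reg')
    & reg.exe export $native $file | Out-Null
    return $file
}

function Test-RecommendedRegistry {
    foreach ($r in $Recommended) {
        $current = Get-RegistryDword $r.Key $r.Name
        New-Object PSObject -Property @{
            Key = $r.Key; Name = $r.Name; Recommended = $r.Value; Current = $current
            Compliant = ($current -eq $r.Value); Purpose = $r.Purpose
        }
    }
}

function Set-RecommendedRegistry {
    foreach ($r in $Recommended) {
        if ((Get-RegistryDword $r.Key $r.Name) -eq $r.Value) { continue }     # already compliant
        if (Test-Path $r.Key) { Write-Host "Backed up $($r.Key) to $(Backup-RegistryKey $r.Key)" }
        else { New-Item -Path $r.Key -Force | Out-Null }                        # policy key missing: create it
        Set-ItemProperty -Path $r.Key -Name $r.Name -Value $r.Value -Type DWord
    }
}

Test-RecommendedRegistry | Format-Table Name, Recommended, Current, Compliant -AutoSize
# After reviewing the report, apply the table with: Set-RecommendedRegistry
```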

7.11 Services Hardening

A service is a program that runs in the background; not all background programs are services.

A service has 3 basic startup states:

• Disabled: The service will not be loaded (some programs stop working, no memory is used, quick boot time)

• Manual: The service will be loaded on demand (slow program start, memory is used when needed, quick boot time)

• Automatic: The service is loaded at boot time (fast program start, memory is always used, slow boot time)

To open the Services console, go to Run, type “services.msc” and press OK.


Service                                  Default     Recommended
Alerter                                  Manual      Disabled
Clipbook                                 Manual      Disabled
Distributed Link Tracking Client         Automatic   Disabled
Error Reporting Service                  Automatic   Disabled
Fast User Switching Compatibility        Manual      Disabled ★
Indexing Service                         Manual      Disabled ★
IPSEC Services                           Automatic   Manual ★
Messenger                                Automatic   Disabled ✜
NetMeeting Remote Desktop Sharing        Manual      Disabled ✜
Network DDE                              Manual      Disabled ✜
Network DDE DSDM                         Manual      Disabled ✜
Remote Desktop Help Session Manager      Manual      Disabled ✜
Remote Registry Service                  Automatic   Disabled ✜
Routing and Remote Access                Manual      Disabled ✜
Secondary Logon                          Automatic   Manual ★
SSDP Discovery Service                   Manual      Disabled ✜
TCP/IP NetBIOS Helper Service            Automatic   Disabled ★
Telnet                                   Manual      Disabled ✜
Terminal Services                        Manual      Disabled ✜
Universal Plug and Play Device Host      Manual      Disabled ✜
Web Client                               Automatic   Disabled ★
Windows Time                             Automatic   Disabled ★

✜ : Increases security by disabling the vulnerabilities of the respective service

★ : Reduces CPU/RAM usage at the expense of losing special features
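The table can be compared with a running system, and applied, from PowerShell rather than one service at a time in services.msc. The script below is an added example, not part of the CDAC toolkit: the short service names it maps the table's display names to are the Windows XP ones and are an assumption of this example, and it assumes PowerShell 2.0 or newer and an elevated prompt.

```powershell
# Added example, not from the CDAC toolkit: compare the startup type of each service in
# the table above with its recommended value, and optionally apply it. The short service
# names are the Windows XP ones and are an assumption of this example. Run elevated.

$Recommended = @(
    @{ Name = 'Alerter';                        Display = 'Alerter';                             Want = 'Disabled' },
    @{ Name = 'ClipSrv';                        Display = 'Clipbook';                            Want = 'Disabled' },
    @{ Name = 'TrkWks';                         Display = 'Distributed Link Tracking Client';    Want = 'Disabled' },
    @{ Name = 'ERSvc';                          Display = 'Error Reporting Service';             Want = 'Disabled' },
    @{ Name = 'FastUserSwitchingCompatibility'; Display = 'Fast User Switching Compatibility';   Want = 'Disabled' },
    @{ Name = 'CiSvc';                          Display = 'Indexing Service';                    Want = 'Disabled' },
    @{ Name = 'PolicyAgent';                    Display = 'IPSEC Services';                      Want = 'Manual' },
    @{ Name = 'Messenger';                      Display = 'Messenger';                           Want = 'Disabled' },
    @{ Name = 'mnmsrvc';                        Display = 'NetMeeting Remote Desktop Sharing';   Want = 'Disabled' },
    @{ Name = 'NetDDE';                         Display = 'Network DDE';                         Want = 'Disabled' },
    @{ Name = 'NetDDEdsdm';                     Display = 'Network DDE DSDM';                    Want = 'Disabled' },
    @{ Name = 'RDSessMgr';                      Display = 'Remote Desktop Help Session Manager'; Want = 'Disabled' },
    @{ Name = 'RemoteRegistry';                 Display = 'Remote Registry Service';             Want = 'Disabled' },
    @{ Name = 'RemoteAccess';                   Display = 'Routing and Remote Access';           Want = 'Disabled' },
    @{ Name = 'seclogon';                       Display = 'Secondary Logon';                     Want = 'Manual' },
    @{ Name = 'SSDPSRV';                        Display = 'SSDP Discovery Service';              Want = 'Disabled' },
    @{ Name = 'LmHosts';                        Display = 'TCP/IP NetBIOS Helper Service';       Want = 'Disabled' },
    @{ Name = 'TlntSvr';                        Display = 'Telnet';                              Want = 'Disabled' },
    @{ Name = 'TermService';                    Display = 'Terminal Services';                   Want = 'Disabled' },
    @{ Name = 'upnphost';                       Display = 'Universal Plug and Play Device Host'; Want = 'Disabled' },
    @{ Name = 'WebClient';                      Display = 'Web Client';                          Want = 'Disabled' },
    @{ Name = 'W32Time';                        Display = 'Windows Time';                        Want = 'Disabled' }
)

function Get-ServiceStartMode($Name) {
    # Win32_Service.StartMode is Auto, Manual or Disabled; report Auto as the console's "Automatic".
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($svc -eq $null) { return $null }           # service not installed on this system
    if ($svc.StartMode -eq 'Auto') { return 'Automatic' }
    return $svc.StartMode
}

function Test-RecommendedServices {
    foreach ($r in $Recommended) {
        $mode = Get-ServiceStartMode $r.Name
        New-Object PSObject -Property @{
            Service = $r.Display; Current = $mode; Recommended = $r.Want
            # A service that is not installed cannot run, so it counts as compliant.
            Compliant = (($mode -eq $null) -or ($mode -eq $r.Want))
        }
    }
}

function Set-RecommendedServices {
    # Apply the recommended startup types; a service that is being disabled is stopped first.
    foreach ($r in $Recommended) {
        $svc = Get-Service -Name $r.Name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }
        if ($r.Want -eq 'Disabled' -and $svc.Status -eq 'Running') { Stop-Service -Name $r.Name -Force }
        Set-Service -Name $r.Name -StartupType $r.Want
    }
}

Test-RecommendedServices | Format-Table Service, Current, Recommended, Compliant -AutoSize
# Review the report, then run Set-RecommendedServices to apply the table.
```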

7.12 Other recommendations

1. Use a non-administrator account for daily operations, i.e. the user should not be in the Administrators group.

2. Use strong passwords, at least 8 characters long, mixing letters with special symbols and numerals [ex: Iw0rk4CDAC].

3. Use the screen saver password and press “Windows logo + L” to lock your computer if you are going away for a while.

4. Never download and install any software from unknown sources. Search for its trustworthiness on the Internet using any search engine before installation.

5. Turn off autoplay on all drives as described above.

6. Use a good antivirus and update it regularly. Scan any removable media prior to accessing it.

7. Check your startup programs regularly and disable any that look suspicious by unchecking them.

8. Never open any e-mail attachment from an unknown sender, even if it lures you.

9. Back up important data onto CD/DVD.

10. Educate yourself on Internet security or PC security and mail your queries to isea@cdac.in


Toolkit


1.0 Virus Protection and Cleaner Tools

1.1 Windows Based

1.1.1 Avast Free Antivirus 6

Avast! Antivirus normally updates itself freely for the first 14 months of usage, as long as the computer using it is connected to the Internet. After each 14-month period, the user of the software must re-register to receive a new license key. Unless upgrading to the paid version, registration currently remains free.

Avast! Free Antivirus often outperforms competitors´ paid-for products in independent tests, leading in both security features and scanning speed. In fact, AV-Comparatives.org rated avast! 5.0 the fastest out of 20 antivirus programs!

Having antivirus protection is critical and, fortunately, easier than ever. Download now and in just a few minutes you’ll be enjoying the peace of mind that comes from having the best and fastest online protection available.

• Standard Shield — Real-time protection

• IM shield — Instant Messenger protection

• P2P shield — P2P protection

• Internet Mail — E-mail protection

• Outlook/Exchange — Microsoft Outlook/Exchange protection

• Web Shield — HTTP protection (local transparent proxy)

• Script blocker — script checker (Pro version only)

• Network Shield — basic protection against well-known network worms. Acts as a lightweight Intrusion Detection System

• Audible alarms — vocal warnings such as "Caution, a virus has been detected!"

• Boot-time scan — through the program interface, a user can schedule a boot-time scan to remove viruses that load during Windows startup and are therefore difficult to remove.

http://www.avast.com/eng/download-avast-home.html


1.1.2 AVG Antivirus free edition 2011

Three reasons for using AVG Antivirus:

• Over 110 million people trust our people-powered protection

• We’re rated #1 in threat detection by independent antivirus testing labs*

• It’s easy to install and use

According to Grisoft, over 60 million users have AVG Anti-Virus protection, including users of the Free Edition.

The AVG Anti-Virus Free Edition is similar to the AVG Anti-Virus Professional Edition product, but does not have all the features. It lacks the fine-grained control over how scans are conducted. In addition, the free version does not receive technical support from Grisoft, and English is the only available language.

http://www.freeavg.com/?lng=in-en&cmpid=free and http://free.grisoft.com/doc/5390/us/frt/0

1.1.3 AntiVir Personal 10.2.0.700

Avira AntiVir Personal - FREE Antivirus is a reliable free antivirus solution that constantly and rapidly scans your computer for malicious programs such as viruses, Trojans, backdoor programs, hoaxes, worms, dialers etc. It monitors every action executed by the user or the operating system and reacts promptly when a malicious program is detected.

• Detects and removes more than 150,000 viruses

• Always among the winners of comparison tests featured in computer journals

• The resident Virus Guard monitors file movements automatically, e.g. downloading of data from the Internet

• Scanning and repair of macro viruses

• Protection against previously unknown macro viruses

• Protection against trojans, worms, backdoors, jokes and other harmful programs

• AntiVir: protection against viruses, worms and Trojans

• AntiDialer: protection against expensive dialers

• AntiRootkit: protection against hidden rootkits

• AntiPhishing: protection against phishing

• AntiSpyware: protection against spyware and adware

• NetbookSupport: for laptops with low resolution

• QuickRemoval: eliminates viruses at the push of a button

• Easy operation

• Internet-Update Wizard for easy updating

• Protection against previously unknown boot record viruses and master boot record viruses

http://www.filehippo.com/download_antivir/

1.1.4 BitDefender Free Edition

BitDefender Free Edition uses the same ICSA Labs certified scanning engines found in other BitDefender products, allowing you to enjoy basic virus protection at no cost at all.

This free antivirus software download is an on-demand virus scanner, which is best used in a system recovery or forensics role. If you are on an "always-on" Internet connection, we strongly advise you to consider using a more complex antivirus solution.

The key features and benefits of BitDefender Free Edition are:

• Virus Scanning & Removal: On-demand scanning - powerful scan engines ensure detection and removal of all viruses in the wild every time you need it.

• Scheduled Scanning: The Scheduler lets you plan ahead and schedule full system/drive scans in the off hours, when you won't be using your computer.

• Immediate Scanning: With just a simple right-click, you can check your files and folders.

• Quarantine: By isolating the infected files in quarantine, the risk of getting infected diminishes. You also have the possibility to send these files for further analysis to BitDefender Labs.

• Reports: When launching a scan you may choose to create a report file where you can see statistics about the scan process.

http://www.bitdefender.com/solutions/free.html


1.1.5 McAfee Security Scan Plus

Actively checks your computer for antivirus software, firewall protection and web security, and for threats in your open applications.

Work or play with minimal interruptions thanks to fast and effective virus, malware and spyware scanning. Schedule security scans for when you’re not using your PC. Automatic scans and updates occur when your PC is idle. All of which means McAfee® AntiVirus Plus won’t slow you down.

http://home.mcafee.com/downloads/free-virus-scan?ctst=1

1.1.6 Comodo Antivirus

Keep your PC free of all malware, spyware, viruses and Trojans. Breakthrough, patent-pending technology prevents all infections. 100% *

All-in-one protection from every source of infection: defense for e-mail, browsing & shopping, IM, external devices, downloads, gaming etc.

http://antivirus.comodo.com/

1.1.7 ClamWin Free Antivirus

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high-performance multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats. The core ClamAV library is used in Immunet 3.0, powered by ClamAV, which is a fast, fully featured desktop AV solution for Windows.

ClamWin is a free antivirus program for Microsoft Windows 7 / Vista / XP / Me / 2000 / 98 and Windows Server 2008 and 2003.

ClamWin Free Antivirus is used by more than 600,000 users worldwide on a daily basis. It comes with an easy installer and open source code. You may download and use it absolutely free of charge. It features:

• High detection rates for viruses and spyware;

• Scanning scheduler;

• Automatic downloads of the regularly updated virus database;

• Standalone virus scanner and right-click menu integration with Microsoft Windows Explorer;

• Add-in for Microsoft Outlook to remove virus-infected attachments automatically.

The latest version of ClamWin Free Antivirus is 0.97.2. http://www.clamwin.com/

1.1.8 Winpooch 0.6.6

If you're worried about the constant threat of spyware and malware attacking your

PC, then WinPooch packs a powerful punch.

The good thing is, it's free makes special emphasis of stopping trojans and spyware using a technique known as "API hooking" which , basically provides static protection and doesn't allow anything to lock onto your registry. Alternatively it can give you the choice over whether you want a program to write in a system directory or in the registry, or else to connect to internet. The developers are keen to point out that this is in no way an anti virus checker and as such, it's a good idea to install it with one of their sister programs, ClamWin although note that this does not provide real time protection against viruses. Overall the good thing about this program is that it leaves the decision up to you over whether a program is installed or not. The downside is that it doesn't provide a real time anti virus scanner but it's easy to use and seems to be very effective at stopping anything coming through as you get plenty of alerts.

Simple to use and powerful at what it does, this is a great anti spyware blocker but would have scored more highly if it had included an anti virus checker.


Pros

• Powerful at blocking spyware

• Prompts you about what to install and what not to

Cons

• Doesn't include a real-time antivirus checker

http://winpooch.en.softonic.com/

1.1.9 VIPRE

VIPRE Antivirus is the light-weight and highly effective antivirus program that does not slow down your PC. Using next-generation technology, VIPRE protects your computer from all types of malware threats including viruses, adware, spyware, worms, rootkits, and more.

And VIPRE is supported by a world-class team of experts, with toll-free support and free malware removal assistance! Get VIPRE today and get the peace of mind of the world's most-loved antivirus product!

High performance threat protection with low impact on system resources

Users tell us the biggest frustration with antivirus programs is bloat and high resource usage.

VIPRE Antivirus has been completely written from scratch to run seamlessly without impairing system performance. Users report amazing results after replacing their existing antivirus with VIPRE - it's like they have a new system!

All-new technology delivers a powerful antivirus and antispyware engine

At VIPRE's core is an antivirus and antispyware engine that merges the detection of all types of malware into a single efficient and powerful system. The new technology was developed exclusively by GFI, without building on older generation antivirus engines. VIPRE uses next-generation technologies making it the future of antivirus programs.

Advanced anti-rootkit technology

VIPRE's all-new anti-rootkit technology finds and disables malicious hidden processes, threats, modules, services, files, Alternate Data Streams (ADS), or registry keys on a user's system. Removing rootkits is supplemented by VIPRE's FirstScan™ which runs at the system's boot time. FirstScan bypasses the Windows operating system, to directly scan certain locations of the hard drive for malware, removing infections where found.

Real-time monitoring with Active Protection™


VIPRE's Active Protection delivers real time monitoring and protection against known and unknown malware threats. Active Protection works inside the Windows kernel (the core of the operating system), watching for malware and stopping it before it has a chance to execute on a user's system.

Full protection against email-borne threats

VIPRE Antivirus includes comprehensive protection against email viruses, with direct support for Outlook, Outlook Express and Windows Mail; and support for any email program that uses POP3 and SMTP (Thunderbird, IncrediMail, Eudora, etc.).

We Saved The Best Thing For Last! Unlimited Home License

Uniquely, VIPRE is the first security product to provide an "unlimited home license"(*). For an annual subscription price of $49.95, all the PCs in your house can be protected with this single 'home license'. This license is for residential use, and includes your home office. All the PCs in your home are covered; for example, that would include a laptop in use by a child in college. (Small businesses should not use this license; they should use VIPRE Enterprise.) All annual subscriptions include one year of threat definition updates, software upgrades, and live US-based toll-free technical support. Get VIPRE Antivirus Premium and there's only one toll-free number to call for all your PC security tech support. http://www.vipreantivirus.com/Software/VIPRE-Antivirus/

1.1.10 PC tools Antivirus

Better protection, better scanner, less impact, virus scan and removal for the MBR.

PC Tools AntiVirus features

PC Tools AntiVirus' main features include the following:

• IntelliGuard protection against computer viruses and related malware threats

• Smart Updates to keep virus definitions and other feature enhancements up to date

• Customizable scan settings applicable to both PC Tools AntiVirus' on-demand file scan and real-time protection features

• Ability to quarantine and restore items that have been detected

• Logging of file scans conducted by PC Tools AntiVirus

• Enhanced architecture providing enhanced infection removal capabilities for limited user accounts

http://www.pctools.com/anti-virus/download/?src=lp_av


1.1.11 Malwarebytes

Malwarebytes Anti-Malware Free utilizes Malwarebytes' powerful technology to detect and remove all traces of malware including worms, trojans, rootkits, rogues, dialers, spyware and more.

• Advanced malware detection and removal

• Industry-proven clean-up technologies eradicate existing malware infections

• Rapid-response malware database and heuristics updates

• Access to our expert community and knowledgeable support team (email/forums)

http://www.malwarebytes.org/mbam-download.php

1.1.12 Dr.Web CureIt!

Dr.Web CureIt! is an antivirus and anti-spyware scanning tool built on the Dr.Web engine; it lets you quickly scan and, if necessary, cure a computer without installing Dr.Web Anti-virus.

Dr.Web CureIt! detects and removes:

• Mass-mailing worms

• E-mail viruses

• Peer-to-peer viruses

• Internet worms

• File viruses

• Trojans

• Stealth viruses

• Polymorphic viruses

• Bodiless viruses

• Macro viruses

• MS Office viruses

• Script viruses


• Spyware

• Spybots

• Password stealers

• Keyloggers

• Paid dialers

• Adware

• Riskware

• Hacktools

• Backdoors

• Joke programs

• Malicious scripts

• Other malware

http://www.softpedia.com/progDownload/Dr-WEB-CureIt-Download-50008.html

1.1.13 Microsoft Security Essentials

Microsoft Security Essentials (MSE) is a free antivirus software product created by Microsoft that provides protection against different types of malware such as computer viruses, spyware, rootkits and trojan horses for Windows XP (IA-32), Windows Vista, and Windows 7 (both IA-32 and x64). Microsoft Security Essentials replaces Windows Live OneCare, a commercial subscription-based antivirus service, and the free Windows Defender, which only protected users from adware and spyware. Unlike the Microsoft Forefront family of enterprise-oriented security products, Microsoft Security Essentials is geared for consumer use.

1. Real Time Protection

2. System scanning & cleaning

3. Windows Firewall integration

4. Live system behavior monitoring

5. Dynamic signature service


6. Rootkit protection

7. Protection against false positives

8. Network inspection system

The latest version of Microsoft Security Essentials includes a new feature called the network inspection system. The network inspection system provides protection against network-based exploits such as the Conficker (MS09-67) and other exploits that take advantage of network vulnerabilities to infect PCs. The network inspection system in Microsoft Security Essentials also:

• Scans traffic on networks to which the PC is connected and proactively mitigates known attacks. No action is required by the consumer or small business.

• Automatically blocks traffic with an identified exploit attempt.

• Requires the Windows Filtering Platform (WFP) available in Windows Vista and Windows 7. The network inspection system feature will not be enabled on Windows XP.

http://www.microsoft.com/en-in/security_essentials/default.aspx

1.2 Linux Based

1.2.1 Avast! Linux Home Edition

Avast, the anti-virus program I previously decided has the coolest name for an antivirus program, also sports a pretty great Linux GUI. As you can see it looks right at home on my Ubuntu desktop. This makes it easy to update definitions and scan the folders of your choice.

It's also really easy to install Avast for Linux. Just download your package of choice (rpm, deb and tar.gz), then register for a free year of Avast usage. If you don't register, you won't be able to use the program.

avast! Linux Home Edition represents an antivirus solution for the increasingly popular Linux platform. The Home Edition is offered free of charge but only for home, non-commercial use. Both of these conditions should be met.

Main features:

• Outstanding performance

• Reasonable memory requirements

• ICSA certified

• Intuitive Simple User Interface


• Independent of installed graphic libraries

• Working with the scan results

• Actions on infected files

• Storing the scan results (history)

• Virus encyclopedia

• Command-line scanner with STDIN/STDOUT mode

• Non-incremental updates

• Updates can be completely automatic

• Alerts via SMTP

• Works on all modern distributions

• Shell scripts for common tasks

Antivirus kernel

The antivirus kernel of avast! for Linux is identical to the kernel for Windows systems. The latest version of the avast! antivirus kernel features outstanding detection abilities, together with high performance. You can expect 100% detection of In-the-Wild viruses (viruses already spreading between users) and excellent detection of Trojan horses with minimum false positives.

The kernel is certified by ICSA Labs; it frequently takes part in the tests of Virus Bulletin magazine, often yielding the VB100 award.

Like avast! for Windows, the avast! engine for Linux also features outstanding unpacking support. It can scan inside almost the same number of archives as under Windows, with the exception of MAPI, CAB, ACE, CHM, 7ZIP and NTFS streams. The following archives can be scanned: ARJ, ZIP, MIME (+ all associated formats), DBX (Outlook Express archives), RAR, TAR, GZIP, BZIP2, ZOO, ARC, LHA/LHX, TNEF (winmail.dat), CPIO, RPM, ISO, and SIS. It also supports a number of executable packers (such as PKLite, Diet, UPX, ASPack, FSG, MEW, etc.).

User interface

The Simple User Interface is used to start on-demand scanning, to work with the results and to change the various scan options.

The user interface requires GTK+ 2.x libraries. If you do not have these libraries installed on your system, the libraries from the installation package will be used.

Command line scanner


Experienced users will appreciate the classic on-demand scanner, controlled from the command line. It enables files to be scanned in specified directories and both on local and remote volumes. Of course, the command line scanner also works on volumes mounted over a network.

The program is very flexible and has many additional arguments and switches. It is able to generate extensive report files that can be used for analysis.

The scanner is able to run in STDIN/STDOUT mode as a pipe filter. This mode is intended to be used in shell scripts.

Automatic updates

Updates of the virus database are another key need in virus protection. Avast! is usually updated at least 3 times a week (even more frequently during virus outbreaks), providing you with the most up-to-date definitions to efficiently protect your system against the latest threats.

Virus chest

The Linux version also has a chest directory where suspicious files are stored. These files can be deleted, or it is possible to work with them later. It is also possible to submit the files to our virus lab for further analysis.

Internationalization

Currently, avast! for Linux is available in the following languages: English, Czech, Portuguese (Brazil), Bulgarian, Finnish, French. http://www.avast.com/linux-home-edition#tab1

http://www.avast.com/free-antivirus-download

1.2.2 AVG Free Edition

5 REASONS TO CHOOSE AVG

1. Over 110 million people trust our people-powered protection.

2. We're rated #1 in threat detection by independent antivirus testing labs.*

3. It's easy to install and use.

4. Our 30-day money back guarantee means your purchase is risk free.

5. Free technical support and updates to the latest versions throughout your subscription term.

*AVG Internet Security was rated Number 1 in threat detection by AV-Test Org, May-August 2010. http://free.avg.com/us-en/download http://free.avg.com/us-en/free-antivirus-download


1.2.3 ClamTk

ClamTk is a GUI front-end for Clam Antivirus using gtk2-perl. It is designed to be an easy-to-use, lightweight, point-and-click desktop virus scanner for Linux. ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high-performance multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats. http://www.clamav.net/lang/en/ http://sourceforge.net/projects/clamtk/

1.2.4 Panda Antivirus for Linux

Panda Software provides a free 'command line only' version of their software for use on Red Hat systems. The software can be automated easily by creating a script and then scheduling it to run scans at set times, but real-time protection is not possible. Updates to the engine are installed manually after downloading new definition files. If you are going to run a Linux workstation this provides a nice cost-effective solution, but too many features are missing to consider it for deployment on commercial servers. http://www.pandasecurity.com/default

1.2.5 Vexira Antivirus for Linux

Central Command Vexira Antivirus for Linux provides real time protection for workstations as well as servers with the ability to scan email, files, and downloads from external sites. Updates can be downloaded automatically via the Internet, relieving some administration chores. Vexira also has the ability to scan files automatically as they are accessed, and it offers configurable path protection. It also provides email virus notification, blocks access to infected files, and has options for repair - move - rename - deletion of infected files. Vexira provides a command-line scanner, scans archives (.zip, .gz, .tar, etc), and allows for scalable concurrent scanning. Vexira does not provide support for SMP.


Central Command's Vexira Antivirus for Linux is the best product of its kind for providing overall features and protection. Its only downfall, again, is the lack of SMP support. If Central Command can correct this one shortcoming, they could dominate the Linux market until other companies begin providing more features and automation in their products. The cost for a single workstation is around $40, and $400 for a server. http://www.centralcommand.com/

1.2.6 Trend Micro Server Protect

Trend Micro's ServerProtect provides virus protection for Linux servers in a mixed Windows environment. Administration is handled through a Web-based interface, which gives administrators the ability to run on-demand scans, set scan options for real-time and on-demand scans, and even configure automatic updates. Because the management console is web based, remote management is made easy.

ServerProtect allows administrators to configure automated alerts via email and SNMP. The logs are easy to read and provide adequate information for dealing with file infections. The downside of this product is its lack of support for newer kernels and SMP systems. http://www.trendmicro.co.in/in/products/personal/titanium-maximumsecurity/index.html#tab2

1.2.7 Sophos Antivirus

Sophos Antivirus provides a "command line" version of their software for use on Linux systems. Creating and scheduling scripts can automate scans. Updates must be downloaded and installed manually. This product does a great job of finding and removing viruses, but lacks many features needed by network administrators. http://www.sophos.com/en-us/


2.0 Lockdown, Auditing and Intrusion Detection Tools

2.1 Operating System lockdown tools

2.1.1 Windows based

2.1.1.1 SecureIt Pro 4.70.0117

Use SecureIt Pro to lock your computer when you're not there. The program comes with a ton of features: disabling the main Windows key functions, like Ctrl+Alt+Del, Alt+Tab, the Windows key, and the Ctrl+Esc key combination. SecureIt Pro can also disable the Windows boot keys, detect cold boots, allow other people to leave messages, log incorrect password attempts, or even hide itself every few seconds.

The program also includes password reminder options that can assist you if you ever forget your password, as well as several advanced configuration options and a locking screen saver. http://www.cleansofts.com/get/945/17903/SecureIT_Pro_470.html

2.1.1.2 PC Locker Pro 1.3

PC Locker Pro locks and protects the computer when you leave it.

It is easy to use: lock your computer just by clicking one button or using a hotkey.

PC Locker Pro displays a lock screen and protects your computer. Keyboard and mouse will be disabled. To unlock the computer you need to enter a password. PC Locker Pro will also lock the computer after an incorrect shutdown.

Features of PC Locker Pro 1.3:

• Lock and protect your computer when you leave.

• Display a lock screen (custom color or custom image).

• Lock computer after incorrect shutdown.

• Record unsuccessful attempts.

• Pretty and friendly interface (in the style of Windows XP).

• Easy to use.

http://www.scanwith.com/download/PCLockerPro.htm

http://www.downloadto.com/Security/Miscellaneous/PC-Locker-Pro-35217/


2.1.2 Linux based

2.1.2.1 Pessulus Lockdown Editor

Pessulus, the Lockdown Editor, restricts/locks features on your public GNOME desktop. Managing PCs for public use can be a challenge, as you don't want people to mess with system settings.

Manually editing configuration files to restrict this access can be a big pain. But with the pessulus editor you can easily freeze features that you don't want your users to have access to. For example, you wouldn't want people to log out, lock the screen, edit panel shortcuts, etc. It will lock some of the settings down for the onboard user so that your desktop stays the way you like it. You can do this using pessulus, a lockdown editor for GNOME desktops. This editor gives you the ability to disable such features of your desktop.

This software is of course not required for a single-user desktop, but if your system is for public use, like in coffee shops, then you might want to restrict some features for the user.

This is where Pessulus, the Lockdown Editor, comes into play. http://linuxers.org/article/pessulus-lockdown-editor-restrictlock-stuff-you-publicgnome-desktop

2.1.2.2 Bastille Linux

The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works.

Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), SUSE, Debian, Gentoo, and Mandrake distributions, along with HP-UX. Full Mac OS X is ready for download today.

Bastille focuses on letting the system's user/administrator choose exactly how to harden the operating system. In its default hardening mode, it interactively asks the user questions, explains the topics of those questions, and builds a policy based on the user's answers. It then applies the policy to the system. In its assessment mode, it builds a report intended to teach the user about available security settings as well as to inform the user as to which settings have been tightened.

Running Bastille on Red Hat, SuSE and Mandrake Linux

Bastille supports a number of Linux distributions and operating systems. In the RPM-focused world, it supports Fedora Core, Red Hat Enterprise, Red Hat Classic (Red Hat 6 through 9), SuSE and Mandrake systems. On these systems, Bastille is primarily used via an RPM, though you can also download the raw source tarball.


Installing Bastille 2.x on Red Hat (Classic, Enterprise or Fedora Core), SuSE or Mandrake is easiest via the RPM. You need to install the Bastille RPM as well as a supporting perl module to provide either the graphical or text-based interface.

Bastille on Mac OS X (UNIX Power Users Only)

Bastille for Mac OS X is stable. We released a beta package at ToorCon, which became our production version after additional testing. It does require you to be a UNIX Power User though, as it does not have a Mac OSX-specific installer.

Special note: because of issues in either X or perl-Tk on OSX, you'll get a trivial error when you finish running Bastille's front-end. Simply follow this up by running "bastille -b" to activate the back-end and implement the hardening steps you've chosen.

Bastille on Gentoo

Bastille is part of Gentoo, available through the portage system. Bryan Stine made a port of the current stable release set, which the Bastille project is working to integrate into the mainstream code for better maintainability. http://bastille-linux.sourceforge.net/running_bastille_on.htm

2.1.2.3 Kiosk

System administrators typically spend a lot of their time fixing trivial problems for users who have accidentally changed their settings in some way. When an inexperienced user moves a desktop icon into the wastebin or sets a mimetype to open with the wrong programme, they may be unable to reset their changes. Calls to the system administrator for help are a poor use of everyone's time. It would be better if the user had never been able to make undesirable changes.

Start the Kiosk tool (as your normal user; there's no need to run as root) by selecting K-menu -> System -> Kiosk Admin Tool, or with the kiosktool command, and click Add New Profile. Give this profile a name such as 'locked-down' and click OK to save. You will be asked for your root password to save the new profile. Now click Manage Users and add a user policy to link a user to your new locked-down profile. It is also possible to link a whole group to the policy; you can see and change which users are in which groups by looking at the file /etc/group. http://extragear.kde.org/apps/kiosktool.php


2.1.2.4 Security Blanket by TCS

Operating system (OS) security is a priority for system administrators, but most agree that it is not an easy process. It can be time consuming and difficult, and the process can vary from OS to OS. Security Blanket from Raytheon Trusted Computer Solutions (RTCS) is an easy-to-use, flexible tool that helps you configure your Red Hat Enterprise Linux (RHEL) version 4 or 5 operating system to make it more secure, a process known as system lockdown or system hardening. Additionally, Security Blanket supports CentOS 4, 5 and Oracle Enterprise Linux.

Security Blanket can be used to configure a new system to a preconfigured or customized set of security standards and can be run periodically to measure compliance. System administrators who are not Linux experts can feel confident that they can meet their organization's security requirements by using Security Blanket.

2.2 URL Scan based tools

2.2.1 Phishing Scans

2.2.1.1 Reasonable Anti-phishing Toolbar

Protect your financial accounts from fraudulent email and web sites: unlike typical anti-phishing software that relies on a phishing-report mechanism, Reasonable Anti-phishing proactively detects possible fake web sites by visual similarity, to protect your bank account, credit card information and online accounts like PayPal, eBay, Citibank and HSBC. Reasonable Anti-phishing also detects fraudulent web sites in emails and web pages.

Version 2.0.21 adds Windows Vista and IE 7 support. http://www.download.com/Reasonable-Anti-phishing-Toolbar/3000-12768_4-10634323.html

2.2.1.2 Phishing Detector 1.0

With this Anti-phishing tool you can detect Phishings, Email Frauds and Spoofed emails immediately at your INBOX with one click. http://www.scanwith.com/download/Phishing_Detector.htm


2.2.1.3 Garlicwrap

GralicWrap is a remote-control client that slows down the Internet performance of the system, because the application maintains a constant connection with its central server. It also blocks fraudulent websites: GralicWrap checks every website visited by the user against the information stored in its central database. http://gralicwrap.com/WebDownloadClient.php

2.2.1.4 McAfee SiteAdvisor for Firefox

McAfee SiteAdvisor for Firefox adds safety ratings to sites and search results to protect you against adware, spam, and online scams. http://www.siteadvisor.com/download/ff_preinstall.html

2.2.1.5 Spoofstick

SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places, hoping that some percentage of users won't notice the incorrect URL and will give away important information. This practice is sometimes known as "phishing". http://www.spoofstick.com/internet_explorer.html

http://www.spoofstick.com/firefox.html

2.3 Web Server Lockdown Tools

2.3.1 Microsoft IIS Lockdown Tool 2.1

Microsoft has released an updated version of the Internet Information Services (IIS) Lockdown Tool, 2.1, which provides templates for the major IIS-dependent Microsoft products. The IIS Lockdown Tool functions by turning off unnecessary features. This reduces the attack surface available to an attacker. To provide in-depth defense or multiple layers of protection against an attacker, URLscan, with customized templates for each supported server role, has been integrated into the IIS Lockdown Tool.

However, to help keep your server secure and to stay protected against known security vulnerabilities, you must install all critical updates.

All the default security-related configuration settings in IIS versions 6.0 and 7.0 meet or exceed the security configuration settings made by the IIS Lockdown tool.

Therefore, you do not have to run this tool on Web servers that are running IIS version 6.0 or 7.0. However, if you are upgrading from an earlier version of IIS, you should run the IIS Lockdown Tool before the upgrade to enhance the security of your Web server.

Here is a list of the new features in IIS Lockdown Tool 2.1:

• Server roles. Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. These include Microsoft Exchange Server 5.5 and Exchange 2000 Server, Microsoft Commerce Server, Microsoft BizTalk Server, Microsoft Small Business Server 4.5 and 2000, Microsoft SharePoint Portal Server, Microsoft FrontPage Server Extensions, and SharePoint Team Services.

• URLscan integration, with customized templates for each supported server role. This integration enables the IIS Lockdown Tool to provide additional security enforced by URLscan without requiring the administrator to design a custom URLscan filter for the particular server configuration and application.

• Ability to remove or disable IIS services. Services such as HTTP, FTP, SMTP, and NNTP can be removed or disabled.

• Support for scripted or unattended installation. The tool can read from an answer file.

• Redesigned user interface and fixes. In response to user feedback, the IIS Lockdown Tool offers an improved user experience.

http://technet.microsoft.com/en-us/library/dd450372%28WS.10%29.aspx

http://www.microsoft.com/technet/security/tools/locktool.mspx

2.3.2 URL Scan security tool

Microsoft released UrlScan 3.0 as a separate download, which added features to create filtering rules, to always allow specific URLs to bypass UrlScan filtering, and to allow or deny requests that contained user-defined query string elements. This feature helps prevent server attacks that use query strings, such as SQL injection attacks. UrlScan 3.0 added change notifications for the UrlScan.ini file, so it is no longer necessary to restart IIS after updating your UrlScan.ini file.

Microsoft later released UrlScan 3.1 as a separate download, which added enhanced parsing of escape sequences in URLs and query strings. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5017 http://www.microsoft.com/technet/security/tools/urlscan.mspx

2.4 Intrusion Detection tools

2.4.1 Linux based

2.4.1.1 Tiger (intrusion detection tool)

Tiger is a security tool that can be used both as a security audit and as an intrusion detection system. It supports multiple UNIX platforms and is free, provided under the GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language. http://download.savannah.nongnu.org/releases/tiger/

2.4.1.2 Tripwire (monitors directories for changes)

Open Source Tripwire® software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. http://sourceforge.net/projects/tripwire/

2.4.1.3 SWATCH (actively monitors log files)

The purpose of this program is to scan the system log files and report security-related events or other events of interest. Swatch can be configured to send alerts to system administrators. The program uses a resource file to scan for certain events and generate alerts. The resource file consists of directives that specify patterns, the actions to take when a pattern is found, and the recurrence of the pattern. The swatch distribution provides a call_pager Perl utility; as the name implies, this utility sends alert pages to systems personnel. Listing 3 displays a typical swatch resource file. By default, the swatch program expects the resource file to be named ~/.swatchrc and will monitor the /var/log/syslog file. These defaults can also be overridden via command-line options. Before using this utility, make sure you understand the syslog configuration information, typically located in /etc/syslog.conf. http://safari.java.net/0321194438/ch08lev2sec2
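As an added illustration (not part of this document, not the swatch program itself, and not the Listing 3 referred to above), the following Python watcher reads the subset of resource-file syntax the paragraph describes (a watchfor pattern, the actions listed beneath it, and a throttle controlling recurrence) and runs it over a handful of syslog lines. The resource file, the log lines and the year 2024 attached to the year-less syslog timestamps are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Rule:
    """One 'watchfor' block: a regex, the actions under it, and a throttle window."""
    pattern: "re.Pattern[str]"
    actions: List[str] = field(default_factory=list)
    throttle: timedelta = timedelta(0)      # zero means alert on every match
    last_alert: Optional[datetime] = None
    suppressed: int = 0                     # matches swallowed by the throttle


def parse_throttle(spec: str) -> timedelta:
    """Parse swatch's hours:minutes:seconds throttle specification."""
    hours, minutes, seconds = (int(part) for part in spec.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_resource(text: str) -> List[Rule]:
    """Parse the .swatchrc subset used here: watchfor /regex/, actions, throttle."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("watchfor"):
            match = re.fullmatch(r"watchfor\s+/(.*)/", line)
            if match is None:
                raise ValueError(f"malformed watchfor line: {raw!r}")
            rules.append(Rule(pattern=re.compile(match.group(1))))
        elif rules:
            keyword, _, rest = line.partition(" ")
            if keyword == "throttle":
                rules[-1].throttle = parse_throttle(rest.strip())
            else:
                rules[-1].actions.append(line)   # echo, mail, exec, ... kept verbatim
        else:
            raise ValueError(f"action before any watchfor: {raw!r}")
    return rules


SYSLOG_TIMESTAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s")


def parse_timestamp(line: str, year: int = 2024) -> Optional[datetime]:
    """Classic syslog lines carry no year; one is assumed so that time deltas work."""
    match = SYSLOG_TIMESTAMP.match(line)
    if match is None:
        return None
    return datetime.strptime(match.group(1), "%b %d %H:%M:%S").replace(year=year)


def watch(rules: List[Rule], lines: List[str]) -> List[dict]:
    """Run every line through every rule, honouring each rule's throttle window."""
    alerts = []
    for line in lines:
        stamp = parse_timestamp(line)
        for rule in rules:
            if rule.pattern.search(line) is None:
                continue
            in_window = (stamp is not None and rule.last_alert is not None
                         and stamp - rule.last_alert < rule.throttle)
            if in_window:
                rule.suppressed += 1        # recurrence inside the window: no new alert
                continue
            alerts.append({
                "time": stamp,
                "line": line,
                "actions": list(rule.actions),
                "suppressed_since_last": rule.suppressed,
            })
            rule.last_alert = stamp
            rule.suppressed = 0
    return alerts


# Constructed resource file in .swatchrc syntax (hypothetical, for this example only).
RESOURCE_FILE = r"""
# repeated SSH failures: alert, but at most once every five minutes
watchfor /Failed password for \S+ from \S+/
    echo
    mail addresses=root,subject="swatch: failed login"
    throttle 00:05:00

# kernel oops: always alert
watchfor /kernel: Oops/
    echo
"""

# Constructed syslog lines; timestamps chosen to exercise the throttle window.
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[410]: Failed password for root from 192.0.2.10 port 5000 ssh2
Jan 10 12:00:03 host sshd[410]: Failed password for root from 192.0.2.10 port 5001 ssh2
Jan 10 12:06:00 host sshd[412]: Failed password for admin from 192.0.2.11 port 5002 ssh2
Jan 10 12:07:00 host kernel: Oops: 0000 [#1] SMP
Jan 10 12:08:00 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)
"""


def run_sample() -> List[dict]:
    """Apply the constructed resource file to the constructed log."""
    return watch(parse_resource(RESOURCE_FILE), SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["time"], alert["actions"], alert["suppressed_since_last"])
        print("   ", alert["line"])
```

The second failed login arrives two seconds after the first and is swallowed by the five-minute throttle; the third, six minutes later, alerts again and reports one suppressed recurrence, while the kernel line matches the unthrottled rule.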

2.4.1.4 LIDS (Linux Intrusion Detection System)

LIDS is an enhancement for the Linux kernel written by Xie Huagang and Philippe Biondi. It implements several security features that are not in the Linux kernel natively. Some of these include: mandatory access controls (MAC), a port scan detector, file protection (even from root), and process protection. http://www.secureos.jp/LIDS-JP/develop/

2.4.1.5 Snort (intrusion detection tool)

Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry. http://www.snort.org/

2.4.1.6 Bro (network intrusion detection system)

Bro is a network IDS developed by the Lawrence Berkeley National Laboratory of the Department of Energy and is used quite heavily in federal, military and research labs. Bro is an open source, Unix-based NIDS that passively monitors network traffic and looks for anomalous traffic behavior.

This tool works by first extracting the application layer of packets and then executes event-oriented analyzers comparing the patterns with signatures that have been identified as malicious data. Although Bro is a signature-based detection engine, it can detect attacks through changes in traffic patterns and predefined activities. http://www.bro-ids.org/download.html


2.4.1.7 Prelude (Intrusion Detection tool)

Prelude benefits from its ability to find traces of malicious activity from different sensors (Snort, honeyd, Nessus Vulnerability Scanner, Samhain, over 30 types of systems logs, and many others) in order to better verify an attack and in the end to perform automatic correlation between the various events.

Prelude is committed to providing a hybrid IDS that offers the ability to unify currently available tools into one powerful, distributed application. http://www.prelude-ids.org/spip.php?rubrique6

2.4.1.8 OSSEC (Host-based Intrusion Detection System)

OSSEC is an open source host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. http://www.ossec.net/main/downloads/

2.4.1.9 McAfee Free Tools (Intrusion Detection Tools)

2.4.1.9.1 Attacker v3.0

A TCP/UDP port listener.

Attacker is a TCP/UDP port listener. You provide a list of ports to listen on and the program will notify you when a connection or data arrives at the port(s). It can minimize to the system tray and play an audible alert. This program is intended to act as a guard dog to notify you of attempted probes to your computer via the Internet.

Attacker is not intended to protect your computer from hackers in any way other than notifying you of what was always happening to your computer before you knew about it! Running this program may in fact attract more attention to your computer from people remotely scanning for vulnerabilities due to it appearing as a collection of open ports. However, it will definitely not lessen the security of your computer. It is strongly recommended you have a good anti-virus program installed and that you do NOT have File & Printer Sharing enabled for use over the Internet.


http://www.mcafee.com/us/downloads/free-tools/attacker.aspx

2.4.1.9.2 Carbonite v1.0

A Linux Kernel Module to aid in RootKit detection.

Incident Response vs. Loadable Kernel Module Rootkits

Rootkits are collections of commonly trojaned system processes and scripts that automate many of the actions an attacker takes when he compromises a system.

Rootkits will trojan ifconfig, netstat, ls, ps, and many other system files to hide an attacker's actions from unwary system administrators. They are freely available on the Internet, and one exists for practically every Unix release. The state-of-the-art rootkits are Loadable Kernel Modules (a feature common to most Unix systems) that hide files, hide processes, and create illicit backdoors on a system. Solaris, Linux, and nearly all Unix flavors support Loadable Kernel Modules. Attacker tools that are Loadable Kernel Modules, or LKMs, have added to the complexity of performing initial response and investigations on Unix systems.

All operating systems provide access to kernel structures and functions through system calls. This means that whenever an application or command needs to access a resource the computer manages via the kernel, it does so through system calls. This covers practically every command a user types! Therefore LKM rootkits such as knark, adore, and heroin pose quite a challenge to investigators. A system administrator who relies on user space tools (any normal Unix commands) to query running processes could overlook critical information during the initial response, because those tools see only what the subverted kernel reports.

Therefore we created a Linux kernel module called Carbonite, an lsof and ps at the kernel level. Carbonite "freezes" the status of every process in Linux's task_struct, which is the kernel structure that maintains information on every running process in Linux. http://www.mcafee.com/us/downloads/free-tools/carbonite.aspx

3.0 Security Assessment Tools

3.1 Assessment Of OS Security Levels

3.1.1 Microsoft Security Assessment Tool (Windows)

The Microsoft Security Assessment Tool (MSAT) is a risk-assessment application designed to provide information and recommendations about best practices for security within an information technology (IT) infrastructure. http://www.microsoft.com/downloads/details.aspx?FamilyID=6d79df9c-c6d1-4e8f-8000-0be72b430212&displaylang=en

3.1.2 Nessus ($, Linux, Windows)

The Nessus® vulnerability scanner is the world leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks. http://www.nessus.org/download/

3.1.3 Retina ($, Windows)

Retina Network Security Scanner, the industry and government standard for multi-platform vulnerability management, identifies known and zero-day vulnerabilities and provides security risk assessment, enabling security best practices, policy enforcement, and regulatory audits. http://www.eeye.com/html/products/retina/download/index.html

3.1.4 IBM Internet Scanner

Internet Scanner can identify more than 1,300 types of networked devices on your network, including desktops, servers, routers/switches, firewalls, security devices and application routers.

Once all of your networked devices are identified, Internet Scanner analyzes the configurations, patch levels, operating systems and installed applications to find vulnerabilities that could be exploited by hackers trying to gain unauthorized access. https://www.iss.net/issEn/MYISS/login.jhtml?action=download

3.1.5 PatchLink vulnerability assessment tool

Reduce corporate risk through the timely, proactive elimination of operating system and application vulnerabilities.

Decrease IT costs and improve productivity with a highly automated, subscription-based patch management solution.

Eliminate recurring risks caused by 'patch drift'.

Demonstrate compliance with security policies and government regulations through continuous patch monitoring and comprehensive reporting. http://www.lumension.com/patch-management.jsp

3.1.6 QualysGuard ($, Linux, Windows)

FreeScan allows you to quickly and accurately scan your server for thousands of vulnerabilities that could be exploited by an attacker. If vulnerabilities exist on the IP address provided, FreeScan will find them and provide detailed information on each risk, including its severity, associated threat, and potential impact. It even provides links to give you more information about the vulnerability and how to correct it. http://www.qualys.com/forms/trials/freescan/matrix/?lsid=6960

3.1.7 GFI LANguard ($, Windows)

GFI LANguard Network Security Scanner (N.S.S.) is an award-winning solution that allows you to scan, detect, assess and rectify security vulnerabilities on your network. As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management and network auditing, at times using multiple products. With GFI LANguard N.S.S., these three pillars of vulnerability management are addressed in one package. Using a single console with extensive reporting functionality, GFI LANguard N.S.S.'s integrated solution helps you address these issues faster and more effectively. http://www.gfi.com/downloads/downloads.aspx?pid=lanss&lid=EN

3.1.8 Core Impact ($, Windows)

Core Impact is a commercial penetration testing application developed by Core Security Technologies which allows the user to probe for and exploit security vulnerabilities in a computer network.

The interface is designed to be usable by individuals without specialized training in computer security, and includes functions for generating reports from the gathered information. It is used by over 600 companies and government entities. http://www.coresecurity.com/?module=ContentMod&action=item&id=535

3.1.9 ISS Internet Scanner ($, Windows)

Minimum purchase quantity: 10 IPs. ISS Internet Scanner is installed on one computer on the network, and scans computers and routers for security vulnerabilities in the operating system, key applications and configuration, using ISS's database of known vulnerabilities. The perpetual license requires annual support and maintenance. This version includes SiteProtector management for licenses up to 500 IPs. http://www.securehq.com/group.wml&deptid=75&groupid=394&sessionid =

3.1.10 Nikto (Linux)

Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but its value is limited by its infrequent updates: the newest and most critical vulnerabilities are often not detected. http://linux.softpedia.com/get/System/Networking/Nikto-10271.shtml

3.1.11 X-Scan (Windows)

X-Scan is a basic network vulnerability scanner utilising a multi-threaded scan approach. The scanner can be used from the command line and also has an easy-to-use GUI front-end. The following items can be scanned:

Remote OS type and version detection,

Standard port status and banner information,

SNMP information,

CGI vulnerability detection,

IIS vulnerability detection,

RPC vulnerability detection,

SSL vulnerability detection,

SQL-server,

FTP-server,

SMTP-server,

POP3-server,

NT-server weak user/password pairs authentication module,

NT server NETBIOS information,

Remote Registry information, etc. http://www.xfocus.org/programs/200507/18.html

3.1.12 SARA (Linux, Windows, open source)

In its simplest (and default) mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws, usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can then examine, query, and analyze the output with an HTML browser, such as Mosaic or Netscape. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool: network topology, network services running, types of hardware and software being used on the network, etc. http://www-arc.com/sara/

3.1.13 SAINT ($, Linux, open source)

SAINT, or the Security Administrator's Integrated Network Tool, uncovers areas of weakness and recommends fixes. With the SAINT® vulnerability assessment tool, you can:

Detect and fix possible weaknesses in your network's security before they can be exploited by intruders.

Anticipate and prevent common system vulnerabilities.

Demonstrate compliance with current government regulations such as FISMA, SOX, GLBA, HIPAA, and COPPA and with industry regulations such as PCI DSS.

The SAINT® scanning engine is the ideal cornerstone for your vulnerability assessment program. SAINT features a graphical user interface that is intuitive and easy to use. http://download.saintcorporation.com/downloads/freetrial/saint-install-6.7.2.gz

3.1.14 MBSA (Windows)

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week.

3.2 Assessment of web server security levels

3.2.1 Nikto (Linux, Windows, open source)

Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but its value is limited by its infrequent updates: the newest and most critical vulnerabilities are often not detected.

3.2.2 Paros Proxy (Linux, Windows, open source)

We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified. http://www.parosproxy.org/download.shtml

3.2.3 WebScarab (Linux, Windows, open source)

WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.

In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. http://www.net-security.org/software.php?id=504

3.2.4 WebInspect ($, Windows)

WebInspect application security assessment tool ensures your organization's web security and the security of your most critical information by identifying known and unknown vulnerabilities within the Web application layer. WebInspect also helps you ensure Web server security by including checks that validate that the Web server is configured properly. With WebInspect, auditors, compliance officers, and security experts can perform security assessments on Web applications and Web services. https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5e9570_4000_100__

3.2.5 Whisker/libwhisker (Linux, Windows, open source)

Libwhisker is a Perl module geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto, which also uses libwhisker. http://www.wiretrip.net/rfp/

3.2.6 Burp Suite (Linux, Windows, Opensource)

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another. http://portswigger.net/suite/download.html

3.2.7 Wikto (Windows, open source)

Wikto is a tool that checks for flaws in web servers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code. http://www.sensepost.com/research/wikto/

3.2.8 Acunetix Web Vulnerability Scanner ($, Windows)

Out of the 100,000 websites scanned by Acunetix WVS, 42% were found to be vulnerable to Cross Site Scripting. XSS is extremely dangerous and the number of the attacks is on the rise. Hackers are manipulating these vulnerabilities to steal organizations’ sensitive data. Can you afford to be next?

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on the user's machine in order to gather data. Exploited Cross Site Scripting is commonly used to achieve the following malicious results:

Identity theft

Accessing sensitive or restricted information

Gaining free access to otherwise paid for content

Spying on user’s web browsing habits

Altering browser functionality

Public defamation of an individual or corporation

Web application defacement

Denial of Service attacks http://www.acunetix.com/cross-site-scripting/scanner.htm

3.2.9 Watchfire AppScan ($, Windows)

Watchfire® AppScan® automates web application security audits to help ensure the security and compliance of websites. Named the worldwide market-share leader according to Gartner and IDC, our AppScan product suite offers a solution for all types of web application security testing needs (outsourced, individual scans and enterprise-wide analysis) and for all types of users (application developers, quality assurance teams, penetration testers, security auditors and senior management). https://www.watchfire.com/securearea/appscan.aspx

3.2.10 N-Stealth ($, Windows)

N-Stealth is a comprehensive web server security-auditing tool that scans for over 30,000 vulnerabilities. It is ideal for system administrators, security consultants and IT professionals. http://www.nstalker.com/products/free/

3.3 Assessment of Database security levels

3.3.1 IPLocks

IPLocks Armour provides the industry's most robust solution for detecting and repairing database weaknesses. No other vendor can match the combination of scalability, customizability, and cost-effectiveness of IPLocks. Companies around the world use IPLocks Armour to support critical initiatives such as:

User Privilege Reporting

Internal Security

SOX Compliance

PCI Compliance

Risk Management http://www.iplocks.com/products/iplocks_armour.html

3.3.2 AppDetective

A network-based vulnerability assessment scanner, AppDetectivePro discovers database applications within your infrastructure and assesses their security strength. In contrast to piecemeal solutions, AppDetectivePro modules allow enterprises to assess two primary application tiers, application/middleware and back-end databases, through a single interface. Backed by a proven security methodology and extensive knowledge of application-level vulnerabilities, AppDetectivePro locates, examines, reports, and fixes security holes and misconfigurations. As a result, enterprises can proactively harden their database applications while at the same time improving and simplifying routine audits. https://www.appsecinc.com/downloads/appdetectivepro/

3.4 Assessment of Applications security

3.4.1 Browser security levels

3.4.1.1 Watchfire

Watchfire® AppScan® automates web application security audits to help ensure the security and compliance of websites. Named the worldwide market-share leader according to Gartner and IDC, our AppScan product suite offers a solution for all types of web application security testing needs (outsourced, individual scans and enterprise-wide analysis) and for all types of users (application developers, quality assurance teams, penetration testers, security auditors and senior management). https://www.watchfire.com/securearea/appscan.aspx

3.4.1.2 N-Stalker

N-Stalker Web Application Security Scanner 2006 is a web security assessment solution developed by N-Stalker. By incorporating the well-known N-Stealth HTTP Security Scanner and its 35,000 Web Attack Signature database, along with a patent-pending Component-oriented Web Application Security Assessment technology, N-Stalker is capable of sweeping your Web Application for a large number of vulnerabilities common to this environment, including Cross-site Scripting and SQL injection, Buffer Overflow and Parameter Tampering attacks and much more. http://www.nstalker.com/products/free/download-free-edition

3.4.1.3 Acunetix

Website security is possibly today's most overlooked aspect of securing the enterprise and should be a priority in any organization. Hackers are concentrating their efforts on web-based applications: shopping carts, forms, login pages, dynamic content, etc. Web applications are accessible 24 hours a day, 7 days a week and control valuable data since they often have direct access to backend data such as customer databases.

Firewalls, SSL and locked-down servers are futile against web application hacking.

Defenses at the network security level provide no protection against web application attacks, since those attacks arrive over port 80, which has to remain open.

In addition, web applications are often tailor-made and therefore tested less than off-the-shelf software, so they are more likely to have undiscovered vulnerabilities.

Acunetix WVS automatically checks your web applications for SQL Injection, XSS and other web vulnerabilities. www.acunetix.com/

3.4.1.4 Sprajax (for AJAX)

Sprajax is an open source black box security scanner used to assess the security of AJAX-enabled applications. By detecting the specific AJAX frameworks in use, Sprajax is able to better formulate test requests and identify potential vulnerabilities. http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project

3.4.1.5 Pixy (for PHP)

Pixy is an open source vulnerability scanner that identifies SQL injection and XSS problems in PHP applications. http://pixybox.seclab.tuwien.ac.at/pixy/download.php

3.4.2 Peer to peer networking levels

3.4.2.1 Prevx

In order to share files on your computer, and sometimes in order for you to access files on other computers within a P2P network such as BitTorrent, you must open a specific TCP port through the firewall for the P2P software to communicate. In effect, once you open the port you are no longer protected from malicious traffic coming through it.

Prevx may cause confusion for novice users in much the same way personal firewall software such as ZoneAlarm does: simply allowing or banning actions wholesale would result in either allowing a large amount of suspicious activity to go undetected or banning a large amount of benign actions, such as the user trying to install their own software, so Prevx asks the user how it should treat the activity.

Any time an application attempts to access system memory or critical files or alter the registry, the Prevx Home software detects the activity and either blocks it completely or asks the user how to proceed. According to Prevx, the software will detect and prevent buffer overflows and overruns, modification of critical files and directories, unauthorized changes to critical areas of the system registry and more.

I removed my antivirus and firewall software for an entire week during my test and still ran into no viruses or other malicious code or spyware. A scan with Ad-Aware found a handful of tracking cookies, but nothing malicious. http://info.prevx.com/downloadprevx2.asp


3.4.2.2 Honeytrap

Honeytrap is a network security tool written to observe attacks against network services. As a low-interaction honeypot, it collects information regarding known or unknown network-based attacks and thus can provide early-warning information. http://honeytrap.mwcollect.org/download-Download%20Honeytrap

4.0 Operating System Updates and Patches

4.1 Security update solution tools

4.1.1 Windows based tools

4.1.1.1 Updates

4.1.1.1.1 Microsoft Update

Latest bug fixes for Microsoft Windows, including fixes for some possible DoS attacks. http://www.update.microsoft.com/windowsupdate/

4.1.1.1.2 WSUS

Microsoft Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. http://technet.microsoft.com/en-us/wsus/default.aspx

4.1.1.1.3 Microsoft Office Update

Latest bug fixes for Microsoft Windows, including fixes for some possible DoS attacks. http://office.microsoft.com/en-us/downloads/default.aspx

5.0 Security Update detection tools

5.1 MBSA

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week. http://www.microsoft.com/technet/security/tools/mbsahome.mspx

5.2 Microsoft Office Visio 2007 Connector

Do you know the security status of your network? Get a visual. The Visio 2007 Connector for Microsoft Baseline Security Analyzer (MBSA) lets you view the results of an MBSA scan in a clear, comprehensive Microsoft Office Visio 2007 network diagram. You must have both Visio 2007 Professional and MBSA 2.1, a free security tool from Microsoft, for this connector to work properly.

5.3 Microsoft Security Compliance Manager

This tool provides security configuration recommendations from Microsoft, centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft products.

Take advantage of the experience of Microsoft security professionals, and reduce the time and money required to harden your environment. This end-to-end Solution Accelerator will help you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications. Access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple formats—including XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP)—to export the baselines to your environment to automate the security baseline deployment and compliance verification process.

Use the Microsoft Security Compliance Manager to achieve a secure, reliable, and centralized IT environment that will help you better balance your organization's needs for security and functionality. http://technet.microsoft.com/en-us/library/cc677002.aspx

5.4 Microsoft Security Assessment Tool

The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations like yours assess weaknesses in your current IT security environment, reveal a prioritized list of issues, and help provide specific guidance to minimize those risks. MSAT is an easy, cost-effective way to begin strengthening the security of your computing environment and your business. Begin the process by taking a snapshot of your current security state, and then use MSAT to continuously monitor your infrastructure’s ability to respond to security threats.

MSAT is designed to help you identify and address security risks in your IT environment. The tool employs a holistic approach to measuring your security posture and covers topics including people, process, and technology.

MSAT provides:

Easy to use, comprehensive, and continuous security awareness

A defense-in-depth framework with industry comparative analysis

Detailed, ongoing reporting comparing your baseline to your progress

Proven recommendations and prioritized activities to improve security

Structured Microsoft and industry guidance http://technet.microsoft.com/en-us/security/cc185712

5.5 Security Update Management

Microsoft Update

Microsoft Update consolidates updates provided by Windows Update and Office Update into one location and enables you to choose automatic delivery and installation of high-priority updates.

Windows Server Update Services (WSUS)

WSUS simplifies the process of keeping Windows-based systems current with the latest updates, with minimal administrative intervention.

System Center Configuration Manager


System Center Configuration Manager 2007 enables operating system and application deployment and configuration management, enhancing system security and providing comprehensive asset management of servers, desktops, and mobile devices.

Systems Management Server 2003 Inventory Tool for Microsoft Updates

Systems Management Server administrators can use the Inventory Tool for Microsoft Updates (ITMU) to determine the update compliance of managed systems. http://technet.microsoft.com/en-us/security/cc297183

References

• Linux Kernel Archives. http://www.kernel.org

• Linux Security Modules. http://lsm.immunix.org

• Openwall Project. http://www.openwall.com

• PaX Project. http://pageexec.virtualave.net

• Rule Set Based Access Control for Linux. http://www.rsbac.org

• Security-enhanced Linux. http://www.nsa.gov/selinux

• http://www.cyberciti.biz

• http://www.microsoft.com

• http://en.wikipedia.org

• http://www.cmu.edu

Other sources include websites found through search engines.
