Auditing Networks, Perimeters and Systems

Audit Checklists, Unit 6
Windows
The SANS Institute
Copyright 2001 Marchany
1
W2K CIS Rulers
• CIS Rulers are being developed for Windows 2000 and NT systems
• Format is similar to the Unix rulers (levels 1-3)
• Work has just started on it
• You’re getting a very ROUGH preview of the rulers.
Sample W2K Level 1 Ruler – Physical Data Security
• Enable the end user to protect laptops.
• Physically secure servers.
• Protect the server from unattended reboot.
  – Protect the SAM with SYSKEY
• Protect the backup tapes.
• Use NTFS disk partitions.
• Use Encrypting File System
Sample W2K Level 1 Ruler – Security Policy Configuration
• Configure the Local Security Policy.
• Configure the Account Policy.
• Secure Administrator/Guest accounts.
• Configure Local Policies.
• Enable Audit Policies.
• Customize User Rights.
Win2k Audit
(Run MMC -> CTRL M -> Security Templates -> Setup Security)
User Rights
Sample W2K Level 1 Ruler – Security Policy Configuration
• Customize Security Options
  – Restrict Anonymous Connections
  – Allow server operators to schedule tasks (DC only).
  – Clear virtual memory pagefile on shutdown.
  – Audit access of Global System Objects.
  – Do not display last username in login screen.
• Configure Public Key Policy.
• Configure IP Security Policy.
File System Configuration
(__) Define System Configuration and Service Pack Level
(__) During Audit, set browser to see all files
(__) System is configured as NTFS file system?
(__) System Administrator has a current Emergency Recovery Disk in a locked storage area.
(__) Wiping of system page file occurs at system shutdown.
Sample W2K Level 1 Ruler
• Group Policy
• MMC Snap-In
• System Tools
  – Configure Event Log Settings
  – System Information
  – Performance Logs & Alerts
  – Local Users & Groups
• Lock out unauthorized Floppy Disk use
Sample W2K Level 1 Ruler
• Disable unused services
  – Remove OS/2 and POSIX subsystems
• Secure remote control programs (PC Anywhere)
• Disable Microsoft Network Client
• Additional Utilities
  – W2K Support Tools
  – Resource Kit tools
Sample W2K Level 1 Ruler
• Freeware, Shareware and Commercial Tools
  – Use Access Control List auditing tools
  – Audit SP and HotFix levels
  – Consider installing nmap, WinDump, PGP, Anti-Trojan, L0phtCrack 3, snort
Sample W2K Level 1 Ruler – The Registry
• Disable auto-run on CD ROM drives.
• Control Remote Registry Access.
• Restrict Null User access to named pipes and shares.
• Disable Router discovery.
• Disable ICMP Redirects.
• Remove Administrative Shares.
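The Security Options items earlier in this ruler (restrict anonymous, clear the pagefile, audit base objects, hide the last username) and the Registry items on this slide all reduce to values under HKLM that an auditor can read and compare with an expected state. The Python below is an added example, not part of the course material: it encodes those checks against the standard NT 4.0/Windows 2000 value locations (assumed from Microsoft documentation; some moved in later Windows versions), runs them over a constructed sample, and can be pointed at a live host through winreg. Router discovery is set per interface and remote registry access is an ACL on the winreg key, so those two items are left to a manual check.

```python
from typing import Any, Callable, Dict, List, Tuple
# Keys under HKLM; the standard NT 4.0 / Windows 2000 locations (assumed from Microsoft docs).
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
SRV = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
TCP = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
MEM = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
LOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def as_int(v: Any):  # NT-era values are sometimes REG_SZ "1" rather than DWORD 1
    try:
        return int(v)
    except (TypeError, ValueError):
        return None  # absent (None) or non-numeric value
# (key, value name, pass predicate, checklist item). Predicates receive None when the
# value is absent, so each one states whether the OS default passes or fails the item.
CHECKS: List[Tuple[str, str, Callable[[Any], bool], str]] = [
    (LSA, "RestrictAnonymous", lambda v: as_int(v) in (1, 2), "Restrict Anonymous Connections"),
    (LSA, "AuditBaseObjects", lambda v: as_int(v) == 1, "Audit access of Global System Objects"),
    (MEM, "ClearPageFileAtShutdown", lambda v: as_int(v) == 1, "Clear pagefile on shutdown"),
    (LOGON, "DontDisplayLastUserName", lambda v: as_int(v) == 1, "Do not display last username"),
    (EXPL, "NoDriveTypeAutoRun", lambda v: bool((as_int(v) or 0) & 0x20), "Disable CD-ROM auto-run"),
    (SRV, "NullSessionPipes", lambda v: not v, "No named pipes reachable by null sessions"),
    (SRV, "NullSessionShares", lambda v: not v, "No shares reachable by null sessions"),
    (TCP, "EnableICMPRedirect", lambda v: as_int(v) == 0, "Disable ICMP redirects"),
    (SRV, "AutoShareServer", lambda v: as_int(v) == 0, "Remove administrative shares (Server)"),
    (SRV, "AutoShareWks", lambda v: as_int(v) == 0, "Remove administrative shares (Professional)"),
]

def audit(read: Callable[[str, str], Any]) -> Dict[str, bool]:
    """Evaluate every check; read(key, name) returns the value or None if absent."""
    return {item: bool(ok(read(key, name))) for key, name, ok, item in CHECKS}

def read_hklm(key: str, name: str) -> Any:
    """Live reader for a Windows host (winreg is Windows-only, so imported lazily)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            return winreg.QueryValueEx(k, name)[0]
    except OSError:
        return None

# Constructed stand-in for a partly hardened host's registry (not captured from a real system).
SAMPLE = {
    (LSA, "RestrictAnonymous"): 1, (MEM, "ClearPageFileAtShutdown"): 0,
    (LOGON, "DontDisplayLastUserName"): "1", (EXPL, "NoDriveTypeAutoRun"): 0x95,
    (SRV, "NullSessionPipes"): ["COMNAP", "COMNODE"], (TCP, "EnableICMPRedirect"): 0,
}
def audit_sample() -> Dict[str, bool]:
    return audit(lambda key, name: SAMPLE.get((key, name)))  # live host: audit(read_hklm)
```

On the sample, four of the ten items pass; absent values fail the items whose OS default is the permissive setting (administrative shares, pagefile wipe) and pass the two null-session lists, which are empty when absent.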
Sample W2K Level 1 Ruler
• File Folder and Registry Permissions
• Security Analysis and Configuration Tool
  – Apply standard Incremental Security Templates
  – Create Custom Policies
  – Perform analysis of computer
• Recovery Options
  – Baseline System backup
  – Regular System backup
  – Remote System backup
  – NTBackup.exe
Sample W2K Level 1 Ruler
• Recovery Options (Continued)
  – Emergency Repair Disks
  – Safe Mode with or without networking
  – Safe Mode with command prompt
  – Recovery Console
• Active Directory Services
  – Domain Controllers and Trust
  – The Trees vs. the Forest
  – Enterprise Admins and Schema Admins
Sample W2K Level 1 Ruler
• Application Security
  – IIS v5 – CRITICAL!
  – Telnet Server
  – File and Printer Sharing
  – Windows Services for Unix 2.0
  – Exchange, Outlook, Outlook Express
  – SQL
• These may be more suited to Level 2
A Sample NT Level 1 Ruler
• Installation
• Networking
• User Accounts
• Services/System
• Files/Directories
• Registry
• Applications
Developed by Marc Debonis, VA Tech
Sample VT Level 1 NT Ruler
• Installation
  – Physically secure machine
  – Enable BIOS boot password, user/admin levels
  – Install NT on C:, no dual boot, use NTFS
  – Put bogus name for install
  – Select only TCP/IP to install
  – Do NOT install IIS
  – Do NOT use DHCP
  – Do NOT use WINS server entries
Sample VT Level 1 NT Ruler
• Installation
  – Disable LMHOSTS lookup
  – Login as Administrator
    • Delete MyBriefCase, Install IIS, IE, Inbox icons
  – Install post SP5/SP6 hotfixes
    • Install in this order: Winhlp-I, Nddefixi, Lsareqi, Q234351I, Csrssfxi, Loctlfxi, Ntfsfix1, Igmpfix1, Ipsrfixi
(__) Define Service Pack Level
Start -> Run -> WINVER (works the same for NT 4.0)
Checking for Service Packs
(__) System does not have unnecessary devices
Start -> Settings -> Control Panel -> Devices.
Sample VT Level 1 Ruler
• Networking
  – Use network control panel to remove RPC Configuration, NetBIOS Interface, Workstation, Server.
  – Set service TCP/IP NetBIOS Helper to disabled
  – Disable Windows NT Networking
  – Disable WINS Client (TCP/IP) binding
  – Disable WINS Client (TCP/IP) device
Sample VT Level 1 Ruler
• Accounts
  – Set minimum password length to 8
  – Lockout after 3 bad attempts
  – Under Policies -> User Rights
    • Select Right/Access this computer from Network and remove ALL groups listed in the Grant To box
    • Under Show Advanced Rights, select Bypass Traverse Checking, remove Everyone
    • Select Log on Locally and disable guest
Sample VT NT Level 1 Ruler
• Accounts
  – Select Policies -> Audit
    • Enable audit events: logon/logoff, user/group mgt, security policy changed, restart, shutdown and system
  – Open User Manager for Domains
    • Rename Administrator account to Master
    • Remove Description for Master Account
    • Set Master account password to something VERY strong
    • Rename Guest account to DEFUNCT
  – Allow remote lockout of administrator account only
(__) Auditing is Enabled
User Manager, Policies, Audit
http://www.geek-speak.net/products/ntaudit1.html
Audit Best Practice
Audit Best Practice (2)
Passwords
(__) NT password policies comply with Best Practices for NT Passwords.
(__) User passwords are known only by the user.
(__) Users are required to maintain unique passwords for each AIS.
(__) Passcrack for Windows NT or other password tester is run at least yearly.
(__) Password database (SAM) is encrypted.
(__) Administrator password is protected to the same level as the data contained on the computer.
(__) Password is enabled for screen saver. (Control Panel, Desktop)
Passfilt
NT 4.0 Start -> Programs -> Administrative Programs -> User Manager
Win2k: My Computer -> Control Panel -> Administrative Tools -> Local Security Policy -> Password Policy
Sample VT NT Level 1 Ruler
• Services/System
  – Disable unnecessary system services
    • Network DDE, Network DDE DSDM, Schedule, Spooler, Telephony service, distributed DCOM
  – From System Control Panel, click Startup/Shutdown tab
    • Uncheck Overwrite any Existing File?
    • Uncheck Write debugging info to:
    • Uncheck Automatically Reboot?
Sample VT NT Level 1 Ruler
• Services/System
  – Click Display Control Panel
    • Click Screen Saver tab, enable Blank Screen screen saver, modify wait to 5 minutes, check the Password Protected box.
  – Event Logs
    • Open Log -> Log Settings and increase max size of logs > 2048K
Log -> Log Settings
Event View 2000
My Computer -> Control Panel -> Administrative Tools -> Event Viewer
Using dumpel for audit logs
Sample VT NT Level 1 Ruler
• For the rest of the ruler, go to http://security.vt.edu and look in the Checklists section for Marc’s document
• Some may consider his requirements to be really strict, but some may like them.
Sample Windows 2000 Level 2 Ruler
• Rules of Engagement for Active Directory
• Developed at VA Tech for our AD structure
  – Marc Debonis, www.w2k.vt.edu
• Allows lower level admins to control their own domains
• Not for everyone
• Somewhat draconian
Sample VT Level 2 Ruler: Active Directory ROE
• The child domain must have at least 1 full-time peer BDC for the child domain
• The child domain controllers must meet Microsoft’s minimum computer hardware requirements
• No third-party or Microsoft add-on software is allowed on child domain controllers
  – IIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services
Sample VT Level 2 Ruler: Active Directory ROE
• The child domain controllers must be in a backup program and have full recoverability tested
• The child domain controllers must allow and not block global policy objects replicated from the root
• All W2K hosts must follow prescribed DNS naming conventions (xxx.yyy.vt.edu)
Sample VT Level 2 Ruler: Active Directory ROE
• All W2K hosts within the child domain will use root AD DDNS server settings. Child DCs will use static IP and not run DHCP servers
• Child domains will not attempt to create child domains “below” theirs. They will use OUs to do this.
Sample VT Level 2 Ruler: Active Directory ROE
• No non-administrative local logins will be allowed to the child domain controllers. The CDC will be housed in secure areas with controlled access
• 2 week backups of event/audit logs will be kept and access to them will be given to the AD enterprise admins for security/debugging purposes.
Sample VT Level 2 Ruler: Active Directory ROE
• All service packs will be installed in a timely manner, coordinated with root AD controller upgrades
• Will people buy into this?
  – Some will, some won’t, but those that do are more secure.
Whew!

You’ve got a basic strategy for building security checklist/audit plans for
  – Perimeter
  – Unix
  – NT
  – Windows 2000
Please fill out your comment sheets!
Today’s Course Goals
• Construct a high level Security Checklist from the CIS rulers for your site.
  – Unix, NT, Windows 2000
• Use TBS to provide a response to your internal auditors and secure your systems.
• Use STAR to define the $$$ cost of implementing security features at your site.
  – This method can be used over time to show trends
• Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.
URLs referred to in this course
• STAR Matrices: http://courseware.vt.edu/marchany/STAR
• Sample R/A Documents: http://security.vt.edu
• Top Ten Vulnerabilities: http://www.sans.org/topten.htm
• Top Ten Blocking: http://www.sans.org/giactc/gcfw.htm
• Egress Filtering: http://www.sans.org/y2k/egress.htm
• CVE: http://cve.mitre.org
• GIAC Practicals: http://www.sans.org/giactc/cert.htm
• RFC 2196: http://www.ietf.org/rfc/rfc2196.txt
• Center for Internet Security: http://www.cisecurity.org
Course Revision History