Security+ All-In-One Edition
Chapter 12 – Security Baselines
Brian E. Brzezicki

Hardening and Baselines
Operating systems and software are written to be functional and easy to use and install. Otherwise vendors will have a hard time selling them ;-) Unfortunately they generally come configured insecure (or less secure than possible) out of the box. There are two important terms we need to understand in regards to securing systems out of the box.

Hardening
We talked about hardening in chapter 8, and making sure machines are hardened is one major goal of Security Baselines. Just in case you forgot the basics of hardening… we’ll just overview it again on the next slide.

Hardening
Hardening – the process of securing a system as much as possible for production
• Installing updates/patches
• Disabling or removing* unnecessary software/services
• Disabling unnecessary protocols such as IPX/SPX, NetBEUI and AppleTalk
• Securing services
  – Setting application configuration controls to max security
  – Setting OS configuration controls to max security
  – Restricting access to authorized users
• Installing add-on host based tools such as firewalls and anti-virus.

Baseline – The row of shields above your fighter that protects you from attack by hordes of aliens

Baselines
Close actually… Baselines – the process of establishing a minimum set of protections that protects a computer system/network from attack from the hordes of script-kiddies and crackers.
• MINIMUM set of protections and configurations
• Important to have baselines in any organization – why?

Password Policies (340)
One baseline concept that is often overlooked is the idea of requiring strong password practices (policy). Why is a password policy important? (more)

Password Policy Concepts (343)
What are all these things?
• Minimum password lengths – 8
• Minimum password ages – days to weeks
• Maximum password ages – 60 - 90 days
• Case changes, number and special characters
  – 1 or more A-Z
  – 1 or more a-z
  – 1 or more 0-9
  – 1 or more special character
• Password History – 5 - 10
• No personal information (usernames, real name, children's names, birthdates)

Password Usability vs. Security
However you have to balance “usability” vs. security
• What do I mean by this?
• What problems occur with “too secure” passwords?
I like to use a “passphrase” to generate a password:
“I Like to drink Iced Tea and Lemon”
ILTDITAL
1Ltd1t@l

Attacks against passwords (342)
Some types of attacks that you should understand the terminology of
• Dictionary Attack – go through the dictionary
• Hybrid attack – makes substitutions on dictionary words
• Brute force – try everything!

Password Crackers (341)
As a security administrator, you should use software that enforces your company's password policies, such as
• PASSFILT.DLL (NT 4.0 SP2)
• Windows Group Policies (Windows 2000+)
• Npasswd or PAM on Unix/Linux
You should also try to “crack” passwords periodically
• Cain and Abel (Windows)
• John the Ripper (Windows, Unix)
• Crack (Unix)

Random password term
Virtual password – Some software asks you to type a passphrase, like a sentence. Software often takes the passphrase and uses it to create a “virtual password”. Anyone have any ideas how they could do that?

Hardening Windows 2003 (345)
Windows 2003 was MS's first product using their “Trustworthy Computing Initiative”. The concept was “Secure by design, secure by default”. This included
• Fewer default installed features (19 less than 2000.. Next slide)
• Official Security Guides for securing services
• Security Configuration Wizards – easily install and lock down services
• Software Restriction Policy – allows an administrator to define what software should be allowed to run on a system – Why is this important? (more)

Services
Show for real on workstation.
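The password policy concepts, the passphrase trick and the “virtual password” question above can all be tried out in code. The following is an added example written for these notes, not something from the slides or the book: the thresholds are the slide's (length 8, four character classes, a history of 5), the sample passwords and the PBKDF2 salt are constructed, and the letter substitutions (i→1, a→@, then capitalise the first letter) are one reading of how ILTDITAL became 1Ltd1t@l.

```python
"""Added example: a password-policy checker, the passphrase trick from the
slide, and one way a program could turn a passphrase into a "virtual password".
Thresholds follow the slide; sample data and the salt are constructed."""
import hashlib
import re

MIN_LENGTH = 8        # slide: minimum password length 8
HISTORY_DEPTH = 5     # slide: password history 5 - 10 (low end used here)


def check_password(candidate, history, personal_info):
    """Return the list of policy violations; an empty list means the password passes.

    history       - previously used passwords, most recent first (constructed input)
    personal_info - strings that must not appear: username, real name, children, ...
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Password history: reject reuse of any of the last HISTORY_DEPTH passwords.
    if candidate in history[:HISTORY_DEPTH]:
        problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
    # No personal information: case-insensitive substring match (3+ chars).
    lowered = candidate.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains personal information '%s'" % item)
    return problems


def passphrase_to_password(phrase):
    """The slide's trick: first letter of each word, then look-alike substitutions.
    "I Like to drink Iced Tea and Lemon" -> iltdital -> 1ltd1t@l -> 1Ltd1t@l
    (assumed rule: i->1, a->@, then capitalise the first remaining letter)."""
    initials = "".join(word[0] for word in phrase.split()).lower()
    swapped = initials.replace("i", "1").replace("a", "@")
    for idx, ch in enumerate(swapped):
        if ch.isalpha():
            return swapped[:idx] + ch.upper() + swapped[idx + 1:]
    return swapped


def virtual_password(passphrase, salt=b"constructed-demo-salt", iterations=100_000):
    """One answer to "how could they do that?": derive a fixed-length secret from the
    passphrase with a salted, iterated hash (PBKDF2-HMAC-SHA256). The hex digest is
    what the software would store or compare; the passphrase itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations).hex()


if __name__ == "__main__":
    derived = passphrase_to_password("I Like to drink Iced Tea and Lemon")
    print(derived, check_password(derived, [], ["brian"]))
    print(check_password("password", [], []))
    print(virtual_password("I Like to drink Iced Tea and Lemon")[:16], "...")
```

The checker reports every violation rather than stopping at the first, which is what you want when explaining a rejection to a user; the PBKDF2 call is a standard-library routine, so no third-party package is needed.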
Windows 2003
• IIS – allows isolation between web applications.
• Enhanced auditing features
• Network Access Quarantine – explain this.
• MBSA – Microsoft Baseline Security Analyzer… this is a type of vulnerability assessment program for MS OS and software. You should run this on all MS machines.

Windows 2008 (346)
• BitLocker – drive encryption software
• Role-based installation of network services (Web server only installs Web server, not DNS etc.)
• Read Only Domain Controllers
• NAP – controls access to network resources based on a computer's compliance with security policy.
Difference between NAQ and NAP: http://technet.microsoft.com/enus/library/bb726973.aspx

Always
Make sure you're up to date on patches/service packs (361)
Staying up to date is one of the best ways to protect from network service attacks (especially buffer overflows). Some terms you should understand (Microsoft specific)
• Hot Fix
• Patch
• Service Pack
Updates can be applied either manually or automatically. They can also be downloaded automatically and stored until install.

Unix (347)
• Keep software up to date (see next slide)
• Disable/remove unnecessary accounts
• Disable unnecessary software (remove it actually)
• Turn off unnecessary services out of /etc/rc.*
• Turn off unnecessary services out of “xinetd” (2 slides away)
• Remove compilers
• Tighten file/directory permissions
• Remove SUID programs
• Install TCP wrappers (in a few slides)
• Configure host based firewall
• Install and maintain tripwire scanning

yum-updatesd (n/b)
yum

Xinetd (354)
• Xinetd is a program that manages various services and starts up an instance of a service when a user tries to access this service. Services are defined by text configuration files in /
The predecessor to xinetd is “inetd”.. Still used in Solaris last time I checked (Solaris 9)
Xinetd config file example next slide

Xinetd

TCP wrappers (n/b)
Before Unix had host based firewalls included,
TCP wrappers was used to limit access to network services to certain IP addresses. It is still heavily used today and a good practice to use them. TCP wrappers takes 2 text based files
• /etc/hosts.allow – read first, overrides /etc/hosts.deny if conflict
• /etc/hosts.deny – read last
Example next page

/etc/host.deny (tcpwrappers)
/etc/hosts.deny (tcpwrappers)

Verifying (All OSes) (n/b)
• After applying baselines you should ALWAYS verify your settings have taken effect. One good way is to look at what ports are open and what services are running.
• nmap (screen shot next screen)
• netstat (screen shot in a few)

NMAP
netstat

PS and Task Manager (n/b)
Another step for verifying is to use “ps” (Unix) or Task Manager (Windows) to see what processes are running. You should always familiarize yourself with your OS and know what processes are necessary for operation, so you can make sure no unnecessary processes are running and also identify “rogue” processes.

Network Hardening (363)
Switches and Routers also need to be secured
• They ALSO need to have patches applied in a timely manner! They run OSes and are attacked. Network equipment provides direct access into your network, and it’s often not maintained!
• Use good password policies on these devices (more)

Network Hardening (363)
• Turn off SNMP, or change public/private community passwords (SNMP next slide)
• Use encrypted management interfaces (what’s this?.. See a few slides from now)
• Restrict access to management interfaces
• Do Network Mapping, Vulnerability Assessment and Penetration Testing (in a few slides)

SNMP
Simple Network Management Protocol
• Used for network management
• Allows for “reads”
  – Ex. How many packets were routed
  – Ex. How many web pages were served
• Allows “writes”
  – Ex. Reboot
  – Ex.
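The TCP wrappers rules above (hosts.allow read first and winning on conflict, hosts.deny read last, default allow when nothing matches) are easy to get wrong, so here is an added example that evaluates them the way the library does. It is not code from the slides or from the tcp_wrappers package: the two file contents are constructed samples, and only the common client patterns (ALL, LOCAL, a dotted prefix such as `192.168.1.`, `net/mask`, a leading-dot domain suffix, an exact address, and `EXCEPT`) are implemented.

```python
"""Added example: evaluate hosts.allow / hosts.deny decisions for a daemon and
client the way TCP wrappers does. File contents below are constructed samples."""
import ipaddress

HOSTS_ALLOW = """\
# constructed sample /etc/hosts.allow (checked first; a match here grants access)
sshd : 192.168.1. 10.0.0.0/255.255.0.0
ALL : LOCAL
"""

HOSTS_DENY = """\
# constructed sample /etc/hosts.deny (checked last; a match here refuses access)
ALL : ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into ([daemons], [clients]) pairs.
    Comments and blank lines are skipped; IPv4 only (IPv6 patterns contain ':')."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _client_matches(pattern, client):
    """Match one client pattern against an IP address or host name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # any name without a dot
        return "." not in client
    if "/" in pattern:                        # net/mask in dotted form
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
            return ipaddress.ip_address(client) in network
        except ValueError:
            return False
    if pattern.endswith("."):                 # dotted prefix, e.g. 192.168.1.
        return client.startswith(pattern)
    if pattern.startswith("."):               # domain suffix, e.g. .example.com
        return client.endswith(pattern)
    return pattern == client


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(patterns, value, matcher):
    """'a b EXCEPT c': match the left-hand list, then subtract the right-hand one."""
    if "EXCEPT" in patterns:
        idx = patterns.index("EXCEPT")
        return (_list_matches(patterns[:idx], value, matcher)
                and not _list_matches(patterns[idx + 1:], value, matcher))
    return any(matcher(p, value) for p in patterns)


def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow first (first match grants), then hosts.deny (first match refuses),
    otherwise access is granted: an empty hosts.deny means everything is open."""
    for daemons, clients in parse_rules(allow_text):
        if _list_matches(daemons, daemon, _daemon_matches) and \
           _list_matches(clients, client, _client_matches):
            return True
    for daemons, clients in parse_rules(deny_text):
        if _list_matches(daemons, daemon, _daemon_matches) and \
           _list_matches(clients, client, _client_matches):
            return False
    return True


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.168.1.20"), ("sshd", "172.16.5.5"),
                           ("telnetd", "localhost"), ("ftpd", "172.16.5.5")]:
        print(daemon, client, "allowed" if access_allowed(daemon, client) else "denied")
```

The last branch of `access_allowed` is the point of the `ALL : ALL` line in hosts.deny: without it the wrapper library lets every unmatched client through, which is also why the review question about keeping TCP wrappers alongside a host firewall is about two independent controls rather than one.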
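The verification slides say to look at open ports after applying a baseline; a practitioner usually wants that as a comparison against the expected port list rather than a screenshot to eyeball. This added example (not from the slides) parses netstat-style listening-socket lines and diffs them against a baseline set; the netstat output and the baseline are constructed for the demo.

```python
"""Added example: check what is listening (netstat -tuln style output) against a
baseline of the ports a hardened host is supposed to expose. Sample output and
baseline below are constructed."""

NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# What the baseline for this (constructed) web host allows: ssh, local-only smtp, http.
BASELINE = {("tcp", 22), ("tcp", 25), ("tcp", 80)}


def listening_sockets(output):
    """Return a set of (proto, port, bound_address) for every listening socket.
    TCP rows must carry LISTEN; UDP rows in server output are all listeners."""
    found = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue                     # headers and anything that is not a socket row
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        if proto == "tcp" and "LISTEN" not in fields:
            continue
        addr, port = fields[3].rsplit(":", 1)   # works for 0.0.0.0:22 and :::22
        found.add((proto, int(port), addr))
    return found


def compare_to_baseline(output, baseline=BASELINE):
    """Diff the live listeners against the baseline: 'unexpected' is what a
    hardening pass missed (or a rogue process), 'missing' is a service that
    should be up but is not."""
    listening = {(proto, port) for proto, port, _ in listening_sockets(output)}
    return {"unexpected": sorted(listening - baseline),
            "missing": sorted(baseline - listening)}


def exposed_on_all_interfaces(output):
    """Ports bound to every address, i.e. reachable from the network rather than
    loopback only; worth a second look even when they are in the baseline."""
    return sorted({(proto, port) for proto, port, addr in listening_sockets(output)
                   if addr in ("0.0.0.0", "::")})


if __name__ == "__main__":
    print(compare_to_baseline(NETSTAT_OUTPUT))
    print("network-reachable:", exposed_on_all_interfaces(NETSTAT_OUTPUT))
```

On a real host you would feed in the output of `netstat -tuln` (or the nmap scan taken from another machine, parsed the same way) and keep the baseline set under version control with the rest of the build standard, so the check can run after every change.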
Shutdown interface
• Plain text communication (earlier versions)
• Communities (like passwords) – Public/Private for read and write access

Vulnerability Assessment and Penetration Testing (n/b)
Network Mapping – The act of using software to try to determine the topology and software/services of your network.
Vulnerability Assessment – The process of scanning/probing your systems to determine what software exists and what holes might exist on the network/systems. All systems should have Vulnerability Assessments done.

Vulnerability Assessment and Penetration Testing (n/b)
Penetration Testing – A process of actually trying to test your security posture by exploiting holes determined in the vulnerability testing stages. Penetration testing can DAMAGE the network and should not be done without management approval, and should ONLY be done if the testing itself cannot do serious damage.

Management Interfaces

Securing Various Network Services

Web Servers
What is a web server? What protocols and ports does it use?

Web Servers (IIS) (375)
IIS is Microsoft's Web Server Software and is a popular attack target
• Secure the host OS, remove all unnecessary services! Try to only run the web service.
• Remove all sample files (especially before 6)
  – \InetPub\IISamples
  – \Winnt\Help\IIShelp
  – \Program files\Common Files\Systems\MSadc
• Set permissions properly, only allow read access for non-web developers
• Run IIS Lockdown (MS tool for older versions)
• Patch… Patch… Patch

Apache (376)
Apache is the MOST popular web server on the Internet, and is available for Unix and Windows.
• Secure the OS, try to only run the web server on this machine.
• Set Apache to run as a “restricted user” rather than root (httpd or www are common)
• Restrict permissions on web directories
• Restrict IP addresses if necessary
• Delete example CGI files

Web Security
Web server based attacks
• Buffer Overflows
• Path Traversal attacks – Ex.
http://www.server.com/directory/../etc/passwd
• URL encoding issues
• Unchecked inputs to server side programs – Ex. http://www.myapp.com/app?username=me;”drop database applog”

Mail Servers

Email (379)
What is email? What is the protocol for email called? What is the port number for email? What are some security issues (in running email)?
• Relaying
• Reconnaissance
• Buffer overflows
We will talk about these on the next slides

Relaying and SPAM
• What is relaying (next slide)

Relaying (n/b)

SPAM (ch 11. 311)
How to make sure you're not the cause of SPAM
• Turn off “SMTP relaying”
  – Restrict IP addresses of senders to internal addresses only
  – Require authentication of users before allowing them to send email

Using email for Reconnaissance
• expn and vrfy commands

Relaying
• Can get your mail server blacklisted quick
• Wastes your bandwidth and CPU time
• Restrict relaying to internal addresses ONLY
• Use authentication mechanisms before allowing users to send mail out of your SMTP server.

Securing Exchange (378)
• Secure OS
• Run only email services
• Run the MBSA
• Patch, patch, patch
• Restrict relaying

Securing Sendmail (379)
• Secure the OS
• Don’t run as root (run as smtp)
• Turn off expn and vrfy – PrivacyOptions=noexpn,novrfy
• Restrict relaying

FTP (379)
What is FTP? What are the port numbers? What is a problem with FTP?

FTP attacks (379)
• Sniffing of data and password (do example)
• Buffer overflows
• Use of anonymous accounts

Securing FTP
• Don’t run FTP… seriously, use something else like scp or sftp
• Turn off anonymous access
• Restrict access to authorized IPs only (internal hopefully!)
• Patch, patch, patch

DNS (379)
What is DNS? What ports does it run on?
Attacks against DNS servers (next slides)
• Buffer Overflows
• Reconnaissance Attacks
• DNS cache poisoning

Buffer Overflows
You’ll learn about these next chapter!
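The two web-server attack examples above (the `../etc/passwd` path traversal, including its URL-encoded form, and the unchecked `username=me;"drop database applog"` input) each have a standard server-side countermeasure. The following is an added example written for these notes, not code from the slides, from IIS or from Apache: the document root, the in-memory users table and the request URLs are constructed. It goes slightly beyond the slide's own URL, which with a single `..` only climbs out of `directory` and still lands inside the document root, by also trying deeper and percent-encoded traversals.

```python
"""Added example: defensive handling of path traversal and of unchecked query
input. DOCROOT, the users table and the sample URLs are constructed."""
import posixpath
import sqlite3
from urllib.parse import unquote, urlsplit

DOCROOT = "/var/www/html"   # assumed document root for the demo


def resolve_under_docroot(url, docroot=DOCROOT):
    """Map a request URL to a file path, or return None when the path escapes docroot.
    The path is percent-decoded before normalising so "%2e%2e/" is handled like "../"."""
    path = unquote(urlsplit(url).path)
    candidate = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    # normpath collapses every "..", so a traversal shows up as a path outside docroot
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate


def demo_db():
    """In-memory stand-in for the application database behind /app (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("me", "user"), ("admin", "admin")])
    return conn


def lookup_user_unsafe(conn, username):
    """The unchecked-input pattern: the value is spliced into the SQL text, so
    whatever the client sends reaches the SQL parser."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchone()


def lookup_user(conn, username):
    """Hardened form: the value is bound as a parameter. The slide's input
    me;"drop database applog" is then just a string that matches no row."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def compare_lookups(conn, username):
    """Run both lookups on the same input and report what each did; the unsafe
    one surfaces as an SQL error as soon as the input contains a quote."""
    try:
        unsafe = lookup_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        unsafe = "sql error: input reached the parser"
    return {"unsafe": unsafe, "safe": lookup_user(conn, username)}


if __name__ == "__main__":
    for url in ["http://www.server.com/directory/../etc/passwd",
                "http://www.server.com/directory/../../../../etc/passwd",
                "http://www.server.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(url, "->", resolve_under_docroot(url))
    conn = demo_db()
    print(compare_lookups(conn, 'me;"drop database applog"'))
    print(compare_lookups(conn, "me'"))
```

Two things are worth noticing in the output: the first URL resolves to a path under the document root (only `directory` was escaped), so the traversal check must be on the normalised result and not on the presence of `..`; and the parameterised query leaves the table intact whatever the input, which is the property the slide's `drop database` example is about.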
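The relaying slides give the policy in words: deliver mail for your own domains, relay only for internal source addresses or authenticated users, refuse everything else. This added example (not from the slides, and not the configuration syntax of Exchange or Sendmail) expresses that decision as a function so the open-relay misconfiguration can be seen beside the restricted one; the internal networks, local domains and client addresses are constructed values.

```python
"""Added example: an SMTP relay decision implementing the slides' rule
(internal addresses or authenticated users only), with the open-relay setting
shown beside it. Networks, domains and sample sessions are constructed."""
import ipaddress

INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
LOCAL_DOMAINS = {"example.com", "mail.example.com"}


def relay_decision(client_ip, authenticated, recipient, open_relay=False):
    """Return (accepted, reason) for one RCPT TO.

    Mail for a local domain is delivery, not relaying, so it is always accepted.
    Relaying to an outside domain is allowed for internal clients or SMTP-authenticated
    users. open_relay=True is the misconfiguration the slides warn about."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"
    if open_relay:
        return True, "open relay (misconfigured)"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    if any(addr in net for net in INTERNAL_NETWORKS):
        return True, "relay for internal client"
    if authenticated:
        return True, "relay for authenticated user"
    return False, "relaying denied"


# Constructed sessions: (client_ip, authenticated, recipient)
SAMPLE_SESSIONS = [
    ("203.0.113.9", False, "victim@elsewhere.org"),   # outside, unauthenticated
    ("10.1.2.3", False, "partner@elsewhere.org"),     # internal client
    ("203.0.113.9", True, "partner@elsewhere.org"),   # roaming user, authenticated
    ("203.0.113.9", False, "bob@example.com"),        # inbound mail for us
]


def apply_policy(sessions, open_relay=False):
    """Evaluate a batch of sessions; returns [(recipient, accepted, reason), ...]."""
    return [(rcpt, *relay_decision(ip, auth, rcpt, open_relay))
            for ip, auth, rcpt in sessions]


if __name__ == "__main__":
    for row in apply_policy(SAMPLE_SESSIONS):
        print(row)
    print("open relay accepts everything:", apply_policy(SAMPLE_SESSIONS, open_relay=True))
```

The order of the checks matters: local delivery is decided before anything else so that refusing relay never blocks inbound mail, and the authenticated branch is what lets travelling users send without widening the internal network list.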
Countermeasures
• Run DNS server as an unprivileged account
• Patch, Patch, Patch

Reconnaissance with DNS
Zone transfers allow hackers to learn your servers and IP addresses

Zone Transfers

Countermeasures
• Only allow Zone Transfers from slave DNS servers.

DNS cache poisoning
The IP address for www.bankofamerica.com is currently 172.16.193.173. What happens if I can trick your computer into thinking www.bankofamerica.com is at IP 130.85.5.14, and I actually run 130.85.5.14?

File and Print Servers (380)
Attacks
• Buffer Overflows – patch, patch, patch
• Sniffing – encrypt data, use switches
• Unauthorized / too much access (next)

Group Policies and Security Templates

Too Much Privilege
People have more access than they need
Countermeasures
• Require authentication to resources
• Ensure proper permissions on files (least privilege)
• On printers, only allow people to manage their own print jobs (stop, print, delete)
• Administrators can manage all features on printers.

Group Policies (382)
What are Group Policies – “an infrastructure to deliver and apply configurations and policy settings”
What do they require? What tool do you use to manage them? (GPMC)
Show example with MMC.

Group Policies (382)
What are some things you might set in a GPO?
• Password policies
• Server login rights
• Access to USB drives
• What services start on a computer
• IE settings
• Network Sharing encryption settings
• What software can be run
• Logon banners
• Others?

Group Policy Ordering
In Windows, Group Policies can exist on multiple “groups”. The order in which they are applied is as follows; the later ones can override settings from earlier ones*
• Local Computer
• Local User GPO
• Site GPO
• Domain GPO
• Organizational Unit GPO
* There is a way for earlier GPOs to block settings from being overwritten.

Security Templates (384)
Security Template – a collection of security settings that can be applied to a system.
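The Group Policy ordering slide is a precedence rule, and the quickest way to see what it produces is to resolve a few overlapping GPOs and ask which one won each setting. The following is an added example for these notes, not code from the slides or a Windows API: it applies the five levels in the slide's order, lets later levels override earlier ones, and models the footnote ("a way for earlier GPOs to block settings from being overwritten") with an assumed `enforced` flag. The GPO names and settings are constructed.

```python
"""Added example: resolve effective settings from GPOs at several levels using
the slide's processing order. The 'enforced' flag is an assumed name for the
footnote's block-overwrite mechanism; GPO names and settings are constructed."""

# Processing order from the slide; later entries win unless an earlier GPO is enforced.
GPO_ORDER = ["Local Computer", "Local User GPO", "Site GPO",
             "Domain GPO", "Organizational Unit GPO"]


def resolve_gpo_settings(gpos):
    """gpos: list of dicts with 'name', 'level', 'settings' and optional 'enforced'.

    Returns (effective, winner): effective maps setting -> value, winner maps
    setting -> name of the GPO that supplied it. Settings from an enforced GPO are
    locked so that GPOs processed later cannot overwrite them; when two enforced
    GPOs conflict the earlier (higher) one keeps the setting."""
    ordered = sorted(gpos, key=lambda g: GPO_ORDER.index(g["level"]))  # stable sort
    effective, winner, locked = {}, {}, set()
    for gpo in ordered:
        for key, value in gpo["settings"].items():
            if key in locked:
                continue
            effective[key] = value
            winner[key] = gpo["name"]
            if gpo.get("enforced"):
                locked.add(key)
    return effective, winner


# Constructed sample: an OU policy tries to weaken the domain password length.
SAMPLE_GPOS = [
    {"name": "OU-Workstations", "level": "Organizational Unit GPO",
     "settings": {"MinimumPasswordLength": 6, "LogonBanner": "Workstation use only"}},
    {"name": "Domain Password Policy", "level": "Domain GPO", "enforced": True,
     "settings": {"MinimumPasswordLength": 12, "PasswordHistory": 10}},
    {"name": "Local Computer", "level": "Local Computer",
     "settings": {"LogonBanner": "Local banner", "DisableUSB": False}},
    {"name": "HQ Site", "level": "Site GPO",
     "settings": {"DisableUSB": True}},
]


if __name__ == "__main__":
    effective, winner = resolve_gpo_settings(SAMPLE_GPOS)
    for key in sorted(effective):
        print("%-22s = %-22r from %s" % (key, effective[key], winner[key]))
```

Tracing the winner per setting is the part worth keeping: when a workstation ends up with a weaker setting than the domain standard, the answer is almost always an OU-level GPO that was allowed to override, and this is the check that shows it.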
• Password lengths
• Account Lockout
• File Permissions
• Registry Permissions
• Restricted Groups
• System Services
Security Templates can be stand-alone and applied to a system, or pushed out via group policy.

Chapter 12 – Review
Q. If I had a host based firewall that blocks access to ssh (port 22/tcp) to only allowed IP addresses, should I still use TCP wrappers to block access? Why or why not?
Q. What is a program that you can use to scan your computer for open network ports?
Q. What is a program that tells you what programs are running and using what ports?
Q. What is a security template?

Chapter 12 – Review
Q. What is a Group Policy?
Q. Name 3 steps in hardening ANY OS.
Q. If you are a security admin, what is the best practice to defeat buffer overflow attacks?
Q. What does the inetd/xinetd daemon do?

Chapter 12 – Review
Q. What is a hot fix, and how is it different than a service pack?
Q. What is the idea of a password history?
Q. What is the idea of a minimum password age, and what does it help enforce?