Computer Security for Student-Administered Computers

Upload: maurice-wiggins

Post on 23-Dec-2015



Agenda

What's the Problem?

Security Risk

Security Incidents

Defenses

Vigilance

What's the Problem at UW?

http://staff.washington.edu/dittrich/talks/security/incidents.html

port-scanning: looking for systems to target

buffer-overrun attacks: command execution via coding errors

open account exploits: to login

packet sniffing: to learn login secrets

trojan horse attacks: to fool user into executing infected program

shared/stolen accounts: to login

denial of service attacks: to prevent or hamper use of computers

file storage: to pirate software/music/etc.

forging email or other electronic messages: to harass/threaten/fool

Security Goals

Microsoft Prescriptive Guidance: Security Operations Guide for Windows 2000 Server

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/windows/windows2000/staysecure/default.asp

Get secure

Stay secure (over time, amidst changes)

Security Risk

Managing risk to protected resources

Resources: data, applications, servers, etc.

what's its value?

Threat: something that could access/harm resources

natural/physical, unintentional/intentional

Vulnerability: point where resource can be attacked

Exploit: use of a vulnerability by a threat

could result in loss of confidentiality, integrity or availability

Risks need to be ranked: low, medium, high

Security Incidents

physical: earthquake, water leak, power failure, etc.

technical vulnerability exploits: attacks, buffer overflows, ...

information gathering exploit: OS identification, wireless leak, social engineering

denial of service exploit: resource removal, physical damage, etc.

Defenses

Data: encryption and backups; antivirus software

Application: developer needs to enforce

Host: limit server to specific roles

Network: blocking and/or encrypting traffic

Perimeter: firewalls; authorized PCs are clean before connecting

Physical: removable media, locks, redundancy, restricted areas

Policies and Procedures: raise awareness and prevent abuse

Windows 2000 Defenses

Planning

Isolation

Installation and Upgrades

Antivirus software

Group Policy/Registry Changes

IPSec/Filtering

Application Lockdown

Windows 2000 Defenses: Planning

What kind? server: member or domain controller? workstation?

What role? basic? web server? cluster?

What’s required for other services? need to think about this

Windows 2000 Defenses: Isolation

On Internet-connected computer: gather all upgrades, antivirus software

download from http://www.washington.edu/computing/software

Network Associates/McAfee Netshield (server)

McAfee VirusScan (workstation)

upgrades and updates

burn on CD

Connect to a hub not connected to Internet

Use static, non-routable IP addresses: 10.10.xxx.xxx

Windows 2000 Defenses: Installation and Upgrades

Install Windows 2000: don’t do it blindly -- read and think about it

Install latest service packs

Install security patches/hotfixes to service packs

Switch to non-privileged account

use RUNAS whenever elevated privileges needed

Watch logs (use EventViewer)

Windows 2000 Defenses: Antivirus

Install Netshield

Install latest upgrades/updates

don’t schedule to update/upgrade (not connected)

Windows 2000 Defenses: Group Policy/Registry Changes

templates are in %SystemRoot%\security\templates

Basic: Basicwk.inf (workstation), Basicsv.inf (member server), Basicdc.inf (domain controller)

Incremental: securedc.inf (domain controller), securews.inf (workstations or member servers), IIS Incremental.inf (IIS only)

Windows 2000 Defenses: Apply AD Group Policy

Active Directory Users and Computers/Domain Controllers/Properties/Group Policy/New

type “BaselineDC Policy”, press Enter, then right-click on BaselineDC Policy and select “No Override”

Edit/Windows Settings (expand)/Security Settings/Import Policy

locate template BaselineDC.inf and place name in “Import Policy From” box

close Group Policy and then click Close

replicate to other domain controllers and reboot

Windows 2000 Defenses: Apply Member Group Policy

Active Directory Users and Computers/Member Servers/Properties/Group Policy/New

type “Baseline Policy”

Edit/Windows Settings (expand)/Security Settings/Import Policy

locate template Baseline.inf and place name in “Import Policy From” box

close Group Policy and then click Close

repeat above for Incremental template files

replicate to other domain controllers and reboot

Windows 2000 Defenses: Verify Group Policy

Verify with secedit (compare with existing template):

secedit /analyze /db secedit.sdb /cfg xxxxx.inf

then look at the log file

Test!

Windows 2000 Defenses: Registry Changes (in Baseline)

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

EnableICMPRedirect=0

SynAttackProtect=2

DisableIPSourceRouting=2

PerformRouterDiscovery=0

HKLM\System\CurrentControlSet\Services\AFD\Parameters

DynamicBacklogGrowthDelta=10

EnableDynamicBacklog=1

MinimumDynamicBacklog=20

MaximumDynamicBacklog=20000
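As an added example (not from the talk or from Microsoft's guide), a Python check that parses a regedit export and reports where the TCP/IP and AFD values above differ from the baseline; the export text is constructed, with one wrong and one missing value.

```python
import re

# Baseline DWORD values from the slides (HKLM spelled out as regedit exports it).
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
BASELINE = {
    SVC + r"\Tcpip\Parameters": {"EnableICMPRedirect": 0, "SynAttackProtect": 2,
                                 "DisableIPSourceRouting": 2, "PerformRouterDiscovery": 0},
    SVC + r"\AFD\Parameters": {"DynamicBacklogGrowthDelta": 10, "EnableDynamicBacklog": 1,
                               "MinimumDynamicBacklog": 20, "MaximumDynamicBacklog": 20000},
}

# Constructed sample of a "regedit /e" export (not from a real host): one value
# deviates from the baseline and one is missing altogether.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"SynAttackProtect"=dword:00000000
"DisableIPSourceRouting"=dword:00000002
"PerformRouterDiscovery"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DynamicBacklogGrowthDelta"=dword:0000000a
"EnableDynamicBacklog"=dword:00000001
"MaximumDynamicBacklog"=dword:00004e20
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})  # start of a [key] section
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)  # DWORDs are exported as hex
    return keys

def find_deviations(export_text, baseline=BASELINE):
    """List (key, value_name, expected, actual); actual is None when the value is absent.
    Key paths are compared case-insensitively, as the registry itself does."""
    found = {k.lower(): v for k, v in parse_reg_export(export_text).items()}
    deviations = []
    for key, values in baseline.items():
        for name, expected in values.items():
            actual = found.get(key.lower(), {}).get(name)
            if actual != expected:
                deviations.append((key, name, expected, actual))
    return deviations
```

Run find_deviations on the output of "regedit /e" from an isolated build to see which of the Baseline registry settings did not take.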

Windows 2000 Defenses: IP Filtering

Block all ports not needed for servers

Windows 2000 Defenses: Application Lockdown

Read application’s notes on security

IIS: apply IIS Incremental.inf and follow guidelines

SQL Server: change default system DBA passwords; protect DBs with access rights/file permissions

Linux Defenses

Planning

Isolation

Installation and Upgrades

Antivirus software???

IP Filtering

Application Lockdown

Linux Defenses: Planning

What kind? workstation? server?

What servers? web server? insecure servers?

What apps are required? What services are required?

Linux Defenses: Isolation

On Internet-connected computer: gather all upgrades

burn on CD

Connect to a hub not connected to Internet

Use static, non-routable IP addresses: 10.10.xxx.xxx

Linux Defenses: Installation and Upgrades

Install Linux: don’t do it blindly -- read and think about it

put /tmp, /home and /var/log in separate partitions

Install latest upgrades

Switch to non-privileged account

use “su -” whenever elevated privileges needed

Watch logs (usually in /var/log)

Linux Defenses: IP Filtering

tcp wrappers

/etc/hosts.deny:

ALL:ALL

/etc/hosts.allow:

ALL: 10. LOCAL

sshd: ALL

/etc/xinetd.d: set disable = yes for undesired services, then

killall -USR2 xinetd
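Added example, not part of the talk: a small Python model of the tcp_wrappers access decision for the hosts.allow and hosts.deny rules above, showing why the ALL:ALL deny line needs the explicit allow entries; the rules and client addresses are constructed.

```python
# Added model of the tcp_wrappers access decision for the rules on the slide.
# The rule text and client addresses are constructed; this is not tcpd's source.
HOSTS_DENY = "ALL:ALL"
HOSTS_ALLOW = """ALL: 10. LOCAL
sshd: ALL"""

def parse_rules(text):
    """Split 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr, hostname):
    """Client patterns: ALL, LOCAL (name with no dot), 'net.' prefix on the
    address, '.domain' suffix on the name, or an exact address/name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return hostname is not None and "." not in hostname
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if pattern.startswith("."):
        return hostname is not None and hostname.endswith(pattern)
    return pattern in (addr, hostname)

def rule_matches(rule, daemon, addr, hostname):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr, hostname) for c in clients))

def access_allowed(daemon, addr, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match at all means allow,
    which is why the slide starts from ALL:ALL in hosts.deny."""
    if any(rule_matches(r, daemon, addr, hostname) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr, hostname) for r in parse_rules(deny)):
        return False
    return True
```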

Linux Defenses: Apache Lockdown

Apache -- start by restricting everything:

    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

then allow by specific directories

want to disable CGI, includes

Linux Defenses: FTP Lockdown

should not use FTP -- it sends passwords in plain text; use ssh/scp/sftp instead

root and other privileged accounts should NOT be FTP users: list them in /etc/ftpusers, which names the accounts denied FTP login

disallow anonymous FTP: the class line in wu-ftpd's ftpaccess should read:

class all real *

References

http://www.washington.edu/computing/security

Microsoft Baseline Security Analyzer for 2000/XP (requires Internet access to run): http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp

SANS Institute Bookstore (Windows 2000 & Linux; SANS = System Administration, Networking and Security): https://www.washington.edu/computing/software/sitelicenses/sans/sw/access.html