learning activity plan -...


Upload: trinhtuong

Post on 13-Apr-2019


Page 1: Learning Activity Plan - academy.delmar.eduacademy.delmar.edu/Courses/ITSY2400/Labs/Learning_Activity_Plans… · Web viewInformation Technology Security Specialist ACKNOWLEDGEMENTS

Learning Activity Plan
Information Technology Security Specialist

ITSY-2000 OPERATING SYSTEMS SECURITY


ACKNOWLEDGEMENTS

Learning Activity Plan (LAP) developed by: Joe Mallen, faculty member of Southwest Texas Junior College. This LAP was developed under the auspices of the Texas State Leadership Partnership for IT Specialist Curriculum Development and funded by a grant from the Texas Higher Education Coordinating Board, Community and Technical College Division. This LAP is recommended for use by community and technical colleges in Texas.

Authorizing Agency: Texas Higher Education Coordinating Board, 1200 East Anderson Lane, Austin, TX 78752 (www.thecb.state.tx.us)

Funded by: Carl D. Perkins Vocational Education Act

Project Advisor: Rob Franks, Texas Higher Education Coordinating Board

Project Staff:
Director, Brent Kesterson, Tech Ed Division, Richland College, 12800 Abrams Road, Dallas, TX 75243
Coordinator, Ngoc Truong, Tech Ed Division, Richland College, 12800 Abrams Road, Dallas, TX 75243

Project Partners:
Collin County Community College, Ann Beheler, Barbara Taylor
Dallas County Community College District, Don Perry
Del Mar College, Larry Lee, Michael Harris
North Harris College, Bill Coppola, Allen Rice, Calvin Rennels
Richland College, Kay Eggleston, Martha Hogan, Paula Dennis
Southwest Texas Junior College, Dick Whipple
Southwest Texas Junior College, Joe Mallen
Texas State Technical College – Waco, Linda Shorter
Tyler Junior College, Charles Cowell

Non-exclusive copyright © 2003. Non-exclusive copyright is retained by the U.S. Department of Education, the Texas Higher Education Coordinating Board, and Richland College. Permission to use or reproduce this document in whole or part is granted for not-for-profit educational and research purposes only. For any other use, please request permission in writing from the Technical Education Division, Richland College, 12800 Abrams Road, Dallas, TX 75243. Phone: 972 238-6396. FAX: 972 238-6905

document.doc printed 05/14/23


Table of Contents

Classroom Setup Requirements
Discover Windows 2000 Vulnerabilities
Discover Linux Vulnerabilities
Configuring an Audit Policy & Manage your Event Logs
Using Strong Passwords in Windows 2000
Using Strong Passwords in Linux
Viewing Open Ports in Windows 2000
Protecting your OS against Dictionary Attacks
Disable terminal access to root account in Linux
Using a Keylogger Program
Using Security Analyzer on a Win2000 and Linux Client
Removing Unnecessary services and changing Misc. security settings
Using Bastille to Reduce the Risk in a Linux System


Classroom Setup Requirements

Hardware Requirements:

The following table lists the suggested hardware requirements for this course:

Hardware                        Specifications (greater than or equal to the following)
Processor                       Intel Pentium II (or equivalent) personal computer with processor greater than or equal to 300 MHz
L2 Cache                        256 KB
Hard Disk                       8-GB Hard Drive
RAM                             at least 128 MB
CD-ROM                          32x
Network Interface card (NIC)    10BaseT or 100BaseTX (10 or 100 Mbps)
Sound card / Speakers           Required for Instructor Station, optional for student stations
Network Hubs                    Two 10-port 10BaseT or 100BaseTX (10 or 100 Mbps) hubs
Router                          Multi-homed system with three NICs (Windows 2000 server)

Software Requirements:

The following software is used in this course for both the instructor and student systems.

• Microsoft Windows 2000 Server, with Microsoft Internet Explorer 5 or later, including Outlook Express. If possible create three partitions: two should be formatted in NTFS for Windows 2000. A sufficiently large partition should be left completely blank so that it can be used by the Red Hat Linux 7.x installation.
• Current Microsoft Windows 2000 Service Pack (unless otherwise directed in a lesson)
• Webtrends Security Analyzer with optional agents for Red Hat Linux (www.webtrends.com)
• Ipswitch WS_Ping ProPack Version 2.1 or later (www.ipswitch.com)
• Red Button
• Netbios Authorization Tool (NAT)
• Amecisco Invisible Keylogger Stealth
• Resource Kit Demonstrations files (Diskmap.exe, dmdiag.exe, drivers.exe, pstat.exe, pulist.exe and perms.exe) (www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp)
• Full Installation of Red Hat Linux (Red Hat Linux 7.x). See Linux installation instructions for component details. Do not choose “server installation”, which will completely reformat the hard drive and destroy your Windows 2000 installation. You should have the installation program automatically install the following services:
    o X Windows
    o DNS Package (including Bind V8)
    o Shadow passwords
    o Development (contains GNU C compiler)
    o Both Linuxconf and Gnome Linux-conf (either on the installation disk, at www.rpmfind.net, or at the Linuxconf website: www.solucorp.qc.ca/linuxconf)
    o Winfile
    o Fport
    o Bastille version 1.1.0

Note: You can obtain the installation files for Red Hat Linux 7.x at www.redhat.com. If you are new to the Red Hat Linux installation procedure, visit the following site for more detailed instructions on how to install: http://www.redhat.com/docs/manuals/linux/


Discover Windows 2000 Vulnerabilities

Learning Outcome
Identify Windows vulnerabilities during an initial default installation of the operating system. Students will learn to use a program to discover the built-in accounts on remote servers and use a dictionary type attack to discover passwords.

Recommended Resources for Learning Activity
“RedButton” Program
NetBIOS Auditing Tool (NAT)

Recommended Instructor Preparation for Learning Activity
Instructor lecture on how vulnerable a Windows 2000 Server can be out of the box. Classroom discussion on how you can utilize the RedButton program to discover the built-in account (Administrator), or the account name if it has been renamed, and the available shares on the server. Also, discuss how to use the NAT program to perform a dictionary attack. Students should be familiar with the concepts of “Shares” and “Dictionary Attacks”.

Recommended Instructor/Student In-class/lab Activity
Methods to:

Capture Student Attention: Tell the students that they are about to learn how to become hackers and at the same time understand some of the vulnerabilities of Windows 2000 Server.

Lab – Discover Windows 2000 Vulnerabilities:
1. Install the Redbutton program and run it.
2. Choose No when the program asks your intentions.
3. Enter the IP Address of the computer you are hacking and click on OK.
4. Click the Go Area in the Main Window.
Note: Redbutton will come back and give you the built-in account name and the available shares. Now all you need is the password. The following steps will perform a dictionary attack to discover the password.
5. Install the NAT program.
6. Command prompt: Enter the following command:
   NAT -o results.txt -u userlist.txt -p passlist.txt <ip address of the remote computer>
7. Command prompt: Enter type results.txt | more, or open the results.txt file with a word-processing program like Notepad.
8. Search the file and discover the successful break-in attempts including the administrator password.
9. Now that you know the system administrator password, log on to the remote computer administrative share by going to Start | Run and entering the following command:
   \\remote_machines_ipaddress\C$
10. You have now seen a simple example of the process of breaking into a system.


Discover Linux Vulnerabilities

Learning Outcome
Identify Red Hat Linux vulnerabilities during an initial default installation of the operating system.

Recommended Resources for Learning Activity
www.solucorp.qc.ca/linuxconf

Recommended Instructor Preparation for Learning Activity
Instructor Note: Linuxconf must be installed. You can download it from the Linuxconf home page listed above. Also, student Linux servers should be configured to allow all connections by default for this lab to work.

Recommended Instructor/Student In-class/lab Activity

Lab - Discover Linux Vulnerabilities and modify Linux settings:

1. Log in as the Linux root user. Use the /usr/sbin/useradd command to create a non-root account named student. Make sure to use the /usr/bin/passwd command to give the student user a password of password.
2. Log off as root and log in as student. Use the reboot command to reboot the system.
Note: You will see that a non-root user can reboot the system. You should also be able to use the halt and poweroff commands.
3. Assume root by using the su command. As root, change to the /etc/security/console.apps/ directory.
4. Using a text editor, enter the following into the /etc/security/console.apps/poweroff file:
   USER=root
   SESSION=true
5. Now log back in as student.
6. Try using the poweroff command. Notice that student can no longer use this command.
7. Now, make the same changes to the halt command by changing the values to USER=root and SESSION=true.
8. From another computer, open a Telnet session and log on to your Linux server. Enter Student as the login name, but enter the wrong password. Notice that after three attempts the system will automatically reset the connection.
Note: This default setting is effective against brute force attacks.
9. Log on as root. Open linuxconf and go to the User Accounts | Policies | Password and account policies icon. Notice the default minimum length for a password is six characters, and there are no minimum non-alphanumeric characters required.
10. Click the Params tab.
11. Note that no password aging settings are set.


Configuring an Audit Policy & Manage your Event Logs

Learning Outcome
Implement procedures to secure and monitor audit logs and set system administrator alerts.

Recommended Resources for Learning Activity
Windows 2000 Server

Recommended Instructor Preparation for Learning Activity
It is recommended that students have a good understanding of the security policy MMC of a Windows 2000 Server.

Recommended Instructor/Student In-class/lab Activity
Two Part Lab.

Part I
Lab – Configure an Audit Policy

1. Click Active Directory Users and Computers from the Administrative tools menu. If auditing is to be configured on a standalone computer, click Local Security Policy from the Administrative tools menu.
2. To have the domain controllers audited, right-click the Domain Controllers OU. Click Properties.
3. Click the Group Policy tab and then the Edit button. If there is no group policy to edit, choose New to create a new policy.
4. In the left pane of the group policy screen, navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.
5. Double-click the event that is to be audited.
6. In the Security Policy Setting dialog box, click Define these policy settings, and choose whether to audit successes, failures or both.

Part II – Filtering an Event Log to find a specific event

1. Click Event Viewer from the Administrative tools menu.
2. Right-click the log that you want to filter. Choose Properties.
3. Click the Filter tab.
4. Choose the event types or any other filtering options (such as event source, category, etc.) that are needed to filter the log. Then click OK.
5. To revert to the unfiltered view, return to the Filter tab and click Restore Defaults.


Using Strong Passwords in Windows 2000

Learning Outcome
Configure their Windows 2000 servers to enforce strong passwords by configuring the Security Settings | Password Policy | Passwords must meet complexity requirements value in the Local Security Settings snap-in.

Recommended Resources for Learning Activity
For more information regarding password security:
http://www.microsoft.com/Windows2000/en/server/help/default.asp?url-/windows2000/en/server/help/windows_passwords_tips.htm

Recommended Instructor Preparation for Learning Activity
Instructor notes on the four types of content that are combined to enforce strong passwords: uppercase letters, lowercase letters, numbers, and non-alphanumeric characters such as punctuation. Students should have a good understanding of what is required of a strong password.

Recommended Instructor/Student In-class/lab Activity
Capture Student Attention: Explain a dictionary attack.

Lab – Using strong passwords in Windows 2000.

1. Create a user named StrongPasswordUser with the password: password. Uncheck the User must change password at next logon check box.
2. Open up the Local Security Policy snap-in through Start | Programs | Administrative tools | Local Security Policy.
3. Select the Security Settings | Account Policies | Password Policy | Passwords must meet complexity requirements value and open it.
4. Click the Enable button to enable this policy.
5. Shut down and restart Windows 2000.
6. Try changing the password on StrongPasswordUser. Note that you are now forced to use a strong password.


Using Strong Passwords in Linux

Learning Outcome
Modify the default password policy of a Linux system.

Recommended Resources for Learning Activity
www.solucorp.qc.ca/linuxconf

Recommended Instructor Preparation for Learning Activity
Linuxconf and gnome-linuxconf need to be installed for this lab. Instructor notes on how Linux is configured by default to reject any password that resembles a “dictionary” password, which is any word that looks like a word in a standard dictionary. Make sure students understand exactly what a dictionary password is.

Recommended Instructor/Student In-class/lab Activity

Lab – Using strong passwords in Linux.

1. In X-Windows or at the terminal, open Linuxconf: linuxconf
2. Go to the Users accounts | Policies | Password & account policies section.
3. At the Policies tab, change the Minimum length value to 8, and the Minimum amount of non alpha char value to 2.
4. Select the Params tab and change the Must keep # of days to 2, Must change after # days to 180, Warn # of days before expiration to 15.
5. Test it by adding a new user and creating a password.
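
To confirm which accounts actually carry the aging values from step 4, the shadow file can be checked directly. The script below is an added example, not part of the original lab; it assumes the Linuxconf fields map to the shadow minimum, maximum and warning fields, and the sample entries and hash placeholders are constructed.

```python
"""Check shadow-format entries against the aging values set in this lab."""
from datetime import date

# Values from lab step 4: must keep 2 days, must change after 180, warn 15.
POLICY = {"min_days": 2, "max_days": 180, "warn_days": 15}

# Constructed sample in /etc/shadow layout; hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$placeholder:12000:0:99999:7:::
student:$1$placeholder:12100:2:180:15:::
olduser:$1$placeholder:11800:2:180:15:::
daemon:*:11900:0:99999:7:::
newuser:$1$placeholder:12150::::::
"""


def days_since_epoch(day):
    """Shadow files count dates in days since 1970-01-01."""
    return (day - date(1970, 1, 1)).days


def _num(field):
    """Empty shadow fields mean 'not set'."""
    return int(field) if field.strip() else None


def audit_shadow(text, today, policy=POLICY):
    """Return {user: [problems]} for accounts that can log in with a password."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 9:
            report[parts[0]] = ["malformed entry"]
            continue
        user, pw = parts[0], parts[1]
        if pw.startswith(("*", "!")):
            continue  # locked or service account: no password login
        last, min_d, max_d, warn_d = (_num(p) for p in parts[2:6])
        problems = []
        if pw == "":
            problems.append("empty password field")
        if min_d is None or min_d < policy["min_days"]:
            problems.append(f"minimum age {min_d} < {policy['min_days']}")
        if max_d is None or max_d > policy["max_days"]:
            problems.append(f"maximum age {max_d} > {policy['max_days']}")
        if warn_d is None or warn_d < policy["warn_days"]:
            problems.append(f"warning period {warn_d} < {policy['warn_days']}")
        if last is not None and max_d is not None and today - last > max_d:
            problems.append(f"password expired {today - last - max_d} days ago")
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    # 12160 is a constructed "today"; use days_since_epoch(date.today()) live.
    for user, problems in audit_shadow(SAMPLE_SHADOW, today=12160).items():
        print(f"{user}: " + "; ".join(problems))
```

Accounts created before the policy change keep their old aging values, which is why root and newuser are reported in the sample while student is not.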


Viewing Open Ports in Windows 2000

Learning Outcome
Discover how to track open files and ports in Windows 2000; open ports are a possible avenue of exploitation for any hacker trying to break into your server.

Recommended Resources for Learning Activity
http://www.cert.org/tech_tips/denial_of_service.html
http://rc.infotech.indiatimes.com/examples/rc/infodeta.jsp?code=134&chan=Expert%20Speak&indus=9
Fport Application

Recommended Instructor Preparation for Learning Activity
Instructor notes on ports and how they are vulnerable to attacks such as Denial of Service attacks.

Recommended Instructor/Student In-class/lab Activity
Capture Student Attention: Classroom discussion on a Denial of Service attack that crippled major sites such as yahoo.com, Amazon.com and cnn.com. The article can be found here: http://www.iol.ie/~kooltek/dosattacks.html

Lab – Viewing Open Ports in Windows 2000.
1. Open a command prompt and locate the fport program.
2. Type the following command: fport > fportoutput.txt
3. Use Notepad to open the fportoutput.txt file. You will now see a list of all open ports on your system. Notice the information provided, such as how each port is mapped to a specific process.


Protecting your OS against Dictionary Attacks

Learning Outcome
Use the Local Security Policy snap-in to change the default settings to protect against dictionary password attacks.

Recommended Resources for Learning Activity
Netbios Auditing Tool (NAT)
Windows 2000 Server

Recommended Instructor Preparation for Learning Activity
Instructor Notes: The Server service should be running for this lab to work.

Recommended Instructor/Student In-class/lab Activity
Capture Student Attention: Classroom discussion on how dictionary attacks or password guessing programs can break into a system.

Lab – Protecting your Windows 2000 Server against Dictionary Attacks.

1. Create a new account called testattack. Make the password password. Deselect the User must change password at next logon check box.
2. Go to the command prompt. Change folders to where the NAT program is.
3. Enter the command: nat -o output.txt -u user41.txt -p pass41.txt <computer ip address>
Note: Notice that the program tried all passwords in the text file and eventually broke into the computer. Now, we will make the necessary changes to prevent this type of attack.
4. Open up the Local Security Policy snap-in: Go to Account Policies | Account Lockout Policy and double-click the Account lockout threshold icon. Change the default settings so that the account will lock after four invalid login attempts. Now open up the Account lockout duration icon and change the value to 0. This setting means that you will have to manually reset the account if it has been locked out.
5. Now, try running the NAT program again. This time, note that you cannot access the computer.
6. Open up the output.txt file and view other accounts that it tried to use.
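
With logon auditing enabled, the activity in this lab is visible in the Security log on the server side. The script below is an added example, not part of the original lab: it applies the lab's threshold of four invalid attempts to a constructed CSV export (time, event ID, account, source workstation), using the Windows 2000 event IDs 529 (failed logon), 528/540 (successful logon) and 644 (account locked out). The five-minute window and the workstation names are assumptions.

```python
"""Flag password-guessing patterns in exported Security log records."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 4                     # lab step 4: lock after four invalid attempts
WINDOW = timedelta(minutes=5)     # assumption: the lab does not set a window

FAILED = {"529"}                  # logon failure: bad user name or password
SUCCESS = {"528", "540"}          # interactive / network logon succeeded
LOCKED = {"644"}                  # user account locked out

# Constructed sample export: timestamp, event ID, account, source workstation.
SAMPLE_LOG = """\
2003-04-01 10:00:01,529,testattack,WS41
2003-04-01 10:00:02,529,testattack,WS41
2003-04-01 10:00:03,529,testattack,WS41
2003-04-01 10:00:04,529,testattack,WS41
2003-04-01 10:00:05,529,testattack,WS41
2003-04-01 10:00:06,540,testattack,WS41
2003-04-01 10:02:00,529,jsmith,WS12
2003-04-01 10:02:20,528,jsmith,WS12
2003-04-01 10:05:00,529,administrator,WS41
2003-04-01 10:05:01,529,administrator,WS41
2003-04-01 10:05:02,529,administrator,WS41
2003-04-01 10:05:03,529,administrator,WS41
2003-04-01 10:05:04,644,administrator,WS41
"""


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (kind, account, source, failures_in_window) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, event_id, account, source = (field.strip() for field in row)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rows.append((when, event_id, account.lower(), source))
    rows.sort(key=lambda r: r[0])

    failures = defaultdict(deque)   # (account, source) -> recent failure times
    alerts = []
    for when, event_id, account, source in rows:
        recent = failures[(account, source)]
        while recent and when - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if event_id in FAILED:
            recent.append(when)
            if len(recent) == threshold:
                alerts.append(("burst", account, source, len(recent)))
        elif event_id in SUCCESS:
            # A success right after a burst suggests the password was guessed.
            if len(recent) >= threshold:
                alerts.append(
                    ("success-after-failures", account, source, len(recent)))
            recent.clear()
        elif event_id in LOCKED:
            alerts.append(("lockout", account, source, len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The testattack records correspond to a run before the lockout policy is set (step 3), and the administrator records to a run after it (step 5); a single mistyped password, as in the jsmith records, raises no alert.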


Disable terminal access to the root account in Linux

Learning Outcome
Implement a secure user account policy and develop a security plan.

Recommended Resources for Learning Activity
RedHat Linux 7.x

Recommended Instructor Preparation for Learning Activity
Instructor notes on how you can create a second account that has root privileges, but will be used for login purposes. Note to students that you cannot completely remove the root account because it might affect some daemons that run on the system.

Recommended Instructor/Student In-class/lab Activity

Lab – Disable Terminal Access to the root account in Linux.
1. Boot into Linux and log on as root.
2. Make a copy of the /etc/passwd file and name it /etc/passwd.orig. This is just in case something goes wrong and you need to return your system to its original state:
   host# cp /etc/passwd /etc/passwd.orig
3. Use the /usr/sbin/useradd and /usr/bin/passwd commands to create a new user named admin:
   /usr/sbin/useradd admin
   /usr/bin/passwd admin
4. Now we will edit the /etc/passwd file so that the root entry reads as follows:
   root:x:0:0:root:/root:/bin/false
5. Edit the admin entry as follows:
   admin:x:0:0::/home/admin:/bin/bash
6. Close the /etc/passwd file, making sure you save your changes.
7. Log off and try to log back on as root. You should not be able to do so. However, note that all system daemons can still use the root account. All we have done is disable terminal access to the root account.
8. Log on as admin. Try to stop a few services, or add a few users. You should be able to do so because your admin account is now defined as the root account.
9. Finally, replace the existing /etc/passwd file with the original:
   host# cp /etc/passwd.orig /etc/passwd
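
To verify the state of the account file after steps 4 and 5, and again after the restore in step 9, every UID 0 entry and its shell can be listed and the file compared with the backup from step 2. The script below is an added example, not part of the original lab; the daemon and student entries and the list of non-login shells are constructed for illustration.

```python
"""List UID 0 accounts and compare /etc/passwd with the lab's backup copy."""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Shells that refuse an interactive session (assumed list; extend as needed).
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample standing in for /etc/passwd.orig (lab step 2).
PASSWD_ORIG = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
student:x:500:500::/home/student:/bin/bash
"""

# Constructed sample of /etc/passwd after lab steps 3 to 5.
PASSWD_LAB = """\
root:x:0:0:root:/root:/bin/false
daemon:x:2:2:daemon:/sbin:/sbin/nologin
student:x:500:500::/home/student:/bin/bash
admin:x:0:0::/home/admin:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd-format text into {name: entry dict}; reject bad lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries[entry["name"]] = entry
    return entries


def uid0_accounts(entries):
    """Return sorted (name, shell, can_log_in) for every UID 0 entry."""
    return sorted(
        (e["name"], e["shell"], e["shell"] not in NON_LOGIN_SHELLS)
        for e in entries.values() if e["uid"] == 0
    )


def compare(orig, current):
    """Describe accounts added, removed or changed relative to the backup."""
    changes = []
    for name in sorted(set(orig) | set(current)):
        old, new = orig.get(name), current.get(name)
        if old is None:
            changes.append(f"added {name} (uid {new['uid']}, shell {new['shell']})")
        elif new is None:
            changes.append(f"removed {name}")
        else:
            for field in ("uid", "gid", "home", "shell"):
                if old[field] != new[field]:
                    changes.append(f"{name}: {field} {old[field]} -> {new[field]}")
    return changes


if __name__ == "__main__":
    orig, lab = parse_passwd(PASSWD_ORIG), parse_passwd(PASSWD_LAB)
    for name, shell, can_log_in in uid0_accounts(lab):
        print(f"uid 0: {name} shell={shell} login={'yes' if can_log_in else 'no'}")
    for change in compare(orig, lab):
        print("changed:", change)
```

After step 9 the comparison against /etc/passwd.orig should return no changes and root should be the only UID 0 entry.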


Using a Keylogger Program

Learning Outcome
Discover network security risks, proper security design and monitoring solutions.

Recommended Resources for Learning Activity
www.amecisco.com - Invisible Keylogger Stealth (IKS) Program
http://www.keyloggers.com
http://home.swipnet.se/~w-94075/keylogger/

Recommended Instructor Preparation for Learning Activity
Instructor notes on the concept of a keylogger program, which is a security-threat software program that records all the activity on a certain computer and saves that information to a file which can be sent via e-mail to a pre-defined address.

Recommended Instructor/Student In-class/lab Activity

Lab – Using a Keylogger Program in Windows 2000
1. Boot into Windows 2000 and make sure you log on as administrator.
2. Install the Invisible Keylogger Stealth program.
Note: Just accept the default installation folder during setup.
3. Log on as administrator, and open up Notepad or some other program and type a few words or a one sentence memo.
4. Open up the Log View for IKS shortcut. The Datview program will open. This is the program that will do the translations.
5. Click the Go button and the iks.txt file will open. Note that the text you typed, including your Windows 2000 logon password, will appear in the text log.


Using Security Analyzer on a Win2000 and Linux Client

Learning Outcome
Generate effective audit reports that help organizations improve security and meet industry security standards.

Recommended Resources for Learning Activity
Win2000 Server
Linux Server
Webtrends Security Analyzer – www.webtrends.com

Recommended Instructor Preparation for Learning Activity
Internet access is required, and the Security Analyzer install program along with the Linux agent need to be downloaded and made accessible to students. It might be helpful for students to work in pairs. The following lab has two parts: analyzing a Windows 2000 machine and then analyzing a Linux client.

Recommended Instructor/Student In-class/lab Activity

Lab – Security Analyzer on Windows 2000 and Linux Agent

Part I – Analyzing a Windows 2000 Host

1. Install the Webtrends Security Analyzer.
Note: If you will be using the evaluation version of Security Analyzer, then you must have internet access to register the program.
2. Select No at the AntiSync features window.
3. Add the starting IP address range of your network. This step is important as it will be scanning your hosts on the network.
4. Run the Security Analyzer program and notice the available profiles.
5. Select the first profile on the list, named “full Network-based Analysis”, and choose Scan to begin scanning your system.
6. Expand the Vulnerabilities tab and notice the security risks it found on your system.
7. Expand the icon some more and notice that several hot fixes have not been applied.
8. Click on the Browser report and scroll down to the Host Vulnerabilities page. Note that the Fixes Required by Hosts section gives you a description of each problem and suggested fixes.

Part II - Analyzing a Linux Client

1. First, you must install the Linux Red Hat 7.0 agent setup files on Windows 2000.
2. Double-click the AgentLinux60.exe file.
3. Open up Windows Explorer and locate the Linux agent setup file wsa_agent-3.5.linux60.i586.rpm.
4. Copy the file to c:\inetpub\ftproot\ to make the file available to download through FTP.
5. Go to the Linux machine and log on as root.
6. FTP to the Windows 2000 machine:
   Host# ftp {partner’s ip address}
   Name: Anonymous
   Password: ftp
   ftp> bi
   Note: The bi command ensures files are transferred in binary mode.
   ftp> get wsa_agent-3.5.linux60.i586.rpm
   ftp> bye
7. Enter the ls command and you should see the file you transferred.
   Host# ls
8. Enter the command:
   Host# rpm -ivh wsa_agent-3.5.linux60.i586.rpm
Note: You will receive a message to run the configure.sh command in the /usr/local/wsa directory. But before you do this, you must create a file called agent.dat. To do this, run the following commands.
   Host# cd /usr/local/wsa
   Host# touch agent.dat
   Host# ./configure.sh
9. Now we will scan the Linux agent from the Security Analyzer Console.
10. Add a new profile by choosing File | New Profile.
11. In the profile description field, enter Partner’s Computer. In the Security Test Policy section, select Critical Security Analysis.
12. Select Next. Then, in the Hosts to scan section, click the Add button. Enter the IP address of your partner’s computer.
13. Click Finish. The Partner Computer profile you have created will come up.
14. Choose the Partner Computer and click Scan. Choose the New Scan button and click OK. The scan will take a few minutes and then a new window will come up with your results.
15. Choose the Vulnerabilities tab, which will display the security risks on the Linux system.
16. Select the Fixes Needed tab. A list of recommendations to secure your system from high-risk vulnerabilities will appear.
17. Create a report and analyze the results.
18. Exit the Webtrends Security Analyzer program.


Removing unnecessary services and changing Misc. security settings

Learning Outcome
Secure servers through system and application specific security.

Recommended Resources for Learning Activity
Windows 2000 Server

Recommended Instructor Preparation for Learning Activity
Instructor notes on how removing services that run in Windows 2000 is a good way to reduce the risks and exploits to your server.

Recommended Instructor/Student In-class/lab Activity

Lab – Removing unnecessary services and protocols in Windows 2000

1. Go to Start | Programs | Administrative Tools | Services and open the Services snap-in.
2. The Services screen will show you a list of services in the system and their current settings. The Task Scheduler can be a useful service, but it is also a good way for attackers to attack your server. We will now try to disable the service.
3. First, highlight the Task Scheduler icon, and then stop it.
4. You may be prompted that the Remote Storage Engine service is dependent. Because we will not be using this service either, we can stop this service as well.
5. Right-click the Task Scheduler icon and change the Startup type field to Disabled.
6. Click Apply, and then OK.
7. Right-click the Remote Storage Engine icon and disable this service.
8. If you are not running or requiring services for Macintosh and AppleTalk computers, you can open up the Control Panel and click on the Add/Remove Programs icon.
9. Click the Add/Remove Windows Components icon. Scroll down to the Other Network and Print Services icon and click on Details. Here you can deselect both the Macintosh Services, then click OK.
10. Click Next to remove.
11. Now we will remove the AppleTalk protocol. Right-click on My Network Places and then right-click the Local Area Connection icon.
12. Highlight and remove the AppleTalk protocol.
13. Now we will remove the NetBIOS support from the system. Again, access the Local Area Connection Properties, highlight the Internet Protocol (TCP/IP) and click the Properties button.
14. Click the Advanced button and choose WINS. Choose the Disable NetBIOS over TCP/IP button and click OK.


Using Bastille to Reduce the Risk in a Linux System

Learning Outcome
#8 – Secure Servers through system and application specific security
#9 – Establish a suitable level of protection to control access and safeguard information

Recommended Resources for Learning Activity
Bastille can be downloaded from the following sites:
http://www.bastille-linux.org/
http://bastille-linux.sourceforge.net

Recommended Instructor Preparation for Learning Activity
When using Bastille, the following modules must be installed:
Bastille-TK-module-1.2.01.1mdk.noarch.rpm ---- for X-Windows version
Bastille-curses-module-1.2.0-1.mdk.noarch.rpm ---- for text based version

Recommended Instructor/Student In-class/lab Activity
“Lab - Using Bastille to Reduce the Risk in a Linux System”

1. Log on as root and enter X-Windows.
2. Using Bastille, make the following changes to your system:
    a. Using the FilePermissions module, disable the r-tools and modify your system so that the ping and traceroute commands are only available to root.
    b. Use the Bootsecurity module to change your server’s physical security.
3. Click the EndScreen menu and click Yes to change your system settings.
4. Use the logging module to configure additional logging modules.
5. After you make these changes, test them by logging in as a non-root user and trying to use the ping and traceroute commands.
6. Reboot the system and experiment.
