Security+ All-In-One Edition Chapter 12 – Security Baselines Brian E. Brzezicki

Upload: poppy-heath

Post on 01-Jan-2016


TRANSCRIPT

Page 1: Security+ All-In-One Edition Chapter 12 – Security Baselines Brian E. Brzezicki

Security+ All-In-One Edition

Chapter 12 – Security Baselines

Brian E. Brzezicki

Page 2:

Hardening and Baselines

Operating systems and software are written to be functional and easy to use and install. Otherwise vendors will have a hard time selling them ;-)

Unfortunately they generally come configured insecurely (or less securely than possible) out of the box.

There are two important terms we need to understand in regards to securing systems out of the box.

Page 3:

Hardening

We talked about hardening in chapter 8, and making sure machines are hardened is one major goal of security baselines.

Just in case you forgot the basics of hardening, we'll overview it again on the next slide.

Page 4:

Hardening

Hardening – the process of securing a system as much as possible for production

• Installing updates/patches
• Disabling or removing unnecessary software/services
• Disabling unnecessary protocols such as IPX/SPX, NetBEUI and AppleTalk
• Securing services
  – Setting application configuration controls to maximum security
  – Setting OS configuration controls to maximum security
  – Restricting access to authorized users
• Installing add-on host-based tools such as firewalls and anti-virus

Page 5:

Baseline – The row of shields above your fighter that protects you from attack by hordes of aliens

Page 6:

Baselines

Close actually… Baselines – the process of establishing a minimum set of protections that protects a computer system/network from attack by the hordes of script-kiddies and crackers.

• MINIMUM set of protections and configurations
• Important to have baselines in any organization – why?

Page 7:

Password Policies (340)

One baseline concept that is often overlooked is the idea of requiring strong password practices (policy).

Why is a password policy important?

(more)

Page 8:

Password Policy Concepts (343)

What are all these things?
• Minimum password length – 8
• Minimum password age – days to weeks
• Maximum password age – 60 to 90 days
• Case changes, numbers and special characters
  – 1 or more A-Z
  – 1 or more a-z
  – 1 or more 0-9
  – 1 or more special characters
• Password history – 5 to 10
• No personal information (usernames, real name, children's names, birthdates)
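The rules on this slide are exactly the kind of thing a password filter (PASSFILT.DLL, PAM's pam_cracklib, and so on) checks at password-change time. The following is an added example, not code from the slides or the textbook: a checker that enforces the minimum length, the four character classes, the "no personal information" rule and a history of the last 5 passwords. The policy constants, the hashing of the history with plain SHA-256, and the sample passwords are assumptions made for the demo; a real system would keep the history as salted, slow hashes.

```python
import hashlib
import re

# Constructed policy values taken from the slide; set them to your own baseline.
MIN_LENGTH = 8
HISTORY_DEPTH = 5
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def fingerprint(password):
    """Hash a password for the history list so old passwords are never stored in clear.

    A real system would use a salted, slow hash; plain SHA-256 is enough to show
    how the comparison works.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, username, personal_info=(), history=()):
    """Return the list of policy violations; an empty list means the password passes.

    history: fingerprints of the user's previous passwords, most recent first.
    Only the last HISTORY_DEPTH entries are consulted, so a password older than
    that may be reused (the slide's "password history 5-10").
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Personal information is matched case-insensitively as a substring, so
    # "Brian2016!" fails for a user whose real name is Brian.
    lowered = password.lower()
    for item in (username, *personal_info):
        if item and len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    if fingerprint(password) in list(history)[:HISTORY_DEPTH]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    for pw in ("1Ltd1t@l", "password1!", "Brian2016!"):
        print(pw, "->", check_password(pw, "bbrzezicki", personal_info=("Brian",)) or "OK")
```

Note that the checker reports every violation rather than stopping at the first one, which is what you want in a password-change dialog, and that the history check only looks at the last HISTORY_DEPTH fingerprints, which is why a minimum password age matters: without it a user can cycle through six passwords in a minute and land back on the old one.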

Page 9:

Password Usability vs. Security

However you have to balance “usability” vs. security
• What do I mean by this?
• What problems occur with “too secure” passwords?

I like to use a “passphrase” to generate a password

“I Like to drink Iced Tea and Lemon”

I L T D I T A L

1 L t d 1 t @ l

Page 10:

Attacks against passwords (342)

Some types of attacks whose terminology you should understand

• Dictionary attack – go through the dictionary
• Hybrid attack – makes substitutions on dictionary words
• Brute force – try everything!
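To make the three terms concrete, here is an added example (not from the slides or the textbook) that runs all three attacks against a hashed password and counts how many guesses each one needs. The wordlist, the leet-speak substitution table, the suffix list and the unsalted SHA-256 "password store" are all constructed for the demo; real stores use salted, slow hashes, which raise the cost of every guess but do not change the strategies.

```python
import hashlib
import itertools
import string


def sha256_hex(text):
    # Constructed target format: unsalted SHA-256 so the demo runs in a moment.
    # Real password stores use a salted, slow hash; that raises the cost per
    # guess but does not change the three strategies below.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a real wordlist.
WORDLIST = ["password", "letmein", "iced", "lemon", "tea", "sunshine"]

# Hybrid "mangling" rules: leet substitutions and common suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "2016"]


def dictionary_attack(target_hash, words=WORDLIST):
    """Try every dictionary word as-is. Returns (password, guesses) or (None, guesses)."""
    for guesses, word in enumerate(words, 1):
        if sha256_hex(word) == target_hash:
            return word, guesses
    return None, len(words)


def hybrid_candidates(words=WORDLIST):
    """Dictionary words plus the substitutions people really make."""
    for word in words:
        bases = {word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)}
        for base in sorted(bases):
            for suffix in SUFFIXES:
                yield base + suffix


def hybrid_attack(target_hash, words=WORDLIST):
    guesses = 0
    for candidate in hybrid_candidates(words):
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Try every string up to max_len characters. Exhaustive, so the count explodes with length."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for secret in ("lemon", "Letmein123"):
        h = sha256_hex(secret)
        print(secret, "dictionary:", dictionary_attack(h), "hybrid:", hybrid_attack(h))
    print("t3a brute force:", brute_force(sha256_hex("t3a")))
```

"lemon" falls to the dictionary in 4 guesses; "Letmein123" survives the dictionary but not the hybrid rules; the 3-character "t3a" is not in any list, yet brute force over lowercase letters and digits finds it after about 27,000 hashes. Each extra character multiplies that last number by the alphabet size, which is the whole argument for the length rule on the previous slide.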

Page 11:

Password Crackers (341)

As a security administrator, you should use software that enforces your company's password policies such as

• PASSFILT.DLL (NT 4.0 SP2)
• Windows Group Policies (Windows 2000+)
• Npasswd or PAM on Unix/Linux

You should also try to "crack" passwords periodically
• Cain and Abel (Windows)
• John the Ripper (Windows, Unix)
• Crack (Unix)

Page 12:

Random password term

Virtual password – Some software asks you to type a passphrase, like a sentence. The software often takes the passphrase and uses it to create a "virtual password".

Anyone have any ideas how they could do that?
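One common answer to the question (assumed here; the slide does not say how any particular product does it) is to run the passphrase through a key-derivation function so that a sentence of any length becomes a fixed-size secret. The example below is added and is not code from the slides or the textbook: it derives a virtual password with PBKDF2, stores only the salt and the derived value, and verifies a later passphrase with a constant-time comparison. The iteration count, salt size and output length are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed choice; tune it to what your hardware tolerates


def virtual_password(passphrase, salt, length=16):
    """Turn a passphrase of any length into a fixed-length printable secret.

    PBKDF2-HMAC-SHA256 stretches the sentence into `length` bytes; base64 makes the
    result usable wherever a password string is expected. The iterations make
    each guess expensive for anyone working from a captured copy.
    """
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              ITERATIONS, dklen=length)
    return base64.b64encode(key).decode("ascii")


def enroll(passphrase):
    """What the software stores: a random salt and the derived value, never the sentence."""
    salt = os.urandom(16)
    return {"salt": salt, "virtual": virtual_password(passphrase, salt)}


def verify(passphrase, record):
    """Re-derive from the stored salt and compare in constant time."""
    candidate = virtual_password(passphrase, record["salt"])
    return hmac.compare_digest(candidate, record["virtual"])


if __name__ == "__main__":
    record = enroll("I Like to drink Iced Tea and Lemon")
    print("virtual password:", record["virtual"])
    print("same sentence verifies:", verify("I Like to drink Iced Tea and Lemon", record))
    print("different case fails:", verify("I like to drink iced tea and lemon", record))
```

Two things worth noticing: the same sentence only reproduces the same virtual password with the same salt, so the salt has to be stored alongside it, and a one-character change in the passphrase (even letter case) produces a completely different result.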

Page 13:

Hardening

Page 14:

Windows 2003 (345)

Windows 2003 was Microsoft's first product released under their "Trustworthy Computing Initiative". The concept was "secure by design, secure by default". This included

• Fewer default installed features (19 fewer than 2000 – next slide)
• Official security guides for securing services
• Security Configuration Wizard – easily install and lock down services
• Software Restriction Policy – allows an administrator to define what software should be allowed to run on a system – why is this important?

(more)

Page 15:

Services

Show for real on workstation.

Page 16:

Windows 2003

• IIS – allows isolation between web applications
• Enhanced auditing features
• Network Access Quarantine – explain this
• MBSA – Microsoft Baseline Security Analyzer. This is a type of vulnerability assessment program for Microsoft OSes and software. You should run this on all Microsoft machines.

Page 17:

Windows 2008 (346)

• BitLocker – drive encryption software
• Role-based installation of network services (a web server only installs the web server, not DNS etc.)
• Read-only Domain Controllers
• NAP – controls access to network resources based on a computer's compliance with security policy

Difference between NAQ and NAP: http://technet.microsoft.com/en-us/library/bb726973.aspx

Page 18:

Always make sure you're up to date on patches/service packs (361)

Staying up to date is one of the best ways to protect against network service attacks (especially buffer overflows).

Some terms you should understand (Microsoft specific)
• Hot fix
• Patch
• Service pack

Updates can be applied either manually or automatically. They can also be downloaded automatically and stored until installed.

Page 19:

Unix (347)
• Keep software up to date (see next slide)
• Disable/remove unnecessary accounts
• Disable unnecessary software (remove it, actually)
• Turn off unnecessary services in /etc/rc.*
• Turn off unnecessary services in "xinetd" (2 slides away)
• Remove compilers
• Tighten file/directory permissions
• Remove SUID programs
• Install TCP wrappers (in a few slides)
• Configure a host-based firewall
• Install and maintain Tripwire scanning

Page 20:

yum-updatesd (n/b)

Page 21:

Page 22:

yum

Page 23:

Xinetd (354)
• Xinetd is a program that manages various services and starts up an instance of a service when a user tries to access that service. Services are defined by text configuration files in /

The predecessor to xinetd is "inetd", still used in Solaris last time I checked (Solaris 9).

Xinetd config file example next slide

Page 24:

Xinetd

Page 25:

TCP wrappers (n/b)

Before Unix had host-based firewalls included, TCP wrappers was used to limit access to network services to certain IP addresses. It is still heavily used today and it is good practice to use it.

TCP wrappers takes two text-based files
• /etc/hosts.allow
  – read first; overrides /etc/hosts.deny if there is a conflict
• /etc/hosts.deny
  – read last

Example next page

Page 26:

/etc/hosts.deny (tcpwrappers)

Page 27:

/etc/hosts.deny (tcpwrappers)
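The screenshots are not reproduced here, so the following is an added example (not from the slides or the textbook) that models how tcpd reads the two files: hosts.allow is consulted first and a match grants access, hosts.deny is consulted next and a match refuses it, and a connection matching neither file is allowed. That last rule is the caveat practitioners trip over, which is why a hosts.deny normally ends in "ALL: ALL". The two file contents are constructed, and the parser is deliberately simplified: it understands ALL, exact addresses and trailing-dot network prefixes such as "10.0.0.", not EXCEPT clauses, netmasks or hostnames.

```python
# Constructed contents standing in for the two files (not the slide's screenshots).
HOSTS_ALLOW = """\
# /etc/hosts.allow: daemon_list : client_list
sshd: 10.0.0. 192.168.1.5
ALL: 127.0.0.1
"""

HOSTS_DENY = """\
# /etc/hosts.deny: whatever hosts.allow did not match is denied
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemons, clients)] from a hosts.allow/hosts.deny style file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # network prefix such as "10.0.0."
        return ip.startswith(pattern)
    return ip == pattern             # exact host address


def rules_match(rules, daemon, ip):
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and any(client_matches(c, ip) for c in clients):
            return True
    return False


def tcpd_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Mimic tcpd's evaluation order for one incoming connection."""
    if rules_match(parse_rules(allow_text), daemon, client_ip):
        return "allow"               # hosts.allow is consulted first and wins
    if rules_match(parse_rules(deny_text), daemon, client_ip):
        return "deny"                # then hosts.deny
    return "allow"                   # matched neither file: tcpd lets it through


if __name__ == "__main__":
    for daemon, ip in (("sshd", "10.0.0.7"), ("sshd", "203.0.113.9"), ("in.telnetd", "10.0.0.7")):
        print(daemon, ip, "->", tcpd_decision(daemon, ip))
    print("sshd from 203.0.113.9 with an EMPTY hosts.deny ->",
          tcpd_decision("sshd", "203.0.113.9", deny_text=""))
```

The last line of the demo shows the pitfall: with an empty hosts.deny the Internet host is allowed in, because nothing denied it. Note also that "192.168.1.5" in hosts.allow is an exact match, so 192.168.1.50 is refused.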

Page 28:

Verifying (All OSes) (n/b)

• After applying baselines you should ALWAYS verify your settings have taken effect. One good way is to look at what ports are open and what services are running.
• nmap (screenshot next screen)
• netstat (screenshot in a few)

Page 29:

NMAP

Page 30:

netstat

Page 31:

ps and Task Manager (n/b)

Another step in verifying is to use "ps" (Unix) or Task Manager (Windows) to see what processes are running. You should always familiarize yourself with your OS and know what processes are necessary for operation so you can make sure no unnecessary processes are running, and also identify "rogue" processes.
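Reading netstat and ps by eye works for one box; for a baseline you want the comparison written down. The following is an added example (not from the slides or the textbook) that parses output in the shape of "netstat -tln" and "ps -eo pid,user,comm" and diffs the listening ports and running commands against an expected list. Both sample outputs and the baseline sets are constructed for a hypothetical hardened web server; run it on real output captured from your own machines.

```python
# Constructed sample in the shape of "netstat -tln" output on Linux (not a real capture).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Constructed sample in the shape of "ps -eo pid,user,comm" output.
PS_SAMPLE = """\
  PID USER     COMMAND
    1 root     init
  412 root     sshd
  587 apache   httpd
  603 root     in.telnetd
  771 nobody   kdsvc
"""

# Constructed baseline for a hardened web server: what SHOULD be listening and running.
BASELINE_PORTS = {22, 80}
BASELINE_PROCS = {"init", "sshd", "httpd"}


def listening_ports(netstat_text):
    """Set of TCP ports in LISTEN state, whatever address they are bound to."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))   # "0.0.0.0:22" or ":::22" -> 22
    return ports


def running_commands(ps_text):
    """Set of command names from ps output (header line skipped)."""
    commands = set()
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 2)
        if len(fields) == 3:
            commands.add(fields[2].strip())
    return commands


def verify_baseline(netstat_text, ps_text, expected_ports=BASELINE_PORTS, expected_procs=BASELINE_PROCS):
    """Diff the live system against the baseline; anything 'unexpected' needs explaining."""
    ports = listening_ports(netstat_text)
    procs = running_commands(ps_text)
    return {
        "unexpected_ports": sorted(ports - expected_ports),
        "missing_ports": sorted(expected_ports - ports),
        "unexpected_procs": sorted(procs - expected_procs),
        "missing_procs": sorted(expected_procs - procs),
    }


if __name__ == "__main__":
    for key, value in verify_baseline(NETSTAT_SAMPLE, PS_SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed data the report flags telnet (23) and SMTP (25) as unexpected listeners and in.telnetd plus an unknown "kdsvc" as unexpected processes: exactly the two kinds of finding the slide describes, a service the baseline said to turn off and a rogue process nobody installed on purpose. Port 25 is bound to loopback only, which is less exposed, but the baseline did not ask for it, so it is still reported.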

Page 32:

Network Hardening (363)

Switches and routers also need to be secured

• They ALSO need to have patches applied in a timely manner! They run OSes and are attacked. Network equipment provides direct access into your network, and it's often not maintained!
• Use good password policies on these devices

(more)

Page 33:

Network Hardening (363)
• Turn off SNMP, or change the default public/private community strings, which act as passwords (SNMP next slide)
• Use encrypted management interfaces (what's this? See a few slides from now)
• Restrict access to management interfaces
• Do network mapping, vulnerability assessment and penetration testing (in a few slides)

Page 34:

SNMP

Simple Network Management Protocol
• Used for network management
• Allows for "reads"
  – Ex. How many packets were routed
  – Ex. How many web pages were served
• Allows "writes"
  – Ex. Reboot
  – Ex. Shut down an interface
• Plain-text communication (earlier versions)
• Communities (like passwords) – public/private for read and write access

Page 35:

Vulnerability Assessment and Penetration Testing (n/b)

Network mapping – the act of using software to try to determine the topology and software/services of your network.

Vulnerability assessment – the process of scanning/probing your systems to determine what software exists and what holes might exist on the network/systems. All systems should have vulnerability assessments done.

Page 36:

Vulnerability Assessment and Penetration Testing (n/b)

Penetration testing – the process of actually testing your security posture by exploiting holes found in the vulnerability assessment stage. Penetration testing can DAMAGE the network and should not be done without management approval, and should ONLY be done if the testing itself cannot do serious damage.

Page 37:

Management Interfaces

Page 38:

Securing Various Network Services

Page 39:

Web Servers

Page 40:

Web Servers

What is a web server?

What protocols and ports does it use?

Page 41:

Web Servers (IIS) (375)

IIS is Microsoft's web server software and is a popular attack target
• Secure the host OS, remove all unnecessary services! Try to run only the web service.
• Remove all sample files (especially before IIS 6)
  – \InetPub\IISSamples
  – \Winnt\Help\IISHelp
  – \Program Files\Common Files\System\MSadc
• Set permissions properly; only allow read access for non-web developers
• Run IIS Lockdown (Microsoft tool for older versions)
• Patch… patch… patch

Page 42:

Apache (376)

Apache is the MOST popular web server on the Internet, and is available for Unix and Windows.

• Secure the OS; try to run only the web server on this machine.
• Set Apache to run as a restricted user rather than root (httpd or www are common)
• Restrict permissions on web directories
• Restrict IP addresses if necessary
• Delete example CGI files

Page 43:

Web Security

Web server based attacks

• Buffer overflows
• Path traversal attacks
  – Ex. http://www.server.com/directory/../etc/passwd
• URL encoding issues
• Unchecked inputs to server-side programs
  – Ex. http://www.myapp.com/app?username=me;"drop database applog"
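Three of the four bullets share one root cause: the server trusts what the client sent. The following is an added example (not code from the slides or the textbook) showing path traversal and unchecked input side by side with their fixes, and why URL encoding matters to the traversal check. The document root, the in-memory users table and the attack strings are constructed. The traversal fix decodes the request BEFORE normalising and confining it, since a check that looks for ".." in the raw, still-encoded path is bypassed by "%2e%2e". The injection demo uses a tautology ("' OR '1'='1") rather than the slide's stacked "drop database", because a tautology works against any database engine regardless of whether its driver accepts more than one statement per call.

```python
import posixpath
import sqlite3
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # constructed document root


def unsafe_path(doc_root, url_path):
    """Vulnerable: decodes the request path and joins it onto the document root unchecked."""
    return posixpath.normpath(posixpath.join(doc_root, unquote(url_path)))


def safe_path(doc_root, url_path):
    """Hardened: decode, strip the leading slash, normalise, then confine to the root."""
    root = posixpath.normpath(doc_root)
    decoded = unquote(url_path).lstrip("/")      # a leading "/" would replace the root in join()
    full = posixpath.normpath(posixpath.join(root, decoded))
    if full != root and not full.startswith(root + "/"):
        raise PermissionError(f"path traversal blocked: {url_path}")
    return full


def is_traversal(doc_root, url_path):
    """True when safe_path() would refuse the request."""
    try:
        safe_path(doc_root, url_path)
    except PermissionError:
        return True
    return False


def demo_db():
    """In-memory table standing in for the application's database (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("me", "user"), ("admin", "admin")])
    return con


def lookup_unsafe(con, username):
    """Vulnerable: the input is pasted into the SQL text, so it can rewrite the query."""
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, username):
    """Hardened: a bound parameter is always data, never SQL."""
    return [row[0] for row in con.execute("SELECT role FROM users WHERE username = ?", (username,))]


if __name__ == "__main__":
    evil = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"          # URL-encoded ../../../etc/passwd
    print("unsafe:", unsafe_path(DOC_ROOT, evil))
    print("safe blocks it:", is_traversal(DOC_ROOT, evil))
    con = demo_db()
    payload = "' OR '1'='1"
    print("unsafe lookup:", lookup_unsafe(con, payload))
    print("safe lookup:", lookup_safe(con, payload))
```

With the encoded request the vulnerable function hands back "/etc/passwd" while the hardened one refuses; with the tautology the concatenated query returns every row's role while the parameterised query returns nothing, because no user is literally named "' OR '1'='1".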

Page 44:

Mail Servers

Page 45:

Email (379)

What is email?

What is the protocol for email called?

What is the port number for email?

What are some security issues (in running email)?
• Relaying
• Reconnaissance
• Buffer overflows

We will talk about these on the next slides

Page 46:

Relaying and SPAM

• What is relaying? (next slide)

Page 47:

Relaying (n/b)

Page 48:

SPAM (ch. 11, 311)

How to make sure you're not the cause of SPAM

• Turn off "SMTP relaying"
  – Restrict IP addresses of senders to internal addresses only
  – Require authentication of users before allowing them to send email

Page 49:

Using email for reconnaissance

• EXPN and VRFY commands

Page 50:

Relaying

• Can get your mail server blacklisted quickly
• Wastes your bandwidth and CPU time
• Restrict relaying to internal addresses ONLY
• Use authentication mechanisms before allowing users to send mail out of your SMTP server
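The two relaying rules on this slide and on page 48 come down to one decision the server makes for every RCPT TO. This added example (not from the slides or the textbook) writes that decision out: mail addressed to one of our own domains is delivery, not relaying, and is always accepted; anything else is a relay request and is accepted only from an internal network or an authenticated client. The local domains, internal networks and client addresses are constructed.

```python
import ipaddress

# Constructed values: the domains this server accepts mail FOR and the networks it relays FOR.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]


def relay_decision(client_ip, authenticated, rcpt_to,
                   local_domains=LOCAL_DOMAINS, internal_nets=INTERNAL_NETS):
    """Accept or reject one RCPT TO address using the two rules from the slide."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return "accept"     # inbound mail for our own domains is delivery, not relaying
    # Anything else would be relayed on to another mail server, so the client
    # must either be on an internal network or have authenticated (SMTP AUTH).
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in internal_nets):
        return "accept"
    return "reject"         # an open relay would accept this for anyone on the Internet


if __name__ == "__main__":
    cases = [("203.0.113.5", False, "bob@example.com"),
             ("203.0.113.5", False, "victim@other.net"),
             ("10.1.2.3", False, "victim@other.net"),
             ("203.0.113.5", True, "victim@other.net")]
    for ip, auth, rcpt in cases:
        print(ip, "auth" if auth else "no-auth", rcpt, "->", relay_decision(ip, auth, rcpt))
```

The second case is the one a spammer is probing for: an outside address handing you mail for a third party. A server that answers "accept" there is an open relay and will be on blacklists within hours.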

Page 51:

Securing Exchange (378)
• Secure the OS
• Run only email services
• Run the MBSA
• Patch, patch, patch
• Restrict relaying

Page 52:

Securing Sendmail (379)
• Secure the OS
• Don't run as root (run as smtp)
• Turn off EXPN and VRFY
  – PrivacyOptions=noexpn,novrfy (in sendmail.cf the option list is comma-separated)
• Restrict relaying

Page 53:

FTP (379)

What is FTP?

What are the port numbers?

What is a problem with FTP?

Page 54:

FTP attacks (379)

• Sniffing of data and passwords (do example)
• Buffer overflows
• Use of anonymous accounts

Page 55:

Securing FTP

• Don't run FTP… seriously, use something else like scp or sftp
• Turn off anonymous access
• Restrict access to authorized IPs only (internal, hopefully!)
• Patch, patch, patch

Page 56:

DNS (379)

What is DNS?

What ports does it run on?

Attacks against DNS servers (next slides)

• Buffer overflows
• Reconnaissance attacks
• DNS cache poisoning

Page 57:

Buffer Overflows

You'll learn about these next chapter!

Countermeasures

• Run the DNS server as an unprivileged account
• Patch, patch, patch

Page 58:

Reconnaissance with DNS

Zone transfers allow hackers to learn your servers and IP addresses

Page 59:

Zone Transfers

Countermeasures

• Only allow zone transfers to your own slave (secondary) DNS servers.

Page 60:

DNS cache poisoning

The IP address for www.bankofamerica.com is currently 172.16.193.173. What happens if I can trick your computer into thinking www.bankofamerica.com is at IP 130.85.5.14, and I actually run 130.85.5.14?

Page 61:

File and Print Servers (380)

Attacks

• Buffer overflows – patch, patch, patch
• Sniffing – encrypt data, use switches
• Unauthorized / too much access (next)

Page 62:

Group Policies and Security Templates

Page 63:

Too Much Privilege

People have more access than they need

Countermeasures
• Require authentication to resources
• Ensure proper permissions on files (least privilege)
• On printers, only allow people to manage their own print jobs (stop, print, delete)
• Administrators can manage all features on printers.

Page 64:

Group Policies (382)

What are Group Policies – "an infrastructure to deliver and apply configurations and policy settings"

What do they require?

What tool do you use to manage them? (GPMC)

Show example with MMC.

Page 65:

Group Policies (382)

What are some things you might set in a GPO?
• Password policies
• Server login rights
• Access to USB drives
• What services start on a computer
• IE settings
• Network sharing encryption settings
• What software can be run
• Logon banners
• Others?

Page 66:

Group Policy Ordering

In Windows, Group Policies can exist at multiple levels. The order in which they are applied is as follows; later ones can override settings from earlier ones*

• Local Computer
• Local User GPO
• Site GPO
• Domain GPO
• Organizational Unit GPO

* There is a way for earlier GPOs to block their settings from being overwritten (marking the GPO link as Enforced, called No Override in older versions).
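The ordering rule and its exception are easy to get backwards in an exam question, so here is an added example (not from the slides or the textbook) that resolves a list of GPOs the way Windows does: apply them in order, let later ones override earlier ones, except that a setting from an Enforced (No Override) GPO is locked against everything applied after it. The four GPOs and their settings are constructed; the model covers only the Enforced flag, not Block Inheritance, WMI filters or security filtering.

```python
# Each GPO is (name, settings, enforced). The list is in application order:
# local, site, domain, OU, so later entries normally override earlier ones.
CONSTRUCTED_GPOS = [
    ("Local Computer", {"min_pwd_len": 6, "logon_banner": "local"}, False),
    ("Site: HQ", {"min_pwd_len": 8}, False),
    ("Domain: corp", {"min_pwd_len": 12, "usb_storage": "deny"}, True),
    ("OU: Lab", {"min_pwd_len": 4, "usb_storage": "allow", "logon_banner": "lab"}, False),
]


def resolve_gpos(gpos):
    """Return the effective settings after applying GPOs in order.

    A later GPO overrides an earlier one unless the earlier one is Enforced
    (No Override): its settings are locked and GPOs applied after it cannot
    change them.
    """
    effective = {}
    locked = set()
    for name, settings, enforced in gpos:
        for key, value in settings.items():
            if key in locked:
                continue            # set by an Enforced GPO higher up; cannot be overridden
            effective[key] = value
            if enforced:
                locked.add(key)
    return effective


def without_enforcement(gpos):
    """Same GPOs with every Enforced flag cleared, to show the difference."""
    return [(name, settings, False) for name, settings, _ in gpos]


if __name__ == "__main__":
    print("domain GPO enforced:    ", resolve_gpos(CONSTRUCTED_GPOS))
    print("domain GPO not enforced:", resolve_gpos(without_enforcement(CONSTRUCTED_GPOS)))
```

With the domain GPO enforced the lab OU keeps its own logon banner but cannot weaken the 12-character password minimum or re-enable USB storage; clear the flag and the OU, being applied last, wins on all three.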

Page 67:

Security Templates (384)

Security template – a collection of security settings that can be applied to a system.
• Password lengths
• Account lockout
• File permissions
• Registry permissions
• Restricted groups
• System services

Security templates can be stand-alone and applied to a system, or pushed out via Group Policy.

Page 68:

Chapter 12 – Review

Q. If I had a host-based firewall that restricts access to ssh (port 22/tcp) to only allowed IP addresses, should I still use TCP wrappers to block access? Why or why not?

Q. What is a program that you can use to scan your computer for open network ports?

Q. What is a program that tells you what programs are running and using what ports?

Q. What is a security template?

Page 69:

Chapter 12 – Review

Q. What is a Group Policy?

Q. Name 3 steps in hardening ANY OS.

Q. If you are a security admin, what is the best practice to defeat buffer overflow attacks?

Q. What does the inetd/xinetd daemon do?

Page 70:

Chapter 12 – Review

Q. What is a hot fix, and how is it different from a service pack?

Q. What is the idea of a password history?

Q. What is the idea of a minimum password age? What does it help enforce?