host hardening chapter 6 panko, corporate computer and network security copyright 2005 prentice-hall

Host Hardening

Chapter 6

Panko, Corporate Computer and Network SecurityCopyright 2005 Prentice-Hall

2

Figure 6-1: Hardening Host Computers

The Problem Computers installed out of the box have known

vulnerabilities Not just Windows computers

Hackers can take them over easily

They must be hardened—a complex process that involves many actions

3


Elements of Hardening Physical security (Chapter 2).

Secure installation and configuration

Fix known vulnerabilities

Turn off unnecessary services (applications)

Harden all remaining applications (Chapter 9)

(more on next page)

4


Elements of Hardening (continued) Manage users and groups

Manage access permissions For individual files and directories, assign access

permissions specific users and groups

Back up the server regularly

Advanced protections

5


Security Baselines Guide the Hardening Effort

Specifications for how hardening should be done

Different for different operating systems

Different for different types of servers (webservers, mail servers, etc.)

Needed because it is easy to forget a step

6


Server Administrators Are Called Systems Administrators

A sysadmin manages oneor several servers—not necessarily all of a firm’sservers

Sometimes, groups of sysadmins managemultiple servers

New

7


Windows Computers Microsoft Network Operating Systems (NOSs)

LAN Manager (LANMAN) Windows NT Server Windows 2000 Server Windows 2003 Server (called .NET in the book)

Graphical user interface looks like client versions to ease learning (Figure 6-2)

8

Figure 6-2: Windows 2000 Server User Interface

9


Windows Computers Administrative Tools Group under Programs has

Microsoft Management Consoles (MMCs) (Figure 6-3)

Used to conduct most administrative actions

Can add snap-ins for specific functionality

10

Figure 6-3: Computer Management Microsoft Management Console (MMC)

System Tools snap-in

11


Windows Computers Windows 2000 introduced hierarchical domain

structure with Active Directory

Domain is a collection of resources

Domain contains one or more domain controllers, member servers, client PCs

Group policy objects (GPOs) on a domain controller can implement policies throughout a domain

12


UNIX Many versions of UNIX

LINUX is a set of versions for PCs—there are several different distributions

User can select the user interface—GUI or command-line interface (CLI)

CLIs are called shells (Bourne, BASH, etc.)

CLIs have picky syntax, capitalization, and spacing

13


Internetwork Operating System (IOS) For Cisco Routers, Some Switches, Firewalls

Other Host Operating Systems Macintosh

Novell NetWare

Firewalls

Even cable modems with web-based management interfaces

14

Figure 6-4: Installation and Patching

Installation Offers Many Options, Some of Which Affect Security

For example, in Windows, the NTFS file system is better for security than FAT32

Need a security baseline to guide option choices during installation

15


Known Vulnerabilities

Most programs have known vulnerabilities

Exploits are programs that take advantage of known vulnerabilities

16


Known Vulnerabilities

Vulnerability reporters send vulnerability reports to vendors

Vulnerability reporters often say that vendors take too long to fix vulnerabilities

Vendors say that vulnerability reporters do not give them enough time, report too much detail to the press

17


Fixes

Work-around: A series of actions to be taken; no new software

Patches: New software to be added to the operating system

Upgrades: Newer versions of programs usually fix older vulnerabilities.

18


Upgrades

Often, security vulnerabilities are fixed in new versions

If a version is too old, the vendor might stop offering fixes

It might be good to wait to upgrade until after the first round of bug and security fixes

19


Mechanics of Patching

Microsoft Windows Server

Windows Update on Start menu (Figure 6-2) in Windows 2000

Automatic notification of update availability in Windows 2003

LINUX distributions often use rpm for updates

20

Patching

21


Patches Often Are Not Applied

Companies get overwhelmed by number of patches

Use many products, vendors release many patches per product

Especially a problem for application programs

22


Patches Often Are Not Applied

Cost of Patch installation

Mitigated by patch servers that distribute patches to general servers

More easy-to-use vendor tools are needed

Might simply lack the resources to apply all; might be selective

23


Patches Often Are Not Applied Risks of Patch installation

Reduced functionality

Freeze machines, do other damage—sometimes with no Uninstall possible

Should test patch on a test system before deployment

Special problem for mission-critical production systems that must work

24

Figure 6-5: Turning Off Unnecessary Services

Unnecessary Services

Operating system vendors used to install many services by default

This made them easier to use. When use changes, services do not have to be turned on.

Attackers have found flaws in many of these rare services

25


Unnecessary Services

Vendors now install fewer services by default—lock down mode

Turn to security baseline to see what services to turn on and off

Easier to install too few and add than to install too many and remove unwanted services

26


Turning Off Services In Windows Server

Go to the Computer Management MMC

On the tree, select Services and Applications (Figure 6-6)

Status tells whether the service is active

Startup tells how the service is started (automatic, manual, disabled, etc.)

Right click on a service or select and choose Action to stop a service, start it, disable it, etc.

27

Figure 6-6: Services and Applications in Windows

28


Turning Off Services In UNIX Three ways to start services

inetd to start services when requests come in from users (Figure 6-7)

rc scripts to start services automatically at book up (Figure 6-8)

Start a service manually by typing its name or executing a batch file that does so

29

Figure 6-7: UNIX inetd Daemon for Responding to Client Requests

Program A

Program B

Program C

Program D

inetd

Port 23 Program APort 80 Program BPort 123 Program CPort 1510 Program D

1. Client RequestTo Port 804. Start and

ProcessThis Request

3. Program B 2. Port 80

inetd.config

30

Figure 6-8 The UNIX rc.d Method of Automatically Starting Services

/etc/rc.d1. Script for Service A2. Script for Service B3. Script for Service F4. Script for Service H

rc0.d [scripts to run during System Mode 0-shutdown]K2 . . . [Run the Kill portion of Script 2: Kills Service B]K3 . . . [Run the Kill portion of Script 3: Kills Service F]. . .

rc.d directory

Scripts for services. Contain scripts to start or kill services.

Directory rc0.d. Subdirectory of rc.d. Contains scripts to run start or kill portions of scripts in rc.d directory. These scripts are executed if run mode 0 occurs—system shutdown

31

Figure 6-8 The UNIX rc.d Method of Automatically Starting Services

rc1.drc2.drc3.drc4.drc5.drc6.d [scripts to run during System Mode 6-startup]

S1 . . . [Run the Start portion of Script 1: Starts Service A]S2 . . . [Run the Start portion of Script 2: Starts Service B]. . .

rcs.d [scripts to run during System Mode s—single-user mode]

Other subdirectories of rc.d for scripts to execute in different run modes, such as run mode 6—startup

32


Turning Off Services In UNIX

Identifying services that are running at any moment

ps (processor status), usually with –aux parameters, lists running programs

Shows process name and process ID (PID)

netstat tells what services are running on what ports

33


Turning Off Services In UNIX kill PID to kill a particular process

kill 47 (If PID=47)

Add parameters –SIGTERM, -SIGHUP, -SIGKILL in order of increasing urgency

kill 47 –SIGTERM (PID = 47)

Only kills for now.

Must search inetd.config, rc scripts, batch files to see where it is being started automatically. Difficult to do.

34

Figure 6-9: Managing Users and Groups

Introduction

Every user must have an account

There can also be groups

Can assign security measures to groups

These measures apply to the individual group members automatically

Faster and easier than assigning security measures to individuals

35


Creating and Managing Groups in Windows Computer Management: Local Users and Groups

snap-in (Figure 6-10)

Select Users

Select user from list Right click on user and select Properties:

password restrictions, disable box Or select Action: change password, etc. Add, delete users

36

Figure 6-10: Users and Groups in Windows

37

Figure 6-11: Windows User Account Properties

To get this screen, right click on user account in Figure 6-10, select Properties

38

Figure 6-12: Creating a New User in Windows

39


Creating and Managing Groups in Windows Select user from list

Administrator is the super account

Change its name and create a new Administrator account with no permissions

Administrators should not log in as Administrators; log in as their own account, use RunAs to get temporary Administrator status when needed

40


Creating and Managing Groups in Windows

Select user from list

Guest account should be disabled (the default during installation)

41


Creating and Managing Groups in Windows Select Groups

Assign rights to groups

Standard groups: Administrators, Power Users, Backup Operators, etc.

Have appropriate permissions by default for their tasks

42


Managing Users and Groups in UNIX

Different versions of UNIX do this differently, so it is difficult to talk in general terms

The super account is root

su (switch user) allows administrators to log in as regular accounts, su to get root privileges when desired

Guest account should be disabled

43

Figure 6-13: Managing Permissions

Principle of Least Permissions: Give Users the Minimum Permissions Needed for Their Job

More feasible to add permissions selectively than to start with many, reduce for security

44


Assigning Permissions in Windows (Figure 6-14)

Right click on file or directory in My Computer

Select Properties, then Security tab

Select a user or group

NOT done through the start menu, selecting Administrative Tools

45

Figure 6-14: Assigning Permissions in Windows

To bring up this screen, right click on a folder, select Properties. Click on Security tab

46


Assigning Permissions in Windows (Figure 6-14) Click on or off the 6 standard policies (permit or deny)

List Folder Contents (see what is in a directory)

Read (read only)

Read and Execute (for programs)

Write (change files)

Modify (Write plus delete)

Full control: all permissions

47


Assigning Permissions in Windows (Figure 6-14)

Click on or off the 6 standard policies (permit or deny)

For more fine-grained control, 13 special permissions collectively give the standard 6

This gives highly granular access controls, especially compared to UNIX (next)

48


Assigning Permissions in UNIX ls -l shows details of files and directories in long format

First character is - for a file, d for a directory Ends with name of file or directory

-rwxr-x---1 root . . . purple.exedrw-r---- 1 brows . . . reports-rw-rw-r--1 lighter . . . bronze.txt

Note: purple.exe is a file; reports is a directory.What is bronze.txt?

49


Assigning Permissions in UNIX ls -l shows files in a directory in long format

Only three permissions: read (only), write (change), and execute (run program)

Format is rwx for all or various combinations (r-x is read and execute but not write)


rwx

50


Assigning Permissions in UNIX ls -l shows files in a directory in long format

Next three characters are permissions (rwx possible) for the file owner


purple.exe’s owner has all three permissionsreports’ owner has only read and write permissions

51


Assigning Permissions in UNIX Next three are permissions (rwx possible) for the

group Next three are permissions for the rest of the

world


purple’s group has read and execute permissions.purple has no permissions for the rest of the world.

52


Assigning Permissions in UNIX Next comes the number of links Next comes the name of the owner Group might be shown (not here)


53


Assigning Permissions in UNIX Changing permissions

umask (user mask) command sets the default permissions for future assignments

chmod (change mode) changes permissions for the file

chown (change owner) changes the ownership of a file

54

Figure 6-16: Advanced Server Hardening Techniques

Reading Event Logs (Chapter 10)

The importance of logging to diagnose problems

Failed logins, changing permissions, starting programs, kernel messages, etc.

Windows 2000 Event Viewer (Figure 6-17)

55

Figure 6-17: Windows 2000 Event Viewer for Logging

56


Reading Event Logs (Chapter 10)

UNIX has many logging facilities controlled by syslog program (Figure 6-18)

Syslog program sends log entries of different types to specific directories on the host or on other hosts

The file syslog.config specifies which log entries and which severity levels should go to which directories on which hosts

57

Figure 6-18: syslog in UNIX

EventFrom

InternalSystem

syslog

…Login.Err HostA..Restart.* /errors/restart..

3. Host A2. Login/Err

1. Event.Type=Login,

Level=Err

syslog.config

Host Wishingto Do Remote

Logging

4.RemoteLogging

Host A(Runs syslog)

58


Backup (Chapter 10) UNIX backup

tar command (tape archive)

Create tape archive of a file, group of files, directory tree in a .tar file

Can use tar to look at table of contents of files in .tar file

Can use tar to restore one, some, or all files

59


Backup (Chapter 10)

Windows backup

Start, Programs, Accessories, System Tools, Backup

Note that Backup is under Accessories rather than under Administrative Tools like most MMCs

GUI to create backups, restore backups

60


File Encryption Protects files even if attacker breaks in

Key escrow: Copy of encryption key is kept elsewhere to protect in case of key loss

Windows Encrypting File System (EFS) Select file in Windows Explorer, select

Properties Click on General tab’s Advanced button Click on the box Encrypt contents to secure data

61


File Encryption Windows Encrypting File System (EFS)

Encryption is transparent: Save, retrieve, copy files as usual

Encrypted files generally cannot be sent over the network

There is a Recovery agent (usually on the domain controller) for key escrow

62


File Integrity Checker

Creates snapshot of files: a hashed signature (message digest) for each file

After an attack, compares post-hack signature with snapshot

This allows systems administrator to determine which files were changed

Tripwire is the usual file integrity checker for UNIX (Figure 6-19)

63

Figure 6-19: Tripwire File Integrity Checker

File 1File 2…Other Files inPolicy List

File 1File 2…Other Files inPolicy List

File 1 SignatureFile 2 Signature……

File 1 SignatureFile 2 Signature……

Tripwire

Tripwire

1.EarlierTime

2.After

Attack

Post-Attack Signatures

3. Comparison to Find Changed Files

Reference Base

64


File Integrity Checker If applied to too many files, too many false alarms

will occur

Must be selective—core programs likely to be Trojanized during attacks

Server Host Firewalls Rules can be specific to the server’s role (e-mail,

etc.)

65

Figure 6-20: Types of UNIX Vulnerability Assessment Tools

ExternalAuditTool

HostAssessment

Tool

NetworkMonitoring

ToolAttackPacket

NetworkTraffic

AuditingComputer

66

Figure 6-21: Hardening Clients

Importance of Clients

Contain important information

If taken over, can get in as user, passing through firewalls and other protections

67


Enforcing Good Practice Patching

Antivirus software

Firewall software

Limiting client software to an approved list (e.g., forbidding P2P file exchange products)

Save passwords?

File encryption

68


Central Control is Desirable for Clients For example, Microsoft Group Policy Objects

(GPOs) for home clients

Require certain programs (antivirus, etc.), forbid programs not on list

Even lock down desktop so use cannot add new software or even change the interface

Central vulnerability scanning

Difficult to enforce on personally owned home computers

69

Topics Covered

Firewalls and other protections sometimes break down

Computers must be hardened to survive when attackers reach them

Defense in depth

70

Topics Covered

Elements of Hardening Physical security (Chapter 2). Secure installation and configuration Fix known vulnerabilities Turn off unnecessary services (applications) Harden all remaining applications (Chapter 9) Manage users and groups Manage access permissions Back up the server regularly Advanced protections

71

Topics Covered

Baselines are needed to specify everything that must be done to harden a server

Server administrators are called systems administrators Each server has one or more sysadmins

72

Topics Covered

Microsoft Network Operating Systems (NOSs)

LAN Manager (LANMAN)

Windows NT Server

Windows 2000 Server

Windows 2003 Server (called .NET in the book)

Familiar Windows interface gives ease of learning and use

73

Topics Covered

UNIX Many versions of UNIX

LINUX distributions

CLIs are difficult to use

Other Novell NetWare

Cisco IOS for routers and switches

Firewalls, cable modems, etc.

74

Topics Covered

Installation Many options affect security

Need a baseline to guide installation

75

Topics Covered

Patching vulnerabilities The most critical hardening step

Fixes, patches, and upgrades

Often not applied because of sysadmin overload

Need to test patches before roll out

Linux uses rpm to get patches

Windows 2000 uses the Windows Update item on the start menu

Automatic notification in Windows 2003

76

Topics Covered

Turn Off Unnecessary Services To give attackers fewer targets

Windows Server Computer management MMC GUI

Unix inetd.config modification rc scripts ps –aux, netstat show process IDs (PIDs) kill PID kills the process with that PID

77

Topics Covered

Managing Users and Groups Assign permission to users

Can also assign permissions to groups Group members receive all assigned

permissions

Assign permissions for individuals and groups to individual directories

78

Topics Covered

Managing Users and Groups Windows Server Computer Management: Local

Users and Groups snap-in to manage users and groups

Assign permission to directories by right clicking on them

Windows has 6 standard permissions which can be subdivided into 13 special permissions

Windows can assign permissions in a directory to many users and groups

79

Topics Covered

Permissions in Unix Only three (read, write, and execute)

Can only be assigned to a file or directory owner, a single group, and the rest of the world

ls -l shows permissions

chmod changes permissions for a file or directory

chown changes the owner of a file or directory

80

Topics Covered

File Integrity Checking Tripwire for Unix and Windows

Host Firewall Protections tailored to host’s specific services

Vulnerability Assessment Unix external audit, network monitoring, and host

assessment tools

81

Hardening Clients

Good Practice Many Aspects

Patching Antivirus software Firewall software Limiting client software to an approved list Etc.

Difficult to enforce Centralized management (e.g., Microsoft GPOs)

can enforce policies

host hardening chapter 6 panko, corporate computer and network security copyright 2005 prentice-hall

Documents

hardening effortspecifications

host hardeningchapter

client versions

network security copyright

server user interfacefigure

member servers

domain controllers

mail servers