A6 Security Misconfiguration
TRANSCRIPT
-
8/2/2019 A6 Security Misconfiguration
1/17
A6:
SECURITY MISCONFIGURATION
BY Shaikh Asadullah
-
SECURITY MISCONFIGURATION?
This happens when system admins, DBAs and developers leave security holes in the configuration of computer systems: the software itself may be sound, but the way it is deployed is not.
Examples:
• Router ACLs that are more permissive than they need to be
• Default accounts and passwords
• Unnecessary default, backup and sample apps and libraries
• Unused administrative services (FTP, DNS)
• Software that is unpatched, outdated or left at its default settings
-
HOW ATTACKERS DO IT
Collect information about the targeted system's stack:
• OS and version number
• Web server type (Apache, IIS, etc.)
• RDBMS (MySQL, SQL Server, Oracle, etc.)
• Web development language
• Tools/libraries used (Castle, NHibernate, etc.)
Much of this is volunteered by the system itself, in response headers, version banners, default pages and verbose error pages.
Check their data sources for all known exploits against any part of that stack.
• There are known vulnerabilities for each level of the stack, and an exact version number narrows the search to the ones that apply.
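The following Python is an added example, not part of the original deck, showing the first step above from the attacker's side: what can be read straight off one HTTP response. The two responses are constructed for illustration; the header names (Server, X-Powered-By, X-AspNet-Version, the session cookie names) are the real ones that leak stack details, and the hardened response shows the same server after version advertising is switched off.

```python
"""Stack fingerprinting from response headers (added example, constructed
responses; no network access is made)."""
import re

# Constructed response typical of a default install that "gives away" its
# stack: web server build, OS flavour, language runtime and version.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed counterpart after hardening: Apache "ServerTokens Prod",
# PHP "expose_php = Off" and a renamed session cookie leave only "Apache".
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: id=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Default session cookie names that identify the application platform.
COOKIE_PLATFORMS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}

SERVER_RE = re.compile(r"([\w-]+)/([\d.]+)(?:\s+\(([^)]+)\))?")


def parse_headers(raw):
    """Split a raw HTTP response into (lower-cased name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def fingerprint(raw):
    """Return the stack details an attacker can read without sending anything
    more than one ordinary GET request."""
    info = {}
    for name, value in parse_headers(raw):
        if name == "server":
            m = SERVER_RE.match(value)
            if m:
                info["web_server"] = m.group(1)
                info["web_server_version"] = m.group(2)
                if m.group(3):
                    info["os_hint"] = m.group(3)       # e.g. "(Ubuntu)"
            else:
                info["web_server"] = value              # product name only
        elif name == "x-powered-by":
            product, _, version = value.partition("/")
            info["language"] = product
            if version:
                info["language_version"] = version
        elif name == "x-aspnet-version":
            info["framework_version"] = value
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in COOKIE_PLATFORMS:
                info["platform_from_cookie"] = COOKIE_PLATFORMS[cookie_name]
    return info


if __name__ == "__main__":
    print("default install:", fingerprint(SAMPLE_RESPONSE))
    print("hardened:       ", fingerprint(HARDENED_RESPONSE))
```

The default install hands over the web server build, the OS distribution, the PHP version and the platform in one response; the hardened one yields only the product name, which is the aim of "don't give away info about your stack" on the next slide.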
-
HOW DO WE PROTECT?
• Don't give away info about your stack
• Change default user accounts
• Delete unused pages and user accounts
• Turn off unused services
• Whitelist pages
• Stay up to date on patches
• Consider internal attackers as well as external
• Use automated scanners
-
CHANGE DEFAULT ACCOUNTS
When you install an OS or server tool, it often comes with a default privileged account and a well-known default password.
Examples (as given in this deck; the actual defaults vary by product and version):
• Windows "Administrator" & "Administrator"
• SQL Server "sa" & no password
• Oracle "MASTER" & "PASSWORD"
• Apache "root" & "changethis"
Make sure you change these passwords!
Completely delete the accounts when possible; where a built-in account cannot be removed, rename it and disable it.
-
DELETE UNUSED PAGES
Remove all files and pages that are no longer needed.
Focus on:
• Installation default and sample pages
• Pages that we've migrated away from
• Old and backed-up config files
A copy such as web.config.bak is not covered by the handler that keeps web.config from being served, so the web server will hand it out as plain text to anyone who asks for it by name.
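An added example, not from the original deck, of the audit the slide asks for: walk a deployment and flag the leftovers. The file listing is constructed; the suffixes, directory names and file names it matches are the usual ones (editor and backup copies, install and sample directories, diagnostic pages, database dumps, version-control metadata).

```python
"""Leftover-file audit for a deployed web root (added example; the file
listing below is constructed, the patterns are the usual suspects)."""
import re
from pathlib import PurePosixPath

# Constructed listing of a web root, relative to the document root.
DEPLOYED_FILES = [
    "index.html", "app/login.jsp", "css/site.css", "js/app.js",
    "web.config", "WEB-INF/web.xml",
    "web.config.bak", "app/config.php~", "app/config.php.orig",
    "old/index.html.old", "install/setup.php", "samples/hello.jsp",
    "phpinfo.php", "test.php", "db_backup_2019.sql", ".git/config",
]

# Editor and backup copies: served as plain text because no handler owns them.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")
# Installer, sample and diagnostic content that ships with many packages.
LEFTOVER_DIRS = {"install", "setup", "samples", "sample", "examples",
                 "example", "test", "tests"}
LEFTOVER_NAMES = {"phpinfo.php", "info.php", "test.php", "setup.php",
                  "install.php"}
# Version-control metadata exposes source and history.
VCS_DIRS = {".git", ".svn", ".hg"}
# Database dumps left in the document root.
DUMP_RE = re.compile(r"(backup|dump).*\.sql$", re.I)


def classify(path):
    """Return a finding category for a path, or None if it looks legitimate."""
    p = PurePosixPath(path)
    dirs = set(p.parts[:-1])
    name = p.name.lower()
    if dirs & VCS_DIRS:
        return "vcs-metadata"
    if name.endswith(BACKUP_SUFFIXES):
        return "backup-copy"
    if name in LEFTOVER_NAMES or dirs & LEFTOVER_DIRS:
        return "install-or-sample"
    if DUMP_RE.search(name):
        return "data-dump"
    return None


def audit(paths):
    """Map each flagged path to its category; clean paths are omitted."""
    findings = {}
    for path in paths:
        category = classify(path)
        if category:
            findings[path] = category
    return findings


if __name__ == "__main__":
    for path, category in audit(DEPLOYED_FILES).items():
        print(f"{category:18} {path}")
```

The live web.config and WEB-INF/web.xml are not flagged: the server refuses to serve them by design. Everything the audit does flag is a file that design no longer protects, which is exactly why it has to be removed rather than left "just in case".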
-
DELETE UNUSED ACCOUNTS
As soon as an employee or contractor leaves:
• Change their password
• Change their username
• Move their files and delete the account
Disabling the account first and deleting it once the files are moved is safer than deleting straight away: nothing can log in while the cleanup runs, and nothing is lost if it takes longer than planned.
Look for old client accounts and delete them.
-
TURN OFF UNUSED SERVICES
Look through all running services.
If they're not being used, turn them off.
Disable them so they do not start again on system startup.
Pay particular attention to:
• Services enabled upon install (remote debugging, content management)
• Services turned on ad hoc for one-time use: "This is a temporary fix. We'll put a better solution in later."
Inside IIS:
• Directory browsing
• Ability to run scripts and executables in directories that only need to serve static content
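An added example, not from the original deck, of how "look through all running services" can be made repeatable: compare what is listening against a baseline of what the host is supposed to run. The listing is constructed in the layout of Linux `ss -tlnp` output and no live sockets are queried; the baseline is a hypothetical one for this host. On a Windows/IIS host the same comparison would be made against `netstat -ano` output.

```python
"""Listening-service audit against a baseline (added example; the socket
listing is constructed and the baseline is hypothetical)."""
import re

# Constructed output in the layout of `ss -tlnp` on Linux.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=655,fd=4))
LISTEN 0      10     0.0.0.0:53          0.0.0.0:*         users:(("named",pid=702,fd=21))
LISTEN 0      128    0.0.0.0:9229        0.0.0.0:*         users:(("node",pid=2310,fd=19))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=930,fd=12))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=988,fd=6))
"""

# Hypothetical baseline for this host: port -> (expected process, loopback only?)
# Everything not listed here is by definition "not being used" and gets flagged.
BASELINE = {
    22: ("sshd", False),
    443: ("nginx", False),
    3306: ("mysqld", True),        # database must not face the network
    6379: ("redis-server", True),  # cache must not face the network
}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(text):
    """Return (local address, port, process name) for each LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit_listeners(text, baseline):
    """List every listener that is unexpected, wrong, or bound too widely."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if port not in baseline:
            findings.append(f"unexpected service {proc} on {addr}:{port}")
            continue
        expected, loopback_only = baseline[port]
        if proc != expected:
            findings.append(f"port {port}: expected {expected}, found {proc}")
        if loopback_only and not addr.startswith("127."):
            findings.append(
                f"{proc} on port {port} bound to {addr}; should be loopback only"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SS_OUTPUT, BASELINE):
        print(finding)
```

The three "unexpected" findings are the slide's categories in miniature: an unused administrative service (FTP), a service enabled by a package install (DNS) and a remote debugger left on after an ad hoc fix (node on 9229). The Redis finding is the subtler case: a service that is needed, but exposed more widely than it needs to be.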
-
WHITELIST PAGES
Serve only pages that are allowed.
Intercept requests for pages and disallow any request for something other than:
• *.html
• *.jsp
• *.js
• *.css
• etc.
Whitelists are better than blacklists: a blacklist has to name every extension you forgot to clean up (.bak, .old, .sql, .config, ...), while a whitelist only has to name what the site actually serves.
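An added example, not from the original deck, of the request interception described above as a function a front controller or filter would call before touching the file system. The extension list extends the four the slide names with two image types, and the assumption that "/" maps to /index.html is mine; both are marked in the code. The function also canonicalises the path first, since an allowlist is only as good as the path it is applied to.

```python
"""Request-time extension allowlist with path canonicalisation (added
example; allowlist and default document are assumptions)."""
import posixpath
from urllib.parse import unquote

# Assumed allowlist: the deck names the first four, the images are typical
# static assets added here for illustration.
ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css", ".png", ".jpg"}
DEFAULT_DOCUMENT = "/index.html"   # assumption: what a request for "/" maps to


def normalize(request_path):
    """Canonicalise a request path so the check sees what the server would open.

    Percent-decoding runs twice to collapse double-encoded sequences such as
    %252e%252e, the query string and fragment are dropped, backslashes are
    treated as separators, and '..' segments are resolved under '/'.
    """
    path = request_path
    for _ in range(2):
        path = unquote(path)
    path = path.split("?", 1)[0].split("#", 1)[0]
    path = path.replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(request_path):
    """True only if the canonical path is one the allowlist permits."""
    norm = normalize(request_path)
    if "\x00" in norm:                      # NUL-byte truncation tricks
        return False
    if norm == "/":
        norm = DEFAULT_DOCUMENT
    segments = norm.split("/")[1:]
    if any(seg.startswith(".") for seg in segments):   # .git, .htaccess, .env
        return False
    ext = posixpath.splitext(norm)[1].lower()
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for p in ["/index.html", "/app/login.jsp?next=/home",
              "/app/../web.config.bak", "/%2e%2e/db_backup.sql",
              "/.git/config", "/index.html%00.bak"]:
        print(f"{p:28} -> {'serve' if is_allowed(p) else '403'}")
```

Note what the allowlist never has to know about: it rejects web.config.bak, the SQL dump and the .git directory without a rule for any of them, because none of them end in an extension the site serves. That is the practical meaning of "whitelists are better than blacklists".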
-
UPDATE PATCHES
Patch Tuesday is the most overlooked defense.
Day-one vulnerabilities: once a patch is published, attackers can diff it to find the hole it closes, so the window between a fix being released and being exploited is short.
Subscribe to vendors' alert lists.
Follow the RSS feeds of Wired, Slashdot, etc.
-
CONSIDER INTERNAL ATTACKERS
Rootkits can be installed.
Private files can be exposed.
Review user authentication and privileges.
Web.config can't be served to browsers, but it can be read by employees with access to the file system.
• Encrypt parts of it (for ASP.NET, aspnet_regiis -pe encrypts a named section such as connectionStrings in place, so the file on disk no longer holds the database credentials in clear text).
-
USE AUTOMATED SCANNERS
Download and install one or more automated scanners:
• Microsoft Baseline Security Analyzer (MBSA)
• WebScarab from OWASP
• Nikto
• Samurai
Attackers will run tools like these against you, so run them against yourself first.
-
SUMMARY
Many hackers find ways to damage our systems that can be stopped by some simple maintenance of the stack:
• Applying patches
• Removing or changing authentication on unneeded or default accounts
• Whitelisting the files served
• Using automated scanners
-
REFERENCES
Secure deployment section of the OWASP site: http://www.owasp.org
Nikto: http://www.cirt.net
http://sectools.org