Host Hardening (March 30, 2015) © Abdou Illia – Spring 2015 Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment


Page 1

Host Hardening

(March 30, 2015)

© Abdou Illia – Spring 2015

Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment

Page 2

Computer system #1

Intel® Core® i7 Processor (3.20GHz)
2GB SDRAM PC3200 (800MHz), Dual Channel
1TB Serial ATA 7200rpm Hard Disk Drive
16x Multi-Format DVD Writer (DVD±R/±RW)
Gateway 7-Bay Tower Case
Integrated Ultra ATA Controller
(1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
(7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2
20" Black LCD Flat Panel Display (19" viewable)
Gateway Premium 104+ Keyboard
Two-Button PS/2 Wheel Mouse
Napster 2.0 and 150 Song Sampler
Intel® High Definition Audio
GMAX 2100 2.1 Speakers with Subwoofer
56K PCI data/fax modem
10/100/1000 (Gigabit) Ethernet
Microsoft Office 2010 Professional on DVD

Page 3

Computer Hardware & Software

Layers:
Computer Hardware
Operating System
Productivity Software

Page 4

Computer system #2

Same hardware configuration as computer system #1 (Intel® Core® i7 processor, 2GB SDRAM, 1TB hard disk drive, DVD writer, Gateway 7-bay tower case, USB/Firewire/serial ports, 20" LCD display, keyboard, mouse, audio, speakers, 56K modem, Gigabit Ethernet), with the following software:
Windows 7 Professional
Google Chrome 16 installed
Microsoft Office 2010 Professional installed

Page 5

Computer Hardware & Software

Layers:
Computer Hardware
Operating System
Web browser
Productivity Software

Page 6

Computer system #3

Same hardware configuration as computer system #1 (Intel® Core® i7 processor, 2GB SDRAM, 1TB hard disk drive, DVD writer, Gateway 7-bay tower case, USB/Firewire/serial ports, 20" LCD display, keyboard, mouse, audio, speakers, 56K modem, Gigabit Ethernet), with the following software:
Windows Server 2008 Enterprise installed
Internet Explorer 8 installed
IIS 6.0 installed

Page 7

Computer Hardware & Software

Layers:
Computer Hardware
Operating System
Client & server application programs:
Web service software (IIS, Apache, ...)
Web browser
Productivity Software

Page 8

Your knowledge about Host hardening

Which of the following is most likely to make a computer system unable to perform any kind of work or to provide any service?

a) Client application programs get hacked
b) Server application programs (web service software, database service, network service, etc.) get hacked
c) The operating system gets hacked
d) The connection to the network/Internet gets shut down

Page 9

OS market share

OS Vulnerability test (2010) by omnired.com

OS tested: Win XP, Win Server 2003, Win Vista Ultimate, Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger, FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10

Tools used to test vulnerabilities: scanning tools (Track, Nessus); network mapping (Nmap command). All hosts with OS installation defaults.

Results
Microsoft's Windows and Apple's OS X are rife with remotely accessible vulnerabilities and allow for executing malicious code.
The UNIX and Linux variants present a much more robust exterior to the outside.
Once patched, however, both Windows and Apple's OS are secure.

Page 10

Your knowledge about Host hardening

You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?

a) Windows XP
b) Linux FreeBSD 6.2
c) They will have the same level of security

What needs to be done first in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?

a) Lock the server room
b) Configure the firewall to deny all inbound traffic to the server
c) Download and install patches for known vulnerabilities

Page 11

Security Baseline

Because it's easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: a standard security baseline.

Different kinds of hosts need different security baselines, i.e.:
Different security baselines for different OS and versions
Different security baselines for different types of server applications (web service, email service, etc.)
Different security baselines for different types of client applications

Page 12

Options for Security Baselines

An organization could use different standards:
OS vendors' baselines and tools, e.g. follow the MS installation procedure and use Microsoft Baseline Security Analyzer (MBSA)
Standards agencies' baselines, e.g. CobiT* Security Baseline
Company's own security baselines

Security baseline to be implemented by server administrators, known as systems admins

* Control Objectives for Information and Related Technology

Page 13

Elements of Hardening

Physical security
Secure installation and configuration
Fix known vulnerabilities
Remove/turn off unnecessary services (applications)
Harden all remaining applications
Manage users and groups
Manage access permissions: for individual files and directories, assign access permissions to specific users and groups
Back up the server regularly
Advanced protections

According to baseline

Page 14

Example of Security Baseline for Win XP Clients

OS Installation
Create a single partition on HDD
Format disk using NTFS file system
Install Win XP and Service Pack 3

Fixing OS vulnerabilities
Download and install latest patches
Turn on Windows' Automatic Updates checking

Configure Windows Firewall
Block incoming connections except KeyAccess and Remote Assistance

Turn off unnecessary services
Turn off Alerter, Network Dynamic Data Exchange, telnet

Application Installation
Centrally assign applications using group policies

Fixing applications' vulnerabilities
Turn on each application's automatic update checking

Page 15

Hardening servers

The 5 P's of security and compliance: Proper Planning Prevents Poor Performance

Plan the installation

Identify:
The purpose of the server. Example: provides easy & fast access to Internet services
The services provided on the server
Network service software (client and server)
The users or types of users of the server

Determine:
Privileges for each category of users
If and how users will authenticate
How appropriate access rights will be enforced
Which OS and server applications meet the requirements
The security baseline(s) for installation & deployment

Install, configure, and secure the OS according to the security baseline
Install, configure, and secure server software according to the security baseline
Test the security
Add network defences
Monitor and maintain

Page 16

Hardening servers (cont.)

Choose the OS that provides the following:
Ability to restrict admin access (Administrator vs. Administrators)
Granular control of data access
Ability to disable services
Ability to control executables
Ability to log activities
Host-based firewall
Support for strong authentication and encryption

Disable or remove unnecessary services or applications
If no longer needed, remove rather than disable, to prevent re-enabling
Additional services increase the attack surface
More services can increase host load and decrease performance
Reducing services reduces logs and makes detection of intrusion easier

Page 17

Hardening servers (cont.)

Configure user authentication
Remove or disable unnecessary accounts (e.g. Guest account)
Change names and passwords for default accounts
Disable inactive accounts
Assign rights to groups, not individual users
Don't permit shared accounts if possible
Configure time sync
Enforce appropriate password policy
Use 2-factor authentication when necessary
Always use encrypted authentication

Page 18

UNIX / Linux Hardening

Many versions of UNIX; no standard guideline for hardening

User can select the user interface: Graphical User Interface (GUI) or Command-Line Interfaces (CLIs), i.e. shells

CLIs are case-sensitive; commands are in lowercase, while file names may be in any case

Page 19

UNIX / Linux Hardening

Three ways to start services

Start a service manually: (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so

Using the inetd program to start services when requests come in from users

Using the rc scripts to start services automatically at boot up

inetd = Internet daemon; a daemon is a computer program that runs in the background

Page 20

UNIX / Linux Hardening

Starting services upon client requests

Diagram: inetd holds a table, read from /etc/inetd.config, that maps ports to programs:
Port 23 → Program A
Port 80 → Program B
Port 123 → Program C
Port 1510 → Program D

1. Client request to port 123
2. inetd receives the request on port 123
3. inetd looks up the program for port 123: Program C
4. Program C is started and processes this request

Services not frequently used are dormant
Requests do not go directly to the service
Requests are sent to the inetd program, which is started at server boot up
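As an added example that is not part of the slides, here is a small Python audit of the table inetd works from. It parses a constructed excerpt of /etc/inetd.conf (the standard name of the file the slide calls /etc/inetd.config) and of /etc/services, separates the services inetd would start on demand from those disabled by being commented out, and answers the diagram's question of which program a request on a given port starts.

```python
# Added example, not from the slides. An /etc/inetd.conf entry is one line:
#   service socket_type proto wait|nowait user server_program [args]

# Constructed excerpt of /etc/services, mapping service names to ports.
SERVICES = """telnet   23/tcp
http     80/tcp
ntp     123/udp
finger   79/tcp
"""

# Constructed /etc/inetd.conf; a leading '#' disables an entry, so finger is off.
INETD_CONF = """# Internet services started on demand by inetd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
http    stream  tcp  nowait  www     /usr/sbin/httpd       httpd
ntp     dgram   udp  wait    root    /usr/sbin/ntpd        ntpd
"""

def parse_services(text):
    """Return {(name, proto): port} from /etc/services-style lines."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            port, proto = fields[1].split("/")
            ports[(fields[0], proto)] = int(port)
    return ports

def audit_inetd(conf_text, services_text):
    """Split inetd.conf entries into enabled and disabled (commented-out)
    services, each resolved to the port inetd would listen on."""
    ports = parse_services(services_text)
    enabled, disabled = [], []
    for line in conf_text.splitlines():
        body = line.strip().lstrip("#").split()
        # A real entry has >= 6 fields with tcp/udp third; skip other lines.
        if len(body) < 6 or body[2] not in ("tcp", "udp"):
            continue
        name, _socktype, proto, _wait, _user, program = body[:6]
        entry = {"service": name, "port": ports.get((name, proto)), "program": program}
        (disabled if line.lstrip().startswith("#") else enabled).append(entry)
    return enabled, disabled

def program_for_port(enabled, port):
    """Diagram steps 2-3: the program inetd starts for a request on `port` (None: nothing bound)."""
    for entry in enabled:
        if entry["port"] == port:
            return entry["program"]
    return None
```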

Page 21

UNIX / Linux Hardening

Turning On/Off unnecessary Services in UNIX

Identifying services running at any moment
ps command (process status), usually with the -aux parameters, lists running programs; shows process name and process ID (PID)
netstat tells what services are running on what ports

Turning off services in UNIX
The kill PID command is used to kill a particular process, e.g. kill 47 (if PID=47)

Page 22

Advanced Server Hardening Techniques

File Integrity Checker
Creates a snapshot of files: a hashed signature (message digest) for each file
After an attack, compares post-hack signatures with the snapshot
This allows the systems administrator to determine which files were changed
Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

Page 23

Advanced Server Hardening Techniques

Diagram: how Tripwire works
1. Earlier time: Tripwire computes a signature for File 1, File 2, … and the other files in the policy list; these signatures form the Reference Base
2. After attack: Tripwire computes post-attack signatures for the same files
3. Comparison of the post-attack signatures with the reference base to find changed files

File integrity problem: many files change for legitimate reasons, so it is difficult to know which ones the attacker changed.
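As an added example that is not part of the slides or of Tripwire's own code, this Python script implements the snapshot-and-compare scheme of the two previous slides on a constructed directory tree: it records a message digest for each file under the policy directories, then compares a later snapshot with that reference base. It also shows one way to cope with the problem noted above: paths that change for legitimate reasons (here the log file) are declared volatile and reported apart from the rest.

```python
# Added example, not from the slides: a minimal file integrity checker in the
# style described for Tripwire. It records a message digest of every file in
# the policy list, then compares a later snapshot against that reference base.
import hashlib, os, tempfile

def file_digest(path, algo="sha256"):
    """Hashed signature (message digest) of one file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, policy_dirs):
    """{relative path: digest} for every file under the policy directories."""
    base = {}
    for d in policy_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, d)):
            for name in files:
                path = os.path.join(dirpath, name)
                base[os.path.relpath(path, root).replace(os.sep, "/")] = file_digest(path)
    return base

def compare(reference, current, volatile=()):
    """Compare a later snapshot with the reference base; paths in `volatile` are
    expected to change (logs, caches) and are reported separately from the rest."""
    diff = {p for p in set(reference) & set(current) if reference[p] != current[p]}
    return {"changed": sorted(diff - set(volatile)),
            "expected_change": sorted(diff & set(volatile)),
            "added": sorted(set(current) - set(reference)),
            "removed": sorted(set(reference) - set(current))}

def write(root, rel, data, mode="wb"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: reference base at an earlier time, then a system
    binary is altered, a log grows legitimately and an unknown file appears."""
    policy = ["bin", "etc", "var/log"]
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"login v1")
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write(root, "var/log/messages", b"boot ok\n")
        reference = snapshot(root, policy)                    # 1. earlier time
        write(root, "bin/login", b"login v1 + extra code")    # 2. after attack
        write(root, "var/log/messages", b"cron ran\n", "ab")  # legitimate change
        write(root, "bin/unknown", b"new binary")
        return compare(reference, snapshot(root, policy), volatile={"var/log/messages"})
```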

Page 24

Other types of host that can be hardened

Internetwork Operating System (IOS): for Cisco routers, some switches, firewalls
Even cable modems with web-based management interfaces