hardening the host computer - wmich.edullilien/teaching/fall2005... · hardening the host computer...


Project 4


I. INTRODUCTION

In this project, we tried to maintain an appropriate level of information security, which requires attention to confidentiality, integrity and availability. We began with Operating System issues and then moved to issues such as Antivirus Applications and Firewalls. Maintaining the operating system in an up-to-date configuration is the first and most important step in maintaining a proper security posture. Once the OS is secure, focus can be shifted to Antivirus issues, as viruses can be direct threats to the data on a machine. After these specific threats are covered, a firewall acts as a barrier with a regulated gate to screen traffic to and from the host. These aspects are discussed first, and the Appendix gives a set of relevant log files pertaining to this testing.

II. HARDENING THE OS

HARDENING WINDOWS 2000 SERVER

Abstract
Windows 2000 Server was configured as a server that would allow both FTP and HTTP. The security level of the server, which was initially at Service Pack 3, was first measured using the CIS NG Scoring Tool (which gives a score for the security level of the system). The server was then hardened with Service Pack 4 and security templates, and it was found that the security increased with these installations.

Learning Objectives:
To install and run the CIS NG Scoring Tool.
To apply security templates in Windows to harden the computer.
To change user account settings to harden the Server.

Materials/Tools needed:
Windows 2000 Server (includes the security templates)
CIS NG Scoring Tool
Windows XP Service Pack 2
NeWT, a vulnerability scanner

Lab Steps at a Glance
Step 1. Log on to Windows 2000 Server PC and install the CIS NG Scoring Tool.
Step 2. Run the CIS NG Scoring Tool.
Step 3. Install Service Pack 4 and run the Scoring Tool again.
Step 4. Apply the security templates and run the Scoring Tool again.
Step 5. Test and adjust new settings.
Step 6. Install and run NeWT.

Lab Steps in detail
Step 1. Log on to Windows 2000 Server PC and install the CIS NG Scoring Tool.
After logging into Windows 2000 Server PC, the CIS NG Scoring Tool was installed. The desktop resolution was set to 1024 x 768 for the Scoring Tool installation.

Step 2. Run the CIS NG Scoring Tool.
The Scoring Tool is a program that checks the security of your machine and provides a score for the security level. The security score for Windows 2000 Server PC (with Service Pack 3) was analyzed using the CIS NG Scoring Tool. The overall score was as low as 17.573. The Scoring Tool is shown in figure 1. This tool produced three sets of reports. Screenshots of these reports are presented in the Appendix(1).

Hardening the Host Computer

Baranidar Subramanian Mani Vijay Anand Perumal Tanvi Srivastava

Department of Computer Science College of Applied Science and Engineering

Western Michigan University Kalamazoo MI.

Fall 2005 {bsubrama, mperumal, tsrivast}@cs.wmich.edu


Fig. 1: CIS Security Scoring Tool

Step 3. Install Service Pack 4 and run the Scoring Tool again.
To increase the security level, Service Pack 4 was installed and the score was found to be 30.357. This score increase was due to the security level increase by Service Pack 4.

Step 4. Apply the security templates and run the Scoring Tool again.
The security templates contained many security specifications/rules useful to increase the security level of the system. To apply the security templates, we used Microsoft Management Console with the Security Configuration and Analysis Snap-in.
Start -> Run -> type mmc
We will see the window as shown below.

Fig. 2: Microsoft Management Console

In the MMC window, these steps were followed:
Add Snap-in -> Add Security Configuration and Analysis and right-click -> Open Database -> type w2kserv -> import template (basicrv) -> Analyze Computer Now.

The analysis would check for the discrepancies between the computer configuration and template settings. The template settings were applied using the “Configure Computer” option and the score (using the Scoring Tool) increased (30.804), which was the result of the increased security level from the security template (e.g. Account policy, Password policy).

Step 5. Test and adjust new settings.
The applied template changed the password settings to meet the complexity requirements. This effect was checked with a weak password (small password), which was rejected by the system. We could also change the password settings manually by changing the user account settings. Thus we learned how to increase the security level using security templates.

Step 6. Install and run NeWT.
NeWT, a vulnerability scanner, checks for the insecurities (holes) in the system. It gives a list of vulnerabilities in the system and the solutions for correcting them along with the risk factors involved. The vulnerabilities in Windows 2000 Server PC were checked and reduced after installing Service Pack 4 and security templates. A screenshot of the NeWT Vulnerability Scanner is shown in figure 3. A sample screenshot of the report is shown in the Appendix(2).

Fig. 3: NeWT Vulnerability Scanner

HARDENING LINUX (EXTRA)

Abstract
We first tried to harden Linux in the same way as we did with Windows. We installed a tool called Bastille and tried to harden our Operating System.

Learning Objectives:
To install Bastille.
To harden the Linux Operating System.


Materials/Tools needed:
Linux – Ubuntu
Bastille

Lab steps at a glance:
Step 1. Log on to the Linux server PC.
Step 2. Install Bastille.
Step 3. Run Bastille.
Step 4. Reboot machine and examine results.
Step 5. Log off from the Linux Server PC.

Lab Steps in detail:
Step 1. Log on to the Linux server PC.
The Linux server, in this case Ubuntu, was installed on the PC and we then logged in with the super user ID and password.

Step 2. Install Bastille.
The Synaptic Package Manager was opened and the package named Bastille was looked for. Once the package was found, it was marked for installation and the changes were applied, which installed Bastille on the machine.

Fig. 4: Bastille GUI

Step 3. Run Bastille.
The terminal was opened, the command sudo bastille -c was typed and the super user password was entered. This opens Bastille’s user interface. A series of questions is asked and the system is hardened based on the response to each of the questions. The Bastille GUI is shown in figure 4.

Step 4. Reboot machine and examine results.
The machine was rebooted to see if the changes had taken effect. The system was hardened based on our responses to the questions.

Step 5. Log off from the Linux server PC.
The log file for Bastille contained all the settings that were asked during the setup process. The log files and screenshots are shown in the Appendix.

III. WINDOWS XP SERVICE PACK 2

Abstract
Windows XP Service Pack 2 has increased network protection, memory protection, e-mail security, and browsing security. The XP Service Pack 2 update can be installed either by using the Windows Update utility or by downloading the network installation version from Microsoft’s website. One of the new features in XP Service Pack 2 was the Security Center Utility. The Security Center Utility monitored the computer’s Firewall, Antivirus Software, and Updates.

Learning Objectives:
To install Windows XP Service Pack 2.
To configure the Microsoft Firewall as appropriate for the network needs.
To configure the Automatic Updates as appropriate for the network needs.

Materials/Tools needed:
Windows XP Professional
Windows XP Service Pack 2
Nmap, a port scanning utility

Lab Steps at a Glance:
Step 1. Log on to Windows XP Professional PC and install XP Service Pack 2.
Step 2. Explore new features
Step 3. Test new features

Lab Steps in detail:
Step 1. Log on to Windows XP Professional PC and install XP Service Pack 2.
After logging into Windows XP Professional PC, XP Service Pack was installed.

Step 2. Explore new features
We activated the ‘Automatic Updates now’ option using the ‘Help Protect my PC’ window. All the options in the ‘Security Screen’ were analyzed.


Fig. 5: Windows Security Center

Windows Firewall:
Below is the process for analyzing and changing the Firewall settings.
Click Manage security settings for: Windows Firewall -> Analyze all three tabs in the Windows Firewall screen.
General Tab -> used to turn the Firewall on, on with no exceptions, or off.
Exceptions Tab -> used to add ‘exceptions’ to what the Firewall would block. We could choose the programs or ports that the Firewall would allow.
Advanced Tab -> used to modify settings on a more granular level. We could change the firewall network settings, logging settings, or ICMP settings. The network settings would enable us to allow or disallow using programs such as FTP or Telnet. The Logging setting would allow us to log packets that were dropped as well as successful connections. The ICMP settings would allow us to configure how the computer would react to programs such as ping and tracert.

We could activate the firewall log using the ‘Advanced Tab’ as follows:
Click Advanced Tab -> Click Security Logging Settings -> Check both the ‘Log Dropped packets’ and ‘Log successful connections’ checkboxes -> Click Log File options -> save the file as ‘firewall_log’.

Step 3. Test new features (ping and nmap)
Ping -> A utility that verifies the connection of a machine to the internet.
Nmap -> Free port scanning software distributed by Insecure.Org and designed to detect open ports on a target computer, determine which services are running on those ports, and infer which operating system the computer is running (this is also known as fingerprinting).

The firewall would allow our computer (Firewall activated system) to ping other computers but would not allow other computers to ping it. Windows XP Professional PC (Firewall activated system) was pinged from Windows 2000 Server PC and no replies were received. But pinging other systems yielded replies.

Exploring the firewall_log log file:
The entries for the dropped packets from Windows 2000 Server PC as a result of the above step can be seen in this log file. The firewall log is shown in the Appendix(3).

Effect of firewall on the firewall enabled computer:
Windows 2000 Server PC was pinged from Windows XP Professional PC (firewall enabled). Information about the total number of hosts up was obtained, but the details of the ports or operating system could not be fetched due to the effect of the firewall settings.

Functionality of Pop-Up Blocker:
The pop-up blocker is a new feature introduced with the service pack that stops all the pop-ups from popping up. Also, it has the option of allowing some useful pop-ups.
Start -> Internet Explorer -> Tools -> Popup Blocker -> Enter the address of the website to allow the pop-ups.

Fig. 6: Pop-up blocker

Thus we explored the various security functionalities of service pack 4 and its impact on the system. Pop up blocker is shown in the figure above.


IV. USING ANTIVIRUS APPLICATIONS

ANTIVIRUS IN LINUX

Abstract
We tried to install Antivirus Applications called clamav and amavis (a mail virus scanner) on the Linux platform.

Learning Objectives:
To install amavis and clam antivirus.
Set up clam antivirus to scan the computer on a nightly basis.
Set up amavis, send a malware sample and see how the mail virus scanner acts on it.

Materials/Tools needed:
Linux – Ubuntu
Clam Anti-virus
Amavis - a mail virus scanner

Lab steps at a glance:
Step 1: Install amavis and clamav on the server
Step 2: Set up clamav to run on a nightly basis.
Step 3: Configure Amavis to scan email.
Step 4: Configure the Linux Client to send e-mail with evolution.
Step 5: Send malicious software to the server.
Step 6: Check the logs.

Lab Steps in detail:
Step 1. Install amavis and clamav on the server
Amavis and Clamav were downloaded using the Synaptic package manager.

Step 2. Set up clamav to run on a nightly basis.
By typing

clamscan -ir --move=/var/infected /home

we ran the command that performs the actual antivirus scan. The -r option scans /home recursively, -i reports only the infected files, and --move moves the infected files into the /var/infected directory. When we typed the same command inside the file

/etc/cron.daily/freshclam

it configured the antivirus to be run on a daily basis. Figure 7 shows the commands that will start up the virus scan at a particular time.

Fig 7: Setting up the anti-virus to run at a particular time

Step 3. Configure Amavis to scan email.
Similar steps were performed in the master.cf and main.cf files inside the /etc/postfix directory and in the /etc/amavisd.conf file. This configured the antivirus and gave a report for the emails on a nightly basis. The screenshots are given in the Appendix.

Step 4. Configure the Linux Client to send e-mail with evolution.
The Linux client called Evolution, analogous to Outlook Express in Windows, was configured with the correct incoming and outgoing servers to enable email functionalities.

Step 5. Send malicious software to the server.
A malicious file was sent from the registered email to the same email. However, this file was blocked.

Step 6. Check the logs.
The file /var/log/maillog recorded this blocking by logging the mail details and the malicious software’s name and other details.

ANTIVIRUS IN WINDOWS

Abstract
We tried to explore the use of McAfee’s Antivirus Software for the Windows platform. We also configured and used Microsoft Outlook Express for this process.

Learning Objectives:
To install Outlook Express.
To install McAfee anti-virus.
Try to extract a zip file containing a Trojan and see how the anti-virus works.
Try to send an email with a Trojan and see how the antivirus works.

Materials/Tools needed:
Microsoft Windows 2000 server
McAfee Anti-Virus
Microsoft Outlook Express


Lab steps at a glance:
Step 1: Install and configure McAfee antivirus on Windows 2000 server
Step 2: Configure Microsoft Outlook Express.
Step 3: Attempt to deploy Malware

Lab Steps in detail:
Step 1. Install and configure McAfee Antivirus on Windows 2000 server
A trial version of McAfee Antivirus was first downloaded and installed on the Windows 2000 server.

Fig. 8: McAfee Anti-virus program

Step 2: Configure Microsoft Outlook Express.
The Windows mail program Outlook Express was configured with the correct incoming and outgoing servers to enable email functionalities.

Step 3. Attempt to deploy Malware
Now that both Outlook Express and McAfee Anti-virus were configured, the next step was to test and see how the Anti-virus really worked on the Trojan and what it does to the Trojan.

Extraction testing:
With the Antivirus file definitions updated to the latest version to cover most of the known virus signatures, the sample Trojan file was downloaded from the internet and the .zip file containing the Trojan was placed inside a folder. Before we extracted the file, the Anti-virus program was opened and configured to scan all incoming emails and also all the files that were extracted using any program. The Anti-virus program was scheduled to run on a daily basis to give a nightly report on what it does. This file was extracted with WinZip. When extracting the file, each and every file inside the .zip file was scanned for viruses using McAfee. The main Trojan file was removed and only the remaining files without any virus signatures were extracted. This is shown in figure 9.

Fig. 9: Trojan file detected

Email Trojan detection testing: The same Trojan file was attached to an email and this email was sent to the same configured address inside Outlook Express. Before the email was downloaded into the email program from the incoming server, the mails were scanned as the anti-virus was already configured to scan all incoming and outgoing mails. The anti-virus program intercepted the main email with the Trojan file and it was blocked and deleted. Only the contents of the email were allowed into Outlook Express.

Thus, the Anti-virus provided a good amount of protection to the systems and the main advantage of these programs was that they could be configured easily as to what to do with the virus definitions. A log file was also generated which is shown in the Appendix. Virus definitions can either be quarantined or deleted. Each time a new definition is found, it is added to the big database of virus definitions within the program.

V. FIREWALLS

PERSONAL FIREWALL IN WINDOWS

Abstract
We tried to explore the use of Visnetic Personal Firewall, a software based firewall product specifically designed for servers. We installed this on the Windows 2000 server and tried to check its security from the Windows XP system.

Learning Objectives:
To install Visnetic Personal Firewall.
To send packets from Windows XP to Windows 2000 server and note the effects and apply rules and see how these affect the security.

Materials/Tools needed:
Microsoft Windows 2000 server
Microsoft Windows XP
Visnetic Personal Firewall

Lab Steps at a glance:
Step 1: Log on to both the Windows XP Professional and Windows 2000 Server PCs
Step 2: Install and configure Visnetic Personal Firewall.
Step 3: Test the security and functionality of the PC.
Step 4: Tweak and test the security and functionality of the PC.
Step 5: Log off from both the Windows XP and Windows 2000 Server PCs.

Lab Steps in detail:
Step 1. Log on to both the Windows XP Professional and Windows 2000 Server PCs
The first step was logging into both the operating systems. Windows 2000 server was run inside a virtual machine on the Windows XP machine.

Step 2. Install and configure Visnetic Personal Firewall.
The Visnetic Personal Firewall was downloaded from the internet and was installed on the Windows 2000 server machine with all the default settings. The default settings will not allow any incoming connections to this machine. Testing and tweaking the security are explained in the following steps.

Step 3. Test the security and functionality of the PC.
The personal firewall was installed inside Windows 2000 server in the last step. On the Windows XP machine, first an nmap operation was done using the command

nmap 10.0.4.45 (IP address of the Windows 2000 server)

This operation lists all the ports in the network except 10.0.4.45 that was blocked by the firewall. After this, ftp and http operations were tried from the Windows XP machine and these operations failed.

The log file shows these failed operations. Packets that were blocked based on a matching rule have a red flag icon. This indicates that there was no rule defined to allow the connections. This is clearly shown in figure 10 and the blocked incoming packets are shown in figure 11.

Fig. 10: Firewall that does not allow any connections from 10.0.4.45

Fig 11: The incoming packets from 10.0.4.45 are blocked.

Step 4. Tweak and test the security and functionality of the PC.
In the previous step, the firewall provided increased security but it did not allow any incoming scans. In this step, the security was tweaked a little bit and incoming connections from Windows XP (10.0.4.46, the IP address) alone were allowed. This is shown as follows.

The rules were defined under the network adapters tab. Two rules, one for allowing the http connection and the other for ftp connections, were defined which would allow ftp and http connections from the Windows XP machine. The IP address of the Windows XP machine was specified when defining the rules. These rules allowed ftp connections and the http connections from the Windows XP machine. This is shown in the following figure. A file named index.html was created inside the Windows 2000 server machine and was placed in the virtual directory c:/Inetpub/wwwroot. This file was first accessed using

http://10.0.4.45/index.html

After entering the username and password, the message “Test Connection Succeeded” from the index.html showed up in the browser. Since the Windows 2000 machine was configured as a server, it also allowed an ftp connection, which was shown by typing

ftp://10.0.4.45

and after the authentication process, the file index.html showed up in the browser.

Step 5. Log off from both the Windows XP and Windows 2000 Server PCs.

The last step was to logoff from both the Windows XP and Windows 2000 server machines.

IP TABLES IN LINUX (EXTRA)

Abstract
The Linux Kernel has the ability to filter packets by default. Using this behavior in Linux, we configured the Linux machine as a firewall. All packets were subjected to one of the three chains of rules, INPUT, FORWARD and OUTPUT. To assist in the scripting of rulesets there is a utility called Lokkit. We used both IpTables and Lokkit.

Learning Objectives:
To install and configure Lokkit and IpTables.
To see how settings can be enhanced and more security can be provided using IpTables and Lokkit.

Materials/Tools needed:
Linux – Ubuntu
Lokkit

Lab Steps at a glance:
Step 1: Configure Lokkit and IpTables.
Step 2: Tweak and test the security and functionality of the PC.

Lab Steps in detail:
Step 1. Configure Lokkit and IpTables.
The Lokkit package was downloaded and installed using the Synaptic package manager inside Ubuntu and then we typed the command

iptables -L

This showed the input, output and forward policies inside the machine. The Lokkit interface was opened to configure the IpTables.

sudo lokkit

was the command used and the option was set to high. The command

iptables -L

would give the same three policies but they are more restrictive. They are shown in figure 11.

Fig 11: IP Tables showing the three rules

Step 2. Tweak and test the security and functionality of the PC.
The Lokkit interface was opened and the customize option was chosen to allow http and ftp operations. Once these options were selected, the machine allowed both these operations similar to the firewalls in the previous task. The Lokkit user interface is shown below.

Fig 12: Lokkit main screen

Fig 13: Advanced options inside Lokkit


CONCLUSION

Thus, we can see that there are a number of technologies that ensure that the critical characteristics of the data are maintained. These techniques can be either hardware or software. An understanding of these technologies is essential to enable security without compromising functionality.


APPENDICES

1. Screenshots of the different reports produced by the CIS NG security Scoring Tool.

Compliance Validation Report

User Password Report


Services Report

2. A sample report produced by the NeWT vulnerability scanner.

NeWT Vulnerability scanner


3. Sample Log file of Windows Firewall.

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-11-21 19:23:23 DROP TCP 10.0.4.20 10.0.4.45 341 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.25 10.0.4.45 341 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.1 10.0.4.45 175 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.20 10.0.4.45 175 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.25 10.0.4.45 175 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.1 10.0.4.45 2603 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.20 10.0.4.45 2603 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.25 10.0.4.45 2603 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.1 10.0.4.45 559 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.20 10.0.4.45 559 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.25 10.0.4.45 559 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.1 10.0.4.45 355 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.20 10.0.4.45 355 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.25 10.0.4.45 355 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.1 10.0.4.45 964 40087 40 AR 0 1626607892 0 - - - RECEIVE

More screenshots, videos, logs and other reports are included in the CD.
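
The firewall_log review described in Step 3 of Section III, as an added example that is not part of the original report: a Python parser for the log format shown in Appendix 3 that groups dropped inbound packets by source and separates pings, connection attempts and resets. The ICMP, SYN, OPEN and truncated sample lines, the function names and the port-sweep threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: the header and the first three TCP entries follow the
# Appendix 3 log; the ICMP, SYN, OPEN and truncated lines are made up here.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-11-21 19:23:23 DROP TCP 10.0.4.20 10.0.4.45 341 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.25 10.0.4.45 341 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:23:23 DROP TCP 10.0.4.1 10.0.4.45 175 40087 40 AR 0 1626607892 0 - - - RECEIVE
2005-11-21 19:25:02 DROP ICMP 10.0.4.46 10.0.4.45 - - 60 - - - - 8 0 - RECEIVE
2005-11-21 19:25:40 DROP TCP 10.0.4.46 10.0.4.45 1055 21 48 S 301 0 16384 - - - RECEIVE
2005-11-21 19:25:41 DROP TCP 10.0.4.46 10.0.4.45 1056 80 48 S 302 0 16384 - - - RECEIVE
2005-11-21 19:25:42 DROP TCP 10.0.4.46 10.0.4.45 1057 139 48 S 303 0 16384 - - - RECEIVE
2005-11-21 19:26:10 OPEN TCP 10.0.4.45 10.0.4.1 1060 80 - - - - - - - - SEND
2005-11-21 19:26:11 DROP TCP 10.0.4.46
"""


def parse_log(text):
    """Return (entries, skipped); entries are dicts keyed by the #Fields names."""
    fields, entries, skipped = [], [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The column layout comes from the log itself, not from a fixed list.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            skipped += 1  # truncated or foreign line: count it, do not guess
            continue
        entries.append(dict(zip(fields, values)))
    return entries, skipped


def classify(entry):
    """Label one logged packet by protocol and TCP flags."""
    if entry["protocol"] == "ICMP":
        return "ping" if entry["icmptype"] == "8" else "icmp-other"
    if entry["protocol"] == "TCP":
        flags = entry["tcpflags"]
        if "R" in flags:
            return "tcp-reset"    # a reset, i.e. a reply rather than a new connection
        if flags == "S":
            return "tcp-connect"  # bare SYN: inbound connection attempt
        return "tcp-other"
    return "other"


def summarize_drops(entries):
    """Per source IP: dropped inbound packets by class, and local ports tried."""
    summary = defaultdict(lambda: {"classes": defaultdict(int), "ports": set()})
    for e in entries:
        if e["action"] != "DROP" or e["path"] != "RECEIVE":
            continue
        kind = classify(e)
        src = summary[e["src-ip"]]
        src["classes"][kind] += 1
        if kind == "tcp-connect":
            src["ports"].add(int(e["dst-port"]))
    return summary


def port_sweepers(summary, min_ports=3):
    """Sources whose dropped SYNs touched at least min_ports distinct local ports."""
    return sorted(ip for ip, s in summary.items() if len(s["ports"]) >= min_ports)


def report(text):
    """Build a short, human-readable summary of the log as a list of lines."""
    entries, skipped = parse_log(text)
    summary = summarize_drops(entries)
    lines = [f"{len(entries)} entries parsed, {skipped} malformed line(s) skipped"]
    for ip in sorted(summary):
        kinds = ", ".join(f"{k}={n}" for k, n in sorted(summary[ip]["classes"].items()))
        lines.append(f"{ip}: {kinds}")
    for ip in port_sweepers(summary):
        lines.append(f"possible port sweep from {ip}: ports {sorted(summary[ip]['ports'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the Appendix 3 entries alone, every dropped packet is classified as tcp-reset, because each carries the AR (ACK and RST) flags.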