information security lesson 4 - baselines - eric vanderburg


Upload: eric-vanderburg

Post on 16-Apr-2017

TRANSCRIPT

Page 1: Information Security Lesson 4 - Baselines - Eric Vanderburg

Information Security © 2006 Eric Vanderburg

Information Security

Chapter 4: Security Baselines

Page 2

Basic Security

• TSR (Terminate and Stay Resident) programs – applications that keep running even when you close them, so that they can be loaded faster the next time.
• Process – a program or program component that runs in the background.

Page 3

Services

• Perform a specific function for the OS. Each requires a process or processes to function. They run in these modes:
  – Automatic
  – Manual
  – Disabled
• Services.msc

Page 4

Services

• Netstat – displays active TCP connections and the ports on which the computer is listening.

Page 5

Services

• Disable unused services
  – Difficult because it is hard to find which ones are not used
  – Processes can be monitored, but many services could share a single process
• Unused services are great for attackers because you do not see their activity and they are always running.
• Malicious code could be added to the service to run with it.
• Network services have an associated port that must be open for them to function. This is an entry point for an attacker.
  – Port numbers? Review

Page 6

TCP/IP

• Socket
  – Protocol, Address, Port
  – TCP 13.154.33.61:53
• IP Address review
• 65,535 ports; 1000 and lower are the most used
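The netstat, unused-service and socket slides above describe one baseline check: parse each listening socket into protocol, address and port, then compare the set of listeners against what the host is approved to expose. Added example (not from the slides); the netstat text and the baseline set are constructed and hypothetical.

```python
"""Flag listening sockets that are not in the host's approved baseline.
Added example, not from the original slides; all data below is constructed."""
import re
from typing import List, Tuple

# Constructed sample shaped like `netstat -an` output (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49152     10.0.0.5:443           ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Hypothetical baseline: (protocol, port) pairs this host is approved to expose.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445)}

# proto, local addr:port, foreign addr:port, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_sockets(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, address, port, state) for every socket line.
    A bound UDP port accepts datagrams unconditionally, so UDP lines,
    which carry no state column, are recorded as LISTENING."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # skips the column header and blank lines
            continue
        proto, addr, port, _foreign, state = m.groups()
        sockets.append((proto, addr, int(port), state or "LISTENING"))
    return sockets


def unapproved_listeners(text: str, baseline=BASELINE) -> List[Tuple[str, int]]:
    """Listening (proto, port) pairs the baseline does not allow. Each one is
    a service to identify, then either add to the baseline or disable."""
    found = {(p, port) for p, _a, port, st in parse_sockets(text) if st == "LISTENING"}
    return sorted(found - baseline)


if __name__ == "__main__":
    for proto, port in unapproved_listeners(NETSTAT_SAMPLE):
        print(f"unexpected listener {proto}/{port}: find the owning service")
```

On the sample the check reports TCP/3389 and UDP/161, which is exactly the list an administrator would take to Services.msc to decide what to disable.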

Page 7

Securing the system

• OS Hardening – securing the system against vulnerabilities (see the guides for each system)
  – Patch management is one component
  – Patch – fixes an issue and is tested
  – Hot fix – less tested than a patch
  – Service Pack – a group of patches together. The entire group is tested together for stability.

Page 8

Patch Management

• SUS (Software Update Services) or 3rd-party tools
• Define patches for groups of computers
• Update computers on a schedule
• Verify that patches have been installed (log)

Page 9

MMC (Microsoft Management Console)

• Custom MMCs
  – Saved as .msc in your Documents and Settings
  – Can work for local or remote computers
  – Taskpad
  – Snap-ins
• Security Policy
  – Security Configuration and Analysis MMC snap-in
  – Command-line SECEDIT utility

Page 10

Security Templates (Windows)

• Security Templates
  – Setup Security – default security settings.
  – Compatible (compatws.inf) – members of the Users group can run applications that are not a part of the Designed for Windows Logo Program.
  – Secure (securedc.inf / securews.inf) – modifies security settings that impact the operating system and network protocols, such as the password policy, account policy, and various Registry settings. It also removes all members from the Power Users group.
  – Highly Secure (hisecdc.inf / hisecws.inf) – increases the security of the parameters defined within the Secure template. This template also removes all members from the Power Users group.
  – Internet Explorer (iesacls.inf) – locks down IE
  – Reset file permissions (rootsec.inf) – resets permissions starting from the root.

Page 11

Group Policy

• Make environmental changes to groups of clients or servers
• Change policies such as password length or complexity for a domain
• Enforce restrictions on users or computers
• Restrict available software

Page 12

Default GPOs

• Default Domain Policy
  – Applied to the domain
  – Password policy, account policy, & Kerberos policy can only be set here
• Default Domain Controllers Policy
  – Applied to the Domain Controllers container
• Create others in the Group Policy Object Editor MMC or from AD Users & Computers

Page 13

Hardening

• Application Hardening
  – Patch
  – MBSA (Microsoft Baseline Security Analyzer) can check for patch compliance with Microsoft applications
  – Cisco Security Agent can restrict the abilities of certain applications
• Web Server Hardening
  – ACLs
  – Patch
  – Delete sample web pages
  – Put the web server in a separate area of the network, the DMZ (Demilitarized Zone)
  – Delete scripts and applications that are not used
  – Enable encryption for sensitive data

Page 14

Hardening

• Mail Server Hardening
  – Use a single-purpose machine
  – Require authentication for mail protocols to protect against open mail relay (bouncing messages from your mail server to another).
  – Set an ACL for those who can send messages
  – Enable logging for defense and legal purposes.
• File Server Hardening
  – Set appropriate permissions
  – Log access to sensitive files
  – Keep behind the firewall

Page 15

Hardening

• NNTP (Network News Transfer Protocol) Hardening
  – ACLs
  – Authentication
  – Patch
• FTP Server Hardening
  – Disable anonymous logon
  – Use an ACL
  – Set appropriate privileges
  – Set account logon restrictions such as time-outs, lock-outs for failed logon, and auditing.

Page 16

Hardening Data Repositories

• Directory Services
  – Windows
    • AD (Active Directory)
    • SAM (Security Accounts Manager) – local database
    • DC (Domain Controller)
    • PDC (Primary Domain Controller)
    • BDC (Backup Domain Controller)
  – Novell (eDirectory)
  – LDAP (Lightweight Directory Access Protocol)
  – Use ACLs
  – Restrict the right to log on locally to domain controllers

Page 17

Hardening Data Repositories

• DBMS (Database Management System)
  – Oracle, SQL Server, Informix, Sybase, DB2
  – Buffer Overflow
  – SQL (Structured Query Language) Injection – send a malformed SQL query
• Utilize user views
• Segment the database
• Keep the database tables behind the firewall
• Utilize authentication
• Stored procedures and web forms should use proper coding techniques to protect against buffer overflow, SQL injection, and other attacks.
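The slide names SQL injection and asks for "proper coding techniques" without showing either. Added example (not from the slides) putting the flawed form beside the fix: a login query built by string concatenation, and the same query with bound parameters, run against a constructed in-memory SQLite table with hypothetical account rows.

```python
"""The slide's 'malformed SQL query' beside the coding technique that stops it.
Added example, not from the original slides; table and rows are constructed."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, pw: str) -> List[str]:
    """BAD: input is pasted into the SQL text, so a quote in the input ends
    the string literal and the rest is parsed as SQL (the malformed query)."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name: str, pw: str) -> List[str]:
    """GOOD: placeholders bind input as data; the driver never parses it as
    SQL, which is the 'proper coding technique' the slide calls for."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))


def demo() -> dict:
    """Run both forms with the real password and with an always-true
    predicate supplied as the password (the textbook test input)."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_ok": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, "alice", tautology),
        "param_ok": login_parameterized(conn, "alice", "s3cret"),
        "param_bypass": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:13} -> {names}")
```

The concatenated version returns every account for the tautology input because the query's WHERE clause has been rewritten; the parameterized version returns nothing, since the same text is compared as a password value.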

Page 18

Hardening Networks

• Update firmware on network devices
  – EEPROM (Electrically Erasable Programmable Read Only Memory)
• Filter data at the edge of the network (Firewalls)
• Filter by:
  – Address (IP or MAC)
  – Domain name
  – Protocol
  – Port
  – Message content
  – Session

Page 19

Hardening Networks

• ACLs and rule bases are used in filtering
  – Keep rule bases small to increase efficiency in filtering (max: 40 rules)
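The two network slides above list the fields a firewall filters on and the 40-rule ceiling for a rule base, but not how an ordered rule base is evaluated. Added example (not from the slides): first-match evaluation over address, protocol and port, with the size check applied before matching; the rules, the DMZ addresses and the rule fields are constructed and hypothetical.

```python
"""First-match evaluation of a firewall rule base, with the slide's size check.
Added example, not from the original slides; rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_RULES = 40  # the slide's ceiling for an efficient rule base


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "TCP", "UDP" or "*" for any
    src: str              # CIDR network or "*" for any
    dst: str              # CIDR network or "*" for any
    dport: Optional[int]  # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """True when every field of the rule accepts the packet (the address,
        protocol and port filters from the previous slide)."""
        if self.proto != "*" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        for want, have in ((self.src, src), (self.dst, dst)):
            if want != "*" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Action of the first matching rule; anything unmatched is denied.
    Rule order therefore matters: specific allows must precede broad denies."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the recommended {MAX_RULES}")
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


# Constructed edge rule base: DMZ web and mail servers on hypothetical addresses.
RULES = [
    Rule("allow", "TCP", "*", "203.0.113.10/32", 80),    # web server, HTTP
    Rule("allow", "TCP", "*", "203.0.113.10/32", 443),   # web server, HTTPS
    Rule("allow", "TCP", "*", "203.0.113.25/32", 25),    # mail server, SMTP
    Rule("deny", "*", "*", "203.0.113.0/24", None),      # nothing else into the DMZ
]
```

Swapping the final deny to the top would silently shadow the three allows, which is why a small, ordered rule base is easier to audit than a large one.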

Page 20

Acronyms

• BDC, Backup Domain Controller
• DNS, Domain Name Service
• DHCP, Dynamic Host Configuration Protocol
• EEPROM, Electrically Erasable Programmable Read Only Memory
• EPROM, Erasable Programmable Read Only Memory
• FTP, File Transfer Protocol
• MMC, Microsoft Management Console
• NNTP, Network News Transfer Protocol

Page 21

Acronyms

• NOS, Network Operating System
• PDC, Primary Domain Controller
• ROM, Read Only Memory
• SAM, Security Accounts Manager
• TSR, Terminate and Stay Resident
• DBMS, Database Management System
• AD, Active Directory
• LDAP, Lightweight Directory Access Protocol
• SQL, Structured Query Language