Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security © 2006 Eric Vanderburg
Information Security
Chapter 4: Security Baselines
Basic Security
• TSR (Terminate and Stay Resident) programs – applications that stay resident in memory after you close them so that they can be loaded again faster.
• Process – a program or program component that runs in the background.
Services
• Perform a specific function for the OS. Each requires one or more processes to function. They run in these startup modes:
  – Automatic
  – Manual
  – Disabled
• Services.msc
Services
• Netstat – displays active TCP connections and the ports on which the computer is listening.
Services
• Disable unused services
  – Difficult because it is hard to find which ones are not used
  – Processes can be monitored, but many services can share a single process
• Unused services are attractive to attackers because you do not watch their activity and they are always running.
• Malicious code could be added to a service so that it runs whenever the service runs.
• Network services have an associated port that must be open for them to function. This is an entry point for an attacker.
  – Port numbers? Review
TCP/IP
• Socket
  – Protocol, Address, Port
  – Example: TCP 13.154.33.61:53
• IP address review
• 65,535 ports; 1000 and lower are the most used
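The two slides above say a socket is protocol, address and port, and that netstat shows which ports a host listens on. The script below is an added example (not from the lesson) that parses `netstat -ano` style output into sockets and flags listeners that are not on an agreed baseline of ports; the netstat text is a constructed sample, and the baseline set is an assumption for the demonstration.

```python
"""Parse Windows `netstat -ano` output and list the sockets a host is listening on
(added example; the netstat text below is a constructed sample, not a real capture)."""
from typing import List, NamedTuple, Optional

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49712     13.154.33.61:53        ESTABLISHED     1220
  UDP    0.0.0.0:123            *:*                                    1048
"""

class Socket(NamedTuple):
    protocol: str   # "TCP" or "UDP"
    address: str    # 0.0.0.0 means bound on every interface
    port: int

class Entry(NamedTuple):
    local: Socket
    remote: Optional[Socket]   # None for the UDP wildcard "*:*"
    state: str                 # "" for UDP rows, which have no State column
    pid: int                   # owning process, to map the port back to a service

def parse_socket(proto: str, text: str) -> Optional[Socket]:
    """'13.154.33.61:53' -> Socket('TCP', '13.154.33.61', 53); '*:*' -> None."""
    if text == "*:*":
        return None
    addr, port = text.rsplit(":", 1)          # rsplit keeps IPv6 addresses intact
    return Socket(proto, addr.strip("[]"), int(port))

def parse_netstat(output: str) -> List[Entry]:
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                          # header or blank lines
        state = parts[3] if len(parts) == 5 else ""
        entries.append(Entry(parse_socket(parts[0], parts[1]),
                             parse_socket(parts[0], parts[2]), state, int(parts[-1])))
    return entries

def listening(entries: List[Entry]) -> List[Entry]:
    """Sockets waiting for inbound traffic: TCP in LISTENING plus every UDP bind."""
    return [e for e in entries if e.state == "LISTENING" or e.local.protocol == "UDP"]

def unexpected_listeners(entries: List[Entry], baseline_ports: set) -> List[Entry]:
    """Listeners on ports the baseline does not allow: candidates for an unused service."""
    return [e for e in listening(entries) if e.local.port not in baseline_ports]
```

Run `unexpected_listeners(parse_netstat(SAMPLE_NETSTAT), {135, 445, 123})` to see the one listener (port 8080, PID 3120) that the assumed baseline does not cover; the PID is what you look up in Services.msc or Task Manager to find the service behind it.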
Securing the System
• OS Hardening – securing the system against vulnerabilities (see the hardening guides for each system)
  – Patch management is one component
  – Patch – fixes an issue and is tested
  – Hot fix – less tested than a patch
  – Service Pack – a group of patches bundled together; the entire group is tested together for stability
Patch Management
• SUS (Software Update Services) or 3rd-party tools
• Define patches for groups of computers
• Update computers on a schedule
• Verify that patches have been installed (log)
MMC (Microsoft Management Console)
• Custom MMCs
  – Saved as .msc files under your Documents and Settings folder
  – Can work with local or remote computers
  – Taskpad
  – Snap-ins
• Security Policy
  – Security Configuration and Analysis MMC snap-in
  – Command-line SECEDIT utility
Security Templates (Windows)
• Security Templates
  – Setup Security – the default security settings.
  – Compatible (compatws.inf) – members of the Users group can run applications that are not part of the Designed for Windows Logo Program.
  – Secure (securedc.inf / securews.inf) – modifies security settings that affect the operating system and network protocols, such as the password policy, account policy, and various Registry settings. It also removes all members from the Power Users group.
  – Highly Secure (hisecdc.inf / hisecws.inf) – increases the security of the parameters defined in the Secure template. It also removes all members from the Power Users group.
  – Internet Explorer (iesacls.inf) – locks down IE
  – Reset file permissions (rootsec.inf) – resets permissions starting from the root.
Group Policy
• Make environmental changes to groups of clients or servers
• Change policies such as password length or complexity for a domain
• Enforce restrictions on users or computers
• Restrict available software
Default GPOs
• Default Domain Policy
  – Applied to the domain
  – Password policy, account policy, and Kerberos policy can only be set here
• Default Domain Controllers Policy
  – Applied to the Domain Controllers container
• Create others in the Group Policy Object Editor MMC or from AD Users & Computers
Hardening
• Application Hardening
  – Patch
  – MBSA (Microsoft Baseline Security Analyzer) can check for patch compliance with Microsoft applications
  – Cisco Security Agent can restrict the abilities of certain applications
• Web Server Hardening
  – ACLs
  – Patch
  – Delete sample web pages
  – Put the web server in a separate area of the network, the DMZ (Demilitarized Zone)
  – Delete scripts and applications that are not used
  – Enable encryption for sensitive data
Hardening
• Mail Server Hardening
  – Use a single-purpose machine
  – Require authentication for mail protocols to protect against open mail relay (bouncing messages from your mail server to another).
  – Set an ACL for those who can send messages
  – Enable logging for defense and legal purposes.
• File Server Hardening
  – Set appropriate permissions
  – Log access to sensitive files
  – Keep behind the firewall
Hardening
• NNTP (Network News Transfer Protocol) Hardening
  – ACLs
  – Authentication
  – Patch
• FTP Server Hardening
  – Disable anonymous logon
  – Use an ACL
  – Set appropriate privileges
  – Set account logon restrictions such as time-outs, lockouts for failed logons, and auditing.
Hardening Data Repositories
• Directory Services
  – Windows
    • AD (Active Directory)
    • SAM (Security Accounts Manager) – local account database
    • DC (Domain Controller)
    • PDC (Primary Domain Controller)
    • BDC (Backup Domain Controller)
  – Novell (eDirectory)
  – LDAP (Lightweight Directory Access Protocol)
  – Use ACLs
  – Restrict the right to log on locally to domain controllers
Hardening Data Repositories
• DBMS (Database Management System)
  – Oracle, SQL Server, Informix, Sybase, DB2
  – Buffer Overflow
  – SQL (Structured Query Language) Injection – an attacker sends a malformed SQL query
• Utilize user views
• Segment the database
• Keep the database tables behind the firewall
• Utilize authentication
• Stored procedures and web forms should use proper coding techniques to protect against buffer overflow, SQL injection, and other attacks.
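To make the last two points concrete, here is an added example (not from the lesson) of a web-form lookup written two ways: with the form value pasted into the SQL text, and with a parameterized query over a user view. It uses an in-memory SQLite table of constructed rows; the table, view and the malformed input are assumptions for the demonstration.

```python
"""Web-form lookup with a string-built SQL query beside its parameterized form
(added example; in-memory SQLite with constructed rows, the point holds for any DBMS)."""
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample customer table plus a user view that hides the email column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"),
                      (2, "bob", "bob@example.com"),
                      (3, "carol", "carol@example.com")])
    # User view: the web form only ever needs id and name, so expose only those.
    conn.execute("CREATE VIEW customer_names AS SELECT id, name FROM customers")
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Vulnerable: the form field is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest of the input is parsed as SQL."""
    sql = f"SELECT id, name FROM customer_names WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Hardened: query text and value travel separately, so the DBMS treats the
    whole input as one string value whatever characters it contains."""
    return conn.execute("SELECT id, name FROM customer_names WHERE name = ?",
                        (name,)).fetchall()

# Constructed malformed form input of the kind the slide describes.
MALFORMED = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("unsafe, normal input:   ", lookup_unsafe(conn, "alice"))
    print("unsafe, malformed input:", lookup_unsafe(conn, MALFORMED))   # every row
    print("safe, malformed input:  ", lookup_safe(conn, MALFORMED))     # no rows
```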
Hardening Networks
• Update firmware on network devices
  – EEPROM (Electrically Erasable Programmable Read Only Memory)
• Filter data at the edge of the network (firewalls)
• Filter by:
  – Address (IP or MAC)
  – Domain name
  – Protocol
  – Port
  – Message content
  – Session
Hardening Networks
• ACLs and rule bases are used in filtering
  – Keep rule bases small to increase filtering efficiency (max: 40 rules)
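The following is an added example (not from the lesson) of how an edge filter evaluates a rule base: rules match on source address, protocol and port as listed on the previous slide, the first matching rule wins, anything unmatched is denied, and a rule base over the 40-rule limit is rejected. The sample rules and addresses are constructed for the demonstration.

```python
"""First-match packet filter over a small rule base (added example, not from the slides).
Rules match by source address (CIDR), protocol and destination port; unmatched
traffic falls through to an implicit deny."""
import ipaddress
from typing import List, NamedTuple, Optional

MAX_RULES = 40   # rule-base size limit recommended on the slide

class Rule(NamedTuple):
    action: str               # "permit" or "deny"
    src: str                  # CIDR network, or "any"
    protocol: str             # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any port

class Packet(NamedTuple):
    src_ip: str
    protocol: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion of the rule matches the packet."""
    if rule.src != "any" and \
            ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"rule base has {len(rules)} rules; keep it at or below {MAX_RULES}")
    for rule in rules:
        if matches(rule, pkt):       # order matters: the first hit decides
            return rule.action
    return "deny"

# Constructed edge rule base: a blocked network first, then web in, then DNS from the LAN.
RULES = [
    Rule("deny",   "203.0.113.0/24", "any", None),   # blocked source network
    Rule("permit", "any",            "tcp", 80),     # web server in the DMZ
    Rule("permit", "any",            "tcp", 443),
    Rule("permit", "192.168.1.0/24", "udp", 53),     # DNS only from the internal LAN
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "tcp", 80), Packet("203.0.113.9", "tcp", 80),
                Packet("198.51.100.7", "tcp", 445)):
        print(pkt, "->", filter_packet(RULES, pkt))
```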
Acronyms
• BDC, Backup Domain Controller
• DNS, Domain Name Service
• DHCP, Dynamic Host Configuration Protocol
• EEPROM, Electrically Erasable Programmable Read Only Memory
• EPROM, Erasable Programmable Read Only Memory
• FTP, File Transfer Protocol
• MMC, Microsoft Management Console
• NNTP, Network News Transfer Protocol
Acronyms
• NOS, Network Operating System
• PDC, Primary Domain Controller
• ROM, Read Only Memory
• SAM, Security Accounts Manager
• TSR, Terminate and Stay Resident
• DBMS, Database Management System
• AD, Active Directory
• LDAP, Lightweight Directory Access Protocol
• SQL, Structured Query Language