Section 1 System Hardening Cyber-utopia Definition: A magical place, where all systems are already hardened out of the box and forever remain impregnable to attack

Upload: kristopher-glenn

Post on 11-Jan-2016


Page 1: Section 1 System Hardening Cyber-utopia Definition: A magical place, where all systems are already hardened out of the box and forever remain impregnable

Section 1: System Hardening

Cyber-utopia. Definition: A magical place, where all systems are already hardened out of the box and forever remain impregnable to attack.

Page 2: Objectives (1 of 2)

Describe the basic steps required to harden the PC hardware.

Describe the basic steps required to harden any Operating System.

Evaluate the hardening requirements of a PC running a MS Windows-based OS.

Page 3: Objectives (2 of 2)

Evaluate the requirements of a system running a Linux-based OS.

Labs: Using MBSA to check for missing MS Windows patches. Installing MS Windows updates and patches with QChain. Performing vulnerability scanning with Nessus.

Page 4: Hardening the Hardware (1 of 12)

Why do we need to harden the hardware?

Prevention of local access on a stand-alone isolated system.

Prevention against boot-up alteration or booting from anything other than the internal HDD.

Prevention against configuration alteration.

Page 5: Hardening the Hardware (2 of 12)

Prevention of local access on a stand-alone isolated system. All too often systems are placed in a remote location for site monitoring or data collection.

There are no remote staff ensuring the security and safety of the system.

The remote system has access to internal systems and can be used to access those systems directly.

Page 6: Hardening the Hardware (3 of 12)

Prevention against boot-up alteration or booting from anything other than the internal HDD.

An unlocked BIOS allows local users to alter what device they are booting from.

Bootable “auditing” tools and other applications can be used to collect data, passwords, etc. from the PC.

Page 7: Hardening the Hardware (4 of 12)

Entire operating systems, including MS Windows, Linux and even MS DOS, can be made to boot from external USB devices and CD/DVDs.

Many malware applications can be spread through bootable CDs, floppies and DVDs that are infected.

Bootable USB drives can be used to copy the entire local HDD or, even worse, format, erase or encrypt local HDD data.

Page 8: Hardening the Hardware (5 of 12)

Page 9: Hardening the Hardware (6 of 12)

Page 10: Hardening the Hardware (7 of 12)

Prevention against configuration alteration. Somewhat related to preventing boot-up alteration.

Many BIOS updates can be installed from floppy disk.

Local BIOS configuration can be altered enough to prevent the PC from booting properly or at all.

Page 11: Hardening the Hardware (8 of 12)

Page 12: Hardening the Hardware (9 of 12)

Page 13: Hardening the Hardware (10 of 12)

So what do we need to do?

Install security screws on the system cases.

Lock the BIOS with a password: user password, admin password, boot-up/power-on password.

Enable only system HDD boot-up; disable all other possibilities.

Page 14: Hardening the Hardware (11 of 12)

Enable only interfaces that are actually required for proper system functionality:

System communication ports (parallel, serial, USB)

Sound system ports (onboard or peripheral)

Keyboard/mouse ports

Network interfaces (onboard or peripheral)

Monitor ports

Page 15: Hardening the Hardware (12 of 12)

Record BIOS settings: export option, or manual recording.

Prevent BIOS resets and updates: jumper settings (should already be done), floppy installs (may already be done).

Disable non-required onboard controllers: SATA, SCSI, IDE/E-IDE.

Page 16: OS Hardening Basics (1 of 10)

Is this a new (clean) install? Yes (are you sure), No?

What applications are installed and running on the system? Licensed, Open Source? Have these been verified as clean?

Has the machine been connected to the network? Yes, No (are you sure)?

Page 17: OS Hardening Basics (2 of 10)

Who has access to install applications on the system? Administrator, SU, Users, anybody?

Have all of the current patches and service packs required for this system’s function been applied? Yes (are you sure), No?

Page 18: OS Hardening Basics (3 of 10)

Has an anti-malware application been installed and is it operational? Yes (are you sure), No?

Does the system have a personal firewall installed and is it operational? Yes (are you sure), No?

Page 19: OS Hardening Basics (4 of 10)

Have user accounts been created? Yes, No (are you sure)?

Have default passwords been appropriately altered? Yes (are you sure), No?

Are the log files correctly set up for user access tracking, the anti-malware application and the personal firewall?

Page 20: OS Hardening Basics (5 of 10)

Is this a new (clean) install? Yes (are you sure), No?

What is the current security posture of the system?

If “Clean”, treat like a newly installed system (are you sure?).

If “Compromised”, we can either try to fix it (recover from backup) or re-install from scratch (often the best solution, depending on the criticality of the system and the type of breach).

Page 21: OS Hardening Basics (6 of 10)

If “Unknown”, treat as if “Compromised” until you determine otherwise.

Check user lists and groups. Are there any “new” users or groups? Is the guest account enabled? Are the user passwords weak or set to default? Are there any accounts that should be removed or disabled? When are the users logging in?
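The account questions on this slide are easiest to answer against a record of what the clean install contained, the same idea as recording the BIOS settings earlier. The following Python is an added example (not from the course slides) that diffs constructed passwd, group and shadow content against such a baseline and flags new users and groups, an enabled guest account, extra UID 0 accounts and empty passwords; every account name and file line in it is made up.

```python
"""Account baseline check for the slide's "compromised / unknown" questions.
Added example (not from the course slides); all passwd/group/shadow data
below is constructed sample content, not taken from a real host."""

# Baseline captured right after the clean install (constructed).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
BASELINE_GROUP = """\
root:x:0:
sudo:x:27:alice
"""
# State of the system under assessment (constructed).
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0:backup:/var/tmp:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""
CURRENT_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
docker:x:998:bob
"""
CURRENT_SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
guest:$6$salt$hash:19700:0:99999:7:::
alice:$6$salt$hash:19700:0:99999:7:::
svc_backup::19700:0:99999:7:::
bob:$6$salt$hash:19700:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PRIVILEGED_GROUPS = {"root", "wheel", "sudo"}


def parse_passwd(text):
    """Map user -> (uid, login shell) from passwd-format text."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            out[name] = (int(uid), shell)
    return out


def parse_group(text):
    """Map group -> set of supplementary members from group-format text."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":")
            out[name] = {m for m in members.split(",") if m}
    return out


def parse_shadow(text):
    """Map user -> password field; an empty field means no password at all."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}


def audit_accounts(base_passwd, base_group, cur_passwd, cur_group, cur_shadow):
    """Return findings as (severity, message) tuples; an empty list means clean."""
    findings = []
    bp, cp = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    bg, cg = parse_group(base_group), parse_group(cur_group)
    shadow = parse_shadow(cur_shadow)
    for user in sorted(set(cp) - set(bp)):
        findings.append(("HIGH", f"new user not in baseline: {user}"))
    for group in sorted(set(cg) - set(bg)):
        findings.append(("MEDIUM", f"new group not in baseline: {group}"))
    for group in sorted(set(cg) & set(bg)):  # existing group that gained members?
        added = cg[group] - bg[group]
        if added:
            sev = "HIGH" if group in PRIVILEGED_GROUPS else "MEDIUM"
            findings.append((sev, f"group {group} gained members: {','.join(sorted(added))}"))
    for user, (uid, shell) in sorted(cp.items()):
        if uid == 0 and user != "root":
            findings.append(("CRITICAL", f"extra UID 0 account: {user}"))
        if user == "guest" and shell not in NOLOGIN_SHELLS:
            findings.append(("HIGH", "guest account is enabled (login shell set)"))
        if shadow.get(user) == "":
            findings.append(("CRITICAL", f"account with empty password: {user}"))
    return findings
```

On a real host the same functions take the contents of /etc/passwd, /etc/group and /etc/shadow (the last readable only as root) with the baseline copies kept off the machine.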

Page 22: OS Hardening Basics (7 of 10)

What do the log files tell you? Have the log files been correctly set up? Are there any time gaps in the log files? When was the last time the log files were reviewed, cleaned or purged?

Who has rights to install software and perform updates? Administrator, Users, Super-Users?
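The time-gap question can be checked mechanically: a host whose cron jobs log every hour should never be silent for hours, and timestamps should never run backwards. The Python below is an added example, not from the slides, run over a constructed rsyslog-style sample; the 90-minute threshold is an assumption tied to that hourly cron activity, and the timestamp format is assumed to be rsyslog's RFC 3339 form without a zone suffix.

```python
"""Log continuity check for the "what do the log files tell you?" questions.
Added example (not from the slides). The sample below is constructed; its
timestamps are assumed to be rsyslog's RFC 3339 format without a zone suffix."""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-01-11T02:00:01 host01 CRON[4101]: (root) CMD (run-parts /etc/cron.hourly)
2016-01-11T02:17:09 host01 sshd[4120]: Accepted publickey for alice from 10.0.0.5 port 51012
2016-01-11T02:30:00 host01 CRON[4133]: (root) CMD (/usr/local/bin/backup.sh)
2016-01-11T03:00:01 host01 CRON[4140]: (root) CMD (run-parts /etc/cron.hourly)
2016-01-11T06:12:44 host01 rsyslogd: [origin software="rsyslogd"] start
2016-01-11T06:13:02 host01 sshd[4312]: Accepted password for root from 10.0.0.77 port 40233
2016-01-11T06:10:00 host01 CRON[4320]: (root) CMD (run-parts /etc/cron.hourly)
2016-01-11T07:00:01 host01 CRON[4330]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_timestamps(text):
    """Return (line_no, datetime) for every line that starts with a timestamp."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            out.append((n, datetime.fromisoformat(line.split(" ", 1)[0])))
        except ValueError:
            continue  # continuation or garbled line: no timestamp to check
    return out


def find_gaps(text, max_gap=timedelta(minutes=90)):
    """Flag silent stretches longer than max_gap ("gap") and timestamps that
    run backwards ("backwards": clock change, or lines spliced into the file).
    max_gap assumes hourly cron entries. Each finding is
    (kind, line_no, previous_time, this_time)."""
    findings = []
    stamps = parse_timestamps(text)
    for (_, t_prev), (n, t) in zip(stamps, stamps[1:]):
        if t < t_prev:
            findings.append(("backwards", n, t_prev, t))
        elif t - t_prev > max_gap:
            findings.append(("gap", n, t_prev, t))
    return findings


def logger_restarts(text):
    """Line numbers where the logger reports starting. A restart right after a
    gap needs an explanation: reboot, service stopped, or tampering."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if "rsyslogd:" in line and line.rstrip().endswith("start")]
```

In the sample, the three-hour silence ending at line 5 coincides with a logger restart and is followed by a backwards timestamp at line 7, which is exactly the pattern worth explaining before the system is declared clean.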

Page 23: OS Hardening Basics (8 of 10)

What software has been installed on the system?

Same as when originally set up.

Various approved applications installed by the administrator.

User-installed and/or unapproved apps.

Unrecognized applications (possibly spyware, etc.) that have been installed through web browsing or by the user.

Page 24: OS Hardening Basics (9 of 10)

Have the OS, anti-malware, and personal firewall applications been patched regularly and correctly? Never been patched! Missing a lot of patches. Missing a few patches. Up to date.

Page 25: OS Hardening Basics (10 of 10)

Up to this point we have treated the “new” system slightly differently than the “compromised” and “unknown” systems. The main reason for this is that they are different.

The “new” system should have only what we put on it.

The “compromised” and “unknown” systems may have a lot more than you were expecting.

Page 26: Windows Hardening (1 of 10)

Windows installs a lot of “additional” software with the base install and you don’t have the option of not installing it.

We will look at this from a “very” small network point of view, as it will be easier to get your bearings. What’s a very small network? 1 to 2 PCs with a server. (How’s your home network???)

Page 27: Windows Hardening (2 of 10)

You should read the following two documents:

Windows XP Security Guide.doc, located in the Windows_XP_Security_Guide.zip file (219 pages).

Windows Server 2003 Security Guide.doc, located in the Windows_Server_2003_Security_Guide.zip file (254 pages).

Page 28: Windows Hardening (3 of 10)

Additional documents are available on the BAIST ftp site.

Page 29: Windows Hardening (4 of 10)

Ensure the system’s password policy meets or exceeds the written policy.

Ensure the Anti-malware (virus) application is up to date.

Ensure the system has all of the patches and service packs required for its function.

Ensure the user is unable to install software.

Page 30: Windows Hardening (5 of 10)

Ensure there are no errant or unnecessary processes running on the system.

Ensure there are no errant or unnecessary system services running on the system.

Ensure the Remote Administration function is disabled or locked down.

Ensure all Administrative PCs are locked down.

Page 31: Windows Hardening (6 of 10)

Page 32: Windows Hardening (7 of 10)

Page 33: Windows Hardening (8 of 10)

Ensure that there are no unnecessary TCP or UDP ports open.

Ensure that wireless networking, and infrared file transfer functions are disabled or locked down.

Ensure that system administrators have their own “regular” UserID and they use the RunAs command to perform any administrative work, unless logging in as Administrator is the only way to correct the issue.

Page 34: Windows Hardening (9 of 10)

Page 35: Windows Hardening (10 of 10)

Ensure the Default administrator account has been renamed.

Ensure the Administrative accounts have inactivity timeouts configured.

Ensure the “File and Print Sharing” feature has been disabled or locked down.

Ensure the personal firewall is turned on and configured correctly.

Page 36: Windows Hardening - Vista

Microsoft Trustworthy Computing Initiative

Introduced in 2002.

A result of several high-profile worms and viruses, e.g. MS Blaster.

Major paradigm shift for Microsoft: a shift from producing feature-rich software to prioritizing security and integrity.

Page 37: Windows Hardening - Vista

Microsoft Trustworthy Computing Initiative (cont.)

Tenets of MTCI:

Secure by Design: secure coding philosophies.

Secure by Default: ensure components of Windows default to the most secure setting.

Secure in Deployment: creation of tools and prescriptive guidance to help business and users.

Page 38: Windows Hardening - Vista

Microsoft Trustworthy Computing Initiative (cont.)

Resulted in major improvements in security.

XP could not benefit fully, as it was released 2 years prior.

Page 39: Windows Hardening - Vista

Trustworthy Computing Initiative (cont.): Enter Vista

First Microsoft OS fully compliant with the goals of Trustworthy Computing.

Vista Services Hardening: Secure by Default; designed to thwart errant service behavior.

Page 40: Windows Hardening - Vista

Windows Services

Formerly known as NT services.

Long-running executables running in their own Windows sessions.

Can be started at system boot, paused, and restarted.

Usually have no user interface.

Can run in a different security context than the user currently logged in.

Allow for great flexibility in application development.

Page 41: Windows Hardening - Vista

Windows Services (cont.)

Traditionally vulnerable to exploitation for several reasons:

Generally run in the security context of privileged accounts (e.g. Local Administrator).

If a service is compromised, malware has a good chance of doing anything it desires.

E.g. Remote Procedure Call (RPC) in XP: prior to SP2, it ran under the Local System account.

Page 42: Windows Hardening - Vista

Windows Services (cont.)

Traditionally vulnerable to exploitation for several reasons (cont.):

Many services are network facing. This allows malware to exploit them via inbound connections, and allows infected services to make outbound connections to infect other systems.

Services are long-running. They run from the time the system starts to when it shuts down, which allows malware plenty of time to do business.

Page 43: Windows Hardening - Vista

Windows Services (cont.): Service Hardening

Accomplished 4 ways in MS Vista: running services with least privilege, service isolation, restricted network access, and Session 0 isolation.

Page 44: Windows Hardening - Vista

Windows Services (cont.): Service Hardening (cont.)

Running with Least Privilege

Although many Windows services historically ran as Local System, many only need a small subset of privileges.

XP could only run services in an “all or nothing” manner; it was not able to pick and choose required privileges.

Vista allows services to run with the minimum privileges required to function.

Page 45: Windows Hardening - Vista

Windows Services (cont.): Service Hardening (cont.)

Service Isolation

Prior to Vista, services needing to access an object could gain access in 3 ways: 1 – use the Local System account; 2 – decrease security on the object; 3 – create an account specifically allowed to run the service.

Vista allows a service to reserve an object for its exclusive use by securing the resource with an access control entry (ACE) that contains a SID.
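The SID in that ACE is the per-service SID (the NT SERVICE\<name> identity in the S-1-5-80 family), which Windows derives from the service name alone, so no dedicated account and no weakened DACL are needed. The Python below is an added example, not from the slides: it recomputes that SID offline, builds the SDDL DACL an administrator would place on the reserved object, and checks that a DACL really names only the service. The service name MyBackupSvc and the FA (full access) right are assumptions; applying the DACL to the object (icacls, Set-Acl) is outside the block.

```python
"""Per-service SID and an SDDL DACL for a resource reserved to one service.
Added example (not from the slides). The service name "MyBackupSvc" and the
granted right "FA" (full access) are assumptions for illustration."""
import hashlib
import re
import struct


def service_sid(service_name):
    """NT SERVICE\\<name> SID: S-1-5-80- followed by five 32-bit sub-authorities
    taken little-endian from SHA-1 of the upper-cased name encoded as UTF-16LE."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(s) for s in struct.unpack("<5I", digest))


def is_service_sid(sid):
    """True for SIDs in the per-service family (S-1-5-80-a-b-c-d-e)."""
    return re.fullmatch(r"S-1-5-80(-\d+){5}", sid) is not None


def exclusive_dacl_sddl(service_name, rights="FA"):
    """SDDL DACL that grants `rights` to the service SID only. P (protected)
    stops inherited ACEs from widening it; SYSTEM (SY) keeps full access so
    administrators can still manage the object."""
    return f"D:P(A;;{rights};;;{service_sid(service_name)})(A;;FA;;;SY)"


def ace_trustees(sddl_dacl):
    """Trustee (sixth ';' field) of every ACE in an SDDL DACL string."""
    return [ace.split(";")[5] for ace in re.findall(r"\(([^)]*)\)", sddl_dacl)]


def reserved_for(sddl_dacl, service_name, allowed_extra=("SY",)):
    """Check an object's DACL really is reserved: every ACE must name the
    service's own SID or one of the explicitly allowed extra trustees."""
    own = service_sid(service_name)
    trustees = ace_trustees(sddl_dacl)
    return bool(trustees) and all(t == own or t in allowed_extra for t in trustees)
```

The well-known NT SERVICE\TrustedInstaller SID is a convenient check that the derivation is right, since it is printed in any ACL that Windows Update has touched.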

Page 46: Windows Hardening - Vista

Windows Services (cont.): Service Hardening (cont.)

Restricted Network Access

Vista firewall builds on the capabilities of the XP SP2 firewall.

New capabilities include outbound filtering and IPsec integration.

Vista firewall also integrates with Windows Vista Services Hardening, making it harder for malware to function.

Could have prevented Blaster, Sasser, or Welchia from using infected services.

Page 47: Windows Hardening - Vista

Windows Services (cont.): Service Hardening (cont.)

Session 0 Isolation

Fast User Switching in XP accommodates simultaneously logged-on users by putting each in a different Windows session.

Session 0 is created during startup (more are added as required).

Services have always run in Session 0.

Before Vista, user applications have been able to run in Session 0 as well, allowing cross-contamination resulting in exploits.

Vista reserves Session 0 for services only and makes it non-interactive.

Page 48: Linux/Unix Hardening (1 of 6)

Still thinking small here…, 1 to 2 systems (workstations or servers).

If you have the option (new install), only install the services you will need for your system. Linux/Unix installs usually give you much greater flexibility about what options you want to install.

Page 49: Linux/Unix Hardening (2 of 6)

Gathering Linux hardening documentation can be cumbersome at best. There are dozens of versions of Linux/Unix. Everybody has their own opinion, with many commonalities. What works in one probably works in others.

Suggested reading includes: rhel-sg-en.pdf, rhl-sg-en-9.pdf, Security-HOWTO.pdf.

Page 50: Linux/Unix Hardening (3 of 6)

Like MS Windows, you should read these documents; however, other shorter documents have also been provided. You should use these documents as a guide for your installations, but you should really build your own installation-specific documentation.

Page 51: Linux/Unix Hardening (4 of 6)

Common themes that occur in nearly all Linux/Unix hardening documentation include:

Strengthening passwords.

Updating system application and kernel files.

Verifying package installs with a package manager.

Root and user management.
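For the package verification theme, the Python below is an added example (not from the slides) that triages the report `rpm -Va` produces on an RPM-based system, separating edited configuration files, which any administered box will have, from vendor binaries whose contents changed, which a system that only ever received vendor packages should not have. The report text is constructed sample output in rpm's verify format.

```python
"""Triage of `rpm -Va` output for the "verify package installs" step.
Added example (not from the slides). The report below is constructed sample
text in rpm's verify format: a 9-character flag field (S size, M mode,
5 digest, D device, L link, U user, G group, T mtime, P capabilities, '.'
unchanged), an optional file type letter (c = config, d = documentation),
then the path; "missing" replaces the flags for files that are gone."""
SAMPLE_RPM_VERIFY = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/sysconfig/iptables
..5....T.    /usr/bin/ls
.M.......    /usr/bin/passwd
S.5....T.    /usr/sbin/sshd
missing   d /usr/share/doc/openssh/README
.....UG..    /var/log/audit
"""
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
              "U": "owner", "G": "group", "T": "mtime", "P": "caps"}
# Directories whose contents should only ever change through the package manager.
VENDOR_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib", "/usr/lib")
CONTENT_FLAGS = {"size", "digest", "mode", "link", "caps"}


def parse_rpm_verify(text):
    """Yield (path, file_type, changed) where changed is a set of flag names,
    or the string "missing"."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        file_type = parts[1] if len(parts) == 3 else ""
        if flags == "missing":
            yield path, file_type, "missing"
        else:
            yield path, file_type, {FLAG_NAMES[c] for c in flags if c in FLAG_NAMES}


def triage(text):
    """Return (severity, path, note) for each reported file. Edited config
    files are expected on any administered box; a vendor binary whose
    contents changed is not, and is the thing to chase first."""
    findings = []
    for path, file_type, changed in parse_rpm_verify(text):
        if changed == "missing":
            sev = "LOW" if file_type == "d" else "MEDIUM"
            findings.append((sev, path, "file missing"))
            continue
        what = ",".join(sorted(changed))
        if file_type == "c":
            findings.append(("INFO", path, "config edited: " + what))
        elif path.startswith(VENDOR_PREFIXES) and changed & CONTENT_FLAGS:
            findings.append(("HIGH", path, "vendor binary altered: " + what))
        elif changed & {"owner", "group", "mode"}:
            findings.append(("MEDIUM", path, "ownership/permissions changed: " + what))
        elif changed:
            findings.append(("LOW", path, what))
    return findings
```

Note that rpm's database is itself on the system being checked, so a HIGH finding is a lead, and a clean report on a system already treated as compromised is not proof of anything.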

Page 52: Linux/Unix Hardening (5 of 6)

Disable unnecessary processes. Disable unnecessary services. Disable remote administration. Disable unnecessary TCP/IP services.

Does any of this sound familiar? The reason that we separate the Linux/Unix OS from MS Windows is that while there are similarities in what needs to be done, there are major differences in how we perform these actions.

Page 53: Linux/Unix Hardening (6 of 6)

With Linux/Unix installations we also have some software hardening options that we can apply.

Bastille – Proactively “locks down” a Linux/Unix system and configures it for increased security.

SELinux – A research prototype Linux (kernel and utilities) developed in partnership with the NSA, which enforces mandatory access control policies. (Not a fully “Trusted OS”.)

Page 54: New Information (Slide 1 of 8)

Windows Vista

Very nice graphical interface.

Installs TCP/IPv4 and TCP/IPv6 by default. The problem is that there is currently no real anti-malware solution for the TCP/IPv6 protocol stack at this time.

This may push ahead the acceptance of TCP/IPv6; however, there is the potential for new, far more powerful attacks appearing as well.

Page 55: New Information (Slide 2 of 8)

If you have a current version of an antivirus application, you will have to purchase a new version or upgrade for MS Vista.

Currently, McAfee (8.0i) anti-virus software is not supported; McAfee 8.5 (released in November 2006) needs to be purchased.

In fact, most vendors have had to produce an anti-virus solution without information from Microsoft about the kernel.

Why? Read vista_position.pdf from McAfee.

Page 56: New Information (Slide 3 of 8)

Page 57: New Information (Slide 4 of 8)

Fedora Core 8 and Ubuntu

Again, very nice interfaces.

Both install TCP/IPv4 and TCP/IPv6 stacks, similar to Windows Vista. This leads to the same problems as listed with Microsoft; however, there are several open source anti-malware applications available for install.

Since these anti-malware applications are open source, you can compile them for nearly any Linux/Unix system.

Page 58: New Information (Slide 5 of 8)

As before, these anti-malware applications do not solve the issues with the current TCP/IPv6 stacks.

Like MS Windows Vista, Fedora Core 8 takes nearly an hour or more to install, several hours to upgrade, and provides fewer configuration options in the install menu than ever before.

Fedora used to have a great installation configuration process; after installing it, it currently feels more like MS Windows.

Page 59: New Information (Slide 6 of 8)

Fedora Core 8 installs the SELinux kernel by default.

This has been the case since Fedora Core 2; there is an option to turn off the installation of the SELinux kernel, but why would you want to?

Easier to set up some security routines, more difficult to set up others.

Setup of IPTables was easier; however, the installation of AVG (anti-malware) required a custom compile and install due to conflicts with the built-in VOIP functionality of Fedora Core 5.

Page 60: New Information (Slide 7 of 8)

Ubuntu (kubuntu, edubuntu, etc…) is a hardened OS with an SELinux kernel and other security features, making it a very tight system.

It is currently the most popular Linux distro download and is one of the easiest to install.

Installation takes about 12 minutes, initial updates took about 30 minutes, and installation of additional software took about 4 hours. (This is considerably less than Fedora Core 5 ~ 8.5 hours.)

Page 61: New Information (Slide 8 of 8)

Ubuntu seems to be one of the easier Linux OSs to work with right now.

Back-to-basics approach, with a 3-year Long-Term Support (LTS) agreement on their current official release (v6.06.1).

Very customizable and easy to use, update (which even includes a package for AVG antivirus) and maintain.

Fully open source, with clear instructions on downloading the source packages for all installed applications. (Fedora used to have this but it is missing now.)