Download
host hard ening n.
Skip this Video
Loading SlideShow in 5 Seconds..
Host Hard ening PowerPoint Presentation
Download Presentation
Host Hard ening

Host Hard ening

152 Views Download Presentation
Download Presentation

Host Hard ening

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Host Hardening Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment (March 19, 2014) © Abdou Illia – Spring 2014

  2. Computer system #1 • Intel® Core® i7 Processor (3.20GHz) • 2GB SDRAM PC3200 (800MHz), Dual Channel • 1TB Serial ATA 7200rpm Hard Disk Drive • 16x Multi-Format DVD Writer (DVD±R/±RW) • Gateway 7-Bay Tower Case • Integrated Ultra ATA Controller • (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use • (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2 • 20" Black LCD Flat Panel Display (19" viewable) • Gateway Premium 104+ Keyboard • Two-Button PS/2 Wheel Mouse • Napster 2.0 and 150 Song Sampler • Intel® High Definition Audio • GMAX 2100 2.1 Speakers with Subwoofer • 56K PCI data/fax modem • 10/100/1000 (Gigabit) Ethernet • Microsoft Office 2010 Professional on DVD

  3. Computer Hardware & Software Productivity Software Operating System Computer Hardware

  4. Computer system #2 • Intel® Core® i7 Processor (3.20GHz) • 2GB SDRAM PC3200 (800MHz), Dual Channel • 1TB Serial ATA 7200rpm Hard Disk Drive • 16x Multi-Format DVD Writer (DVD±R/±RW) • Gateway 7-Bay Tower Case • Integrated Ultra ATA Controller • (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use • (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2 • 20" Black LCD Flat Panel Display (19" viewable) • Gateway Premium 104+ Keyboard • Two-Button PS/2 Wheel Mouse • Napster 2.0 and 150 Song Sampler • Intel® High Definition Audio • GMAX 2100 2.1 Speakers with Subwoofer • 56K PCI data/fax modem • 10/100/1000 (Gigabit) Ethernet • Windows 7 Professional • Google Chrome 16 installed • Microsoft Office 2010 Professional installed

  5. Computer Hardware & Software Web browserProductivity Software Operating System Computer Hardware

  6. Computer system #3 • Intel® Core® i7 Processor (3.20GHz) • 2GB SDRAM PC3200 (800MHz), Dual Channel • 1TB Serial ATA 7200rpm Hard Disk Drive • 16x Multi-Format DVD Writer (DVD±R/±RW) • Gateway 7-Bay Tower Case • Integrated Ultra ATA Controller • (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use • (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2 • 20" Black LCD Flat Panel Display (19" viewable) • Gateway Premium 104+ Keyboard • Two-Button PS/2 Wheel Mouse • Napster 2.0 and 150 Song Sampler • Intel® High Definition Audio • GMAX 2100 2.1 Speakers with Subwoofer • 56K PCI data/fax modem • 10/100/1000 (Gigabit) Ethernet • Windows Server 2008 Enterprise installed • Internet Explorer 8 installed • IIS 6.0 installed

  7. Web service software (IIS, Apache, ...)Web browserProductivity Software Client & server application programs Operating System Computer Hardware Computer Hardware & Software

  8. Your knowledge about Host hardening • Which of the following is most likely to make a computer system unable to perform any kind of work or to provide any service? • Client application programs get hacked • Server application programs (web service software, database service, network service, etc.) get hacked • The operating system get hacked • The connection to the network/Internet get shut down

  9. OS Vulnerability test2010 by omnired.com • OS tested: • Win XP, Win Server 2003, Win Vista Ultimate, • Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger • FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10 • Tools used to test vulnerabilities: • Scanning tools (Track, Nessus) • Network mapping (Nmap command) • All host with OS installation defaults • Results • Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities and allow for executing malicious code • The UNIX and Linux variants present a much more robust exterior to the outside • Once patched, however, both Windows and Apple’s OS are secure. OS market share

  10. Your knowledge about Host hardening • You performed an Out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure ? • Windows XP • Linux FreeBSD 6.2 • They will have the same level of security • What needs to be done, first, in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet? • Lock the server room • Configure the firewall to deny all inbound traffic to the server • Download and install patches for known vulnerabilities

  11. Security Baseline • Because it’s easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: standard security baseline • Need to have different security baseline for different kind of host; i.e. • Different security baselines for different OS and versions • Different security baselines for different types of server applications (web service, email service, etc.) • Different security baselines for different types of client applications.

  12. Options for Security Baselines • Organization could use different standards • OS vendors’ baselines and tools • e.g. Follow MS Installation procedure and use Microsoft Baseline Security Analyzer (MBSA) • Standards Agencies baselines • e.g. CobiT* Security Baseline • Company’s own security baselines • Security Baseline to be implemented by • Server administrators known as systems admin * Control Objectives for Information and Related Technology

  13. Elements of Hardening • Physical security • Secure installation and configuration • Fix known vulnerabilities • Remove/Turn off unnecessary services (applications) • Harden all remaining applications • Manage users and groups • Manage access permissions • For individual files and directories, assign access permissions to specific users and groups • Back up the server regularly • Advanced protections According to baseline

  14. Example of Security Baseline for Win XP Clients • OS Installation • Create a single partition on HDD • Format disk using NTFS file system • Install Win XP and Service Pack 3 • Fixing OS vulnerabilities • Download and install latest patches • Turn on Windows’ Automatic Updates checking • Configure Windows Firewall • Block incoming connections except KeyAccess and Remote Assistance • Turn off unnecessary services • Turn off Alerter, Network Dynamic Data Exchange, telnet • Application Installation • Centrally assign applications using group policies • Fixing applications’ vulnerabilities • Turn on each application’s automatic update checking

  15. Hardening servers • The 5 P’ s of security and compliance: Proper Planning Prevents Poor Performance • Plan the installation • Identify • The purpose of the server. Example: provides easy & fast access to Internet services • The services provided on the server • Network service software (client and server) • The users or types of users of the server • Determine • Privileges for each category of users • If and how users will authenticate • How appropriate access rights will be enforced • Which OS and server applications meet the requirements • The security baseline(s) for installation & deployment • Install, configure, and secure the OS according to the security baseline • Install, configure, and secure server software according to sec. baseline • Test the security • Add network defences • Monitor and Maintain

  16. Hardening servers (cont.) • Choose the OS that provides the following: • Ability to restrict admin access (Administrator vs. Administrators) • Granular control of data access • Ability to disable services • Ability to control executables • Ability to log activities • Host-based firewall • Support for strong authentication and encryption • Disable or remove unnecessary services or applications • If no longer needed, remove rather than disable to prevent re-enabling • Additional services increases the attack vector • More services can increase host load and decrease performance • Reducing services reduces logs and makes detection of intrusion easier

  17. Hardening servers (cont.) • Configure user authentication • Remove or disable unnecessary accounts (e.g. Guest account) • Change names and passwords for default accounts • Disable inactive accounts • Assign rights to groups not individual users • Don't permit shared accounts if possible • Configure time sync • Enforce appropriate password policy • Use 2-factor authentication when necessary • Always use encrypted authentication

  18. UNIX / Linux Hardening • Many versions of UNIX • No standards guideline for hardening • User can select the user interface • Graphic User Interface (GUI) • Command-Line Interfaces (CLIs) or shells • CLIs are case-sensitive with commands in lowercase except for file names

  19. UNIX / Linux Hardening • Three ways to start services • Start a service manually (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so • Using the inetd program to start services when requests come in from users • Using the rc scripts to start services automatically at boot up Inetd = Internet daemon; i.e. a computer program that runs in the background

  20. UNIX / Linux Hardening • Starting services upon client requests • Services not frequently used are dormant • Requests do not go directly to the service • Requests are sent to the inetd program which is started at server boot up Program A 1. Client Request To Port 123 4. Start and Process This Request Program B inetd Program C 2. Port 123 Program D 3. Program C Port 23 Program A Port 80 Program B Port 123 Program C Port 1510 Program D /etc/inetd.config

  21. UNIX / Linux Hardening • Turning On/Off unnecessary Services In UNIX • Identifying services running at any moment • ps command (process status), usually with –aux parameters, lists running programs • Shows process name and process ID (PID) • netstat tells what services are running on what ports • Turning Off Services In UNIX • kill PID command is used to kill a particular process • kill 47 (If PID=47)

  22. Advanced Server Hardening Techniques • File Integrity Checker • Creates snapshot of files: a hashed signature (message digest) for each file • After an attack, compares post-hack signature with snapshot • This allows systems administrator to determine which files were changed • Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

  23. Advanced Server Hardening Techniques Reference Base File 1 File 2 … Other Files in Policy List File 1 Signature File 2 Signature … … 1. Earlier Time Tripwire 3. Comparison to Find Changed Files Post-Attack Signatures File 1 File 2 … Other Files in Policy List File 1 Signature File 2 Signature … … 2. After Attack Tripwire File Integrity problem: many files change for legitimate reasons. So it is difficult to know which ones the attacker changed.

  24. Other types of host that can be Hardened • Internetwork Operating System (IOS) • For Cisco Routers, Some Switches, Firewalls • Even cable modems with web-based management interfaces