Host Hardening
(March 21, 2011)
© Abdou Illia – Spring 2011
CERT Report on systems vulnerabilities
[Figure: chart of vulnerabilities reported by CERT]
Source: CERT Report @ http://www.kb.cert.org/vuls/bymetric
OS Vulnerability test
 Source: http://www.omninerd.com/articles/2006_Operating_System_Vulnerability_Summary
 OS tested (chart: OS market share for 2006):
 - Win XP, Win Server 2003, Win Vista Ultimate
 - Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger
 - FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
 Tools used to test vulnerabilities:
 - Scanning tools (Track, Nessus)
 - Network mapping (Nmap command)
 - All hosts with OS installation defaults
 Results:
 - Microsoft's Windows and Apple's OS X are rife with remotely accessible vulnerabilities and allow for executing malicious code
 - The UNIX and Linux variants present a much more robust exterior to the outside
 - Once patched, however, both Windows and Apple's OS are secure, at least from the outside.
Your knowledge about Host hardening
 Today, how long will it take for a hacker to "own" a server with OS installation defaults that is connected to the Internet?
 a) A week
 b) A day or two
 c) Two weeks
 What needs to be done first in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?
 a) Lock the server room
 b) Configure the firewall to deny all inbound traffic to the server
 c) Download and install patches for known vulnerabilities
Your knowledge about Host hardening
 You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?
 a) Windows XP
 b) Linux FreeBSD 6.2
 c) They will have the same level of security
What is Hardening Host Computers?
 A series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment
 Because it's easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology or a standard security baseline
 Different security baselines are needed for different kinds of host, i.e.:
 - Different security baselines for different OS and versions
 - Different security baselines for different types of servers (web servers, mail servers, etc.) and applications
Security Baseline
 Organizations could use different standards:
 - OS vendors' baselines and tools, e.g. follow the MS installation procedure and use Microsoft Baseline Security Analyzer (MBSA)
 - Standards agencies' baselines, e.g. CobiT* Security Baseline
 - Company's own security baselines
 Security baseline to be implemented by server administrators, known as systems admins
* Control Objectives for Information and Related Technology
Elements of Hardening
 Physical security
 Secure installation and configuration
 Fix known vulnerabilities
 Remove/Turn off unnecessary services (applications)
 Harden all remaining applications
 Manage users and groups
 Manage access permissions
 - For individual files and directories, assign access permissions to specific users and groups
 Back up the server regularly
 Advanced protections
(All of the above: according to baseline)
Example of Security Baseline for Win XP Clients
 OS Installation
 - Create a single partition on HDD
 - Format disk using NTFS file system
 - Install Win XP and Service Pack 3
 Fixing OS vulnerabilities
 - Download and install latest patches
 - Turn on Windows' Automatic Updates checking
 Configure Windows Firewall
 - Block incoming connections except KeyAccess and Remote Assistance
 Turn off unnecessary services
 - Turn off Alerter, Network Dynamic Data Exchange, telnet
 Application Installation
 - Centrally assign applications using group policies
 Fixing applications' vulnerabilities
 - Turn on each application's automatic update checking
Hardening servers
 Be aware of the 5 'P's of security and compliance
 - Proper Planning Prevents Poor Performance
 Plan the installation
 - Identify:
   - The purpose of the server. Example: provides easy & fast access to Internet services
   - The services provided on the server
   - Network service software (client and server)
   - The users or types of users of the server
   - Privileges for each category of users
   - If and how users will authenticate
   - How appropriate access rights will be enforced
 - Determine:
   - Which OS and server applications meet the requirements
   - The security baseline(s) for installation & deployment
 Install, configure, and secure the OS according to the security baseline
 Install, configure, and secure server software according to the security baseline
 Test the security
 Add network defenses
 Monitor and maintain
Hardening servers (cont.)
 Choose the OS that provides the following:
 - Ability to restrict admin access (Administrator vs. Administrators)
 - Granular control of data access
 - Ability to disable services
 - Ability to control executables
 - Ability to log activities
 - Host-based firewall
 - Support for strong authentication and encryption
 Disable or remove unnecessary services or applications
 - Remove rather than disable, to prevent re-enabling
 - Additional services increase the attack vector
 - More services can increase host load and decrease performance
 - Reducing services reduces logs and makes detection of intrusion easier
Hardening servers (cont.)
 Configure user authentication
 - Remove or disable unnecessary accounts (e.g. Guest account)
 - Change names and passwords for default accounts
 - Disable inactive accounts
 - Assign rights to groups, not individual users
 - Don't permit shared accounts if possible
 - Configure time sync
 - Enforce appropriate password policy
 - Use 2-factor authentication when necessary
 - Always use encrypted authentication
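The account checklist above can be turned into a repeatable check. The following shell script is an added example, not part of the lecture slides: it audits a constructed /etc/passwd-style listing (password field included, as on a system without shadow files) for accounts with no password, extra UID 0 accounts, well-known default or shared names that are still enabled, and accounts on an inactive list. The sample data, the names treated as "default" (guest, admin, test, shared) and the inactive list are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the slides): audit accounts against the
# authentication checklist. Fields: name:password:uid:gid:gecos:home:shell
# Constructed sample data; the hashes are placeholders.
SAMPLE_PASSWD='root:$6$abc:0:0:root:/root:/bin/sh
toor:$6$def:0:0:alt root:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin
oldjoe:$6$ghi:1002:1002:left 2010:/home/oldjoe:/bin/sh
alice:$6$jkl:1003:1003:Alice:/home/alice:/bin/sh
shared:$6$mno:1004:1004:Shared lab login:/home/shared:/bin/sh
'

# audit_accounts PASSWD_DATA INACTIVE_LIST
# Prints one finding per line, "RULE account":
#   EMPTY_PASSWORD  - enabled login with no password at all
#   EXTRA_UID0      - an account other than root with superuser UID 0
#   DEFAULT_ACCOUNT - a generic/default name (guest, admin, test, shared) still enabled
#   INACTIVE        - enabled account named in the comma-separated inactive list
# An account counts as "enabled" when its shell allows login and the
# password field is neither "*" nor "!" (the usual lock markers).
audit_accounts() {
    passwd_data="$1"; inactive_list="$2"
    printf '%s\n' "$passwd_data" | awk -F: -v inactive="$inactive_list" '
        BEGIN {
            n = split(inactive, arr, ",")
            for (i = 1; i <= n; i++) inact[arr[i]] = 1
            generic["guest"] = 1; generic["admin"] = 1
            generic["test"] = 1;  generic["shared"] = 1
        }
        NF < 7 { next }
        {
            name = $1; pw = $2; uid = $3; shell = $7
            enabled = (shell !~ /nologin|false$/ && pw != "*" && pw != "!")
            if (uid == 0 && name != "root")   print "EXTRA_UID0 " name
            if (enabled && pw == "")          print "EMPTY_PASSWORD " name
            if (enabled && (name in generic)) print "DEFAULT_ACCOUNT " name
            if (enabled && (name in inact))   print "INACTIVE " name
        }'
}

# Usage: audit the constructed sample, treating "oldjoe" as inactive.
audit_accounts "$SAMPLE_PASSWD" "oldjoe"
```

The rules are deliberately simple string checks so they can be read next to the slide's list; on a real host you would feed in `getent passwd` output and a list of accounts with no recent login, and then act on each finding (lock, rename, or remove the account) according to the baseline.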
Windows Hardening
 Most Windows hardening is done using the Graphical User Interface
Windows Hardening
 Turning services and applications on/off in Windows
Q: Reducing services can increase host load and decrease performance: T / F
Windows Hardening
 Domain configuration and directory service needed for central security settings
 Windows 2000 introduced hierarchical domain structure with Active Directory
 - Domain is a collection of resources
 - Domain contains one or more domain controllers, member servers, client PCs
 - Group policy objects (GPOs) on a domain controller can implement security policies throughout a domain
UNIX / Linux Hardening
 Many versions of UNIX
 - No standard guideline for hardening
 User can select the user interface
 - Graphical User Interface (GUI)
 - Command-Line Interfaces (CLIs) or shells
 CLIs are case-sensitive, with commands in lowercase (file names may use any case)
UNIX / Linux Hardening
 Three ways to start services
 - inetd program used to start services when requests come in from users
 - rc scripts to start services automatically at boot up
 - Start a service manually by typing its name or executing a batch file that does so
Inetd = Internet daemon, i.e. a computer program that runs in the background
UNIX / Linux Hardening
 Starting services upon client requests
 - Services not frequently used are dormant
 - Requests do not go directly to the service
 - Requests are sent to the inetd program, which is started at server boot up
[Figure: on-demand service start through inetd. 1. Client request to port 123. 2. inetd, listening on ports 23, 80, 123 and 1510, looks up port 123 in /etc/inetd.conf, which maps those ports to Programs A, B, C and D. 3. Port 123 maps to Program C. 4. inetd starts Program C to process this request.]
UNIX / Linux Hardening
 Turning on/off unnecessary services in UNIX
 - Identifying services running at any moment
   - ps command (process status), usually with the -aux parameters, lists running programs
     - Shows process name and process ID (PID)
   - netstat tells what services are running on what ports
 - Turning off services in UNIX
   - kill PID command is used to kill a particular process
     - kill 47 (if PID=47)
Q: You kill some services but see that they are running again the next day. Explain why.
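The two slides above (starting services through inetd, and finding and killing them with ps and kill) fit together in one check. The shell script below is an added example, not code from the slides: it parses a constructed inetd.conf to list which services inetd will start on demand, looks up PIDs in a constructed ps aux listing the way an admin does before typing kill, and shows how to comment a service out of the configuration. A daemon that inetd or an rc script is configured to start comes back on the next request or reboot, so killing it by PID alone is not a lasting change; the configuration entry has to go. The sample configuration and process listing are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): audit on-demand services and match
# running daemons to PIDs. All data below is constructed sample input.

# Constructed /etc/inetd.conf. Columns: service socket proto wait user server args
SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp     stream  tcp  nowait root   /usr/sbin/in.ftpd    in.ftpd
#telnet stream  tcp  nowait root   /usr/sbin/in.telnetd in.telnetd
finger  stream  tcp  nowait nobody /usr/sbin/in.fingerd in.fingerd
daytime stream  tcp  nowait root   internal
'

# Constructed "ps aux" output, trimmed to the columns used here.
SAMPLE_PS='USER   PID %CPU %MEM COMMAND
root     1  0.0  0.1 /sbin/init
root    47  0.0  0.2 /usr/sbin/inetd
root    88  0.0  0.3 /usr/sbin/sshd
nobody 103  0.0  0.1 in.fingerd
'

# inetd_enabled_services CONF_TEXT
# Lists services inetd is configured to start: every line that is neither
# blank nor a comment. These return whenever inetd handles a request or is
# restarted, regardless of what was killed by PID.
inetd_enabled_services() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -v '^[[:space:]]*$' \
        | awk '{ print $1 }'
}

# pids_of PS_TEXT NAME
# Prints the PID of each process whose command contains NAME (skips the
# header line), mirroring a manual scan of "ps aux" before "kill PID".
pids_of() {
    ps_output="$1"; name="$2"
    printf '%s\n' "$ps_output" | awk -v n="$name" 'NR > 1 && index($5, n) { print $2 }'
}

# inetd_disable_service CONF_TEXT SERVICE
# Returns the configuration with SERVICE commented out. Writing this back to
# /etc/inetd.conf and signalling inetd (SIGHUP) is what keeps the service
# from being started again; deleting the line entirely is the "remove
# rather than disable" option from the slides.
inetd_disable_service() {
    conf="$1"; svc="$2"
    printf '%s\n' "$conf" | awk -v s="$svc" '$1 == s { print "#" $0; next } { print }'
}

# Usage on the constructed data.
echo "inetd starts on demand:"; inetd_enabled_services "$SAMPLE_INETD_CONF"
echo "PID of inetd: $(pids_of "$SAMPLE_PS" inetd)"
echo "after disabling finger:"
inetd_disable_service "$SAMPLE_INETD_CONF" finger | inetd_enabled_services "$(cat)"
```

On a live host the same functions take `cat /etc/inetd.conf` and `ps aux` as input; the point of separating "what is running now" from "what is configured to start" is that hardening has to change the second list, not just the first.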
Advanced Server Hardening Techniques
 Need to read event logs to diagnose problems
 - Failed logins, changing permissions, starting programs, kernel messages, etc.
Advanced Server Hardening Techniques
 File Encryption
 - Protects files even if attacker breaks in
 - Key escrow: copy of encryption key is kept elsewhere to protect in case of key loss
 - Windows Encrypting File System (EFS)
   - Select file in Windows Explorer, select Properties
   - Click on General tab's Advanced button
   - Click on the box "Encrypt contents to secure data"
Advanced Server Hardening Techniques
 File Integrity Checker
 - Creates snapshot of files: a hashed signature (message digest) for each file
 - After an attack, compares post-hack signatures with the snapshot
 - This allows the systems administrator to determine which files were changed
 - Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)
Advanced Server Hardening Techniques
[Figure: Tripwire workflow. 1. Earlier time: Tripwire hashes File 1, File 2, ... and the other files in the policy list into a reference base of signatures (File 1 Signature, File 2 Signature, ...). 2. After attack: Tripwire hashes the same files again into post-attack signatures. 3. Comparison of the two signature sets to find changed files.]
File integrity problem: many files change for legitimate reasons, so it is difficult to know which ones the attacker changed.
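The snapshot-and-compare workflow in the Tripwire figure, and the problem noted just above, can be shown in a few lines of shell. The script below is an added example and is not Tripwire's code: it hashes only the files named in a policy list (the slide's "other files in policy list"), stores the hashes as a reference base, re-hashes later and reports changed, missing and restored files. Keeping frequently and legitimately changing files (logs, spool directories) out of the policy list is the usual answer to the "many files change for legitimate reasons" problem, and the demo shows a log file being ignored for that reason. It assumes sha256sum or shasum is installed; the directory tree and the "attack" modification are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not Tripwire's code): a minimal file-integrity checker.

# fim_hash PATH: SHA-256 of one file, using whichever tool the host has.
fim_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# fim_snapshot ROOT POLICY_FILE
# Prints "relative-path hash" for every path in the policy list (one per
# line); files that do not exist are recorded as MISSING so a later
# comparison can report them.
fim_snapshot() {
    root="$1"; policy="$2"
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -f "$root/$rel" ]; then
            printf '%s %s\n' "$rel" "$(fim_hash "$root/$rel")"
        else
            printf '%s MISSING\n' "$rel"
        fi
    done < "$policy"
}

# fim_compare BASELINE_DB CURRENT_DB
# Prints "CHANGED path", "MISSING path" or "RESTORED path". Paths absent
# from the baseline are ignored: only the policy list is examined.
fim_compare() {
    baseline="$1"; current="$2"
    awk 'NR == FNR { base[$1] = $2; next }
         {
             if (!($1 in base)) next
             if ($2 == base[$1]) next
             if ($2 == "MISSING")            print "MISSING " $1
             else if (base[$1] == "MISSING") print "RESTORED " $1
             else                            print "CHANGED " $1
         }' "$baseline" "$current"
}

# fim_demo: builds a constructed tree, takes the reference base, simulates
# one tampered system file and one legitimately changed log, then compares.
fim_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc" "$work/bin" "$work/var/log"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"
    printf '#!/bin/sh\necho hello\n' > "$work/bin/hello"
    printf 'boot ok\n' > "$work/var/log/messages"
    # Policy list: system files to watch. The log is deliberately left out
    # because it changes for legitimate reasons every day.
    printf 'etc/passwd\nbin/hello\n' > "$work/policy.txt"

    fim_snapshot "$work" "$work/policy.txt" > "$work/baseline.db"   # 1. reference base

    # Constructed changes: a tampered binary and normal log growth.
    printf '#!/bin/sh\necho tampered\n' > "$work/bin/hello"
    printf 'boot ok\nlogin ok\n' > "$work/var/log/messages"

    fim_snapshot "$work" "$work/policy.txt" > "$work/current.db"    # 2. post-attack signatures
    fim_compare "$work/baseline.db" "$work/current.db"              # 3. comparison
    rm -rf "$work"
}

fim_demo   # prints: CHANGED bin/hello
```

The baseline database is itself a target once an attacker is on the host, so in practice it is written to read-only or offline media, which is also how Tripwire is normally deployed.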
Other types of host that can be hardened
 Internetwork Operating System (IOS)
 - For Cisco routers, some switches, firewalls
 Even cable modems with web-based management interfaces