Auditing Networks, Perimeters and Systems

Download Report

Transcript Auditing Networks, Perimeters and Systems

Building Your IT Security
Checklist
Sample checklist/audit plans for
Unix, NT and Windows 2000
Active Directory
Copyright 2001 Marchany
1
What have we just done?
The
Top 20 threats meet our risk
criteria:
•Have
a high probability of occurring
•Result in the loss of a critical service
•Be extremely expensive to fix later
•Result in heavy, negative publicity
Copyright 2001 Marchany
2
Applying TBS to the real
world!



TBS = Time Based Security
Top Ten Vulnerabilities, the vulnerabilities
responsible for most hacks
Apply TBS as an approach to an effective
understandable security policy





Basics
Perimeter
Unix
NT
Windows 2000
Copyright 2001 Marchany
3
The TBS Audit Layers


A complete IT audit/security checklist is a set
of component audits/checklists. You should
be able to measure E, D and R times for each
layer of the security architecture.
Components




Procedural: E = D+R
Perimeter(Firewall): E = D+R
UNIX: E = D+R
NT/Windows 2000: E =D+R
Copyright 2001 Marchany
4
CIS Rulers




Rulers list a set of minimal actions that need
to be done on a host system.
This is a consensus list derived from security
checklists provided by CIS charter members
(VISA, IIA, ISACA, First Union, Pitney Bowes,
Allstate Insurance, DOJ, Chevron, Shell Oil,
VA Tech, Stanford, Catepillar, Pacific Gas &
Electric, RCMP, DOD CIRT, Lucent, Edu
Testing Services and others)
Can’t develop your own set? Use these!
http://www.cisecurity.org
Copyright 2001 Marchany
5
CIS Rulers: A Security and
Audit Checklist

Level 1


Mandatory Actions required regardless of
the host’s location or function.
Level 2


Dependent on your network topology
Different for switched nets vs. shared nets
vs. wireless nets, etc.
Copyright 2001 Marchany
6
CIS Rulers: Security Checklist
& Audit Plan

Level 3


Application Specific (WWW, FTP, DB, Auth)
Procedural


Examines the policies in place.
This is the policy review checklist.
Level 3
FTP WWW DB Mail
Level 2 Switched Wireless Non Switched
LEVEL 1
Copyright 2001 Marchany
7
CIS Rulers: Procedural







General Administration Policies
Key security tool installed
User Accounts and environment
System Logs
Network File sharing
General Email Issues
This review is done during the Audit Planning
Phase of the audit process
Copyright 2001 Marchany
8
CIS Ruler: Procedural

General Administration Policies









Acceptable Use Policy
Backup Policy
Security Administrator duties
Whois Contact Information (Tech/Admin)
System changelogs (Source Revision Control)
Incident Response
Minimum software requirements
User, temp, system account policies
Patches
Copyright 2001 Marchany
9
CIS Ruler Example: Backups
·
·
·
·
·
·
·
·
·
·
·
Does a backup policy exist?
Do backup logs exist?
What data is backed up
How often data is backed up
Type of backup (full, differential, etc.)
How the backups are scheduled and verified
How the backup media is handled and labeled
How the backup media is stored
How long the backup media is retained
How backup media is rotated and expired
How backup data is recovered
Copyright 2001 Marchany
10
CIS Ruler: Procedural

Key security tools installed




Network routers implement minimum
filtering requirements
Verify network routers are properly
configured and monitored for in/out traffic
Are all firewalls properly configured and
monitored for in/out traffic
The above rules prevent DDOS attacks
from affecting other nets.
Copyright 2001 Marchany
11
CIS Ruler: Procedural

User Accounts and Environment


System Logs


How long are they kept? Are they secured?
Network file sharing



Remove obsolete user entries from system
Review what filesystems this system can access
Review what filesystems this system exports
Email Policy

Abuse Policy?
Copyright 2001 Marchany
12
CIS Ruler: Written
Documentation, Policies
Where is it?
 Is it available to anyone that needs it?
 Is it up to date?
 Is anything major missing (SGI policies, but
no HP policies)?

Copyright 2001 Marchany
13
CIS Ruler Example: Security
Policy




Purpose - the reason for the policy.
Related documents – lists any documents (or other policy)
that affect the contents of this policy.
Cancellation - identifies any existing policy that is cancelled
when this policy becomes effective.
Background - provides amplifying information on the need for
the policy.
Copyright 2001 Marchany
14
CIS Ruler:




Scope - states the range of coverage for the policy (to whom or
what does the policy apply?).
Policy statement - identifies the actual guiding principles or
what is to be done. The statements are designed to influence
and determine decisions and actions within the scope of
coverage. The statements should be prudent, expedient, and/or
advantageous to the organization.
Action - specifies what actions are necessary and when they
are to be accomplished.
Responsibility - states who is responsible for what.
Subsections might identify who will develop additional detailed
guidance and when the policy will be reviewed and updated.
Copyright 2001 Marchany
15
Procedural: Incident Response
Plan

Are the six Incident Response steps covered?






Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned (if there are no lessons learned
documents either the plan isn’t followed or no
incidents have occurred).
Copyright 2001 Marchany
16
Procedural: Training &
Education



Do technical people have the training to
do their job competently?
Are there standards their skills can be
measured against?
Are there standards of compliance that
ensure they are using their training in
accordance with policy?
Copyright 2001 Marchany
17
Procedural: Physical
Security





Consoles in physically secure areas?
Fire suppression?
Backups? Offsite backups?
Network components secured?
Phone wiring secured?
Copyright 2001 Marchany
18
Procedural: Windows 2000






These are based on the SANS “Securing
Windows 2000” booklet.
Least Privilege Principle
Avoid granting unnecessary Admin privs.
Limit Domain Trust.
Restrict modems in workstations and servers.
Limit access to sniffer software (Network
Monitor).
Copyright 2001 Marchany
19
Procedural: Windows 2000









Keep system software updated.
Update and Practice a Recovery Plan.
Require strong passwords.
Require password protected screen savers.
Establish Auditing and Review Policies.
Require Administrators to have a User and
Administrator account.
Require antivirus software.
Install host based IDS.
Perform periodical low-level security audits.
Copyright 2001 Marchany
20
CIS Procedural Ruler Review



Procedural rulers give you a starting point for
determining your site’s policy pie
These policies include acceptable use,
privacy, incident response, accountability,
backup and any other appropriate action
The CIS procedural ruler is a consensus list of
practices done at the charter members sites.
Copyright 2001 Marchany
21
CIS Rulers for Solaris and
Linux



This section explains the items listed in
the CIS Security Benchmarks for Solaris
and Linux.
The commands are very similar and the
strategy is the same for both OS.
We’ll be hardening the Solaris system in
the lab portion of this course.
Copyright 2001 Marchany
22
CIS Level 1 Ruler: Unix






Patches
Key Security Tools Installed
System Access, authentication,
authorization
User Accounts and Environment
Kernel Level TCP/IP tuning
Kernel Tuning
Copyright 2001 Marchany
23
CIS Level 1 Ruler: Unix






Batch Utilities: at/cron
UMASK issues
File/Directory Permissions/Access
System Logging
SSH
Minimize network services
Copyright 2001 Marchany
24
CIS Level 1 Ruler: Unix






Minimize RPC network services
Minimize standalone network services
General Email Issues
X11/CDE
General Administration Policies
Specific Servers

www, ftp, DB, Mail, NFS, Directory, Print,
Syslog
Copyright 2001 Marchany
25
CIS Level 1 Unix Ruler Patches



Define a regular procedure for checking,
assessing, testing and applying the latest
vendor recommended and security patches.
Keep 3rd party application patches updated.
Why?


The first line of defense is proper patch/Service
Pack installation.
Patches are living and need to be updated
regularly
Copyright 2001 Marchany
26
CIS Level 1 Unix Ruler:
Security Tools




These tools help decrease your detection
time, D
Install the latest version of TCP Wrappers on
appropriate network services
SSH for login, file copy and X11 encryption
Install crypto file signature function to
monitor changes in critical system binaries
and config files (tripwire)
Copyright 2001 Marchany
27
CIS Level 1 Unix Ruler:
Security Tools




Install Portsentry or similar personal FW
software
Run NTP or some other time sync tool
Run “logcheck” or similar syslog
analysis or monitoring tool
Install the latest version of sudo
Copyright 2001 Marchany
28
CIS Level 1 Unix Ruler:
Access, Authorization





No trusted hosts features: .rhosts, .shosts or
/etc/hosts.equiv
Create appropriate banner for any network
interactive service
Restrict direct root login to system console
Verify shadow password file format is used
Verify PAM configuration
Copyright 2001 Marchany
29
CIS Level 1 Unix Ruler:
Kernel TCP/IP Tuning





System handling of ICMP packets is secured
System handling of source routed packets
secured
System handling of broadcast packets
secured
Use strong TCP Initial Sequence Numbers
Harden against TCP SYN Flood attacks
Copyright 2001 Marchany
30
CIS Level 1 Unix Ruler:
Kernel , Batch Utilities





Enable kernel level auditing
Enable stack protection
Ensure ulimits are defined in /etc/profile
and /etc/.login
Restrict batch file access to authorized
users
Ensure cron files only readable by root
or cron user
Copyright 2001 Marchany
31
CIS Level 1 Unix Ruler:
UMASK, File Perms, Access






Set daemon umask to 022 or stricter
Set user default umask (022 or 027)
Console EEPROM password enabled?
Check /dev entries for sane ownership
and permissions
Mount all filesystems RO or NOSUID
All filesystems except / mounted
NODEV
Copyright 2001 Marchany
32
CIS Level 1 Unix Ruler: File
Perms and Access






Verify passwd, group, shadow file perms
Verify SUID, SGID system binaries
Disable SUID, SGID on binaries only used by
root
No World-write dirs in root’s search path
Sticky bit set on all temp directories
No NIS/NIS+ features in passwd or group
files if NIS/NIS+ is disabled
Copyright 2001 Marchany
33
See what we can find
¨ /usr/bin/find / -local -type f -name '.rhosts' -exec ls -al {} \; -exec cat {} \; 2 (.rhosts)
/usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal {} \; 2 (SUID files)
/usr/bin/find / -local -type f -user root -perm -2000 -exec ls -dal {} \; 2 (SGID files)
find /\(-local –o –prune\) -perm –000002 –print
find /name .netrc -print
find / -perm –1000
Copyright 2001 Marchany
34
Audit Report Example
Audit Method
Ls –la (list files) against critical files to determine their
permissions
Finding
Several system configuration files in /etc are writable
Risk Level: High
Security Implication
The /etc directory is critical for establishing the operating
configuration of many system services including startup and
shutdown. If an attacker is able to modify these files, it may be
possible to subvert privileged operating system commands.
Recommendation
¨ Change permissions of all files in /etc to be writable by root or
bin only.
Copyright 2001 Marchany
35
/dev Permissions Exhibit
# ls –l /dev
total 72
-rwxr-xr-x
crw------crw------brw-rw---crw--w--wbrw------brw-rw---brw-rw---brw-rw---brw-rw---brw-rw---brw-rw---brw-rw---brw-rw---brw-rw---brw-rw----
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
sys
sys
disk
root
floppy
disk
disk
disk
disk
disk
disk
disk
disk
disk
disk
26450
14,
4
14, 20
32,
0
5,
1
2,
1
16,
0
3,
0
3,
1
3, 10
3, 11
3, 12
3, 13
3, 14
3, 15
3, 16
Copyright 2001 Marchany
Sep
Apr
Apr
May
May
May
May
May
May
May
May
May
May
May
May
May
24 1999 MAKEDEV
17 1999 audio
17 1999 audio1
5 1998 cm206cd
26 15:17 console
5 1998 fd1
5 1998 gscd
5 1998 hda
5 1998 hda1
5 1998 hda10
5 1998 hda11
5 1998 hda12
5 1998 hda13
5 1998 hda14
5 1998 hda15
5 1998 hda16
36
World-Writeable and SUID/SGID Files
Audit Method
Find commands were executed on the servers to locate all files with world-writeable permissions
and SUID/SGID permissions. The output was redirected to appropriate files for later analysis.
Finding
A large number of world-writeable and SUID/SGID files were found on the server XYZ. Further,
a number of files in the /usr, /opt and /var directories allow all users to have write permission.
Security Implication
World-writeable files allow any user or an intruder to change the contents of a file, effecting
information integrity. Also, for executable files, an intruder may replace the file with a trojan
horse that can damage the system and its integrity. SUID/SGID files execute with the privilege of
the owner/group. These can be subverted by an unauthorized user or intruder to escalate their
privilege to those of the owner/group of the SUID/SGID file.
Risk Level: High
Recommendation
¨
Review all world-writeable and SUID/SGID files on the system. Using freeware tools like
fix-modes or YASSP can facilitate identifying and correcting the permissions on files. After the
review, create a list of all the remaining “approved” World-writeable and SUID/SGID files on the
system and store in a secure place. Periodically, check the system against this list to identify
changes and ensure that such changes are approved.
¨
NFS shared files, especially files in /usr, /opt and /var should be exported ‘read-only to
specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like
/tmp, /dev and /) should be mounted with the nosuid option to prevent the inadvertent granting of
SUID privilege on NFS mounted files.
Copyright 2001 Marchany
37
CIS Level 1 Unix Ruler:
System Logging and SSH





Capture messages sent to syslog AUTH
facility (enable system logging)
Copy syslogs to central syslog server
Audit failed logins and SU attempts
Enable system accounting
Logins allowed via SSH only (no rsh,
rlogin, ftp or telnet)
Copyright 2001 Marchany
38
CIS Level 1 Unix Ruler:
Reduce /etc/inetd.conf







Disable
Disable
Disable
Disable
Disable
Disable
Disable
name (UDP)
exec/rexec (TCP)
login/rlogin (TCP)
uucp (TCP)
systat (TCP)
netstat (TCP)
time (TCP/UDP)
Copyright 2001 Marchany
39
CIS Level 1 Unix Ruler:
Reduce /etc/inetd.conf







Disable
Disable
Disable
Disable
Disable
Disable
Disable
echo (TCP)
discard (TCP/UDP)
daytime (TCP/UDP)
chargen (TCP/UDP)
rusersd (RPC)
sprayd (RPC)
rwall (RPC)
Copyright 2001 Marchany
40
CIS Level 1 Ruler: Reduce
/etc/inetd.conf



Disable rstatd (RPC)
Disable rexd (RPC)
Use TCP Wrappers for all enabled
network services (TCP/UDP)
Copyright 2001 Marchany
41
Sample /etc/inetd.conf
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell
stream
tcp
nowait
root
/usr/sbin/tcpd
in.rshd
login
stream
tcp
nowait
root
/usr/sbin/tcpd
in.rlogind
#exec
stream
tcp
nowait
root
/usr/sbin/tcpd
in.rexecd
#comsat dgram
udp
wait
root
/usr/sbin/tcpd
in.comsat
talk
dgram
udp
wait
nobody.tty
/usr/sbin/tcpd
in.talkd
ntalk
dgram
udp
wait
nobody.tty
/usr/sbin/tcpd
in.ntalkd
This is a fragment of /etc/inetd.conf where shell, login, talk,
and ntalk probably should be commented out. Note the
/usr/sbin/tcpd so this system is probably running
tcpwrappers. More of the file is in the notes pages.
Copyright 2001 Marchany
42
CIS Level 1 Unix Ruler:
Restrict RPC





Restrict NFS client request to originate
from privileged ports
No filesystem should be exported with
root access
Export list restricted to specific range of
addresses
Export RO if possible
Export NOSUID if possible
Copyright 2001 Marchany
43
CIS Level 1 Unix Ruler: Email,
X11/CDE





Use Sendmail v8.9.3 or later. (v8.11.6 is
current 6/01/02)
Restrict sendmail ‘prog’ mailer
Verify privileged and checksums for mail
programs
Ensure X server is started with Xauth
Use SSH to access X programs on
remote hosts
Copyright 2001 Marchany
44
CIS Level 1 Unix Ruler: User
Accts, Environment







Enforce strong passwords
No null passwords
Remove root equivalent users (UID=0)
No “.” in root PATH
No .files world or group writable
Remove .netrc, .exrc, .dbxrc files
User $HOME dirs should be < 755
Copyright 2001 Marchany
45
TBS Example Using E=D+R
•Security policy: automated script to check password file for
users with UID 0 (superuser access) returns user ”zippy”.
•Syslog is checked:
Apr 15 21:07:59 6C: goodnhacked.com telnetd[5020]: connect from
some.com
Apr 15 21:08:18 6E: goodnhacked.com login[5021]: [email protected] as zippy
•IDS returns:
21:07:16.63 badguy.com.26617 > goodnhacked.com.5135: udp
21:07:16.66 goodnhacked.com.5135 > badguy.com.26617: udp 69
5135 is SGI Object Server with a known vulnerability
Copyright 2001 Marchany
46
CIS Level 1 Ruler Review



The previous action items should be
done on any Unix system on your
network regardless of its function
A similar checklist is being developed
for Windows 2000.
The Level 1 rulers impose a minimum
security standard on all Unix and
Windows 2000 systems.
Copyright 2001 Marchany
47
CIS Level 2 Rulers



Once Level 1 rulers have been applied,
you pick the appropriate Level 2 ruler.
This is very organization specific. What
works at my site might not apply at
yours.
Additional service may be disabled if
they aren’t needed.
Copyright 2001 Marchany
48
CIS Level 2 Ruler: Unix







Kernel-level TCP/IP tuning
Physical Console Security
SSH
Minimize network services
Minimize RPC network services
General email issues
X11/CDE
Copyright 2001 Marchany
49
CIS Level 2 Ruler: Unix

Kernel Tuning



Physical Console Security


Network options for non-router machines
Disable multicast
Enable EEPROM password. Who knows it?
SSH

Restrictively configure it
Copyright 2001 Marchany
50
CIS Level 2 Ruler: Unix

Minimize Network Services







Disable
Disable
Disable
Disable
Disable
Disable
Disable
inetd entirely
FTP
Telnet
rsh/rlogin
comsat
talk
tftp
Copyright 2001 Marchany
51
CIS Level 2 Ruler: Unix

Minimize network services







Disable
Disable
Disable
Disable
Disable
Disable
Disable
tftp
finger
sadmin
rquotad
CDE Tooltalk server (ttdbserverd)
RPC/UDP/TCP ufs
kcms_server
Copyright 2001 Marchany
52
CIS Level 2 Ruler: Unix







Disable
Disable
Disable
Disable
Disable
Disable
Disable
fontserver
cachefs service
Kerberos server
printer server
gssd
CDE dtspc
rpc.cmsd calendar server
Copyright 2001 Marchany
53
CIS Level 2 Ruler: Unix

Minimize Network Services



If FTP service is enabled, see additional
level 3 requirements for FTP servers
If tftp is enabled, use the security option
If sadmind is enabled, use the security
option
Copyright 2001 Marchany
54
CIS Level 2 Ruler: Unix

Minimize RPC network services







Disable NFS server
Disable Automounter
Disable NFS client services
Add ports 2049, 4045 to privileged port list
Disable NIS
Disable NIS+
Replace rpcbind with more secure version
Copyright 2001 Marchany
55
CIS Level 2 Ruler: Unix

General Email Issues



Don’t run sendmail on machines that don’t
receive mail
Remove mail aliases which send data to
programs (Vacation)
X11/CDE


Disable CDE if not needed
Use the SECURITY extension for X-Server
to restrict access
Copyright 2001 Marchany
56
CIS Level 2 Ruler Review



Level 2 rulers are site specific.
They are more sensitive to vendor
software requirements. For example, a
vendor product may require that you
enable the dreaded r-commands. You
have no choice so you keep an eye on
that vulnerability.
They may impose stricter standards.
Copyright 2001 Marchany
57
CIS Unix Ruler Review




CIS Rulers are a good starting point for
developing a Unix audit plan. Solaris, Linux,
HP-UX available, AIX under review, CISCO
router under review
Level 1 ruler defines minimum security
standards for all Unix systems
Level 2-3 rulers are more network and
function specific
Procedural rulers address policy issues
Copyright 2001 Marchany
58
Summary


The CIS benchmark document and
scanning tool is an excellent resource
you should use immediately to
strengthen the security of your Solaris
and Linux systems.
The scanning tool provides you with a
simple score that you can use to
present to management.
Copyright 2001 Marchany
59
Lab Exercise


Let’s apply the steps in the CIS
benchmark to the demonstration
system.
We’ll run the scanning tool to get a
baseline, make our mods and rerun the
scanning tool to measure our progress.
Copyright 2001 Marchany
60
Appendix 1
Audit Checklists for
Windows
The SANS Institute
Copyright 2001 Marchany
61
W2K CIS Rulers




CIS Rulers have been developed for
Windows 2000 and NT systems
Format is similar to the Unix rulers
(levels 1-3)
Level 2, IIS benchmarks are in test at
present.
They’re free!
Copyright 2001 Marchany
62
Sample Windows 2000 Level 2
Ruler


Rules of Engagement for Active Directory
Developed at VA Tech for our AD structure




Marc Debonis, www.w2k.vt.edu
Allows lower level admins to control their own
domains
Not for everyone
Somewhat draconian
Copyright 2001 Marchany
63
Sample VT Level 2 Ruler:
Active Directory ROE



The Child domain must have at least 1
fulltime peer BDC for the child domain
The child domain controllers must meet
Microsoft’s minimum computer hardware
requirements
No 3rd party of Microsoft add-on software are
allowed on child domain controllers

IIS, Certificate Services, Indexing Service,
Windows Media Services, DNS, DHCP, WINS,
printer/file services
Copyright 2001 Marchany
64
Sample VT Level 2 Ruler:
Active Directory ROE



The child domain controllers must be in a
backup program and have full recoverability
tested
The child domain controllers must allow and
not block global policy objects replicated from
the root
All W2K hosts must follow prescribed DNS
naming conventions (xxx.yyy.vt.edu)
Copyright 2001 Marchany
65
Sample VT Level 2 Ruler:
Active Directory ROE


All W2K hosts within the child domain
will use root AD DDNS server settings.
Child DC will use static IP and not run
DHCP servers
Child domain will not attempt to create
child domains “below” theirs. They will
use OU to do this.
Copyright 2001 Marchany
66
Sample VT Level 2 Ruler:
Active Directory ROE


No non-administrative local logins will
be allowed to the child domain
controllers. The CDC will be housed in
secure areas with controlled access
2 week backups of event/audit logs will
be kept and access to them will be
given to the AD enterprise admins for
security/debugging purposes.
Copyright 2001 Marchany
67
Sample VT Level 2 Ruler:
Active Directory ROE


All service packs will be installed in a
timely manner, coordinated with root
AD controller upgrades
Will people buy into this?

Some will, some won’t but those that do
are more secure.
Copyright 2001 Marchany
68
Copyright 2001 Marchany
69
Sample W2K level 1 Ruler –
Physical Data Security



Enable the end user to protect laptops.
Physically secure servers.
Protect the server from Unattended Reboot.




Protect the SAM with SYSKEY
Protect the Backup Tapes.
Use NTFS disk partitions.
Use Encrypting File System
Copyright 2001 Marchany
70
Sample W2K Level 1 Ruler –
Security Policy Configuration






Configure the Local Security Policy.
Configure the Account Policy.
Secure Administrator/Guest accounts.
Configure Local Policies.
Enable Audit Policies.
Customize User Rights.
Copyright 2001 Marchany
71
Win2k Audit
(Run MMC -> CTRL M -> Security Templates -> Setup Security)
Copyright 2001 Marchany
72
User Rights
Copyright 2001 Marchany
73
Sample W2K Level 1 Ruler –
Security Policy Configuration

Customize Security Options







Restrict Anonymous Connections
Allow server operators to schedule tasks (DC
only).
Clear virtual Memory Pagefile on shutdown.
Audit access of Global System Objects.
Do Not Display last username in login screen.
Configure Public Key Policy.
Configure IP Security Policy.
Copyright 2001 Marchany
74
File System Configuration.
(__) Define System Configuration and Service Pack
Level
(__) During Audit, set browser to see all files
(__) System is configured as NTFS file system?
(__) System Administrator has a current Emergency
Recovery Disk in a locked storage area.
(__) Wiping of system page file occurs at system
shutdown.
Copyright 2001 Marchany
75
Sample W2K Level 1 Ruler



Group Policy
MMC Snap-In
System Tools





Configure Event Log Settings
System Information
Performance Logs & Alerts
Local Users & Groups
Lock out unauth’d Floppy Disk use
Copyright 2001 Marchany
76
Sample W2K Level 1 Ruler

Disable unused services




Remove OS2 and POSIX subsystems
Secure Remote control programs (PC
Anywhere)
Disable Microsoft Network Client
Additional Utilities


W2K Suppot tools
Resource Kit tools
Copyright 2001 Marchany
77
Sample W2K Level 1 Ruler

Freeware, Shareware and Commercial
Tools



Use Access Control List Auditing Tools
Audit SP and HotFix levels
Consider installing nmap, WinDump, PGP,
Anti-Trojan, L0phtCrack 3, snort
Copyright 2001 Marchany
78
Sample W2K Level 1 Ruler –
The Registry






Disable auto-run on CD ROM Drives.
Control Remote Registry Access.
Restrict Null User access to named
pipes and shares.
Disable Router discovery.
Disable ICMP Redirects.
Remove Administrative Shares.
Copyright 2001 Marchany
79
Sample W2K Level 1 Ruler


File Folder and Registry Permissions
Security Analysis and Configuration Tool




Apply standard Incremental Security Templates
Create Custom Policies
Perform analysis of computer
Recovery Options




Baseline System backup
Regular System backup
Remote System backup
NTBackup.exe
Copyright 2001 Marchany
80
Sample W2K Level 1 Ruler

Recovery Options (Continued)





Emergency Repair Disks
Safe Mode with or without networking
Safe Mode with command prompt
Recovery Console
Active Directory Services



Domain Controllers and Trust
The Trees vs. the Forest
Enterprise Admins and Schema Admins
Copyright 2001 Marchany
81
Sample W2K Level 1 Ruler

Application Security







IIS v5 – CRITICAL!
Telnet Server
File and Printer Sharing
Windows Services for Unix 2.0
Exchange, Outlook, Outlook Express
SQL
These may be more suited to Level 2
Copyright 2001 Marchany
82
A Sample NT Level 1 Ruler








Installation
Networking
User Accounts
Services/System
Files/Directories
Registry
Applications
Developed by Marc Debonis, VA Tech
Copyright 2001 Marchany
83
Sample VT Level 1 NT Ruler

Installation








Physically secure machine
Enable BIOS boot password, user/admin levels
Install NT on C:, no dual boot, use NTFS
Put bogus name for install
Select only TCP/IP to install
Do NOT install IIS
Do NOT use DHCP
Do NOT use WINS server entries
Copyright 2001 Marchany
84
Sample VT Level 1 NT Ruler

Installation


Disable LMHOSTS lookup
Login as Administrator


Delete MyBriefCase, Install IIS, IE, Inbox icons
Install post SP5/SP6 hotfixes

Install in this order: Winhlp-I, Nddefixi, Lsareqi,
Q234351I, Csrssfxi, Loctlfxi, Ntfsfix1, Igmpfix1,
Ipsrfixi
Copyright 2001 Marchany
85
(__) Define Service Pack Level
Start -> Run -> WINVER (works the same for NT 4.0)
Copyright 2001 Marchany
86
Checking for Service Packs
Copyright 2001 Marchany
87
Copyright 2001 Marchany
88
(__) System does not have
un-necessary devices
Start -> Settings -> Control Panel -> Devices.
Copyright 2001 Marchany
89
Sample VT Level 1 Ruler

Networking





Use network control panel to remove RPC
Configuration, NetBIOS Interface,
Workstation, Server.
Set service TCP/IP NetBIOS Helper to
disabled
Disable Windows NT Networking
Disable WINS Client (TCP/IP) binding
Disable WINS Client (TCP/IP) device
Copyright 2001 Marchany
90
Sample VT Level 1 Ruler

Accounts



Set minimum password length to 8
Lockout after 3 bad attempts 
Under Policies-> User Rights



Select Right/Access this computer from Network and
remove ALL groups listed in the Grant To box
Under Show Advanced Rights, select Bypass Traverse
Checking, remove Everyone
Select Log on Locally and disable guest
Copyright 2001 Marchany
91
Sample VT NT Level 1 Ruler

Accounts

Select Policies -> Audit


Open User Manager for Domains





Enable audit events: logon/logoff, user/group mgt,
security policy changed, restart, shutdown and system
Rename Administrator account to Master
Remove Description for Master Account
Set Master account password to something VERY strong
Rename Guest account to DEFUNCT
Allow remote lockout of administrator account only
Copyright 2001 Marchany
92
(__) Auditing is Enabled
User Manager, Policies,Audit
http://www.geek-speak.net/products/ntaudit1.html
Copyright 2001 Marchany
93
Audit Best Practice
Copyright 2001 Marchany
94
Audit Best Practice (2)
Copyright 2001 Marchany
95
Passwords
(__) NT password policies comply with Best Practices for NT Passwords.
(__) User passwords are known only by the user.
(__) Users are required to maintain unique passwords for each AIS.
(__) Passcrack for Windows NT or other password tester is run at least yearly.
(__) Password database (SAM) is encrypted.
(__) Administrator password is protected to the same level as the data contained
on the computer.
(__) Password is enabled for screen saver. (Control Panel, Desktop)
Copyright 2001 Marchany
96
Passfilt
Copyright 2001 Marchany
97
NT 4.0 Start -> Programs -> Administrative Programs -> User Manager
Copyright 2001 Marchany
98
Win2k, My Computer -> Control panel, Administrative
Tools -> Local Security Policy -> Password Policy
Copyright 2001 Marchany
99
Sample VT NT Level 1 Ruler

Services/System

Disable unnecessary system services


Network DDE, Network DDE DDSM, Schedule,
Spooler, Telephony service, distributed DCOM
From System Control Panel, click
Startup/Shutdown tab



Uncheck Overwrite any Existing File?
Uncheck Write debugging info to:
Uncheck Automatically Reboot?
Copyright 2001 Marchany
100
Sample VT NT Level 1 Ruler

Services/System

Click Display Control Panel


Click Screen Save Tab, enable Blank Screen
Screen Saver, modify wait to 5 minutes, check
the Password Protected box.
Event Logs

Open Log->Log settings and increase max size
of logs > 2048K
Copyright 2001 Marchany
101
Log--> Log Settings
Copyright 2001 Marchany
102
Event View 2000
My Computer -> Control Panel -> Administrative Tools -> Event Viewer
Copyright 2001 Marchany
103
Using dumpel for audit logs
Copyright 2001 Marchany
104
Sample VT NT Level 1 Ruler


For the rest of the ruler, go to
http://security.vt.edu and look in the
Checklists section for Marc’s document
Some may consider his requirements to
be really strict but some may like them.
Copyright 2001 Marchany
105
Whew!

You’ve got a basic strategy for building
security checklist/audit plans for
–
–
–
–
Perimeter
Unix
NT
Windows 2000
Please fill out your comment sheets!
Copyright 2001 Marchany
106
Today’s Course Goals




Construct a high level Security Checklist from the CIS
rulers for your site.
– Unix. NT, Windows 2000
Use TBS to provide a response to your internal auditors
and secure your systems.
Use STAR to define the $$$ cost of implementing security
features at your site.
– This method can be used over time to show trends
Develop a set of reports/matrices that can be used to
quickly identify the security status of a host at your site.
Copyright 2001 Marchany
107