Chapter 5 - Securing servers and network devices


Slides copyright 2010 by Paladin Group, LLC, used with permission by UMBC Training Centers, LLC
Security+
Chapter 5 – Securing Servers and
Network Devices
Brian E. Brzezicki
System Hardening
System Hardening (237-242)
The procedure of making a system as secure as it can possibly be.
• Changing default users and passwords
• Disable/remove un-needed
– Services
– Applications
– Network protocols
• Enable software firewall
• Enable anti-virus
• Enable HIDS
• Set application and operating system parameters for the highest
available security
• Set appropriate permissions on resources
• Ensure the system is up to date (patched) and stays up to date
BIOS Boot Screen
You should configure the BIOS to:
• use a password
• disable booting from removable media
Baselines
The row of shields above your fighter that protects you from attack by
hordes of aliens.
Baselines (242)
Close actually… goes hand in hand with hardening.
Baselines – the process of establishing a minimum
set of protections that protects a computer
system/network from attack from the hordes of
script-kiddies and crackers.
• MINIMUM set of protections and configurations
• Important to have baselines in any organization –
why?
Imaging (242)
Imaging is the process of creating one install that is fully
hardened and ready to go, then using that image to rapidly create
other machines.
• Makes sure all systems are at least at a minimum level and you
know how the software is deployed
• Makes an administrator's life much easier and deployments quicker.
Performance Baseline (248)
Performance Baseline – a baseline of normal system performance and
resource usage.
– Processor
– Memory
– Disk
– NIC
Tools for performance baselining
– Performance Monitor - Windows
– sar – Unix/Linux
Baselines and Group Policies (244)
Microsoft Group Policies allow you to enforce configurations and push
your “baselines” out across your Active Directory domain environment.
Security Templates are security-specific settings that can be enabled
in a GPO or on stand-alone machines. They are security settings
specific to certain server functionality requirements.
A Final Note on baselines (249)
• Configuration baseline
• Security baseline
What’s the difference between the two?
Patch Management
Keeping your software up-to-date in a timely
manner is one of the most important things you
can do. This is often referred to as Patch
management.
Patch Management (250)
Terms you need to be aware of for the exam
• Hot fix
• Patch
• Service Pack
• Zero-Day Attack
Patch Management (252)
Patching in a timely manner is one of the most important things you
can do… but beware: you must be prepared for the unexpected and have
a plan / process for patching
– Test
– Back out plan
– Small Scale Deployment
– Apply Changes Universally
– Audit / Verify Changes
– Document changes
Patch Management Tools (253)
Windows
• MBSA
• WSUS
• SMS
• Windows Update
– Know the possible settings for Windows Update
Linux
• yum and yum-updatesd
Change Management (253)
Systems and networks are not static entities; they change. Just like
patching, there should be a process for change management where
changes are
– Requested
– Analyzed
– Tested
– Applied
– Verified
– Documented
How many of you are confident that if your systems and networks
burned down today, you could rebuild them to the exact same
state/functionality tomorrow? What is the possible damage to
your organization if you cannot do this in a timely manner?
Hardening Network Devices (254)
• Change default usernames and passwords
• Assign each administrator their OWN
username/password
• Remove un-needed services and protocols
• Keep Operating System up to Date (Patch)
• Management Interfaces
– Encrypt communications (don’t use telnet)
– Restrict access to authorized IPs
– Disable completely if possible
Management Interfaces
Privilege Escalation
Know what this term is
– How to protect?
– SUID and SGID bits in Unix
find / -perm -4000 -print
find / -perm -2000 -print
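As an added example (not from the slides), the POSIX shell script below turns the slide's two find commands into a baseline check that ties privilege escalation back to the baselines discussed earlier: record which files carry a SUID or SGID bit on a hardened system, then report anything that gained one since. The tree it scans is a constructed temporary directory, not a real system, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the slides: a SUID/SGID baseline check built on
# "find / -perm -4000" and "find / -perm -2000". The first run records the
# expected SUID/SGID files; later runs flag files that gained such a bit.
# The demo tree is constructed in a temp directory so no root is needed.

# list_special DIR -> sorted paths of regular files with SUID or SGID set
list_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# save_baseline DIR FILE -> record the current SUID/SGID list in FILE
save_baseline() {
    list_special "$1" > "$2"
}

# new_special DIR FILE -> paths that are SUID/SGID now but absent from FILE
new_special() {
    list_special "$1" | comm -13 "$2" -
}

# demo: a hardened tree with one expected SUID helper is baselined, then a
# stray SUID file appears under /tmp and is flagged (path printed relative
# to the tree).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp"
    printf '#!/bin/sh\n' > "$root/usr/bin/passwd"   # stands in for /usr/bin/passwd
    chmod 4755 "$root/usr/bin/passwd"               # expected SUID helper
    save_baseline "$root" "$root/suid.baseline"
    printf '#!/bin/sh\n' > "$root/tmp/stray"        # constructed: not in baseline
    chmod 4755 "$root/tmp/stray"
    new_special "$root" "$root/suid.baseline" | sed "s|^$root||"
    rm -rf "$root"
}

demo    # prints /tmp/stray
```

On a real host, run save_baseline right after hardening and re-run new_special from cron; any new line is a file to investigate.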
Hardening Server Applications
Same general process as hardening an Operating
System
• Changing default users and passwords
• Disable/remove un-needed modules
• Set applications parameters for highest available
security
• Set appropriate permissions on resources
• Ensure the software is up to date (patched) and stays
up to date
• Enable logging features
Specific Services and Concerns
Web Sites
• What exactly is a web site?
• TCP / 80 for unsecured communication (HTTP)
• TCP / 443 for “secured” communication (HTTPS)
– Encryption
– Server authentication via digital certificates
• Common Web Server Packages
– Apache (Unix/Linux, Windows)
– Internet Information Services (Windows)
Protecting a Web Site
• Ensure that the only people that can publish to
your sites are your web developers
• Patch, Patch, Patch
• Perform input validation on any interactive code
you write for your website
• Understand what a Buffer Overflow is (next)
Buffer Overflow
• Potential Attack against ANY program code
• The possibility exists when the programmer does not check the
length of input data
• An attacker can send MORE data than the server expects, allowing
the attacker to overflow the memory space and write in their own
instructions, which the CPU will execute in the context of the user
the application runs as; these instructions are commonly called
shellcode
Buffer Overflow Countermeasures
• Patching, Patching, Patching for systems
administrators (main countermeasure)
• Non-executable stack and heap for systems
administrators (not on exam)
• Address space randomization for systems
administrators (not on exam)
• Secure programming education for programmers
• Code review for programmers
• Input Length validation for programmers
Client Side Web Concerns (259)
ActiveX
• Microsoft Technology
• Called ActiveX controls
• Allows computers to download and execute code from the Internet –
mobile code
• Very Dangerous, can do ANYTHING to your
machine
• Requires Internet Explorer (for the most part)
Client Side Web Concerns (261)
Java
• Another type of Mobile Code
• Developed by Sun Microsystems in the mid 1990s
• Uses byte code and requires a Java Virtual
Machine
• When run in a browser it is called an applet; however, it can also
run stand-alone
• Runs in a sandbox if unsigned
• Allows wide access to the computer if signed.
Signed Code
Both Java applications and ActiveX controls can be
digitally signed to validate the
• Authenticity of the software publisher
• Integrity of the Code
• Microsoft specifically calls signed code
Authenticode
Just because something is signed DOES it mean we
should trust the code not to harm our system?
JavaScript (260-261)
• Developed by Netscape
• NOT Related to Java except in name.
• Allows Code posted on the website to control
aspects of your browser giving you a more
dynamic and interactive web browsing experience
• Cannot under normal circumstances affect
components outside of the browser
JavaScript concerns
• JavaScript can interact with components of the
web browser
• Can create pop ups
• There are dangers of XSS which usually involves
stealing session cookies (authentication data)
• You can turn off JavaScript; however, that leads to a very limited
web experience
Cookies (261)
Cookies are small pieces of information that a web site
provides to a web browser to keep session state or
hold preferences. Without cookies the web would be
very non-interactive and boring.
Site: paladingrp.com
Name: last_ip_addr
Content: 208.254.31.43
Path: /
Send for: HTTP
Expires: Sunday, July 25, 2011 7:30PM
Cookies
Cookies are horribly misunderstood
• They CANNOT spread viruses
• There is NO code in cookies
• They are simply variables
• They add state to HTTP which is stateless
However
• They can be a privacy concern
• Authentication cookies stolen during a login can possibly be
replayed to gain false access to a site.
• A site can send cookies with the site field as another web
site. These are called third party cookies.
Web Pop Ups (262)
Additional browser pages that pop up when you
visit another web site
• Usually annoying
• Can be valid, especially for management
interfaces
• Most browsers have pop-up blocker settings; you should be
comfortable configuring this setting and adding or removing sites
on the allowed list of sites that can issue pop-ups.
Anti-Virus and Anti-Spyware (262)
Any computer accessing the Internet should have
anti-virus and anti-spyware installed. We will talk
about viruses and spyware in more detail in
Chapter 6.
Email Servers (263)
Electronic mail (email) is a major component of Internet
Communications.
Protocols:
• SMTP: TCP/25
• POP3: TCP/110, POP3S: TCP/995
• IMAP4: TCP/143, IMAPS: TCP/993
How are SMTP, POP and IMAP different? Are there any similarities?
Email Servers (264-265)
SPAM
• SPAM
• UCE
• UBE
All the same thing… all unwanted
• Wastes Time
• Wastes Resources
• Can Spread Viruses, Worms and Trojans
• Can be used for social engineering (ex. Phishing)
Open Relays (265)
Spammer Blacklists and Whitelists
Blacklist – a list of sites/email addresses that you DO
NOT accept mail from
Whitelist – a list of sites/email addresses that you
DO want to accept mail from, regardless of
anything else.
Real Time Black Lists – lists of spammers or open relays on the
Internet, updated in real time.
– Open relays or spam from within your organization can
get you on these lists. This can cause valid email
communications to be blocked.
Database Servers (267)
Many organizations' applications and important data rely upon or are
stored in databases. With the rise of the Internet, a lot of
applications have been written to access this data. However, database
servers need to be protected.
• Do not allow direct access to DB servers
• Use firewalls and data storage networks to isolate DB
servers
• Perform input validation to applications that will
access databases to avoid SQL injection attacks.
• Patch, Patch, Patch
File and Print Servers (269)
File and printer sharing is a necessity for any networked
organization. These services must be protected.
• Restrict access using permissions (NTFS or Unix)
• Require authentication to resources
• Encrypt data in transit
• Enable Quotas
• Keep Servers Isolated, do not allow Internet
Access to them.
• Patch, Patch, Patch
FTP (270)
File Transfer Protocol (FTP) is an ancient protocol for moving data
around the Internet. It was created before HTTP and really has very
little purpose anymore. It is dangerous and should be avoided.
Uses:
TCP / 20 (data) and TCP / 21 (control)
Problems:
• No data encryption, including authentication data
• Anonymous access often enabled, which leads to your
server becoming a warez server
• Hard to firewall
FTP
Instead of using FTP, consider
• Using a web server (HTTP) instead
• Using SFTP
• Using SCP
DNS (271)
The Domain Name System (DNS) is one of the most important services on
the Internet.
Uses
TCP/53 and UDP/53
Maps hostnames to resource records (usually an IP address, or
Address Record)
Example:
www.paladingrp.com -> A record: 63.251.79.14
DNS
DNS can also be used to find an organization's mail servers, find
domain controllers and other service information, or find the
hostname that belongs to an IP address.
DNS concerns
• Zone Transfers (TCP/53 usually)
– countermeasures
• DNS Cache Poisoning
– countermeasures
• Leakage of Internal only data
– countermeasures
• Buffer Overflow Attacks
– countermeasures
Domain Controllers
Windows Network Management servers, including
user authentication.
• Physically secure Domain controllers
• Backup the domain controllers
• Do not run any other services on the Domain
Controllers such as web servers or email servers.
Instant Messaging (273)
Real-time communications. Sometimes authorized, sometimes
unauthorized.
Problems:
• Data Leakage
• Lack of Encryption
• A way for Malware to spread
Virtualization
Virtualization (275)
Virtualization is a technology that abstracts
hardware away from physical servers, allowing
you to run multiple operating systems on a server
and protect them from each other.
• Allows you to have 1 virtual server per service
• Allows for easy system management
• Allows for easy testing
• Allows for clustering and high availability