Figure 6-1: Hardening Host Computers
Host Hardening The Problem { Computers installed out of the box have known vulnerabilities
Not just Windows computers Chapter 6 { Hackers can take them over easily
{ They must be hardened—a complex process that Panko, Corporate Computer and Network Security Copyright 2005 Prentice-Hall involves many actions
2
Figure 6-1: Hardening Host Computers Figure 6-1: Hardening Host Computers
Elements of Hardening Elements of Hardening (continued)
{ Physical security (Chapter 2). { Manage users and groups
{ Secure installation and configuration { Manage access permissions
{ Fix known vulnerabilities For individual files and directories, assign access permissions specific users and groups { Turn off unnecessary services (applications) { Back up the server regularly { Harden all remaining applications (Chapter 9) { Advanced protections { (more on next page)
3 4
Figure 6-1: Hardening Host Computers Figure 6-1: Hardening Host Computers
Server Administrators Are Called Systems Security Baselines Guide the Hardening Effort Administrators { Specifications for how hardening should be done { A sysadmin manages one { Different for different operating systems or several servers—not necessarily all of a firm’s { Different for different types of servers (webservers, New servers mail servers, etc.) { Sometimes, groups of { Needed because it is easy to forget a step sysadmins manage multiple servers
5 6
1 Figure 6-2: Windows 2000 Server User Figure 6-1: Hardening Host Computers Interface
Windows Computers
{ Microsoft Network Operating Systems (NOSs)
LAN Manager (LANMAN)
Windows NT Server
Windows 2000 Server
Windows 2003 Server (called .NET in the book)
{ Graphical user interface looks like client versions to ease learning (Figure 6-2)
7 8
Figure 6-3: Computer Management Microsoft Figure 6-1: Hardening Host Computers Management Console (MMC)
Windows Computers
{ Administrative Tools Group under Programs has Microsoft Management Consoles (MMCs) (Figure System 6-3) Tools snap-in Used to conduct most administrative actions
Can add snap-ins for specific functionality
9 10
Figure 6-1: Hardening Host Computers Figure 6-1: Hardening Host Computers
Windows Computers UNIX
{ Windows 2000 introduced hierarchical domain { Many versions of UNIX structure with Active Directory { LINUX is a set of versions for PCs—there are Domain is a collection of resources several different distributions
{ User can select the user interface—GUI or Domain contains one or more domain controllers, member servers, client PCs command-line interface (CLI) { CLIs are called shells (Bourne, BASH, etc.) Group policy objects (GPOs) on a domain controller can implement policies throughout a { CLIs have picky syntax, capitalization, and spacing domain 11 12
2 Figure 6-1: Hardening Host Computers Figure 6-4: Installation and Patching
Internetwork Operating System (IOS) Installation Offers Many Options, Some of Which Affect Security { For Cisco Routers, Some Switches, Firewalls
{ For example, in Windows, the NTFS file system is Other Host Operating Systems better for security than FAT32 { Macintosh { Need a security baseline to guide option choices { Novell NetWare during installation { Firewalls
{ Even cable modems with web-based management interfaces
13 14
Figure 6-4: Installation and Patching Figure 6-4: Installation and Patching
Known Vulnerabilities Known Vulnerabilities
{ Most programs have known vulnerabilities { Vulnerability reporters send vulnerability reports to vendors { Exploits are programs that take advantage of known vulnerabilities { Vulnerability reporters often say that vendors take too long to fix vulnerabilities
{ Vendors say that vulnerability reporters do not give them enough time, report too much detail to the press
15 16
Figure 6-4: Installation and Patching Figure 6-4: Installation and Patching
Fixes Upgrades
{ Work-around: A series of actions to be taken; no { Often, security vulnerabilities are fixed in new new software versions
{ Patches: New software to be added to the { If a version is too old, the vendor might stop offering operating system fixes
{ Upgrades: Newer versions of programs usually fix { It might be good to wait to upgrade until after the older vulnerabilities. first round of bug and security fixes
17 18
3 Figure 6-4: Installation and Patching Patching
Mechanics of Patching
{ Microsoft Windows Server
Windows Update on Start menu (Figure 6-2) in Windows 2000
Automatic notification of update availability in Windows 2003
{ LINUX distributions often use rpm for updates
19 20
Figure 6-4: Installation and Patching Figure 6-4: Installation and Patching
Patches Often Are Not Applied Patches Often Are Not Applied
{ Companies get overwhelmed by number of patches { Cost of Patch installation
Use many products, vendors release many Mitigated by patch servers that distribute patches per product patches to general servers
Especially a problem for application programs More easy-to-use vendor tools are needed
Might simply lack the resources to apply all; might be selective
21 22
Figure 6-5: Turning Off Unnecessary Figure 6-4: Installation and Patching Services
Patches Often Are Not Applied Unnecessary Services
{ Risks of Patch installation { Operating system vendors used to install many Reduced functionality services by default
Freeze machines, do other damage—sometimes { This made them easier to use. When use changes, with no Uninstall possible services do not have to be turned on. Should test patch on a test system before { Attackers have found flaws in many of these rare deployment services Special problem for mission-critical production systems that must work
23 24
4 Figure 6-5: Turning Off Unnecessary Figure 6-5: Turning Off Unnecessary Services Services
Unnecessary Services Turning Off Services In Windows Server
{ Vendors now install fewer services by default—lock { Go to the Computer Management MMC down mode { On the tree, select Services and Applications { Turn to security baseline to see what services to (Figure 6-6) turn on and off Status tells whether the service is active
{ Easier to install too few and add than to install too Startup tells how the service is started many and remove unwanted services (automatic, manual, disabled, etc.)
{ Right click on a service or select and choose Action to stop a service, start it, disable it, etc. 25 26
Figure 6-6: Services and Applications in Figure 6-5: Turning Off Unnecessary Windows Services
Turning Off Services In UNIX
{ Three ways to start services
inetd to start services when requests come in from users (Figure 6-7)
rc scripts to start services automatically at book up (Figure 6-8)
Start a service manually by typing its name or executing a batch file that does so
27 28
Figure 6-7: UNIX inetd Daemon for Figure 6-8 The UNIX rc.d Method of Responding to Client Requests Automatically Starting Services
rc.d directory
1. Client Request /etc/rc.d Scripts for services. 4. Start and To Port 80 1. Script for Service A Contain scripts to start Program A Process 2. Script for Service B or kill services. This Request 3. Script for Service F Program B inetd 4. Script for Service H 3. Program B 2. Port 80 rc0.d [scripts to run during System Mode 0-shutdown] Program C K2 . . . [Run the Kill portion of Script 2: Kills Service B] Port 23 Program A inetd.config K3 . . . [Run the Kill portion of Script 3: Kills Service F] Program D Port 80 Program B . . . Port 123 Program C Directory rc0.d. Subdirectory of rc.d. Contains scripts to run Port 1510 Program D start or kill portions of scripts in rc.d directory. These scripts are executed if run mode 0 occurs—system shutdown 29 30
5 Figure 6-8 The UNIX rc.d Method of Figure 6-5: Turning Off Unnecessary Automatically Starting Services Services rc1.d Turning Off Services In UNIX Other subdirectories of rc.d for scripts to rc2.d execute in different run modes, such as run { Identifying services that are running at any moment rc3.d mode 6—startup rc4.d ps (processor status), usually with –aux rc5.d parameters, lists running programs rc6.d [scripts to run during System Mode 6-startup] S1 . . . [Run the Start portion of Script 1: Starts Service A] { Shows process name and process ID (PID) S2 . . . [Run the Start portion of Script 2: Starts Service B] netstat tells what services are running on what . . . ports rcs.d [scripts to run during System Mode s—single-user mode]
31 32
Figure 6-5: Turning Off Unnecessary Services Figure 6-9: Managing Users and Groups
Turning Off Services In UNIX Introduction
{ kill PID to kill a particular process { Every user must have an account { kill 47 (If PID=47) { There can also be groups Add parameters –SIGTERM, -SIGHUP, -SIGKILL in order of increasing urgency Can assign security measures to groups { kill 47 –SIGTERM (PID = 47) These measures apply to the individual group Only kills for now. members automatically
Must search inetd.config, rc scripts, batch files to Faster and easier than assigning security see where it is being started automatically. measures to individuals Difficult to do. 33 34
Figure 6-10: Users and Groups in Figure 6-9: Managing Users and Groups Windows
Creating and Managing Groups in Windows
{ Computer Management: Local Users and Groups snap-in (Figure 6-10)
{ Select Users
{ Select user from list
Right click on user and select Properties: password restrictions, disable box
Or select Action: change password, etc.
Add, delete users
35 36
6 Figure 6-11: Figure 6-12: Windows Creating a User New User Account in Windows Properties
To get this screen, right click on user account in Figure 6-10, select Properties 37 38
Figure 6-9: Managing Users and Groups Figure 6-9: Managing Users and Groups
Creating and Managing Groups in Windows Creating and Managing Groups in Windows
{ Select user from list { Select user from list Administrator is the super account Guest account should be disabled (the default { Change its name and create a new during installation) Administrator account with no permissions
{ Administrators should not log in as Administrators; log in as their own account, use RunAs to get temporary Administrator status when needed
39 40
Figure 6-9: Managing Users and Groups Figure 6-9: Managing Users and Groups
Creating and Managing Groups in Windows Managing Users and Groups in UNIX
{ Select Groups { Different versions of UNIX do this differently, so it is difficult to talk in general terms Assign rights to groups { The super account is root Standard groups: Administrators, Power Users, Backup Operators, etc. su (switch user) allows administrators to log in as regular accounts, su to get root privileges { Have appropriate permissions by default for when desired their tasks { Guest account should be disabled
41 42
7 Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions
Principle of Least Permissions: Give Users the Assigning Permissions in Windows Minimum Permissions Needed for Their Job (Figure 6-14)
{ More feasible to add permissions selectively than to { Right click on file or directory in My Computer start with many, reduce for security { Select Properties, then Security tab
{ Select a user or group
{ NOT done through the start menu, selecting Administrative Tools
43 44
Figure 6-13: Managing Permissions
Figure 6-14: Assigning Permissions in Windows (Figure 6-14) Assigning Permissions { Click on or off the 6 standard policies (permit or deny) in Windows List Folder Contents (see what is in a directory) Read (read only) To bring up this screen, Read and Execute (for programs) right click on a Write (change files) folder, select Modify (Write plus delete) Properties. Click on Full control: all permissions Security tab 45 46
Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions
Assigning Permissions in UNIX Assigning Permissions in Windows (Figure 6-14) { ls -l shows details of files and directories in long format { Click on or off the 6 standard policies (permit or deny) First character is - for a file, d for a directory
{ For more fine-grained control, 13 special permissions Ends with name of file or directory collectively give the standard 6 -rwxr-x---1 root . . . purple.exe { This gives highly granular access controls, especially compared to UNIX (next) drw-r---- 1 brows . . . reports -rw-rw-r--1 lighter . . . bronze.txt
Note: purple.exe is a file; reports is a directory. What is bronze.txt? 47 48
8 Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions
Assigning Permissions in UNIX rwx Assigning Permissions in UNIX
{ ls -l shows files in a directory in long format { ls -l shows files in a directory in long format
Only three permissions: read (only), write Next three characters are permissions (rwx (change), and execute (run program) possible) for the file owner
Format is rwx for all or various combinations (r-x is read and execute but not write) -rwxr-x---1 root . . . purple.exe drw-r---- 1 brows . . . reports -rwxr-x---1 root . . . purple.exe -rw-rw-r--1 lighter . . . bronze.txt drw-r---- 1 brows . . . reports -rw-rw-r--1 lighter . . . bronze.txt purple.exe’s owner has all three permissions reports’ owner has only read and write permissions 49 50
Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions
Assigning Permissions in UNIX Assigning Permissions in UNIX Next three are permissions (rwx possible) for the Next comes the number of links group Next comes the name of the owner Next three are permissions for the rest of the world Group might be shown (not here)
-rwxr-x---1 root . . . purple.exe drw-r---- 1 brows . . . reports -rwxr-x---1 root . . . purple.exe -rw-rw-r--1 lighter . . . bronze.txt drw-r---- 1 brows . . . reports -rw-rw-r--1 lighter . . . bronze.txt purple’s group has read and execute permissions. purple has no permissions for the rest of the world. 51 52
Figure 6-16: Advanced Server Figure 6-13: Managing Permissions Hardening Techniques
Assigning Permissions in UNIX Reading Event Logs (Chapter 10)
{ Changing permissions { The importance of logging to diagnose problems
umask (user mask) command sets the default Failed logins, changing permissions, starting permissions for future assignments programs, kernel messages, etc.
chmod (change mode) changes permissions for { Windows 2000 Event Viewer (Figure 6-17) the file
chown (change owner) changes the ownership of a file
53 54
9 Figure 6-17: Windows 2000 Event Figure 6-16: Advanced Server Viewer for Logging Hardening Techniques
Reading Event Logs (Chapter 10)
{ UNIX has many logging facilities controlled by syslog program (Figure 6-18)
Syslog program sends log entries of different types to specific directories on the host or on other hosts
The file syslog.config specifies which log entries and which severity levels should go to which directories on which hosts
55 56
Figure 6-16: Advanced Server Figure 6-18: syslog in UNIX Hardening Techniques
Host A 4. 1. Event. Backup (Chapter 10) (Runs syslog) Remote Type=Login, Logging Level=Err Event { UNIX backup From syslog Internal tar command (tape archive) System 2. Login/Err Create tape archive of a file, group of files, 3. Host A directory tree in a .tar file … Login.Err HostA syslog.config Can use tar to look at table of contents of files in .. .tar file Host Wishing Restart.* /errors/restart to Do Remote .. Can use tar to restore one, some, or all files Logging 57 58
Figure 6-16: Advanced Server Figure 6-16: Advanced Server Hardening Techniques Hardening Techniques
Backup (Chapter 10) File Encryption
{ Windows backup { Protects files even if attacker breaks in
Start, Programs, Accessories, System Tools, { Key escrow: Copy of encryption key is kept Backup elsewhere to protect in case of key loss { Windows Encrypting File System (EFS) { Note that Backup is under Accessories rather than under Administrative Tools like most Select file in Windows Explorer, select MMCs Properties Click on General tab’s Advanced button GUI to create backups, restore backups Click on the box Encrypt contents to secure data
59 60
10 Figure 6-16: Advanced Server Figure 6-16: Advanced Server Hardening Techniques Hardening Techniques
File Encryption File Integrity Checker
{ Windows Encrypting File System (EFS) { Creates snapshot of files: a hashed signature (message digest) for each file Encryption is transparent: Save, retrieve, copy
files as usual { After an attack, compares post-hack signature with Encrypted files generally cannot be sent over the snapshot network { This allows systems administrator to determine There is a Recovery agent (usually on the which files were changed domain controller) for key escrow { Tripwire is the usual file integrity checker for UNIX (Figure 6-19) 61 62
Figure 6-19: Tripwire File Integrity Figure 6-16: Advanced Server Checker Hardening Techniques Reference Base
File 1 File 1 Signature File Integrity Checker 1. File 2 File 2 Signature Earlier … Tripwire … { If applied to too many files, too many false alarms Time Other Files in … will occur Policy List { Must be selective—core programs likely to be 3. Comparison to Find Changed Files Trojanized during attacks
Post-Attack Signatures Server Host Firewalls File 1 2. File 2 File 1 Signature { Rules can be specific to the server’s role (e-mail, After … Tripwire File 2 Signature etc.) Attack Other Files in … Policy List … 63 64
Figure 6-20: Types of UNIX Vulnerability Assessment Tools Figure 6-21: Hardening Clients
Importance of Clients Auditing External { Contain important information Computer Audit Tool Network { If taken over, can get in as user, passing through Network Traffic Monitoring firewalls and other protections Attack Tool Packet
Host Assessment Tool
65 66
11 Figure 6-21: Hardening Clients Figure 6-21: Hardening Clients
Central Control is Desirable for Clients Enforcing Good Practice { For example, Microsoft Group Policy Objects { Patching (GPOs) for home clients { Antivirus software { Require certain programs (antivirus, etc.), forbid { Firewall software programs not on list
{ Limiting client software to an approved list (e.g., { Even lock down desktop so use cannot add new forbidding P2P file exchange products) software or even change the interface
{ Save passwords? { Central vulnerability scanning
{ File encryption { Difficult to enforce on personally owned home computers 67 68
Topics Covered Topics Covered
Firewalls and other Elements of Hardening protections { Physical security (Chapter 2). sometimes break { Secure installation and configuration down { Fix known vulnerabilities Computers must be { Turn off unnecessary services (applications) hardened to survive { Harden all remaining applications (Chapter 9) when attackers reach { Manage users and groups them { Manage access permissions Defense in depth { Back up the server regularly { Advanced protections 69 70
Topics Covered Topics Covered
Baselines are needed to specify everything { Microsoft Network Operating Systems (NOSs)
that must be done to harden a server LAN Manager (LANMAN)
Server administrators are called systems Windows NT Server
administrators Windows 2000 Server
{ Each server has one or more sysadmins Windows 2003 Server (called .NET in the book)
Familiar Windows interface gives ease of learning and use
71 72
12 Topics Covered Topics Covered
UNIX Installation
{ Many versions of UNIX { Many options affect security
{ LINUX distributions { Need a baseline to guide installation
{ CLIs are difficult to use
Other
{ Novell NetWare
{ Cisco IOS for routers and switches
{ Firewalls, cable modems, etc. 73 74
Topics Covered Topics Covered
Patching vulnerabilities Turn Off Unnecessary Services
{ The most critical hardening step { To give attackers fewer targets
{ Fixes, patches, and upgrades { Windows Server { Often not applied because of sysadmin overload Computer management MMC GUI
{ Need to test patches before roll out { Unix { Linux uses rpm to get patches inetd.config modification { Windows 2000 uses the Windows Update item on rc scripts the start menu ps –aux, netstat show process IDs (PIDs) { Automatic notification in Windows 2003 kill PID kills the process with that PID 75 76
Topics Covered Topics Covered
Managing Users and Groups Managing Users and Groups
{ Assign permission to users { Windows Server Computer Management: Local Users and Groups snap-in to manage users and { Can also assign permissions to groups groups Group members receive all assigned permissions { Assign permission to directories by right clicking on them { Assign permissions for individuals and groups to individual directories { Windows has 6 standard permissions which can be subdivided into 13 special permissions
{ Windows can assign permissions in a directory to many users and groups 77 78
13 Topics Covered Topics Covered
Permissions in Unix File Integrity Checking
{ Only three (read, write, and execute) { Tripwire for Unix and Windows
{ Can only be assigned to a file or directory owner, a Host Firewall single group, and the rest of the world { Protections tailored to host’s specific services { ls -l shows permissions
{ chmod changes permissions for a file or directory Vulnerability Assessment
{ chown changes the owner of a file or directory { Unix external audit, network monitoring, and host assessment tools
79 80
Hardening Clients
Good Practice
{ Many Aspects Patching Antivirus software Firewall software Limiting client software to an approved list Etc.
{ Difficult to enforce Centralized management (e.g., Microsoft GPOs) can enforce policies 81
14