Figure 6-1: Hardening Host Computers

Host Hardening „ The Problem { Computers installed out of the box have known vulnerabilities

„ Not just Windows computers Chapter 6 { Hackers can take them over easily

{ They must be hardened—a complex process that Panko, Corporate Computer and Network Security Copyright 2005 Prentice-Hall involves many actions

2

Figure 6-1: Hardening Host Computers Figure 6-1: Hardening Host Computers

„ Elements of Hardening „ Elements of Hardening (continued)

{ Physical security (Chapter 2). { Manage users and groups

{ Secure installation and configuration { Manage access permissions

{ Fix known vulnerabilities „ For individual files and directories, assign access permissions specific users and groups { Turn off unnecessary services (applications) { Back up the server regularly { Harden all remaining applications (Chapter 9) { Advanced protections { (more on next page)

3 4

Figure 6-1: Hardening Host Computers Figure 6-1: Hardening Host Computers

„ Server Administrators Are Called Systems „ Security Baselines Guide the Hardening Effort Administrators { Specifications for how hardening should be done { A sysadmin manages one { Different for different operating systems or several servers—not necessarily all of a firm’s { Different for different types of servers (webservers, New servers mail servers, etc.) { Sometimes, groups of { Needed because it is easy to forget a step sysadmins manage multiple servers

5 6

1 Figure 6-2: Windows 2000 Server User Figure 6-1: Hardening Host Computers Interface

„ Windows Computers

{ Microsoft Network Operating Systems (NOSs)

„ LAN Manager (LANMAN)

„ Windows NT Server

„ Windows 2000 Server

„ Windows 2003 Server (called .NET in the book)

{ Graphical user interface looks like client versions to ease learning (Figure 6-2)

7 8

Figure 6-3: Computer Management Microsoft Figure 6-1: Hardening Host Computers Management Console (MMC)

„ Windows Computers

{ Administrative Tools Group under Programs has Microsoft Management Consoles (MMCs) (Figure System 6-3) Tools snap-in „ Used to conduct most administrative actions

„ Can add snap-ins for specific functionality

9 10

Figure 6-1: Hardening Host Computers Figure 6-1: Hardening Host Computers

„ Windows Computers „ UNIX

{ Windows 2000 introduced hierarchical domain { Many versions of UNIX structure with Active Directory { LINUX is a set of versions for PCs—there are „ Domain is a collection of resources several different distributions

{ User can select the user interface—GUI or „ Domain contains one or more domain controllers, member servers, client PCs command-line interface (CLI) { CLIs are called shells (Bourne, BASH, etc.) „ Group policy objects (GPOs) on a domain controller can implement policies throughout a { CLIs have picky syntax, capitalization, and spacing domain 11 12

2 Figure 6-1: Hardening Host Computers Figure 6-4: Installation and Patching

„ Internetwork Operating System (IOS) „ Installation Offers Many Options, Some of Which Affect Security { For Cisco Routers, Some Switches, Firewalls

{ For example, in Windows, the NTFS file system is „ Other Host Operating Systems better for security than FAT32 { Macintosh { Need a security baseline to guide option choices { Novell NetWare during installation { Firewalls

{ Even cable modems with web-based management interfaces

13 14

Figure 6-4: Installation and Patching Figure 6-4: Installation and Patching

„ Known Vulnerabilities „ Known Vulnerabilities

{ Most programs have known vulnerabilities { Vulnerability reporters send vulnerability reports to vendors { Exploits are programs that take advantage of known vulnerabilities { Vulnerability reporters often say that vendors take too long to fix vulnerabilities

{ Vendors say that vulnerability reporters do not give them enough time, report too much detail to the press

15 16

Figure 6-4: Installation and Patching Figure 6-4: Installation and Patching

„ Fixes „ Upgrades

{ Work-around: A series of actions to be taken; no { Often, security vulnerabilities are fixed in new new software versions

{ Patches: New software to be added to the { If a version is too old, the vendor might stop offering operating system fixes

{ Upgrades: Newer versions of programs usually fix { It might be good to wait to upgrade until after the older vulnerabilities. first round of bug and security fixes

17 18

3 Figure 6-4: Installation and Patching Patching

„ Mechanics of Patching

{ Microsoft Windows Server

„ Windows Update on Start menu (Figure 6-2) in Windows 2000

„ Automatic notification of update availability in Windows 2003

{ LINUX distributions often use rpm for updates

19 20

Figure 6-4: Installation and Patching Figure 6-4: Installation and Patching

„ Patches Often Are Not Applied „ Patches Often Are Not Applied

{ Companies get overwhelmed by number of patches { Cost of Patch installation

„ Use many products, vendors release many „ Mitigated by patch servers that distribute patches per product patches to general servers

„ Especially a problem for application programs „ More easy-to-use vendor tools are needed

„ Might simply lack the resources to apply all; might be selective

21 22

Figure 6-5: Turning Off Unnecessary Figure 6-4: Installation and Patching Services

„ Patches Often Are Not Applied „ Unnecessary Services

{ Risks of Patch installation { Operating system vendors used to install many „ Reduced functionality services by default

„ Freeze machines, do other damage—sometimes { This made them easier to use. When use changes, with no Uninstall possible services do not have to be turned on. „ Should test patch on a test system before { Attackers have found flaws in many of these rare deployment services „ Special problem for mission-critical production systems that must work

23 24

4 Figure 6-5: Turning Off Unnecessary Figure 6-5: Turning Off Unnecessary Services Services

„ Unnecessary Services „ Turning Off Services In Windows Server

{ Vendors now install fewer services by default—lock { Go to the Computer Management MMC down mode { On the tree, select Services and Applications { Turn to security baseline to see what services to (Figure 6-6) turn on and off „ Status tells whether the service is active

{ Easier to install too few and add than to install too „ Startup tells how the service is started many and remove unwanted services (automatic, manual, disabled, etc.)

{ Right click on a service or select and choose Action to stop a service, start it, disable it, etc. 25 26

Figure 6-6: Services and Applications in Figure 6-5: Turning Off Unnecessary Windows Services

„ Turning Off Services In UNIX

{ Three ways to start services

„ inetd to start services when requests come in from users (Figure 6-7)

„ rc scripts to start services automatically at book up (Figure 6-8)

„ Start a service manually by typing its name or executing a batch file that does so

27 28

Figure 6-7: UNIX inetd Daemon for Figure 6-8 The UNIX rc.d Method of Responding to Client Requests Automatically Starting Services

rc.d directory

1. Client Request /etc/rc.d Scripts for services. 4. Start and To Port 80 1. Script for Service A Contain scripts to start Program A Process 2. Script for Service B or kill services. This Request 3. Script for Service F Program B inetd 4. Script for Service H 3. Program B 2. Port 80 rc0.d [scripts to run during System Mode 0-shutdown] Program C K2 . . . [Run the Kill portion of Script 2: Kills Service B] Port 23 Program A inetd.config K3 . . . [Run the Kill portion of Script 3: Kills Service F] Program D Port 80 Program B . . . Port 123 Program C Directory rc0.d. Subdirectory of rc.d. Contains scripts to run Port 1510 Program D start or kill portions of scripts in rc.d directory. These scripts are executed if run mode 0 occurs—system shutdown 29 30

5 Figure 6-8 The UNIX rc.d Method of Figure 6-5: Turning Off Unnecessary Automatically Starting Services Services rc1.d „ Turning Off Services In UNIX Other subdirectories of rc.d for scripts to rc2.d execute in different run modes, such as run { Identifying services that are running at any moment rc3.d mode 6—startup rc4.d „ ps (processor status), usually with –aux rc5.d parameters, lists running programs rc6.d [scripts to run during System Mode 6-startup] S1 . . . [Run the Start portion of Script 1: Starts Service A] { Shows process name and process ID (PID) S2 . . . [Run the Start portion of Script 2: Starts Service B] „ netstat tells what services are running on what . . . ports rcs.d [scripts to run during System Mode s—single-user mode]

31 32

Figure 6-5: Turning Off Unnecessary Services Figure 6-9: Managing Users and Groups

„ Turning Off Services In UNIX „ Introduction

{ kill PID to kill a particular process { Every user must have an account { kill 47 (If PID=47) { There can also be groups „ Add parameters –SIGTERM, -SIGHUP, -SIGKILL in order of increasing urgency „ Can assign security measures to groups { kill 47 –SIGTERM (PID = 47) „ These measures apply to the individual group „ Only kills for now. members automatically

„ Must search inetd.config, rc scripts, batch files to „ Faster and easier than assigning security see where it is being started automatically. measures to individuals Difficult to do. 33 34

Figure 6-10: Users and Groups in Figure 6-9: Managing Users and Groups Windows

„ Creating and Managing Groups in Windows

{ Computer Management: Local Users and Groups snap-in (Figure 6-10)

{ Select Users

{ Select user from list

„ Right click on user and select Properties: password restrictions, disable box

„ Or select Action: change password, etc.

„ Add, delete users

35 36

6 Figure 6-11: Figure 6-12: Windows Creating a User New User Account in Windows Properties

To get this screen, right click on user account in Figure 6-10, select Properties 37 38

Figure 6-9: Managing Users and Groups Figure 6-9: Managing Users and Groups

„ Creating and Managing Groups in Windows „ Creating and Managing Groups in Windows

{ Select user from list { Select user from list „ Administrator is the super account „ Guest account should be disabled (the default { Change its name and create a new during installation) Administrator account with no permissions

{ Administrators should not log in as Administrators; log in as their own account, use RunAs to get temporary Administrator status when needed

39 40

Figure 6-9: Managing Users and Groups Figure 6-9: Managing Users and Groups

„ Creating and Managing Groups in Windows „ Managing Users and Groups in UNIX

{ Select Groups { Different versions of UNIX do this differently, so it is difficult to talk in general terms „ Assign rights to groups { The super account is root „ Standard groups: Administrators, Power Users, Backup Operators, etc. „ su (switch user) allows administrators to log in as regular accounts, su to get root privileges { Have appropriate permissions by default for when desired their tasks { Guest account should be disabled

41 42

7 Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions

„ Principle of Least Permissions: Give Users the „ Assigning Permissions in Windows Minimum Permissions Needed for Their Job (Figure 6-14)

{ More feasible to add permissions selectively than to { Right click on file or directory in My Computer start with many, reduce for security { Select Properties, then Security tab

{ Select a user or group

{ NOT done through the start menu, selecting Administrative Tools

43 44

Figure 6-13: Managing Permissions

Figure 6-14: „ Assigning Permissions in Windows (Figure 6-14) Assigning Permissions { Click on or off the 6 standard policies (permit or deny) in Windows „ List Folder Contents (see what is in a directory) „ Read (read only) To bring up this screen, „ Read and Execute (for programs) right click on a „ Write (change files) folder, select „ Modify (Write plus delete) Properties. Click on „ Full control: all permissions Security tab 45 46

Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions

„ Assigning Permissions in UNIX „ Assigning Permissions in Windows (Figure 6-14) { ls -l shows details of files and directories in long format { Click on or off the 6 standard policies (permit or deny) „ First character is - for a file, d for a directory

{ For more fine-grained control, 13 special permissions „ Ends with name of file or directory collectively give the standard 6 -rwxr-x---1 root . . . purple.exe { This gives highly granular access controls, especially compared to UNIX (next) drw-r---- 1 brows . . . reports -rw-rw-r--1 lighter . . . bronze.txt

Note: purple.exe is a file; reports is a directory. What is bronze.txt? 47 48

8 Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions

„ Assigning Permissions in UNIX rwx „ Assigning Permissions in UNIX

{ ls -l shows files in a directory in long format { ls -l shows files in a directory in long format

„ Only three permissions: read (only), write „ Next three characters are permissions (rwx (change), and execute (run program) possible) for the file owner

„ Format is rwx for all or various combinations (r-x is read and execute but not write) -rwxr-x---1 root . . . purple.exe drw-r---- 1 brows . . . reports -rwxr-x---1 root . . . purple.exe -rw-rw-r--1 lighter . . . bronze.txt drw-r---- 1 brows . . . reports -rw-rw-r--1 lighter . . . bronze.txt purple.exe’s owner has all three permissions reports’ owner has only read and write permissions 49 50

Figure 6-13: Managing Permissions Figure 6-13: Managing Permissions

„ Assigning Permissions in UNIX „ Assigning Permissions in UNIX „ Next three are permissions (rwx possible) for the „ Next comes the number of links group „ Next comes the name of the owner „ Next three are permissions for the rest of the world „ Group might be shown (not here)

-rwxr-x---1 root . . . purple.exe drw-r---- 1 brows . . . reports -rwxr-x---1 root . . . purple.exe -rw-rw-r--1 lighter . . . bronze.txt drw-r---- 1 brows . . . reports -rw-rw-r--1 lighter . . . bronze.txt purple’s group has read and execute permissions. purple has no permissions for the rest of the world. 51 52

Figure 6-16: Advanced Server Figure 6-13: Managing Permissions Hardening Techniques

„ Assigning Permissions in UNIX „ Reading Event Logs (Chapter 10)

{ Changing permissions { The importance of logging to diagnose problems

„ umask (user mask) command sets the default „ Failed logins, changing permissions, starting permissions for future assignments programs, kernel messages, etc.

„ chmod (change mode) changes permissions for { Windows 2000 Event Viewer (Figure 6-17) the file

„ chown (change owner) changes the ownership of a file

53 54

9 Figure 6-17: Windows 2000 Event Figure 6-16: Advanced Server Viewer for Logging Hardening Techniques

„ Reading Event Logs (Chapter 10)

{ UNIX has many logging facilities controlled by syslog program (Figure 6-18)

„ Syslog program sends log entries of different types to specific directories on the host or on other hosts

„ The file syslog.config specifies which log entries and which severity levels should go to which directories on which hosts

55 56

Figure 6-16: Advanced Server Figure 6-18: syslog in UNIX Hardening Techniques

Host A 4. 1. Event. „ Backup (Chapter 10) (Runs syslog) Remote Type=Login, Logging Level=Err Event { UNIX backup From syslog Internal „ tar command (tape archive) System 2. Login/Err „ Create tape archive of a file, group of files, 3. Host A directory tree in a .tar file … Login.Err HostA syslog.config „ Can use tar to look at table of contents of files in .. .tar file Host Wishing Restart.* /errors/restart to Do Remote .. „ Can use tar to restore one, some, or all files Logging 57 58

Figure 6-16: Advanced Server Figure 6-16: Advanced Server Hardening Techniques Hardening Techniques

„ Backup (Chapter 10) „ File Encryption

{ Windows backup { Protects files even if attacker breaks in

„ Start, Programs, Accessories, System Tools, { Key escrow: Copy of encryption key is kept Backup elsewhere to protect in case of key loss { Windows Encrypting File System (EFS) { Note that Backup is under Accessories rather than under Administrative Tools like most „ Select file in Windows Explorer, select MMCs Properties „ Click on General tab’s Advanced button „ GUI to create backups, restore backups „ Click on the box Encrypt contents to secure data

59 60

10 Figure 6-16: Advanced Server Figure 6-16: Advanced Server Hardening Techniques Hardening Techniques

„ File Encryption „ File Integrity Checker

{ Windows Encrypting File System (EFS) { Creates snapshot of files: a hashed signature (message digest) for each file „ Encryption is transparent: Save, retrieve, copy

files as usual { After an attack, compares post-hack signature with „ Encrypted files generally cannot be sent over the snapshot network { This allows systems administrator to determine „ There is a Recovery agent (usually on the which files were changed domain controller) for key escrow { Tripwire is the usual file integrity checker for UNIX (Figure 6-19) 61 62

Figure 6-19: Tripwire File Integrity Figure 6-16: Advanced Server Checker Hardening Techniques Reference Base

File 1 File 1 Signature „ File Integrity Checker 1. File 2 File 2 Signature Earlier … Tripwire … { If applied to too many files, too many false alarms Time Other Files in … will occur Policy List { Must be selective—core programs likely to be 3. Comparison to Find Changed Files Trojanized during attacks

Post-Attack Signatures „ Server Host Firewalls File 1 2. File 2 File 1 Signature { Rules can be specific to the server’s role (e-mail, After … Tripwire File 2 Signature etc.) Attack Other Files in … Policy List … 63 64

Figure 6-20: Types of UNIX Vulnerability Assessment Tools Figure 6-21: Hardening Clients

„ Importance of Clients Auditing External { Contain important information Computer Audit Tool Network { If taken over, can get in as user, passing through Network Traffic Monitoring firewalls and other protections Attack Tool Packet

Host Assessment Tool

65 66

11 Figure 6-21: Hardening Clients Figure 6-21: Hardening Clients

„ Central Control is Desirable for Clients „ Enforcing Good Practice { For example, Microsoft Group Policy Objects { Patching (GPOs) for home clients { Antivirus software { Require certain programs (antivirus, etc.), forbid { Firewall software programs not on list

{ Limiting client software to an approved list (e.g., { Even lock down desktop so use cannot add new forbidding P2P file exchange products) software or even change the interface

{ Save passwords? { Central vulnerability scanning

{ File encryption { Difficult to enforce on personally owned home computers 67 68

Topics Covered Topics Covered

„ Firewalls and other „ Elements of Hardening protections { Physical security (Chapter 2). sometimes break { Secure installation and configuration down { Fix known vulnerabilities „ Computers must be { Turn off unnecessary services (applications) hardened to survive { Harden all remaining applications (Chapter 9) when attackers reach { Manage users and groups them { Manage access permissions „ Defense in depth { Back up the server regularly { Advanced protections 69 70

Topics Covered Topics Covered

„ Baselines are needed to specify everything { Microsoft Network Operating Systems (NOSs)

that must be done to harden a server „ LAN Manager (LANMAN)

„ Server administrators are called systems „ Windows NT Server

administrators „ Windows 2000 Server

{ Each server has one or more sysadmins „ Windows 2003 Server (called .NET in the book)

„ Familiar Windows interface gives ease of learning and use

71 72

12 Topics Covered Topics Covered

„ UNIX „ Installation

{ Many versions of UNIX { Many options affect security

{ LINUX distributions { Need a baseline to guide installation

{ CLIs are difficult to use

„ Other

{ Novell NetWare

{ Cisco IOS for routers and switches

{ Firewalls, cable modems, etc. 73 74

Topics Covered Topics Covered

„ Patching vulnerabilities „ Turn Off Unnecessary Services

{ The most critical hardening step { To give attackers fewer targets

{ Fixes, patches, and upgrades { Windows Server { Often not applied because of sysadmin overload „ Computer management MMC GUI

{ Need to test patches before roll out { Unix { Linux uses rpm to get patches „ inetd.config modification { Windows 2000 uses the Windows Update item on „ rc scripts the start menu „ ps –aux, netstat show process IDs (PIDs) { Automatic notification in Windows 2003 „ kill PID kills the process with that PID 75 76

Topics Covered Topics Covered

„ Managing Users and Groups „ Managing Users and Groups

{ Assign permission to users { Windows Server Computer Management: Local Users and Groups snap-in to manage users and { Can also assign permissions to groups groups „ Group members receive all assigned permissions { Assign permission to directories by right clicking on them { Assign permissions for individuals and groups to individual directories { Windows has 6 standard permissions which can be subdivided into 13 special permissions

{ Windows can assign permissions in a directory to many users and groups 77 78

13 Topics Covered Topics Covered

„ Permissions in Unix „ File Integrity Checking

{ Only three (read, write, and execute) { Tripwire for Unix and Windows

{ Can only be assigned to a file or directory owner, a „ Host Firewall single group, and the rest of the world { Protections tailored to host’s specific services { ls -l shows permissions

{ chmod changes permissions for a file or directory „ Vulnerability Assessment

{ chown changes the owner of a file or directory { Unix external audit, network monitoring, and host assessment tools

79 80

Hardening Clients

„ Good Practice

{ Many Aspects „ Patching „ Antivirus software „ Firewall software „ Limiting client software to an approved list „ Etc.

{ Difficult to enforce „ Centralized management (e.g., Microsoft GPOs) can enforce policies 81

14