Host Hardening
Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment
(March 19, 2014)
© Abdou Illia – Spring 2014
Computer system #1
- Intel® Core® i7 Processor (3.20GHz)
- 2GB SDRAM PC3200 (800MHz), Dual Channel
- 1TB Serial ATA 7200rpm Hard Disk Drive
- 16x Multi-Format DVD Writer (DVD±R/±RW)
- Gateway 7-Bay Tower Case
- Integrated Ultra ATA Controller
- (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
- (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2
- 20" Black LCD Flat Panel Display (19" viewable)
- Gateway Premium 104+ Keyboard
- Two-Button PS/2 Wheel Mouse
- Napster 2.0 and 150 Song Sampler
- Intel® High Definition Audio
- GMAX 2100 2.1 Speakers with Subwoofer
- 56K PCI data/fax modem
- 10/100/1000 (Gigabit) Ethernet
- Microsoft Office 2010 Professional on DVD

Computer Hardware & Software
(Layer diagram, top to bottom: Productivity Software / Operating System / Computer Hardware)
Computer system #2
- Intel® Core® i7 Processor (3.20GHz)
- 2GB SDRAM PC3200 (800MHz), Dual Channel
- 1TB Serial ATA 7200rpm Hard Disk Drive
- 16x Multi-Format DVD Writer (DVD±R/±RW)
- Gateway 7-Bay Tower Case
- Integrated Ultra ATA Controller
- (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
- (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2
- 20" Black LCD Flat Panel Display (19" viewable)
- Gateway Premium 104+ Keyboard
- Two-Button PS/2 Wheel Mouse
- Napster 2.0 and 150 Song Sampler
- Intel® High Definition Audio
- GMAX 2100 2.1 Speakers with Subwoofer
- 56K PCI data/fax modem
- 10/100/1000 (Gigabit) Ethernet
- Windows 7 Professional
- Google Chrome 16 installed
- Microsoft Office 2010 Professional installed

Computer Hardware & Software
(Layer diagram, top to bottom: Web browser / Productivity Software / Operating System / Computer Hardware)
Computer system #3
- Intel® Core® i7 Processor (3.20GHz)
- 2GB SDRAM PC3200 (800MHz), Dual Channel
- 1TB Serial ATA 7200rpm Hard Disk Drive
- 16x Multi-Format DVD Writer (DVD±R/±RW)
- Gateway 7-Bay Tower Case
- Integrated Ultra ATA Controller
- (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
- (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2
- 20" Black LCD Flat Panel Display (19" viewable)
- Gateway Premium 104+ Keyboard
- Two-Button PS/2 Wheel Mouse
- Napster 2.0 and 150 Song Sampler
- Intel® High Definition Audio
- GMAX 2100 2.1 Speakers with Subwoofer
- 56K PCI data/fax modem
- 10/100/1000 (Gigabit) Ethernet
- Windows Server 2008 Enterprise installed
- Internet Explorer 8 installed
- IIS 6.0 installed

Computer Hardware & Software
(Layer diagram, top to bottom: Web service software (IIS, Apache, ...) / Web browser / Productivity Software, grouped together as "Client & server application programs", then Operating System / Computer Hardware)
Your knowledge about Host hardening
- Which of the following is most likely to make a computer system unable to perform any kind of work or to provide any service?
  a) Client application programs get hacked
  b) Server application programs (web service software, database service, network service, etc.) get hacked
  c) The operating system gets hacked
  d) The connection to the network/Internet gets shut down
OS Vulnerability test
(2010, by omnired.com)
- OS tested:
  - Win XP, Win Server 2003, Win Vista Ultimate
  - Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger
  - FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
  (Chart: OS market share)
- Tools used to test vulnerabilities:
  - Scanning tools (Track, Nessus)
  - Network mapping (Nmap command)
  - All hosts with OS installation defaults
- Results
  - Microsoft's Windows and Apple's OS X are rife with remotely accessible vulnerabilities and allow for executing malicious code
  - The UNIX and Linux variants present a much more robust exterior to the outside
  - Once patched, however, both Windows and Apple's OS are secure.
Your knowledge about Host hardening
- You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?
  a) Windows XP
  b) Linux FreeBSD 6.2
  c) They will have the same level of security
- What needs to be done first in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?
  a) Lock the server room
  b) Configure the firewall to deny all inbound traffic to the server
  c) Download and install patches for known vulnerabilities
Security Baseline
- Because it's easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: a standard security baseline
- Need to have a different security baseline for each kind of host; i.e.
  - Different security baselines for different OS and versions
  - Different security baselines for different types of server applications (web service, email service, etc.)
  - Different security baselines for different types of client applications
Options for Security Baselines
- Organization could use different standards
  - OS vendors' baselines and tools
    - e.g. Follow MS Installation procedure and use Microsoft Baseline Security Analyzer (MBSA)
  - Standards Agencies baselines
    - e.g. CobiT* Security Baseline
  - Company's own security baselines
- Security Baseline to be implemented by
  - Server administrators, known as systems admins
* Control Objectives for Information and Related Technology
Elements of Hardening
- Physical security
- Secure installation and configuration
- Fix known vulnerabilities
- Remove/Turn off unnecessary services (applications)
- Harden all remaining applications
- Manage users and groups
- Manage access permissions
  - For individual files and directories, assign access permissions to specific users and groups
- Back up the server regularly
- Advanced protections
(All of the above are carried out according to the security baseline)
Example of Security Baseline for Win XP Clients
- OS Installation
  - Create a single partition on HDD
  - Format disk using NTFS file system
  - Install Win XP and Service Pack 3
- Fixing OS vulnerabilities
  - Download and install latest patches
  - Turn on Windows' Automatic Updates checking
- Configure Windows Firewall
  - Block incoming connections except KeyAccess and Remote Assistance
- Turn off unnecessary services
  - Turn off Alerter, Network Dynamic Data Exchange, telnet
- Application Installation
  - Centrally assign applications using group policies
- Fixing applications' vulnerabilities
  - Turn on each application's automatic update checking
Hardening servers
- The 5 P's of security and compliance: Proper Planning Prevents Poor Performance
- Plan the installation
  - Identify
    - The purpose of the server. Example: provides easy & fast access to Internet services
    - The services provided on the server
    - Network service software (client and server)
    - The users or types of users of the server
    - Privileges for each category of users
  - Determine
    - If and how users will authenticate
    - How appropriate access rights will be enforced
    - Which OS and server applications meet the requirements
    - The security baseline(s) for installation & deployment
- Install, configure, and secure the OS according to the security baseline
- Install, configure, and secure server software according to the security baseline
- Test the security
- Add network defences
- Monitor and Maintain
Hardening servers (cont.)
- Choose the OS that provides the following:
  - Ability to restrict admin access (Administrator vs. Administrators)
  - Granular control of data access
  - Ability to disable services
  - Ability to control executables
  - Ability to log activities
  - Host-based firewall
  - Support for strong authentication and encryption
- Disable or remove unnecessary services or applications
  - If no longer needed, remove rather than disable to prevent re-enabling
  - Each additional service adds another attack vector
  - More services can increase host load and decrease performance
  - Reducing services reduces logs and makes detection of intrusion easier
Hardening servers (cont.)
- Configure user authentication
  - Remove or disable unnecessary accounts (e.g. Guest account)
  - Change names and passwords for default accounts
  - Disable inactive accounts
  - Assign rights to groups, not individual users
  - Don't permit shared accounts if possible
  - Configure time sync
  - Enforce appropriate password policy
  - Use 2-factor authentication when necessary
  - Always use encrypted authentication
UNIX / Linux Hardening
- Many versions of UNIX
  - No single standard guideline for hardening
- User can select the user interface
  - Graphical User Interface (GUI)
  - Command-Line Interfaces (CLIs) or shells
- CLIs are case-sensitive, with commands in lowercase (file names may use either case)
UNIX / Linux Hardening
- Three ways to start services
  - Start a service manually (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so
  - Using the inetd program to start services when requests come in from users
  - Using the rc scripts to start services automatically at boot up
Inetd = Internet daemon; i.e. a computer program that runs in the background
UNIX / Linux Hardening
- Starting services upon client requests
  - Services not frequently used are dormant
  - Requests do not go directly to the service
  - Requests are sent to the inetd program, which is started at server boot up
(Diagram: inetd listens on Port 23, Port 80, Port 123 and Port 1510 on behalf of Program A, Program B, Program C and Program D; /etc/inetd.conf maps each port to its program)
1. Client request to Port 123
2. inetd receives the request on Port 123
3. inetd looks up Port 123 in /etc/inetd.conf and finds Program C
4. inetd starts Program C, which processes this request
UNIX / Linux Hardening
- Turning On/Off unnecessary Services In UNIX
  - Identifying services running at any moment
    - ps command (process status), usually with -aux parameters, lists running programs
      - Shows process name and process ID (PID)
    - netstat tells what services are running on what ports
  - Turning Off Services In UNIX
    - kill PID command is used to kill a particular process
      - kill 47 (if PID=47)
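As an added example (not part of the slides), the following Python audit covers the inetd dispatch described two slides earlier and the "turn off unnecessary services" step above: it parses the entries of /etc/inetd.conf, maps each enabled service to the port inetd listens on, and comments out every service that is not on an allowlist. The sample configuration and the name-to-port table are constructed; on a real host they would come from /etc/inetd.conf and /etc/services.

```python
"""Audit of an inetd.conf dispatch table.  Added example, not from the slides."""
from typing import List, Optional, Tuple

# Constructed sample /etc/inetd.conf (format: service socket proto wait user program args).
SAMPLE_INETD_CONF = """\
# service socket proto  wait   user   program                args
ftp       stream tcp    nowait root   /usr/libexec/ftpd      ftpd -l
telnet    stream tcp    nowait root   /usr/libexec/telnetd   telnetd
#finger   stream tcp    nowait nobody /usr/libexec/fingerd   fingerd -s
daytime   stream tcp    nowait root   internal
ssh       stream tcp    nowait root   /usr/sbin/sshd         sshd -i
"""

# Constructed subset of /etc/services: service name -> port inetd listens on.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "daytime": 13, "finger": 79}


def parse_inetd_conf(text: str) -> List[Tuple[str, Optional[int], str]]:
    """Return (service, port, program) for every enabled entry; comment and
    blank lines are skipped, as inetd itself skips them."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue
        name, program = fields[0], fields[5]
        entries.append((name, SERVICE_PORTS.get(name), program))
    return entries


def harden_inetd_conf(text: str, allowed) -> Tuple[str, List[str]]:
    """Comment out every enabled service not in `allowed`; return the rewritten
    file and the names that were turned off."""
    kept, disabled = [], []
    for line in text.splitlines():
        fields = line.split()
        enabled = bool(fields) and not fields[0].startswith("#") and len(fields) >= 6
        if enabled and fields[0] not in allowed:
            kept.append("#" + line)      # disabled, but left visible for review
            disabled.append(fields[0])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", disabled
```

Classic inetd re-reads its configuration when sent SIGHUP (kill -HUP with inetd's PID, found with ps as on the slide), after which netstat no longer shows the commented-out ports as listening.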
Advanced Server Hardening Techniques
- File Integrity Checker
  - Creates a snapshot of files: a hashed signature (message digest) for each file
  - After an attack, compares post-hack signatures with the snapshot
  - This allows the systems administrator to determine which files were changed
  - Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)
Advanced Server Hardening Techniques
(Diagram: how a file integrity checker works)
1. Earlier time: Tripwire reads File 1, File 2, ... and the other files in the policy list and stores a signature for each (File 1 Signature, File 2 Signature, ...) as the Reference Base
2. After attack: Tripwire computes the Post-Attack Signatures for the same files
3. Comparison of the two sets of signatures to find changed files
File Integrity problem: many files change for legitimate reasons. So it is difficult to know which ones the attacker changed.
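To make the three steps of the diagram concrete, here is an added Python example (not Tripwire's code): snapshot() builds the reference base of SHA-256 digests for a policy list, compare() finds changed, added and removed files, and a volatile list addresses the caveat above by reporting files that are expected to change (logs, spools) in their own bucket. demo() runs a constructed scenario in a temporary directory; the file names and contents are made up for the example.

```python
"""Tripwire-style file integrity check; added example, not Tripwire's own code."""
import hashlib
import os
import tempfile

def digest(path):
    """Message digest (SHA-256) of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(policy_list):
    """Steps 1 and 2: one signature per file in the policy list (missing files are skipped)."""
    return {p: digest(p) for p in policy_list if os.path.isfile(p)}

def compare(reference, current, volatile=()):
    """Step 3: find files whose signature differs between the two snapshots.
    Paths under a `volatile` prefix (logs, spools) change legitimately, so they
    are reported in their own bucket instead of drowning the real changes."""
    report = {"changed": [], "volatile_changed": [], "added": [], "removed": []}
    for path, sig in reference.items():
        if path not in current:
            report["removed"].append(path)
        elif current[path] != sig:
            bucket = "volatile_changed" if path.startswith(tuple(volatile)) else "changed"
            report[bucket].append(path)
    report["added"] = sorted(set(current) - set(reference))
    return report

def demo():
    """Constructed scenario in a temp dir: take the reference base, then one
    unauthorized edit, one legitimate log write and one deleted file."""
    root = tempfile.mkdtemp()
    files = {"passwd": b"root:x:0:0\n", "httpd.conf": b"Listen 80\n", "app.log": b"start\n"}
    policy = [os.path.join(root, name) for name in files]
    for path, data in zip(policy, files.values()):
        with open(path, "wb") as f:
            f.write(data)
    reference = snapshot(policy)
    with open(policy[0], "ab") as f:   # unauthorized change to passwd
        f.write(b"extra:x:0:0\n")
    with open(policy[2], "ab") as f:   # legitimate log growth
        f.write(b"request served\n")
    os.remove(policy[1])               # httpd.conf deleted
    report = compare(reference, snapshot(policy), volatile=(os.path.join(root, "app.log"),))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```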
Other types of host that can be Hardened
- Internetwork Operating System (IOS)
  - For Cisco Routers, Some Switches, Firewalls
- Even cable modems with web-based management interfaces