Cscu module 02 securing operating systems

Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.

1

Securing Operating Systems

Simplifying Security.

Module 2


2

In its latest edition of Security Intelligence Report that Microsoft released on May 12, 2011, the company reveals that the infection rate on Windows 7 rose over 30% in H2‐2010, while that on Windows XP dropped over 20%.

Says Principal Group Program Manager Jeff Williams for Microsoft Malware Protection Center, the rate of contamination on Windows 7 increased, that's because of more malware attacks prevailing in cyber space. Computerworld.com published this on May 12, 2011.

Notably, during July‐December 2010, there was a mean rate of more than 4 32‐bit Windows 7 computers getting infected for every 1,000 such computers, a rise of 33% compared to about 3 such PCs getting infected for every 1,000 during H1‐2010.

Malware Contamination on Windows 7 High, While for XP Low

http://www.spamfighter.com

May 21, 2011


3

Apple ‐‐ and many Mac users ‐‐ argue that Mac OS X has a special recipe for security that makes it less likely to be infected with malware. Many security researchers counter that the Mac's seeming immunity stems not from its security, but from its lack of market share.

The debate may finally be settled.

The emergence of a serious malware construction kit for the Mac OS X seems to mimic a 2008 prediction by a security researcher. The prediction comes from a paper written in IEEE Security & Privacy (in .pdf), which used game theory to predict that Macs would become a focus for attackers as soon as Apple hit 16 percent market share.

Last week, security researchers pointed to a construction kit for creating Trojans for the Mac OS X as a major issue for Mac users. Currently, three countries ‐‐ Switzerland, Luxembourg and the United States ‐‐have Mac market share around that level.

Mac Malware Goes From Game to Serious

http://www.csoonline.com

May 11, 2011


4

Module Objectives

System Security

Threats to System Security

How Does Malware Propagate?

Guidelines for Windows Operating System Security

Two‐Way Firewall Protection in Windows

Windows Encrypting File System (EFS)

How to Hide Files and Folders?

Windows Security Tools

Guidelines for Securing Mac OS X

Resources on the Internet for Computer Security

Operating System Security Checklists


5

Module Flow

System Security


How DoesMalware Propagate?

Guidelines for Windows OS Security





6

System Security

Every operating system and application is subject to security flaws

Software vendors usually develop patches to address these flaws

Users have to install the patches and configure the software

System compromise can be prevented by applying security patches in a timely manner


7

Module Flow

System Security








8


Virus

A program that replicates by copying itself to other programs, system boot sectors, or documents, and alters or damages the computer files and applications

Worm

A self‐replicating virus that does not alter files but resides in computer memory and replicates itself

Backdoor

An unauthorized mean of accessing the system and bypassing the security mechanisms

Trojan

A program that seems to be legitimate but acts maliciously, when executed

Logic Bomb

A program that releases a virus or a worm

Rootkit

A set of programs or utilities that allows someone to maintain root‐level access to the system


9

Keylogger

Password Cracking

Keylogger is a hardware device or small software program that monitors and records each keystroke on a user's computer keyboard

Password cracking is the process of identifying or recovering an unknown or forgotten password

Spyware Spyware includes Trojans and other malicious software that steals personal information from the system without the users’ knowledge. Example: Keylogger



10

Password Cracking

Trying different passwords until one works

Tricking people to reveal their password or other information that can be used to guess the password

It uses a pre‐defined list of words

Trying combinationsof all the characters until the correct password is discovered

Watching someone type the password

Password cracking is the process of identifying or recovering an unknown or forgotten password

Victim

Attacker

Server

Original Connection

Attacker gets the

password of the victimSniff

GuessingBrute Forcing

DictionaryAttack

Shoulder Surfing

SocialEngineering


11

Module Flow

System Security








12


Through Email Attachments

Emails containing attachments may include malware

Clicking the attachment installs a malicious program on the computer

A virus create an autorun.inf file that is a system hidden and a read‐only fileWhen the user opens the pen drive files, the autorun.inf is executed and copies the virus files into the system

Through Infected Websites

Visiting compromised sites may result in installation of malicious software, designed to steal personal information, on users computer

Through USB Memory Sticks


13

How Does Malware Propagate ?

http://www.sonicwall.com


14

Through Fake Codec

If the user is prompted to download and install a decoder to watch the video, the codec may be a malicious program that would be downloaded onto the system

Through Shared Folders

Malware may propagate via network shares

The malware can spread by creating copies of itself in shared folders



15

Through Fake Antivirus

Antivirus 2009 is a fake antivirus that performs a fake scan of the users’ system and shows viruses that are not present on the system

Clicking the Register or Scan buttons downloadsmalware onto the system

Through Downloads

Downloading software, music, photos, and videos from untrusted websites may also cause downloading a malicious file infected with a virus, worm, Trojan, etc.

A large number of malicious applications are available over the Internet with a description that may trick users into downloading them



16

Peer‐to‐peer (P2P) file sharing enables sharing of music, audio, images, documents, and software programs between two computers over the Internet

Shared files may contain security risks such as viruses, spyware, and other malicious software

Attackers can share malware disguised as a useful application

P2P networks can be used to illegally distributethe copyrighted material that may attract civil and/or criminal penalties

http://www.entertane.com



17

Module Flow

System Security








18

Guidelines for Windows Operating System Security

Lock the System, WhenNot in Use

Create Strong User Password

Disable the Guest Account

Lock Out Unwanted Guests

Apply Software Security Patches

Use Windows Firewall

Use NTFS

Kill Unnecessary Processes

Configure Audit Policy

Rename the AdministratorAccount

Use Windows Encrypting File System

Hide Files and Folders

Disable Start up Menu

Disable Simple File Sharing

Use Windows User Account Control (UAC)

Implement Malware Prevention

Disable Unnecessary Services

Enable BitLocker


19

Lock the System When Not in UsePress the ‘Windows’ and ‘L’ keys together on the keyboard to lock the system

Click Start Lock

Right‐click on the Desktop and select Personalize Screensaver select the time and check “On resume, display logon screen”


20

1. To create a password, go to Start Control Panel Select User Accounts click Manage another account

2. Click User name for whom the password has to be changed and choose Create a password (If the password is already set, this option will be Change your password )

3. In the Create a password for user’s account window, type the password to be assigned to the selected user and confirm the password

4. Provide a password hint (optional)

5. If a password is already assigned to the user account and are trying to change it, Windows will ask you to verify the current password

6. Click the Create/Change Password button

Note: Use strong passwords for logging into the system

Create a Strong User Password


21

Change Windows User Password: Windows 7


22

Disable the Guest Account: Windows 7

Click Start right click Computer selectManage

When the Computer Management window opens, go to Local Users and GroupsUsers

Verify that the Guest account is disabled by looking at the icon

If the account is not disabled, double‐click the account name to open its Propertieswindow

In the Guest account's properties window select the checkbox next to Account is disabled click OK


23

Lock Out Unwanted Guests in Windows 7

Go to Control Panel click Administrative Tools

Double‐click the Local Security Policy Account Policies double‐click the Account Lockout Policy double‐clickAccount Lockout Threshold

At the Account lockout threshold Properties window, enter the number of invalid logins (e.g., 3)

Click OK and Close


24

Click Start right click Computer click Manage

In the Computer Management window click Local Users and Groupsselect Users

Rename the Administrator Account in Windows 7

Right click on user Admin or Administratorselect Rename type the new name for account and click OK


25

Right click on the Taskbar select Properties click Start Menu tab

Uncheck both Store and display recently opened programs in the Start menu and Store and display recently opened items in the Start menu and the taskbar click Apply click OK

Disable Start up Menu in Windows 7


26

•

Windows Updates in Windows 7

Windows Updates

Click Start Control Panel select System and Security

Select Windows Update Change Settings

Choose how Windows can install updates


27

Pointers for Updates

Always patch the OS and applications to the latest patch levels

Ensure that you are downloading patches only from authentic sources ‐‐preferably the vendor site

Use patch management tools for easier updating–there are several free tools

Do not send patches through email

Do not open executable files from sources of questionable integrity

Choose to be notified by the vendor about vulnerability announcements


28

Apply Software Security Patches

1

2

3

4

5

Updates can be installed automatically or manually

Automatic updates can be installed on a scheduled basis

Updates must be installed from the vendor’s website

The update process can be hidden and restored

Software updates are used to keep the OS and other software up‐to‐date


29

Open Windows Firewall by clicking the Start button click Control Panel

In the search box, type Firewall click Windows Firewall

In the left pane, click Turn Windows Firewall ON or OFF

Configuring Windows Firewall in Windows 7


30

Adding New Programs in Windows Firewall in Windows 71. Click Start Control Panel type Firewall in the

search box press Enter

2. Click Allow a program through Windows Firewall

3. Click Change Settings


31

4. Click Allow another Program

5. The Add A Program window opens, which lists pre‐installed programs Click Browse to add a program (if required)

Adding New Programs in Windows Firewall in Windows 7


32

6. Navigate to the Location of the program select its executable file click Open

7. Click Add click OK to exit the Windows Firewall

The change is applied to the list of added programs

Adding New Programs in Windows Firewall in Windows 7


33

Removing/Disabling Programs Rules from the Windows Firewall in Windows 7

Click Start Control Panel search Windows Firewall go to Allow a Program through Windows Firewallclick Change Settings

Select the rule you want to Remove/Disable

To Disable any rule for any specific network location, uncheck its respective checkbox click OK

To remove any program completely from the allowed program list, click Remove click YES click OK


34

Advance settings in Windows Firewall allow users to create custom rules

Steps to create a new rule:

1. Click Start Control Panel search for firewall click Check Firewall Status click Advanced Settings

Creating a New Windows Firewall Rule in Windows 7


35

2. In the Windows Firewall with Advanced Security window, click Inbound Rules click New Rule

3. The New Inbound Rule Wizard opens select the type of rule (Program, Port, Predefined, and Custom rules) you would like to create click Next



36

4. Select the type of protocol (TCP/UDP) and provide the port numbers or select the option All Local Ports for the rule you want to be applied click Next

5. Decide what Action to take when a connection matches the specified condition (here, Allow the Connection) click Next



37

6. Select a Profile for which the rule has to be applied click Next

7. Give a Name to the newly created Rule and description (optional) click Finish

The rule is created and it allows TCP Inbound traffic to all the ports.

Note: To create a rule for Outbound traffic, follow the same steps. But select UDP protocol and enter 5679 as the port number



38

Two-Way Firewall Protection in Windows

Click the Start button type wf.msc or Firewall in search bar press EnterClick the Windows Firewall with Advanced Security iconThis management interface displays the inbound and outbound rulesClick Windows Firewalls PropertiesA dialog box with several tabs will appearFor each profile‐‐Domain, Private, and Public‐‐change the setting to Block, and then click OK


39

Close any open programs running on the partition or logical drive to be converted

Click Start All Programs Accessories, right‐click Command Prompt, and then click Run as administrator. Type the password or provide confirmation if prompted

In the Command Prompt, type convert drive_letter: /fs:ntfs, where drive_letter is the letter of the drive to be converted to NTFS, and then press ENTER

Type the name of the volume you want to convert, and then press ENTER

Always Use NTFSNTFS file system provides better performance and security for data on hard disks and partitions than the FAT file system

Convert partitions that use the earlier FAT16 or FAT32 file system to NTFS by using the convertcommand

Note: Converting a partition from FAT to NTFS does not affect the data on it. You need to restart the computer for the NTFS conversion if the partition contains system files.


40

Module Flow

System Security








41


Windows Encrypting File System (EFS) allows Windows 7 system users to encrypt files and folders in an NTFS formatted disk drive

Right‐click the file to be encrypted select Properties on the General tab click the Advancedbutton. The Advanced attributes dialog box appears.

There are two options under Compress or Encrypt attributes, Compress contents to save disk space and Encrypt contents to secure data

Select Encrypt contents to secure data click OK to close the Compress or Encrypt Attributes dialog box click Apply

An Encryption Warning dialog box appears, check any of the two options: Encrypt the file and its parent folder and Encrypt the file only click OK


42

• Right‐click the file to be decrypted select Properties

• On the General tab, click the Advanced button. An Advanced Attributes dialog box appears

• There are two options under Compress or Encrypt Attributes, Compress contents to save disk space and Encrypt contents to secure data

• Uncheck Encrypt contents to secure data click OK to close the Compress/Encrypt Attributes dialog box apply the settings click OK

How to Decrypt a File Using EFS in Windows?


43

Using Windows DefenderWindows Defender is an antispyware software that offers real‐time protection against spyware and other potentially malicious programs infecting the computer

To turn Windows Defender ON or OFF openWindows Defender by clicking the Start button click All Programs clickWindows Defender or type Windows Defender in the search space

Click Tools click Options click Administrator select or clear the Use Windows Defender check box click Save


44

Enable BitLocker in Windows 71. BitLocker Drive Encryption provides better data protection by encrypting an entire Windows operating system

volume

2. The hard drive and any removable media on the computer can be encrypted

3. Encrypted removable media can be decrypted and re‐encrypted on any Windows 7 computer

4. Click Start click Computer Right click on any drive and select the option Turn on BitLocker…

Note: BitLocker is available only in the Enterprise and Ultimate editions of Windows Vista and Windows 7


45

Launching Event Viewer in Windows 7

Windows XP Windows 7

Event Viewer is a built‐in Windows utility that allows users to view and manage the event logs, gather information about hardware and software problems, and monitor Windows security events

To start Event Viewer in Windows 7 click Start Control Panel System and SecurityAdministrative Tools Event Viewer


46

1. Event Viewer categorizes events into five types: Error, Warning, Information, Audit Success, and Audit Failure

2. Each event log is differentiated by its level and contains header information and a description of the event

3. Each event header contains a detailed description of the level, date, time, source, event ID, and task category

Event Viewer: Events and How to Read Logson the System


47

A service is a long‐running executable that performs specific functions without requiring any user intervention

Services normally start during the system start up or booting

Some services load automatically, while others are called when a program is used

To view running services, click StartControl Panel Administrative Tools double‐click Services

Alternatively, select Start type services.msc in search bar press ENTER

Once the Services window is loaded, the user can turn off any unneeded services

Disabling Unnecessary Services in Windows 7


48

Killing Unwanted Processes

Killing a process

Press [Alt]+ [Ctrl] + [Del] keys simultaneously click Task Manager

In Task Manager go to Processes tab select the Process click End Process

Alternatively, right click on a selected target process select End Process

Killing a Process Tree

Run the Task Manager select the target process right‐click and select End Process Tree

Kill or terminate unnecessary and suspicious processes to increase system performance and protect system against malwares


49

Finding Open Ports Using Netstat ToolKnowing open ports, and services and applications associated with these ports helps in detecting the presence of malware such as virus, worms, Trojans, etc. in the system

Malware generally open ports to receive or send data packets from attackers

Netstat, a Windows inbuilt utility, can be used to determine open ports in the system and associated applications

Click Start All Programs Accessories, right‐click Command Prompt, and then click Run as administrator. Type the password or provide confirmation if prompted

Type netstat –b in the command prompt window to see the open ports and associated applications


50

Configuring Audit Policy

1. Click Start type secpol.msc in search bar, and press Enter

2. Click Local Policies select Audit Policy double‐click the Audit account logon events policycheck the Success and Failure boxes click Apply click OK

3. Similarly, change the security setting for all the policies listed in the right hand pane of Local Security Policy window

4. Close the Local Security Policywindow

Audit policies should be configured to identify attempted or successful attacks on system and network


51

How to Hide Files and Folders?Right‐click the file or folder to be hidden click Properties under Attributescheck Hidden click Apply click OK

On the Organizemenu from Windows Explorer click Folder and search options

On the View tab, Select the Do not show hidden files and folders option


52

Disable Simple File Sharing in Windows1. Go to Start Control Panel Folder

Options

2. From the Folder Options window select the View tab

3. Scroll to the bottom of the Advanced Settings pane

4. Uncheck the checkbox for Using sharing wizard (for Windows 7)click OK


53

Raise the UAC Slider Bar in Windows 7User Account Control (UAC) helps the user to make critical decisions while installing software

Click Start Control Panel Action Center Change User Account Control SettingsRaise/Adjust the UAC slider bar to Always notify


54

Module Flow

System Security








55

Windows Security Tools: Microsoft Security Essentials

http://www.microsoft.com

Microsoft Security Essentials provides real‐time protection for a home PC that guards against viruses, spyware, and other malicious software


56

KeePass is a password manager that manages passwords in a secure way and carries all passwords in one database, which is locked with one master key or a key‐disk

The databases are encryptedusing current known secure encryption algorithms (AES‐256 and Twofish)

Windows Security Tools: KeePass Password Safe Portable

http://portableapps.com


57

http://www.pctools.com

Windows Security Tools: Registry Mechanic1. Registry Mechanic offers tools to speed up and improve the stability of Windows7, Windows Vista, or

Windows XP PC2. Registry Mechanic safely cleans, repairs, and optimizes the registry and automatically backs up changes

for future recovery3. Permanently erases Internet activity, personal files, and free space to keep information away from

prying eyes


58

http://www.microsoft.com

Windows Security Tools: Windows DefenderWindows Defender helps protect a computer against pop‐ups, slow performance, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from a computer


59

Module Flow

System Security








60

Step 1: Enabling and Locking Down the Login Window

Click Apple menu System Preferences AccountsLogin options Display Login Windows as Name and Password

Uncheck Automatically login as:

Check Hide the Sleep, Restart, and Shut Down buttons

Uncheck Enable fast usersswitching if not used


61

Step 2: Configuring Accounts Preferences

From the Apple menu choose System Preferences from the View menu choose Accounts select the username whose password you want to change

Click Reset Password (Mac OS X v10.3 and v10.4) or Change Password (Mac OS X v10.5 or later)

Enter a new password in both the Password and Verify fields click the Reset Password (Mac OS X v10.3 and v10.4) or the Change Password (Mac OS X v10.5 or later)

If a dialog box appears with the message Your Keychain password will be changed to your new account password, click OK


62

Never create accounts that are shared by several users

Each user should have his or her own standard or managed account

Individual accounts are necessary to maintain accountability

Administrators should only use their administratoraccounts for administration purposes

Step 3: Guidelines for Creating Accounts


63

Step 4: Securing the Guest Account

The guest account must be used for temporary access to the system

The guest account should be disabled by default as it does not require a password to login to the computer

If the guest account is enabled, Enable Parental Controls to limit what the user can do

If the user permits the guest account to access shared folders, an attacker can easily attempt to access shared folders without a password


64

Step 5: Controlling Local Accounts with Parental Controls

Network Traffic Analysis

Open System Preferences click Accounts

If the lock icon is locked click the lock icon and provide an Administrator name and Password

Select the user account to be managed with parental controlsselect the Enable Parental Controlscheckbox

Click Open Parental Controls click System, Content, Mail & iChat, Time Limits, and Logs


65

Step 6: Use Keychain SettingsKeychain stores passwords on the disk in an encrypted form and it is difficult for a non‐root user to sniff a password between applications

Go to Applications Utilities Keychain Access Edit Change settings for Keychain "login"

Check Lock after change minutes of inactivity to the desired number of minutes check Lockwhen sleeping click Save


66

Step 7: Use Apple Software UpdateMac OS X includes an automatic software update tool to patch the majority of Apple applications

Software Update often includes important security updates that should be applied to a user’s machine

To update software :

Open Software Update preferences click the Scheduled Check pane

Deselect Download updates automatically click Check Now


67

Step 8: Securing Date & Time Preferences

1. Open Date & Time preferences in the Date & Time pane, enter a secure and trusted NTP server in the Set date & time automatically field

2. Click the Time Zone button choose a Time Zone


68

Step 9: Securing Network Preferences

It is recommended to disable unused hardware devices listed in Network preferencesOpen Network preferences from the list of hardware devices, select the hardware device that connects one’s networkFrom the Configure pop‐up menu, choose ManuallyEnter the user’s static IP address, Subnet Mask, Router, DNS Server, and Search Domain configuration settingsClick Advanced in the Configure IPv6pop‐up menu, choose Off click OK


69

Step 10: Enable Screen Saver PasswordTo prevent unauthorized access to a system, enable a screen saver password

1. From the Applemenu select SystemPreferences click Security click the Lockicon to make changes

2. If prompted, type the admin userid and password

3. In the Security window click the Generaltab check Require password to wake this computer from sleep or screen saver (Leopard) or Require password immediately after sleep or screen saver begins (Snow Leopard)

4. In addition to the screen saver password, also secure the system by selecting:

Disable automatic login

Require password to unlock each System Preference.

Use secure virtual memory

Click the lock icon to prevent further changes

Close the Security window and restart your machine


70

Step 11: Set Up FileVault to Keep Home Folder Secure

Click System Preferences click Security click FileVaultclick Set Master Password

Create the master password for the computer but ensure this password is different from user account password

Verify the password click OK


71

Step 12: Firewall Security Mac OS X firewall blocks unwanted networkcommunication with the computer:1. Click System Preferences click Security click

Firewall

2. Click the Lock Icon to make changes

3. If prompted, type the admin userid and password

4. By default, the firewall allows all incomingconnections, change the option by clicking the second option (Allow only essential services) or third option (Set access for specific services and applications)

5. Choose which application(s) you want the firewall to allow and which to block

6. Click the lock icon to prevent further changes and close the Security window


72

Internet Fraud Complaint Center (IC3)http://www.ic3.gov

TECS: The Encyclopedia of Computer Security http://www.itsecurity.com

Virus Bulletin http://www.virusbtn.com

Common Vulnerabilitiesand Exposureshttp://www.cve.mitre.org

Windows Security Guide http://www.winguides.com

Stay Safe Onlinehttp://www.staysafeonline.org

CYBERCRIMEhttp://www.cybercrime.gov

Macintosh Security Sitehttp://www.securemac.com

Resources on the Internet for Computer Security


73

Module Summary

Attackers discover new vulnerabilities and bugs to exploit in computer software

Software vendors usually develop patches to address the problems

Encryption is the process of converting data into a secret code

Regularly update the operating system and other applications

Windows System Restore is used to return one’s computer to an earlier state in case of a system failure or other major problem with the system

Microsoft Security Essentials provides real‐time protection for the PC that guards against viruses, spyware, and other malicious software

Windows Defender helps to protect the system against pop‐ups, slow performance, and security threats


74

Operating Systems Security Checklist

Install antivirus software and scan the system regularly

Do not open any email from unknown senders

Perform an antivirus scan while downloading

Regularly update the operating system and other applications

Lock the system when not in use

Physically secure the system from unauthorized access

Enable firewall protection and configure all the computer settings for high security

Use strong passwords, at least eight characters long, containing both letters and numbers


75

Operating Systems Security Checklist

Delete the Internet history files, logs, and personal files

Make backups of important data and store them safely

Disable or limit the number of unnecessary accounts

Configure antivirus to check all mediums (CD‐ROMs, email, websites, downloaded files, etc.,) for viruses

Use encryption to enhance privacy

Keep up‐to‐date with hotfixes and service packs

Disable AutoRun for the DVD/CD‐ROM

Secure the wireless network


76

Use Windows Defender to help prevent spyware and other potentially unwanted software from being installed on the computer automatically

User Account Control asks for permission before installing software or opening certain kinds of programs that could potentially harm your computer or make it vulnerable to security threats

Back up your files and settings regularly so that if you get a virus or have any kind of hardware failure, you can recover your files

Set Windows Update to download and install the latest updates for the computer automatically

Windows Firewall can help prevent hackers and malicious software, such as viruses, from gaining access to your computer through the Internet

Use Action Center to make sure the firewall is ON, antivirus software is up to date, and the computer is set to install updates automatically

Windows 7 Security Checklist


77

MAC OS Security Checklist

Securely erase the Mac OS X partition before installation

Set parental controls for managed accounts and Use Password Assistant to generate complex passwords

Securely configure Accounts preferences and Date & Time preferences

Install Mac OS X using Mac OS Extended disk formatting

Create an administrator account and a standard account for each administrator

Create keychains for specialized purposes

Securely configure Security preferences

Documents

Cscu module 02 securing operating systems