Host Hardening

(March 21, 2011)

© Abdou Illia – Spring 2011

2

CERT Report on systems vulnerabilities

Source: CERT Report @ http://www.kb.cert.org/vuls/bymetric

3

OS market share for 2006

OS Vulnerability test Source: http://www.omninerd.com/articles/2006_Operating_System_Vulnerability_Summary

OS tested: Win XP, Win Server 2003, Win Vista Ultimate, Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10,

Ubuntu 6.10 Tools used to test vulnerabilities:

Scanning tools (Track, Nessus) Network mapping (Nmap command) All host with OS installation defaults

Results Microsoft's Windows and Apple's OS X are ripe with remotely accessible

vulnerabilities and allow for executing malicious code The UNIX and Linux variants present a much more robust exterior to the outside Once patched, however, both Windows and Apple’s OS are secure, at least

from the outside.

4

Your knowledge about Host hardening

Today, how long it will take for a hacker to “own” a server with OS installation defaults that is connected to the Internet?

a) A week

b) A day or two

c) Two weeks

What needs to be done, first, in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?

a) Lock the server room

b) Configure the firewall to deny all inbound traffic to the server

c) Download and install patches for known vulnerabilities

5

Your knowledge about Host hardening

You performed an Out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure ?

a) Windows XP

b) Linux FreeBSD 6.2

c) They will have the same level of security

6

What is Hardening Host Computers?

A series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment

Because it’s easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology or a standard security baseline

Need to have different security baseline for different kind of host; i.e.

Different security baselines for different OS and versions Different security baselines for different types of servers

(web servers, mail servers, etc.) and applications

7

Security Baseline

Organization could use different standards OS vendors’ baselines and tools

e.g. Follow MS Installation procedure and use Microsoft Baseline Security Analyzer (MBSA)

Standards Agencies baselines e.g. CobiT* Security Baseline

Company’s own security baselines Security Baseline to be implemented by

Server administrators known as systems admin

* Control Objectives for Information and Related Technology

8

Elements of Hardening

Physical security Secure installation and configuration Fix known vulnerabilities Remove/Turn off unnecessary services (applications) Harden all remaining applications Manage users and groups Manage access permissions

For individual files and directories, assign access permissions to specific users and groups

Back up the server regularly Advanced protections

According to

baseline

9

Example of Security Baseline for Win XP Clients OS Installation

Create a single partition on HDD Format disk using NTFS file system Install Win XP and Service Pack 3

Fixing OS vulnerabilities Download and install latest patches Turn on Windows’ Automatic Updates checking

Configure Windows Firewall Block incoming connections except KeyAccess and Remote

Assistance Turn off unnecessary services

Turn off Alerter, Network Dynamic Data Exchange, telnet Application Installation

Centrally assign applications using group policies Fixing applications’ vulnerabilities

Turn on each application’s automatic update checking

10

Hardening servers Be aware of the 5 ‘P’ s of security and compliance

Proper Planning Prevents Poor Performance Plan the installation

Identify The purpose of the server. Example: provides easy & fast access to Internet

services The services provided on the server Network service software (client and server) The users or types of users of the server

Determine Privileges for each category of users If and how users will authenticate How appropriate access rights will be enforced Which OS and server applications meet the requirements The security baseline(s) for installation & deployment

Install, configure, and secure the OS according to the security baseline Install, configure, and secure server software according to sec. baseline Test the security Add network defenses Monitor and Maintain

11

Hardening servers (cont.)

Choose the OS that provides the following: Ability to restrict admin access (Administrator vs. Administrators) Granular control of data access Ability to disable services Ability to control executables Ability to log activities Host-based firewall Support for strong authentication and encryption

Disable or remove unnecessary services or applications Remove rather than disable to prevent re-enabling Additional services increases the attack vector More services can increase host load and decrease performance Reducing services reduces logs and makes detection of intrusion easier

12

Hardening servers (cont.)

Configure user authentication Remove or disable unnecessary accounts

(e.g. Guest account) Change names and passwords for default accounts Disable inactive accounts Assign rights to groups not individual users Don't permit shared accounts if possible Configure time sync Enforce appropriate password policy Use 2-factor authentication when necessary Always use encrypted authentication

13

Windows Hardening Most Windows hardening done using Graphical

User Interface

14

Windows Hardening Turning services and applications on/off in Windows

Q: Reducing services can increase host load and decrease performance: T F

15

Windows Hardening

Domain configuration and directory service needed for central security setting

Windows 2000 introduced hierarchical domain structure with Active Directory

Domain is a collection of resources

Domain contains one or more domain controllers, member servers, client PCs

Group policy objects (GPOs) on a domain controller can implement security policies throughout a domain

16

UNIX / Linux Hardening

Many versions of UNIX No standards guideline for hardening

User can select the user interface Graphic User Interface (GUI) Command-Line Interfaces (CLIs) or shells

CLIs are case-sensitive with commands in lowercase except for file names

17

UNIX / Linux Hardening

Three ways to start services

inetd program used to start services when requests come in from users

rc scripts to start services automatically at boot up

Start a service manually by typing its name or executing a batch file that does so

Inetd = Internet daemon; i.e. a computer program that runs in the background

18

UNIX / Linux Hardening

Program A

Program B

Program C

Program D

inetd

Port 23 Program APort 80 Program BPort 123 Program CPort 1510 Program D

1. Client RequestTo Port 123

4. Start and Process

This Request

3. Program C 2. Port 123

/etc/inetd.config

Starting services upon client requests Services not frequently used are dormant Requests do not go directly to the service Requests are sent to the inetd program which is started at server boot up

19

UNIX / Linux Hardening

Turning On/Off unnecessary Services In UNIX

Identifying services running at any moment

ps command (processor status), usually with –aux parameters, lists running programs

Shows process name and process ID (PID)

netstat tells what services are running on what ports

Turning Off Services In UNIX kill PID command is used to kill a particular process

kill 47 (If PID=47)

Q: You kill some services but see that they are running again the next day. Explain why?

20

Advanced Server Hardening Techniques

Need to read Event Logs to diagnose problems

Failed logins, changing permissions, starting programs, kernel messages, etc.

21

Advanced Server Hardening Techniques

File Encryption Protects files even if attacker breaks in Key escrow: Copy of encryption key is kept

elsewhere to protect in case of key loss Windows Encrypting File System (EFS)

Select file in Windows Explorer, select Properties Click on General tab’s Advanced button Click on the box Encrypt contents to secure data

22

Advanced Server Hardening Techniques

File Integrity Checker

Creates snapshot of files: a hashed signature (message digest) for each file

After an attack, compares post-hack signature with snapshot

This allows systems administrator to determine which files were changed

Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

23

Advanced Server Hardening Techniques

File 1File 2…Other Files inPolicy List

File 1File 2…Other Files inPolicy List

File 1 SignatureFile 2 Signature……

File 1 SignatureFile 2 Signature……

Tripwire

Tripwire

1.EarlierTime

2.After

Attack

Post-Attack Signatures

3. Comparison to Find Changed Files

Reference Base

File Integrity problem: many files change for legitimate reasons. So it is difficult to know which ones the attacker changed.

24

Other types of host that can be Hardened Internetwork Operating System (IOS)

For Cisco Routers, Some Switches, Firewalls Even cable modems with web-based

management interfaces