Server Hardening PrimerDr. Eric VanderburgDirector, Information Systems and SecurityComputer Forensic and Investigation ServicesJURINNOV LTD

John Tsai, CEH, CISSPSecurity EngineerJURINNOV LTD

2

Objectives

•Disable nonessential systems

•Harden operating systems

•Harden applications

•Harden networks

3

Disabling Nonessential Systems

• First step in establishing a defense against computer attacks is to turn off all nonessential systems

• The background program waits in the computer’s random access memory (RAM) until the user presses a specific combination of keys (a hot key), such as Ctrl+Shift+P

• Then, the idling program springs to life

4

Disabling Nonessential Systems (continued)

• Early terminate-and-stay-resident (TSR) programs performed functions such as displaying an instant calculator, small notepad, or address book

• In Microsoft Windows, a background program, such as Svchostexe, is called a process

• The process provides a service to the operating system indicated by the service name, such as AppMgmt

5

Disabling Nonessential Systems (continued)

•Users can view the display name of a service, which gives a detailed description, such as Application Management

•A single process can provide multiple services

6

Disabling Nonessential Systems (continued)

• A service can be set to one of the following modes:• Automatic

• Manual

• Disabled

• Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system

7

Disabling Nonessential Systems (continued)

• The User Datagram Protocol (UDP) provides for a connectionless TCP/IP transfer

• TCP and UDP are based on port numbers

• Socket: combination of an IP address and a port number• The IP address is separated from the port

number by a colon, as in 19814611820:80

8

Hardening Operating Systems

• Hardening: process of reducing vulnerabilities

• A hardened system is configured and updated to protect against attacks

• Three broad categories of items should be hardened:• Operating systems

• Applications that the operating system runs

• Networks

9

Hardening Operating Systems (continued)

• You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2008 R2 or Linux

10

Applying Updates

• Operating systems are intended to be dynamic

• As users’ needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis

• However, vendors release a new version of an operating system every two to four years

• Vendors use certain terms to refer to the different types of updates

11

Applying Updates (continued)

• A service pack (a cumulative set of updates including fixes for problems that have not been made available through updates) provides the broadest and most complete update

• A hotfix does not typically address security issues; instead, it corrects a specific software problem

12

Applying Updates (continued)

• A patch or a software update fixes a security flaw or other problem• May be released on a regular or irregular

basis, depending on the vendor or support team• A good patch management system includes

documentation and consistent implementation

13

Securing the File System

• Another means of hardening an operating system is to restrict user access

• Generally, users can be assigned permissions to access folders (also called directories in the command shell and UNIX/Linux) and the files contained within them

14

Securing the File System (continued)

•Microsoft Windows provides a centralized method of defining security on the Microsoft Management Console (MMC) • A Windows utility that accepts additional

components (snap-ins)• After you apply a security template to

organize security settings, you can import the settings to a group of computers (Group Policy object)

15

Securing the File System (continued)

• Group Policy settings: components of a user’s desktop environment that a network system administrator needs to manage

• Group Policy settings cannot override a global setting for all computers (domain-based setting)

• Windows stores settings for the computer’s hardware and software in a database (the registry)

16

Hardening Applications

• Just as you must harden operating systems, you must also harden the applications that run on those systems

• Hotfixes, service packs, and patches are generally available for most applications; although, not usually with the same frequency as for an operating system

17

Hardening Servers

•Harden servers to prevent attackers from breaking through the software

•Web server delivers text, graphics, animation, audio, and video to Internet users around the world

18

Hardening Servers (continued)

• Mail server is used to send and receive electronic messages

• In a normal setting, a mail server serves an organization or set of users

• All e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user

19

Hardening Servers (continued)

• In an open mail relay, a mail server processes e-mail messages not sent by or intended for a local user

• File Transfer Protocol (FTP) server is used to store and access files through the Internet• Typically used to accommodate users who

want to download or upload files

20

Hardening Servers (continued)

• FTP servers can be set to accept anonymous logons using

• A Domain Name Service (DNS) server makes the Internet available to ordinary users• DNS servers frequently update each other by

transmitting all domains and IP addresses of which they are aware (zone transfer)

21

Hardening Servers (continued)

• IP addresses and other information can be used in an attack

• USENET is a worldwide bulletin board system that can be accessed through the Internet or many online services

• The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers

22

Hardening Servers (continued)

• Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers

• Hardening a print/file server

• A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)

• DHCP servers “lease” IP addresses to clients

23

Hardening Data Repositories

•Data repository: container that holds electronic information

• Two major data repositories: directory services and company databases

•Directory service: database stored on the network that contains all information about users and network devices along with privileges to those resources

24

Hardening Data Repositories (continued)

• Active Directory is the directory service for Windows

• Active Directory is stored in the Security Accounts Manager (SAM) database

• The primary domain controller (PDC) houses the SAM database

25

Hardening Networks

• Two-fold process for keeping a network secure: • Secure the network with necessary updates• Properly configure it

26

Firmware Updates

• RAM is volatile―interrupting the power source causes RAM to lose its entire contents

• Read-only memory (ROM) is different from RAM in two ways:• Contents of ROM are fixed

• ROM is nonvolatile―disabling the power source does not erase its contents

27

Firmware Updates (continued)

• ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware

• To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window

• The contents of EEPROM chips can also be erased using electrical signals applied to specific pins

28

Network Configuration

• You must properly configure network equipment to resist attacks

• The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network

29

Network Configuration (continued)

• Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a

file system)

• Rules are composed of several settings

30

Summary

• Establishing a security baseline creates a basis for information security

• Hardening the operating system involves applying the necessary updates to the software

• Securing the file system is another step in hardening a system

31

Summary (continued)

• Applications and operating systems must be hardened by installing the latest patches and updates

• Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks

For assistance or additional information

• Phone: 216-664-1100

• Web: www.jurinnov.com

• Email: Eric.Vanderburg@jurinnov.com

John.Tsai@jurinnov.com

JurInnov Ltd.

The Idea Center

1375 Euclid Avenue, Suite 400

Cleveland, Ohio 4411532