Computer Security for Student-Administered Computers.

Similar presentations


Presentation on theme: "Computer Security for Student-Administered Computers."— Presentation transcript:

1 Computer Security for Student-Administered Computers

2 Agenda
- What's the Problem?
- Security Risk
- Security Incidents
- Defenses
- Vigilance

3 What's the Problem at UW?
- http://staff.washington.edu/dittrich/talks/security/incidents.html
- port-scanning: looking for systems to target
- buffer-overrun attacks: command execution via coding errors
- open account exploits: to log in
- packet sniffing: to learn login secrets
- trojan horse attacks: to fool the user into executing an infected program
- shared/stolen accounts: to log in
- denial of service attacks: to prevent or hamper use of computers
- file storage: to pirate software/music/etc.
- forging email or other electronic messages: to harass/threaten/fool

4 Security Goals
- Microsoft Prescriptive Guidance: Security Operations Guide for Windows 2000 Server
  - http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/windows/windows2000/staysecure/default.asp
- Get secure
- Stay secure (over time, amidst changes)

5 Security Risk
- Managing risk to protected resources
- Resources: data, applications, servers, etc.
  - what is its value?
- Threat: something that could access/harm resources
  - natural/physical, unintentional/intentional
- Vulnerability: point where a resource can be attacked
- Exploit: use of a vulnerability by a threat
  - could result in loss of confidentiality, integrity or availability
- Risks need to be ranked: low, medium, high

6 Security Incidents
- physical: earthquake, water leak, power failure, etc.
- technical vulnerability exploits: attacks, buffer overflows, ...
- information gathering exploit: OS identification, wireless leak, social engineering
- denial of service exploit: resource removal, physical damage, etc.

7 Defenses
- Data: encryption and backups; antivirus software
- Application: developer needs to enforce
- Host: limit server to specific roles
- Network: blocking and/or encrypting traffic
- Perimeter: firewalls; authorized PCs are clean before connecting
- Physical: removable media, locks, redundancy, restricted areas
- Policies and Procedures: raise awareness and prevent abuse

8 Windows 2000 Defenses
- Planning
- Isolation
- Installation and Upgrades
- Antivirus software
- Group Policy/Registry Changes
- IPSec/Filtering
- Application Lockdown

9 Windows 2000 Defenses: Planning
- What kind?
  - server: member or domain controller?
  - workstation?
- What role?
  - basic? web server? cluster?
- What's required for other services?
  - need to think about this

10 Windows 2000 Defenses: Isolation
- On an Internet-connected computer:
  - gather all upgrades and antivirus software
    - http://www.washington.edu/computing/software
  - download
    - Network Associates/McAfee Netshield (server)
    - McAfee VirusScan (workstation)
    - upgrades and updates
  - burn on CD
- Connect to a hub not connected to the Internet
  - Use static, non-routable IP addresses: 10.10.xxx.xxx

11 Windows 2000 Defenses: Installation and Upgrades
- Install Windows 2000
  - don't do it blindly: read and think about it
- Install latest service packs
- Install security patches/hotfixes to service packs
- Switch to a non-privileged account
  - use RUNAS whenever elevated privileges are needed
- Watch logs (use Event Viewer)

12 Windows 2000 Defenses: Antivirus
- Install Netshield
- Install latest upgrades/updates
  - don't schedule automatic update/upgrade (not connected)

13 Windows 2000 Defenses: Group Policy/Registry Changes
- templates are in %SystemRoot%\security\templates
- Basic
  - Basicwk.inf (workstation)
  - Basicsv.inf (member server)
  - Basicdc.inf (domain controller)
- Incremental
  - securedc.inf (domain controller)
  - securews.inf (workstations or member servers)
  - IIS Incremental.inf (IIS only)

14 Windows 2000 Defenses: Apply AD Group Policy
- Active Directory Users and Computers / Domain Controllers / Properties / Group Policy / New
  - type "BaselineDC Policy"
- press Enter, then right-click on BaselineDC Policy
- select "No Override"
- Edit / Windows Settings (expand) / Security Settings / Import Policy
  - locate template BaselineDC.inf and place its name in the "Import Policy From" box
  - close Group Policy and then click Close
- replicate to other domain controllers and reboot

15 Windows 2000 Defenses: Apply Member Group Policy
- Active Directory Users and Computers / Member Servers / Properties / Group Policy / New
  - type "Baseline Policy"
- Edit / Windows Settings (expand) / Security Settings / Import Policy
  - locate template Baseline.inf and place its name in the "Import Policy From" box
  - close Group Policy and then click Close
- repeat the above for the Incremental template files
- replicate to other domain controllers and reboot

16 Windows 2000 Defenses: Verify Group Policy
- Verify with secedit (compare with the existing template):
    secedit /analyze /db secedit.sdb /cfg xxxxx.inf
- look at the log file
- Test!

17 Windows 2000 Defenses: Registry Changes (in Baseline)
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  - EnableICMPRedirect=0
  - SynAttackProtect=2
  - DisableIPSourceRouting=2
  - PerformRouterDiscovery=0
- HKLM\System\CurrentControlSet\Services\AFD\Parameters
  - DynamicBacklogGrowthDelta=10
  - EnableDynamicBacklog=1
  - MinimumDynamicBacklog=20
  - MaximumDynamicBacklog=20000

18 Windows 2000 Defenses: IP Filtering
- Block all ports not needed for servers

19 Windows 2000 Defenses: Application Lockdown
- Read the application's notes on security
- IIS
  - IIS Incremental.inf
  - follow guidelines
- SQL Server
  - change default system DBA passwords
  - protect DBs with access rights/file permissions

20 Linux Defenses
- Planning
- Isolation
- Installation and Upgrades
- Antivirus software???
- IP Filtering
- Application Lockdown

21 Linux Defenses: Planning
- What kind?
  - workstation?
  - server?
- What servers?
  - web server? insecure servers?
- What apps are required?
- What services are required?

22 Linux Defenses: Isolation
- On an Internet-connected computer:
  - gather all upgrades
  - burn on CD
- Connect to a hub not connected to the Internet
  - Use static, non-routable IP addresses: 10.10.xxx.xxx

23 Linux Defenses: Installation and Upgrades
- Install Linux
  - don't do it blindly: read and think about it
  - put /tmp, /home and /var/log in separate partitions
- Install latest upgrades
- Switch to a non-privileged account
  - use "su -" whenever elevated privileges are needed
- Watch logs (usually in /var/log)

24 Linux Defenses: IP Filtering
- tcp wrappers
  - /etc/hosts.deny
    - ALL: ALL
  - /etc/hosts.allow
    - ALL: 10. LOCAL
    - sshd: ALL
- /etc/xinetd.d
  - disable = yes for undesired services
  - killall -USR2 xinetd
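The order in which tcpd consults the two files decides whether "ALL: ALL" in hosts.deny locks everyone out: hosts.allow is checked first and a match grants access, then hosts.deny is checked and a match refuses it, and anything matching neither is granted. This added example (not from the slides) evaluates that logic for the exact rules above, using constructed file contents and a subset of the tcpd client patterns (ALL, LOCAL, "10."-style address prefixes, ".domain" suffixes and exact names).

```python
# Constructed hosts.allow / hosts.deny contents reproducing the slide's rules.
HOSTS_ALLOW = """\
# lab network and dotless (local) hostnames may reach every wrapped service
ALL: 10. LOCAL
# ssh is the only wrapped service reachable from anywhere
sshd: ALL
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] for each 'daemons: clients' line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, client):
    """Subset of tcpd patterns; 'client' is the peer's address or resolved name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in client                  # hostname without a domain part
    if pattern.endswith("."):
        return client.startswith(pattern)         # network prefix such as 10.
    if pattern.startswith("."):
        return client.lower().endswith(pattern.lower())   # domain suffix
    return client.lower() == pattern.lower()

def rules_match(rules, daemon, client):
    """True if any rule names this daemon (or ALL) and matches this client."""
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, client) for c in clients)
               for daemons, clients in rules)

def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: hosts.allow match grants, else hosts.deny match refuses, else grant."""
    if rules_match(parse_rules(allow_text), daemon, client):
        return True
    if rules_match(parse_rules(deny_text), daemon, client):
        return False
    return True
```

These files are only consulted by daemons linked against libwrap or started through tcpd/xinetd, so confirm that for each service you expect them to protect; the real tool for such checks is tcpdmatch, which this example imitates offline.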

25 Linux Defenses: Apache Lockdown
- Apache: start by restricting everything:
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
  - then allow by specific directories
- want to disable CGI and includes

26 Linux Defenses: FTP Lockdown
- should not use FTP: it sends passwords in plain text
  - use ssh/scp/sftp instead
- /etc/ftpusers
  - should NOT include root or other privileged accounts
- disallow anonymous FTP
  - should read: class all real *

27 References
- http://www.washington.edu/computing/security
- Microsoft Baseline Security Analyzer
  - for 2000/XP
  - requires Internet access to run
  - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp
- SANS Institute Bookstore (Windows 2000 & Linux)
  - SANS = System Administration, Networking and Security
  - https://www.washington.edu/computing/software/sitelicenses/sans/sw/access.html
