Host Hardening (March 30, 2015) © Abdou Illia – Spring 2015 Series of actions to be taken in order to make it hard for an attacker to successfully attack.

1 Host Hardening (March 30, 2015) © Abdou Illia – Spring 2015
Series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment.

2 Computer system #1
- Intel® Core® i7 Processor (3.20GHz)
- 2GB SDRAM PC3200 (800MHz), Dual Channel
- 1TB Serial ATA 7200rpm Hard Disk Drive
- 16x Multi-Format DVD Writer (DVD±R/±RW)
- Gateway 7-Bay Tower Case
- Integrated Ultra ATA Controller
- (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
- (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2
- 20" Black LCD Flat Panel Display (19" viewable)
- Gateway Premium 104+ Keyboard
- Two-Button PS/2 Wheel Mouse
- Napster 2.0 and 150 Song Sampler
- Intel® High Definition Audio
- GMAX Speakers with Subwoofer
- 56K PCI data/fax modem
- 10/100/1000 (Gigabit) Ethernet
- Microsoft Office 2010 Professional on DVD

3 Computer Hardware & Software (layers of system #1)
- Computer Hardware
- Operating System
- Productivity Software

4 Computer system #2
- Intel® Core® i7 Processor (3.20GHz)
- 2GB SDRAM PC3200 (800MHz), Dual Channel
- 1TB Serial ATA 7200rpm Hard Disk Drive
- 16x Multi-Format DVD Writer (DVD±R/±RW)
- Gateway 7-Bay Tower Case
- Integrated Ultra ATA Controller
- (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
- (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2
- 20" Black LCD Flat Panel Display (19" viewable)
- Gateway Premium 104+ Keyboard
- Two-Button PS/2 Wheel Mouse
- Napster 2.0 and 150 Song Sampler
- Intel® High Definition Audio
- GMAX Speakers with Subwoofer
- 56K PCI data/fax modem
- 10/100/1000 (Gigabit) Ethernet
- Windows 7 Professional
- Google Chrome 16 installed
- Microsoft Office 2010 Professional installed

5 Computer Hardware & Software (layers of system #2)
- Computer Hardware
- Operating System
- Web browser
- Productivity Software

6 Computer system #3
- Intel® Core® i7 Processor (3.20GHz)
- 2GB SDRAM PC3200 (800MHz), Dual Channel
- 1TB Serial ATA 7200rpm Hard Disk Drive
- 16x Multi-Format DVD Writer (DVD±R/±RW)
- Gateway 7-Bay Tower Case
- Integrated Ultra ATA Controller
- (1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
- (7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel, Serial and (2) PS/2
- 20" Black LCD Flat Panel Display (19" viewable)
- Gateway Premium 104+ Keyboard
- Two-Button PS/2 Wheel Mouse
- Napster 2.0 and 150 Song Sampler
- Intel® High Definition Audio
- GMAX Speakers with Subwoofer
- 56K PCI data/fax modem
- 10/100/1000 (Gigabit) Ethernet
- Windows Server 2008 Enterprise installed
- Internet Explorer 8 installed
- IIS 6.0 installed

7 Computer Hardware & Software (layers of system #3)
- Computer Hardware
- Operating System
- Web service software (IIS, Apache, ...)
- Web browser
- Productivity Software
- Client & server application programs

8 Your knowledge about Host hardening
Which of the following is most likely to make a computer system unable to perform any kind of work or to provide any service?
a) Client application programs get hacked
b) Server application programs (web service software, database service, network service, etc.) get hacked
c) The operating system gets hacked
d) The connection to the network/Internet gets shut down

9 OS market share
OS Vulnerability test 2010 by omnired.com
OS tested: Win XP, Win Server 2003, Win Vista Ultimate, Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger, FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
Tools used to test vulnerabilities:
- Scanning tools (Track, Nessus)
- Network mapping (Nmap command)
All hosts tested with OS installation defaults.
Results:
- Microsoft's Windows and Apple's OS X are rife with remotely accessible vulnerabilities and allow for executing malicious code
- The UNIX and Linux variants present a much more robust exterior to the outside
- Once patched, however, both Windows and Apple's OS are secure.

10 Your knowledge about Host hardening
You performed an out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two different computers. Which computer is more likely to be secure?
a) Windows XP
b) Linux FreeBSD 6.2
c) They will have the same level of security

What needs to be done, first, in order to prevent a hacker from taking over a server with OS installation defaults that has to be connected to the Internet?
a) Lock the server room
b) Configure the firewall to deny all inbound traffic to the server
c) Download and install patches for known vulnerabilities

11 Security Baseline
Because it's easy to overlook something in the hardening process, businesses need to adopt a standard hardening methodology: a standard security baseline.
A different security baseline is needed for each kind of host, i.e.:
- Different security baselines for different OS and versions
- Different security baselines for different types of server applications (web service, service, etc.)
- Different security baselines for different types of client applications.

12 Options for Security Baselines
Organizations could use different standards:
- OS vendors' baselines and tools, e.g. follow the MS installation procedure and use Microsoft Baseline Security Analyzer (MBSA)
- Standards agencies' baselines, e.g. CobiT* Security Baseline
- Company's own security baselines
The security baseline is to be implemented by server administrators, known as systems admins.
* Control Objectives for Information and Related Technology

13 Elements of Hardening
- Physical security
- Secure installation and configuration
- Fix known vulnerabilities
- Remove/turn off unnecessary services (applications)
- Harden all remaining applications
- Manage users and groups
- Manage access permissions: for individual files and directories, assign access permissions to specific users and groups
- Back up the server regularly
- Advanced protections
(Each of these steps is carried out according to the security baseline.)

14 Example of Security Baseline for Win XP Clients
OS Installation
- Create a single partition on the HDD
- Format the disk using the NTFS file system
- Install Win XP and Service Pack 3
Fixing OS vulnerabilities
- Download and install the latest patches
- Turn on Windows' Automatic Updates checking
Configure Windows Firewall
- Block incoming connections except KeyAccess and Remote Assistance
Turn off unnecessary services
- Turn off Alerter, Network Dynamic Data Exchange, telnet
Application Installation
- Centrally assign applications using group policies
Fixing applications' vulnerabilities
- Turn on each application's automatic update checking
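Slides 11 to 14 argue that a baseline is only useful if it is written down precisely enough that a host can be checked against it. The following is an added example (not from the lecture) that expresses the slide 14 client baseline as data and reports each deviation of an observed host state from it; the field names (filesystem, service_pack, automatic_updates, firewall_exceptions, services_running) and the observed host record are constructed for this example, not taken from any real tool's output.

```python
"""Check an observed host state against a written security baseline.

Added example, not from the slides.  Baseline values come from slide 14
(Win XP client baseline); the observed host state below is a constructed
record with deliberate deviations.  Field names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    filesystem: str                  # required file system for the system partition
    min_service_pack: int            # minimum OS service pack level
    automatic_updates: bool          # must Automatic Updates be turned on?
    firewall_allowed: frozenset      # allowlist: the only inbound exceptions permitted
    services_off: frozenset          # denylist: services that must not be running


# Slide 14's Win XP client baseline, expressed as data.
WINXP_CLIENT_BASELINE = Baseline(
    filesystem="NTFS",
    min_service_pack=3,
    automatic_updates=True,
    firewall_allowed=frozenset({"KeyAccess", "Remote Assistance"}),
    services_off=frozenset({"Alerter", "Network DDE", "telnet"}),
)


def check_host(observed: dict, baseline: Baseline) -> list:
    """Return one finding per deviation from the baseline (empty list = compliant)."""
    findings = []
    if observed["filesystem"].upper() != baseline.filesystem:
        findings.append(f"filesystem is {observed['filesystem']}, "
                        f"baseline requires {baseline.filesystem}")
    if observed["service_pack"] < baseline.min_service_pack:
        findings.append(f"service pack {observed['service_pack']} is below "
                        f"required SP{baseline.min_service_pack}")
    if baseline.automatic_updates and not observed["automatic_updates"]:
        findings.append("Automatic Updates is turned off")
    # Firewall exceptions are an allowlist: anything not listed is a finding.
    for rule in sorted(set(observed["firewall_exceptions"]) - baseline.firewall_allowed):
        findings.append(f"unexpected firewall exception: {rule}")
    # Prohibited services are a denylist: any of them running is a finding.
    for svc in sorted(set(observed["services_running"]) & baseline.services_off):
        findings.append(f"prohibited service running: {svc}")
    return findings


# Constructed observed state of one client; three items deviate from the baseline.
SAMPLE_HOST = {
    "filesystem": "NTFS",
    "service_pack": 3,
    "automatic_updates": False,
    "firewall_exceptions": ["KeyAccess", "Remote Assistance", "File and Printer Sharing"],
    "services_running": ["Alerter", "Workstation", "Server"],
}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_HOST, WINXP_CLIENT_BASELINE):
        print("NONCOMPLIANT:", finding)
```

The point of the split between `firewall_allowed` and `services_off` is that the two lists are read in opposite directions: an inbound firewall exception is acceptable only if the baseline names it, whereas a service is acceptable unless the baseline prohibits it. Writing the baseline as data also means a second host type (a server baseline with different services) is a second `Baseline` value, not a second checker.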

15 Hardening servers
The 5 P's of security and compliance: Proper Planning Prevents Poor Performance
Plan the installation
- Identify:
  - The purpose of the server. Example: provides easy & fast access to Internet services
  - The services provided on the server: network service software (client and server)
  - The users or types of users of the server
- Determine:
  - Privileges for each category of users
  - If and how users will authenticate
  - How appropriate access rights will be enforced
  - Which OS and server applications meet the requirements
  - The security baseline(s) for installation & deployment
Install, configure, and secure the OS according to the security baseline
Install, configure, and secure server software according to the security baseline
Test the security
Add network defences
Monitor and maintain

16 Hardening servers (cont.)
Choose the OS that provides the following:
- Ability to restrict admin access (Administrator vs. Administrators)
- Granular control of data access
- Ability to disable services
- Ability to control executables
- Ability to log activities
- Host-based firewall
- Support for strong authentication and encryption
Disable or remove unnecessary services or applications
- If no longer needed, remove rather than disable, to prevent re-enabling
- Additional services increase the attack vector
- More services can increase host load and decrease performance
- Reducing services reduces logs and makes detection of intrusion easier

17 Hardening servers (cont.)
Configure user authentication
- Remove or disable unnecessary accounts (e.g. Guest account)
- Change names and passwords for default accounts
- Disable inactive accounts
- Assign rights to groups, not individual users
- Don't permit shared accounts if possible
- Configure time sync
- Enforce an appropriate password policy
- Use 2-factor authentication when necessary
- Always use encrypted authentication

18 UNIX / Linux Hardening
- Many versions of UNIX
- No standard guideline for hardening
- User can select the user interface: Graphical User Interface (GUI) or Command-Line Interfaces (CLIs), also called shells
- CLIs are case-sensitive; commands are in lowercase, while file names may use any case

19 UNIX / Linux Hardening
Three ways to start services:
- Start a service manually (a) through the GUI, (b) by typing its name in the CLI, or (c) by executing a batch file that does so
- Using the inetd program to start services when requests come in from users
- Using the rc scripts to start services automatically at boot up
inetd = Internet daemon, i.e. a computer program that runs in the background

20 UNIX / Linux Hardening
Figure: starting services upon client requests. inetd listens on behalf of Program A (port 23), Program B (port 80), Program C (port 123) and Program D (port 1510). 1. A client request arrives at port 123. 2. inetd looks up port 123 in /etc/inetd.config. 3. inetd starts Program C to process this request.
- Services not frequently used are dormant
- Requests do not go directly to the service
- Requests are sent to the inetd program, which is started at server boot up

21 UNIX / Linux Hardening
Turning on/off unnecessary services in UNIX
Identifying services running at any moment
- ps command (process status), usually with the -aux parameters, lists running programs; shows process name and process ID (PID)
- netstat tells what services are running on what ports
Turning off services in UNIX
- kill PID command is used to kill a particular process, e.g. kill 47 (if PID=47)
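Slides 19 to 21 describe two places a service can come from on a UNIX host: the inetd configuration (started on demand) and processes already listening (seen with netstat), and say unnecessary ones should be turned off. The following is an added example, not part of the lecture, that does the identification step: it parses an inetd.conf-style file (the slide calls it /etc/inetd.config; the real file is /etc/inetd.conf and its line format is used here) and the output of `netstat -tln`, then lists every on-demand or listening service that is not on an allowlist. Both input texts and the allowlist are constructed sample data for this example.

```python
"""Inventory network services on a UNIX host and flag the unnecessary ones.

Added example, not from the slides.  The inetd.conf excerpt and the
`netstat -tln` output below are constructed samples in the real formats;
the allowlists are this example's own assumption about what the host
is meant to offer.
"""

# Constructed /etc/inetd.conf excerpt.  Real field order:
#   service  socket_type  proto  wait/nowait  user  server_program [args]
# A leading '#' disables an entry, which is how a service is turned off in inetd.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf -- constructed sample
#echo   stream  tcp  nowait  root    internal
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ntalk   dgram   udp  wait    nobody  /usr/sbin/tcpd  in.ntalkd
"""

# Constructed `netstat -tln` output (Linux layout).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1510            0.0.0.0:*               LISTEN
"""

# Assumed allowlists for this host: SSH and HTTP exposed, ftp via inetd.
ALLOWED_PORTS = {22, 80}
ALLOWED_INETD = {"ftp"}


def parse_inetd_conf(text: str) -> dict:
    """Return {service: (protocol, server command)} for every active (uncommented) entry."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank or disabled entry
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed line; ignore rather than guess
        name, _socket_type, proto, _wait, _user = fields[:5]
        services[name] = (proto, " ".join(fields[5:]))
    return services


def parse_listening_ports(text: str) -> list:
    """Return sorted (proto, local address, port) for each TCP socket in LISTEN state."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 addresses intact
            listeners.add((fields[0], addr, int(port)))
    return sorted(listeners)


def unnecessary_services(inetd_text: str, netstat_text: str,
                         allowed_ports: set, allowed_inetd: set) -> list:
    """List on-demand and listening services that the host is not supposed to offer."""
    findings = []
    for name, (proto, command) in sorted(parse_inetd_conf(inetd_text).items()):
        if name not in allowed_inetd:
            findings.append(f"inetd starts '{name}' ({proto}, {command}) on demand; not in allowlist")
    for proto, addr, port in parse_listening_ports(netstat_text):
        if addr.startswith("127.") or addr == "::1":
            continue                      # loopback-only: not reachable from the network
        if port not in allowed_ports:
            findings.append(f"{proto} port {port} listening on {addr}; not in allowlist")
    return findings


if __name__ == "__main__":
    for finding in unnecessary_services(SAMPLE_INETD_CONF, SAMPLE_NETSTAT,
                                        ALLOWED_PORTS, ALLOWED_INETD):
        print(finding)
```

On the constructed input this reports telnet, finger and ntalk as inetd entries to comment out and port 1510 as a listener to investigate with `ps -aux`, while the mail daemon bound to 127.0.0.1:25 is left alone because it is not exposed to the network. The loopback check matters in practice: a service that must run for the host itself can often be kept while still disappearing from the attacker's view.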

22 Advanced Server Hardening Techniques
File Integrity Checker
- Creates a snapshot of files: a hashed signature (message digest) for each file
- After an attack, compares post-hack signatures with the snapshot
- This allows the systems administrator to determine which files were changed
- Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.: ftp://coast.cs.purdue.edu/pub/tools/unix

23 Advanced Server Hardening Techniques
Figure: Tripwire. 1. Earlier time: a signature is computed for File 1, File 2, ... and the other files in the policy list, forming the reference base. 2. After attack: post-attack signatures are computed for the same files. 3. Comparison of the two sets of signatures finds the changed files.
File integrity problem: many files change for legitimate reasons, so it is difficult to know which ones the attacker changed.
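To make the three steps on slides 22 and 23 concrete, the following is an added example of a minimal Tripwire-style checker; it is not Tripwire's code or part of the lecture. It builds a reference base of SHA-256 digests for the files selected by a policy, recomputes them later and reports changed, missing and added files. The policy excludes paths that change legitimately (logs, spool), which is the one mitigation available for the problem the slide raises. The directory layout, file contents and the simulated changes are constructed in a temporary directory so the example runs offline.

```python
"""Minimal file integrity checker in the style slides 22-23 describe.

Added example; not Tripwire's implementation.  Files and changes are
constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 message digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def default_policy(rel: str) -> bool:
    """Policy list: everything except files that change for legitimate reasons."""
    return not (rel.startswith("var/log/") or rel.startswith("var/spool/"))


def snapshot(root: Path, policy=default_policy) -> dict:
    """Step 1/2: {relative path: digest} for every regular file the policy selects."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if policy(rel):
                snap[rel] = digest(p)
    return snap


def compare(reference: dict, current: dict) -> dict:
    """Step 3: which files changed, disappeared, or appeared since the reference base."""
    both = reference.keys() & current.keys()
    return {
        "changed": sorted(k for k in both if reference[k] != current[k]),
        "missing": sorted(reference.keys() - current.keys()),
        "added": sorted(current.keys() - reference.keys()),
    }


def demo() -> dict:
    """Build a constructed file tree, take the reference base, simulate changes, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {                                   # constructed contents
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "usr/sbin/in.telnetd": b"constructed-binary-v1\n",
            "var/log/messages": b"boot ok\n",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        # 1. Earlier time: reference base, serialised as it would be when stored
        #    off-host or on read-only media, then loaded back for the comparison.
        reference = json.loads(json.dumps(snapshot(root)))

        # Simulated activity: a binary is replaced, a log grows (legitimate),
        # a new file appears, and a file is deleted.
        (root / "usr/sbin/in.telnetd").write_bytes(b"constructed-binary-v2\n")
        with (root / "var/log/messages").open("ab") as f:
            f.write(b"login ok\n")
        (root / "usr/local/bin").mkdir(parents=True)
        (root / "usr/local/bin/newtool").write_bytes(b"constructed-new-file\n")
        (root / "etc/hosts").unlink()

        # 2. After: post-change signatures.  3. Comparison.
        return compare(reference, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log file grows but produces no finding because the policy never included it; that is the trade-off the slide points at. Narrowing the policy hides legitimate noise, but anything outside it is also invisible to the checker, so the policy list is itself a security decision. The reference base has to be trusted, which is why the demo round-trips it through JSON as a stand-in for storing it where an attacker on the host cannot rewrite it.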

24 Other types of host that can be hardened
- Internetwork Operating System (IOS) for Cisco routers, some switches, firewalls
- Even cable modems with web-based management interfaces