Presentation is loading. Please wait.

Presentation is loading. Please wait.

System Hardening Borrowed from the CLICS group. System Hardening How do we respond to problems? (e.g. operating system deadlock) Detect Detect (Detect.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "System Hardening Borrowed from the CLICS group. System Hardening How do we respond to problems? (e.g. operating system deadlock) Detect Detect (Detect."— Presentation transcript:

1 System Hardening Borrowed from the CLICS group

2 System Hardening How do we respond to problems? (e.g. operating system deadlock) Detect Detect (Detect and) Terminate (Detect and) Terminate Prevent Prevent Security Analogy Better to prevent than try to clean up Better to prevent than try to clean up

3 System Hardening - Goals Prevent intrusion on a particular system Note: idea can (and should) be applied to network as well Note: idea can (and should) be applied to network as well Two main approaches 1) Develop and ship in hardened state 1) Develop and ship in hardened state 2) Harden after setup 2) Harden after setup

4 Security Certification Levels Department of Defense, Trusted Computer System Evaluation Criteria (TCSEC) Orange book – systems; Red book – systems/networks Levels Class D (minimal protection) Class D (minimal protection) Class C1 (discretionary security protection) Class C1 (discretionary security protection) Class C2 (controlled access protection) Class C2 (controlled access protection) Class B1 (labeled security protection) Class B1 (labeled security protection) Class B2 (structured protection) Class B2 (structured protection) Class B3 (security domains) Class B3 (security domains) Class A1 (verified design) Class A1 (verified design)

5 1) Hardening Before Shipping System architecture should be designed to prevent attacks/intrusion Configured for high security as default Configured for high security as default System programmed defensively System programmed defensively assume any user could be unfriendly System is audited for security problems System is audited for security problems System built to contain known problems System built to contain known problems Examples – Operating System Level OpenBSD ( http://www.openbsd.org ) OpenBSD ( http://www.openbsd.org )http://www.openbsd.org SELinux ( http://www.nsa.gov/selinux ) SELinux ( http://www.nsa.gov/selinux )http://www.nsa.gov/selinux

6 2) Hardening After Delivery Techniques Configuration Configuration Changing system configuration to deal with security issues Wrappers Wrappers Proxy programs that are run in place of actual program, check for certain problems before calling original program (which is moved to a non-public directory)

7 Wrapper Example TCP Wrappers (Linux) Monitors and filters incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services Provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files The wrappers report the name of the client host and of the requested service Imposes no overhead on the actual conversation between the client and server applications

8 System Hardening Tools - Linux Example: bastille http://www.bastille-linux.org http://www.bastille-linux.org http://www.bastille-linux.org Script to help automate security changes in a number of areas (file transfer, mail, general configuration) Script to help automate security changes in a number of areas (file transfer, mail, general configuration) Bastille --assessment Bastille --assessment Certain actions still have to be done manually Certain actions still have to be done manually Be careful not to turn off needed services accidentally Be careful not to turn off needed services accidentally E.g. Don’t disallow root access at console unless you have other accounts you can use to gain superuser status

9 System Hardening Tools (Windows) Microsoft Baseline Security Analyzer More accurately a vulnerability analysis tool More accurately a vulnerability analysis tool But notes contain links or information are very useful in system hardening But notes contain links or information are very useful in system hardening Start/Programs/Microsoft Baseline Security Analyzer Start/Programs/Microsoft Baseline Security Analyzer Tools for specific applications E.g. Internet Information Server is weak point E.g. Internet Information Server is weak point IIS Lockdown Tool IIS Lockdown Tool C:\Tools\IISLockD C:\Tools\IISLockD

10 Port/Service Closure - Linux GUI Interface Utilities -> Server Settings -> Services -> Server Settings -> Services Choose run-level (e.g. 3: without X; 5: with X) Choose run-level (e.g. 3: without X; 5: with X) Remove services through checkboxes Remove services through checkboxesManually Directory hierarchy: /etc/rc.d Directory hierarchy: /etc/rc.d Subdirectories for different run-levels, main script directory (init.d)

11 Port/Service Closure - Windows Add and remove services Start/Programs/Administrative Tools/Services Start/Programs/Administrative Tools/Services See processes currently running Task Manager (ctrl-alt-del), Processes tab Task Manager (ctrl-alt-del), Processes tab

Download ppt "System Hardening Borrowed from the CLICS group. System Hardening How do we respond to problems? (e.g. operating system deadlock) Detect Detect (Detect."

Similar presentations

Windows 2003 Server. Windows 2003 Server Contents Fitur Windows 2003 Server Installation And Configuration Windows Management Resource  User Management.

Windows 2003 Server. Windows 2003 Server Contents Fitur Windows 2003 Server Installation And Configuration Windows Management Resource  User Management.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Host Hardening (March 21, 2011) © Abdou Illia – Spring 2011.

Host Hardening (March 21, 2011) © Abdou Illia – Spring 2011.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.

Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Firewalls CS158B Don Tran. What is a Firewall? A firewall can be a program or a device that controls access to a network.

Firewalls CS158B Don Tran. What is a Firewall? A firewall can be a program or a device that controls access to a network.
Linux Operations and Administration

Linux Operations and Administration
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Guide to MCSE 70-270, Second Edition, Enhanced1 Windows XP Network Overview Most versatile Windows operating system Supports local area network (LAN) connections.

Guide to MCSE , Second Edition, Enhanced1 Windows XP Network Overview Most versatile Windows operating system Supports local area network (LAN) connections.
Networking Security Chapter 8 powered by dj. Chapter Objectives  Explain various security threats  Monitor security in Windows Vista  Explain basic.

Networking Security Chapter 8 powered by dj. Chapter Objectives  Explain various security threats  Monitor security in Windows Vista  Explain basic.

Similar presentations

Ads by Google