Security+
All-In-One Edition
Chapter 12 – Security Baselines
Brian E. Brzezicki
Hardening and Baselines
Operating systems and software are written to be functional and easy to use and install. Otherwise vendors will have a hard time selling them ;-)
Unfortunately they generally come configured insecure (or less secure than possible) out of the box.
There are two important terms we need to understand in regards to securing systems out of the box.
Hardening
Hardening – the process of securing a system as much as possible for production
• Installing updates/patches
• Disabling or removing* unnecessary software/services
• Securing services
  – Setting application configuration controls to max security
  – Setting OS configuration controls to max security
  – Restricting access to authorized users
• Installing add-on host-based tools such as firewalls and anti-virus.
Baseline – The row of shields above your fighter that protects you from attack by hordes of aliens
Baselines
Close actually…
Baselines – the process of establishing a minimum set of protections that protects a computer system/network from attack from the hordes of script-kiddies and crackers.
• MINIMUM set of protections and configurations
• Important to have baselines in any organization – why?
Password Policies (340)
One baseline concept that is often overlooked is the idea of requiring strong password practices (policy).
Why is a password policy important?
(more)
Password Policy Concepts (343)
What are all these things?
• Minimum password lengths – 8
• Minimum password ages – days to weeks
• Maximum password ages – 60 - 90 days
• Case changes, number and special characters
  – 1 or more A-Z
  – 1 or more a-z
  – 1 or more 0-9
  – 1 or more special character
• Password History – 5 - 10
• No personal information (usernames, real name, children's names, birthdates)
Password Usability vs. Security
However you have to balance “usability” vs. security
• What do I mean by this?
• What problems occur with “too secure” passwords?
I like to use a “passphrase” to generate a password
“I Like to drink Iced Tea and Lemon”
I L T D I T A L
1 L t d 1 t @ l
Attacks against passwords (342)
Some types of attacks that you should understand the terminology of
• Dictionary Attack – go through the dictionary
• Hybrid attack – makes substitutions on dictionary words
• Brute force – try everything!
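The following is an added example (not code from the slides or from any of the tools they name) showing what a password filter of the PASSFILT/PAM kind would have to check to enforce the policy concepts on the previous slides: minimum length, the four character classes, password history, no personal information, and the passphrase-derived style shown above. It also catches the passwords a dictionary or hybrid attack would guess first by undoing common letter-to-symbol substitutions before comparing against a wordlist. The wordlist and substitution table are constructed sample data; minimum and maximum password age are rotation rules enforced at login time and are outside this function.

```python
"""Password-policy checker (added example, not from the slide deck)."""
import hashlib
import hmac
import re
import secrets

# Constructed sample wordlist; a real deployment would load a large one.
WORDLIST = {"password", "welcome", "letmein", "summer", "tea", "lemon"}

# Reverse map for the substitutions a hybrid attack tries (constructed, not exhaustive).
UNLEET = str.maketrans({"1": "i", "!": "i", "3": "e", "0": "o", "@": "a",
                        "$": "s", "5": "s", "4": "a", "7": "t"})


def _hash(password, salt):
    """Salted slow hash; only this, never the password, is kept in the history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def remember(password, history):
    """Append a fresh (salt, hash) pair for password to the history list."""
    salt = secrets.token_bytes(16)
    history.append((salt, _hash(password, salt)))


def in_history(password, history):
    """True if password matches any stored (salt, hash) pair."""
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in history)


def looks_dictionary_based(password):
    """True if the password is a wordlist entry once leading/trailing digits or
    symbols are dropped and leet substitutions are undone (a hybrid-attack guess)."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(UNLEET) in WORDLIST


def check_password(password, personal_info=(), history=(), min_length=8):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        problems.append("needs upper, lower, digit and special character")
    lowered = password.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    if looks_dictionary_based(password):
        problems.append("dictionary word or simple substitution of one")
    if in_history(password, history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    hist = []
    remember("OldPassw0rd!", hist)
    for candidate in ["1Ltd1t@l", "P@ssw0rd1", "Brian1234!", "OldPassw0rd!"]:
        print(candidate, "->", check_password(candidate, ["Brian"], hist) or "OK")
```

The passphrase-derived password from the slide ("1 L t d 1 t @ l") passes every check, while "P@ssw0rd1" fails only the dictionary test, which is the point of normalizing substitutions rather than just counting character classes.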
Password Crackers (341)
As a security administrator, you should use software that enforces your company's password policies, such as
• PASSFILT.DLL (NT 4.0 SP2)
• Windows Group Policies (Windows 2000+)
• Npasswd or PAM on Unix/Linux
You should also try to “crack” passwords periodically
• Cain and Abel (Windows)
• John the Ripper (Windows, Unix)
• Crack (Unix)
Random password term
Virtual password – Some software asks you to type a passphrase, like a sentence. The software often takes the passphrase and uses it to create a “virtual password”.
Anyone have any ideas how they could do that?
Hardening
Windows 2003 (345)
Windows 2003 was MS's first product using their “Trustworthy Computing Initiative”. The concept was “Secure by design, secure by default”. This included
• Fewer default installed features (19 fewer than 2000, next slide)
• Official Security Guides for securing services
• Security Configuration Wizards – easily install and lock down services
• Software Restriction Policy – allows an administrator to define what software should be allowed to run on a system – Why is this important?
(more)
Services
Show for real on workstation.
Windows 2003
• IIS – allows isolation between web applications.
• Enhanced auditing features
• Network Access Quarantine – explain this.
• MBSA – Microsoft Baseline Security Analyzer… this is a type of vulnerability assessment program for MS OS and software. You should run this on all MS machines.
Windows 2008 (346)
• BitLocker – drive encryption software
• Role-based installation of network services (Web server only installs Web server, not DNS etc.)
• Read-only Domain Controllers
• NAP – controls access to network resources based on a computer's compliance with security policy.
Difference between NAQ and NAP
Always make sure you're up to date on patches/service packs (361)
Staying up to date is one of the best ways to protect from network service attacks (especially buffer overflows)
Some terms you should understand (Microsoft specific)
• Hot Fix
• Patch
• Service Pack
Updates can be applied either manually or automatically. They can also be downloaded automatically and stored until install.
Unix (347)
• Keep software up to date (see next slide)
• Disable/remove unnecessary accounts
• Disable unnecessary software (remove it actually)
• Turn off unnecessary services out of /etc/rc.*
• Turn off unnecessary services out of “xinetd” (2 slides away)
• Remove compilers
• Tighten file/directory permissions
• Remove SUID programs
• Install TCP wrappers (in a few slides)
• Configure host-based firewall
• Install and maintain tripwire scanning
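To act on the “tighten file/directory permissions” and “remove SUID programs” items you first need an inventory of what is on the box. The script below is an added example (not from the slides and not a Tripwire component) that walks a directory tree and reports SUID/SGID files and world-writable files or directories that lack the sticky bit, which is the list a hardening pass would review and then chmod or remove. The classification is kept in a pure function of the mode bits so it can be checked without real files; the default path /usr/bin is only a convenient starting point.

```python
"""Permission audit for the Unix hardening checklist (added example)."""
import os
import stat
import sys


def classify(mode):
    """Findings for one st_mode value: 'suid', 'sgid', 'world-writable'.
    A directory that is world-writable but sticky (like /tmp) is not flagged."""
    findings = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        findings.append("suid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        findings.append("sgid")
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        findings.append("world-writable")
    return findings


def audit_tree(root):
    """Map each flagged path under root to its findings. Symlinks are skipped,
    not followed, so a link into another tree cannot inflate the report."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue
            found = classify(st.st_mode)
            if found:
                report[path] = found
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, found in sorted(audit_tree(root).items()):
        print(f"{', '.join(found):22} {path}")
```

Run it once after a fresh install to produce the baseline list, then diff later runs against it; a new SUID binary or world-writable directory appearing in the diff is exactly the kind of change the tripwire item on the slide is meant to catch.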
yum-updatesd (n/b)
yum
Xinetd (354)
• Xinetd is a program that manages various services and starts up an instance of a service when a user tries to access this service. Services are defined by text configuration files in /
The predecessor to xinetd is “inetd”. Still used in Solaris last time I checked (Solaris 9)
Xinetd config file example next slide
Xinetd
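The config file slide itself is not in this extract. As an added example (not from the slides or from xinetd), here is a constructed configuration in the xinetd service-stanza format together with a small parser that answers the hardening question from the Unix checklist: which services would xinetd actually start on demand? A service is off when its stanza says disable = yes or when it is named in the disabled list of the defaults stanza; the += and -= operators append to or remove from a list attribute. Line continuations and include directives are not handled.

```python
"""xinetd service-stanza parser (added example, constructed sample config)."""
import re

SAMPLE_CONFIG = """\
# constructed sample in the xinetd configuration format
defaults
{
    log_type    = SYSLOG daemon info
    disabled    = finger
}

service telnet
{
    disable     = yes
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}

service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
}

service sgi_fam
{
    disable     = no
    socket_type = stream
    type        = RPC
    user        = root
    server      = /usr/bin/fam
    log_on_failure += USERID
}
"""

_HEADER = re.compile(r"^(defaults|service\s+(\S+))\s*$")
_ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd(text):
    """Return (defaults, services): attribute dicts, services keyed by name."""
    defaults, services = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        header = _HEADER.match(line)
        if header:
            current = defaults if header.group(1) == "defaults" \
                else services.setdefault(header.group(2), {})
            continue
        if line == "{":
            continue
        if line == "}":
            current = None
            continue
        attr = _ATTR.match(line)
        if attr and current is not None:
            name, op, value = attr.groups()
            if op == "+=":
                current[name] = (current.get(name, "") + " " + value).strip()
            elif op == "-=":
                drop = set(value.split())
                current[name] = " ".join(v for v in current.get(name, "").split() if v not in drop)
            else:
                current[name] = value.strip()
        # anything else is a syntax error in real xinetd; ignored here
    return defaults, services


def enabled_services(text):
    """Names of services xinetd would start, sorted."""
    defaults, services = parse_xinetd(text)
    globally_disabled = set(defaults.get("disabled", "").split())
    return sorted(name for name, attrs in services.items()
                  if attrs.get("disable", "no").lower() != "yes"
                  and name not in globally_disabled)


if __name__ == "__main__":
    print("enabled:", enabled_services(SAMPLE_CONFIG))
```

On the constructed file only sgi_fam is live: telnet is disabled in its own stanza and finger is disabled by the defaults stanza, two different places a reviewer has to look before concluding a service is off.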
TCP wrappers (n/b)
Before Unix had host-based firewalls included, TCP wrappers was used to limit access to network services to certain IP addresses. It is still heavily used today and a good practice to use them.
TCP wrappers takes 2 text-based files
• /etc/hosts.allow
  – read first, overrides /etc/hosts.deny if conflict
• /etc/hosts.deny
  – read last
Example next page
/etc/hosts.deny (tcpwrappers)
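The example page for /etc/hosts.deny is not in this extract. The following is an added example (not from the slides and not part of TCP wrappers) that reproduces the evaluation order from the slide on constructed copies of both files: hosts.allow is consulted first and a matching line grants access; otherwise hosts.deny is consulted and a matching line refuses it; if neither file matches, access is granted. Each line is daemon_list : client_list; supported client patterns are ALL, an exact IPv4 address, a dotted prefix ending in “.”, network/netmask or CIDR, and the EXCEPT operator. Hostname patterns, LOCAL, and the shell-command option field are not handled.

```python
"""TCP wrappers hosts.allow / hosts.deny evaluator (added example)."""
import ipaddress

HOSTS_ALLOW = """\
# constructed sample /etc/hosts.allow
sshd : 192.168.1. 10.0.0.0/255.255.0.0
ALL  : 127.0.0.1
"""

HOSTS_DENY = """\
# constructed sample /etc/hosts.deny: the usual "deny everything else" stance
sshd : ALL
ALL  : ALL EXCEPT 192.168.0.0/16
"""


def _client_matches(pattern, client):
    """One client pattern against one IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # dotted prefix, e.g. 192.168.1.
        return client.startswith(pattern)
    if "/" in pattern:                             # net/mask or CIDR
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return client == pattern                       # exact address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(tokens, value, match_one):
    """'a b EXCEPT c d' matches when value is in the first group and not the second."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        included, excluded = tokens[:i], tokens[i + 1:]
    else:
        included, excluded = tokens, []
    return (any(match_one(p, value) for p in included)
            and not any(match_one(p, value) for p in excluded))


def file_matches(text, daemon, client):
    """True if any line of the file matches; like tcpd, the first match wins."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line; real tcpd logs a syntax error and skips it
        daemons, clients = fields[0].split(), fields[1].split()
        if _list_matches(daemons, daemon, _daemon_matches) and \
                _list_matches(clients, client, _client_matches):
            return True
    return False


def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Apply the documented order: allow file first, then deny file, else permit."""
    if file_matches(allow, daemon, client):
        return True
    if file_matches(deny, daemon, client):
        return False
    return True


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.168.1.5"), ("sshd", "203.0.113.9"),
                           ("ftpd", "192.168.7.7"), ("ftpd", "203.0.113.9")]:
        print(f"{daemon:5} from {client:14} ->", "allow" if access_allowed(daemon, client) else "deny")
```

The last rule of the evaluation is the one worth remembering when reviewing a host: with an empty or missing hosts.deny, every connection that hosts.allow does not mention is permitted, so a deny file that ends in ALL : ALL is what turns the two files into a default-deny control.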