Information Security Lesson 4 - Baselines - Eric Vanderburg
- 2. Basic Security
• TSR (Terminate and Stay Resident) programs – applications that keep
running even after you close them so that they can be loaded faster.
• Process – a program or program component that runs in the background.
Information Security © 2006 Eric Vanderburg
- 3. Services
• Perform a specific function for the OS. Each requires a process or
processes to function. They run in these modes:
– Automatic
– Manual
– Disabled
• Services.msc
- 4. Services
• Netstat - displays active TCP connections and the ports on which the
computer is listening
- 5. Services
• Disable unused services
– Difficult because it is hard to find which ones are not
used
– Processes can be monitored but many services could
use a process
• Unused services are great for attackers because
you do not see their activity and they are always
running.
• Malicious code could be added to the service to
run with it.
• Network services have an associated port that
must be open for them to function. This is an
entry point for an attacker.
– Port numbers? Review
- 6. TCP/IP
• Socket
– Protocol, Address, Port
– TCP 13.154.33.61:53
• IP Address review
• 65,535 ports; ports 1000 and lower are the most used
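A way to turn slides 4 to 6 into a baseline check, written as an added example (not part of the original slides): it parses a constructed netstat -an listing, collects the listening sockets as (protocol, address, port), and reports any socket that is not on an assumed baseline of expected ports, which is where an unused or unexpected service would show up.

```python
from typing import List, Set, Tuple

# Constructed sample of "netstat -an" output (Windows format); not a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49210     13.154.33.61:53        ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Assumed baseline: sockets this host is expected to expose, as (protocol, port).
BASELINE: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 139), ("TCP", 445)}

Socket = Tuple[str, str, int]  # (protocol, address, port)

def parse_socket(text: str) -> Tuple[str, int]:
    """Split 'address:port' into (address, port); a non-numeric port becomes 0."""
    addr, _, port = text.rpartition(":")
    return addr, int(port) if port.isdigit() else 0

def listening_sockets(netstat_output: str) -> List[Socket]:
    """Return the sockets in a listening/bound state from netstat -an text."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        # TCP listeners report LISTEN/LISTENING; UDP sockets carry no state.
        if proto == "TCP" and not state.startswith("LISTEN"):
            continue
        addr, port = parse_socket(local)
        found.append((proto, addr, port))
    return found

def unexpected_listeners(netstat_output: str, baseline: Set[Tuple[str, int]]) -> List[Socket]:
    """Listening sockets not in the baseline: candidates for an unused service."""
    return [s for s in listening_sockets(netstat_output) if (s[0], s[2]) not in baseline]

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"not in baseline: {proto} {addr}:{port}")
```

On a real host, replace SAMPLE_NETSTAT with the captured output of netstat -an and the baseline with the ports the system is documented to serve.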
- 7. Securing the system
• OS Hardening – securing
the system against
vulnerabilities. (see
guides for each system)
– Patch management is one
component
– Patch – fixes an issue and
is tested
– Hot fix – less tested than a
patch
– Service Pack – Group of
patches together. The
entire group is tested
together for stability.
- 8. Patch Management
• SUS (Software Update Services) or 3rd
party tools
• Define patches for groups of computers
• Update computers on a schedule
• Verify that patches have been installed
(log)
- 9. MMC (Microsoft Management Console)
• Custom MMCs
– Saved as .msc in your documents and
settings
– Can work for local or remote computers
– Taskpad
– Snap-ins
• Security Policy
– Security Configuration and Analysis MMC
snap-in
– Command-line SECEDIT utility
- 10. Security Templates (Windows)
• Security Templates
– Setup Security - default security settings.
– Compatible (compatws.inf) - members of the Users group can
run applications that are not a part of the Designed for Windows
Logo Program.
– Secure (securedc.inf / securews.inf) - modifies security
settings that impact the operating system and network protocols
such as the password policy, account policy, and various
Registry settings. It also removes all members from the Power
Users group.
– Highly Secure (hisecdc.inf / hisecws.inf) - This template
increases the security of the parameters defined within the
secure template. This template also removes all members from
the Power Users group.
– Internet Explorer (lesacls.inf) – locks down IE
– Reset file permissions (rootsec.inf) – reset permissions
starting from the root.
- 11. Group Policy
• Make environmental changes to groups of
clients or servers
• Change policies such as password length
or complexity for a domain
• Enforce restrictions on users or computers
• Restrict available software
- 12. Default GPOs
• Default Domain Policy
– Applied to domain
– Password policy, account policy, & Kerberos policy
can only be set here
• Default Domain Controllers Policy
– Applied to DC container
• Create others in the Group Policy Object
Editor MMC or from AD Users &
Computers
- 13. Hardening
• Application Hardening
– Patch
– MBSA (Microsoft Baseline Security Analyzer) can check for
patch compliance with Microsoft applications
– Cisco Security Agent can restrict the abilities of certain
applications
• Web Server Hardening
– ACLs
– Patch
– Delete sample web pages
– Put the web server in a separate area of the network, the DMZ
(Demilitarized Zone)
– Delete scripts and applications that are not used
– Enable encryption for sensitive data
- 14. Hardening
• Mail Server Hardening
– Use a single purpose machine
– Require authentication for mail protocols to protect
against open mail relay (bouncing messages from
your mail server to another).
– Set an ACL for those who can send messages
– Enable logging for defense and legal purposes.
• File Servers Hardening
– Set appropriate permissions
– Log access to sensitive files
– Keep behind the firewall
- 15. Hardening
• NNTP (Network News Transfer Protocol)
Hardening
– ACLs
– Authentication
– Patch
• FTP Server Hardening
– Disable anonymous logon
– Use an ACL
– Set appropriate privileges
– Set account logon restrictions such as time-outs, lockouts for failed logon, and auditing.
- 16. Hardening Data Repositories
• Directory Services
– Windows
• AD (Active Directory)
• SAM (Security Accounts Manager) – local database
• DC (Domain Controller)
• PDC (Primary Domain Controller)
• BDC (Backup Domain Controller)
– Novell (eDirectory)
– LDAP (Lightweight Directory Access Protocol)
– Use ACLs
– Restrict the right to log on locally to domain controllers
- 17. Hardening Data Repositories
• DBMS (Database Management System)
– Oracle, SQL Server, Informix, Sybase, DB2
– Buffer Overflow
– SQL (Structured Query Language) Injection – send a
malformed SQL query
• Utilize user views
• Segment the database
• Keep the database tables behind the firewall
• Utilize authentication
• Stored procedures and web forms should use proper coding techniques to
protect against buffer overflow, SQL injection, and other attacks.
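An added example, not from the slides, putting the malformed-query point beside the "proper coding technique" that defeats it: a lookup that pastes input into the SQL text next to the same lookup using a bound parameter, run against a constructed in-memory SQLite table.

```python
import sqlite3
from typing import List, Tuple

def build_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Deliberately unsafe: the input is pasted into the SQL text, so a quote
    in the input changes the structure of the query instead of being data."""
    query = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Hardened: the driver binds the value, so it can never become SQL syntax."""
    query = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# A malformed input of the kind the slide refers to: the quote closes the
# string literal and the rest is interpreted as SQL by the unsafe lookup.
MALFORMED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:   ", lookup_vulnerable(conn, MALFORMED_INPUT))     # every row
    print("parameterized:", lookup_parameterized(conn, MALFORMED_INPUT))  # no rows
```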
- 18. Hardening Networks
• Update firmware on network devices
– EEPROM (Electrically Erasable Programmable Read
Only Memory)
• Filter data at the edge of the network (Firewalls)
• Filter by:
– Address (IP or MAC)
– Domain name
– Protocol
– Port
– Message content
– Session
- 19. Hardening Networks
• ACLs and Rule bases are used in filtering
– Keep rule bases small to increase efficiency in
filtering (max: 40 rules)
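An added example (not from the slides) of the edge filtering on slides 18 and 19: a small first-match rule base that filters by source address, protocol and destination port with default deny, and refuses to evaluate a rule base larger than the 40-rule maximum the slide gives. The rules and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAX_RULES = 40  # the rule-base size ceiling recommended on the slide

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    protocol: str         # "tcp", "udp" or "any"
    source: str           # source network in CIDR form; "0.0.0.0/0" for any
    port: Optional[int]   # destination port; None matches any port

    def matches(self, protocol: str, src: str, dst_port: int) -> bool:
        return ((self.protocol == "any" or self.protocol == protocol)
                and ip_address(src) in ip_network(self.source)
                and (self.port is None or self.port == dst_port))

def filter_packet(rules: List[Rule], protocol: str, src: str, dst_port: int) -> str:
    """First matching rule decides; traffic no rule allows is dropped (default deny)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"rule base has {len(rules)} rules, maximum is {MAX_RULES}")
    for rule in rules:
        if rule.matches(protocol, src, dst_port):
            return rule.action
    return "deny"

# Constructed edge rule base for a web server in the DMZ (not from a real device).
EDGE_RULES = [
    Rule("deny",  "any", "10.0.0.0/8",     None),  # drop spoofed internal addresses first
    Rule("allow", "tcp", "0.0.0.0/0",      80),
    Rule("allow", "tcp", "0.0.0.0/0",      443),
    Rule("allow", "tcp", "192.168.1.0/24", 22),    # management only from the admin network
]

if __name__ == "__main__":
    for pkt in [("tcp", "203.0.113.5", 443), ("tcp", "203.0.113.5", 22), ("tcp", "10.1.2.3", 80)]:
        print(pkt, "->", filter_packet(EDGE_RULES, *pkt))
```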
- 20. Acronyms
• BDC, Backup Domain Controller
• DNS, Domain Name Service
• DHCP, Dynamic Host Configuration Protocol
• EEPROM, Electrically Erasable Programmable Read Only Memory
• EPROM, Erasable Programmable Read Only Memory
• FTP, File Transfer Protocol
• MMC, Microsoft Management Console
• NNTP, Network News Transfer Protocol
- 21. Acronyms
• NOS, Network Operating System
• PDC, Primary Domain Controller
• ROM, Read Only Memory
• SAM, Security Accounts Manager
• TSR, Terminate and Stay Resident
• DBMS, Database Management System
• AD, Active Directory
• LDAP, Lightweight Directory Access Protocol
• SQL, Structured Query Language