CIST 1601 Information Security Fundamentals. Chapter 7 Operating System and Application Security. Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College.
Hardening the Operating System

The three basic areas of hardening are the operating system, applications, and the network. Operating system hardening includes configuring log files and auditing, changing default administrator account names and default passwords, and instituting account lockout and password policies to guarantee strong passwords that can resist brute-force attacks. File-level security and access control mechanisms serve to isolate access attempts within the operating system environment.

Disabling Unnecessary Services
Some of the more attack-prone services include IIS, FTP, and other common web technologies. Make sure these services are disabled if they aren't needed, and keep them up-to-date with the most recent security and service packs. Here are some tips:
File and Print Servers: Vulnerable to DoS and access attacks. Make sure these servers run only the protocols needed to support the network.
Networks with PC-Based Systems: Make sure NetBIOS services are disabled (ports 135, 137, 138, and 139) on servers, or that an effective firewall is in place between the server and the Internet. On Unix, disable port 111, the Remote Procedure Call (RPC) service.
Directory Sharing: Limit directory sharing to what is essential. Make sure root directories are hidden from browsing. Do not share the root directory.
Root Directories: If an attacker penetrates the root directory, all the subdirectories under that directory are vulnerable.
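The slide's advice to run only the protocols a server needs, and to keep NetBIOS (135, 137, 138, 139) and Unix RPC (111) off Internet-facing hosts, can be turned into a routine check. The following script is an added example and is not part of the original slides: it parses a listener table in a constructed `ss`-like layout (not captured from a real host), flags the ports the slide names, and reports anything outside a hypothetical per-role allowlist.

```python
"""Added example (not from the original slides): review a host's listening
sockets against the chapter's advice to disable unneeded services and to
keep NetBIOS (135, 137, 138, 139) and the Unix RPC service (111) off the wire.

The listener table below is CONSTRUCTED to resemble `ss -tulpn` output; it
was not captured from a real host."""

import re

# Ports the slide singles out as attack-prone when reachable from the Internet.
NETBIOS_RPC_PORTS = {135, 137, 138, 139, 111}

# Hypothetical allowlist for a file/print server that should only speak SSH,
# HTTPS and SMB.  This is an assumption of the example; adjust per server role.
ALLOWED_PORTS = {22, 443, 445}

# Constructed sample rows: protocol, local address:port, owning process.
SAMPLE_LISTENERS = """\
tcp   0.0.0.0:22      sshd
tcp   0.0.0.0:445     smbd
tcp   0.0.0.0:139     smbd
udp   0.0.0.0:137     nmbd
tcp   0.0.0.0:111     rpcbind
tcp   0.0.0.0:21      vsftpd
tcp   127.0.0.1:443   nginx
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+)$")


def parse_listeners(text):
    """Return a list of (proto, bind_addr, port, process) tuples; lines that
    do not match the expected layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def review_listeners(text, allowed=ALLOWED_PORTS):
    """Classify each listener: 'netbios_rpc' for the ports the slide says to
    disable, 'not_allowed' for any other port outside the allowlist, 'ok' otherwise."""
    findings = []
    for proto, addr, port, proc in parse_listeners(text):
        if port in NETBIOS_RPC_PORTS:
            verdict = "netbios_rpc"
        elif port not in allowed:
            verdict = "not_allowed"
        else:
            verdict = "ok"
        findings.append({"proto": proto, "addr": addr, "port": port,
                         "process": proc, "verdict": verdict})
    return findings


def summarize(findings):
    """Group the flagged ports by verdict so a reviewer sees the gaps at a glance."""
    return {verdict: sorted(f["port"] for f in findings if f["verdict"] == verdict)
            for verdict in ("netbios_rpc", "not_allowed", "ok")}


if __name__ == "__main__":
    for f in review_listeners(SAMPLE_LISTENERS):
        print(f"{f['proto']:<5}{f['addr']}:{f['port']:<7}{f['process']:<10}{f['verdict']}")
    print(summarize(review_listeners(SAMPLE_LISTENERS)))
```

Run against real output, the allowlist is the part that needs thought: it should be derived from the server's documented role, not from whatever happens to be listening today.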
Hardening the Operating System

Protecting Management Interfaces and Applications
The person running the administrative interfaces can make configuration changes to the system(s) and modify settings in ways that can have wide-sweeping consequences. To protect against this, access to management/administrative interfaces should be restricted to only those administrators who need it.
Group Policy can be used for ease of administration in managing the environment of users. This can include installing software and updates, or controlling what appears on the desktop based on the user's job function and level of experience. The Group Policy object (GPO) is used to apply Group Policy to users and computers. Group Policy enables you to set consistent common security standards for a certain group of computers and enforce common computer and user configurations. It also simplifies computer configuration by distributing applications and by restricting the distribution of applications that may have limited licenses.
Security templates are sets of configurations that reflect a particular role or standard, established through industry standards or within an organization and assigned to fulfill a particular purpose. For example, a "minimum access" template might be assigned to limited-access kiosk systems, whereas a "high-security" template could be assigned to systems requiring more stringent logon and access control mechanisms.
Hardening the Operating System

Password Protection
Passwords should always be as long and as complicated as possible. Most vendors recommend that you use nonalphabetic characters such as #, $, and % in your password, and some go so far as to require it.

Disabling Unnecessary Accounts
Enabled accounts that are not needed on a system provide a door through which attackers can gain access. You should immediately disable all accounts that are not needed, on servers and workstations alike. The following are some types of accounts you should disable:
Accounts of employees who have left the company
Temporary employee accounts
The default Guest account, a likely target for hackers
Operating System Hardening (10:08)

Hardening the OS and NOS
Hardening an operating system (OS) or network operating system (NOS) refers to the process of making the environment more secure from attacks and intruders. OS hardening includes encrypted file support and the selection of secured file systems, which provide the proper level of access control, together with the regular application of security patches, hotfixes, and service packs to address newly identified exploits.
Hardening Filesystems

File Allocation Table (FAT)
FAT is a Microsoft file system that provides share-level and user-level access privileges. If a user has the appropriate permission to a drive or directory, the user can access any file in that directory. The FAT file system offers the least security and is especially insecure in an Internet environment.

New Technology File System (NTFS)
NTFS is a Microsoft file system that uses access control lists (ACLs) to configure permissions for users and groups. Each file, directory, and volume can have an assigned ACL, and each entry in the ACL can specify the access type granted. Encrypting File System (EFS) can also be used to encrypt data stored on the hard disk. Microsoft strongly recommends that all network shares be established on NTFS.
Hardening Filesystems

Novell NetWare Storage Services (NSS)
NSS is Novell's newest filesystem. It's a proprietary environment for servers. NSS allows complete control of every file resource on a NetWare server. The NSS file system provides security, high performance, and large file storage capacities, and uses NDS or eDirectory to provide authentication for access.

Unix Filesystem
The Unix filesystem is a completely hierarchical filesystem. Each file, filesystem, and subdirectory has complete granularity of access control. The three primary attributes on a Unix file or directory are Read, Write, and Execute. The ability to set these capabilities individually, as well as to establish inheritance to subdirectories, gives Unix the highest level of security available for commercial systems. NTFS is based on this method of file organization.

Figure: Hierarchical file structure used in Unix and other operating systems
Hardening Filesystems

Network File System (NFS)
NFS is the Unix standard for remote file systems. NFS allows computers to mount a file system from a remote location, thereby enabling the client system to view the server's storage as part of the local client.

Apple File Sharing (AFS)
AFS was intended to provide simple networking for Apple Macintosh systems. AFS allows the file owner to establish password and access privileges, similar to the Unix filesystem. OS X, the newest version of the Macintosh operating system, has more fully implemented a filesystem that is based on the Unix model. The major weakness of the operating system involves physical control of the systems.
Application Patch Management (5:21)
Patch Management (4:16)

Updating Your Operating System
It is imperative to include regular update reviews for all deployed operating systems, to address newly identified exploits and apply security patches, hotfixes, and service packs. Automated attacks make use of common vulnerabilities.

Hotfixes
A hotfix makes repairs to a computer during its normal operation so that the computer can continue to operate until a permanent repair can be made. It usually involves replacing files with an updated version. A hotfix can also be referred to as a bug fix. Hotfixes are typically small, specific-purpose updates that alter the behavior of installed applications in a limited manner. These are the most common type of update. A hotfix is related to a service pack and should be deployed with this in mind.

Service Packs and Support Packs
A service pack is a major, crucial update for the OS or application for which it is intended, and consists of a collection of all hotfixes and patches released since the OS or product was shipped. A service pack is mandatory for all users, addresses a new vulnerability, and should be deployed as soon as possible. Service packs are the least common type of update, often requiring extensive testing to ensure against service failure in integrated network environments before application. A support pack is another term used for a service pack.

Patches
A patch is a temporary workaround for a bug or problem in code that is applied manually. Patches typically focus on updates that affect installed applications. Security patches eliminate security vulnerabilities. They may be mandatory if the circumstances match and need to be deployed quickly. Once more is known about an issue, a service pack or hotfix may be issued to fix the problem on a larger scale. A patch should be installed on a server only after it has been tested on a non-production server and by the computing community.
A common method for hackers to infect your systems is to send an official-looking e-mail about software that you need. The only way to ensure that a patch or service pack comes from the vendor is to go to the vendor’s Web site. This ensures that you are obtaining the security patch directly from the vendor.
Application Configuration Baselining and Hardening (4:10)

Application Hardening
Application hardening addresses the default application administration accounts, standard passwords, and common services and protocols that are installed by default. They should be reviewed and changed or disabled as required. Applications must be maintained in an updated state through the regular review of hotfixes, patches, and service packs.
Application Hardening

Fuzzing
Most applications that are written to accept input expect a particular type of data to be given, such as string values, numerical values, etc. Fuzzing is the technique of providing unexpected values as input to an application to try to make it crash. A common method is to flood the input with a stream of random bits. The best way to prevent fuzzing from being a possible exploit on your systems is to do fuzz testing yourself, to find and fix the problems first.

Cross-Site Request Forgery
Cross-Site Request Forgery, also known as XSRF, session riding, and one-click attack, involves unauthorized commands coming from a trusted user to the website, often without the user's knowledge and employing some type of social engineering. With the increased usage of Internet Relay Chat (IRC), this type of attack can happen anywhere one user can talk and interact with other users. Characteristics common to these attacks include ascertaining a user's identity, exploiting their trust (often by trickery), and using HTTP requests. The major limitation of this attack is that the victim must be lured in; header checking can stop it cold.
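The slide's recommendation to fuzz your own code first can be shown end to end. The script below is an added example, not code from the original slides: it fuzzes a hypothetical record parser (constructed for this example, not any real application) with random bytes, truncations, bit flips and inserted separators, collects the exception types that escape, and then shows a hardened version of the same parser on which the same fuzzer finds nothing.

```python
"""Added example (not from the original slides): a minimal fuzz test of a
hypothetical 'name=value;count=N' record parser, following the slide's advice
to fuzz your own code before someone else does.  Everything here is constructed."""

import random


def parse_record(raw: bytes) -> dict:
    """Hypothetical parser written in the careless style fuzzing is meant to
    expose: it assumes well-formed input and raises on anything unexpected."""
    text = raw.decode("utf-8")                                       # UnicodeDecodeError on bad bytes
    fields = dict(part.split("=", 1) for part in text.split(";"))    # ValueError if a part lacks '='
    return {"name": fields["name"], "count": int(fields["count"])}   # KeyError / ValueError


def parse_record_hardened(raw: bytes):
    """Same parser with every failure mode the fuzzer finds handled explicitly;
    returns None instead of raising on malformed input."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    fields = {}
    for part in text.split(";"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key] = value
    if "name" not in fields or not fields.get("count", "").isdigit():
        return None
    return {"name": fields["name"], "count": int(fields["count"])}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Produce one mutated input: pure random bytes (the slide's 'stream of random
    bits'), a truncation, a single bit flip, or an inserted separator character."""
    choice = rng.randrange(4)
    if choice == 0:
        return bytes(rng.randrange(256) for _ in range(rng.randrange(0, 32)))
    if choice == 1:
        return seed[: rng.randrange(len(seed) + 1)]
    if choice == 2:
        pos = rng.randrange(len(seed))
        return seed[:pos] + bytes([seed[pos] ^ (1 << rng.randrange(8))]) + seed[pos + 1:]
    pos = rng.randrange(len(seed) + 1)
    return seed[:pos] + rng.choice([b";", b"=", b"\xff"]) + seed[pos:]


def fuzz(parser, seed=b"name=alice;count=3", iterations=2000, rng_seed=1):
    """Run the parser on mutated inputs and record each exception type that
    escapes.  Returns {exception class name: first input that triggered it}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except Exception as exc:          # any uncaught exception counts as a crash
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


if __name__ == "__main__":
    for name, found in fuzz(parse_record).items():
        print(f"naive parser: {name} on {found!r}")
    print("hardened parser crashes:", fuzz(parse_record_hardened))
```

The seed is fixed so the run is reproducible; in practice you would keep the inputs that crashed as regression tests, which is exactly what the `crashes` dictionary preserves.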
Application Hardening

Application Configuration Baselining
Baselining always involves comparing performance to a metric, which is a historical measurement that you can point to and identify as being from before a configuration change, before the site became busy, before you added new services, etc. Baselining can be done for things like CPU, memory, hard disk, and network usage. It is advisable to baseline key applications prior to major configuration changes.

Application Patch Management
Just as with your OS, you need to keep your application patches up to date. Most vendors post patches on a regular basis, and you should routinely scan for any that are available.
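A baseline is only useful if you can say how far a new measurement is from it. The snippet below is an added example (not from the original slides) of the comparison the slide describes: it summarises a constructed set of pre-change CPU samples into the historical metric and then scores post-change samples against it. The samples and the three-standard-deviation threshold are assumptions of this example.

```python
"""Added example (not from the original slides): compare new measurements of a
metric such as CPU utilisation against a historical baseline.  The sample values
are CONSTRUCTED and the z-score threshold is an assumption of this example."""

import statistics

# Constructed 5-minute CPU% samples collected before a configuration change.
BASELINE_CPU = [31, 28, 35, 30, 33, 29, 34, 32, 30, 31, 36, 27]


def build_baseline(samples):
    """Summarise the historical measurement the slide calls the metric."""
    return {
        "mean": statistics.mean(samples),
        "stdev": statistics.stdev(samples),   # sample standard deviation
        "max": max(samples),
    }


def compare_to_baseline(baseline, value, z_threshold=3.0):
    """Return (z_score, verdict): 'deviation' when the new sample lies more than
    z_threshold standard deviations from the baseline mean, else 'normal'."""
    z = (value - baseline["mean"]) / baseline["stdev"]
    return round(z, 2), ("deviation" if abs(z) > z_threshold else "normal")


def review_after_change(samples_after, baseline=None, z_threshold=3.0):
    """Score every post-change sample; returns the list of verdicts in order."""
    baseline = baseline or build_baseline(BASELINE_CPU)
    return [compare_to_baseline(baseline, v, z_threshold)[1] for v in samples_after]


if __name__ == "__main__":
    base = build_baseline(BASELINE_CPU)
    print(f"baseline mean={base['mean']:.1f} stdev={base['stdev']:.2f} max={base['max']}")
    for v in (34, 40, 48):
        print(v, compare_to_baseline(base, v))
```

Recording the baseline before the change (rather than reconstructing it afterwards) is the point of the slide's advice: the `build_baseline` output is what you save alongside the change record.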
Hardening Web Servers
Web servers are favorite areas for attackers to exploit. Every service and capability supported on a website is potentially a target for exploitation. Make sure they're kept to the most current software standards. Regular log review is critical for web servers, to ensure that submitted URL values are not being used to exploit unpatched buffer overruns or to initiate other common exploits. You must also make certain that you're allowing users to have only the minimal permissions necessary to accomplish their tasks. If users are accessing your server via an anonymous account, make certain the anonymous account has only the permissions needed to view web pages and nothing more. Filters allow you to limit the traffic that is allowed through; limiting traffic to only that which is required for your business can help ward off attacks.
Executable scripts, such as Common Gateway Interface (CGI) scripts, often run at elevated permission levels. Under most circumstances this isn't a problem; however, if the user can break out of the script while at the elevated level, then you have a problem. CGI scripts may be exploited to leak information, including details about running server processes and daemons; samples included in some default installations are not intended for security and are the subject of well-known exploits; and buffer overflows may allow arbitrary commands to be executed on the server. The best course of action is to verify that all scripts on your server have been thoroughly tested, debugged, and approved for use.
Hardening E-Mail Servers
An e-mail server is a middleman in the delivery of the message. The primary firewall to protect you from e-mail viruses would be e-mail servers with active virus scanners. E-mail servers detect the viruses in messages received from various sources and send warnings to the recipient to warn them of the risky mail. This server has the necessary means to reject infected mail content. SMTP is the primary protocol used in e-mail. An SMTP virus filter checks all incoming and outgoing e-mails for suspicious code. If a file is potentially infected, the scanner notifies the originator and quarantines the file. E-mail service hardening includes preventing SMTP relay from being used by spammers, and limiting attachment size and total storage per user to prevent denial-of-service attacks using large file attachments.

Figure: E-mail virus scanner on an e-mail server
Hardening FTP Servers
FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. Always disable the anonymous user account. In most environments, FTP sends user IDs and password information unencrypted, which makes these accounts vulnerable to network sniffing. Regular log review is critical for FTP servers; FTP logs should be spot-checked for password-guessing and brute-force attacks. Because of limitations in FTP, unless an encapsulation scheme is used between the client and host systems, the logon and password details are passed in clear text and may be subject to interception by packet sniffing. Most FTP servers allow you to create file areas on any drive on the system; you should create a separate drive or subdirectory on the system to allow file transfers. If possible, use virtual private network (VPN) or Secure Shell (SSH) connections for FTP-type activities. FTPS (FTP over SSL) uses TCP port 21.
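The slide says FTP logs should be spot-checked for password guessing; the script below is an added example (not from the original slides) of doing that check automatically. The log lines are constructed in a simplified "timestamp source user result" layout rather than any real server's format, and the threshold and window are assumptions of this example. It flags a source that fails too many logons inside a sliding window and separately lists anyone still trying the anonymous account the slide says to disable.

```python
"""Added example (not from the original slides): spot-check FTP logs for
password-guessing, as the slide recommends.  The log lines are CONSTRUCTED in
a simplified 'timestamp source user result' layout, not a real server's format."""

from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_FTP_LOG = """\
2024-03-01T09:00:01 10.0.0.5 jdoe FAIL
2024-03-01T09:00:03 10.0.0.5 jdoe FAIL
2024-03-01T09:00:04 10.0.0.5 jdoe FAIL
2024-03-01T09:00:06 10.0.0.5 admin FAIL
2024-03-01T09:00:07 10.0.0.5 root FAIL
2024-03-01T09:00:09 10.0.0.5 jdoe FAIL
2024-03-01T09:05:00 10.0.0.8 asmith FAIL
2024-03-01T09:05:20 10.0.0.8 asmith OK
2024-03-01T09:10:00 10.0.0.9 anonymous FAIL
"""


def parse_ftp_log(text):
    """Return a list of (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source with at least `threshold` failed logons inside a sliding
    time window.  Returns {source: (largest failure count in a window,
    sorted usernames tried in that window)}.  Thresholds are assumptions."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, items in failures.items():
        items.sort()
        best, start = None, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, sorted({u for _, u in items[start:end + 1]}))
        if best:
            flagged[src] = best
    return flagged


def find_anonymous_attempts(events):
    """Sources still trying the anonymous account the slide says to disable."""
    return sorted({src for _, src, user, _ in events if user == "anonymous"})


if __name__ == "__main__":
    evts = parse_ftp_log(SAMPLE_FTP_LOG)
    print("brute force:", find_brute_force(evts))
    print("anonymous attempts from:", find_anonymous_attempts(evts))
```

The one legitimate user who mistyped once and then logged in (10.0.0.8) is not flagged, which is the property a threshold-plus-window rule buys over counting raw failures.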
DNS (2:04)

Hardening DNS Servers
DNS is one of the most popular directory services in use today. DNS can identify an individual computer system on the Internet. DNS maps IP addresses to domain names and to individual systems. Because DNS servers usually store a vast quantity of information on the network and its configuration, they are also typically targeted by network footprinting attacks, which attempt to gather information on your network. To protect your DNS servers from network footprinting attacks, ensure that the information about the network that gets stored in external DNS servers is kept to a minimum. One of the primary reasons hardening is necessary for DNS servers is to prevent poisoning by unauthorized zone transfers. Query results that are forged and returned to the requesting client or recursive DNS query can poison the DNS records. Limiting the registration of names and IP addresses to authorized clients prevents an unauthorized entry from being created in the DNS server's zone database file.
Hardening DNS Servers
The Windows 2000 DNS version implements DNS security. This assists in preventing DNS spoofing, and ensures that client systems access the proper DNS server. You should set up DNS servers so that they only perform zone transfers to specific secondary DNS servers. For the perimeter network, use a separate DNS server; this server should not contain information that you do not want public users to access.

DNS Poisoning
Query results that are forged and returned to the requesting client or recursive DNS query can poison the DNS records. Use a version of DNS that includes the correction for preventing DNS cache poisoning, or alternatively obtain the relevant security patch to address this issue.

ARP Poisoning
Because ARP does not require any type of validation, as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices. This can allow a perpetrator to trick a device into thinking any IP address is related to any MAC address.
Hardening DHCP Services Dynamic Host Configuration Protocol (DHCP) is used in many networks to automate the assignment of IP addresses to workstations. DHCP services can be provided by routers, switches, and servers. DHCP servers share many of the same security problems associated with other network services, such as DNS servers. DHCP servers may be overwhelmed by lease requests if bandwidth and processing resources are insufficient. In a given network or segment, only one DHCP server should be running. An exception would be if you are implementing redundant DHCP services without overlapping scopes. DHCP-enabled clients can be serviced by a Network Address Translation (NAT) server. DHCP usage should be limited to workstation systems. If the OS in use does not support DHCP server authentication, attackers may also configure their own DHCP servers within a subnet, taking control of the network settings of clients and obtaining leases from these rogue servers. Microsoft’s Active Directory requires that DHCP servers be authorized.
Working with Data Repositories Directory services are tools that help organize and manage complex networks. They allow data files, applications, and other information to be quickly and easily relocated within a network. In addition to creating and storing data, directory services must publish appropriate data to users. Security for directory services is typically accomplished by using both authentication and access control. Data repositories of any type might require specialized security considerations based on the bandwidth and processing resources required to prevent DoS attacks, removal of default password and administration accounts such as the SQL sa account, and security of replication traffic to prevent exposure of access credentials to packet sniffing. Role-based access control may be used to improve security, and the elimination of unneeded connection libraries and character sets may help to alleviate common exploits.
Working with Data Repositories

Active Directory
Microsoft implemented a directory service called Active Directory (AD) with Windows 2000. AD is the backbone for all security, access, and network implementations. AD gives administrators full control of resources. It provides services for other directory services, such as LDAP. One or more servers manage AD functions; these servers are connected in a tree structure that allows information to be shared or controlled through the entire AD structure. In conjunction with Active Directory, LDAP uses four different name types:
A Distinguished Name (DN) exists for every object in AD. These values can't be duplicates and must be unique. This is the full path of the object, including any containers.
A Relative Distinguished Name (RDN) doesn't need to be a wholly unique value as long as there are no duplicates within the organizational unit (OU). As such, an RDN is the portion of the name that is unique within its container.
A User Principal Name (UPN) is often referred to as a friendly name. It consists of the user account and the user's domain name and is used to identify the user (think of an e-mail address).
The Canonical Name (CN) is the DN given in a top-down notation.
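The four name types are easiest to keep apart when you derive them from one object. The following is an added example (not from the original slides) that splits an LDAP distinguished name into its RDN components, honouring backslash-escaped commas, and produces the RDN, the UPN and the top-down canonical name the slide describes. The user, organizational units and domain are constructed for the example.

```python
"""Added example (not from the original slides): derive the name types the
slide lists (DN, RDN, UPN, canonical name) from one Active Directory object.
The sample object and domain are CONSTRUCTED."""


def split_dn(dn: str):
    """Split a DN into (attribute, value) pairs, leaf first, honouring backslash
    escapes so that 'CN=Doe\\, John' stays one RDN with the comma unescaped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    result = []
    for part in parts:
        attr, _, value = part.partition("=")
        result.append((attr.strip().upper(), value.strip()))
    return result


def name_types(dn: str, sam_account_name: str):
    """Return the DN, its leaf RDN, the UPN (account@domain) and the canonical
    name (domain/containers/leaf, i.e. the DN read top-down)."""
    rdns = split_dn(dn)
    leaf = rdns[0]
    domain = ".".join(v for a, v in rdns if a == "DC")
    # Container path: every OU/CN except the leaf, reversed into top-down order.
    containers = [v for a, v in rdns[1:] if a in ("OU", "CN")]
    canonical = "/".join([domain] + list(reversed(containers)) + [leaf[1]])
    return {
        "dn": dn,
        "rdn": f"{leaf[0]}={leaf[1]}",
        "upn": f"{sam_account_name}@{domain}",
        "canonical": canonical,
    }


if __name__ == "__main__":
    # Constructed sample object; the domain atc.example is not a real one.
    sample = "CN=JD Willard,OU=Staff,OU=Albany Technical College,DC=atc,DC=example"
    for key, value in name_types(sample, "jwillard").items():
        print(f"{key:<10}{value}")
```

The canonical form reads the same DN from the domain downwards, which is why a directory browser can show "atc.example/Albany Technical College/Staff/JD Willard" for an object whose DN starts with the leaf.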
Working with Data Repositories

X.500
The International Telecommunications Union (ITU) implemented the X.500 standard, which was the basis for directory structures such as LDAP. The major problem in implementing a full-blown X.500 structure revolved around its complexity. Novell was one of the first manufacturers to implement X.500, in its NetWare NDS product.

eDirectory
eDirectory is the backbone for new Novell networks. It stores information on all system resources and users, and any other relevant information about systems attached to a NetWare server. eDirectory is an upgrade and replacement for NDS, and has gained wide acceptance.
Databases and Technologies
The primary tool for data management is the database. The relational database is the most common approach. It allows data to be viewed in dynamic ways based on the user's or administrator's needs. The most common language used to speak to databases is called Structured Query Language (SQL). SQL allows queries to be configured in real time and passed to database servers. This flexibility causes a major vulnerability when it isn't implemented securely. Database servers suffer from all the vulnerabilities discussed so far. To improve system performance and the security of databases, companies have implemented the tiered model of systems:
One-tier model: The database and application reside on one system. The one-tier model is usually used to host a stand-alone database.
Two-tier model: In the two-tier and three-tier models, the application being run by the client PC or system accesses a database hosted on a different server.
Three-tier model: A middle-tier server receives and verifies requests from clients before passing them to the server on which the database resides. After the request is processed by the database server, the server passes the information to the middle-tier server, which then passes the data to the client. The middle-tier server provides additional security.
Injection Problems

SQL Injection
SQL (Structured Query Language) is the de facto language used for communicating with online (and other relational) databases. With a SQL injection attack (aka a SQL insertion attack), an attacker manipulates the database code to take advantage of a weakness in it. Various types of exploits use SQL injection, and the most common fall beneath the following categories:
Escape character not filtered correctly
Type handling not properly done
Conditional errors
Time delays
The best way to prevent SQL injection attacks is to make certain you type all parameters correctly and filter all user input. Also make certain you keep your server current with all patches.

LDAP Injection
An LDAP injection attack exploits weaknesses in LDAP (Lightweight Directory Access Protocol) implementations. This can occur when the user's input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries. To prevent LDAP injection attacks, filter the user input and use a validation scheme to make certain queries do not contain exploits. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on the LDAP server. Format string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service attack against the LDAP server, preventing it from responding to normal requests.
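The first category on the slide, an unfiltered escape character, and its fix are short enough to show side by side. The script below is an added example, not from the original slides: a lookup that pastes user input into the SQL text (so a quote character changes the query's structure) next to the same lookup with a bound parameter, plus an escaper for values placed in LDAP search filters. The table, rows and inputs are constructed; SQLite stands in for any SQL database, and the filter format follows RFC 4515.

```python
"""Added example (not from the original slides): the 'escape character not
filtered' SQL weakness beside its parameterised fix, and an RFC 4515 escaper
for LDAP filter values.  Table, rows and inputs are CONSTRUCTED; sqlite3 is
used only because it ships with Python."""

import sqlite3


def make_db():
    """In-memory table with three constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("carol", "staff")])
    return conn


def lookup_vulnerable(conn, name):
    """User input pasted into the statement text: the quote character is not
    filtered, so input containing one changes the query's structure."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Bound parameter: the driver passes the value as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# RFC 4515 escaping for values embedded in an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters so they are matched literally."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(username: str) -> str:
    """Filter for exactly one account; metacharacters in the input cannot widen
    the match or close the enclosing parentheses."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(username)}))"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"        # constructed input containing the quote character
    print("vulnerable   :", lookup_vulnerable(db, probe))
    print("parameterised:", lookup_parameterised(db, probe))
    print(ldap_user_filter("jdoe"))
    print(ldap_user_filter("*)(uid=*"))
```

The parameterised form is the "type all parameters correctly" advice on the slide made concrete: the database receives the query shape and the value separately, so filtering the input is a second line of defence rather than the only one.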
Injection Problems

XML Injection
When the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works similarly to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within it can return entire documents. To prevent XML injection attacks, filter the user's input and sanitize it to make certain it does not cause XPath to return more data than it should.

Directory Traversal/Command Injection
If an attacker is able to gain access to restricted directories (such as the root directory) through HTTP, it is known as a directory traversal attack. The root directory of a website is far from the true root directory of the server; an absolute path to the site's root directory is likely to be something in IIS such as C:\inetpub\wwwroot. If an attacker can get out of this directory and get to C:\windows, the possibility for inflicting harm is increased exponentially. One of the simplest ways to perform directory traversal is by using a command injection attack. The ability to perform command injection is rare these days. Most vulnerability scanners will check for weaknesses with directory traversal/command injection and inform you of their presence. Keep the web server software patches up to date.
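The check that keeps a request inside C:\inetpub\wwwroot is the other half of the traversal story the slide tells. The function below is an added example (not from the original slides): it decodes and normalises a requested path, then accepts it only if the result still lies under the web root. The web root is the slide's own example; the request paths are constructed, and nothing is read from disk.

```python
"""Added example (not from the original slides): confine a requested path to
the web root so it cannot reach outside C:\\inetpub\\wwwroot.  The root is the
slide's example; the request paths below are CONSTRUCTED.  No file I/O."""

import posixpath
from urllib.parse import unquote

WEB_ROOT = r"C:\inetpub\wwwroot"   # the slide's IIS example


def resolve_under_root(root: str, requested: str):
    """Return the normalised absolute path (forward slashes) if `requested`
    stays under `root`, otherwise None.

    Steps: percent-decode once so '%2e%2e' is seen as '..', unify '\\' and '/',
    collapse '.' and '..' with posixpath.normpath, then require the result to be
    the root itself or to start with root + '/'."""
    root = root.replace("\\", "/").rstrip("/")
    rel = unquote(requested).replace("\\", "/").lstrip("/")
    joined = posixpath.normpath(root + "/" + rel)
    if joined == root or joined.startswith(root + "/"):
        return joined
    return None


def review_requests(paths, root=WEB_ROOT):
    """Classify each request as 'serve' (with its resolved path) or 'block'."""
    results = []
    for p in paths:
        resolved = resolve_under_root(root, p)
        results.append((p, "serve" if resolved else "block", resolved))
    return results


if __name__ == "__main__":
    # Constructed request paths, including the escape attempts the check must stop.
    SAMPLE_REQUESTS = [
        "/images/logo.png",
        "a/../index.html",
        "../../windows/system32/cmd.exe",
        "..\\..\\windows\\win.ini",
        "%2e%2e/%2e%2e/windows/win.ini",
        "/",
    ]
    for path, verdict, resolved in review_requests(SAMPLE_REQUESTS):
        print(f"{verdict:<6}{path:<34}{resolved or ''}")
```

Normalising before comparing is the important order: a prefix check on the raw string would pass "a/../../windows" because it does not begin with "..", while the normalised form shows where it actually lands.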
Host Security
The entire network should be considered only as strong as its weakest host. Focus should be on keeping all hosts current in terms of malware protection and baselining.

Antimalware
To keep all hosts safe from malware, there are a number of things you should implement at a minimum:
Install antivirus software. It should run on all servers and workstations.
Install antispam filters.
Install antispyware software.
Utilize pop-up blockers.
Employ host-based firewalls.

Host Software Baselining
A security baseline defines the level of security that will be implemented and maintained. The security baseline, which can also be called a performance baseline, provides the input needed to design, implement, and support a secure network. Microsoft Baseline Security Analyzer is a free tool from Microsoft that can be downloaded and run on Windows to create security reports and scan for errors.
Mobile Devices
Mobile devices, including pagers and personal digital assistants (PDAs), use either RF signaling or cellular technologies for communication. If the device uses the Wireless Application Protocol (WAP), the device in all likelihood doesn't have security enabled. Several levels of security exist in the WAP protocol:
Anonymous authentication, which allows virtually anyone to connect to the wireless portal
Server authentication, which requires the workstation to authenticate against the server
Two-way (client and server) authentication, which requires both ends of the connection (client and server) to authenticate to confirm validity
Many new wireless devices are also capable of using certificates to verify authentication. The Wireless Session Protocol (WSP) manages the session information and connection between the devices. The Wireless Transaction Protocol (WTP) provides services similar to TCP and UDP for WAP. The Wireless Datagram Protocol (WDP) provides the common interface between devices. Wireless Transport Layer Security (WTLS) is the security layer of the Wireless Application Protocol.

Figure: A mobile environment using WAP security. This network uses both encryption and authentication to increase security.
Best Practices for Security

URL Filtering
URL filtering involves blocking websites based solely on the URL, restricting access to specified websites and certain web-based applications. Within Internet Explorer 8, SmartScreen runs in the background and sends the address of the website being visited to the SmartScreen server, where it is compared against a list kept of phishing and malware sites. If a match is found, a blocking web page appears (in red) and encourages you not to continue.
Best Practices for Security

Content Inspection
Instead of relying on a website to be previously identified as questionable, as URL filtering does, content inspection works by looking at the data coming in. Within the most recent versions of Internet Explorer, content filtering can be configured using Content Advisor.

Malware Inspection
While tools that identify malware when they find it on a system are useful, real-time tools that stop it from ever making it to the system are better. One of those tools available for Windows is Microsoft Security Essentials, and it runs on Windows 7 as well as Vista and XP with SP2. You can download it for free. Once it's installed and the definition files are current, you can configure it. Another free tool from Microsoft is the Malicious Software Removal Tool, which helps remove any infection found. An updated version of this tool is released on the second Tuesday of each month and, once installed, it is included by default in Microsoft Update and Windows Update.
Whole-disk Encryption (5:19)

Best Practices for Security

Data Loss Prevention
Data Loss Prevention (DLP) systems monitor the contents of systems to make sure key content is not deleted or removed. They also monitor who is using the data and transmitting the data. One of the best known DLP systems is MyDLP, an open source solution that runs on most Windows platforms.

Data Encryption
BitLocker is available with the Windows Vista Enterprise and Ultimate versions and with Windows 7 Ultimate. BitLocker encrypts the drive contents so that data cannot be stolen. It can encrypt both user and system files, and is enabled or disabled by an administrator for all computer users. It requires Trusted Platform Module (TPM) hardware. Whole disk encryption helps mitigate the risks associated with lost or stolen laptops and the accompanying disclosure laws when the organization is required to report data breaches.

Hardware-Based Encryption Devices
Within the advanced configuration settings on some BIOS configuration menus, you can choose to enable or disable the TPM. A Trusted Platform Module (TPM) is the name assigned to a chip that can store cryptographic keys, passwords, or certificates, and it can be used to assist with hash key generation. The TPM can be used to generate the values used with whole disk encryption such as BitLocker, as well as to protect cell phones and devices other than PCs. The TPM chip may be installed on the motherboard; when it is, in many cases it is set to off in the BIOS by default.
Attack Types to Be Aware Of

Session Hijacking
Session hijacking, also referred to as TCP/IP hijacking, enables an attacker to capture and analyze the data addressed to a target system. This allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization. Session hijacking involves assuming control of an existing connection after the user has successfully created an authenticated session.

Header Manipulation
A header manipulation attack uses methods such as hijacking, cross-site request forgery, etc., to change values in HTTP headers and falsify access. When used with XSRF, the attacker can even change a user's cookie. IE8 and above include InPrivate Filtering to help prevent some of this. With InPrivate Filtering, you can configure the browser to not share information that can be captured and manipulated.
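Both the Cross-Site Request Forgery passage under Application Hardening ("header checking can stop it cold") and the header manipulation passage above come down to the same server-side decision. The function below is an added example, not from the original slides, of that decision: for state-changing requests it requires the Origin (or, failing that, Referer) header to name the site itself, and then requires a per-session token that a cross-site page cannot read. The site origin, session store, header names and request shapes are assumptions constructed for this example.

```python
"""Added example (not from the original slides): the server-side 'header
checking' that stops cross-site request forgery, combined with a per-session
token.  The site origin, session dict and request values are CONSTRUCTED."""

import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://portal.example"   # assumed origin of the protected site


def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the server-side session and return it for
    embedding in forms; a page on another site cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; empty string if it has neither."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def is_state_change(method: str) -> bool:
    return method.upper() in ("POST", "PUT", "PATCH", "DELETE")


def check_request(method: str, headers: dict, form: dict, session: dict) -> str:
    """Return 'allow' or a 'reject: ...' reason for one request."""
    if not is_state_change(method):
        return "allow"                    # read-only requests are not forgeable writes
    hdr = {k.lower(): v for k, v in headers.items()}
    # 1. Header check: Origin, or Referer as a fallback, must be our own site.
    source = hdr.get("origin") or hdr.get("referer")
    if not source or origin_of(source) != SITE_ORIGIN:
        return "reject: cross-site origin"
    # 2. Token check: the form token must match the session token (constant-time).
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "reject: missing or wrong token"
    return "allow"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    cases = [
        ("GET", {}, {}),
        ("POST", {"Origin": "https://evil.example"}, {"csrf_token": token}),
        ("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": "guess"}),
        ("POST", {"Referer": SITE_ORIGIN + "/transfer"}, {"csrf_token": token}),
        ("POST", {}, {"csrf_token": token}),
    ]
    for method, headers, form in cases:
        print(method, headers, "->", check_request(method, headers, form, session))
```

The two checks fail independently: a missing Origin/Referer is rejected before the token is examined, so a browser or proxy that strips the headers does not quietly downgrade the protection to the token alone.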