1 / 179

Lesson 14-Security Baselines

Lesson 14-Security Baselines. Background. The many uses for systems and operating systems require flexible components. Allows users to design, configure, and implement the systems they need. This flexibility causes the biggest weaknesses in computer systems. Background.

Download Presentation

Lesson 14-Security Baselines

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lesson 14-Security Baselines

  2. Background • The many uses for systems and operating systems require flexible components. • Allows users to design, configure, and implement the systems they need. • This flexibility causes the biggest weaknesses in computer systems.

  3. Background • Securing systems effectively and consistently requires a structured and logical approach. • Some of the best security practices to follow are: • Examining the intended functions and capabilities. • Determining the processes and applications on the system. • Removing or disabling anything that is not required. • Applying appropriate patches, hotfixes, and settings to protect and secure the systems.

  4. Background • This process of establishing a system's security state is called baselining. • The resulting product is a security baseline that allows the system to run safely and securely.

  5. Background • Once the baseline process is completed: • Any similar configuration can be built with the same baseline. • Similar systems will have the same level and depth of security and protection.

  6. Objectives • Upon completion of this lesson, the learner will be able to: • Describe ways of hardening various operating systems. • Describe methods for hardening network devices. • Describe issues related to hardening various applications.

  7. Password Selection • Selecting a good password for all user accounts is critical to protecting information systems.

  8. Password Policy Guidelines • The username and password combination is most poorly configured, neglected, and easily circumvented.

  9. Password Policy Guidelines • The first step in addressing the password issue is to create a password policy for system administrators and users. • People should be informed about the password policy, once it has been created. • A copy of it should be given to all users. • Every user should understand the policy. • The second step is to enforce the policy to make it effective.

  10. Password Policy Guidelines • Password Rules • Set a minimum number of characters. • Implement password aging. • Prompt users to change passwords on a regular basis. • Do not accept passwords based on dictionary words. • Do not allow users to reuse passwords.

  11. Password Policy Guidelines • Password Rules • Audit password files with some popular password-cracking utilities. • Perform audits as often as possible. • Monthly, every other month, or every quarter. • If accounts with easily-cracked passwords exist, have users review the password policy and change passwords immediately.

  12. Selecting a Password • There are two methods of selecting a password. • They range from random generation to one-time use. • Each method has its strengths and weaknesses. • When security increases, usability decreases. • The best compromise between security and usability is the selection of secure passwords using a passphrase.

  13. Selecting a Password • A password-based passphrase can be formed in the following ways: • Taking the first letter of each word in a sentence. • Taking the first letter from the first word, second letter from the second word, and so on. • Combining words. • Replacing letters with other characters.

  14. Selecting a Password • Any method can be chosen, but the end result should be a difficult-to-guess, easy-to-remember password. • Some examples of passphrases and their passwords are given below. • Sentence 1: I love to drive my 1969 Mustang! • Password: Iltdm69M! • Sentence 2: Bad to the Bone • Password: Bad2theB1

  15. Components of a Good Password • Users should create their own easy-to-remember passwords with passphrases. • A password prevents unauthorized access to resources. • A password should not be easy for someone to guess or obtain using password-cracking utilities.

  16. Components of a Good Password • A password can be made more difficult to guess or obtain by following the guidelines given below: • A password should be at least eight characters long. • Some operating systems require longer passwords by default.

  17. Components of a Good Password • It should have at least three of the following four elements: • One or more uppercase letters (A – Z) • One or more lowercase letters (a – z) • One or more numerals (0 – 9) • One or more special characters or punctuation marks (!@#$%^&*,.:;?)

  18. Components of a Good Password • It should not consist of dictionary words. • It should never be the same as the login name or contain the login name. • It should not contain the user's first or last name, family member's names, birth dates, pet names, or any other item that is easily identified with the user.

  19. Password Aging • Virtually, any password can be cracked by testing all possible passwords. • Therefore, users: • Should change their passwords on a regular basis. • Should not “recycle” passwords (use the same passwords over and over).

  20. Password Aging • To enforce password aging and prevent password reuse: • Have users change their passwords every 60 to 90 days. • Secure facilities require users to change passwords every 30 to 45 days. • “Remember” the last five to ten passwords. • Do not allow users to use old passwords again.

  21. Hardening Operating Systems • The operating system (OS) of a computer handles tasks such as: • Input • Output • Display • Memory management • The operating system supports the user environment and applications.

  22. Hardening Operating Systems • A network operating system (NOS) is an operating system that includes additional functions and capabilities to assist in connecting computers and devices.

  23. Hardening Operating Systems • Modern operating systems, including Windows 2000, Solaris, and Linux, use the terms operating system and network operating system interchangeably. • They perform all the basic function and provide enhanced capabilities for connecting to LANs.

  24. Hardening Operating Systems • Operating system developers and manufacturers share a common problem. • There is no way to anticipate the configurations and variations users require from their products.

  25. Hardening Operating Systems • Instead of spending time and money to meet every need, manufacturers provide a “default” installation for their products. • These contain the base operating system and some commonly desirable options, such as drivers, utilities, and enhancements.

  26. Hardening Operating Systems • Manufacturer-provided recommendations or tools and settings facilitate securing the system. • End users are responsible for securing their systems.

  27. Hardening Operating Systems • The process of securing an operating system is called hardening. • It makes the system more resistant to attacks.

  28. Hardening Operating Systems • Each operating system has its own approach to security. • The process of hardening is the same. • Different steps must be taken to secure each operating system.

  29. Hardening Microsoft OS • Hardening of Microsoft systems focuses on: • Windows NT • Windows 2000 • Windows XP family of operating systems

  30. Hardening Microsoft OS • Older Microsoft operating systems, such as Windows 3.11, Windows 95, Windows 98, and Windows ME, were designed with few security capabilities. • Not much can be done to harden those operating systems.

  31. Hardening Windows 2000 • The security of Windows 2000 can be improved using a number of guides available that assist in securing the Windows system.

  32. Hardening Windows 2000 • The following section contains the steps recommended by Microsoft's security team. • Determine the version of the operating system to be secured: • Professional • Server • Advanced Server • Determine the purpose of the system: • User desktop • Web server • File server

  33. Hardening Windows 2000 • Install the latest Windows 2000 service pack. • Follow the recommended steps in the “Microsoft Windows 2000 Service Pack Installation and Deployment Guide.”

  34. Hardening Windows 2000 • Configure Windows “Automatic Updates” service to check the Microsoft site and inform about new security fixes when they are available.

  35. Hardening Windows 2000 • Keep up with the latest security patches using Microsoft's Security Bulletins Search. • Follow the guidelines in the “Microsoft Windows 2000 Server Baseline Security Checklist.” • Update antivirus tools and signature files.

  36. Hardening Windows 2000 • Check Microsoft's virus alerts regularly. • Read “Securing Windows 2000 Server,” “Security Operations Guide for Windows 2000 Server,” and the “Security Administration Operations Guide.” • Use the “Baseline Security Analyzer” tool to scan and evaluate the security of the system.

  37. Hardening Windows 2000 • Service packs are Microsoft's way of bundling updates, fixes, and new functions into a large, self-installing package. • The “Automatic Updates” service automatically checks the Windows Update site for new security fixes.

  38. Hardening Windows 2000 • The “Baseline Security Analyzer” is a free tool from Microsoft that scans and evaluates the security state of the Windows system to ensure the latest patches and fixes are in place and user accounts are secured. • Appropriate permissions have been applied to files and directories.

  39. Win2K Security Checklist • The checklist applies to both the Windows 2000 Server and Advanced Server operating systems and outlines the steps to achieve a minimum baseline of security.

  40. Win2K Security Checklist • Verify all disk partitions are formatted with NTFS.

  41. Win2K Security Checklist • NTFS allows setting access permissions using an access control list on files and directories. • You can control what users or groups of users can read the contents of a particular file, or modify it. • Microsoft's permissions consist of none, read, write, execute, delete, change permissions, and take ownership, and they can be applied to both files and directories in various combinations.

  42. Win2K Security Checklist • Verify that the Administrator account has a strong password. • The Administrator account is a special account under the Windows 2000 operating system. • It is the “superuser” account that has the ability to control virtually everything on that system, much like the “root” account on UNIX systems.

  43. Win2K Security Checklist • Disable unnecessary services. • Any service not required to support the function of the server should be disabled or completely removed from the system.

  44. Win2K Security Checklist • Permissions • Disable or delete unnecessary accounts. • Make sure the Guest account is disabled.

  45. Win2K Security Checklist • Protect files and directories. • Certain Windows operating systems can restrict access to files and directories by using access control lists (ACLs). • An ACL is a list of permissions that controls who may write, modify, delete, or access a specific file or directory.

  46. Win2K Security Checklist • Sample Rights Screen

  47. Win2K Security Checklist

  48. Win2K Security Checklist • Protect the Registry from anonymous access. • Apply appropriate Registry ACLs. • Restrict access to public local security authority (LSA) information.

  49. Win2K Security Checklist • To prevent attackers from extracting information from a system anonymously, create the following Registry key using regedit: • Hive –HKEY_LOCAL_MACHINE\SYSTEM • Key –CurrentControlSet\Control\LSA • Value Name –RestrictAnonymous • Type –REG_DWORD • Value –1

  50. Win2K Security Checklist • Restrict anonymous connection with the Local Security Policy Setting tool. • Select Administrative Tools from the Control Panel. • Select Local Security Policy. • In the drop-down box, select: • None, Do Not Allow Enumeration Of SAM Accounts And Shares. • No Access Without Explicit Anonymous Permissions.

More Related