Section 1 System Hardening
Cyber-utopia Definition: A magical place, where all systems are already hardened out of the box and forever remain impregnable to attack.

Objectives (1 of 2)
• Describe the basic steps required to harden the PC hardware.
• Describe the basic steps required to harden any Operating System.
• Evaluate the hardening requirements of a PC running a MS Windows-based OS.

Objectives (2 of 2)
• Evaluate the requirements of a system running a Linux-based OS.
• Labs:
  • Using MBSA to check for missing MS Windows patches.
  • Installing MS Windows updates and patches with QChain.
  • Performing vulnerability scanning with Nessus.

Hardening the Hardware (1 of 12)
• Why do we need to harden the hardware?
  • Prevention of local access on a stand-alone isolated system.
  • Prevention against boot-up alteration or booting from anything other than the internal HDD.
  • Prevention against configuration alteration.
Hardening the Hardware (2 of 12)
• Prevention of local access on a stand-alone isolated system.
  • All too often systems are placed in remote locations for site monitoring or data collection.
  • There are no remote staff ensuring the security and safety of the system.
  • The remote system has access to internal systems and can be used to access those systems directly.

Hardening the Hardware (3 of 12)
• Prevention against boot-up alteration or booting from anything other than the internal HDD.
  • An unlocked BIOS allows local users to alter which device they boot from.
  • Bootable “auditing” tools and other applications can be used to collect data, passwords, etc. from the PC.

Hardening the Hardware (4 of 12)
• Entire operating systems, including MS Windows, Linux and even MS-DOS, can be made to boot from external USB devices and CD/DVDs.
• Many malware applications can be spread through infected bootable CDs, floppies and DVDs.
• Bootable USB drives can be used to copy the entire local HDD or, even worse, to format, erase or encrypt local HDD data.
Hardening the Hardware (7 of 12)
• Prevention against configuration alteration.
  • Somewhat related to preventing boot-up alteration.
  • Many BIOS updates can be installed from floppy disk.
  • Local BIOS configuration can be altered enough to prevent the PC from booting properly or at all.

Hardening the Hardware (10 of 12)
• So what do we need to do?
  • Install security screws on the system cases.
  • Lock the BIOS with a password.
    • User password
    • Admin password
    • Boot-up/Power-on password
  • Enable only system HDD boot-up; disable all other possibilities.

Hardening the Hardware (11 of 12)
• Enable only interfaces that are actually required for proper system functionality.
  • System comm. ports (parallel, serial, USB)
  • Sound system ports (onboard or peripheral)
  • Keyboard/mouse ports
  • Network interfaces (onboard or peripheral)
  • Monitor ports

Hardening the Hardware (12 of 12)
• Record BIOS settings.
  • Export option
  • Manual recording
• Prevent BIOS resets and updates.
  • Jumper settings (should already be done)
  • Floppy installs (may already be done)
• Disable non-required onboard controllers.
  • SATA
  • SCSI
  • IDE/E-IDE
OS Hardening Basics (1 of 10)
• Is this a new (clean) install?
  • Yes (are you sure), No?
• What applications are installed and running on the system?
  • Licensed, Open Source?
  • Have these been verified as clean?
• Has the machine been connected to the network?
  • Yes, No (are you sure)?

OS Hardening Basics (2 of 10)
• Who has access to install applications on the system?
  • Administrator, SU, Users, anybody?
• Have all of the current patches and service packs required for this system’s function been applied?
  • Yes (are you sure), No?

OS Hardening Basics (3 of 10)
• Has an anti-malware application been installed, and is it operational?
  • Yes (are you sure), No?
• Does the system have a personal firewall installed, and is it operational?
  • Yes (are you sure), No?

OS Hardening Basics (4 of 10)
• Have user accounts been created?
  • Yes, No (are you sure)?
• Have default passwords been appropriately altered?
  • Yes (are you sure), No?
• Are the log files correctly set up for:
  • user access tracking?
  • the anti-malware application?
  • the personal firewall?
OS Hardening Basics (5 of 10)
• Is this a new (clean) install?
  • Yes (are you sure), No?
• What is the current security posture of the system?
  • If “Clean”, treat it like a newly installed system (are you sure).
  • If “Compromised”, we can either try to fix it (recover from backup) or re-install from scratch (often the best solution, depending on the criticality of the system and the type of breach).

OS Hardening Basics (6 of 10)
• If “Unknown”, treat it as “Compromised” until you determine otherwise.
• Check user lists and groups.
  • Are there any “new” users or groups?
  • Is the guest account enabled?
  • Are the user passwords weak or set to default?
  • Are there any accounts that should be removed or disabled?
  • When are the users logging in?

OS Hardening Basics (7 of 10)
• What do the log files tell you?
  • Have the log files been correctly set up?
  • Are there any time gaps in the log files?
  • When was the last time the log files were reviewed, cleaned or purged?
• Who has rights to install software and perform updates?
  • Administrator, Users, Super-Users?
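The account and log-file questions on these two slides can be scripted against a baseline recorded at install time. The Python below is an added example, not part of the original slides: it compares a passwd-style account listing with the baseline set of expected accounts, flags any non-root account that has UID 0, and looks for holes in a log timeline longer than a chosen threshold. The baseline, the account listing and the log lines are all constructed for the example.

```python
"""Added example: baseline comparison of user accounts plus detection of
time gaps in a log file, the checks asked for on the 'Compromised / Unknown'
slides. All input below is constructed for the example."""
from datetime import datetime, timedelta

# Constructed baseline: the accounts the administrator recorded at install time.
BASELINE_USERS = {"root", "admin", "svc_backup", "alice"}

# Constructed current state, in /etc/passwd layout (name:x:uid:gid:gecos:home:shell).
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
svc_backup:x:1001:1001::/var/backup:/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
support:x:0:0::/tmp:/bin/bash
"""

# Constructed syslog-style lines; note the hole between 02:10 and 04:25.
LOG_LINES = """\
2024-03-01 01:55:02 sshd[411]: Accepted password for alice from 10.0.0.5
2024-03-01 02:10:17 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01 04:25:40 sshd[412]: Accepted password for support from 10.0.0.9
2024-03-01 04:26:01 sudo: support : TTY=pts/0 ; COMMAND=/bin/bash
"""


def parse_passwd(text):
    """Return {username: uid} from passwd-format text, skipping blank lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def audit_accounts(baseline, passwd_text):
    """Report accounts missing from the baseline and non-root accounts with UID 0.

    Findings are returned as strings, new accounts first (sorted by name),
    then UID 0 findings (sorted by name)."""
    current = parse_passwd(passwd_text)
    findings = []
    for name in sorted(set(current) - baseline):
        findings.append(f"new account: {name}")
    for name, uid in sorted(current.items()):
        if uid == 0 and name != "root":
            findings.append(f"uid 0 account: {name}")
    return findings


def find_log_gaps(text, max_gap=timedelta(hours=1)):
    """Return (start, end) pairs of consecutive entries more than max_gap apart.

    Each line is expected to begin with a 'YYYY-MM-DD HH:MM:SS' timestamp;
    the remainder of the line is ignored."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamps.append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        if later - earlier > max_gap:
            gaps.append((earlier, later))
    return gaps


if __name__ == "__main__":
    for finding in audit_accounts(BASELINE_USERS, CURRENT_PASSWD):
        print("ACCOUNT:", finding)
    for start, end in find_log_gaps(LOG_LINES):
        print(f"LOG GAP: no entries between {start} and {end}")
```

On a real system the baseline would come from the record made when the machine was built, and the gap threshold should be set from what the machine normally logs (an hourly cron job, as in the sample, gives a natural one-hour ceiling).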
OS Hardening Basics (8 of 10)
• What software has been installed on the system?
  • The same as when originally set up.
  • Various approved applications installed by the administrator.
  • User-installed and/or unapproved apps.
  • Unrecognized software (possibly spyware, etc.) that has been installed through web browsing or by a user.

OS Hardening Basics (9 of 10)
• Have the OS, anti-malware, and personal firewall applications been patched regularly and correctly?
  • Never been patched!
  • Missing a lot of patches.
  • Missing a few patches.
  • Up to date.

OS Hardening Basics (10 of 10)
Up to this point we have treated the “new” system slightly differently than the “compromised” and “unknown” systems. The main reason for this is that they are different.
• The “new” system should have only what we put on it.
• The “compromised” and “unknown” systems may have a lot more than you were expecting.
Windows Hardening (1 of 10)
• Windows installs a lot of “additional” software with the base install, and you don’t have the option of not installing it.
• We will look at this from a “very” small network point of view, as it will be easier to get your bearings.
• What’s a very small network? 1 to 2 PCs with a server. (How’s your home network???)

Windows Hardening (2 of 10)
• You should read the following two documents:
  • Windows XP Security Guide.doc, located in the Windows_XP_Security_Guide.zip file (219 pages)
  • Windows Server 2003 Security Guide.doc, located in the Windows_Server_2003_Security_Guide.zip file (254 pages)

Windows Hardening (3 of 10)
• Additional documents are available on the BAIST ftp site.

Windows Hardening (4 of 10)
• Ensure the system’s password policy meets or exceeds the written policy.
• Ensure the anti-malware (virus) application is up to date.
• Ensure the system has all of the patches and service packs required for its function.
• Ensure the user is unable to install software.

Windows Hardening (5 of 10)
• Ensure there are no errant or unnecessary processes running on the system.
• Ensure there are no errant or unnecessary system services running on the system.
• Ensure the Remote Administration function is disabled or locked down.
• Ensure all administrative PCs are locked down.

Windows Hardening (8 of 10)
• Ensure that there are no unnecessary TCP or UDP ports open.
• Ensure that wireless networking and infrared file transfer functions are disabled or locked down.
• Ensure that system administrators have their own “regular” UserID and use the RunAs command to perform any administrative work, unless logging in as Administrator is the only way to correct the issue.
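Checking for unnecessary open ports means comparing what is actually listening with what the machine’s role requires. The Python below is an added example, not from the original slides: it parses a `netstat -an` style listing in the Windows column layout and reports every listening TCP socket or bound UDP socket whose port is not on a role allowlist, listing sockets bound to every interface (0.0.0.0) before loopback-only ones. The netstat text and the allowlist are constructed for the example.

```python
"""Added example: compare listening TCP/UDP sockets with the ports a role is
expected to need. The netstat listing and allowlist are constructed."""
import re

# Constructed 'netstat -an' listing in the Windows column layout.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    10.0.0.12:445          10.0.0.5:51022         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1900           *:*
"""

# Constructed allowlist for a small file server: RPC endpoint mapper, SMB,
# and the NetBIOS name service. Anything else is reported.
ALLOWED = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# proto, local address, local port, foreign address, optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening_sockets(text):
    """Yield (proto, address, port) for sockets that accept inbound traffic.

    TCP sockets count only in the LISTENING state; a bound UDP socket has no
    state column and is always reachable, so every UDP line is included."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, blank line or anything that is not a socket row
        proto, addr, port, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        yield proto, addr, int(port)


def unexpected_ports(text, allowed):
    """Return open sockets whose (proto, port) is not in the allowlist.

    Sorted so that sockets bound to all interfaces (0.0.0.0) come first,
    then by protocol and port."""
    found = [s for s in listening_sockets(text) if (s[0], s[2]) not in allowed]
    return sorted(found, key=lambda s: (s[1] != "0.0.0.0", s[0], s[2]))


if __name__ == "__main__":
    for proto, addr, port in unexpected_ports(NETSTAT_OUTPUT, ALLOWED):
        scope = "all interfaces" if addr == "0.0.0.0" else addr
        print(f"unexpected {proto} port {port} bound on {scope}")
```

The allowlist is the written record of what the role needs; each reported port is either a service to disable on the “unnecessary services” slide, a firewall rule to add, or a line to add to the allowlist with a justification.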
Windows Hardening (10 of 10)
• Ensure the default Administrator account has been renamed.
• Ensure the administrative accounts have inactivity timeouts configured.
• Ensure the “File and Print Sharing” feature has been disabled or locked down.
• Ensure the personal firewall is turned on and configured correctly.

Windows Hardening - Vista
• Microsoft Trustworthy Computing Initiative
  • Introduced in 2002
  • A result of several high-profile worms and viruses
    • e.g. MS Blaster
  • Major paradigm shift for Microsoft
    • Shift from producing feature-rich software to prioritizing security and integrity

Windows Hardening - Vista
• Microsoft Trustworthy Computing Initiative (cont.)
  • Tenets of MTCI
    • Secure by Design
      • Secure coding philosophies
    • Secure by Default
      • Ensure components of Windows default to the most secure setting
    • Secure in Deployment
      • Creation of tools and prescriptive guidance to help businesses and users

Windows Hardening - Vista
• Microsoft Trustworthy Computing Initiative (cont.)
  • Resulted in major improvements in security
  • XP could not benefit fully, as it was released 2 years prior

Windows Hardening - Vista
• Trustworthy Computing Initiative (cont.)
  • Enter Vista
    • First Microsoft OS fully compliant with the goals of Trustworthy Computing
  • Vista Services Hardening
    • Secure by Default
    • Designed to thwart errant service behavior

Windows Hardening - Vista
• Windows Services
  • Formerly known as NT services
  • Long-running executables running in their own Windows sessions
  • Can be started at system boot, paused, and restarted
  • Usually have no user interface
  • Can run in a different security context than the user currently logged in
  • Allow for great flexibility in application development

Windows Hardening - Vista
• Windows Services (cont.)
  • Traditionally vulnerable to exploitation for several reasons
    • Generally run in the security context of privileged accounts (e.g. Local Administrator)
    • If a service is compromised, malware has a good chance of doing anything it desires
      • e.g. Remote Procedure Call (RPC) in XP
        • Prior to SP2, ran under the Local System account

Windows Hardening - Vista
• Windows Services (cont.)
  • Traditionally vulnerable to exploitation for several reasons (cont.)
    • Many services are network facing
      • Allows malware to exploit them via inbound connections
      • Allows infected services to make outbound connections to infect other systems
    • Services are long-running
      • Run from the time the system starts to when it shuts down
      • Allows malware plenty of time to do business

Windows Hardening - Vista
• Windows Services (cont.)
  • Service Hardening
    • Accomplished 4 ways in MS Vista
      • Running services with least privilege
      • Service isolation
      • Restricted network access
      • Session 0 isolation

Windows Hardening - Vista
• Windows Services (cont.)
  • Service Hardening (cont.)
    • Running with Least Privilege
      • Although many Windows services historically ran as Local System, many only need a small subset of privileges
      • XP could only run services in an “all or nothing” manner; it was not able to pick and choose the required privileges
      • Vista allows services to run with the minimum privileges required to function

Windows Hardening - Vista
• Windows Services (cont.)
  • Service Hardening (cont.)
    • Service Isolation
      • Prior to Vista, services needing to access an object could gain access in 3 ways:
        1 – Use the Local System account
        2 – Decrease security on the object
        3 – Create an account specifically allowed to run the service
      • Vista allows a service to reserve an object for its exclusive use by securing the resource with an access control entry (ACE) that contains a SID specific to that service
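The per-service SID used in that ACE is derived from the service name, so the value that will appear in the object’s ACL can be computed and checked before the object is secured. The Python below is an added example, not from the original slides and not Microsoft’s code: it assumes the documented derivation (the prefix S-1-5-80- followed by the SHA-1 of the upper-cased service name in UTF-16LE, read as five little-endian 32-bit values) and then inspects a constructed ACL to find entries that would defeat the service’s exclusive reservation. The ACL contents and the service name are constructed for the example; on a Windows system the computed SID can be compared with the output of `sc showsid <service name>`.

```python
"""Added example: derive a Vista-style per-service SID and check whether an
object's ACL really reserves the object for that service. The derivation is
assumed from public documentation; the ACL below is constructed."""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"

# Well-known SIDs that are normally left on a reserved object alongside the
# service's own SID: LocalSystem and the built-in Administrators group.
ADMINISTRATIVE_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-32-544": "Administrators"}


def service_sid(service_name):
    """Return the S-1-5-80-... SID for a service name.

    Assumed derivation: SHA-1 over the upper-cased name encoded as UTF-16LE,
    split into five unsigned 32-bit little-endian sub-authorities."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)
    return "-".join([SERVICE_SID_PREFIX, *map(str, sub_authorities)])


def sids_outside_reservation(acl, service_name):
    """Return the SIDs in an ACL that are neither the service's own SID nor an
    administrative SID, i.e. the entries that break the object's reservation.

    acl is a list of (sid, rights) pairs; order of the result follows the ACL."""
    own = service_sid(service_name)
    return [sid for sid, _rights in acl if sid != own and sid not in ADMINISTRATIVE_SIDS]


# Constructed ACL for an object that 'ExampleSvc' is supposed to own exclusively.
# The Everyone entry (S-1-1-0) is the mistake this check is meant to catch.
EXAMPLE_ACL = [
    (service_sid("ExampleSvc"), "FullControl"),
    ("S-1-5-18", "FullControl"),
    ("S-1-5-32-544", "FullControl"),
    ("S-1-1-0", "Modify"),
]


if __name__ == "__main__":
    print("service SID:", service_sid("ExampleSvc"))
    for sid in sids_outside_reservation(EXAMPLE_ACL, "ExampleSvc"):
        print("reservation broken by:", sid)
```

Because the SID depends only on the upper-cased name, renaming a service changes the SID, and two services never share one; that is what lets the ACE grant access to one service without creating a dedicated account or loosening the object’s security (the two pre-Vista workarounds the slide lists).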
Windows Hardening - Vista
• Windows Services (cont.)
  • Service Hardening (cont.)
    • Restricted Network Access
      • The Vista firewall builds on the capabilities of the XP SP2 firewall
      • New capabilities include outbound filtering and IPsec integration
      • The Vista firewall also integrates with Windows Vista Services Hardening, making it harder for malware to function
      • Could have prevented Blaster, Sasser, or Welchia from using infected services

Windows Hardening - Vista
• Windows Services (cont.)
  • Service Hardening (cont.)
    • Session 0 Isolation
      • Fast User Switching in XP accommodates simultaneously logged-on users by putting each in a different Windows session
      • Session 0 is created during startup (more are added as required)
      • Services have always run in Session 0
      • Before Vista, user applications were able to run in Session 0 as well, allowing cross-contamination that resulted in exploits
      • Vista reserves Session 0 for services only and makes it non-interactive
Linux/Unix Hardening (1 of 6)
• Still thinking small here…, 1 to 2 systems (workstations or servers).
• If you have the option (new install), only install the services you will need for your system.
• Linux/Unix installs usually give you much greater flexibility about what options you want to install.

Linux/Unix Hardening (2 of 6)
• Gathering Linux hardening documentation can be cumbersome at best.
  • There are dozens of versions of Linux/Unix.
  • Everybody has their own opinion, with many commonalities.
  • What works in one probably works in others.
• Suggested reading includes:
  • rhel-sg-en.pdf
  • rhl-sg-en-9.pdf
  • Security-HOWTO.pdf

Linux/Unix Hardening (3 of 6)
• Like MS Windows, you should read these documents; however, other shorter documents have also been provided.
• You should use these documents as a guide for your installations, but you should really build your own installation-specific documentation.