
Computer Security for Student-Administered Computers


shandi

Presentation Transcript


  1. Computer Security for Student-Administered Computers

  2. Agenda • What's the Problem? • Security Risk • Security Incidents • Defenses • Vigilance

  3. What's the Problem at UW? • http://staff.washington.edu/dittrich/talks/security/incidents.html • port-scanning: looking for systems to target • buffer-overrun attacks: command execution via coding errors • open account exploits: to login • packet sniffing: to learn login secrets • trojan horse attacks: to fool user into executing infected program • shared/stolen accounts: to login • denial of service attacks: to prevent or hamper use of computers • file storage: to pirate software/music/etc. • forging email or other electronic messages: to harass/threaten/fool

  4. Security Goals • Microsoft Prescriptive Guidance: Security Operations Guide for Windows 2000 Server • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/windows/windows2000/staysecure/default.asp • Get secure • Stay secure (over time, amidst changes)

  5. Security Risk • Managing risk to protected resources • Resources: data, applications, servers, etc. • what's its value? • Threat: something that could access/harm resources • natural/physical, unintentional/intentional • Vulnerability: point where resource can be attacked • Exploit: use of a vulnerability by a threat • could result in loss of confidentiality, integrity or availability • Risks need to be ranked: low, medium, high

  6. Security Incidents • physical: earthquake, water leak, power failure, etc. • technical vulnerability exploits: attacks, buffer overflows, ... • information gathering exploit: OS identification, wireless leak, social engineering • denial of service exploit: resource removal, physical damage, etc.

  7. Defenses • Data: encryption and backups; antivirus software • Application: developer needs to enforce • Host: limit server to specific roles • Network: blocking and/or encrypting traffic • Perimeter: firewalls; authorized PCs are clean before connecting • Physical: removable media, locks, redundancy, restricted areas • Policies and Procedures: raise awareness and prevent abuse

  8. Windows 2000 Defenses • Planning • Isolation • Installation and Upgrades • Antivirus software • Group Policy/Registry Changes • IPSec/Filtering • Application Lockdown

  9. Windows 2000 Defenses: Planning • What kind? • server: member or domain controller? • workstation? • What role? • basic? web server? cluster? • What’s required for other services? • need to think about this

  10. Windows 2000 Defenses: Isolation • On Internet-connected computer: • gather all upgrades, antivirus software • http://www.washington.edu/computing/software • download • Network Associates/McAfee Netshield (server) • McAfee VirusScan (workstation) • upgrades and updates • burn on CD • Connect to a hub not connected to Internet • Use static, non-routable IP addresses: 10.10.xxx.xxx

  11. Windows 2000 Defenses: Installation and Upgrades • Install Windows 2000 • don’t do it blindly -- read and think about it • Install latest service packs • Install security patches/hotfixes to service packs • Switch to non-privileged account • use RUNAS whenever elevated privileges needed • Watch logs (use EventViewer)

  12. Windows 2000 Defenses: Antivirus • Install Netshield • Install latest upgrades/updates • don’t schedule to update/upgrade (not connected)

  13. Windows 2000 Defenses: Group Policy/Registry Changes • %SystemRoot%\security\templates • Basic • Basicwk.inf (workstation) • Basicsv.inf (member server) • Basicdc.inf (domain controller) • Incremental • securedc.inf (domain controller) • securews.inf (workstations or member servers) • IIS Incremental.inf (IIS only)

  14. Windows 2000 Defenses: Apply AD Group Policy • Active Directory Users and Computers/Domain Controllers/Properties/Group Policy/New • type “BaselineDC Policy” • press enter, then right-click on BaselineDC Policy • select “No Override” • Edit/Windows Settings (expand)/Security Settings/Import Policy • locate template BaselineDC.inf and place name in “Import Policy From” box • close Group Policy and then click Close • replicate to other domain controllers and reboot

  15. Windows 2000 Defenses: Apply Member Group Policy • Active Directory Users and Computers/Member Servers/Properties/Group Policy/New • type “Baseline Policy” • Edit/Windows Settings (expand)/Security Settings/Import Policy • locate template Baseline.inf and place name in “Import Policy From” box • close Group Policy and then click Close • repeat above for Incremental template files • replicate to other domain controllers and reboot

  16. Windows 2000 Defenses: Verify Group Policy • Verify with secedit (compare with existing template) • secedit /analyze /db secedit.sdb /cfg xxxxx.inf • look at log file • Test!

  17. Windows 2000 Defenses: Registry Changes (in Baseline) • HKLM\System\CurrentControlSet\Services\Tcpip\Parameters • EnableICMPRedirect=0 • SynAttackProtect=2 • DisableIPSourceRouting=2 • PerformRouterDiscovery=0 • HKLM\System\CurrentControlSet\Services\AFD\Parameters • DynamicBacklogGrowthDelta=10 • EnableDynamicBacklog=1 • MinimumDynamicBacklog=20 • MaximumDynamicBacklog=20000

  18. Windows 2000 Defenses: IP Filtering • Block all ports not needed for servers

  19. Windows 2000 Defenses: Application Lockdown • Read application’s notes on security • IIS • IIS Incremental.inf • follow guidelines • SQL Server • change default system DBA passwords • protect DBs with access rights/file permissions

  20. Linux Defenses • Planning • Isolation • Installation and Upgrades • Antivirus software??? • IP Filtering • Application Lockdown

  21. Linux Defenses: Planning • What kind? • workstation? • server? • What servers? • web server? insecure servers? • What apps are required? • What services are required?

  22. Linux Defenses: Isolation • On Internet-connected computer: • gather all upgrades • burn on CD • Connect to a hub not connected to Internet • Use static, non-routable IP addresses: 10.10.xxx.xxx

  23. Linux Defenses: Installation and Upgrades • Install Linux • don’t do it blindly -- read and think about it • put /tmp, /home and /var/log in separate partitions • Install latest upgrades • Switch to non-privileged account • use “su -” whenever elevated privileges needed • Watch logs (usually in /var/log)

  24. Linux Defenses: IP Filtering • tcp wrappers • /etc/hosts.deny • ALL:ALL • /etc/hosts.allow • ALL: 10. LOCAL • sshd: ALL • /etc/xinetd.d • disable=yes for undesired services • killall -USR2 xinetd
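
The hosts.allow and hosts.deny rules on slide 24, evaluated the way TCP Wrappers orders its checks (hosts.allow first, then hosts.deny, otherwise grant). This is an added example, not part of the original presentation; it is a simplified model of the matching rules rather than the real libwrap code, and the daemon names, addresses and host names in it are constructed.

```python
# Added example: simplified TCP Wrappers decision logic (not the real libwrap).
# Rule text is copied from the slide; client addresses below are constructed.
HOSTS_ALLOW = "ALL: 10. LOCAL\nsshd: ALL\n"
HOSTS_DENY = "ALL:ALL\n"

def parse(text):
    """Return [(daemon_patterns, client_patterns)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":               # host name that contains no dot
        return bool(hostname) and "." not in hostname
    if pattern.endswith("."):            # address prefix, e.g. "10."
        return ip.startswith(pattern)
    if pattern.startswith("."):          # domain suffix, e.g. ".example.edu"
        return hostname.endswith(pattern)
    return pattern in (ip, hostname)

def rule_hits(text, daemon, ip, hostname):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, ip, hostname) for c in clients)
        for daemons, clients in parse(text))

def allowed(daemon, ip, hostname="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """A hosts.allow match grants; else a hosts.deny match refuses; else grant."""
    if rule_hits(allow, daemon, ip, hostname):
        return True
    return not rule_hits(deny, daemon, ip, hostname)

if __name__ == "__main__":
    for case in [("in.ftpd", "10.10.4.7", "lab7.example.edu"),
                 ("in.ftpd", "203.0.113.9", "remote.example.net"),
                 ("sshd", "203.0.113.9", "remote.example.net")]:
        print(case, "->", "allow" if allowed(*case) else "deny")
```

Two things to check on a real host follow from this: `sshd: ALL` leaves SSH reachable from every address, and the default-deny only exists while hosts.deny contains `ALL:ALL`, because a request that matches neither file is granted.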

  25. Linux Defenses: Apache Lockdown • Apache -- start by restricting everything <Directory /> Options None AllowOverride None Order deny,allow Deny from all </Directory> • then allow by specific directories • want to disable CGI, includes

  26. Linux Defenses: FTP Lockdown • should not use -- sends passwords in plain text • use ssh/scp/sftp instead • /etc/ftpusers • should NOT include root or other privileged accounts • disallow anonymous FTP • should read: class all real *

  27. References • http://www.washington.edu/computing/security • Microsoft Baseline Security Analyzer • for 2000/XP • requires Internet access to run • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp • SANS Institute Bookstore (Windows 2000 & Linux) • (SANS = System Administration, Networking and Security) • https://www.washington.edu/computing/software/sitelicenses/sans/sw/access.html
