Desktop Security I with an emphasis on XP - PowerPoint PPT Presentation

Slides: 118
Provided by: lauries8
Transcript and Presenter's Notes

1
Desktop Security I with an emphasis on XP
  • Laurie Walters - lwalters_at_psu.edu
  • Ken Layng - kml18_at_psu.edu

2
Introduction and Overview
  • Signing In
  • Overview of Seminar
  • About Us
  • About You

3
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Insight into the Dark Side
  • What You Can Do
  • Incident Response and Disaster Recovery

4
XP Security I Seminar Objectives
  • Why Worry About Computer Security?
  • What is Computer Security?
  • Why Should I Care and What's it all for?
  • Why Would Someone Break In To My Computer?
  • Leading Causes Of Security Problems

5
What is Computer Security?
  • The process of detecting and protecting against
    unauthorized use of your computer.
  • 3 Components
  • Awareness
  • Detection
  • Prevention

6
Why Should I Care?
  • Computers are used for everything!
  • Banking: account numbers
  • Shopping: credit card numbers
  • Investing: brokerage houses
  • Directory of contacts
  • Identity theft is costly!

7
Security vs. Convenience
  • To the extent you want security, you will make
    corresponding sacrifices
  • Web history, cookies, form-filling, store pages
    in cache, can all be disabled
  • Cookies keep track of information you provide to
    the Web site and are stored on your PC
  • Good article on cookies:
    http://www.ilovejackdaniels.com/security/are-cookies-dangerous/

8
A few examples
  • PC security is not black and white
  • Varying degrees of security
  • From least privilege to Wide open
  • Separate user accounts?
  • Automatically remember password?
  • Password protected screensaver
  • Log on using administrator account
  • Store cookies?

9
Personalizing security settings
  • What do you use your PC for?
  • Banking? Password protect the application
  • Trading? Don't set PC to remember login
  • Shopping? Look for https, use secure browser
  • Email? Keep your client patched (updated)
  • What information is stored on it?
  • Account numbers?
  • Social Security numbers?
  • Use encryption

10
Why Should I care?
  • Do you want strangers to
  • Read your e-mail?
  • Access your accounts?
  • Use your computer to attack other systems?
  • Send forged e-mail from your computer?
  • Examine stored personal information?

11
What's it all for?
  • Authentication
  • Accountability
  • Authorization / Access Control
  • Integrity of Data
  • Confidentiality
  • Availability

12
Why My Computer?
  • Don't flatter yourself!
  • Intruders usually don't care about your identity
    unless they can exploit it for profit
  • Your compromised PC is worth about $50 in the
    hacking community
  • Sensitivity of data
  • Available hard drive space / bandwidth

13
Why My Computer?
  • Stepping stone for other activities
  • Networks of compromised PCs
  • Yours is a building block
  • Used to launch DoS attacks
  • Used for spam attacks

14
Leading Causes of Security Problems
  • Ignorance / Lack of training
  • If it ain't broke, don't fix it
  • Fear that updates will overwrite critical data or
    machine will crash
  • Lack of time
  • Laziness
  • Maliciousness

15
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • Defense in Depth
  • Minimalism
  • Separation
  • Least Privilege Principle
  • Be Better Than the Other Guys

16
Defense In Depth
  • Security Is a Multi-faceted Problem
  • Many issues must be considered
  • Physical
  • Social
  • System
  • Application-based
  • Network
  • Combine strategies to do whatever is necessary so
    that you're at least better off than average

17
Minimalism
  • Less is More... Secure
  • Don't install things such as Windows Messenger,
    Fax Services, or IIS if you are not planning on
    using them!
  • Beware the 'free / trial' trap

18
Separation
  • 'Don't put all your eggs in one basket'
  • Vital services should be spread amongst machines
  • Don't put an IIS, SQL, or Exchange server on a
    domain controller!
  • Don't put your crucial data on the System
    partition
  • Put your IIS Web content on D:\Webdata instead of
    in the default location of C:\Inetpub\wwwroot

19
Least Privilege Principle
  • All employees should access computers with least
    privilege possible (as user or power user status)
  • Non-system administrator accounts are more
    restricted.
  • Can control programs and files that are
    accessible
  • No installation or administration abilities
  • Administrator uses Runas command or Fast User
    Switching to increase privileges for system
    administration tasks.

20
Be Better Than the Other Guys
  • NO SUCH THING as a hack-proof computer.
  • Hackers and script-kiddies are generally going
    to exploit the easy-pickings first.
  • Even a few steps to make your PC more secure
    greatly decrease your chance of being hacked

21
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • An Insight into the dark side
  • And now it's time for...
  • Who is this guy?
  • Test your knowledge of a few of the more
    notorious hackers
  • A quick scroll: 4 hackers, about 20 slides
  • Hacking tools and methods
  • Types of threats

22
Who is this guy?
23
John Draper (aka Captain Crunch)
  • World's first phreaker
  • In 1972, he discovered a toy whistle in a box of
    Cap'n Crunch cereal produced a 2600 Hz tone which
    provided access to AT&T's long distance network
  • Developed the blue box tone generator

24
Captain Crunch (cont.)
  • Arrested by the FBI and sent to prison numerous
    times
  • Stephen Wozniak, a student at Berkeley,
    manufactured and sold the blue box to make money
    to finance the first Apple computer
  • Wozniak also called the Pope using a blue box
  • Where is Captain Crunch now? Founder of ShopIP
    which sells the CrunchBox firewall system
    (endorsed by Steve Wozniak)

25
Who is this Guy?
26
Robert Morris, Jr.
  • Released Morris worm in 1988
  • First major Internet Worm
  • Cornell University student
  • Released the worm through MIT
  • Morris worm exploited vulnerabilities in
    sendmail, fingerd, rsh/rexec and weak passwords
  • Infected 6000 Unix machines
  • Damage estimate: $10M - $100M

27
Robert Morris, Jr. (cont.)
  • First person to be tried and convicted under the
    1986 Computer Fraud and Abuse Act
  • Received 3 years probation and a $10,000 fine
  • CERT was created in response to the Morris worm
  • Morris's father was chief security officer for
    the National Security Agency (NSA)
  • Where is he now? A professor at MIT, of course!

28
Who is this Guy?
29
Kevin Mitnick
  • Fugitive Hacker
  • Started as a phreaker
  • Inspired by John Draper (Captain Crunch)
  • Using a modem and a PC, he would take over a
    local telephone switching office

30
Kevin Mitnick (cont.)
  • Arrested multiple times
  • Broke into Pacific Bell office to steal passwords
    and operators manuals
  • Broke into a Pentagon computer
  • Stole software from Santa Cruz Operation (SCO)
  • Stole software from DEC
  • Fled when FBI came to arrest him for breaking
    terms of probation

31
Kevin Mitnick (cont.)
The Lost Boy of Cyberspace
32
Kevin Mitnick (cont)
  • Tsutomu Shimomura helped track down the fugitive
    Mitnick in 1995. This was documented in the book
    Takedown.

33
Kevin Mitnick (cont.)
Kevin served 5 years in federal prison
34
Kevin Mitnick (cont.)
  • Where is he now? Author and co-founder of
    security firm called Defensive Thinking

35
Kevin Mitnick (cont).
36
Kevin Mitnick (cont.)
  • The simple truth is that Kevin never sought
    monetary gain from his hacking, though it could
    have proven extremely profitable. Nor did he hack
    with the malicious intent to damage or destroy
    other people's property. Rather, Kevin pursued
    his hacking as a means of satisfying his
    intellectual curiosity and applying Yankee
    ingenuity. These attributes are more frequently
    promoted rather than punished by society.
  • Excerpt from Kevin's Web site

37
Hacker party
  • Captain Crunch with friends Kevin Mitnick and
    Stephen Wozniak

38
Who is this Guy?
39
Who is this Guy?
  • David Smith Author of the Melissa Virus

40
Melissa Virus
  • Virus released in March, 1999
  • A macro virus
  • Infects Microsoft Word document
  • Spread via Microsoft Outlook
  • Requires user to open attachment
  • Sends itself to first 50 entries in address book
  • Relatively non-destructive

41
Melissa Virus
  • Damage estimated at $80 million
  • One of earliest viruses to be spread by email
  • Smith was caught within a week
  • FBI working with AOL
  • Smith sentenced to 20 months in jail and a $5,000
    fine
  • Could have been 10 years in jail, but he agreed
    to help FBI catch other hackers

42
David Smith (Melissa virus)
  • "When I posted the virus, I expected that any
    financial injury would be minor and incidental,"
    he said.
  • Where is he now? Serving time at the federal
    prison in Fort Dix, N.J.

43
Who is this Guy?

44
Who is this Guy?
  • Onel de Guzman accused of releasing the I LOVE
    YOU (Love Bug) virus

45
I Love You Virus
  • Infected 45 million computers in 2000
  • Clogged e-mail worldwide
  • Destroyed music and graphics files
  • As much as $10 billion in damage
  • Replicates itself through
  • E-mail
  • Internet Chat
  • Shared drives

46
I Love You virus
  • De Guzman was a former student at the AMA
    Computer College in the Philippines.
  • Failed to graduate because AMA professors
    rejected his thesis which described a program
    which steals internet passwords
  • Admitted he may have accidentally released the
    virus
  • Where is Guzman now? Charges were dismissed -
    Philippines had no anti-hacking laws in place
    when the crime occurred

47
Hacking tools
  • Increased sophistication of hackware
  • It will get better
  • But not before it gets worse
  • The hacking community is organized
  • A form of organized crime
  • Hacking tools are MUCH more sophisticated
  • Curious, novice hackers can do incredible damage

48
Overview of hacker scanning
  • PCs are addressed with IP addresses
  • Ping sweep checks a broad range of addresses
    for signs of life
  • Are you there?
  • Automated
  • Can scan thousands of addresses in minutes
  • Port scan
  • Looks for open ports (unsecured doors) to your PC

49
Types of threats
  • Trojan Horse
  • Virus
  • Worm

50
Be attachment savvy
  • Never open attachments from strangers
  • Be suspicious of attachments even from someone
    you do know
  • Beware of the trojan horse
  • Shy away from vague, impersonal subject lines
  • Check out this picture!
  • The information you requested
  • Don't use these types of subject lines either

51
Worm
  • A program that propagates itself over a network,
    reproducing itself as it goes.
  • For example, some worms will replicate by sending
    an infected email to every person in your address
    book

52
Virus
  • Infects one or more other programs by embedding a
    copy of itself in them.
  • When these programs are executed, the embedded
    virus is executed too, thus propagating the
    "infection."
  • Usually transparent to the user.

53
Types of attacks
  • DoS: Denial of Service
  • DDoS: Distributed DoS
  • BOT: most prevalent worldwide
  • Many others

54
Denial of Service
  • A "denial-of-service" attack is characterized by
    an explicit attempt by attackers to prevent
    legitimate users of a service from using that
    service.

55
Distributed DoS
  • A DDoS attack is sourced from multiple
    compromised systems simultaneously

56
BOT attacks
  • Creates networks of compromised machines
  • Can use your PC for future attacks
  • Attempts multiple access methods
  • Upon success, they infect you in multiple ways,
    and leave backdoors which are difficult to find
    / clean.

57
Blended Threats
  • Combine several attack methods within one complex
    attack
  • Several methods to gain access
  • Several vulnerabilities exploited
  • Backdoor left open

58
Effects of a compromised PC
  • Lost data
  • Poor system performance
  • Back doors
  • Present vulnerabilities to future attacks
  • Bot-nets
  • Compromising the security of friends and
    colleagues (email subnets)
  • More

59
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • An Insight into the Dark Side
  • What You Can Do
  • Physical Security
  • Installing O.S. and Patching
  • Passwords, Account Policies, and XP User Accounts
  • Antivirus
  • Firewalls
  • Anti-spyware
  • Additional Security Protection

60
What you can do
  • Physically Secure Machine
  • Install OS and Security Updates before computer
    is put on network for first time and apply
    regularly thereafter
  • Account and password policies
  • Use antivirus software
  • Use a personal firewall
  • Install Anti-Spyware program

61
Physical Security
  • Is location of machines secure?
  • Server Room must be highly guarded
  • Lock machine cover, Enable Bios Password
  • Disable CMOS Boot-up from Floppy Drive / CD-ROM
  • Create Boot Up Password (unless it is essential
    that the machine reboots automatically after a
    power outage).
  • Password-Protected Screen Savers
  • Create Redundant storage for essential data
  • Maintain Backups in a SECURE location

62
Common Physical Security Breaches
  • Placing hard drive in another machine
  • Remove CMOS battery
  • DOS boot disk / NTFSDOS / Linux
  • Leaving machine unattended and logged-in

63
Installing XP
  • Install from a previously secured Image (e.g.
    Drive Image, Ghost) then Verify or install from
    scratch.
  • Format hard drives with NTFS rather than FAT to
    use ACLs
  • Install OS with Network cable unplugged!
  • Patch OS with SP1
  • NT4.0 Service Pack 6A
  • Windows 2000 Service Pack 3
  • Install ALL major patches and fixes for
    Applications before placing machine on network!

64
Install XP SP2 from Removable Media
  • Network cable should still be unplugged until
    after XP SP2 is installed and administrative
    accounts have secure passwords.
  • Otherwise, the machine WILL be quickly
    compromised.
  • Machine must reboot after SP2.

65
Install other Critical Patches from Removable Media (Esp. 04-038)
  • Cumulative patch for I.E.
  • There are a large number of other XP Critical
    Patches which you must install such as for the
    O.S., I.E., Outlook, Office, etc.

66
Windows Update on an Individually Administered Machine
  • After machine is plugged in to network, manually
    go to Start Menu → All Programs → Windows Update
    (at top of Menu).
  • Click on Scan for Updates
  • Three types of updates
  • Critical Updates and Service Packs
  • Windows XP (recommended patches)
  • Driver Updates
  • Install all critical updates immediately and look
    through XP and driver updates for which you
    should install

67
Setting Automatic Updates on Standalone Workstations
  • In the Control Panel, select System, then click
    the Automatic Updates tab.
  • Be sure the check box near the top is checked,
    then select the radio button below which suits
    you.

68
Require complex passwords on all accounts
  • All accounts should have passwords, not just
    administrative users
  • Make sure the hidden Administrator account has a
    password. By default it is blank.
  • You can change the way users log off:
  • Use the Welcome Screen and Fast User Switching
  • Log in as a regular user and use RunAs to execute
    a program as an administrative user.

69
Departmental Account Policies
  • Employees signed written policy
  • One user per account
  • Disable Guest Account on local machines
  • Rename Administrator Account
  • Who has access to Administrator (root) Account?
  • Assign administrators each an account rather than
    everyone logging on as admin or root

70
XP Passwords
  • When setting up XP, you are prompted for type of
    Account/Password Scheme
  • Use the Welcome Screen (user selected by clicking
    on picture of account). This can be
    password-protected or password-less.
  • User must enter user name and password to log on
    to computer

71
Strong Passwords
  • Impossible to guess
  • Use numbers, letters, special characters
  • Do not use names or words found in a dictionary
  • Use different passwords for each account and
    application
  • Change passwords regularly
  • Never share passwords
  • Use passphrases
  • Don't configure to remember password

72
More XP Password Setup
  • Navigate to the Control Panel and choose
    Category View. Click on the User Accounts
    icon.
  • At the bottom you will see icons of the accounts
    on the machine. Look at the icon for
    Administrator (chess board by default). It
    should say Password Protected
  • If administrator is not password protected, click
    on it and then choose change my password

73
Setting an Administrator Password
  • The administrator account will not appear in the
    list of users in the Users and Accounts section
    of the control panel unless you are logged into
    the Administrator account.
  • Log into the Administrator account either by
    booting into safe mode (press F8 on bootup) or by
    logging out of your other account and pressing
    Control Alt Delete and typing the name
    Administrator and leave the password field blank.
  • Set a good password for the Administrator account
    just as you would for any other XP account.

74
Create an XP user account
  • On left hand side of user account menu, choose
    Create another account
  • Choose Create a new account
  • Choose Limited
  • For more information about what a limited account
    is, choose Account Types from the left hand menu.

75
Change the way users log on or off
  • Located on main User Accounts page.
  • Use the Welcome screen
  • Use Fast User Switching
  • This will force users to authenticate like the
    traditional NT/2000 dialog boxes.
  • These two may become disabled when updating with
    SP1 for XP Pro (not Home) and when machine
    becomes a domain member.

76
Run As
  • People often use administrative accounts to log
    on to ease administration.
  • Staying logged in with administrative privileges
    increases chance of malicious code execution
    (e.g. Trojan Horse, backdoor, etc.)
  • For many hacks, Intruder can leverage privilege
    of currently logged in user.
  • To perform Runas in Windows XP, hold down the
    shift key and use right hand mouse button to
    click on desired icon. Runas will show up in the
    menu and you type in the user name of desired
    user and password.

77
Virus Protection
  • Install anti-virus software
  • Set the virus software to update virus
    definitions automatically

78
Virus Protection Freebies
  • Symantec Antivirus is available at no cost to all
    PSU faculty, staff, and students through a site
    license.
  • http://computerstore.psu.edu/softwaredist/index.html
  • Keeping virus definition files up to date is
    vital.
  • Virus definition files should be set to update
    automatically, at least weekly (Should be
    manually downloaded sooner if you hear of a new
    virus in the news).

79
Install Antivirus Software
  • In addition, XP SP2 may not properly identify
    Symantec antivirus versions 7 and 8. They are
    working on a patch to fix this. For version 9,
    you can download Maintenance Pack 2 at
  • http://www.symantec.com/techsupp/enterprise/products/sav_ce/savce_9.0/files.html
  • Thanks to Mike Waite for the link to that patch!

80
Virus Protection
  • Consulting and Support Help Desk can assist with
    questions in cleaning up an infected machine
  • 863-2494
  • 863-1035
  • or helpdesk_at_psu.edu
  • Report receipt of infected messages to
    virus_at_psu.edu
  • Include full header information

81
(No Transcript)
82
(No Transcript)
83
Email header Views
  • http://sos.its.psu.edu/header.html

84
Firewalls
  • A Firewall restricts access from unauthorized
    users on your network.
  • A Firewall contains specified rule-sets.
    Restrictions are based upon
  • IP Addresses
  • Port numbers
  • The Firewall examines internet traffic to
    determine if access is allowed or disallowed. If
    disallowed, the traffic is blocked.

85
Example of A Firewall
  (Diagram: User Computer, ephemeral port → Firewall → Server Computer, port 80)
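
As an added example (not part of the seminar), the rule set described on the Firewalls slide and pictured here, written as a small stateful packet filter in Python: rules are keyed on IP address and port number, the first matching rule wins, anything unmatched is denied, and an inbound packet with no rule of its own is accepted only when it is the reply to a connection the protected PC opened, which is why the picture labels the user's side "ephemeral port". The addresses, ports and rule names are constructed. The outbound rules go beyond what the built-in XP firewall does (it only filters inbound), so this models a personal firewall of the kind discussed on the later slides.

```python
# Added example (not from the seminar): a minimal stateful packet filter that
# evaluates rules keyed on IP address and port number, first match wins, and
# anything unmatched is denied. All addresses, ports and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    direction: str        # "in" = toward the protected PC, "out" = leaving it


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    direction: str                     # "in", "out" or "any"
    proto: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dst_ports: Optional[range] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction):
            return False
        if self.proto not in ("any", p.proto):
            return False
        if ip_address(p.src_ip) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_ports is not None:
            if p.dst_port is None or p.dst_port not in self.dst_ports:
                return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Connections this PC opened: (remote ip, remote port, local port, proto).
        # Replies to these are let back in even though no inbound rule names them.
        self.flows = set()

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet, updating connection state on the way."""
        if p.direction == "in" and (p.src_ip, p.src_port, p.dst_port, p.proto) in self.flows:
            return "allow", "reply to a connection this PC opened"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.direction == "out":
                    self.flows.add((p.dst_ip, p.dst_port, p.src_port, p.proto))
                return r.action, r.name
        return "deny", "default deny"   # nothing matched: the door stays shut


# Constructed rule set for the picture: the user PC may browse web servers on
# port 80/443; only the local subnet may reach Remote Desktop (3389) on this PC.
RULES = [
    Rule("web browsing", "allow", "out", "tcp", dst_ports=range(80, 81)),
    Rule("web browsing (TLS)", "allow", "out", "tcp", dst_ports=range(443, 444)),
    Rule("remote desktop from local subnet", "allow", "in", "tcp",
         src_net="192.0.2.0/24", dst_ports=range(3389, 3390)),
]


def demo() -> List[Tuple[str, str]]:
    """Run a constructed sequence of packets through the filter and return the decisions."""
    fw = Firewall(RULES)
    me, web, attacker, neighbour = "192.0.2.10", "198.51.100.5", "203.0.113.9", "192.0.2.20"
    packets = [
        Packet("tcp", me, 1234, web, 80, "out"),          # browser opens a page
        Packet("tcp", web, 80, me, 1234, "in"),           # the server's reply to that ephemeral port
        Packet("tcp", web, 80, me, 1235, "in"),           # same server, but no matching connection
        Packet("tcp", attacker, 4444, me, 135, "in"),     # unsolicited probe of an RPC port
        Packet("tcp", neighbour, 5000, me, 3389, "in"),   # remote desktop from the local subnet
        Packet("tcp", attacker, 5000, me, 3389, "in"),    # remote desktop from outside
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for action, why in demo():
        print(f"{action:5} {why}")
```

The third packet is the one the diagram is really about: it comes from a legitimate web server on port 80, yet it is dropped because the PC never opened a connection from port 1235. Matching replies to the connection table, rather than opening every ephemeral port to the world, is what lets the filter default to deny.
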
86
XP Firewall Windows Firewall
  • Control Panel → Classic View → Network → Network
    Connections
  • Right click on your internet connection icon and
    select properties
  • Choose the Advanced tab.
  • Under Advanced, choose Protect my computer and
    network by limiting or preventing access to this
    computer from the network.

87
Setting up Windows Firewall
  • Click on Settings button under Advanced.
  • Choose the services you are running (Web, FTP,
    SMTP, Remote Desktop, Telnet Server, etc.)
  • Under security logging tab set location and size
    of logs and enable logging of successful connects
    to machine
  • Default: C:\windows\pfirewall.log, 4096 KB
  • Under ICMP tab, choose ICMP packets that you wish
    to allow through
  • ICF is simple to use and set up and is free, but
    doesn't block outgoing traffic
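
The ping sweeps and port scans described on the hacker scanning slide show up in exactly the log that the Security Logging tab writes. As an added example (not part of the seminar), here is a Python reader for pfirewall.log that takes the column names from the file's own #Fields: header and flags any source whose dropped inbound packets look like a ping ("are you there?") or a port scan (many different doors tried). The log lines are constructed to match the XP SP2 layout, and the rule that five distinct ports from one source counts as a scan is an assumption.

```python
# Added example (not from the seminar): read the Windows Firewall log that the
# Security Logging tab writes and flag sources whose dropped inbound packets look
# like a ping or a port scan. The log lines below are constructed in the XP SP2
# format; the 5-distinct-port threshold is an assumption.
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-10-14 08:01:10 DROP ICMP 203.0.113.9 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2004-10-14 08:01:12 DROP TCP 203.0.113.9 192.0.2.10 4444 135 48 S 1234567 0 16384 - - - RECEIVE
2004-10-14 08:01:12 DROP TCP 203.0.113.9 192.0.2.10 4445 139 48 S 1234568 0 16384 - - - RECEIVE
2004-10-14 08:01:13 DROP TCP 203.0.113.9 192.0.2.10 4446 445 48 S 1234569 0 16384 - - - RECEIVE
2004-10-14 08:01:13 DROP TCP 203.0.113.9 192.0.2.10 4447 3389 48 S 1234570 0 16384 - - - RECEIVE
2004-10-14 08:01:14 DROP TCP 203.0.113.9 192.0.2.10 4448 1433 48 S 1234571 0 16384 - - - RECEIVE
2004-10-14 08:02:00 DROP TCP 198.51.100.77 192.0.2.10 51000 80 48 S 2234567 0 16384 - - - RECEIVE
2004-10-14 08:05:30 OPEN TCP 192.0.2.10 198.51.100.5 1234 80 - - - - - - - - -
2004-10-14 08:05:31 CLOSE TCP 192.0.2.10 198.51.100.5 1234 80 - - - - - - - - -
"""


def parse_pfirewall(text: str) -> List[Dict[str, str]]:
    """Turn log lines into dicts keyed by the column names in the #Fields: header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the file names its own columns; trust those
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                       # skip a truncated or foreign line rather than crash
        records.append(dict(zip(fields, values)))
    return records


def find_probes(records: List[Dict[str, str]], port_threshold: int = 5) -> Dict[str, dict]:
    """Group dropped inbound packets by source and report pings and port scans."""
    ports: Dict[str, set] = defaultdict(set)
    pings: Dict[str, int] = defaultdict(int)
    for r in records:
        # Only packets the firewall dropped on the way in; SP2 labels those RECEIVE.
        if r["action"] != "DROP" or r.get("path", "RECEIVE") != "RECEIVE":
            continue
        src = r["src-ip"]
        if r["protocol"] == "ICMP" and r["icmptype"] == "8":   # echo request = "are you there?"
            pings[src] += 1
        elif r["protocol"] in ("TCP", "UDP") and r["dst-port"].isdigit():
            ports[src].add(int(r["dst-port"]))
    report: Dict[str, dict] = {}
    for src in set(ports) | set(pings):
        scanned = sorted(ports[src])
        if pings[src] or len(scanned) >= port_threshold:
            report[src] = {"pings": pings[src], "ports": scanned,
                           "port_scan": len(scanned) >= port_threshold}
    return report


if __name__ == "__main__":
    for src, finding in find_probes(parse_pfirewall(SAMPLE_LOG)).items():
        print(src, finding)
```

The single dropped packet from 198.51.100.77 is deliberately left out of the report: one stray connection attempt to port 80 is background noise on any network, and a log reviewer who is alerted on every drop will soon stop reading. Leaving successful-connection logging on, as the slide advises, is what makes the OPEN and CLOSE lines available for the cases where a probe was not dropped.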

88
Install Personal Firewall
  • Blocks incoming and outgoing packets as opposed
    to Windows Firewall
  • You specify which programs, ports, or IP
    addresses may access the internet from your
    machine AND which may access your machine from
    the internet
  • Examples include Zone Alarm, Integrity, and Symantec

89
Install Anti-Spyware program
  • Install an anti-spyware program such as Spybot
    Search and Destroy or Adaware
  • Links to both of these programs are found on the
    Pac-ITS CD and at http://downloads.its.psu.edu

90
Additional Security Protection
  • Use Encryption where possible
  • Use Secure Services Whenever Possible
  • Plugins for Email (Kerberos, PGP)
  • SSH vs. Telnet
  • HTTPS vs. HTTP
  • SCP vs. FTP

91
Performing Backups
  • Backup system files
  • Backup methods
  • Seagate Backup Exec, ArcServe
  • NT Backup
  • TSM (formerly ADSM)
  • Backup types
  • Full
  • Incremental
  • Differential
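
As an added example (not part of the seminar), the three backup types from the list above modelled in Python using the Windows archive attribute, which is set whenever a file is written: a full backup copies everything and clears every bit, an incremental copies only files changed since the last backup and clears the bits, and a differential copies everything changed since the last full and leaves the bits alone. The file names and the Monday-to-Wednesday schedule are constructed; the point is how much media each scheme needs at restore time.

```python
# Added example (not from the seminar): how full, incremental and differential
# backups choose files, modelled with the Windows archive attribute, which is
# set whenever a file is written and cleared by backups that "mark" files.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class File:
    name: str
    archive: bool = True   # True = changed since it was last backed up


Entry = Tuple[str, str, List[str]]   # (day, backup type, files copied)


def backup(files: List[File], kind: str) -> List[str]:
    """Return the files a backup of this type copies and update archive bits as it would."""
    if kind == "full":
        chosen = [f.name for f in files]                 # everything
    elif kind in ("incremental", "differential"):
        chosen = [f.name for f in files if f.archive]    # only what changed since the last mark
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind != "differential":      # differential leaves the bits set, so each one
        for f in files:             # captures all changes since the last full backup
            f.archive = False
    return chosen


def write(files: List[File], name: str) -> None:
    """Simulate the user saving a file: Windows sets its archive attribute."""
    for f in files:
        if f.name == name:
            f.archive = True


def run_week(kind: str) -> List[Entry]:
    """Full backup on Monday, then the given type Tuesday and Wednesday, with one edit per day."""
    files = [File("budget.xls"), File("thesis.doc"), File("notes.txt")]
    log: List[Entry] = [("Mon", "full", backup(files, "full"))]
    write(files, "budget.xls")
    log.append(("Tue", kind, backup(files, kind)))
    write(files, "thesis.doc")
    log.append(("Wed", kind, backup(files, kind)))
    return log


def restore_set(log: List[Entry]) -> List[str]:
    """Which backup media are needed to restore the state after the last backup."""
    last_full = max(i for i, (_, kind, _) in enumerate(log) if kind == "full")
    needed = [log[last_full]]
    later = log[last_full + 1:]
    if any(kind == "incremental" for _, kind, _ in later):
        needed += [e for e in later if e[1] == "incremental"]   # every incremental, in order
    elif later:
        needed.append(later[-1])   # the newest differential supersedes the earlier ones
    return [f"{day} {kind}" for day, kind, _ in needed]


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        log = run_week(kind)
        for day, what, copied in log:
            print(f"{day} {what:12} copied {copied}")
        print("  restore needs:", restore_set(log))
```

The trade-off the two schemes make is visible in the output: incremental backups copy the least each night but a restore needs the full plus every incremental since, in order, so losing one tape breaks the chain; differential backups grow each night but a restore needs only the full and the latest differential.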

92
Request Vulnerability Scans
  • http://sos.its.psu.edu/scan.html
  • Ask network contacts to request a scan of your
    network via this page.
  • Results returned within 48 business hours.

93
Other Security Strategies
  • Run chkdsk /f c: and back up data frequently
  • Redundancy
  • Multi Factor Authentication
  • Ported Unix tools for NT (Tripwire, nmap, SSH,
    etc.)
  • Subscribe to listservs: Microsoft's Security
    Notification Service, SecurityFocus Bugtraq

94
XP Security I Seminar Objectives
  • Why Worry About Security?
  • Key Security Principles
  • An Insight into the Dark Side
  • What You Can Do
  • Incident Response and Disaster Recovery
  • Security Incident Response Strategies
  • Creating a Disaster Recovery Plan
  • Testing Disaster Recovery

95
Incident Response
  • Determine Course Of Action For Different Security
    Incidents (e.g.)
  • Viruses
  • System Compromise
  • Determine If Machine Should Be Fixed Or Rebuilt
  • Contact Security Operations And Services (SOS) In
    Case Of Compromise.
  • Phone (814) 863-9533
  • Email security_at_psu.edu

96
Creating A Disaster Recovery Plan
  • Create A Plan BEFOREHAND
  • Determine What The Longest Acceptable Downtime Is
  • Rank order/prioritize Systems

97
Testing Disaster Recovery Strategies
  • What Good Is A Plan If You Don't Know If It
    Works?
  • Should Test For
  • The Worst Thing That Could Happen
  • The Most Likely Thing That Could Happen

98
Wrapping it up

99
The Penn State Dilemma
  • Open computing environment
  • Reliance on cooperation
  • Different enforcement approaches
  • PSU's policy trusts you
  • Reactive rather than proactive
  • 50,000 users on the network

100
You are the solution
  • Incumbent upon you
  • 90% of PSU's compromises and instability can be
    addressed at the desktop
  • When you secure yourself, you secure everyone
  • The network doesn't discriminate
  • It doesn't forgive you because you don't know
  • Whether faculty, staff, student, new user, system
    admin, Kathy Kimball or Graham Spanier

101
XP Security I Seminar Objectives
  • Why Worry About Computer Security?
  • What is Computer Security?
  • Why Should I Care and What's it all for?
  • Why Would Someone Break In To My Computer?
  • Leading Causes Of Security Problems

102
XP Security I Seminar Objectives
  • Key Security Principles
  • Defense in Depth
  • Minimalism
  • Separation
  • Least Privilege Principle
  • Be Better Than the Other Guys

103
XP Security I Seminar Objectives
  • An Insight into the dark side
  • And now it's time for...
  • Who is this guy?
  • Test your knowledge of a few of the more
    notorious hackers
  • A quick scroll: 4 hackers, about 20 slides
  • Hacking tools and methods
  • Types of threats

104
XP Security I Seminar Objectives
  • What You Can Do
  • Physical Security
  • Installing O.S. and Patching
  • Passwords, Account Policies, and XP User Accounts
  • Antivirus
  • Firewalls
  • Anti-spyware
  • Additional Security Protection

105
XP Security I Seminar Objectives
  • Incident Response and Disaster Recovery
  • Security Incident Response Strategies
  • Creating a Disaster Recovery Plan
  • Testing Disaster Recovery

106
What you can do: Sneak peek at XP II
  • Disable unnecessary services / applications and
    limit network access to the necessary ones
  • Set Security policies such as expiration date on
    passwords and Change name of default
    Administrator account

107
Questions?
108
Thank you !!!

109
Appendixes

110
Appendix A PSU Security Policies
  • Located at http://sos.its.psu.edu/policy.html

111
Appendix B Good Passwords
  • http://www.alw.nih.gov/Security/Docs/passwd.html

112
Appendix C Additional Resources
  • SANS guidelines
  • /../common/docs/SANS
  • NSA Guide to Securing W2K
  • nsa2.www.conxion.com/win2k/download.htm
  • Microsoft's Guide to Securing Windows 2000 Server
  • http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp

113
Appendix D Creating a Departmental Policy
  • Clearly explain rights and responsibilities of
  • All Users
  • System Administrators
  • Management
  • Enumerate consequences of violations
  • Help eliminate Social Engineering
  • Who is responsible for ensuring policies are
    maintained?
  • All departmental users, administrators, and
    management should sign this policy
  • Penn State Policies are located at
    http//sos.its.psu.edu/policy.html

114
Appendix D Maintaining Departmental Policies
  • E.g. All employees/departments must adhere to
    certain policies (e.g. AD-20, AD-53), certain
    departments can have more restrictive policies
  • That which is not specifically allowed is denied,
    or
  • That which is not specifically prohibited is
    allowed (usual PSU setting)
  • See Appendix A for PSU Security Policies Link.

115
Appendix D Sample Items For Departmental
Security Policy
  • Password Policy
  • Physical Security
  • Services Settings to Be Disabled Or Configured
  • Virus Policy
  • Backup Policy
  • Auditing and Logging Policy
  • Backups and Disaster Recovery Policy
  • Privilege Policy
  • Use of network server is for work-related
    materials only

116
Appendix D Updating Departmental Policies
  • Periodically review policies to ensure that they
    are sensible, still pertinent, and reflect new
    security threats.
  • Management must agree to and support all changes.
    (This may be the hardest part!)
  • If you don't have management back you up, you
    might as well not have a policy!

117
Note
  • Powerpoint slides to this and other seminars,
    links to utilities, patches, and suggestions for
    securing Windows operating systems and
    applications can be found at
    http://www.personal.psu.edu/lxm30/windows/windows.html