Security Best Practices - PowerPoint PPT Presentation

Title: Security Best Practices

Description: Turn on the Automatic Updates feature. Windows Update. Office Update ... Microsoft provides a free WPA upgrade, but it only works with Windows XP ...

Slides: 50
Provided by: brian57

Transcript and Presenter's Notes

1
Security Best Practices
  • What are we fighting?
  • What are we trying to protect?
  • How can we best combat these problems?

2
Security Best Practices
  • Overall Top Issues
  • PC Security
  • Internal Network Security
  • Wireless Security
  • File System Security
  • Firewall or Perimeter Security

3
What are we fighting?
  • Viruses
  • Sophos polled 3,000 IT administrators and learned
    that most do not update antivirus signatures for
    remote offices and telecommuters as often as they
    do for office-based systems
  • Normally attaches to files
  • Worms
  • Propagates over the network
  • Unpatched systems are at risk

4
What are we fighting?
  • Trojans
  • May look friendly
  • Client/server approach (zombie)
  • Network Attacks
  • Scanning, sniffing, intrusion attempts, buffer
    overflows, DDOS attacks
  • Internal Attacks
  • Unauthorized attempts

5
What are we trying to protect?
  • Perimeter
  • Local Networks
  • PCs

6
Overall Top Issues - 1
  • Implement Physical Controls
  • Servers and networking equipment in a locked area
  • Backup devices and media in locked area
  • Login access to backup server secured

7
Overall Top Issues - 2
  • Require or strongly encourage employees to choose
    strong passwords
  • Let upper management know why this is important
    to protecting the business's assets
  • Freely available tools perform brute-force
    dictionary attacks, using lists of tens of
    thousands of common passwords, against unsecured
    computer systems
  • Passwords should have a minimum of seven
    characters, be nondictionary words, and combine
    uppercase, lowercase, and special characters
  • 10 trillion combinations

8
Overall Top Issues - 3
  • Require new passwords
  • Every 90 days or at least twice a year
  • Why?
  • A stagnant network is a perfect test bed for
    exploitation
  • At the very least, if an intrusion was occurring,
    it raises the deterrent factor
  • If your company was profiled by a hacker and
    recorded that passwords frequently change, they
    may not waste time on you
  • Set account lockout parameters
  • Use a brute force attack on your own passwords
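The password rules on slide 7 and the lockout settings on this slide, as an added PowerShell example that is not part of the original deck. The dictionary list, the sample passwords, and the lockout values are constructed for illustration; in practice the word list would be loaded from a file.

```powershell
# Added example (not from the slides): checks a candidate password against the
# rules on slide 7 (7+ characters, not a dictionary word, mixed upper/lower/special),
# computes the size of the keyspace those rules imply, and shows how the lockout
# parameters from slide 8 are applied.

# Constructed stand-in for a real word list (e.g. Get-Content .\words.txt).
$Dictionary = @('password', 'welcome', 'letmein', 'summer', 'company')

function Test-StrongPassword {
    param([Parameter(Mandatory)][string]$Password)

    $problems = @()
    if ($Password.Length -lt 7)             { $problems += 'shorter than 7 characters' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'no lowercase letter' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'no special character' }

    # Strip digits/symbols first so "Summer2004!" is still caught as "summer".
    $stem = ($Password -replace '[^A-Za-z]', '').ToLowerInvariant()
    if ($Dictionary -contains $stem)        { $problems += "dictionary word '$stem'" }

    [pscustomobject]@{
        Password = $Password
        Strong   = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Get-Keyspace {
    # Number of combinations for a given length over a character set of a given size.
    param([int]$Length, [int]$AlphabetSize)
    [math]::Pow($AlphabetSize, $Length)
}

# Constructed sample passwords: weak, dictionary-based, and compliant.
'password', 'Summer2004!', 'Tq7#vbLx' | ForEach-Object { Test-StrongPassword $_ } | Format-Table -AutoSize

# 26 lower + 26 upper + 10 digits + 10 specials = 72 symbols; 72^7 is about 1.0e13,
# the "10 trillion" order of magnitude quoted on slide 7.
'{0:N0} combinations for 7 characters over 72 symbols' -f (Get-Keyspace -Length 7 -AlphabetSize 72)

# Lockout and rotation settings (slide 8) with the classic net accounts command.
# Values are illustrative: 5 bad attempts, 30-minute lockout, 30-minute observation
# window, 90-day maximum password age. Shown commented; run from an elevated prompt.
# net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 /maxpwage:90
```

The dictionary check runs on the alphabetic stem of the password, so appending a year and a symbol to a common word does not get it past the rule; that is the pattern the lists mentioned on slide 7 are built around.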

9
Overall Top Issues - 4
  • Verify that your virus-protection subscription is
    current and working
  • Can you include spyware protection also?
  • Do engine updates to the antivirus program occur
    automatically or manually?

10
Overall Top Issues - 5
  • Email Issues
  • Internal Email Server
  • Install either a gateway or API filtering
    solution
  • Both is better, where the solution allows it
  • Client PCs should also have email scanning
    functionality as a second layer of defense
  • Train or educate employees about email
    attachments
  • Including the need to avoid opening attachments
    from unknown sources

11
Overall Top Issues - 6
  • Beware of Social Engineering
  • On-site visits to gather data
  • Person posing on the phone as an employee
  • Spoofed email
  • Train employees to be cautious
  • Lock PC when away

12
Overall Top Issues - 7
  • Install a total protection solution
  • If you host your own web sites locally, using
    just a firewall is not going to make it secure
  • Install an IDS and policy management

13
Overall Top Issues - 8
  • Test your security posture regularly
  • Hackers have all the time in the world to update
    their technology and skills
  • See where your holes exist before someone else
    does

14
Overall Top Issues - 9
  • Terminating employees
  • Remove their network access immediately
  • Escort them out

15
Overall Top Issues - 10
  • Secure Telecommuting and remote access
  • As VPN solutions are increasing to allow greater
    flexibility and more productivity, securing
    remote access is critical.
  • Use Quarantine services built into Windows Server
    2003 RRAS

16
Overall Top Issues - 11
  • Especially if you're hosting web sites, update
    your Web server software regularly
  • Stay up-to-date on current patch level and
    service packs for underlying OS

17
Overall Top Issues - 12
  • Kill network services that are not needed
  • May include
  • Web
  • Email
  • FTP
  • Network browsing

18
Overall Top Issues - 13
  • Filter Connections
  • Protect and scan HTTP and FTP traffic
  • Is IM used?
  • Consider hosting your own
  • Filter the traffic

19
Overall Top Issues - 14
  • Log everything you can
  • Firewall, Web Server, Email Server, File Server,
    etc
  • Copy logs to another system
  • Consider a centralized approach
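"Copy logs to another system" from this slide, as an added PowerShell example that is not part of the original deck. The collector share path and the failed-logon threshold are assumptions; the script needs an account that can read the Security log and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the slides): exports the last 24 hours of the Security
# and System logs to a central share, stores a SHA-256 hash beside each export so
# later tampering on the host is detectable, and warns on a burst of failed logons.
$CentralShare         = '\\logserver\logs$'   # assumed collector share
$FailedLogonThreshold = 50                    # constructed threshold for the warning

function Export-RecentLogs {
    param([string]$Share = $CentralShare, [int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $Share $env:COMPUTERNAME
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    foreach ($log in 'Security', 'System') {
        $file   = Join-Path $outDir "$log-$stamp.csv"
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue)
        if (-not $events) {
            "{0,-8} no events in the last $Hours hours" -f $log
            continue
        }
        $events |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
            Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

        # The hash lives on the collector: a host that later rewrites its own log
        # cannot change what was already copied off.
        (Get-FileHash -Path $file -Algorithm SHA256).Hash | Set-Content -Path "$file.sha256"

        if ($log -eq 'Security') {
            # Event ID 4625 = failed logon; a spike here is what the lockout
            # policy on slide 8 is meant to blunt.
            $failed = @($events | Where-Object Id -eq 4625).Count
            if ($failed -ge $FailedLogonThreshold) {
                Write-Warning "$failed failed logons in the last $Hours hours on $env:COMPUTERNAME"
            }
        }
        "{0,-8} {1,6} events -> {2}" -f $log, $events.Count, $file
    }
}

Export-RecentLogs
```

Schedule this per host and the collector ends up with a dated, hashed copy of every log; comparing the stored hash against a fresh hash of the same file is the tamper check. Windows Event Forwarding is the built-in alternative to a scripted copy on current Windows versions.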

20
  • Questions?

21
PC Security
  • Implement a Firewall
  • BlackIce, ZoneAlarm, McAfee, Symantec
  • Install Patches and Service Packs
  • Turn on the Automatic Updates feature
  • Windows Update
  • Office Update
  • Keep the antivirus software up-to-date
  • Check for updates every 2 hours minimum
  • Is the scanning engine updated automatically?
  • Use Spyware detection/removal software

22
Internal Network Security
  • What makes up the network?
  • Routers, Switches, Firewalls
  • SERVERS
  • File, Email, Web, Database, Dedicated
    Application, Backup, Testing
  • PCs
  • And the BIG one, USERS!
  • Basically, anything connected

23
Securing Basic Network Devices
  • Why secure a switch?
  • Man in the Middle Attacks
  • Traffic Sniffing
  • LAN port forwarding
  • What about a router?
  • Table poison
  • Reroute traffic

24
Server Security Best Practices
  • Disable the Alerter service and the Messenger
    service
  • Alerter service notifies users of administrative
    alerts
  • This service usually is not required under normal
    circumstances

25
Server Security Best Practices
  • Disable the Messenger service
  • This service provides the ability to send
    messages between clients and servers
  • Allows "net send" messages from the Internet to
    reach your computer
  • The Messenger service uses UDP ports 135, 137,
    and 138 and TCP ports 135, 139, and 445

26
Server Security Best Practices
  • Disable the Clipbook service
  • Used to store information (cut / paste) and share
    it with other computers
  • Service has nothing to do with moving data from
    Excel to Word

27
Server Security Best Practices
  • Disable the Human Interface Device service,
    except for those users who need it
  • Service enables the use of specialized devices
    such as game controllers and virtual reality
    devices

28
Server Security Best Practices
  • Disable the Indexing service
  • Makes searching the local hard drive faster by
    keeping a virtual index of the files
  • Uses about 500 KB to 2 MB in an idle state
  • Sore spot for buffer overflow attacks

29
Server Security Best Practices
  • Disable Machine Debug Manager
  • Provides support for program debugging
  • Typically used by developers
  • Disable it in Internet Explorer

30
Server Security Best Practices
  • Don't run any unnecessary network services
  • World Wide Web Publishing Service
  • Simple Mail Transport Protocol (SMTP)
  • FTP Publishing Service
  • Network News Transfer Protocol

31
Email Server Security Best Practices
  • Using a separate relay
  • Virus/Spam Protection
  • Test to verify an open relay doesn't exist
  • Tools
  • www.samspade.org
  • www.abuse.net/relay.html
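A self-check for the open-relay test this slide calls for, as an added PowerShell example that is not part of the original deck. It asks your own server to accept mail from one outside domain to another and reports whether RCPT TO was accepted; the server name and both addresses are placeholders.

```powershell
# Added example (not from the slides): an open-relay check against your own mail
# server. A correctly configured server rejects RCPT TO for an outside recipient
# with a 5xx code; 250 on both MAIL FROM and RCPT TO indicates relaying is allowed.
# The transaction is aborted with RSET before DATA, so nothing is ever queued.
function Test-OpenRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'probe@example.com',   # constructed outside sender
        [string]$To   = 'probe@example.net'    # constructed outside recipient
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply (multi-line replies use "250-" continuation lines)
    # and return its three-digit code.
    function Read-Reply {
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw 'connection closed by server' }
        } while ($line -match '^\d{3}-')
        [int]$line.Substring(0, 3)
    }
    function Send-Command([string]$Command) {
        $writer.WriteLine($Command)
        Read-Reply
    }

    try {
        $codes = [ordered]@{
            Banner = Read-Reply
            EHLO   = Send-Command 'EHLO probe.example.com'
            MAIL   = Send-Command "MAIL FROM:<$From>"
            RCPT   = Send-Command "RCPT TO:<$To>"
        }
        Send-Command 'RSET' | Out-Null
        Send-Command 'QUIT' | Out-Null
    } finally {
        $client.Close()
    }

    [pscustomobject]@{
        Server    = $Server
        MailCode  = $codes.MAIL
        RcptCode  = $codes.RCPT
        OpenRelay = ($codes.MAIL -eq 250 -and $codes.RCPT -eq 250)
    }
}

Test-OpenRelay -Server 'mail.internal.example'   # placeholder host name
```

This check stops before DATA, so a server that accepts the recipient and only refuses at DATA would still show as open; the abuse.net service linked on the slide completes a full delivery attempt and is the better confirmation. A 4xx on RCPT usually means greylisting or rate limiting rather than a closed relay, so re-test later rather than reading it as a pass.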

32
Web Server Security Best Practices
  • Use IIS 6.0 if at all possible
  • Separate protected application pools
  • URLScan
  • http://www.microsoft.com/technet/security/tools/urlscan.mspx
  • Keep current on patch level

33
User Best Practices
  • Hardening user passwords
  • Educate them as to why this is important
  • Show them how to create strong passwords
  • Password Rules
  • Don't put passwords on sticky notes
  • Do not store miscellaneous passwords on hard
    drives
  • Administrators and sensitive account users should
    have stronger than normal passwords
  • Enforce the policy

34
  • Questions?

35
Wireless Security Best Practices
  • Change the default SSID (the wireless equivalent
    of a workgroup name) to something less common
  • Or better yet, disable SSID broadcasts
  • Use a unique login name and password to gain
    access to the device
  • Default login and passwords are publicly
    available on the Internet

36
Wireless Security Best Practices
  • Enable the highest method of security the device
    will allow
  • WEP is not bulletproof, but it provides
    additional protection
  • 128-bit is preferred
  • Make sure the device has up-to-date firmware

37
Wireless Security Best Practices
  • Implement media-access control (MAC) filtering
  • Allows only the wireless adapters specified to
    access the device
  • Not bulletproof or spoofproof, but adds another
    layer of security
  • SNMP community names
  • If not being used, turn it off
  • Change the string to something other than public

38
Wireless Security Best Practices
  • Minimize the amount of signal leaked to the
    outside
  • If there is no need for wireless access outside
    the building, place the device to the center of
    the building
  • Audit the wireless network
  • Walk around the outside of the building with a
    laptop
  • Use Network Stumbler to assist with the
    security audit

39
Wireless Security Best Practices
  • Small number of wireless clients?
  • Consider using static IP addresses instead of
    DHCP
  • Use subnets different from the default setting
  • Consider using a VLAN or VPN to protect the
    traffic
  • L2TP with IPSec is a common method

40
Wireless Security Best Practices
  • Public Wireless Access Points
  • All transmissions are unencrypted
  • At the very least, use a firewall
  • Turn off Windows File and Print Sharing
  • Use a VPN solution if connecting to something
    secure

41
Wireless Security Best Practices
  • If a RADIUS server exists, use it
  • For sites without a Remote Authentication Dial-In
    User Service (RADIUS) infrastructure, WPA
    supports the use of a preshared key. For sites
    with a RADIUS infrastructure, Extensible
    Authentication Protocol (EAP) and RADIUS are
    supported.

42
Wireless Security Best Practices
  • Using WPA on Your Wireless Network
  • Wi-Fi Protected Access is a stronger protocol
    that fixes the weaknesses in WEP
  • The encryption key changes with every frame
  • Three critical components needed to upgrade
    wireless security from WEP to WPA
  • access point (AP) or wireless router that
    supports WPA
  • wireless network card that has WPA drivers
    available
  • client that supports WPA and your operating
    system

43
Wireless Security Best Practices
  • Updating the OS to include WPA functionality
  • Microsoft provides a free WPA upgrade, but it
    only works with Windows XP
  • Microsoft Knowledge Base Article 815485
  • If the OS is other than Windows XP, you'll need
    third-party client software
  • MeetingHouse Data Communications
  • http://www.mtghouse.com/products/index.shtml

44
  • Questions?

45
File System Security
  • NTFS vs FAT
  • FAT 16
  • DOS
  • FAT 32
  • Windows 98, ME, 2000, XP
  • NTFS
  • Windows NT, 2000, XP
  • NTFS5
  • Windows 2000, XP

46
File System Security
  • NTFS Security
  • Object ownership
  • Permission inheritance
  • Auditing
  • Encrypting File System (EFS)
  • Sharing and File Permissions
  • Full Control, Change, and Read
  • Is there a difference between Server 2000 and
    2003?
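Object ownership, permission inheritance and the Full Control / Change / Read distinction from this slide, shown over a real directory tree, as an added PowerShell example that is not part of the original deck. The share root is an assumption, and the group names are the English display names (they differ on localized builds).

```powershell
# Added example (not from the slides): walks a directory tree and reports NTFS
# ACEs that grant write-or-better rights to wide groups, together with the owner
# and whether the ACE was inherited (which tells you where to fix it).
$Root        = 'D:\Shares\Finance'   # assumed share root
$WideGroups  = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)
# Anything at or above "Change" in the share-permission sense, plus the rights
# that let a principal rewrite the ACL or take the object over.
$BroadRights = [System.Security.AccessControl.FileSystemRights]'Modify, Write, FullControl, ChangePermissions, TakeOwnership'

function Find-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $wide  = $WideGroups -contains $ace.IdentityReference.Value
            $broad = ($ace.FileSystemRights -band $BroadRights) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $wide -and $broad) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Owner     = $acl.Owner
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-WeakAce -Path $Root | Format-Table -AutoSize
```

An inherited hit means the fix belongs on the parent folder where the ACE was set, not on the file that reported it; a non-inherited hit is an explicit grant someone added on that object. Owners can always rewrite their own ACLs, so an unexpected owner on a sensitive folder is a finding in itself.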

47
Firewall Technology
  • Basically three types of Firewall technology
  • Packet filter
  • Routes traffic based on IP/port
  • Stateful packet inspection
  • Analyzes traffic on top of routing
  • Application proxy
  • Works as a translator
  • Most Firewalls are a combination or hybrid
  • The general role is to block unsolicited traffic

48
Firewall or Perimeter Security
  • Do we need publicly accessible servers?
  • How to protect transports?
  • Remote access
  • VPN
  • Lock down where inbounds are coming from
  • Email
  • An Intrusion Detection System (IDS) is a
    necessity today
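"Lock down where inbounds are coming from" from this slide, as an added PowerShell example that is not part of the original deck. It uses the Windows Firewall cmdlets available on Windows 8 / Server 2012 and later, which is a stateful packet filter in the terms of the previous slide; the rule name and admin subnet are placeholders.

```powershell
# Added example (not from the slides): lists enabled inbound allow rules that accept
# connections from any remote address, then shows the shape of the same kind of rule
# restricted to an admin subnet.
function Get-OpenInboundRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        # RemoteAddress 'Any' means no source restriction at all on this rule.
        if ($addr.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
}

Get-OpenInboundRule | Sort-Object LocalPort | Format-Table -AutoSize

# Corrected shape: a remote-management port reachable only from the admin subnet.
# Shown commented; run from an elevated prompt to create it. 10.0.10.0/24 is a placeholder.
# New-NetFirewallRule -DisplayName 'RDP from admin subnet only' -Direction Inbound `
#     -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.10.0/24 -Action Allow -Profile Domain
```

Public services such as web and mail legitimately appear in the "Any" list; the ones to question are management ports (RDP, WinRM, SMB) and anything the server is not supposed to offer, which ties back to the "kill network services that are not needed" slide.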

49
  • Questions?
  • This presentation can be found online at
  • http://www.kirbykomputing.com/Shared%20Documents/Forms/AllItems.aspx

Brian Kirby, SEDA Council of Governments, bkirby@seda-cog.org, bkirby@kirbykomputing.com