Host Security - PowerPoint PPT Presentation

Slides: 64
Provided by: securityH

Transcript and Presenter's Notes


1
  • Host Security
  • Workshop
  • Avi Baumstein
  • avi@ufl.edu
  • January 2006

2
Last Line of Defense
3
SPICE Policy
  • Not much
  • User access control (passwords)
  • Malware control
  • Some software guidance
  • Physical security
  • UF Node Security standard
  • Mostly have to rely on system administration best
    practices

4
Physical Security
  • Server rooms
  • Dedicated space
  • Locks (auditable, changeable)
  • Environmental control/fire suppression/UPS
  • Log and escort visitors
  • No exterior signage
  • Log repairs to security components
  • Backup/contingency plans

5
Best Practices
  • Build script
  • Imaging
  • Login banners
  • Patching/Updates
  • Limit user privs
  • Host firewall
  • Logging
  • Testing/Verification

6
Build Script
  • Step-by-step to ensure consistency
  • Can be automated or checklist
  • Allows less experienced staff to prepare builds
  • Ensure everything ready before imaging...
  • See sample from IT Center

7
Imaging
  • Consistency
  • Speed
  • Easy to recover after compromise
  • Systems are secured as soon as they are brought up
    (if the original image was)

8
Login Banners
  • Recommended text from DOJ and approved by UF
    General Counsel
  • Displayed prior to login or access

9
Login Banners
  • Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
  • LegalNoticeCaption "WARNING!"
  • LegalNoticeText "This system is for the use..."
  • /etc/issue
  • /etc/motd

10
Patching/Updates
  • Use automatic process, sneakernet no longer good
    enough
  • Be prepared for quick rollout of patches or
    workarounds
  • Be able to push updates
  • Be able to monitor, log hosts to verify compliance

11
Limit User Privs
  • Many exploits run with user privs, so the less
    the user can do, the less the attacker can
  • Limit user's ability to defeat security controls
  • Bonus: the less a user can break, the fewer helpdesk
    calls

12
Host Firewall
  • Probably your best defence against common
    attacks!
  • Build a matrix to decide what ports to
    block/allow
  • Only allow ports you need

13
Firewall host/port Matrix
14
Logging
  • Should be logging on all hosts, not just servers
  • Standard TS0001
  • Logs should be reviewed; documentation of the review
    is kept for 6 years
  • Store logs at least one year
  • Please do real-time monitoring
  • See IR Workshop for more info

15
Logging
  • Items to log
  • successful and failed logins
  • logoffs
  • privilege escalations
  • security events (user creations, password
    changes, etc)
  • Optional, depending on need
  • File/record access
  • Application usage

16
Testing/Verification
  • Check that security measures are really in place
  • Check that all steps have been followed
  • Check for changes in a system
  • Objective measure of security for comparison
    purposes

17
Testing
  • Vulnerability scans
  • Test from an external perspective
  • Gives a good idea of what an attacker will see
  • Can only look for known weaknesses
  • We can run scans for you

18
Verification
  • Test against a known policy set
  • Looks for omissions in configuration
  • Verify patch compliance
  • Provides a benchmark to measure against
  • Monitor for changes
  • www.cisecurity.com

19
CISecurity Benchmarks
  • Benchmarks for most platforms
  • Host based tool
  • Provides a numeric compliance score, useful for
    time series comparisons
  • Score based on the policy template
  • Can be automated (cis-scan)
  • Provides good descriptions and remedies for
    problems found

20
CIS-NG
21
Vendor Managed Hosts
  • Discuss security BEFORE purchase
  • Plan a security strategy
  • Benchmarking
  • Standards
  • Firewall
  • VPN access
  • Patches/updates
  • Periodic re-assessments
  • Document in contract, signed agreement
  • http://www.it.ufl.edu/policies/security/business-assoc-agreement.html

22
Windows Best Practices
  • Don't install on the network
  • Security policy template
  • Firewall
  • Disable unneeded services
  • Secure Apps
  • Patching
  • Baseline

23
Don't install on the network
  • Install from a slipstreamed CD
  • Install behind a firewall (e.g. a Linksys
    NAT router)
  • Install from original CD, config TCP/IP
    filtering, then connect to network for update
  • See next few slides

24
TCP/IP Filtering for Installation
  • Properties on the NIC
  • select 'Internet Protocol(TCP/IP)'
  • Properties button
  • Advanced button
  • Options tab
  • TCP/IP filtering
  • Properties button

25
TCP/IP Filtering for Installation
  • Permit Only for TCP and UDP
  • Allow Ports 80, 443, and 53
  • Just enough to connect to Windows Update
  • Don't forget to disable TCP/IP Filtering after
    updates are successfully installed

26
Security Policy Template
  • Administrative Tools - Local Security Policy
  • mmc.exe, Add/Remove Snapins, Security Templates
  • Apply on WS, with AD GPO, or ZEN GPO

27
Firewall with Windows tools
  • Firewall tools depend on the OS
  • Win2k: IP Security Filters
  • WinXPsp2: Windows Firewall
  • W2k3: Security Configuration Wizard
  • All allow for blocking traffic by
  • port
  • source/dest ip range

28
W2k IP Security Filters
  • Simple Port/Address filters
  • Not very granular (e.g. can't filter on ICMP type
    codes)
  • Connectionless
  • No automatic handling of reverse connections
  • No logging of block/deny decisions
  • Use WRK ipsecpol.exe to apply to multiple
    computers

29
IP Security Filters Howto
  • Local Security Settings
  • Right click on IP Security Policies, then
    'create'
  • Default response rule, then finish edit
  • Create block all traffic
  • Create allow rule per protocol
  • Create filter action per host/subnet for each
    protocol

30
W2k IP Filters
  • Right click on IP Security Policies on Local
    Machine, choose 'create'

31
W2k IP Filters
  • Name policy
  • Choose all network connections
  • Default authentication method
  • Finish Edit

32
W2k IP Filters
  • First rule should block all
  • Click 'Add' to run wizard
  • 'This rule does not specify a tunnel'
  • Select 'All network connections'
  • Default authentication method

33
W2k IP Filter
  • Source address 'any'
  • Dest address 'My IP address'
  • Select protocol (TCP)

34
W2k IP Filter
  • Select ports
  • Enter description

35
W2k IP Filter
  • Review rule

36
W2k IP Filter
  • Pick filter from list
  • Choose action

37
XPsp2 Firewall GUI Config
38
XPsp2 Firewall Config Port
39
XPsp2 Firewall Config Scope
40
XPsp2 Firewall config via reg
  • Build config with GUI, then grab reg entries
  • Example
  • 137:TCP:159.178.78.0/255.255.254.0:Enabled:tcp137
  • See sample firewall.reg
  • Distribute via GPO, ZEN, etc

41
W2k3 security config wizard
  • Included w/ SP1, but not installed
  • Add/Remove programs
  • Configure security by role of server (i.e. Web
    server, file server)
  • Create firewall ruleset
  • Creates XML files that can be moved to other
    servers

42
Disable Unneeded services
  • A list of possible services to disable (from
    Black Viper, http://web.archive.org/web//http://www.blackviper.com)
  • Computer Browser
  • Distributed Link Tracking Client
  • Error Reporting Service
  • Indexing Service
  • Logical Disk Manager
  • NetMeeting Remote Desktop Sharing
  • Network Location Awareness

43
Disable Unneeded Services
  • Portable Media Serial Number Service
  • QoS RSVP
  • Remote Desktop Help Session Manager
  • Remote Registry Service
  • Server
  • System Restore Service
  • TCP/IP NetBios Helper
  • WebClient
  • Wireless Zero Configuration

44
Don't forget apps
  • IIS
  • IIS Lockdown tool (Microsoft.com)
  • SQL/MSDE
  • Change default passwords
  • SQL Server 2000 security checklist
  • http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx

45
Patching
  • WSUS, Shavlik, Update Expert, Patchlink,
    whatever...
  • If you don't already have your own, just use IT
    Center's WSUS
  • They manage it, approve updates
  • Good per-dept reporting
  • Contact rdeason@ufl.edu

46
MBSA
  • Should be run periodically on every system
  • Can be run on multiple machines:
  • a Windows domain or workgroup
  • an IP address range
  • CLI version from a script

47
MBSA
  • Checks for
  • Missing or partial updates
  • User accounts (admins, passwords, guest, etc)
  • Firewall enabled
  • Shares, services
  • IIS, SQL, IE Zones, Office

48
MBSA
49
CISecurity Baseline
  • CIS NG Scoring Tool handles W2k, XP, and W2k3
  • Several templates for various needs
  • Provides a numeric compliance score, useful for
    time series comparisons
  • Doesn't run MBSA anymore, asks you!
  • Provides good descriptions and remedies for
    problems found

50
Unix/Linux Best Practices
  • Remove unneeded services
  • Disable/delete unused accounts
  • Patching
  • Firewall
  • Pay attention to apps (sendmail, apache, mysql,
    etc)
  • Baseline

51
Remove unneeded services
  • Uninstall software you don't need
  • RH/Fedora:
  • chkconfig --list | grep on
  • chkconfig nfs off
  • /etc/init.d/nfs stop
  • chkconfig --list xinetd
  • netstat -tulp

52
Unused Accounts
  • Lots of special service accounts (uucp, apache,
    postgres, named, squid..)
  • Do a find to see if any files are owned by system
    accounts; delete the accounts that don't own files
  • Make sure system accounts don't have a usable
    shell
  • Make sure all accounts have an x in the password
    field in /etc/passwd
  • Make passwords for system accounts start with !
    or * in /etc/shadow

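As an added example (not from the deck), an audit of the three account checks on this slide run over constructed /etc/passwd and /etc/shadow lines; the UID cut-off for "system account" and the list of no-login shells are assumptions, and the hashes are placeholders.

```python
# Added example, not from the deck: check system accounts for a usable shell, a non-'x'
# password field in /etc/passwd, and an unlocked or empty password hash in /etc/shadow.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 499   # assumption: RH/Fedora of the era reserved UIDs below 500 for system accounts

def parse_colon_file(text):
    """Map the first field (username) of each non-comment line to its field list."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows

def audit_accounts(passwd_text, shadow_text):
    """Return a list of (user, finding) tuples; an empty list means the checks all pass."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, f in passwd.items():
        pw_field, uid, shell = f[1], int(f[2]), f[6]
        is_system = user != "root" and uid <= SYSTEM_UID_MAX
        if pw_field != "x":
            findings.append((user, "password field in /etc/passwd is not 'x'"))
        if is_system and shell not in NOLOGIN_SHELLS:
            findings.append((user, f"system account has usable shell {shell}"))
        entry = shadow.get(user)
        if entry is None:
            findings.append((user, "no /etc/shadow entry"))
            continue
        hash_field = entry[1]
        if hash_field == "":
            findings.append((user, "empty password in /etc/shadow"))
        elif is_system and not hash_field.startswith(("!", "*")):
            findings.append((user, "system account password not locked with ! or *"))
    return findings

# Constructed sample input: uucp is clean, apache has a shell, squid is unlocked, avi is empty.
PASSWD = """root:x:0:0:root:/root:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/bash
squid:*:23:23::/var/spool/squid:/sbin/nologin
avi:x:500:500:Avi:/home/avi:/bin/bash"""
SHADOW = """root:$1$placeholderhash$:13100:0:99999:7:::
uucp:*:13100:0:99999:7:::
apache:!!:13100:0:99999:7:::
squid:$1$placeholderhash$:13100:0:99999:7:::
avi::13100:0:99999:7:::"""
```

The file-ownership check from the first bullet is the one step not covered here; it is a `find / -user NAME` per candidate account before deletion.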
53
Patching
  • Install apps from your distro, they'll get
    patched automatically
  • Configure to patch automatically
  • Fedora: /etc/init.d/yum start
  • RHEL: Red Hat Network
  • SuSE: configure in YaST
  • Don't forget to update Tripwire

54
Firewall
  • Many distros have a built-in front-end
  • All use iptables
  • Can standardize firewall using a set iptables
    config
  • See iptables script from IT Center

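Slide 12 says to build a host/port matrix and slide 54 says to standardize on one iptables config. As an added example (not the IT Center's iptables script), this turns such a matrix into a default-deny INPUT chain, flags services exposed to every source, and logs what the default policy drops; the subnets and services in the matrix are constructed.

```python
# Added example, not the IT Center script: generate a default-deny iptables INPUT chain
# from a host/port matrix. The matrix entries below are constructed, not real hosts.
import ipaddress

# (service, protocol, port, allowed source); 0.0.0.0/0 means any source
MATRIX = [
    ("ssh",   "tcp", 22,  "10.0.0.0/24"),   # constructed admin subnet
    ("http",  "tcp", 80,  "0.0.0.0/0"),
    ("https", "tcp", 443, "0.0.0.0/0"),
    ("dns",   "udp", 53,  "10.0.0.0/16"),
]

def world_open(matrix):
    """Services the matrix exposes to every source address; each should be a deliberate choice."""
    return [name for name, _, _, src in matrix
            if ipaddress.ip_network(src, strict=False).prefixlen == 0]

def iptables_rules(matrix, log_drops=True):
    """Return the iptables commands for the matrix as a list of shell lines."""
    rules = [
        "iptables -F INPUT",
        "iptables -P INPUT DROP",  # default deny: only matrix entries are reachable
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    seen = set()
    for name, proto, port, src in matrix:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{name}: protocol must be tcp or udp, got {proto!r}")
        if not 1 <= port <= 65535:
            raise ValueError(f"{name}: port {port} out of range")
        net = ipaddress.ip_network(src, strict=False)   # raises ValueError on garbage
        if (proto, port, str(net)) in seen:
            raise ValueError(f"{name}: duplicate entry for {proto}/{port} from {net}")
        seen.add((proto, port, str(net)))
        rules.append(f"iptables -A INPUT -p {proto} -s {net} --dport {port} "
                     f'-m comment --comment "{name}" -j ACCEPT')
    if log_drops:
        # Slide 14 asks for logging on every host: record what the default policy drops.
        rules.append('iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "')
    return rules

def as_script(matrix):
    """Wrap the rules in a shell script suitable for distributing to all hosts."""
    return "#!/bin/sh\nset -e\n" + "\n".join(iptables_rules(matrix)) + "\n"
```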
55
Pay Attention to Apps
  • Easy to forget about, since they come with the
    system
  • Each requires some configuration
  • Default accounts, passwords (mysql, postgres,
    wiki, etc)
  • Even 'safe' apps can be a danger
  • Protect with a firewall

56
Baseline
  • Nessus
  • Nmap
  • CISecurity benchmark
  • Tripwire

57
NetWare Best Practices
  • Apps
  • Apache
  • MySQL
  • PHP
  • Backup
  • Patching
  • Don't use rconsole (prefer sshd)
  • Firewall (filtcfg)

58
Vendor Managed Hosts
  • Discuss security BEFORE purchase
  • Plan a security strategy
  • Benchmarking
  • Standards
  • Firewall/IP Filter
  • VPN access
  • Patches/updates
  • Periodic re-assessments
  • Document all this with vendor

59
Training
  • SANS SEC 505 Securing Windows
  • SANS-EDU is cheapest option
  • Watch Unisog for classes
  • http://www.educause.edu/EventsCalendar/1011
  • New Horizons
  • Netg (http://netg.ufl.edu)

60
Resources
  • security.health.ufl.edu/training/
  • sample windows build/image steps
  • firewall.reg and wsus.reg
  • iptables config
  • Login banner legal text
  • Server room visitor log

61
Links
  • Microsoft IT Pro Security Community
  • http://www.microsoft.com/technet/security/en-us/community/security/default.mspx
  • Microsoft Security Bulletin notifications
  • http://www.microsoft.com/technet/security/bulletin/notify.mspx
  • Using a least-privileged account
  • http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

62
Links
  • Windows 2000 IP Security Filters
  • http://online.securityfocus.com/infocus/1559
  • http://online.securityfocus.com/infocus/1566
  • Windows non-admin blog
  • http://blogs.msdn.com/aaron_margosis/

63
Links
  • Securing and hardening Linux
  • http://www.puschitz.com/SecuringLinux.shtml
  • Netfilter, home of IPTables (see Documentation)
  • http://www.netfilter.org
  • IPFilter (for Solaris, BSD, IRIX, HPUX, etc)
  • http://coombs.anu.edu.au/avalon/ip-filter.html
  • SELinux
  • http://selinux.sourceforge.net
  • AppArmor
  • http://www.opensuse.org/AppArmor