Computer Security for Student-Administered Computers - PowerPoint PPT Presentation

1
Computer Security for Student-Administered Computers
2
Agenda
  • What's the Problem?
  • Security Risk
  • Security Incidents
  • Defenses
  • Vigilance

3
What's the Problem at UW?
  • http://staff.washington.edu/dittrich/talks/security/incidents.html
  • port-scanning: looking for systems to target
  • buffer-overrun attacks: command execution via coding errors
  • open account exploits: logging in through accounts with no or default passwords
  • packet sniffing: to learn login secrets
  • trojan horse attacks: to fool the user into executing an infected program
  • shared/stolen accounts: to log in
  • denial of service attacks: to prevent or hamper use of computers
  • file storage: to pirate software/music/etc.
  • forging email or other electronic messages: to harass/threaten/fool

4
Security Goals
  • Microsoft Prescriptive Guidance: Security Operations Guide for Windows 2000 Server
  • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/windows/windows2000/staysecure/default.asp
  • Get secure
  • Stay secure (over time, amidst changes)

5
Security Risk
  • Managing risk to protected resources
  • Resource: data, applications, servers, etc.
    • what's its value?
  • Threat: something that could access/harm resources
    • natural/physical, unintentional/intentional
  • Vulnerability: point where a resource can be attacked
  • Exploit: use of a vulnerability by a threat
    • could result in loss of confidentiality, integrity or availability
  • Risks need to be ranked: low, medium, high

6
Security Incidents
  • physical: earthquake, water leak, power failure, etc.
  • technical vulnerability exploits: attacks, buffer overflows, ...
  • information gathering exploits: OS identification, wireless leak, social engineering
  • denial of service exploits: resource removal, physical damage, etc.

7
Defenses
  • Data: encryption and backups, antivirus software
  • Application: the developer needs to enforce it
  • Host: limit each server to specific roles
  • Network: blocking and/or encrypting traffic
  • Perimeter: firewalls; authorized PCs are clean before connecting
  • Physical: removable media, locks, redundancy, restricted areas
  • Policies and Procedures: raise awareness and prevent abuse

8
Windows 2000 Defenses
  • Planning
  • Isolation
  • Installation and Upgrades
  • Antivirus software
  • Group Policy/Registry Changes
  • IPSec/Filtering
  • Application Lockdown

9
Windows 2000 Defenses: Planning
  • What kind?
    • server: member or domain controller?
    • workstation?
  • What role?
    • basic? web server? cluster?
  • What's required for other services?
    • need to think about this before installing

10
Windows 2000 Defenses: Isolation
  • On an Internet-connected computer, gather all upgrades and antivirus software
    • http://www.washington.edu/computing/software
    • download Network Associates/McAfee NetShield (server) or McAfee VirusScan (workstation)
    • download upgrades and updates
    • burn on CD
  • Connect the new machine to a hub not connected to the Internet
  • Use static, non-routable (RFC 1918 private) IP addresses, e.g. 10.10.xxx.xxx

11
Windows 2000 Defenses: Installation and Upgrades
  • Install Windows 2000
    • don't do it blindly -- read and think about it
  • Install the latest service pack
  • Install the security patches/hotfixes issued since that service pack
  • Switch to a non-privileged account
    • use RUNAS whenever elevated privileges are needed
  • Watch logs (use Event Viewer)

12
Windows 2000 Defenses: Antivirus
  • Install NetShield
  • Install the latest upgrades/updates (from the CD)
  • don't schedule automatic updates/upgrades yet (the machine is not connected); turn them on once it goes online

13
Windows 2000 Defenses: Group Policy/Registry Changes
  • %SystemRoot%\security\templates
  • Basic
    • basicwk.inf (workstation)
    • basicsv.inf (member server)
    • basicdc.inf (domain controller)
  • Incremental
    • securedc.inf (domain controller)
    • securews.inf (workstations or member servers)
    • IIS Incremental.inf (IIS only)

14
Windows 2000 Defenses: Apply AD Group Policy
  • Active Directory Users and Computers / Domain Controllers / Properties / Group Policy / New
  • type "BaselineDC Policy"
  • press Enter, then right-click on BaselineDC Policy
  • select No Override
  • Edit / Windows Settings (expand) / Security Settings / Import Policy
  • locate template BaselineDC.inf and place its name in the "Import Policy From" box
  • close Group Policy and then click Close
  • replicate to the other domain controllers and reboot

15
Windows 2000 Defenses: Apply Member Group Policy
  • Active Directory Users and Computers / Member Servers / Properties / Group Policy / New
  • type "Baseline Policy"
  • Edit / Windows Settings (expand) / Security Settings / Import Policy
  • locate template Baseline.inf and place its name in the "Import Policy From" box
  • close Group Policy and then click Close
  • repeat the above for the Incremental template files
  • replicate to the other domain controllers and reboot

16
Windows 2000 Defenses: Verify Group Policy
  • Verify with secedit (compare the live configuration with the template)
    • secedit /analyze /db secedit.sdb /cfg xxxxx.inf /log secedit.log
    • look at the log file for every setting marked as mismatched or not configured
  • Test!

17
Windows 2000 Defenses: Registry Changes (in Baseline)
  • TCP/IP stack hardening against SYN floods, ICMP redirects and source routing (all REG_DWORD values)
  • HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
    • EnableICMPRedirect = 0
    • SynAttackProtect = 2
    • DisableIPSourceRouting = 2
    • PerformRouterDiscovery = 0
  • HKLM\System\CurrentControlSet\Services\AFD\Parameters
    • DynamicBacklogGrowthDelta = 10
    • EnableDynamicBacklog = 1
    • MinimumDynamicBacklog = 20
    • MaximumDynamicBacklog = 20000

18
Windows 2000 Defenses: IP Filtering
  • Block all ports not needed for the server's role (TCP/IP Filtering on the adapter, or an IPSec policy)

19
Windows 2000 Defenses: Application Lockdown
  • Read the application's notes on security
  • IIS
    • IIS Incremental.inf
    • follow the guidelines
  • SQL Server
    • change the default system DBA password (the sa login ships without one)
    • protect DBs with access rights/file permissions

20
Linux Defenses
  • Planning
  • Isolation
  • Installation and Upgrades
  • Antivirus software???
  • IP Filtering
  • Application Lockdown

21
Linux Defenses: Planning
  • What kind?
    • workstation?
    • server?
  • What servers?
    • web server? insecure servers?
  • What apps are required?
  • What services are required?

22
Linux Defenses: Isolation
  • On an Internet-connected computer, gather all upgrades
    • burn on CD
  • Connect the new machine to a hub not connected to the Internet
  • Use static, non-routable (RFC 1918 private) IP addresses, e.g. 10.10.xxx.xxx

23
Linux Defenses: Installation and Upgrades
  • Install Linux
    • don't do it blindly -- read and think about it
    • put /tmp, /home and /var/log on separate partitions (a full /tmp or a runaway log then cannot fill /, and /tmp and /home can be mounted nosuid,nodev)
  • Install the latest upgrades
  • Switch to a non-privileged account
    • use su - whenever elevated privileges are needed
  • Watch logs (usually in /var/log)
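As an added example (not from the slides), a small sh script that audits an /etc/fstab for the three separate filesystems recommended above and reports which of nosuid, nodev and noexec each one carries. The fstab it reads is a constructed sample embedded in the script, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the slides: audit a constructed /etc/fstab for
# the separate filesystems the slide asks for.  Splitting /tmp, /home and
# /var/log off the root filesystem stops a runaway log or a user filling
# /tmp from filling /, and lets those filesystems carry nosuid/nodev (and
# often noexec for /tmp) so a dropped binary cannot become a setuid foothold.

# fstab_has_mount FSTAB MOUNTPOINT -> exit 0 if MOUNTPOINT has its own entry
fstab_has_mount() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

# fstab_options FSTAB MOUNTPOINT -> print the options field (empty if absent)
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$1"
}

# has_option OPTIONS NAME -> exit 0 if NAME is in the comma-separated OPTIONS
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_fstab FSTAB -> one line per recommended mount point, naming any
# hardening options it carries; exit 1 if a recommended filesystem is missing.
audit_fstab() {
    fstab=$1; rc=0
    for mp in /tmp /home /var/log; do
        if fstab_has_mount "$fstab" "$mp"; then
            opts=$(fstab_options "$fstab" "$mp")
            flags=""
            for o in nosuid nodev noexec; do
                has_option "$opts" "$o" && flags="$flags $o"
            done
            echo "$mp: OK, separate filesystem, options:${flags:- none of nosuid/nodev/noexec}"
        else
            echo "$mp: MISSING, still on the root filesystem"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample fstab (not from a real host): /home and /tmp are split
# out, /var/log was forgotten, so the audit should flag it.
SAMPLE_FSTAB=${TMPDIR:-/tmp}/fstab-demo.$$
cat > "$SAMPLE_FSTAB" <<'EOF'
# device    mountpoint  type  options                       dump pass
/dev/hda1   /           ext2  defaults                      1    1
/dev/hda2   /home       ext2  defaults,nosuid,nodev         1    2
/dev/hda3   /tmp        ext2  defaults,nosuid,nodev,noexec  1    2
/dev/hda4   swap        swap  defaults                      0    0
none        /proc       proc  defaults                      0    0
EOF

audit_fstab "$SAMPLE_FSTAB" || echo "fstab audit: at least one recommended filesystem is missing"
rm -f "$SAMPLE_FSTAB"
```

Run it against the real file with `audit_fstab /etc/fstab` after the install; a non-zero exit means one of the three mount points is still on the root filesystem.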

24
Linux Defenses: IP Filtering
  • tcp wrappers (host access control for wrapped and xinetd-started services only; it is not a packet filter, so pair it with ipchains/iptables)
    • /etc/hosts.deny
      ALL: ALL
    • /etc/hosts.allow
      ALL: 10. LOCAL
      sshd: ALL
  • /etc/xinetd.d
    • disable = yes for undesired services
    • killall -USR2 xinetd (hard reconfiguration: re-reads the config and drops the now-disabled services)
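To see what the rule set above actually permits, here is an added example (not from the slides) that models tcpd's decision order in plain sh: /etc/hosts.allow is consulted first, then /etc/hosts.deny, and a client that matches neither is allowed. The matcher is a deliberate subset of hosts_access(5) (ALL, LOCAL, a dotted prefix such as 10., and exact names); the files are constructed copies of the slide's rules written to a scratch directory, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): a simplified model of how tcpd /
# libwrap evaluates /etc/hosts.allow and /etc/hosts.deny, used to check
# what the slide's rule set actually permits.  Supported client patterns:
# ALL, LOCAL (a hostname without a dot), a dotted prefix such as "10.",
# and an exact host or address.  Real tcp_wrappers also handles netmasks,
# ".domain" suffixes, EXCEPT and more; see hosts_access(5).

# match_pattern PATTERN CLIENT -> exit 0 if CLIENT matches PATTERN
match_pattern() {
    pat=$1; client=$2
    case $pat in
        ALL)   return 0 ;;
        LOCAL) case $client in *.*) return 1 ;; *) return 0 ;; esac ;;
        *.)    case $client in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$pat" = "$client" ] ;;
    esac
}

# file_matches FILE DAEMON CLIENT -> exit 0 if some "daemon_list : client_list"
# line in FILE matches both the daemon and the client.
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    sed 's/#.*//' "$file" | while IFS= read -r line; do
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        dmatch=1
        for d in $dlist; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] && dmatch=0
        done
        [ $dmatch -eq 0 ] || continue
        for c in $clist; do
            match_pattern "$c" "$client" && echo matched
        done
    done | grep -q matched
}

# tcpd_decide DIR DAEMON CLIENT -> print ALLOW or DENY following tcpd's
# order: hosts.allow first, then hosts.deny, otherwise allow.
tcpd_decide() {
    dir=$1; daemon=$2; client=$3
    if file_matches "$dir/hosts.allow" "$daemon" "$client"; then
        echo ALLOW
    elif file_matches "$dir/hosts.deny" "$daemon" "$client"; then
        echo DENY
    else
        echo ALLOW
    fi
}

# Constructed copies of the slide's two files in a scratch directory.
setup_slide_rules() {
    dir=$1
    mkdir -p "$dir"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf 'ALL: 10. LOCAL\nsshd: ALL\n' > "$dir/hosts.allow"
}

WRAP_DIR=${TMPDIR:-/tmp}/tcpd-demo.$$
setup_slide_rules "$WRAP_DIR"
for probe in "sshd 192.0.2.7" "in.telnetd 192.0.2.7" \
             "in.telnetd 10.10.3.4" "in.ftpd workstation7"; do
    set -- $probe
    echo "$1 from $2: $(tcpd_decide "$WRAP_DIR" "$1" "$2")"
done
rm -rf "$WRAP_DIR"
```

The run shows the consequence of the slide's `sshd: ALL` line: ssh is reachable from any address, while every other wrapped service answers only the 10. network and unqualified local hostnames. Note that a service that is neither linked against libwrap nor started through xinetd never consults these files at all.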

25
Linux Defenses: Apache Lockdown
  • Apache -- start by restricting everything (Apache 1.3/2.2 syntax; 2.4 spells the last two lines "Require all denied"):
    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
  • then allow access per specific directory
  • disable CGI and server-side includes (leave ExecCGI and Includes out of Options)

26
Linux Defenses: FTP Lockdown
  • should not use -- sends passwords in plain text
  • use ssh/scp/sftp instead
  • if it must run:
    • /etc/ftpusers is a deny list (ftpusers(5)): it must include root and the other privileged accounts
    • disallow anonymous FTP
    • in /etc/ftpaccess the class line should read: class all real * (drop guest and anonymous from the default type list)
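An added example (not from the slides) for the two FTP points above, written as sh and awk: one function lists privileged accounts that are missing from the /etc/ftpusers deny list, the other lists ftpaccess classes that still admit guest or anonymous users. The passwd, ftpusers and ftpaccess contents are constructed samples; the 100 UID cut-off for system accounts and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: two checks for a wu-ftpd style setup.
# 1. /etc/ftpusers is a DENY list (see ftpusers(5)): every name in it is
#    refused FTP login, so root and the other system accounts must appear
#    in it.  ftp_unlisted prints the privileged accounts that are missing.
# 2. The "class" lines in /etc/ftpaccess decide who may log in at all;
#    ftpaccess_anon_classes prints any class that still admits guest or
#    anonymous users.
# Both run on constructed files.  The UID cut-off for "system account"
# (100 here) is an assumption; use your distribution's range.

# ftp_unlisted PASSWD FTPUSERS MAXUID -> print each account with uid 0 or
# uid < MAXUID that is not in FTPUSERS; exit 1 if any were printed.
ftp_unlisted() {
    awk -F: -v max="$3" -v deny="$2" '
        BEGIN {
            while ((getline l < deny) > 0) {
                sub(/#.*/, "", l); gsub(/[ \t]/, "", l)
                if (l != "") denied[l] = 1
            }
        }
        $3 == 0 || $3 < max { if (!($1 in denied)) { print $1; bad = 1 } }
        END { exit bad ? 1 : 0 }' "$1"
}

# ftpaccess_anon_classes FTPACCESS -> print the name of every class whose
# type list still contains guest or anonymous; exit 1 if any were printed.
ftpaccess_anon_classes() {
    awk '$1 == "class" && $3 ~ /(^|,)(guest|anonymous)(,|$)/ { print $2; bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample files (not from a real host).
DEMO=${TMPDIR:-/tmp}/ftp-demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
# Deny list with "operator" left out on purpose so the check has something
# to report.  The ftp account is listed too; whether that alone blocks
# anonymous login depends on the daemon, so check its man page.
cat > "$DEMO/ftpusers" <<'EOF'
root
bin
daemon
ftp
nobody
EOF
# Default-style class line (admits anonymous) next to the hardened one.
cat > "$DEMO/ftpaccess.default" <<'EOF'
class   all   real,guest,anonymous   *
EOF
cat > "$DEMO/ftpaccess.hardened" <<'EOF'
class   all   real   *
EOF

echo "privileged accounts missing from ftpusers:"
ftp_unlisted "$DEMO/passwd" "$DEMO/ftpusers" 100 || true
echo "classes still admitting guest/anonymous (default ftpaccess):"
ftpaccess_anon_classes "$DEMO/ftpaccess.default" || true
echo "classes still admitting guest/anonymous (hardened ftpaccess):"
ftpaccess_anon_classes "$DEMO/ftpaccess.hardened" && echo "(none)"
rm -rf "$DEMO"
```

On a real host run `ftp_unlisted /etc/passwd /etc/ftpusers 100` and `ftpaccess_anon_classes /etc/ftpaccess`; both exit non-zero when there is something to fix, so they drop straight into a cron job or a post-install script.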

27
References
  • http://www.washington.edu/computing/security
  • Microsoft Baseline Security Analyzer
    • for Windows 2000/XP
    • requires Internet access to run
    • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp
  • SANS Institute Bookstore (Windows 2000, Linux)
    • SANS: System Administration, Networking and Security
    • https://www.washington.edu/computing/software/sitelicenses/sans/sw/access.html