Computer Security Workshops - PowerPoint PPT Presentation

Slides: 12
Provided by: clicsC
Transcript and Presenter's Notes

1
Computer Security Workshops
  • Module 5 - System Hardening

2
System Hardening
  • How do we respond to problems? (E.g. operating
    system deadlock)
  • Detect
  • (Detect and) Terminate
  • Prevent
  • Security Analogy
  • Better to prevent than try to clean up

3
System Hardening - Goals
  • Prevent intrusion on a particular system
  • Note: the idea can (and should) be applied to the
    network as well
  • Two main approaches
  • 1) Develop and ship in hardened state
  • 2) Harden after setup

4
Security Certification Levels
  • Department of Defense, Trusted Computer System
    Evaluation Criteria (TCSEC)
  • Orange book: systems; Red book: networks
  • Levels
  • Class D (minimal protection)
  • Class C1 (discretionary security protection)
  • Class C2 (controlled access protection)
  • Class B1 (labeled security protection)
  • Class B2 (structured protection)
  • Class B3 (security domains)
  • Class A1 (verified design)
  • Now largely replaced by Common Criteria for
    Information Technology Security

5
1) Hardening Before Shipping
  • System architecture should be designed to prevent
    attacks/intrusion
  • Configured for high security as default
  • System programmed defensively
  • assume any user could be unfriendly
  • System is audited for security problems
  • System built to contain known problems
  • Examples: Operating System Level
  • OpenBSD ( http://www.openbsd.org )
  • SELinux ( http://www.nsa.gov/selinux )

6
2) Hardening After Delivery
  • Techniques
  • Configuration
  • Changing system configuration to deal with
    security issues
  • Wrappers
  • Proxy programs that are run in place of actual
    program, check for certain problems before
    calling original program (which is moved to a
    non-public directory)
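
The wrapper technique described on this slide, as an added shell example that is not part of the original presentation. The paths in REAL_DIR and WRAP_LOG, the MAX_ARG_LEN limit, the argument allow-list and the function names are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): a wrapper installed under the name of
# the program it protects. The original binary is assumed to have been moved
# to REAL_DIR, a directory ordinary users cannot reach.
REAL_DIR="${REAL_DIR:-/usr/local/libexec/wrapped}"  # hypothetical path
WRAP_LOG="${WRAP_LOG:-/var/log/wrapper.log}"        # hypothetical path
MAX_ARG_LEN=256                                     # assumed limit

# Append one audit line per request: time, calling user, program, decision.
log_req() {
    printf '%s user=%s prog=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$1" "$2" >> "$WRAP_LOG"
}

# Return 0 if one argument is acceptable, 1 otherwise.
arg_ok() {
    [ "${#1}" -le "$MAX_ARG_LEN" ] || return 1      # over-long argument
    case "$1" in
        *[!A-Za-z0-9_./:@=+,-]*) return 1 ;;        # character outside allow-list
        *..*) return 1 ;;                           # possible path traversal
    esac
    return 0
}

# Check the request, log the decision, then call the original program.
# Returns 126 if the target is missing, 125 if an argument is rejected.
run_wrapped() {
    prog=$1; shift
    case "$prog" in ''|*/*) log_req "$prog" "DENY bad-name"; return 126 ;; esac
    real="$REAL_DIR/$prog"
    if [ ! -f "$real" ] || [ ! -x "$real" ]; then
        log_req "$prog" "DENY missing-target"; return 126
    fi
    for a in "$@"; do
        arg_ok "$a" || { log_req "$prog" "DENY bad-argument"; return 125; }
    done
    log_req "$prog" "ALLOW"
    "$real" "$@"
}

# Last line of an installed wrapper script would be:
#   run_wrapped "$(basename "$0")" "$@"
```

Every request, allowed or denied, leaves one line in the log, so the wrapper also serves as an audit point for the wrapped program.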

7
Wrapper Example
  • TCP Wrappers (Linux)
  • Monitors and filters incoming requests for the
    SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC,
    TFTP, TALK, and other network services
  • Provides tiny daemon wrapper programs that can be
    installed without any changes to existing
    software or to existing configuration files
  • The wrappers report the name of the client host
    and of the requested service
  • Imposes no overhead on the actual conversation
    between the client and server applications

8
System Hardening Tools - Linux
  • Example: Bastille
  • http://www.bastille-linux.org
  • Script to help automate security changes in a
    number of areas (file transfer, mail, general
    configuration)
  • Certain actions still have to be done manually
  • Be careful not to turn off needed services
    accidentally
  • E.g. Don't disallow root access at console unless
    you have other accounts you can use to gain
    superuser status
  • There is a RevertBastille application

9
System Hardening Tools (Windows)
  • Microsoft Baseline Security Analyzer
  • More accurately a vulnerability analysis tool
  • But its notes contain links or information that
    are very useful in system hardening
  • Start/Programs/Microsoft Baseline Security
    Analyzer 2.1

10
Port/Service Closure - Linux
  • GUI Interface Utilities
  • Ubuntu: System / Administration / Services
  • Need to unlock, provide password
  • Remove services through checkboxes
  • Manually
  • Main script directory: /etc/init.d
  • Directory hierarchy for different run levels:
    /etc/rcX.d (X = 0 through 6)

11
Port/Service Closure - Windows
  • Add and remove services
  • Start/Programs/Administrative Tools/Services
  • See processes currently running
  • Task Manager (ctrl-alt-del), Processes tab