Transcript: Security Baselines
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition
Chapter 14: Baselines
© 2010
Objectives
• Harden operating systems and network operating systems.
• Harden applications.
• Establish group policies.
Key Terms
• Application hardening
• Baseline
• Baselining
• Firmware update
• Globally unique identifier (GUID)
• Group policy
• Group policy object (GPO)
• Hardening
• Hotfix
• Network operating system (NOS)
Key Terms (continued)
• Operating system (OS)
• Patch
• Patch management
• Pluggable Authentication Modules (PAM)
• Process identifier (PID)
• Run levels
• Security template
• Service pack
• Shadow file
• TCP wrappers
Overview of Baselines
• The process of establishing a system’s security state is called baselining.
• The resulting product is a security baseline that allows the system to run safely and securely.
• Once the process has been completed, any similar systems can be configured with the same baseline to achieve the same level of security and protection. Uniform baselines are critical in large-scale operations.
Password Selection
• The heart of the problem is that most systems today are protected only by a simple user ID and password. Selecting a good password for all user accounts is critical to protecting information systems.
• This is especially true for servers.
– Compromise of a server can mean access to multiple user passwords.
Operating System and Network Operating System Hardening
• Common hardening tasks:
– Disabling unnecessary services
– Restricting permissions on files and directories
– Removing unnecessary software
– Applying patches
– Removing unnecessary users
– Applying password guidelines
Hardening Windows Server 2003
• IIS 6 isolates individual web applications.
• 19 services that ran by default under Windows 2000 are disabled by default under Server 2003.
• Two new service accounts with lower privilege levels were introduced.
• Security Configuration Wizard (SCW).
• Software Restriction Policy (SRP).
• Enhanced audit capabilities were provided.
• Network Access Quarantine Control was introduced.
Hardening Windows Vista
• User Account Control runs users, including administrators, with standard privileges and prompts for elevation only when a task requires administrative rights.
• An outbound filtering capability was added to Windows Firewall.
• BitLocker allows encryption of entire volumes (on Vista the operating system volume, with data volumes supported from Vista SP1).
• Vista clients work with Network Access Protection (NAP).
• Windows Defender is a built-in malware detection and removal tool.
• A new, more secure version of Internet Explorer.
Vista’s User Account Control in Action
Hardening Windows Server 2008
• BitLocker allows encryption of all data on the server, including data volumes.
• Role-based installation of functions and capabilities minimizes the server footprint.
• Network Access Protection (NAP).
• Read-only domain controllers.
• More granular (fine-grained) password policies.
• IIS 7 administration of web sites and web applications.
Windows 2008 Initial Configuration Tasks
Hardening UNIX- or Linux-based Operating Systems
• General UNIX hardening follows the same steps as hardening a Windows OS:
– Disable unnecessary services
– Restrict permissions on files and directories
– Remove unnecessary software
– Apply patches
– etc.
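The checklist above is easier to apply when you can audit a host for the conditions it is meant to remove. The script below is an added example, not code from the book: it reports world-writable files and directories, set-UID/set-GID executables, and weak entries in passwd/shadow (a second UID 0 account, a hash left in the world-readable passwd file, an empty password in shadow). The directory tree and the account files it inspects are constructed in a temporary directory so it runs offline; on a real host you would point the functions at / and /etc.

```shell
#!/bin/sh
# Added example (not from the book): audit a filesystem tree and a passwd/shadow
# pair for the conditions the hardening checklist is meant to remove. The tree and
# account files are constructed below so the script runs offline.

# Files anyone can modify, and directories anyone can write to that lack the
# sticky bit (without the sticky bit any user can delete or rename other users'
# files in the directory).
find_world_writable() {
    find "$1" \( -type f -perm -0002 \) -o \( -type d -perm -0002 ! -perm -1000 \)
}

# Set-UID / set-GID executables: each one is a privilege boundary to justify or remove.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# audit_accounts PASSWD SHADOW. Findings:
#   EMPTY_PASSWORD  shadow entry whose hash field is empty (login with no password)
#   UID0            an account other than root with UID 0 (a second superuser)
#   HASH_IN_PASSWD  a hash kept in the world-readable passwd file instead of shadow
audit_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { if ($2 == "") print "EMPTY_PASSWORD " $1; next }   # shadow
        $3 == 0 && $1 != "root" { print "UID0 " $1 }                               # passwd
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print "HASH_IN_PASSWD " $1 }
    ' "$2" "$1"
}

# Constructed sample under $1: one world-writable file, one world-writable
# directory, a sticky /tmp that must not be flagged, one set-UID binary, and
# account files containing one instance of each weakness.
make_demo() {
    local root=$1/fs
    mkdir -p "$root/etc" "$root/usr/bin" "$root/var/uploads" "$root/tmp"
    : > "$root/etc/motd";     chmod 666 "$root/etc/motd"        # world-writable file
    : > "$root/usr/bin/tool"; chmod 4755 "$root/usr/bin/tool"   # set-UID binary
    chmod 777 "$root/var/uploads"                               # world-writable, no sticky bit
    chmod 1777 "$root/tmp"                                      # world-writable but sticky: fine
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
legacy:$1$saltsalt$FakeHashFromOldPasswdFile:1001:1001::/home/legacy:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$FakeHashForRoot:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
toor:$6$saltsalt$FakeHashForToor:15000:0:99999:7:::
guest::15000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
echo "== world-writable ==";  find_world_writable "$demo_dir/fs"
echo "== set-UID/set-GID =="; find_setid "$demo_dir/fs"
echo "== accounts ==";        audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

The sticky /tmp is deliberately present and not reported: world-writable is only a finding when the sticky bit is missing. Pair this with a listing of listening services (ps and the service configuration utility shown on the next slides) to cover the "disable unnecessary services" item, which cannot be judged from the filesystem alone.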
Hardening UNIX- or Linux-based Operating Systems (continued)
• ps command run on a Fedora 10 system
Hardening UNIX- or Linux-based Operating Systems (continued)
• Service configuration utility from a Fedora 10 system
Hardening Solaris
• Define the system’s purpose.
• Install the operating system.
• Install the software.
– pkgadd
– pkgrm
• Patch the system.
– patchadd
– patchrm
– smpatch
– pkgparam
Solaris Product Registry Tool
Sun Update Manager
Solaris Management Console
Hardening Solaris (continued)
• TCP wrappers are filters that compare incoming connection requests against lists of authorized and unauthorized hosts before the request reaches the service.
• Controlled by two files:
– hosts.allow
– hosts.deny
• The files are consulted in a fixed order: hosts.allow is checked first and grants access on a match; hosts.deny is checked next and refuses access on a match; a request that matches neither file is allowed. A deny-by-default policy therefore needs an explicit ALL: ALL line in hosts.deny.
• Other commands:
– chmod, chown, chgrp, useradd, passwd
• Pluggable Authentication Modules (PAM).
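Because the allow-then-deny order is where most TCP wrappers mistakes are made, it helps to see the decision reproduced. The script below is an added example, not tcpd and not code from the book: it evaluates a (daemon, client) pair against a constructed hosts.allow and hosts.deny using the same order tcpd uses. It supports only the subset most sites use (ALL, exact names or addresses, ".domain" suffixes, "1.2.3." prefixes, comma-separated lists, "#" comments); EXCEPT clauses, netmasks, KNOWN/LOCAL and shell commands are assumed absent.

```shell
#!/bin/sh
# Added example (not from the book, not tcpd): a minimal evaluator that
# reproduces the TCP wrappers decision order so the two files can be tested offline.

# pattern_matches PATTERN VALUE: does one hosts.allow/hosts.deny token cover VALUE?
pattern_matches() {
    local pat=$1 value=$2
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$value" in *"$pat") return 0 ;; esac ;;   # domain suffix, e.g. .corp.example.com
        *.)  case "$value" in "$pat"*) return 0 ;; esac ;;   # address prefix, e.g. 192.168.1.
        *)   [ "$pat" = "$value" ] && return 0 ;;            # exact host name or address
    esac
    return 1
}

# list_matches "a, b, c" VALUE: does any entry of a comma/space-separated list match?
list_matches() {
    local entry
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$entry" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: does any "daemon_list : client_list" line cover
# the pair? A missing file matches nothing, which is how tcpd treats it too.
file_matches() {
    local file=$1 daemon=$2 client=$3 line daemons rest clients
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        case "$line" in *:*) ;; *) continue ;; esac    # skip blank lines
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                            # drop an optional third (command) field
        if list_matches "$daemons" "$daemon" && list_matches "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# tcpd_decision ALLOW_FILE DENY_FILE DAEMON CLIENT: prints "allow" or "deny".
# hosts.allow wins on a match; hosts.deny is consulted only when hosts.allow did
# not match; a pair matching neither file is ALLOWED.
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow      # fail-open default unless hosts.deny carries ALL: ALL
    fi
}

# Constructed sample policy: SSH from the management subnet or the corporate
# domain, anything from localhost, everything else refused.
make_demo_files() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed example, not a real site policy
sshd: 192.168.1., .corp.example.com
ALL: 127.0.0.1
EOF
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}

demo=$(mktemp -d)
make_demo_files "$demo"
for pair in "sshd 192.168.1.20" "sshd 10.0.0.5" "in.telnetd 192.168.1.20" \
            "sshd build.corp.example.com" "vsftpd 127.0.0.1"; do
    set -- $pair
    printf '%-12s %-26s %s\n' "$1" "$2" \
        "$(tcpd_decision "$demo/hosts.allow" "$demo/hosts.deny" "$1" "$2")"
done
rm -rf "$demo"
```

Remove the ALL: ALL line from hosts.deny (or delete the file) and rerun: every pair that is not explicitly listed becomes "allow", which is the fail-open behaviour a hardening baseline must close.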
Hardening Linux
• Fedora Add/Remove Software utility
Hardening Linux (continued)
• Fedora User Manager
Hardening Linux (continued)
• Fedora Firewall Configuration GUI
Hardening Mac OS X
• Apple’s operating system is essentially a new variant of the UNIX operating system. The same rough guidelines for all UNIX systems apply to Mac OS X.
• Security features:
– Mandatory access controls for system resources
– Tagged downloads
– Execute disable
– Library randomization
– FileVault
– Application-aware firewall
Hardening Mac OS X (continued)
• Firewall utility in Mac OS X 10.5
Hardening Mac OS X (continued)
• Setting file permissions in Mac OS X
Updates
• Hotfix
– Small software update to address a specific problem
• Patch
– More formal, larger update
– Addresses several problems
– Developed over a longer period of time
• Service pack
– Collection of patches and hotfixes in one large package
XP Automatic Updates
Windows Update Utility in Vista
Fedora Software Package Update Utility
Network Hardening
• Securing network infrastructure components typically involves the following activities:
– Software updates
– Device configuration
Software Updates
• Maintaining current vendor patch levels for your infrastructure is one of the most important things you can do to maintain security.
• The different vendors for the different software and hardware must be tracked.
• Software and firmware for each device must be kept current.
Device Configuration
• Properly configured network devices are an important part of network hardening:
– Routers, switches, firewalls, servers, proxies, etc.
• Some general steps:
– Limit access.
– Choose good passwords.
– Turn off unnecessary services.
– Change SNMP community strings (the defaults public and private are widely known, and a read-write community string gives full control of the device).
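The four steps above can be checked mechanically against a device's saved configuration. The script below is an added example, not from the book: it scans a constructed Cisco IOS-style configuration for default SNMP community strings, an enabled HTTP management server, Telnet on a vty line, a vty line with no access-class, and missing password encryption, and then runs the same checks on a hardened version of the same device. The configuration syntax and the specific patterns are assumptions for illustration; adapt them to your platform.

```shell
#!/bin/sh
# Added example (not from the book): audit a router configuration for the
# device-configuration weaknesses listed above. Findings:
#   DEFAULT_SNMP_COMMUNITY  community string is the well-known "public" or "private"
#   HTTP_SERVER_ENABLED     web management interface left on (unnecessary service)
#   TELNET_ENABLED          cleartext management on a vty line
#   NO_ACCESS_CLASS         vty line reachable from any address (access not limited)
#   NO_PASSWORD_ENCRYPTION  passwords stored in cleartext in the configuration
audit_ios_config() {
    awk '
        function flush_vty() {
            if (in_vty && !has_acl) print "NO_ACCESS_CLASS " vty
            in_vty = 0
        }
        /^line vty/ { flush_vty(); in_vty = 1; has_acl = 0; vty = $0; next }
        /^[^ ]/     { flush_vty() }            # any other top-level line ends the vty block
        in_vty && /^ *access-class .* in/          { has_acl = 1 }
        in_vty && /^ *transport input/ && / telnet/ { print "TELNET_ENABLED " vty }
        /^snmp-server community (public|private)( |$)/ { print "DEFAULT_SNMP_COMMUNITY " $3 }
        /^ip http server$/                    { print "HTTP_SERVER_ENABLED" }
        /^service password-encryption$/       { pw_enc = 1 }
        END { flush_vty(); if (!pw_enc) print "NO_PASSWORD_ENCRYPTION" }
    ' "$1"
}

# Two constructed configurations under $1: the weak one and the same device hardened.
write_demo_configs() {
    cat > "$1/weak.cfg" <<'EOF'
hostname edge-rtr
!
snmp-server community public RO
snmp-server community private RW
ip http server
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
!
end
EOF
    cat > "$1/hardened.cfg" <<'EOF'
hostname edge-rtr
!
service password-encryption
no ip http server
access-list 10 permit 10.10.0.0 0.0.0.255
snmp-server community Kx9-ro-2010 RO 10
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
!
end
EOF
}

demo=$(mktemp -d)
write_demo_configs "$demo"
echo "== weak.cfg ==";     audit_ios_config "$demo/weak.cfg"
echo "== hardened.cfg =="; audit_ios_config "$demo/hardened.cfg"
rm -rf "$demo"
```

The weak configuration produces six findings; the hardened one produces none. Run the audit against every device's running configuration as part of the baseline, not only once at deployment, so that a later change that re-enables Telnet or adds a community string is caught.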
Application Hardening
• Securing an application against local and Internet-based attacks.
• Securing applications typically involves the following activities:
– Application patches
– Hotfixes, patches, upgrades
– Patch management
Patch Management
• A disciplined approach to the acquisition, testing, and implementation of patches.
• Capabilities of a patch management system:
– Inventory of the applications and operating systems in use
– Notification of available patches
– Continual scanning of each system’s patch status
– Selection of which patches to apply
– Pushing patches to systems
– Reporting of patch success or failure
– Reporting of patch status on any or all systems in the environment
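The scanning and reporting capabilities above reduce to comparing what is installed against the versions the vendor advisories say are fixed. The script below is an added example, not from the book: it takes a constructed inventory ("host package version", as you would collect from rpm -qa or dpkg -l on each host) and a constructed advisory list ("package minimum_fixed_version"), compares versions component by component, and reports every out-of-date package and the number of hosts that need patching. All package names and version numbers are made up for the example.

```shell
#!/bin/sh
# Added example (not from the book): the "scan patch status and report" step of
# patch management, run offline against constructed data.

# patch_status ADVISORIES INVENTORY: print one OUTDATED line per installed
# package below its fixed version, then a HOSTS_NEEDING_PATCHES summary.
patch_status() {
    awk '
        # Compare dotted versions component by component: numeric components
        # numerically (so 2.2.9 < 2.2.16), anything else as strings (so 1.0.1e < 1.0.1g).
        function vercmp(a, b,   i, n, m, x, y) {
            n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
            for (i = 1; i <= n || i <= m; i++) {
                if (x[i] == y[i]) continue
                if (x[i] ~ /^[0-9]+$/ && y[i] ~ /^[0-9]+$/) return (x[i]+0 < y[i]+0) ? -1 : 1
                return (x[i] "" < y[i] "") ? -1 : 1
            }
            return 0
        }
        FILENAME == ARGV[1] { minver[$1] = $2; next }       # advisories are read first
        ($2 in minver) && vercmp($3, minver[$2]) < 0 {
            print "OUTDATED " $1 " " $2 " " $3 " < " minver[$2]
            bad[$1] = 1
        }
        END { n = 0; for (h in bad) n++; print "HOSTS_NEEDING_PATCHES " n }
    ' "$1" "$2"
}

# Constructed advisory list and per-host inventory under $1.
write_demo_data() {
    cat > "$1/advisories.txt" <<'EOF'
openssl 1.0.1g
bash 4.1.3
httpd 2.2.16
EOF
    cat > "$1/inventory.txt" <<'EOF'
web01 openssl 1.0.1e
web01 httpd 2.2.15
web01 bash 4.1.3
db01 openssl 1.0.1g
db01 bash 4.1.2
db01 httpd 2.2.9
app01 openssl 1.0.2
app01 httpd 2.2.16
EOF
}

demo=$(mktemp -d)
write_demo_data "$demo"
patch_status "$demo/advisories.txt" "$demo/inventory.txt"
rm -rf "$demo"
```

Note the two comparisons a plain string sort gets wrong: 2.2.9 must be reported as older than 2.2.16, and 1.0.2 must not be reported as older than 1.0.1g. Packages that are not installed on a host produce no finding, since they are not exposed there.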
Windows Update Utility in Vista
Patch Management (continued)
• Windows Server Update Services
Group Policies
• Group policy
• Group policy object (GPO)
• Globally unique identifier (GUID)
• Microsoft’s new group policy capabilities (introduced with Vista and Server 2008):
– Network location awareness
– Ability to process without ICMP
– VPN compatibility
– Power management
– Device access blocking
– Location-based printing
Group Policy Object Editor
Security Templates
• A collection of security settings that can be applied to a system.
• They configure the following areas:
– Account policies
– Event log settings
– File permissions
– Registry permissions
– Restricted groups
– System services
– User rights
The MMC with Security Templates Snap-in
Chapter Summary
• Harden operating systems and network operating systems.
• Harden applications.
• Establish group policies.