Computer Security for Student-Administered Computers
Agenda
What's the Problem?
Security Risk
Security Incidents
Defenses
Vigilance
What's the Problem at UW?
http://staff.washington.edu/dittrich/talks/security/incidents.html
port-scanning: looking for systems to target
buffer-overrun attacks: command execution via coding errors
open account exploits: to login
packet sniffing: to learn login secrets
trojan horse attacks: to fool user into executing infected program
shared/stolen accounts: to login
denial of service attacks: to prevent or hamper use of computers
file storage: to pirate software/music/etc.
forging email or other electronic messages: to harass/threaten/fool
Security Goals
Microsoft Prescriptive Guidance: Security Operations Guide for Windows 2000 Server
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/windows/windows2000/staysecure/default.asp
Get secure
Stay secure (over time, amidst changes)
Security Risk
Managing risk to protected resources
Resources: data, applications, servers, etc.
what's its value?
Threat: something that could access/harm resources
natural/physical, unintentional/intentional
Vulnerability: point where resource can be attacked
Exploit: use of a vulnerability by a threat
could result in loss of confidentiality, integrity or availability
Risks need to be ranked: low, medium, high
Security Incidents
physical: earthquake, water leak, power failure, etc.
technical vulnerability exploits: attacks, buffer overflows, ...
information gathering exploit: OS identification, wireless leak, social engineering
denial of service exploit: resource removal, physical damage, etc.
Defenses
Data: encryption and backups; antivirus software
Application: developer needs to enforce
Host: limit server to specific roles
Network: blocking and/or encrypting traffic
Perimeter: firewalls; authorized PCs are clean before connecting
Physical: removable media, locks, redundancy, restricted areas
Policies and Procedures: raise awareness and prevent abuse
Windows 2000 Defenses
Planning
Isolation
Installation and Upgrades
Antivirus software
Group Policy/Registry Changes
IPSec/Filtering
Application Lockdown
Windows 2000 Defenses: Planning
What kind?
server: member or domain controller?
workstation?
What role?
basic?
web server? cluster?
What’s required for other services?
need to think about this
Windows 2000 Defenses: Isolation
On Internet-connected computer:
gather all upgrades, antivirus software
http://www.washington.edu/computing/software
download Network Associates/McAfee
Netshield (server)
McAfee VirusScan (workstation)
upgrades and updates
burn on CD
Connect to a hub not connected to Internet
Use static, non-routable IP addresses: 10.10.xxx.xxx
Windows 2000 Defenses: Installation and Upgrades
Install Windows 2000
don’t do it blindly -- read and think about it
Install latest service packs
Install security patches/hotfixes to service packs
Switch to non-privileged account
use RUNAS whenever elevated privileges needed
Watch logs (use EventViewer)
Windows 2000 Defenses: Antivirus
Install Netshield
Install latest upgrades/updates
don’t schedule to update/upgrade (not connected)
Windows 2000 Defenses: Group Policy/Registry Changes
%SystemRoot%\security\templates
Basic
Basicwk.inf (workstation)
Basicsv.inf (member server)
Basicdc.inf (domain controller)
Incremental
securedc.inf (domain controller)
securews.inf (workstations or member servers)
IIS Incremental.inf (IIS only)
Windows 2000 Defenses: Apply AD Group Policy
Active Directory Users and Computers/Domain Controllers/Properties/Group Policy/New
type “BaselineDC Policy”
press enter, then right-click on BaselineDC Policy
select “No Override”
Edit/Windows Settings (expand)/Security Settings/Import Policy
locate template BaselineDC.inf and place name in “Import Policy From” box
close Group Policy and then click Close
replicate to other domain controllers and reboot
Windows 2000 Defenses: Apply Member Group Policy
Active Directory Users and Computers/Member Servers/Properties/Group Policy/New
type “Baseline Policy”
Edit/Windows Settings (expand)/Security Settings/Import Policy
locate template Baseline.inf and place name in “Import Policy From” box
close Group Policy and then click Close
repeat above for Incremental template files
replicate to other domain controllers and reboot
Windows 2000 Defenses: Verify Group Policy
Verify with secedit (compare with existing template)
secedit /analyze /db secedit.sdb /cfg xxxxx.inf
look at log file
Test!
Windows 2000 Defenses: Registry Changes (in Baseline)
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirect=0
SynAttackProtect=2
DisableIPSourceRouting=2
PerformRouterDiscovery=0
HKLM\System\CurrentControlSet\Services\AFD\Parameters
DynamicBacklogGrowthDelta=10
EnableDynamicBacklog=1
MinimumDynamicBacklog=20
MaximumDynamicBacklog=20000
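One way to check a host against the baseline values above, as an added example that is not part of the original slides: it parses a regedit text export and reports every value that is missing or differs. The sample export is constructed, and the function names are illustrative.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
BASELINE = {  # values listed on the slide
    SERVICES + r"\Tcpip\Parameters": {"EnableICMPRedirect": 0, "SynAttackProtect": 2,
                                      "DisableIPSourceRouting": 2, "PerformRouterDiscovery": 0},
    SERVICES + r"\AFD\Parameters": {"DynamicBacklogGrowthDelta": 10, "EnableDynamicBacklog": 1,
                                    "MinimumDynamicBacklog": 20, "MaximumDynamicBacklog": 20000},
}
DWORD = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample export (REGEDIT4 text format), not taken from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000001
"SynAttackProtect"=dword:00000002
"DisableIPSourceRouting"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters]
"DynamicBacklogGrowthDelta"=dword:0000000a
"EnableDynamicBacklog"=dword:00000001
"MinimumDynamicBacklog"=dword:00000014
"MaximumDynamicBacklog"=dword:00004e20
'''

def parse_export(text):
    """Return {key path (lowercase): {value name (lowercase): int}} for DWORDs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := DWORD.match(line)):
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return sorted (name, expected, actual); actual is None if the value is absent."""
    found, findings = parse_export(text), []
    for key, values in BASELINE.items():
        present = found.get(key.lower(), {})  # registry names are case-insensitive
        findings += [(name, want, present.get(name.lower()))
                     for name, want in values.items() if present.get(name.lower()) != want]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("%s: expected %r, found %r" % finding)
```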
Windows 2000 Defenses: IP Filtering
Block all ports not needed for servers
Windows 2000 Defenses: Application Lockdown
Read application’s notes on security
IIS
IIS Incremental.inf
follow guidelines
SQL Server
change default system DBA passwords
protect DBs with access rights/file permissions
Linux Defenses
Planning
Isolation
Installation and Upgrades
Antivirus software???
IP Filtering
Application Lockdown
Linux Defenses: Planning
What kind?
workstation?
server?
What servers?
web server? insecure servers?
What apps are required?
What services are required?
Linux Defenses: Isolation
On Internet-connected computer:
gather all upgrades
burn on CD
Connect to a hub not connected to Internet
Use static, non-routable IP addresses: 10.10.xxx.xxx
Linux Defenses: Installation and Upgrades
Install Linux
don’t do it blindly -- read and think about it
put /tmp, /home and /var/log in separate partitions
Install latest upgrades
Switch to non-privileged account
use “su -” whenever elevated privileges needed
Watch logs (usually in /var/log)
Linux Defenses: IP Filtering
tcp wrappers
/etc/hosts.deny
ALL:ALL
/etc/hosts.allow
ALL: 10. LOCAL
sshd: ALL
/etc/xinetd.d
disable=yes for undesired services
killall -USR2 xinetd
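How the tcp wrappers rules above are evaluated, as an added example that is not part of the original slides: hosts.allow is consulted first, then hosts.deny, and a client that matches neither is allowed. The evaluator is simplified (no wildcards, netmasks or EXCEPT), and the client addresses and host names are constructed.

```python
# Rules from the slide.
HOSTS_ALLOW = """\
ALL: 10. LOCAL
sshd: ALL
"""
HOSTS_DENY = "ALL:ALL\n"

def parse(text):
    """Return [(daemon list, client list)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            daemons, clients = line.split(":")[:2]  # ignore optional command field
            rules.append((daemons.replace(",", " ").split(),
                          clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr, name):
    """Match one client pattern against the peer address and (optional) host name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":             # host name that contains no dot
        return bool(name) and "." not in name
    if pattern.endswith("."):          # address prefix such as "10."
        return addr.startswith(pattern)
    if pattern.startswith("."):        # domain suffix such as ".example.org"
        return bool(name) and name.endswith(pattern)
    return pattern in (addr, name)

def rule_hits(rules, daemon, addr, name):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr, name) for p in clients)
               for daemons, clients in rules)

def allowed(daemon, addr, name=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """First match in hosts.allow grants; else a match in hosts.deny refuses."""
    if rule_hits(parse(allow), daemon, addr, name):
        return True
    return not rule_hits(parse(deny), daemon, addr, name)

# Constructed clients (192.0.2.0/24 is a documentation range).
CLIENTS = [("in.telnetd", "10.10.1.5", None), ("in.telnetd", "192.0.2.7", "host.example.org"),
           ("sshd", "192.0.2.7", "host.example.org"), ("in.ftpd", "192.0.2.9", "labpc")]
if __name__ == "__main__":
    for daemon, addr, name in CLIENTS:
        print(daemon, addr, name, "->", "allow" if allowed(daemon, addr, name) else "deny")
```

With these rules every wrapped service is reachable only from 10.x addresses and dot-less local host names, while sshd is reachable from any address.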
Linux Defenses: Apache Lockdown
Apache -- start by restricting everything
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
then allow by specific directories
want to disable CGI, includes
Linux Defenses: FTP Lockdown
should not use -- sends passwords in plain text
use ssh/scp/sftp instead
/etc/ftpusers
should NOT include root or other privileged accounts
disallow anonymous FTP
should read: class all real *
References
http://www.washington.edu/computing/security
Microsoft Baseline Security Analyzer for 2000/XP
requires Internet access to run
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp
SANS Institute Bookstore (Windows 2000 & Linux)
(SANS = System Administration, Networking and Security)
https://www.washington.edu/computing/software/sitelicenses/sans/sw/access.html