Windows Security

Operating System Security
A Windows and UNIX Introduction
UNIX Security
Unix is a multi-user, multitasking operating system. It is widely used because it is generally more stable, more reliable and more scalable than most other operating systems.
Typical Uses:
- Enterprise Resource Planning (SAP, PeopleSoft, Oracle, etc.)
- Engineering Applications (CAD/CAM, process controllers, etc.)
- Electronic Commerce (web servers, transaction processors, etc.)
- Database Servers (Oracle, Informix, etc.)
- Firewalls (Checkpoint Firewall-1, Sidewinder, etc.)
Some UNIX History
- Unix was developed at AT&T Bell Labs in 1969.
- By the early 1970s it had been rewritten to make it an "open", portable system.
- As an open system, Unix became widespread as universities and others adopted it.
- Two UNIX code bases became dominant; most subsequent Unix variants are based on one of them:
  - System V - AT&T
  - BSD - Berkeley Software Distribution
UNIX Features
- Written in the C programming language.
- The first operating system to include TCP/IP networking, which made the Internet and the World Wide Web possible.
- Linux is based on Unix.
- Unix runs most Internet Service Providers.
- Unix is generally insecure in its default installation and is one of the operating systems most vulnerable to hackers.
Unix Architecture - Shells
[Diagram: login program -> shell program (C, Bourne, Korn) -> commands being sent to the system]
User Accounts - Overview
- Every person who uses a UNIX system must have an account (username) to log in with.
- Each account is identified by a user identification number (UID).
- All accounts are stored in the /etc/passwd file; each user has one line in /etc/passwd.
- When a user logs in, UNIX reads the password file to authenticate the user and then executes several start-up files.
Users - The /etc/passwd file
daemon:*:1:1::/tmp:
root:diw&5kdiwlj^#:0:1::/:
ftp:*:2:2:FTP User:/usr/spool/ftp
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/bin/sh
rodj:9Iuh,.KjhgTr4:10:5:Rod Jackson:/home/admin:/bin/sh
kevl:M,mnnh875Jkg:100:100:Klevrone:/home/acc:/bin/sh
leel:8JHgjgj45d.,L:102:100:LeeLabrada:/home/acc:/bin/sh
/etc/passwd - The username
bobp:Je834,dfsjiv@:10:5:BobParis:/home/admin:/usr/bin/sh
- can be 1-8 characters in length
- can be alphabetic or numeric
- special characters cause problems
/etc/passwd - Passwords
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
- passwords are encrypted using DES (a one-way hash: the stored value cannot be decrypted back to the password)
- an asterisk (*) means EITHER:
  - the account is revoked, or
  - there is a shadow password file (explained later)
- if the field is blank, the account has no password
- NP is also sometimes used to lock an account
/etc/passwd - User ID numbers (UID)
bobp:Je834,dfsjiv@:10:5:BobParis:/home/admin:/usr/bin/sh
- UIDs 0-9 are used for system accounts.
- Unix identifies a user by UID, not by username (bobp is UID 10 here).
- Several users can have the same UID.
- UID 0 assigns superuser privileges.
/etc/passwd - Group ID (GID)
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
- GID defines the user's primary group
- GID 0 assigns the superuser group
- Users can belong to more than one group; the additional memberships appear as entries in several groups in the /etc/group file.
/etc/passwd - The GECOS field
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
- GECOS: General Electric Computer Operating System
- free-text field (should be meaningful, e.g. the user's real name as in "Bob Paris")
- displayed as output of the finger command
/etc/passwd - Home directory
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
- location of the user's start-up files, including the user's .profile
- the user's default directory after login
/etc/passwd - The shell field
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/usr/bin/sh
- any of the different types of Unix shells
- can also be a program other than a shell, e.g. a menu such as /prod/payroll/menu
- a blank defaults to the Bourne shell (/bin/sh)
Password Security
- Different flavors of UNIX provide different levels of account and password controls:
  - password aging
  - minimum password length
  - alphanumeric passwords
  - account lockout
Shadowed Passwords
- UNIX requires that all users be able to read /etc/passwd for login purposes.
- To protect the encrypted passwords against users running password guessers, a separate shadow file is used: /etc/shadow (Sun), /etc/security/passwd (AIX).
- The encrypted password is produced by a one-way hash algorithm.
- The format of entries differs among Unix variants.
- Your participant guide has the standard shadow file names!
/etc/shadow
Entry format (Sun): username:password:lastchg
Sample: markmcguire:cob6j4NEL3H7Q:9827
- password: a 13-character encrypted password for the user, a lock string to indicate that the login is not accessible, or no string, which shows that there is no password for the login.
- lastchg: the number of days between January 1, 1970 and the date the password was last modified.
Default Accounts
- Default user IDs are common to most systems and are therefore well known and attacked. These are powerful system IDs used by the kernel to run applications and internal processes.
  Typical Unix default accounts: root adm bin dev daemon sync sys lp nobody listen uucp
- Access must be controlled. No system user ID (except root) should be able to log in and obtain a prompt!
- Applications and databases often create a default user account when they are installed. If root installs the program, these install user IDs can be powerful, and they are usually not needed after installation. Administrators often fail to remove these accounts.
  Example accounts: oracle, informix, sap, tivoli, tng
Generic Accounts
Administrators more interested in flexibility than security often assign users generic accounts: user IDs that represent a group, class or department of users instead of a named individual.
Samples: guest, trainer, student, accounting, accounts_payable, operator, helpdesk, sales, consultant, temp1

Unless needed, generic accounts are generally a BAD idea because they make it impossible to attribute the user ID's actions to a specific individual.
Good practices for user IDs: employee number, employee name, specific identification of consultants and temporary employees.
Superusers
- Commonly called "root"
- Any account with UID 0 is a superuser
- Superusers can:
  - override all file permissions
  - bypass all normal security checks
  - create new users
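The checks the preceding slides call for (blank password fields, lock strings, UID 0 accounts other than root, shared UIDs, system accounts that can still obtain a prompt, and the lastchg day count in a Sun-style shadow file) can be run mechanically over the two files. The script below is an added example, not course material: the passwd and shadow records it contains are constructed (the users are fictitious and the hash strings are not real crypt output), the lock strings "*" and "NP" come from the slides, and "*LK*" is the Solaris lock string added here as an assumption about that variant.

```python
"""Audit /etc/passwd- and Sun-style /etc/shadow entries for the weaknesses
the slides describe.  Added example, not part of the course material; the
sample records are constructed (fictitious users, non-real hashes)."""
from datetime import date, timedelta

# Constructed sample in the classic 7-field layout:
# username:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """\
root:diw&5kdiwlj^#:0:1::/:
daemon:*:1:1::/tmp:
ftp:*:2:2:FTP User:/usr/spool/ftp
bin:8JHgjgj45d.,L:3:3::/bin:/bin/sh
bobp:Je834,dfsjiv@:10:5:Bob Paris:/home/admin:/bin/sh
rodj:9Iuh,.KjhgTr4:10:5:Rod Jackson:/home/admin:/bin/sh
guest::200:100:Generic guest account:/home/guest:/bin/sh
toor:M,mnnh875Jkg:0:1:Second superuser:/:/bin/sh
"""

# Constructed sample in the Sun shadow layout username:password:lastchg
SAMPLE_SHADOW = """\
markmcguire:cob6j4NEL3H7Q:9827
bobp:*LK*:9900
guest::9950
"""

# System IDs named on the Default Accounts slide (root is handled separately).
SYSTEM_ACCOUNTS = {"adm", "bin", "dev", "daemon", "sync", "sys", "lp",
                   "nobody", "listen", "uucp"}
# "*" and "NP" are the lock strings the slides mention; "*LK*" is the
# Solaris lock string (assumption).  "*" may also mean "see the shadow file".
LOCK_STRINGS = {"*", "NP", "*LK*"}
EPOCH = date(1970, 1, 1)


def parse_passwd(text):
    """Return one dict per entry.  A missing seventh field means the shell
    defaults to /bin/sh, as the slide on the shell field states."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError("malformed passwd line: %r" % line)
        fields += [""] * (7 - len(fields))
        user, pw, uid, gid, gecos, home, shell = fields[:7]
        entries.append({"user": user, "password": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell or "/bin/sh"})
    return entries


def audit_passwd(entries):
    """Return a list of (username, finding) tuples in file order."""
    findings = []
    owner_of_uid = {}
    for e in entries:
        user, uid = e["user"], e["uid"]
        if e["password"] == "":
            findings.append((user, "no password"))
        if uid == 0 and user != "root":
            findings.append((user, "UID 0: superuser other than root"))
        if uid in owner_of_uid:
            findings.append((user, "UID %d shared with %s" % (uid, owner_of_uid[uid])))
        else:
            owner_of_uid[uid] = user
        if user in SYSTEM_ACCOUNTS and e["password"] not in LOCK_STRINGS:
            findings.append((user, "system account can log in and obtain a prompt"))
    return findings


def parse_shadow(text):
    """Parse Sun-style shadow lines (username:password:lastchg[:...]) into
    {username: {"locked", "no_password", "last_changed"}}."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw, lastchg = line.split(":")[:3]
        result[user] = {
            "locked": pw in LOCK_STRINGS,
            "no_password": pw == "",
            # lastchg counts days since 1 January 1970
            "last_changed": EPOCH + timedelta(days=int(lastchg)) if lastchg else None,
        }
    return result


def stale_passwords(shadow, today, max_age_days):
    """Users whose password is older than max_age_days as of `today`
    (locked accounts are skipped: they cannot log in anyway)."""
    return sorted(u for u, s in shadow.items()
                  if not s["locked"] and s["last_changed"] is not None
                  and (today - s["last_changed"]).days > max_age_days)


if __name__ == "__main__":
    for user, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print("%-12s %s" % (user, finding))
    shadow = parse_shadow(SAMPLE_SHADOW)
    print("markmcguire last changed password on", shadow["markmcguire"]["last_changed"])
    print("stale as of 1997-06-01 with 90-day aging:",
          stale_passwords(shadow, date(1997, 6, 1), 90))
```

On a real host the same functions take the contents of /etc/passwd and the variant's shadow file; the shadow format differs between Unix flavors (as the slide notes), so parse_shadow() would need the field order of the system being audited.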
Hacking Superusers
A HACKER'S GOAL IS TO BECOME THE ROOT USER
Once attackers have become root they may:
- modify log files to cover their tracks
- add users they can use later to access the system
- install backdoor programs to regain access later or to launch malicious code, such as distributed denial of service attacks (e.g. against Yahoo, CNN, etc.)
- install daemons that capture and transmit sensitive information to the hackers
File Permissions in UNIX
On a directory, the three permission bits mean:
- r (read): list (ls) the directory's contents
- w (write): add or remove files in the directory
- x (execute): make the directory your current directory; open files within the directory (by name)
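The directory semantics above are easy to misread (for example, a directory with x but not r still lets anyone who knows a filename open it). The following added example, not part of the slides, probes each combination empirically: it creates a throw-away directory containing one file, sets the permission bits, and records which operations the kernel permits. It assumes a POSIX system; root bypasses file permissions entirely (as the Superusers slide says), so the probes only tell you something when run as an ordinary user.

```python
"""Show what r, w and x mean on a directory (added example, not part of the
slides).  POSIX only.  Root bypasses file permissions, so IS_ROOT lets a
caller skip the probes when they would prove nothing."""
import os
import tempfile

IS_ROOT = os.geteuid() == 0


def _allowed(fn, path):
    """True if fn(path) succeeds, False if the kernel refuses it."""
    try:
        fn(path)
        return True
    except PermissionError:
        return False


def probe_directory(mode):
    """Return {"list", "open_known_file", "create_file", "chdir"} -> bool
    for a fresh directory whose permission bits are set to `mode`."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "d")
    os.mkdir(target)
    known = os.path.join(target, "known.txt")
    with open(known, "w") as f:
        f.write("constructed sample content\n")
    os.chmod(target, mode)
    cwd = os.getcwd()
    result = {}
    try:
        # r: list the directory's contents (what ls does)
        result["list"] = _allowed(os.listdir, target)
        # x: open a file whose name you already know (no listing needed)
        result["open_known_file"] = _allowed(lambda p: open(p).close(), known)
        # w together with x: add a file to the directory
        result["create_file"] = _allowed(lambda p: open(p, "w").close(),
                                         os.path.join(target, "new.txt"))
        # x: make the directory your current directory
        result["chdir"] = _allowed(os.chdir, target)
    finally:
        os.chdir(cwd)
        os.chmod(target, 0o700)          # make cleanup possible again
        for name in os.listdir(target):
            os.remove(os.path.join(target, name))
        os.rmdir(target)
        os.rmdir(base)
    return result


if __name__ == "__main__":
    if IS_ROOT:
        print("running as root: file permissions are not enforced, nothing to show")
    else:
        for label, mode in (("rwx", 0o700), ("r--", 0o400), ("-wx", 0o300), ("--x", 0o100)):
            print(label, probe_directory(mode))
```

The "--x" row is the one worth remembering: listing fails, but opening known.txt and cd'ing into the directory both succeed, which is why removing r from a directory hides names but does not protect the files inside.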

TCP Wrappers - Overview
- TCP wrapper is a mechanism for providing access control.
- It is a program that lets you control which hosts your inet daemons will accept connections from.
- Control can be applied per service (e.g. ftpd, telnetd, etc.)
- Has support for wildcards (e.g. *.ncsa.uiuc.edu)
- Can be configured strictly (e.g. only allow connections from *.ncsa.uiuc.edu)
- Can be configured loosely (e.g. allow connections from everyone but *.spam.net)
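To make the strict and loose postures concrete, here is a small model of how TCP wrapper rules are evaluated. It is an added example, not the tcpd source and not part of the slides: rules take the hosts.allow / hosts.deny shape "daemon_list : client_list", hosts.allow is consulted first, then hosts.deny, and a client matching neither table is allowed. The slide's shell-style wildcards (*.ncsa.uiuc.edu) are matched with fnmatch, and ALL and EXCEPT are supported; tcpd's other keywords and its options field are deliberately left out. The rule sets and hostnames are constructed.

```python
"""Simplified model of TCP wrappers access control (added example, not the
tcpd implementation).  hosts.allow is checked first, then hosts.deny; no
match means allow.  Only ALL, EXCEPT and shell-style wildcards are handled."""
import fnmatch
import re


def _parse_rule(line):
    """Return (daemon_list, client_list), or None for blank/comment lines.
    A third field (tcpd options) is ignored in this model."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = [p.strip() for p in line.split(":")]
    if len(parts) < 2:
        raise ValueError("rule needs 'daemons : clients': %r" % line)
    return parts[0], parts[1]


def _matches(list_text, value):
    """'a b EXCEPT c d' matches value if a or b matches and neither c nor d does."""
    pieces = re.split(r"\s+EXCEPT\s+", list_text.strip(), maxsplit=1)
    include = pieces[0].split()
    exclude = pieces[1].split() if len(pieces) == 2 else []

    def hit(patterns):
        return any(p == "ALL" or fnmatch.fnmatchcase(value.lower(), p.lower())
                   for p in patterns)

    return hit(include) and not hit(exclude)


def check_access(daemon, client, hosts_allow, hosts_deny):
    """Return ("allow" | "deny", matching rule text or None) for a connection
    to `daemon` from `client` (a hostname, as the slides' examples use)."""
    for table, verdict in ((hosts_allow, "allow"), (hosts_deny, "deny")):
        for line in table:
            rule = _parse_rule(line)
            if rule and _matches(rule[0], daemon) and _matches(rule[1], client):
                return verdict, line.strip()
    return "allow", None          # tcpd's default when nothing matches


# Constructed rule sets for the postures the slide describes.
STRICT = {"allow": ["ALL: *.ncsa.uiuc.edu"], "deny": ["ALL: ALL"]}
LOOSE = {"allow": [], "deny": ["ALL: *.spam.net"]}
PER_SERVICE = {"allow": ["ftpd: *.ncsa.uiuc.edu"], "deny": ["ALL: ALL"]}
EXCEPT_RULE = {"allow": [], "deny": ["ALL: ALL EXCEPT *.ncsa.uiuc.edu"]}

if __name__ == "__main__":
    for name, tables in (("strict", STRICT), ("loose", LOOSE),
                         ("per-service", PER_SERVICE), ("except", EXCEPT_RULE)):
        for daemon, client in (("ftpd", "host.ncsa.uiuc.edu"),
                               ("telnetd", "host.ncsa.uiuc.edu"),
                               ("telnetd", "mail.spam.net"),
                               ("ftpd", "box.example.org")):
            verdict, rule = check_access(daemon, client, tables["allow"], tables["deny"])
            print("%-12s %-8s %-22s %-5s %s" % (name, daemon, client, verdict, rule))
```

Two points the model makes visible: a loose configuration permits every host you did not think to name, and hostname patterns depend on reverse DNS for the connecting address, so a strict posture is more robust when it can be expressed in terms of addresses rather than names.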
Job Scheduling - Cron
Cron is a clock daemon that executes commands at specified dates and times.
- Regularly scheduled commands are specified in crontab files in the directory /var/spool/cron/crontabs.
- Users can submit their own crontab file using the crontab command.
- Cron only examines crontab files during its own process initialization and when the crontab or "at" command is run.
CRON – Cont'd
- All executables and files referenced by cron should NOT be world-readable or world-writable!
- Usually administrators are the only ones who need to use cron. If users have access to execute the crontab command, ask why there is a need.
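The rule on the CRON slide is checkable: walk the crontab spool, pull the absolute paths out of each scheduled command, and stat both the crontabs and the programs they name for world access bits. The script below is an added example, not part of the course material. build_demo() constructs a sample spool in a temporary directory (one world-readable crontab that runs a correctly protected script and a world-writable one) so the check runs offline; check_cron_tree() can be pointed at /var/spool/cron/crontabs on a real system, which is assumed to use the five-field-plus-command crontab layout.

```python
"""Flag crontab files, and the programs they run, that are world-readable
or world-writable (the CRON slide's rule).  Added example, not course
material; build_demo() creates constructed sample files in a temp dir."""
import os
import shlex
import stat
import tempfile


def crontab_commands(text):
    """Yield the command part of each scheduling line in a crontab,
    skipping blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue
        fields = s.split(None, 5)        # minute hour dom month dow command
        if len(fields) == 6:
            yield fields[5]


def referenced_paths(command):
    """Return the absolute paths named in a command (program and arguments).
    Relative names are skipped: they cannot be checked without knowing PATH."""
    try:
        tokens = shlex.split(command)
    except ValueError:                   # unbalanced quotes: fall back
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def world_access(path):
    """Return the world-access problems for path ('world-readable',
    'world-writable'), or None if the path does not exist."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_cron_tree(spool_dir):
    """Return sorted (path, problem) pairs for every crontab in spool_dir and
    every absolute path those crontabs reference."""
    findings = set()
    for name in os.listdir(spool_dir):
        crontab = os.path.join(spool_dir, name)
        for problem in world_access(crontab) or []:
            findings.add((crontab, "crontab is " + problem))
        with open(crontab) as f:
            for command in crontab_commands(f.read()):
                for path in referenced_paths(command):
                    problems = world_access(path)
                    if problems is None:
                        findings.add((path, "referenced by cron but missing"))
                    for problem in problems or []:
                        findings.add((path, problem))
    return sorted(findings)


def build_demo():
    """Construct a sample spool: a world-readable root crontab that runs one
    correctly protected script (0700) and one world-writable script (0777)."""
    base = tempfile.mkdtemp()
    spool = os.path.join(base, "crontabs")
    scripts = os.path.join(base, "scripts")
    os.mkdir(spool)
    os.mkdir(scripts)
    good = os.path.join(scripts, "rotate_logs.sh")
    bad = os.path.join(scripts, "nightly_backup.sh")
    for path, mode in ((good, 0o700), (bad, 0o777)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n# constructed placeholder script\n")
        os.chmod(path, mode)
    crontab = os.path.join(spool, "root")
    with open(crontab, "w") as f:
        f.write("# constructed sample crontab\nSHELL=/bin/sh\n"
                "0 2 * * * %s\n30 3 * * 0 %s >/dev/null 2>&1\n" % (bad, good))
    os.chmod(crontab, 0o644)
    return {"spool": spool, "crontab": crontab, "good": good, "bad": bad}


if __name__ == "__main__":
    demo = build_demo()
    for path, problem in check_cron_tree(demo["spool"]):
        print("%-60s %s" % (path, problem))
```

A world-writable script run by root's crontab is the serious finding here: whoever can write it runs as root at the next scheduled time. The "referenced by cron but missing" case matters for the same reason, since whoever can create the missing path first decides what cron executes.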
Audit Subsystem and Audit Files
- UNIX has limited auditing capabilities
- Basic audit features are provided for logging:
  - last logins
  - login and logout
  - failed logins
  - system accounting
  - use of the su command
  - system events
Sample Audit Files
- acct/pacct: records user commands
- lastlog: records each user's last login
- loginlog: records failed logins
- messages: records syslog messages
- sulog: records su attempts
- utmp: records each user currently logged in
- wtmp: records logins and logouts
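Of the files listed, sulog is the one that records attempts to become the superuser, which the Hacking Superusers slide names as the attacker's goal. The script below is an added example, not part of the slides, showing how an auditor would read it: the line layout assumed here is the Solaris-style "SU MM/DD HH:MM [+|-] tty from-to" with + for success and - for failure, and the log lines and usernames are constructed. It counts failed su attempts per user and target, lists who successfully became root, and flags a run of failures followed by a success, the pattern left by someone guessing the root password.

```python
"""Parse a Solaris-style sulog and pull out the events an auditor looks for
(added example, not part of the slides).  Assumed layout per line:
"SU MM/DD HH:MM [+|-] tty from-to".  Sample lines are constructed."""
import re
from collections import Counter

SULOG_LINE = re.compile(
    r"^SU\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<result>[+-])"
    r"\s+(?P<tty>\S+)\s+(?P<src>[^-\s]+)-(?P<dst>\S+)$")   # no hyphens in usernames assumed

SAMPLE_SULOG = """\
SU 11/27 08:02 + console root-bobp
SU 11/27 14:03 - pts/2 rodj-root
SU 11/27 14:04 - pts/2 rodj-root
SU 11/27 14:05 - pts/2 rodj-root
SU 11/27 14:06 + pts/2 rodj-root
SU 11/28 09:10 + pts/4 bobp-root
SU 11/28 09:15 - pts/4 bobp-oracle
"""


def parse_sulog(text):
    """Return one dict per recognised line, in file order; lines that do not
    match the assumed layout are skipped."""
    records = []
    for line in text.splitlines():
        m = SULOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["success"] = rec.pop("result") == "+"
            records.append(rec)
    return records


def failed_su_counts(records):
    """Counter of (from_user, to_user) -> number of failed attempts."""
    return Counter((r["src"], r["dst"]) for r in records if not r["success"])


def successful_root_su(records):
    """Users who successfully became root, in order of occurrence."""
    return [r["src"] for r in records if r["success"] and r["dst"] == "root"]


def failures_then_success(records, threshold=3):
    """Return (from_user, to_user, failures) wherever at least `threshold`
    consecutive failures by one user against one target ended in a success."""
    flagged, streak = [], Counter()
    for r in records:
        key = (r["src"], r["dst"])
        if r["success"]:
            if streak[key] >= threshold:
                flagged.append((key[0], key[1], streak[key]))
            streak[key] = 0
        else:
            streak[key] += 1
    return flagged


if __name__ == "__main__":
    recs = parse_sulog(SAMPLE_SULOG)
    print("failed attempts:", dict(failed_su_counts(recs)))
    print("became root:", successful_root_su(recs))
    print("failures followed by success:", failures_then_success(recs))
```

Because a successful intruder may edit log files to cover their tracks (the Hacking Superusers slide), a sulog review is only trustworthy when the file is also protected against modification or copied off the host as it is written.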