HARDENING

Hay Noticias como:

Informe sobre las vulnerabilidades de sistemas

Most vulnerable operating systems and applications in 2014

2015 was another banner year for vulnerabilities, exceeding even the
hype of 2014. The NVD added a total of 8822 new vulnerabilities in
2015, far exceeding 2014. Heres how the past few years are trending.

Most vulnerable operating systems and applications in 2015

Most vulnerable operating systems and applications in 2015

Most vulnerable operating systems in 2015

Host Hardening
Series of actions to be taken in order to
make it hard for an attacker to
successfully attack computers in a
network environment

(March 30, 2015)

Abdou Illia Spring 2015

Computer system #1

Intel Core i7 Processor (3.20GHz)

2GB SDRAM PC3200 (800MHz), Dual Channel
1TB Serial ATA 7200rpm Hard Disk Drive
16x Multi-Format DVD Writer (DVDR/RW)
Gateway 7-Bay Tower Case
Integrated Ultra ATA Controller
(1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
(7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire
Ports, Parallel, Serial and (2) PS/2
20" Black LCD Flat Panel Display (19" viewable)
Gateway Premium 104+ Keyboard
Two-Button PS/2 Wheel Mouse
Napster 2.0 and 150 Song Sampler
Intel High Definition Audio
GMAX 2100 2.1 Speakers with Subwoofer
56K PCI data/fax modem
10/100/1000 (Gigabit) Ethernet
Microsoft Office 2010 Professional on DVD
11

Computer Hardware & Software

Productivity Software
Operating System
Computer Hardware
12

Computer system #2

Intel Core i7 Processor (3.20GHz)

2GB SDRAM PC3200 (800MHz), Dual Channel
1TB Serial ATA 7200rpm Hard Disk Drive
16x Multi-Format DVD Writer (DVDR/RW)
Gateway 7-Bay Tower Case
Integrated Ultra ATA Controller
(1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
(7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel,
Serial and (2) PS/2
20" Black LCD Flat Panel Display (19" viewable)
Gateway Premium 104+ Keyboard
Two-Button PS/2 Wheel Mouse
Napster 2.0 and 150 Song Sampler
Intel High Definition Audio
GMAX 2100 2.1 Speakers with Subwoofer
56K PCI data/fax modem
10/100/1000 (Gigabit) Ethernet
Windows 7 Professional
Google Chrome 16 installed
Microsoft Office 2010 Professional installed
13

Computer Hardware & Software

Web browser
Productivity Software

Operating System
Computer Hardware
14

Computer system #3

Intel Core i7 Processor (3.20GHz)

2GB SDRAM PC3200 (800MHz), Dual Channel
1TB Serial ATA 7200rpm Hard Disk Drive
16x Multi-Format DVD Writer (DVDR/RW)
Gateway 7-Bay Tower Case
Integrated Ultra ATA Controller
(1) PCI-E x16 Expansion Slot, (1) PCI-E x1, (3) PCI with 2 available for use
(7) USB 2.0 (6 in back and 1 in front in the media card reader), (2) IEEE 1394 Firewire Ports, Parallel,
Serial and (2) PS/2
20" Black LCD Flat Panel Display (19" viewable)
Gateway Premium 104+ Keyboard
Two-Button PS/2 Wheel Mouse
Napster 2.0 and 150 Song Sampler
Intel High Definition Audio
GMAX 2100 2.1 Speakers with Subwoofer
56K PCI data/fax modem
10/100/1000 (Gigabit) Ethernet
Windows Server 2008 Enterprise installed
Internet Explorer 8 installed
IIS 6.0 installed
15

Computer Hardware & Software

Web service software (IIS, Apache, ...)
Web browser
Productivity Software

Client &
server
application
programs

Operating System
Computer Hardware
16

Your knowledge about Host hardening

Which of the following is most likely to make a computer system unable to

perform any kind of work or to provide any service?
a)
Client application programs get hacked
b) Server application programs (web service software, database service,
network service, etc.) get hacked
c)
The operating system get hacked
d) The connection to the network/Internet get shut down

17

OS Vulnerability test
2010 by omnired.com

OS tested:
OS market share
Win XP, Win Server 2003, Win Vista Ultimate,
Mac OS Classic, OS X 10.4 Server, OS X 10.4 Tiger
FreeBSD 6.2, Solaris 10, Fedora Core 6, Slackware 11.0, Suse Enterprise 10, Ubuntu 6.10
Tools used to test vulnerabilities:
Scanning tools (Track, Nessus)
Network mapping (Nmap command)
All host with OS installation defaults
Results
Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities and
allow for executing malicious code
The UNIX and Linux variants present a much more robust exterior to the outside
Once patched, however, both Windows and Apples OS are secure.

18

Your knowledge about Host hardening

You performed an Out-of-the-box installation of Windows XP and Linux FreeBSD 6.2 on two
different computers. Which computer is more likely to be secure ?
a)
Windows XP
b)
Linux FreeBSD 6.2
c)
They will have the same level of security

What needs to be done, first, in order to prevent a hacker from taking over a server with
OS installation defaults that has to be connected to the Internet?
a)
Lock the server room
b)
Configure the firewall to deny all inbound traffic to the server
c)
Download and install patches for known vulnerabilities

19

Security Baseline
Because its easy to overlook something in the hardening process,
businesses need to adopt a standard hardening methodology: standard
security baseline
Need to have different security baseline for different kind of host; i.e.
Different security baselines for different OS and versions
Different security baselines for different types of server applications
(web service, email service, etc.)
Different security baselines for different types of client applications.

20

Options for Security Baselines

Organization could use different standards

OS vendors baselines and tools
e.g. Follow MS Installation procedure and use Microsoft Baseline Security
Analyzer (MBSA)
Standards Agencies baselines
e.g. CobiT* Security Baseline
Companys own security baselines
Security Baseline to be implemented by
Server administrators known as systems admin
* Control Objectives for Information and Related Technology

21

Elements of Hardening

Physical security
Secure installation and configuration
Fix known vulnerabilities
Remove/Turn off unnecessary services (applications)
Harden all remaining applications
Manage users and groups
Manage access permissions
For individual files and directories, assign access
permissions to specific users and groups

Back up the server regularly

Advanced protections

A
c
c
o
r
d
i
n
g
t
o

22

b
a
s
e
l
i
n
e

Example of Security Baseline for Win XP Clients

OS Installation
Create a single partition on HDD
Format disk using NTFS file system
Install Win XP and Service Pack 3
Fixing OS vulnerabilities
Download and install latest patches
Turn on Windows Automatic Updates checking
Configure Windows Firewall
Block incoming connections except KeyAccess and Remote Assistance
Turn off unnecessary services
Turn off Alerter, Network Dynamic Data Exchange, telnet
Application Installation
Centrally assign applications using group policies
Fixing applications vulnerabilities
Turn on each applications automatic update checking
23

Hardening servers

The 5 P s of security and compliance: Proper Planning Prevents Poor Performance

Plan the installation
Identify
The purpose of the server. Example: provides easy & fast access to Internet services
The services provided on the server
Network service software (client and server)
The users or types of users of the server
Determine
Privileges for each category of users
If and how users will authenticate
How appropriate access rights will be enforced
Which OS and server applications meet the requirements
The security baseline(s) for installation & deployment
Install, configure, and secure the OS according to the security baseline
Install, configure, and secure server software according to sec. baseline
Test the security
Add network defences
Monitor and Maintain
24

Hardening servers (cont.)

Choose the OS that provides the following:

Ability to restrict admin access (Administrator vs. Administrators)
Granular control of data access
Ability to disable services
Ability to control executables
Ability to log activities
Host-based firewall
Support for strong authentication and encryption
Disable or remove unnecessary services or applications
If no longer needed, remove rather than disable to prevent re-enabling
Additional services increases the attack vector
More services can increase host load and decrease performance
Reducing services reduces logs and makes detection of intrusion easier

25

Hardening servers (cont.)

Configure user authentication
Remove or disable unnecessary accounts
(e.g. Guest account)
Change names and passwords for default accounts
Disable inactive accounts
Assign rights to groups not individual users
Don't permit shared accounts if possible
Configure time sync
Enforce appropriate password policy
Use 2-factor authentication when necessary
Always use encrypted authentication
26

UNIX / Linux Hardening

Many versions of UNIX
No standards guideline for hardening
User can select the user interface
Graphic User Interface (GUI)
Command-Line Interfaces (CLIs) or shells
CLIs are case-sensitive with commands in lowercase except
for file names

27

UNIX / Linux Hardening

Three ways to start services
Start a service manually (a) through the GUI, (b) by typing its
name in the CLI, or (c) by executing a batch file that does so

Using the inetd program to start services when requests come in

from users
Using the rc scripts to start services automatically at boot up

Inetd = Internet daemon; i.e. a computer program that runs in the background

28

UNIX / Linux Hardening

Starting services upon client requests
Services not frequently used are dormant
Requests do not go directly to the service
Requests are sent to the inetd program which is started at server boot up

Program A
Program B

4. Start and
Process
This Request

Program C
Program D

1. Client Request
To Port 123

inetd

3. Program C

Port 23
Port 80
Port 123
Port 1510

2. Port 123

Program A
Program B
Program C
Program D

/etc/inetd.config
29

UNIX / Linux Hardening

Turning On/Off unnecessary Services In UNIX
Identifying services running at any moment

ps command (process status), usually with aux parameters,

lists running programs
Shows process name and process ID (PID)

netstat tells what services are running on what ports

Turning Off Services In UNIX
kill PID command is used to kill a particular process
kill 47

(If PID=47)
30

Advanced Server Hardening Techniques

File Integrity Checker
Creates snapshot of files: a hashed signature (message digest) for
each file

After an attack, compares post-hack signature with snapshot

This allows systems administrator to determine which files were
changed

Tripwire is a file integrity checker for Linux/UNIX, Windows, etc.:

www.tripwire.com (ftp://coast.cs.purdue.edu/pub/tools/unix)

31

Advanced Server Hardening Techniques

Reference Base
1.
Earlier
Time

File 1
File 2

Other Files in
Policy List

Tripwire

File 1 Signature
File 2 Signature

3. Comparison to Find Changed Files

Post-Attack Signatures
2.
After
Attack

File 1
File 2

Other Files in
Policy List

Tripwire

File 1 Signature
File 2 Signature

File Integrity problem: many files change for legitimate reasons. So it is difficult to know which
32
ones the attacker changed.

Other types of host that can be Hardened

Internetwork Operating System (IOS)
For Cisco Routers, Some Switches, Firewalls

Even cable modems with web-based

management interfaces

33

REFERENCIAS:

https://wikis.utexas.edu/display/ISO/Redhat+Linux+Hardening+Checklist
http://www.tecmint.com/linux-server-hardening-security-tips/
https://www.suse.com/documentation/sles11/singlehtml/book_hardenin
g/book_hardening.html
https://security.berkeley.edu/node/143