Security+
All-In-One Edition
Chapter 12 – Security Baselines
Brian E. Brzezicki
Hardening and Baselines
Operating systems and software are written to be functional and easy to use and install. Otherwise vendors will have a hard time selling them ;-)
Unfortunately they generally come configured insecure (or less secure than possible) out of the box.
There are two important terms we need to understand in regards to securing systems out of the box.
Hardening
Hardening – the process of securing a system as much as possible for production
• Installing updates/patches
• Disabling or removing* unnecessary software/services
• Securing services
  – Setting application configuration controls to max security
  – Setting OS configuration controls to max security
  – Restricting access to authorized users
• Installing add-on host-based tools such as firewalls and anti-virus.
Baseline – The row of shields above your fighter that protects you from attack by hordes of aliens
Baselines
Close actually…
Baselines – the process of establishing a minimum set of protections that protects a computer system/network from attack from the hordes of script-kiddies and crackers.
• MINIMUM set of protections and configurations
• Important to have baselines in any organization – why?
Password Policies (340)
One baseline concept that is often overlooked is the idea of requiring strong password practices (policy).
Why is a password policy important? (more)
Password Policy Concepts (343)
What are all these things?
• Minimum password lengths - 8
• Minimum password ages – days to weeks
• Maximum password ages 60 - 90 days
• Case changes, number and special characters
  – 1 or more A-Z
  – 1 or more a-z
  – 1 or more 0-9
  – 1 or more special character
• Password History 5 - 10
• No personal information (usernames, real name, children's names, birthdates)
Password Usability vs. Security
However you have to balance “usability” vs. security
• What do I mean by this?
• What problems occur with “too secure” passwords?
I like to use a “passphrase” to generate a password
“I Like to drink Iced Tea and Lemon”
I L T D I T A L
1 L t d 1 t @ l
Attacks against passwords (342)
Some types of attacks that you should understand the terminology of
• Dictionary Attack – go through the dictionary
• Hybrid attack – makes substitutions on dictionary words
• Brute force – try everything!
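As an added example (not part of the slide deck), a Python checker that applies the rules from the Password Policy Concepts slide (length, the four character classes, no personal information, password history) and also flags dictionary words disguised with the kind of substitutions the hybrid attack above makes. The word list, the user names and every password except the slide's own “1Ltd1t@l” are constructed for the example.

```python
import hashlib
import re
import string

# Constructed mini word list standing in for a real cracking dictionary.
DICTIONARY = {"password", "letmein", "welcome", "iced", "tea", "lemon"}

# Common substitutions a hybrid attack tries, applied in reverse so that a
# dictionary word hiding behind simple swaps (P@ssw0rd) is still recognised.
UNLEET = str.maketrans("01345@$", "oleasas")


def remember(password: str) -> str:
    """Hash a password for the history list. A real system would use a slow,
    salted hash such as bcrypt; sha256 keeps the example short."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, username, personal_info=(), history=(),
                   min_len=8, history_depth=5):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter (A-Z)")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter (a-z)")
    if not re.search(r"[0-9]", password):
        problems.append("no digit (0-9)")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Personal information: user name plus whatever the directory knows.
    for item in (username, *personal_info):
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    # Undo substitutions, drop non-letters, then look the stem up.
    stem = re.sub(r"[^a-z]", "", lowered.translate(UNLEET))
    if stem in DICTIONARY:
        problems.append(f"dictionary word with substitutions: {stem!r}")
    # Password history: reject anything used in the last N changes.
    if remember(password) in list(history)[-history_depth:]:
        problems.append(f"reused within the last {history_depth} passwords")
    return problems


if __name__ == "__main__":
    print(check_password("1Ltd1t@l", "bbrzezicki"))   # [] -> passes
    print(check_password("P@ssw0rd", "alice"))        # flagged as a dictionary word
```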
Password Crackers (341)
As a security administrator, you should use software that enforces your company's password policies such as
• PASSFILT.DLL (NT 4.0 SP2)
• Windows Group Policies (Windows 2000+)
• Npasswd or PAM on Unix/Linux
You should also try to “crack” passwords periodically
• Cain and Abel (Windows)
• John the Ripper (Windows, Unix)
• Crack (Unix)
[...]

... (19 less than 2000 Next slide)
• Official Security Guides for securing services
• Security Configuration Wizards – easily install and lockdown services
• Software Restriction policy – allows an administrator to define what software should be allowed to run on a system
  – Why is this important? (more)
Services
Show for real on workstation
Windows 2003
• IIS – allows isolation between web applications...

... for network management
• Allows for “reads”
  – Ex How many packets were routed
  – Ex How many web pages were served
• Allows “writes”
  – Ex Reboot
  – Ex Shutdown interface
• Plain text communication (earlier versions)
• Communities (like passwords) – Public/Private for read and write access

Vulnerability Assessment and Penetration Testing (n/b)
Network Mapping – The act of using software to try to determine... software/services of your network
Vulnerability Assessment – The process of scanning/probing your systems to determine what software exists and what holes might exist on the network/systems. All systems should have Vulnerability Assessments done
Vulnerability Assessment and Penetration Testing (n/b)
Penetration Testing – A process of actually trying to test your security posture by exploiting holes determined...

... Access Quarantine – explain this
• MBSA – Microsoft Baseline Security Analyzer… this is a type of vulnerability assessment program for MS OS and software. You should run this on all MS machines
Windows 2008 (346)
• Bit locker – drive encryption software
• Roles-based installation of network services (Web server only installs Web server, not DNS etc)
• Read only Domain Controllers
• NAP – controls access to network resources based on a computer's compliance to security policy
Difference between NAQ and NAP http://technet.microsoft.com/en-us/library/bb726973.aspx
Always make sure you're up to date on patches/service packs (361)
Staying up to date is one of the...

... used today and a good practice to use them. TCP wrappers takes 2 text based files
• /etc/hosts.allow – read first, overrides /etc/hosts.deny if conflict
• /etc/hosts.deny – read last
Example next page
/etc/hosts.deny (tcpwrappers)
Verifying (All OSes) (n/b)
• After applying baselines you should ALWAYS verify your settings have been taken. One good way is to look at what ports...

Random password term
Virtual password – Some software asks you to type a passphrase, like a sentence. Software often takes the passphrase and uses it to create a “virtual password”. Anyone have any ideas how they could do that?
Hardening Windows