Information Security
Mark Lachniet [email protected]
Analysts International

Introductions
• Mark Lachniet ([email protected])
• Senior Security Engineer at Analysts International – Sequoia Services Group
• Technical lead for the Security Group
• MCNE, MCSE, CCSE, LPIC-1
• Worked for 6 years as a technician and later the IS Director at Holt Public Schools
• Former board member and conference organizer for MAEDS (http://maeds.org)
• Frequent presenter at MAEDS, MACUL, MIEM and for private engagements

Purpose of Today’s Presentation
• Provide a macroscopic overview of security issues, technologies, and concerns for schools
– General Overview
– Operations Security
– Physical Security
– For administrators and technicians
– Will be presented first. Non-technical people may not need to hear about server hardening, but technical people definitely need to hear everything
• Provide technical information about specific technologies of concern
– Network Security
– Host Security

Purpose of Today’s Presentation
• Provide links, works cited and references for continued research and investigation
• Provide time for discussion (via e-mail) about specific issues of concern
• Most importantly – to raise awareness. Things are bad in computer security, and we don’t want Michigan schools to be a casualty!

Agenda
• Security Background
• Operations Security
• Physical Security
• Network Security
– Wireless
• Host Security
– Macintosh (OS/X)
– Novell Netware
– Linux / UNIX
– Microsoft
• Short breaks about every 45 minutes for questions and more coffee

General Overview

Computer Crime on the Rise
• We know that computer security is a real problem. We are here, aren’t we?
• September 11th has further raised the bar on computer security awareness and funding
• Computer security is about economic impact – our reliance on the Internet and computers means that our livelihood can be threatened by digital attackers from around the world
• Consider how skittish the stock market is, and how it affects the overall economy
• More and more people are getting connected
• Tools and attacks are increasingly easy to find and use, lowering the intellectual bar

The CSI Computer Crime and Security Survey
• The CSI survey, released 4/7/2002, has some very interesting pieces of information:
• 90% of respondents detected a security breach within the last 12 months. Have you? If not, it is probably happening without your knowledge!
• 44% of respondents were able to quantify their losses due to a security breach. The result was $455,848,000 over 223 respondents, for an average loss of $2,044,161 each

The CSI Computer Crime and Security Survey
• 74% of attacks cited were against the Internet border and devices (web servers, firewalls)
• 33% of attacks cited were against internal systems (internal file/print, workstations)
• 40% detected penetrations from the outside
• 40% detected Denial of Service (DoS) attacks
• 78% detected employees abusing privileges (pornography, pirated software, etc.)

The CIA Triangle
Confidentiality – Integrity – Availability

The CIA Triangle
• Confidentiality – The unintended or unauthorized disclosure of computer data or information
• Integrity – The unintended or unauthorized modification of computer data or information
• Availability – The loss of service of critical applications, systems, data, networks or computer services
• K-12 Schools need to worry about all three!
Reasons for Security in K-12 Education
• Funding requirements (USF)
• Integrity of critical data
• Public opinion / negative publicity
• Student safety & disciplinary issues
• Avoid costly litigation
• Lost productivity, both for technical and non-technical personnel
• Lost educational potential, inability to teach on broken computers, lost files, etc.
• To be a good Internet citizen

Important K-12 Data to Protect
• Grades / Attendance: changing (for better or worse) student grades or attendance: school accreditation, state funding (count day), etc.
• Information considered private: SS#, special education status, free lunch programs, notes from counselors, discipline, medication (Ritalin), etc.
• Integrity of financial data – online PO’s, budgetary information (balances, accounts, responsibility reports)
• Payroll and Human Resources – criminal history, disciplinary actions, disability, etc.
• Educational and administrative documents – tests, lessons, etc. These are essentially “congealed money”

Protecting Students and Staff
• We must protect children and staff who are threatened by electronic means
• Pedophiles, stalkers, and bad people
• Student to student threats, assault
• Recorded information about drugs, sexual activity, abuse, gang activity, violence, or other crime
• Questionable Internet content – bomb-making instructions, how to hack, etc.
• The problem of IM and chat rooms
• Student info – last names & pictures
• South Carolina’s law

The Public
• As a public school employee, anyone can question or criticize your methods and actions at a school board meeting, PTO or school function, or in the media
• Bad security may expose the district to significant lawsuits, especially for failing to protect children’s information such as special ed. status
• Bad security can (and eventually probably will) equal bad publicity, as more than one local district knows
• Be aware of FOIA laws – what can they legally obtain? All e-mail? What is protected?
• And… of course… Internet filtering.

Downtime and Discipline
• Broken systems – deleted files, missing software, physical vandalism
• Prevents students from learning
• Requires extensive time and $$ to fix
• Frequently leads to disciplinary action. The computer tech as computer-narc (think S.C.)
• Take good notes of what you do
• Learn to use Windows Find! Alt-PrtScn it, print it out, and start a file
• Parents… “my son would never do that!”
• Hopefully, it takes less time to proactively secure things than to fix them

Justifying the Cost of Security
• Security work can be expensive! It takes tools, training and time (or money to hire out)
• Compared to “firefighting”, yearly replacement, keeping servers running, and imaging workstations, it is usually not seen as a priority (until there is an incident, anyway)
• Or worse, it is a priority but nobody ever gets the time to do it
• Talk to the school board, H.R. and Finance directors, and superintendents about the risk (and get help from someone)
• Security is a proactive cost savings, not reactive

Scare Them… With Reality
• Discuss the frequency of computer breaches in the media and at peer organizations
• The national cost of computer incidents – Code Red alone = $1.2 BILLION
• Compute the cost in lost productivity if the HR, payroll, or student system dies (lots!)
• Discuss the cost of a lawsuit. Even a lawsuit without merit will cost thousands of dollars
• Discuss the need for student safety – could a child be exposed to harm due to a failure in the existing system? Can you put a price on that?

Scare Them… With Reality
• Discuss the educational ramifications – what if all student and staff directories were wiped out and no backups existed?
• Discuss privacy issues – some choice e-mail from the superintendent’s or spec. ed director’s account being sent to the local paper, for example
• Loss of USF funding, loss of accreditation?
• Loss of community confidence and support
• Loss of valuable computer technician time that could otherwise be spent keeping everything working properly
• Loss of YOUR JOB!

Hacking

The Goal of Network Security
• Simply put: “To be more annoying to break into than your neighbor”
• The house and neighborhood metaphor
• Increase the “work factor” of attacking you by erecting as many barriers as possible (defense in depth)
• Ultimately, network security is all about preserving the functionality of the organization. Technology is just the tool.

Why People Hack (Crack)
• Crackers are generally regarded as being motivated by one of four primary reasons:
– Economic gain (espionage, embezzlement)
– Egocentric (to prove they can do it, play god, get recognition from other crackers)
– Ideological (to prove a political point – attacking the World Trade Organization or NATO web sites, for example)
– Psychotic (they are just sick in the head and probably destructive)

Types of Hack Attacks
• Reconnaissance – Scan networks and online resources (whois, DNS), dumpster diving, etc. to gain interesting information about the target. Typically non-invasive, usually untraceable
• Exploits – Attack servers in an attempt to exploit a system vulnerability of some kind (e.g. NIMDA, Code Red, etc.). Very invasive, can be detected by IDS systems or careful log analysis
• Denial of Service (DoS) – Attack servers to take them down and render them unusable. You will probably know when this is happening from the complaint phone calls

Types of Hack Attacks
• Attacks can be both personal and manual, or automated and generic
• Many attacks are the result of systems that have already been attacked, and are now attempting to hack other machines. NIMDA was a good example of this. Usually the system owners have no idea what is happening
• If you monitor any Internet connection long enough (say, 15 minutes) you are bound to see attacks coming through. It is just part of doing business nowadays
• It is the manual attacks that you need to be worried about – deliberate, careful, and focused
• Most hackers aren’t that smart – they just use programs given to them – and are thus known as “script kiddies”

Common Security Practices
• Security is a nascent field in many respects
• Terminology, procedures and skill levels vary drastically between people and organizations
• Some disagreement over what best practices actually are (e.g. the best placement of an IDS)
• Few objective benchmarks to allow “apples to apples” comparisons for HW, SW, Services
• There is a big technical curve for security – you must first be an expert in the technology, and then learn security on top of it
• Whether you do it internally or get external help, it needs to be done

What We Have to Work With

Common Security Services
• A firewall and Internet border security is simply not enough! This gives rise to the “candy” network – hard on the outside, soft on the inside (and tasty for attackers, too)
• Embrace the concept of “defense in depth.” In other words, have security at multiple layers and in many places to make attacks as difficult as possible.
• There is value in getting help from an external perspective – there is less ego on the line and a fresh viewpoint

Vulnerability Assessments
• Sometimes called “penetration testing”
• Uses scripts and vulnerability assessment tools such as “Nessus” and the “ISS Internet Scanner” to scan all hosts for all known vulnerabilities
• Also uses “human logic” to find problems – manually connecting to services, analyzing portscans, researching various software packages, making connections, etc.
• Human logic is the most important step! Anyone can run a scanner program, but interpreting results and applying knowledge of the technologies involved is essential.
Vulnerability Assessments
• People and companies that specialize in security are important for a good vulnerability assessment project
• The deliverable of a vulnerability assessment should include a list of all IP addresses, open ports, explanation and ranking of vulnerabilities, and hopefully some dialog on how to start fixing them
• Vulnerability assessments should be done regularly – new vulnerabilities come out all the time – so you must stay up to date
• Be warned – other people are assessing your network. Are you?

Security Assessment Services
• Sometimes called an audit
• Sometimes performed in a very limited capacity by financial auditors (mainly backup systems)
• Can be used to audit an actual environment against a set of criteria, for example to determine compliance
• Should be performed by one or more individuals with backgrounds in both network systems and organizational administration
• Takes a macroscopic view of the organization
• Analyzes technology as well as policies and procedures, configurations, and other items that a tool cannot assess

Security Assessment Services
• Uses interviews, inspection of documentation, and manual analysis (depending upon the focus)
• Should make recommendations on a wide variety of things to improve security
• Should provide a description of the current situation, what best practices are, and what the recommended changes are
• Should provide an estimate of pricing and priority, so that it can be used as a planning document for department priorities and budgets

Example Recommendations
Physical Security
– Project #1: War Dial Telephone Exchanges
– Project #2: Improve Physical Security
Network Security
– Project #3: Audit Firewall Configuration
– Project #4: Implement RFC 1918 addressing
Machine Security
– Project #5: Secure Externally-Maintained Machines
– Project #6: Deploy warning banners
Policies and Procedures
– Project #7: Security Awareness and Responsibilities
– Project #8: Improve User Password Security

Disaster Recovery Planning
• Concerned with minimizing the effect of a problem with a technological system
• Focuses on things like tape backup, off-site storage, network and machine redundancy, and recovery procedures
• Must identify critical assets, and all of the resources that support them (power, network, etc.)
• Put into place preventative measures and recovery procedures
• DRP is highly interactive and labor-intensive, primarily conducted through lots of interviews
• In the private sector, failure to have a Disaster Recovery Plan in place constitutes a failure of due diligence, and CEOs can be held legally liable for damages

Business Continuity Planning
• BCP is similar to DRP, but it looks at the health of the entire organization, and not just technological systems
• Why? Approx. 65% of businesses that are down for more than a week never recover! School must continue regardless, but it will cost a fortune, and that may mean cutting back on services and employees to compensate (you won’t be popular)
• BCP looks at things like alternate locations, backup telephone systems, contacting employees, interfacing with public service agencies and the media, forming relationships with support vendors, etc.
• BCP typically is larger than, and contains, DRP measures
• Takes even longer than DRP

VPN / Remote Access Services
• Providing remote access to school resources from outside of the network is risky
• Access should only be given to those with a legitimate need (not just complainers)
• Frequently, programs like PC/Anywhere, VNC, and dial-up modem pools are used. Bad!
• A better option is to use VPN devices
• Can use the existing Internet connection, and reduce the reliance on dial-up lines to save $
• Can enforce proper authentication, provide logging, and protect traffic through the use of encryption
• Can be used for client-to-site or site-to-site

Intrusion Detection Systems
• Are designed to detect (and sometimes respond to) significant security events
• Configuration is critical to success!
• IDS works in two ways:
– Signature matching, like antivirus software
– Pattern matching, finding strange behaviors or fluctuations from the norm (e.g., a DoS attack)

Intrusion Detection Systems
• IDS comes in a few different forms:
– Network based, “sniffs” the network
– Host based, monitors local traffic and API calls
– Intrusion Prevention Systems, a combination of other types but with the ability to intercept and *stop* attacks (e.g. Entercept)
– Filesystem integrity based, monitors the filesystem, registry, routers, etc. for changes (e.g. TripWire)
• Popular IDS Systems:
– Snort (free, open source, harder to manage)
– ISS RealSecure (nice, but expensive)
– Cisco Secure IDS (great for internal switches, especially)

Intrusion Detection Systems
• Can be configured to take different actions upon noting an event, such as logging to a database, sending an e-mail or page to a network admin, or working with a firewall or router to block the attack
• Be warned of active response IDS systems! What happens if I spoof an attack from your DNS server?
• IMO, IDS systems are somewhat overrated because of the sheer volume of attacks that occur on a daily basis
• Without very careful configuration, especially sensor placement and signature tuning, you could be so overwhelmed by alerts that you can’t filter the noise from the important stuff
• Are probably best suited for the internal network, or on a DMZ network with a heavily tuned signature database

Server Hardening
• Probably the single most important aspect of security
• A firewall cannot protect an insecure host
• Hardening includes a number of steps, including keeping up to date with patches, and other proactive steps
• Simply keeping up with patches is not true hardening
• True hardening takes steps to make a compromise more difficult – even for exploits that have not yet been discovered
• Server hardening is time consuming, especially on NT and UNIX systems, and requires a lot of upkeep
• We will discuss server hardening in the technical portion of this presentation

Operations Security

Operations Security
• Concerned with ways to mitigate security risks through administration – policies, procedures and practices
• The weakest link in the security chain is individual humans (or as Dilbert calls them, “in-duh-viduals”)
• Part of “defense in depth”
• Administration support is critical to any security initiative
• Helps to minimize risk, respond to incidents, and establish standards for how things should be done

Personnel Controls
• Pre-hiring background checks for important positions. Do they have a criminal history with computers? Did they lie on their resume? Do they have heavy debt?
• Coordinate user ID practices with human resources:
– Hirings (create new IDs)
– Firings (delete all IDs)
– Position Changes (change ID rights)
• Requires that the IS department maintain a list of all places where IDs are stored! Do you have this?
• Create an “ID Maintenance” form as part of the H.R. standard procedures?
• Require sign-off on AUP
• Create checks and balances in power such that no single individual can take a process from start to finish by themselves. Especially in regards to money (payroll, POs, etc.)

Acceptable Use Policies
• Should be well-plowed ground for most school districts, so we’ll just touch on it
• Provides guidance and expectation setting on what behavior is acceptable and unacceptable
• Should apply to both students and staff
• Should use “implicit deny” language
• Should state that all equipment is the property of the district and may be monitored at any time
• Should require sign-off on the part of users to document that they have read it and agree with the requirements
• Should address password security
• Should address information privacy standards such as the treatment of confidential data (special ed records, etc.)

Warning Banners
• Use warning banners when possible
• Functions somewhat like an AUP, and can contain the AUP itself (or items of it)
• Can provide additional legal ammunition in the event that something needed to go to court
• Should be placed on public servers (web server, e-mail servers, etc.) and on local workstations
• Should contain three distinct statements:
– Definition of the appropriate use of the resource
– Warning that the system is monitored
– That there is no expectation of privacy
• http://www.ciac.org/ciac/bulletins/j-043.shtml

Formal I.S. Staff Security Responsibilities
• Security takes time! If nobody is given sufficient time to keep up with security, it will never happen
• The buck must stop somewhere. Who is responsible for it?
• Define explicit security responsibilities for one or more staff members such as firewall maintenance, log review, server patching, etc. (good on a resume)
• Document these responsibilities and how they are done – this will help in the case of a vacation or staff change (hit by a bus or wins the lotto, you choose)
• Provide tools and training opportunities (such as SANS, or Microsoft for K-12 security training)
• Put it in the budget!

Formal Employee Security Responsibilities
• Every computer user has responsibilities they must live up to (or not use the computers)
• For example – don’t share passwords, don’t write passwords on sticky notes, don’t use your last name as your password, etc.
• Information privacy – don’t store confidential information in an inappropriate place
• Don’t let student aides log into the student information system to enter grades
• Don’t let students use a teacher ID
• This and more needs to be in the AUP and also reinforced!

Incident Response Plans
• Have a plan in place on how to respond to security incidents before they happen
• May be different for student discipline vs. external hacks
• It is better to plan ahead than to figure it out when you are under stress
• What are the criteria for alerting superiors?
• What are the criteria for alerting law enforcement?
• Who will be responsible for responding?
• How will the response be escalated?
• What type of documentation will you keep?
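The Personnel Controls slide above says the IS department must keep a list of every place IDs are stored and coordinate hirings, firings and position changes with H.R. The script below is an added example (it is not part of the presentation and not a tool the presenter describes) of the check that list makes possible: reconcile the IDs actually present in each system against the H.R. roster and report terminated users whose IDs were never deleted, rights left over from a position change, IDs that were never provisioned, and template or service accounts with no named owner. The roster, the per-system account lists, the role-to-system entitlement table and the service-account inventory are all constructed sample data and are assumptions of this example.

```python
"""Reconcile user IDs in every system against the H.R. roster.

Added example, not from the original presentation. The roster, the
account lists and the entitlement table below are constructed sample
data; a real run would export the roster from H.R. and the account lists
from every system on the IS department's "where are IDs stored" list.
"""
from dataclasses import dataclass


@dataclass
class Person:
    person_id: str
    status: str   # "active" or "terminated"
    role: str     # current position, used to decide entitlements


# Which systems a person in each role should have an ID in (constructed
# policy, an assumption of this example).
ROLE_ENTITLEMENTS = {
    "teacher": {"netware", "email", "sis"},
    "secretary": {"netware", "email", "sis", "finance"},
    "payroll clerk": {"netware", "email", "finance", "payroll"},
    "student aide": {"netware"},
}

# Template/service IDs that map to no person. Each must name an owner;
# an owner of None is reported (constructed inventory).
SERVICE_ACCOUNTS = {
    "netware": {"backup_svc": "it-director", "user_template": None},
    "email": {"gw_agent": "it-director"},
}


def reconcile(roster, accounts):
    """Compare IDs found in each system with what H.R. says should exist.

    roster:   dict person_id -> Person
    accounts: dict system -> set of IDs present in that system
    Returns a dict of findings, each a sorted list of (system, user_id).
    """
    findings = {
        "delete_terminated": [],  # firings whose IDs were never deleted
        "remove_excess": [],      # position change left extra rights behind
        "missing": [],            # hirings/changes never provisioned
        "unowned_service": [],    # template/service IDs with no owner
        "unknown": [],            # IDs matching no person and no inventory
    }
    for system, ids in accounts.items():
        owners = SERVICE_ACCOUNTS.get(system, {})
        for uid in ids:
            if uid in owners:
                if owners[uid] is None:
                    findings["unowned_service"].append((system, uid))
                continue
            person = roster.get(uid)
            if person is None:
                findings["unknown"].append((system, uid))
            elif person.status == "terminated":
                findings["delete_terminated"].append((system, uid))
            elif system not in ROLE_ENTITLEMENTS.get(person.role, set()):
                findings["remove_excess"].append((system, uid))
    # The reverse direction: active people who lack an ID they should have.
    for pid, person in roster.items():
        if person.status != "active":
            continue
        for system in ROLE_ENTITLEMENTS.get(person.role, set()):
            if pid not in accounts.get(system, set()):
                findings["missing"].append((system, pid))
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data: an H.R. roster and the IDs found in each system.
SAMPLE_ROSTER = {
    "jsmith": Person("jsmith", "active", "teacher"),
    "mjones": Person("mjones", "terminated", "secretary"),
    "alee": Person("alee", "active", "payroll clerk"),  # moved from teacher
    "bkim": Person("bkim", "active", "student aide"),
}
SAMPLE_ACCOUNTS = {
    "netware": {"jsmith", "mjones", "alee", "bkim", "backup_svc",
                "user_template", "oldadmin"},
    "email": {"jsmith", "mjones", "alee", "gw_agent"},
    "sis": {"jsmith", "mjones", "alee", "bkim"},  # alee and bkim should not be here
    "finance": {"alee"},
    "payroll": set(),                              # alee never provisioned
}


def sample_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for finding, items in sample_report().items():
        print(finding, items)
```

The report is only as good as the account inventory fed into it: a system missing from the inventory is exactly the place where a fired employee's ID survives unnoticed, which is the point the slide makes about maintaining that list.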
Change Control
• Change control is the process of requesting changes to systems, implementing and testing them, and documenting results
• Security can be improved through change control because it reduces error and improves availability
• Keep detailed records of before and after configurations
• Require approval of changes by another party to ensure that the change is appropriate, needed, and does not create problems
• Test changes on a non-production system prior to full implementation

Security Awareness
• Staying abreast of the latest issues and solutions in security is critical
• Administrators must budget for and offer training opportunities to technical staff
• Administrators should require that technical staff be signed up for security listservs such as:
– BugTraq / NT BugTraq (www.securityfocus.com)
– Microsoft Bulletins (security.microsoft.com)
• Consider conducting regular internal trainings on security topics
• Consider ways to keep staff up to speed

Physical Security

Why Physical Security?
• Without physical security, all other measures can be circumvented
• For example, if I can boot a computer, I can probably enter some kind of single user mode (bootable CDs, single user mode, etc.)
• There are many types of physical attacks as well (such as key loggers)
• Access to critical areas such as wiring closets can provide unrestricted access to the network or damage of equipment (“oooh, look at the blinky lights”)
• Physical security is needed to prevent the loss of equipment

The $59 KEYkatcher
• The hardware key logger – no need to install any software whatsoever
• Could be placed on a server, log a few passwords, and then removed
• Could be placed on a “broken” student workstation, then scarf the password when you turn off your desktop protection and log in as admin to fix the problem
• If this doesn’t scare you, you aren’t really paying attention
• Only $59 each from TigerDirect.com
[Image: KeyKatcher]

Physically Securing Servers
• As you can see from the last example, restricting physical access to the console is important
• There are other steps to take such as:
– Set the BIOS to boot to C: only
– Use a BIOS admin password (though it can be beaten)
– Disconnect floppy and CD-ROM drives (since they can be booted or be used to bring in malicious code)
– Lock the cases to stop modifications or “walkaway RAM”
– Beware of other system ports such as USB!
– Set the swap file to be deleted on shut-down
– Don’t allow booting to DOS or another OS
– Use encryption on the filesystem

The $40 USB Hard Drive
• Now there are USB storage devices that work like hard drives
• These are harder to restrict
• Can be used to bring in hacking software, and circumvent security
• If USB is not needed, perhaps turn it off or disable the loading of new drivers
• Windows XP will automagically load drivers for these when detected!

Physical Availability
• Also keep in mind availability as a security requirement
• Use redundant power supplies and other types of hardware
• Use RAID-5 striping or RAID-1 disk mirroring on critical applications
• Be aware of power conditioning needs and UPS systems
• Consider the use of Storage Area Networks (SANs) for highly-available and centrally managed storage

Environmental Control
• Temperature is an obvious problem – if it’s too hot, things can overheat and fail. If they are too cold, media and LCDs can be damaged
• Too much humidity = corrosion
• Too little humidity = static shock
• Be aware of fire control systems – where are the sensors located? What type of fire extinguisher systems are in use? Where are the output heads located?
• Ever think of the water sprinkler above your servers? What would happen if it went off?

Network Infrastructure

The Importance of a Good Net
• Firewalls and routers aren’t enough to protect you, but you still need them
• There are two critical factors:
– Control – Restrict communication between parties (the Internet to the DMZ, the Internet to the inside, inside to inside, etc.)
– Accountability – There must be audit trails and logging sufficient to recreate a sequence of events. Without accountability, you will never know how your network is being used

The Unprotected Network
• This is really, really bad!
• There is no protection at all
• All hosts are directly connected to the Internet
• All hosts can theoretically be attacked
• Typically found in very small schools or universities
• For goodness sake, get a firewall!
• Juicy targets for hacking and setting up servers for pirated software, etc.
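The two factors named on The Importance of a Good Net slide, control (who may talk to whom between the Internet, the DMZ and the inside) and accountability (a log sufficient to recreate events), can be shown together in a small policy model. The script below is an added example, not from the presentation and not any firewall product's configuration: it assigns each address to a zone, evaluates a first-match rule list with a default deny, writes an audit record for every decision, and then produces the kind of summary a reporting tool would show. The zone ranges (a DMZ on 192.168.100.0/24 and an inside on 10.0.0.0/8, both RFC 1918 private ranges), the rule list and the sample traffic are all constructed assumptions of this example; note that the DMZ can hand mail to the inside but nothing else, which is the "no leapfrog" property.

```python
"""Zone-based default-deny policy with an audit trail and a summary.

Added example, not from the original presentation. Zone ranges, rules
and traffic below are constructed sample data (assumptions of this
example), chosen to show control between zones and accountability.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Addresses not in any listed zone are treated as "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),   # assumed DMZ range
    "inside": ipaddress.ip_network("10.0.0.0/8"),      # assumed inside range
}


def zone_of(ip):
    """Map an address to its zone; unknown addresses are the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"


# Constructed sample policy, evaluated first-match. Anything unmatched is denied.
POLICY = [
    Rule("internet", "dmz", "tcp", 80, "allow"),    # public web server
    Rule("internet", "dmz", "tcp", 25, "allow"),    # inbound mail to DMZ relay
    Rule("dmz", "inside", "tcp", 25, "allow"),      # relay hands mail to inside server
    Rule("dmz", "inside", "tcp", None, "deny"),     # explicit: no other DMZ->inside (no leapfrog)
    Rule("inside", "internet", "tcp", 80, "allow"),
    Rule("inside", "internet", "tcp", 443, "allow"),
    Rule("inside", "dmz", "tcp", None, "allow"),    # admins manage DMZ hosts
]


def evaluate(src, dst, proto, port, log):
    """Decide one flow by first matching rule and record the decision."""
    sz, dz = zone_of(src), zone_of(dst)
    action, matched = "deny", "default"
    for i, r in enumerate(POLICY):
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.port in (None, port):
            action, matched = r.action, "rule%d" % i
            break
    # Accountability: keep enough to reconstruct the event later.
    log.append({"src": src, "dst": dst, "proto": proto, "port": port,
                "src_zone": sz, "dst_zone": dz, "action": action, "rule": matched})
    return action


def summarize(log):
    """What a reporting tool would show: denials per source, counts per zone pair."""
    denied_by_src = Counter(e["src"] for e in log if e["action"] == "deny")
    by_pair = Counter((e["src_zone"], e["dst_zone"], e["action"]) for e in log)
    return denied_by_src, by_pair


# Constructed sample traffic (documentation address ranges for the Internet side).
SAMPLE_TRAFFIC = [
    ("203.0.113.7", "192.168.100.10", "tcp", 80),   # internet -> dmz web: allow
    ("203.0.113.7", "10.1.2.3", "tcp", 80),         # internet -> inside: default deny
    ("192.168.100.10", "10.1.2.3", "tcp", 25),      # dmz relay -> inside mail: allow
    ("192.168.100.10", "10.1.2.3", "tcp", 139),     # dmz host -> inside NetBIOS: deny (no leapfrog)
    ("10.1.2.3", "198.51.100.5", "tcp", 443),       # inside -> internet https: allow
    ("10.1.2.3", "198.51.100.5", "udp", 53),        # inside -> internet dns: deny (not in policy)
]


def run_sample():
    """Evaluate the sample traffic; returns (decisions, audit log)."""
    log = []
    actions = [evaluate(*flow, log=log) for flow in SAMPLE_TRAFFIC]
    return actions, log


if __name__ == "__main__":
    actions, log = run_sample()
    for entry in log:
        print(entry)
    print(summarize(log))
```

The last sample flow is worth noticing: inside clients cannot resolve names through this policy because no UDP/53 rule exists, which is the kind of gap that turns up as a stream of denies in the log summary rather than as a helpdesk mystery.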
The Firewalled Network
• Network access to the inside is controlled at the firewall
• “Sacrificial” hosts are unprotected outside the fw
• Ideally, RFC1918 addressing and Network Address Translation (NAT) are used on the inside network
• Strict access control lists are used to stop all incoming traffic to the inside network
• Rely on hardening of Internet servers for protection

The Pseudo-DMZ Network
• Internal hosts are made available to the outside – usually for web and mail servers (often Exchange)
• This is better than nothing, but still a very bad idea!
• Internal systems are exposed to the Internet; if one of them can be hacked, it can be used to hack the rest of the internal network (the leapfrog!)

The True DMZ Network
• Internet servers are on a DMZ network and protected by the firewall with access control and logging
• The DMZ cannot talk to the inside (no leapfrog)
• DMZ servers may use RFC1918 addressing & NAT
• Easier to maintain and monitor critical servers
• The inside is protected

Use Network Address Translation (NAT)
• Best practices dictate that you use RFC1918 addresses such as: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24
• Use one-to-one NAT for externally accessible hosts or special clients (such as a DMZ)
• Use many-to-one (PAT, IP Masquerading, overloaded NAT) for internal client access to the Internet
• NAT can break a lot of software, so be aware of address translation issues – anything that requires a host-to-host communication channel
• Use ACLs (access control lists) to deny all traffic except for that which is needed

Client VPN Services
• As before, but with a VPN concentrator as a means of ingress to the network
• Clients use VPN client software over the Internet
• Beware split tunneling! (leapfrog)

Site to Site VPN
• Using firewalls or VPN devices, traffic between district #1 and district #2 is encrypted across the net
• Assumes compatible addressing! Have a plan!
• Useful for sharing resources, hooking schools up to a WAN when all you have is cable modems and DSL
• Client access still possible

IDS Sensor Placement
• Where you “listen” is critical – inside, outside, DMZ
• Outside = see all the attacks, be overwhelmed
• DMZ = see a lot of attacks, manageable with tuning?
• Inside = see internal attacks, or those that somehow got in, but no monitoring of Internet servers
• DMZ and Inside best?

The “Partner Problem”
• Partners connected behind the firewall!
• Common for vendor maintenance, services
• No control over the partner’s security!
• These connections should be controlled by a firewall
• Never trust a vendor or partner!

E-mail Virus Filtering
• Works as an inline proxy; reverse the arrows for outgoing mail
• ACL allows SMTP Internet -> DMZ and DMZ -> Inside
• Example product – Trend Micro VirusWall
• Can protect ANY SMTP server, but only if inline. Use special agent software for mail server databases (Guinevere, NAV, etc.)
• Doesn’t protect e-mail between internal users
• Filter e-mail CONTENT?

Content Virus Filtering
• Works much like a content filter – can intercept transparently via the firewall, or by browser proxy settings
• Must integrate with content filtering and proxy caching!
• Good for stopping web attacks over HTTP, FTP, etc.
• May or may not be able to look inside of HTTPS
• Must make this network path mandatory (filter port 80 except from the virus content filter)

Web Access Servers
• Model used for GroupWise / Outlook Web Access
• Put the web server component on the DMZ, allow the Web Access server to talk ONLY to internal mail
• GroupWise web access on the DMZ is relatively secure
• Outlook web access is a problem – must open full NetBIOS access between the OWA server and the inside. An accident waiting to happen!
• Relay SMTP if needed

Wireless Security
• Wireless security has typically been very bad
• Uses WEP encryption up to 128 bits, but only if properly configured on the AP and on the client
• WEP can be broken within a few hours given the proper hardware and software (freely available)
• Signals leak further than you may think, giving access to your network from areas outside of your physical control (like the street)
• “Wardriving” is becoming very popular – drive around in a car w/ an omnidirectional antenna and a GPS to locate insecure access points
• Geographical databases are being compiled that give the coordinates of insecure networks
• Newer products have true security (RADIUS)

Wireless Security
• NetStumbler is one popular utility
• Above are all the access points between work (Lansing) and home (Haslett), many of which were found at 45 mph on Mount Hope Highway
• Be afraid. Be very afraid.

My Wireless Solution
• Only trust wireless users as much as Internet users
• Put the WAP on a DMZ, require VPN access to the internal network
• Disallow all other access (e.g. wireless to the Internet)
• This will allow strong authentication and logging for use of internal servers
• Should stop abuse (freeloading)

Logging and Reporting
• In order to know how your network is being used, you need to log all traffic
• Use reporting tools to summarize and make sense of it!
• It’s too hard and time consuming to scan through logs to find suspicious information
• Instead, use a log reporting tool such as “WebTrends Firewall Suite” to make sense of it
• These tools should summarize information such as host and protocol activity, usage trends, most popular hosts, etc.
• The “Cheap Man’s IDS”

WebTrends Firewall Suite

Host Security

General Host Security
• Not nearly enough time to talk about everything we need to!
• We must refer to OS hardening guides instead – there are many good ones out there • We will touch on a few highlights, things that are perhaps not so obvious • Make sure to properly configure auditing and logging capabilities • Make sure that machines are properly patched • Make sure that password security is adequate Hardening Guides • http://nsa1.www.conxion.com/ Windows NT/2000, Cisco routers, e-mail • http://www.sans.org Windows, Solaris, Linux (not free) • http://www.microsoft.com/security Microsoft (of course) • Analysts International Hardening Checklist (Normally used internally) Macintosh Security Macintosh OS/X Security • Warning: I am not a Macintosh expert. I am a UNIX geek. I can only speak about the underlying packages that are common to other platforms • We’ll focus on OS/X because it is actually a UNIXlike operating system underneath the hood • Because of this, security must now be a bigger concern than before • OS/X is relatively secure by default – it is not intended to be a multi-user system. Root is disabled • Check out http://www.securemac.com for articles • http://www.apple.com/support/security/security_upda tes.html For security updates so far • Brush up on UNIX security, especially how privileges work (su, sudo, root account, low level ports) Macintosh OS/X Security • One of the most dangerous security problems on the Mac is actually from Microsoft • IE 5.1 may allow a remote user to take over your Mac (two problems so far, more to come) • Microsoft office scripting / Macro viruses / Exchange are always a problem • Various issues with UNIX apps underneath • Apache mod_SSL remote root compromise • PHP, Tomcat, sudo, openssh, etc. root compromises • Beware of password security! • Appletalk brute force attacks & tools • Other brute force attacks (FTP, HTTP) Macintosh OS/X Steps to Take • Learn UNIX security (sorry!) • Keep up to date with patches. 
• Use the auto updater if you are trusting or short on time
• Use workstation firewalling to block incoming access to everything!
• Never run unnecessary services – especially the remote command-line (Remote Login) option and FTP
• Never run plaintext protocols like Telnet or FTP; use SSH instead
• Don’t enable root access
• Use good antivirus software (make sure it works in both the Classic and OS X environments)

Novell Security

Novell Security
• Novell is not hacked casually, because it’s not that much fun
• There are some issues, though, that you should know about
• http://www.nmrc.org/faqs/netware/index.html is where to start reading
• There are several problems in older versions. We will assume version 4.x or later
• Also assume that patches are up to date (including GroupWise and BorderManager)
• Do not run the web server

Novell Security
• Check all accounts for inappropriate access
• Check USER_TEMPLATE! Sometimes you can log in as the template user, with whatever rights it carries
• Check service accounts such as ARCserve, backup, and GroupWise agents
• Physically protect the server – there is a debugger key combination that can disable the console screen saver and drop you to the console
• It is also possible to modify the disk directly with a disk editor (such as Norton’s) to disable the security settings

Novell Security
• Beware Pandora by NMRC.ORG
• A great tool for admins and hackers alike
• Great for auditing password security
• Can brute-force attack passwords from directory services backup files: BACKUP.DS, BACKUP.NDS, DSREPAIR.DIB – are these files lying around?
• Can also spoof and hijack connections and file copies (use network switches and turn on packet signatures to stop some of this)
• Put SET NCP PACKET SIGNATURE OPTION=3 as the first line of STARTUP.NCF so that signatures are required rather than merely preferred
• Numerous DoS attacks (the “yang” attack)
• Bad NDS permissions are common

Novell Security
• Never use RCONSOLE if possible (and definitely don’t put an RCONSOLE password in the .NCF file)
• Beware of Compaq Insight Manager
• Beware of the Web Server:
– Remove all sample code and unneeded stuff
– SEWSE.NLM allows read access to any file
– Multiple DoS attacks – NetWare Remote Manager
– NDSOBJ.NLM allows browsing of NDS
– Old GroupWise WebAccess applet allows read access
– GWWEB.EXE allows read access
• Enable intruder detection
• Enable auditing of critical files

Linux / UNIX Security

Linux / UNIX Security
• Linux/UNIX is in some ways more secure than other alternatives
• Open Source means that people can look for security problems on their own – a mixed blessing
• Linux is the sum of a number of software pieces by various people – the kernel, GNU libraries, application software, etc.
• Thus, a bug in one of the applications can affect the whole OS, especially if the process runs as root
• Despite this, security is generally pretty good by default, but it is still important to harden and maintain the servers properly
• Use the NSA hardening guide

Linux Hardening
• Read the (free) Linux Administrator’s Security Guide: http://seifried.org/lasg/
• Do a minimal installation and add packages later
• Double-check for updates before putting the machine on the net
• Create your disk partitions wisely – hard links cannot cross filesystems, so giving these directories their own partitions blocks some link tricks and lets them be mounted with restrictive options:
– /tmp (temp files)
– /var (log files, working files)
– /home (user files)
• Use a BIOS / LILO / GRUB password – otherwise booting to single-user mode (‘linux single’ at the boot prompt) gives a root shell with no password asked
• Use the ‘immutable’ attribute on files that should never change: chattr +i /etc/lilo.conf (chmod cannot set this attribute)

UNIX Security
• Filesystem “gotchas”: setuid and setgid files
‘find / -perm -4000 -type f’ and ‘find / -perm -2000 -type f’
• Remove setuid privs from unnecessary utils such as ‘rlogin’ on single-user systems
‘chmod -s /usr/bin/rlogin’ (path varies by distribution)
• Find all files that are world-writable (and make sure they are not important!)
‘find / -perm -o+w ! -type l’ (symlinks always show as 777, so exclude them; ‘-perm -g+w’ finds group-writable files, also worth a look)
• World-writable scripts are a no-no (such as those that are run by users or especially root)
‘chmod og-w bigscript.sh’

UNIX Security
• Turn off all unnecessary services
• Use ipchains firewalling to block incoming connections – default policy of deny all, allow specific source addresses and ports only.
• From /etc/sysconfig/ipchains:
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
(‘-y’ matches only SYN packets, so established connections are unaffected. The two REJECT lines cover only the privileged TCP ports and X11; anything else, UDP included, is stopped only by the chain’s default policy, so verify that policy really is DENY.)
• Test these rules from somewhere else with NMAP and Nessus!
• Never trust a local portscan

UNIX Security
• Use TCP Wrappers or xinetd security features to restrict incoming connections by source and service
• Use Secure Shell (SSH) as a replacement for Telnet
• Use SSH / SCP to transfer files with encryption (nice, and very scriptable)
• Use Tripwire (tripwire.com) to monitor filesystem changes
• Use Snort (snort.org) as a free IDS
• Use Psionic PortSentry (port scan detection) and Logcheck (log watching) from http://www.psionic.com to find attacks and suspicious activity in the logs
• Log to an alternate syslog server
• Use ‘netstat -a -n | grep LISTEN’ or ‘lsof -i -n -P | grep LISTEN’ to find programs listening on network ports

Microsoft Security

General Microsoft Security
• Obviously, Microsoft has had a few problems
• It requires good hardening and constant patching, but it can be made (pretty) secure
• Microsoft is making a genuine attempt to improve their security (developer camp)
• Requires updating all kinds of components:
– Core operating system
– Internet Information Server
– Microsoft Exchange / Outlook
– Microsoft SQL Server
– Internet Explorer
• Build this expectation into your time estimates and total cost of ownership when evaluating operating systems

During Installation
• Do not connect to the Internet while installing (the machine can be hacked during the install, before any patches are on)
• Install the minimal number of packages
• Make Internet servers standalone – not part of any domain or Active Directory
• Format all volumes as NTFS
• Install IIS on a separate volume or hard drive (note that this requires an unattended installation and script)
• Use strong administrator passwords

Install all service packs
• Operating system
• Internet Information Server
• Internet Explorer
• SQL Server, others as needed
• hfnetchk.exe should come up clean before the server is deployed

Filesystem Security
• The ‘Everyone’ group has full access to all drives by default! This is dangerous and unnecessary
• Carefully remove ‘Everyone’ and grant access to disks using descriptive groups (administrators, users, etc.)
• Create a ‘web users’ group that has READ access to IIS directories
• Create a ‘web admins’ group that has WRITE access to IIS directories
• Add IUSR_<machine> and IWAM_<machine> to ‘web users’ (and to ‘web admins’ only if really needed)

Filesystem Security
• Delete, or remove access to, dangerous programs to make hacking harder (restricting them to Administrators via NTFS ACLs keeps them usable for maintenance):
ARP.EXE, AT.EXE, ATSVC.EXE, ATTRIB.EXE, CACLS.EXE, CLIPSRV.EXE, CMD.EXE, COMMAND.COM, CSCRIPT.EXE, DEBUG.EXE, DIALER.EXE, EDIT.EXE, EDLIN.EXE, FINGER.EXE, FTP.EXE, HTIMAGE.EXE, HYPERTRM.EXE, IISSYNC.EXE, IMAGEMAP.EXE, IPCONFIG.EXE, MSIEXEC.EXE, NBTSTAT.EXE, NET.EXE, NET1.EXE, NETSH.EXE, NETSTAT.EXE, NSLOOKUP.EXE, PING.EXE, POLEDIT.EXE, POSIX.EXE, QBASIC.EXE, QFECHECK.EXE, RCP.EXE, RDISK.EXE, REGEDIT.EXE, REGEDT32.EXE, REXEC.EXE, ROUTE.EXE, RSH.EXE, RUNAS.EXE, RUNONCE.EXE, SECFIXUP.EXE, SYSEDIT.EXE, SYSKEY.EXE, TELNET.EXE, TFTP.EXE, TRACERT.EXE, TSKILL.EXE, UNINST.EXE, WSCRIPT.EXE, XCOPY.EXE

Filesystem Security
• Remove all resource kits and SDKs
• Disable indexing of disks recursively
• Never allow the Recovery Console to boot from the hard drive
• Delete backup copies of the registry from %SystemRoot%\repair\
• Configure the recycle bin to immediately delete files
• Configure the system page file to be cleared at shutdown

High-accountability logging
• Enable auditing of filesystem accesses
• Configure auditing to log all failed file accesses by the ‘Everyone’ group
• Increase the size of the event log to 512 MB if possible
• Set Event Viewer to overwrite events that are N days old, where N matches your backup schedule (so nothing is lost before it has been backed up)
• Audit the use of privileges

Monitor suspicious log events
• Filter event logs for interesting events:
– 529: Unknown Username or Bad Password
– 537: Unsuccessful Logon
– 530: Account Logon Time Restriction Violation
– 531: Account Currently Disabled
– 532: Account Has Expired
– 533: User Not Allowed to Log on
– 534: Logon Type Restricted
– 535: Password Expired
– 516: Some Audit Event Records Discarded
– 517: Audit Log Cleared

More Suspicious Events
– 624: User Account Created
– 630: User Account Deleted
– 627: Change Password Attempt
– 636: Local Group Member Added
– 632: Global Group Member Added
– 642: User Account Changed
– 643: Domain Policy Changed
– 608: User Right Assigned
– 609: User Right Removed
– 612: Audit Policy Change
– 610: New Trusted Domain
– 611: Removing Trusted Domain

Network Adapter Settings
• Disable all bindings except TCP/IP
• Use IP filters to limit incoming traffic to only required ports (80, 443, 25, etc.)
• Disable remote access to the registry
• Disable NetBIOS over TCP/IP
• Disable IP routing
• Do not make “dual-homed” hosts that connect insecure (external) networks to secure (internal) networks
• Harden the TCP/IP stack against DoS attacks

Disable Unnecessary Services
• Alerter
• ClipBook Server
• Computer Browser
• Distributed File System
• Distributed Link Tracking Server
• Distributed Link Tracking Client
• IPSEC Policy Agent (unless IPSEC is used)
• License Logging Service
• Logical Disk Manager Administrative Service (needed for software RAID)
• Messenger
• Net Logon

Disable Unnecessary Services
• Network DDE
• Network DDE DSDM
• Print Spooler
• Remote Registry Service
• Removable Storage
• Server (needed if the SMTP service is used)
• Task Scheduler
• TCP/IP NetBIOS Helper
• Telephony (needed for Terminal Server)
• Windows Installer
• Windows Time
• Workstation (needed for some maintenance tasks)

Accounts and User IDs
• Configure password strength enforcement for users
• Rename the administrator account
• Create a bogus ‘Administrator’ account with no rights and log its use
• Rename and disable the guest account
• Remove the ‘Access this computer from the network’ right from the administrator account and the ‘Everyone’ group

Accounts and User IDs
• Remove the ‘Log on locally’ right from all users and groups that don’t need it
• Perform periodic password cracking to find bad passwords (including products that log in and run as services)
• Disable remote access to the registry
• Disable anonymous access to NetBIOS services (null sessions are used for anonymously enumerating user IDs and other NetBIOS information across the network); on NT/2000 this is the RestrictAnonymous LSA setting

Use Group Policy
• A key advantage of Windows 2000 is the ability to really control machines with Group Policy
• The NSA hardening guides have great documentation about Group Policy – read their guides as a starting place: http://nsa2.www.conxion.com/win2k/guides/w2k-3.pdf

IIS Security
• Don’t use FrontPage Server Extensions
• Disable the HTML administration site
• Store web content on a separate drive
• Bind the web server process to specific IP addresses (not all available)
• Disable the WebDAV service
• Remove all unneeded ISAPI mappings, especially .ida/.idq (Indexing Service), .idc (Internet Database Connector) and .printer (Internet Printing)

IIS Security
• Remove support for Internet printing
– Remove the /printers virtual directory
– Delete files from %SystemRoot%\web\printers
– Disable local or group policy options for “Web-Based Printing”
• Delete default and sample IIS files
– \Inetpub\iissamples
– \Inetpub\AdminScripts
– \Program Files\Common Files\System\msadc\Samples
– %SystemRoot%\help\iishelp
– %SystemRoot%\System32\Inetsrv\iisadmpwd
– %SystemRoot%\web\printers

IIS Security
• Use restrictive IIS permissions
– On the "Home Directory" tab, disable Read, Write and Directory browsing
– Add specific rights as necessary
– Never assign the Script Source Access IIS permission to any folder
– Use authentication on all folders with Write / Write-Execute access
– If HTTP Basic authentication is required, use SSL (Basic sends the password base64-encoded, effectively in the clear)
– If using NTLM authentication, require NTLM v2

IIS Security
• Protect global.asa files
– NTFS permissions set for System, Administrators and Operators = Full Control
– NTFS permissions set for Authors = Modify
– NTFS permissions set to explicitly deny the IUSR_server and IWAM_server accounts
– All failed accesses to global.asa are logged
• Protect the MetaBase.bin file
– MetaBase.bin has Full Control for System and Administrators
– MetaBase.bin has Modify for Operators
– Audit all failed and successful NTFS access to MetaBase.bin
• Enable the maximum level of logging
• Set the UseHostName metabase property so that redirects carry the server’s host name rather than its true IP address

Good Web Sites
• http://www.securityfocus.com (sign up for Bugtraq and read the articles)
• http://www.packetstormsecurity.org (seems to change a lot, but lots of dirt)
• http://www.microsoft.com/security
• http://www.sans.org (check out the student papers)
• http://www.cert.org
• http://www.gocsi.com
• http://www.securityportal.com
• http://www.isc2.org

Discussion

Thank You!
Mark Lachniet, MCNE, MCSE, CCSE, LPIC-1
Sr. Security Engineer
Analysts International - Sequoia Services Group
3101 Technology Blvd, Suite A
Lansing, MI 48910
(517) 336-1004 - voice
(517) 336-1100 - fax
mailto:[email protected]
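Worked example for the UNIX Security slide's filesystem "gotchas" (setuid/setgid files, world-writable files, world-writable scripts). This is an added example, not code from the presentation: it performs the same checks as the slide's `find / -perm ...` one-liners, but from a script whose output can be kept and diffed against a known-good baseline, and it applies the slide's `chmod og-w` remedy to the world-writable scripts it finds. It skips symbolic links (lstat reports 0777 for a link, a classic false positive) and builds its own throwaway sample tree; the file names and modes in `build_sample_tree` are constructed sample data, not a real system.

```python
"""Audit a directory tree for setuid/setgid files and world-writable files.

Added example for the UNIX Security slides, not from the original presentation.
"""
import os
import stat
import tempfile


def classify(mode):
    """Return the audit tags that apply to a regular file's permission bits."""
    tags = []
    if mode & stat.S_ISUID:
        tags.append("setuid")
    if mode & stat.S_ISGID:
        tags.append("setgid")
    if mode & stat.S_IWOTH:
        tags.append("world-writable")
        # Anyone can edit it AND somebody runs it: the slide's "no-no"
        if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            tags.append("world-writable-executable")
    return tags


def audit_tree(root):
    """Walk `root` without following symlinks; return {tag: sorted relative paths}."""
    findings = {"setuid": [], "setgid": [], "world-writable": [],
                "world-writable-executable": []}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # inspect the link itself, never its target
            if not stat.S_ISREG(st.st_mode): # symlinks, sockets, fifos are not our concern here
                continue
            for tag in classify(st.st_mode):
                findings[tag].append(os.path.relpath(path, root))
    return {tag: sorted(paths) for tag, paths in findings.items()}


def fix_world_writable_scripts(root, findings):
    """Apply the slide's remedy (chmod og-w) to world-writable executables, then re-audit."""
    for rel in findings["world-writable-executable"]:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return audit_tree(root)


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="fsaudit-")
    spec = {  # relative path: mode (constructed sample data)
        "bin/su": 0o4755,                      # legitimate setuid binary
        "bin/rlogin": 0o4755,                  # setuid util the slide says to strip
        "usr/bin/wall": 0o2755,                # setgid
        "etc/cron.hourly/cleanup.sh": 0o777,   # world-writable script run by root: the no-no
        "var/tmp/notes.txt": 0o666,            # world-writable data file
        "home/user/report.txt": 0o644,         # normal file, must not be flagged
    }
    for rel, mode in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n" if rel.endswith(".sh") else "sample\n")
        os.chmod(path, mode)
    # A symlink to the world-writable script: must be ignored, not double-counted
    os.symlink(os.path.join(root, "etc/cron.hourly/cleanup.sh"),
               os.path.join(root, "home/user/cleanup-link"))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    before = audit_tree(sample)
    for tag, paths in before.items():
        print(f"{tag:28s} {paths}")
    after = fix_world_writable_scripts(sample, before)
    print("world-writable scripts after chmod og-w:", after["world-writable-executable"])
```

Run it against a real system by calling `audit_tree("/")` as root (it needs read access to every directory); on a single-user box the `setuid` list is what you would prune with `chmod -s`.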
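Worked example for the Logging and Reporting slide (the "Cheap Man's IDS"): summarize denied-packet logs instead of reading them line by line. This is an added example, not code from the presentation, and it stands in for the commercial reporting tool the slide mentions. The sample lines are constructed in the style of the kernel log output that ipchains produces when a rule carries the `-l` (log) flag; only the fields the regular expression reads (chain, target, interface, PROTO, source and destination address:port) matter, so another firewall's format can be accommodated by changing `LINE_RE`. The scan threshold is an assumed tuning value.

```python
"""Summarize firewall deny logs: top services, top sources, and probable port scans.

Added example for the Logging and Reporting slide, not from the original presentation.
"""
import re
from collections import Counter, defaultdict

# Matches the ipchains-style "Packet log:" lines below; adjust for other formats.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SCAN_THRESHOLD = 5  # distinct destination ports from one source; assumed tuning value

# Constructed sample log: one host sweeping ports, plus ordinary background noise
SAMPLE_LOG = """\
May 14 02:11:05 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:40211 198.51.100.10:21 L=60 S=0x00 I=1 F=0x4000 T=51 SYN (#7)
May 14 02:11:05 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:40212 198.51.100.10:23 L=60 S=0x00 I=2 F=0x4000 T=51 SYN (#7)
May 14 02:11:06 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:40213 198.51.100.10:111 L=60 S=0x00 I=3 F=0x4000 T=51 SYN (#7)
May 14 02:11:06 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:40214 198.51.100.10:139 L=60 S=0x00 I=4 F=0x4000 T=51 SYN (#7)
May 14 02:11:07 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:40215 198.51.100.10:1433 L=60 S=0x00 I=5 F=0x4000 T=51 SYN (#7)
May 14 02:11:07 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:40216 198.51.100.10:6000 L=60 S=0x00 I=6 F=0x4000 T=51 SYN (#8)
May 14 02:40:19 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.8:137 198.51.100.10:137 L=78 S=0x00 I=7 F=0x0000 T=112 (#9)
May 14 02:41:02 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.8:137 198.51.100.10:137 L=78 S=0x00 I=8 F=0x0000 T=112 (#9)
May 14 03:05:44 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:1025 198.51.100.10:8080 L=60 S=0x00 I=9 F=0x4000 T=64 SYN (#7)
May 14 03:06:10 fw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.200:8 198.51.100.10:0 L=84 S=0x00 I=10 F=0x0000 T=240 (#9)
May 14 03:06:11 fw kernel: eth0: link up, 100Mbps full duplex
"""


def parse(lines):
    """Extract the fields we report on; lines that are not packet logs are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "chain": d["chain"], "target": d["target"], "iface": d["iface"],
            "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
        })
    return records


def report(records):
    """Aggregate: hits per (proto, port), top sources, and sources touching many ports."""
    by_service = Counter((r["proto"], r["dport"]) for r in records)
    by_source = Counter(r["src"] for r in records)
    ports_per_source = defaultdict(set)
    for r in records:
        ports_per_source[r["src"]].add((r["proto"], r["dport"]))
    scanners = sorted(src for src, ports in ports_per_source.items()
                      if len(ports) >= SCAN_THRESHOLD)
    return {"total": len(records), "by_service": by_service,
            "top_sources": by_source.most_common(3), "scanners": scanners}


def summarize_text(text):
    return report(parse(text.splitlines()))


def format_report(summary):
    """Render the summary the way a human would want to read it each morning."""
    out = [f"{summary['total']} denied packets", "Top destination services:"]
    for (proto, port), n in summary["by_service"].most_common(5):
        out.append(f"  {proto}/{port:<6} {n}")
    out.append("Top sources:")
    for src, n in summary["top_sources"]:
        out.append(f"  {src:<16} {n}")
    if summary["scanners"]:
        out.append("Possible port scans from: " + ", ".join(summary["scanners"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize_text(SAMPLE_LOG)))
```

Fed with `/var/log/messages` instead of `SAMPLE_LOG`, this gives the "host and protocol activity, most popular hosts" view the slide asks for; the scan heuristic is the cheap IDS part, and it only works if the REJECT/DENY rules actually log (the `-l` flag on the rules shown on the UNIX Security slide).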
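Worked example for the "Monitor suspicious log events" and "More Suspicious Events" slides: filter an exported Security log for the listed event IDs and collapse a burst of 529s against one account into a single brute-force alert. This is an added example, not code from the presentation. The input is a constructed comma-separated export (date, time, event ID, account, workstation) that approximates what Event Viewer's "Save As" CSV gives you; a real NT/2000 export has more columns and puts the target account in the description text, so the parser would need adjusting for your export. The ID table is the one on the slides; the threshold and window are assumed tuning values.

```python
"""Filter an exported NT/2000 Security log for the event IDs on the slides.

Added example for the "Monitor suspicious log events" slides, not from the original presentation.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Event IDs and descriptions as listed on the slides
LOGON_FAILURES = {
    529: "Unknown Username or Bad Password", 530: "Account Logon Time Restriction Violation",
    531: "Account Currently Disabled", 532: "Account Has Expired",
    533: "User Not Allowed to Log on", 534: "Logon Type Restricted",
    535: "Password Expired", 537: "Unsuccessful Logon",
}
AUDIT_TAMPERING = {516: "Some Audit Event Records Discarded", 517: "Audit Log Cleared"}
ACCOUNT_CHANGES = {
    608: "User Right Assigned", 609: "User Right Removed", 610: "New Trusted Domain",
    611: "Removing Trusted Domain", 612: "Audit Policy Change", 624: "User Account Created",
    627: "Change Password Attempt", 630: "User Account Deleted", 632: "Global Group Member Added",
    636: "Local Group Member Added", 642: "User Account Changed", 643: "Domain Policy Changed",
}
WATCHED = {**LOGON_FAILURES, **AUDIT_TAMPERING, **ACCOUNT_CHANGES}

BRUTE_FORCE_THRESHOLD = 5                 # failed logons per account; assumed tuning value
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # assumed tuning value

# Constructed sample export: date,time,event_id,account,workstation
SAMPLE_EXPORT = """\
2002/05/14,08:01:13,528,jsmith,LIB-PC07
2002/05/14,08:02:40,529,administrator,UNKNOWN
2002/05/14,08:02:41,529,administrator,UNKNOWN
2002/05/14,08:02:43,529,administrator,UNKNOWN
2002/05/14,08:02:44,529,administrator,UNKNOWN
2002/05/14,08:02:46,529,administrator,UNKNOWN
2002/05/14,08:02:47,529,administrator,UNKNOWN
2002/05/14,08:15:02,529,mjones,LAB-PC12
2002/05/14,09:30:00,517,SYSTEM,SRV-WEB1
2002/05/14,10:05:22,636,svc_backup,SRV-WEB1
2002/05/14,10:45:09,538,jsmith,LIB-PC07
2002/05/15,07:59:58,529,mjones,LAB-PC12
"""


def parse_export(text):
    rows = []
    for date, time_, event_id, account, workstation in csv.reader(StringIO(text)):
        rows.append({"when": datetime.strptime(f"{date} {time_}", "%Y/%m/%d %H:%M:%S"),
                     "id": int(event_id), "account": account, "workstation": workstation})
    return rows


def interesting_events(rows):
    """Every row whose ID is on the watch list, with the slide's description attached."""
    return [dict(r, description=WATCHED[r["id"]]) for r in rows if r["id"] in WATCHED]


def brute_force_alerts(rows, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Accounts with >= threshold 529s inside a sliding time window -> {account: peak count}."""
    by_account = defaultdict(list)
    for r in rows:
        if r["id"] == 529:
            by_account[r["account"]].append(r["when"])
    alerts = {}
    for account, times in by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[account] = max(alerts.get(account, 0), count)
    return alerts


def summarize(text):
    rows = parse_export(text)
    events = interesting_events(rows)
    return {
        "watched": len(events),
        "by_id": dict(Counter(e["id"] for e in events)),
        "audit_tampering": [e["id"] for e in events if e["id"] in AUDIT_TAMPERING],
        "brute_force": brute_force_alerts(rows),
    }


if __name__ == "__main__":
    for e in interesting_events(parse_export(SAMPLE_EXPORT)):
        print(e["when"], e["id"], e["account"], e["description"])
    print(summarize(SAMPLE_EXPORT))
```

A 517 (Audit Log Cleared) is worth paging on by itself: with the log size and overwrite settings from the "High-accountability logging" slide in place, nobody should be clearing it by hand. The single mjones failure a day apart is correctly ignored; the six administrator failures in seven seconds are one alert, not six lines to read.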