Securing Your OS and Detecting Intruders - PowerPoint PPT Presentation

Slides: 35
Provided by: lauries8

Transcript and Presenter's Notes

1
Securing Your OS and Detecting Intruders
  • Laurie Walters
  • Security Operations and Services
  • Lwalters_at_psu.edu

2
Use Common Sense To Reduce Web Server Surface Area
  • Would you ever bolt your windows shut for
    security reasons but leave your front door wide
    open? Obviously, not on purpose!
  • When considering security for your web site you
    need to place a strong emphasis on system
    security.

3
Choosing Which Web Server to Use
  • Determine which web server to run based on how
    comfortable you are with the OS as well as the
    Web server software.
  • Use an OS that allows you to set file and
    directory permissions

4
Not So Fast!
  • Install OS from an already secured image or from
    CD rather than a network install.
  • Do not install web server software until OS and
    other necessary apps are completely secured.

5
Four Security Principles
  • Defense in Depth
  • Minimalism
  • Separation
  • Least Privilege Principle

6
Defense In Depth
  • Security Is a Multi-faceted Problem
  • Many issues must be considered
  • Physical
  • Social
  • System
  • Application-based
  • Network

7
Minimalism
  • Less is More Secure
  • If you run it, they will come
  • Don't install services if you are not planning
    on using them!
  • E.g. telnet, ftp server, r services, etc.

8
Separation
  • Don't put all your eggs in one basket
  • Vital services should be spread amongst machines

9
Least Privilege Principle
  • All employees should access computers with least
    privilege possible (as user or power user status)
  • Non-system administrator accounts are more
    restricted.
  • Can control programs and files that are
    accessible
  • No installation or administration abilities
  • Administrator uses Runas command or Fast User
    Switching to increase privileges for system
    administration tasks.

10
Accounts
  • Web server accounts: IUSR, Apache anonymous users
  • Admin accounts: everyone has his/her own
  • su vs. root, Runas
  • Delete any unused accounts on machine(s).

11
Passwords
  • Choose appropriate good passwords for all
    remaining accounts.
  • NEVER, UNDER ANY CIRCUMSTANCES, USE BLANK
    PASSWORDS, SAME USERID AND PASSWORD, OR
    MACHINENAME AND PASSWORD!!!

12
Restrict Access to Data
  • Install Web Server on a separate partition
  • Check and change permissions on all folders
  • Unix: ls -lact / chmod
  • Windows: Properties / Security tab
  • Restrict access to web software directories, web
    content, other data, and log files
  • Do not allow access to binaries / executables

13
Patch Your Server
  • Before putting on net
  • Use an already secured machine to download
    critical patches and software updates
  • Unix: Apache, SSH, SSL
  • Windows: OS Service Pack, IIS 4/5 Rollup patch
  • Band aids versus fixing the problem

14
Continue to Apply Patches
  • Keeping your system patched is (unfortunately) a
    continuous process.
  • Subscribe to pertinent listservs for your OS and
    applications.

15
Shares
  • Do not create any non-password protected shares
    on your web server for any reason.

16
Shut Down Services
  • Esp. FTP, telnet, remote access, r services
  • Don't install portions of web software that you
    don't need (e.g. FTP, SMTP, WebDAV, etc.)
  • Use secure services where possible

17
Disabling Services
  • Non-BSD based Unix (e.g. Linux)
  • /etc/rc.d
  • KXXServiceName and SXXServiceName
  • BSD based Unix (e.g. OpenBSD, Solaris)
  • /etc/rc.local, /etc/rc.startup, /etc/rc.system
  • Windows 2000
  • Control Panel → Services
  • Disable Remote Registry Access if not needed
  • Windows 2003
  • Need to enable necessary services (IIS!)

18
Set up Appropriate Windows Security Auditing
Policies
  • Control Panel → Administrative Tools → Local
    Security Settings
  • Set success and failure for Account Logon Events,
    Logon Events, Account Management, and Policy
    Change

19
Setting Password Policies
  • Windows Local Security Policies → Account
    Policies → Password Policy
  • Set Password History (5), Password Length (7),
    and Password Complexity (Enabled)
  • Windows Local Security Policies → Account
    Policies → Account Lockout Policy
  • Set Lockout Duration (15), Lockout Threshold
    (5), and Lockout Reset Counter (15)

20
Setting Account Policies
  • In Unix, you can set account policies using PAM
  • With PAM, you can set rules for authentication
    modules for services.

21
Install Virus Protection
  • (For Mac and Windows only)
  • http://www.computerstore.psu.edu
  • Connect to an update server or set a schedule for
    automatic updates (Patch manually if you hear of
    a new virus)

22
Use Security Tightening Tools
  • WARNING: Be careful using automatic tools to lock
    down your system.
  • Windows: STPP; use hfnetchk, MBSA
  • Unix: Titan in Verify mode

23
Install Tripwire
  • Install and run a baseline scan to make a one-way
    MD5 hash for each file.
  • Detects undesired changes in the files if they
    have been modified (if the MD5 checksum does not
    match).
  • Linux: Open Source vs. Windows: Tripwire for
    Servers
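As an added illustration (not Tripwire's own code), a minimal baseline-and-compare integrity checker in Python: it hashes every regular file under a directory, stores the digests, and on a rescan reports files that were added, removed or modified. MD5 is used only because the slide names it; a current deployment would pass a stronger algorithm such as SHA-256.

```python
import hashlib
import json
import os

# Added example, not Tripwire's own code: hash every regular file under a
# root, store the digests as the baseline, then report changes on a rescan.
# MD5 is used only because the slide names it; SHA-256 is preferable today.

def hash_file(path, algo="md5", chunk=65536):
    """Return the hex digest of one file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root, algo="md5"):
    """Map each regular file (relative path) under root to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                digests[os.path.relpath(full, root)] = hash_file(full, algo)
    return digests

def save_baseline(digests, path):
    """Persist the baseline; in practice keep it on read-only media."""
    with open(path, "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Classify paths as added, removed or modified (digest mismatch)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def check_tree(root, baseline_path, algo="md5"):
    """Rescan root and diff it against the stored baseline."""
    return compare(load_baseline(baseline_path), hash_tree(root, algo))
```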

24
Use a Firewall
  • A firewall is a combination of hardware and
    software used to implement a security policy
    governing the network traffic between two or more
    networks
  • Principle of Minimum access
  • "That which is not explicitly permitted is
    denied."
  • Stateful Inspection firewalls are preferred
  • What should be filtered??? Good Question!

25
Hardware Firewalls
  • Hardware firewalls offer more protection than
    software-based personal firewalls
  • Cisco Pix
  • Nokia Checkpoint

26
Unix Firewalls: IP Chains / IP Tables
  • Create rulesets, which are then loaded into
    memory/the kernel and are processed for every
    packet that passes the system.
  • In ipchains, the fate of every packet is decided
    solely on the makeup of that packet. It does not
    depend on what has happened previously. With
    iptables, however, you can (optionally) make such
    decisions based on what has happened before.
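To make the stateless-versus-stateful distinction concrete, here is an added toy packet filter in Python (not from the deck and not ipchains or iptables code). The addresses and port numbers are constructed; the stateless filter judges each packet only by its own header fields, while the stateful one also remembers connections the protected host opened.

```python
from collections import namedtuple

# Added example, not from the slides and not ipchains/iptables code: a toy
# packet filter contrasting the two models the slide describes. The
# stateless filter judges each packet by its own header fields, as ipchains
# does; the stateful one also consults a connection table, as iptables can.
Packet = namedtuple("Packet", "src sport dst dport syn ack")
WEB_SERVER = "10.0.0.5"   # constructed address of the protected host

def stateless_filter(pkt):
    """ipchains-style: decide from this packet alone. To let replies to the
    server's own outbound connections back in, the ruleset has to admit any
    inbound packet to a high port that is not a bare SYN."""
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return "ACCEPT"      # clients reaching the web service
    if (pkt.dst == WEB_SERVER and pkt.dport >= 1024
            and not (pkt.syn and not pkt.ack)):
        return "ACCEPT"      # presumed reply traffic; cannot be verified
    if pkt.src == WEB_SERVER:
        return "ACCEPT"      # anything the server sends out
    return "DROP"

class StatefulFilter:
    """iptables-style: remember connections the server opened and admit
    inbound high-port traffic only when it matches one of them."""
    def __init__(self):
        self.conns = set()   # (server_port, peer_addr, peer_port)

    def filter(self, pkt):
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "ACCEPT"  # NEW inbound HTTP is explicitly allowed
        if pkt.src == WEB_SERVER:
            if pkt.syn and not pkt.ack:          # server initiates
                self.conns.add((pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "ACCEPT"  # ESTABLISHED: reply to a tracked connection
        return "DROP"        # unsolicited, including non-SYN packets at
                             # high ports that the stateless filter lets in

def run(filter_fn, packets):
    """Apply a filter to a packet sequence, in order."""
    return [filter_fn(p) for p in packets]
```

Run over the same four packets, the stateless filter accepts an unsolicited ACK-only packet aimed at the server's high port because it cannot know no such connection exists, whereas the stateful filter drops it.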

27
Windows Firewalls
  • ICF (not stateful)
  • Zonealarm Pro
  • Tiny
  • Symantec

28
Intrusion Detection
  • Monitoring activity that is occurring to
    determine if it is legitimate
  • Can be host-based or network-based
  • Why?
  • Catch hackers or worms before they cause damage

29
Statistical Anomaly Detection
  • Make a baseline of what is considered normal
  • Track characteristics of data
  • Network packet (e.g. protocol, port, size,
    source, etc)
  • User login, time, files accessed, programs used,
    etc
  • Compare traffic to baseline to determine what is
    not normal.
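As an added example (not from the deck), a small baseline-and-compare detector in Python over the login characteristics the slide lists: it profiles each user's login hours and programs from a constructed training set, then reports events that fall outside that profile. The user names, hours and program names are all constructed.

```python
from collections import Counter, defaultdict

# Added example, not from the slides: profile normal login behaviour per
# user from a training period, then flag events that deviate from it.
# Constructed training records: (user, hour_of_day, program_run)
TRAINING = [
    ("alice", 9, "httpd-admin"), ("alice", 10, "httpd-admin"),
    ("alice", 11, "vi"), ("alice", 14, "vi"), ("alice", 16, "httpd-admin"),
    ("bob", 8, "tail"), ("bob", 9, "tail"), ("bob", 13, "less"),
    ("bob", 17, "tail"),
]

def build_profile(records):
    """Per user: the range of login hours seen and the programs used."""
    hours = defaultdict(list)
    programs = defaultdict(Counter)
    for user, hour, prog in records:
        hours[user].append(hour)
        programs[user][prog] += 1
    return {
        u: {"hour_min": min(hours[u]), "hour_max": max(hours[u]),
            "programs": set(programs[u])}
        for u in hours
    }

def score_event(profile, user, hour, prog, slack=1):
    """Return the reasons an event deviates from the baseline; an empty
    list means it looks normal. slack widens the hour window so a
    slightly early or late login is not flagged on its own."""
    reasons = []
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    if not (p["hour_min"] - slack <= hour <= p["hour_max"] + slack):
        reasons.append("unusual hour")
    if prog not in p["programs"]:
        reasons.append("unusual program")
    return reasons

def detect(profile, events, slack=1):
    """Return only the deviating events, paired with their reasons."""
    flagged = []
    for e in events:
        reasons = score_event(profile, *e, slack=slack)
        if reasons:
            flagged.append((e, reasons))
    return flagged
```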

30
Rule-based Intrusion Detection
  • Certain predefined signatures loaded into IDS for
    intrusions.
  • E.g. Rules for Code Red / Nimda

31
Intrusion Detection
  • Most users will be legitimate
  • E.g. 95% of users will have normal activity.
    Of the other 5%, what is considered hostile?
  • The challenge of Intrusion Detection:
    determining which are illegitimate

32
Detecting Intruders Without An IDS
  • Benefits
  • Free!
  • Can help to further lock down your system or
    catch an incident in progress.

33
Warning: Detecting Intruders
  • Unplug the network cable but DO NOT shut down the
    system because
  • Evidence of the attack may be lost (programs
    resident in memory or services that aren't set to
    run upon startup will be lost, logs may be wiped,
    etc.)
  • Any signs of active connections to your machine
    may be lost
  • Important files, such as system files, may be
    lost or destroyed

34
Continued in Part 2
  • Please see Web2003_2.pdf for remaining slides.