06 System Hardening
Transcript of 06 System Hardening
-
8/8/2019 06 System Hardening
1/60
1
Hardening Windows 2003 Web Servers
-
Ezenta A/S 2005
Agenda
Physical Security
OS Installation
Account Policies
Local Policies
Services
User Accounts
IP Policies
Permissions
Hardening IIS
Additional Hardening
-
General
-
General: Who should take this course
System Consultants
Security Consultants
System Architects
Anyone who is responsible for the configuration and/or the administration of a Windows 2003 environment
-
General: Strategy: Creating a secure environment
Secure current and/or new implementations of the Windows 2003 operating system
-
General: Strategy: Maintaining a secure environment
Maintain a secure environment by staying on top of security issues that are relevant to your installation
This is a proactive process!!
-
General: Scope of this course
This course will focus on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0
-
General: Prerequisites
Experience with IT security
Experience with MMC
Experience deploying web applications in enterprise environments
Some web application development knowledge will be useful but is not mandatory
-
General: What happens if I don't harden my web server?
Most systems can be compromised within 72 hours
Corporate humiliation
Won't know if your system has been / is being attacked
Money wasted on reparation and downtime
Company data/secrets could be stolen
Some web sites are fed with data that comes from the same database as other internal systems
-
Hardening one step at a time
Physical Security
OS Installation
Account Policies
Local Policies
Services
User Accounts
IP Policies
Permissions
Hardening IIS
Additional Hardening
(Chart: one bar per step, axis labelled Number of Weaknesses)
-
Prerequisites: What should
Install ALL necessary software/services before you begin. Make sure that they ALL work. Why?
If software/service doesn't work: Because of the hardening? Did it work before we started?
These are time-wasting situations
Let's begin.
-
Physical Security
-
Physical Security
We assume that physical security is in place.
-
OS Installation
-
OS Installation
No system upgrades. Why? Too many grey areas. ONLY clean installations
Two partitions (we shall be using one): 01 system files, 02 web applications
Strong administrative passwords. Rainbow attacks make 8 character passwords trivial to break
Only install necessary components
-
OS Installation
Use a static IP instead of DHCP if possible (one less service)
If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.
-
Proof of concept scan
-
Proof of concept scan: Windows 2003 v. Windows 2000
Why bother using Windows 2003? More secure by default.
Can Windows 2000 be as secure? Yes. It requires work.
-
Proof of concept scan: Windows 2003 v. Windows 2000
We will use standard tools to inspect a default Windows 2003 installation.
Tools to use: Nmap. Scans to perform:
nmap -sS -P0 -O -p 1-65535
nmap -sS -P0 -O -g 53 -p 1-65535
nmap -sT -P0 -O -p 1-65535
NStealth
Windows 2003: xx.xx.xx.xx
-
Local Security Settings
-
Policies: Local Security Settings
-
Policies: Account Policies
Never use dictionary words.
Never reuse old passwords by altering only one digit.
Never choose passwords based on pets, habits, likes or dislikes. One must never be able to identify a password by looking at the things on your desk.
Use upper- and lowercase with symbols and numbers.
Choose passwords based on phrases:
Th15 computr i5 protcted by a str0ng p@ssword
-
Policies: Account Policies: Password Policy
Enforce Password History: 24
Maximum Password Age: 42 days
Minimum Password Age: 2 days
Minimum Password Length: 14
Complexity requirements: Enabled
Use Reversible Encryption: Disabled
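As an added example (written for this transcript, not taken from the Ezenta slides), the following Python check applies the rules from this and the previous slide to a candidate password: the 14-character minimum, Windows-style complexity, no dictionary words, and no reuse of one of the last 24 passwords, including an old one with a single digit changed. The word list and the account name used are constructed for the demonstration.

```python
from __future__ import annotations
import re

# Values taken from the Password Policy slide.
HISTORY_SIZE = 24
MIN_LENGTH = 14
# Constructed word list for the demo; use a real dictionary in practice.
DICTIONARY = {"password", "welcome", "summer", "administrator"}
# Undo common letter-for-symbol swaps so 'P@ssw0rd' is still seen as 'password'.
LEET = str.maketrans("@01345$", "aoieass")


def _char_classes(pw: str) -> int:
    """Number of classes used out of upper, lower, digit and symbol."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def _one_digit_changed(new: str, old: str) -> bool:
    """True when new is old with exactly one digit replaced by another digit."""
    if len(new) != len(old):
        return False
    diffs = [(a, b) for a, b in zip(new, old) if a != b]
    return len(diffs) == 1 and diffs[0][0].isdigit() and diffs[0][1].isdigit()


def check_password(candidate: str, username: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Windows complexity: three of the four classes, and no account name inside.
    if _char_classes(candidate) < 3:
        problems.append("fewer than three character classes")
    if username and username.lower() in candidate.lower():
        problems.append("contains the account name")
    # Dictionary check: drop trailing digits/symbols, undo leet, keep letters only.
    core = re.sub(r"[^a-z]+$", "", candidate.lower())
    if re.sub(r"[^a-z]", "", core.translate(LEET)) in DICTIONARY:
        problems.append("dictionary word")
    recent = history[-HISTORY_SIZE:]
    if candidate in recent:
        problems.append(f"reused within the last {HISTORY_SIZE} passwords")
    elif any(_one_digit_changed(candidate, old) for old in recent):
        problems.append("old password with one digit altered")
    return problems
```

The slide's own passphrase passes every rule, while "P@ssw0rd1!" is rejected as both too short and a disguised dictionary word.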
-
Policies: Account Policies: Account Lockout Policy
Account Lockout Duration: 15 minutes
Account Lockout Threshold: 10 invalid attempts
Reset Lockout Counter: 15 minutes
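To show how the three lockout settings interact, here is an added Python model (not from the slides) of one account's bad-password counter: the counter resets after 15 minutes without failures, the tenth failure locks the account, and the lock expires by itself after 15 minutes. The `replay` driver and its start time are constructed for the demonstration.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Values taken from the Account Lockout Policy slide.
LOCKOUT_THRESHOLD = 10
LOCKOUT_DURATION = timedelta(minutes=15)
RESET_COUNTER_AFTER = timedelta(minutes=15)


class AccountLockout:
    """Bad-password counter for one account, following the three settings above."""

    def __init__(self) -> None:
        self.bad_count = 0
        self.last_bad: datetime | None = None   # time of the latest failed attempt
        self.locked_until: datetime | None = None

    def attempt(self, when: datetime, password_ok: bool) -> str:
        """Record one logon attempt; returns 'ok', 'bad_password' or 'locked'."""
        if self.locked_until is not None:
            if when < self.locked_until:
                return "locked"          # even a correct password is refused
            self.locked_until = None     # lockout duration has elapsed
            self.bad_count = 0
        # Reset Lockout Counter: failures older than 15 minutes no longer count.
        if self.last_bad is not None and when - self.last_bad >= RESET_COUNTER_AFTER:
            self.bad_count = 0
        if password_ok:
            self.bad_count = 0           # a successful logon clears the counter
            return "ok"
        self.bad_count += 1
        self.last_bad = when
        if self.bad_count >= LOCKOUT_THRESHOLD:
            self.locked_until = when + LOCKOUT_DURATION
            return "locked"
        return "bad_password"


def replay(events: list[tuple[int, bool]]) -> list[str]:
    """Drive one account with (minute offset, password correct?) pairs.

    The start time is an arbitrary constructed reference point.
    """
    start = datetime(2005, 1, 1, 9, 0)
    account = AccountLockout()
    return [account.attempt(start + timedelta(minutes=m), ok) for m, ok in events]
```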
-
Services
-
Services
What services does a web server need? Are you sure they are needed?
YES: secure them
NO: remove them
This is the hardest to get right
-
Or
-
System Settings: Isn't there a quicker way to change system settings?
Yes. Meet the Security Analysis and Configuration snap-in
-
System Settings: Security Analysis and Configuration
1. Run mmc
2. File > Add/Remove Snap-in
3. Add Security Configuration and Analysis > Add
4. Right click on Security Analysis and Configuration > Open Database
5. Choose a File Name > Open
6. Navigate to High Security Baseline.inf > Open
7. Right click on Security Analysis and Configuration > Analyse Computer Now
8. Save the log to your desktop
-
User Accounts
-
User Accounts: Securing Well-known User Accounts
Rename all built-in accounts: Administrator, Guest
Why? Everyone knows the names of these two Windows accounts. 50% of a brute force attack is already common knowledge.
The descriptions should also be altered.
-
User Accounts: Securing Well-known User Accounts
Assign strong passwords to these accounts: Th15 1s @ vry st0ng p@s5word dont y0u th1nk?
Disable default guest accounts (if not already done by default)
-
IP Policies
-
IP Policies: Structure
IP Filter advice: give your rules good names. Examples might look like this:
<POLICY> <SERVICE>
Permit INBOUND HTTP(S)
Permit OUTBOUND SSH
Permit OUTBOUND DNS
Permit OUTBOUND HTTP(S)
Deny BIDIRECTIONAL ALL
-
IP Policies: Example scenario
A web server might look similar to this:
Permit INBOUND: HTTP, HTTPS?, TS?
Permit OUTBOUND: HTTP, HTTPS, DNS
-
IP Policies: Local Security Settings
-
IP Policies: Let's get started
Create IP Security Policy
Name: Secure Web
Uncheck "Activate the default response rule"
Check "Edit Properties"
Uncheck "Use Add Wizard"
-
IP Policies: Basic rules
Create 4 rules:
Deny BIDIRECTIONAL ALL
Permit INBOUND HTTP(S)
Permit OUTBOUND HTTP(S)
Permit OUTBOUND DNS
When you're done, assign your new policy
-
IP Policies: Let's look at the results
Tools needed: NMap
Exercise: Groups of two or three. Choose which computer will perform the scan. Un-assign IP Policies as they also block outbound traffic. Perform the following port scans:
nmap -sS -P0 -O -p 1-65535
nmap -sS -P0 -O -g 53 -p 1-65535
nmap -sT -P0 -O -p 1-65535
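The following added Python model (written for this transcript, not a Windows API) encodes the four basic rules from the earlier slide as filters keyed on direction, protocol and server-side port, applies the IPsec principle that the most specific matching filter wins, and predicts which ports the scan exercise above should find open once the policy is assigned. Mirrored filters and IP addresses are deliberately left out of the model.

```python
from __future__ import annotations
from dataclasses import dataclass

# Filters keyed on direction, protocol and server-side port; like IPsec,
# the most specific matching filter decides (mirroring/addresses omitted).


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    direction: str              # "inbound", "outbound" or "bidirectional"
    protocol: str | None = None # "tcp", "udp" or None for any
    port: int | None = None     # server-side port, None for any

    def matches(self, direction: str, protocol: str, port: int) -> bool:
        return (self.direction in ("bidirectional", direction)
                and self.protocol in (None, protocol)
                and self.port in (None, port))

    def specificity(self) -> int:
        """Number of non-wildcard fields; higher wins when several match."""
        return ((self.direction != "bidirectional")
                + (self.protocol is not None) + (self.port is not None))


# The four rules from the "Basic rules" slide; HTTP(S) split into its two ports.
SECURE_WEB = [
    Rule("Deny BIDIRECTIONAL ALL", "deny", "bidirectional"),
    Rule("Permit INBOUND HTTP", "permit", "inbound", "tcp", 80),
    Rule("Permit INBOUND HTTPS", "permit", "inbound", "tcp", 443),
    Rule("Permit OUTBOUND HTTP", "permit", "outbound", "tcp", 80),
    Rule("Permit OUTBOUND HTTPS", "permit", "outbound", "tcp", 443),
    Rule("Permit OUTBOUND DNS", "permit", "outbound", "udp", 53),
]


def decide(rules: list[Rule], direction: str, protocol: str, port: int) -> tuple[str, str]:
    """(action, rule name) for one packet. IPsec passes unmatched traffic,
    which is why the slide's first rule is Deny BIDIRECTIONAL ALL."""
    hits = [r for r in rules if r.matches(direction, protocol, port)]
    if not hits:
        return "permit", "no matching filter"
    best = max(hits, key=Rule.specificity)
    return best.action, best.name


def expected_open_ports(rules: list[Rule], direction: str, protocol: str, ports) -> list[int]:
    """Ports a scan in the given direction should find permitted under the policy."""
    return [p for p in ports if decide(rules, direction, protocol, p)[0] == "permit"]
```

Dropping the catch-all deny rule from the list shows why it is needed: an inbound packet to TCP 22 then matches nothing and is let through.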
-
File Permissions
-
Permissions: Assigning correct NTFS permissions
CGI files (.EXE, .DLL, .CMD, .PL): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read & Execute, Read
Script files (.ASPX, .ASP, .PHP): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read & Execute, Read
Include files (.INC, .SHTML, .SHTM): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read & Execute, Read
-
Permissions: Assigning correct NTFS permissions
Static files (.HTML, .HTM, .TXT, .GIF, .JPG): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read
Data files (.MDB): Administrators: Full Control; System: Full Control; IUSR_SERVER: Read, Write, Read & Execute, Modify
-
Hardening IIS
-
Hardening IIS
Web server extensions
Application Debugging
Custom Errors
HTTP Verbs
URLScan
Logging
-
Web server Extensions: Predefined Web Service Extensions
Everything is turned off by default. A default IIS 6.0 installation will only run sites with static pages, .HTML, .HTM.
-
Web server Extensions: Predefined Web Service Extensions (cont.)
Active Server Pages
ASP.NET version 1.1.4322
FrontPage Server Extensions 2002
Internet Data Connector
Server-Side Includes
WebDAV
-
Application Debugging: Stop IIS from sending error messages to clients
Stop applications from sending debugging details to clients: Right click on your web site in the IIS manager > Home Directory > Configuration > App Debugging > Check "Send text error to client" and leave the box blank
-
Custom Errors: Redirect to a custom error page when errors occur
Send custom error pages to clients for HTTP 500s, 404s: Right click on your web site in the IIS manager > Custom Errors > double click on 500 > Message Type: URL > URL: /<LOCATION OF CUSTOM PAGE>
Make certain that error 500 messages don't get sent to the browser!
-
HTTP Verbs: Limit access to HTTP Verbs
Remove all un-needed HTTP verbs from each application. Generally required: GET, HEAD, POST
-
URLScan: Url filtering
What is URLScan? What can it do?
Enable/disable HTTP verbs
Disable HTTP headers
Enable/disable specific file extensions
Disable character sequences
Remove/alter the server header
Restrict header lengths
Questions concerning URLScan?
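As an added illustration of what the URLScan capabilities on this slide and the verb allowlist on the HTTP Verbs slide amount to, here is a small Python request filter (written for this transcript, not the URLScan product or its configuration file) that allows only GET, HEAD and POST, refuses denied URL sequences and extensions, caps header lengths, and strips the Server banner from a response. The lists and limits are constructed values in the spirit of the slide, not a copy of any real urlscan.ini.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed settings in the spirit of the URLScan and HTTP Verbs slides
# (illustrative values, not a copy of any real urlscan.ini).
ALLOW_VERBS = {"GET", "HEAD", "POST"}                # "generally required"
DENY_EXTENSIONS = {".ida", ".idq", ".htw", ".printer", ".asa"}
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
MAX_URL_LENGTH = 260
MAX_HEADER_LENGTHS = {"user-agent": 256, "cookie": 1024, "content-length": 30}
REMOVE_RESPONSE_HEADERS = {"server"}                 # remove/alter the server header


def filter_request(raw: str) -> tuple[bool, str]:
    """Run the checks over one raw HTTP request; returns (allowed, reason)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, url, _version = parts
    if verb not in ALLOW_VERBS:
        return False, f"verb {verb} not allowed"
    if len(url) > MAX_URL_LENGTH:
        return False, "url too long"
    path = url.split("?", 1)[0]
    # Test the raw and the percent-decoded path; '%' in the list refuses any
    # encoded form outright and the decoded pass is a second line of defence.
    for candidate in (path, unquote(path)):
        for seq in DENY_URL_SEQUENCES:
            if seq in candidate:
                return False, f"denied sequence {seq!r}"
    ext = re.search(r"(\.[a-z0-9]+)$", unquote(path).lower())
    if ext and ext.group(1) in DENY_EXTENSIONS:
        return False, f"extension {ext.group(1)} denied"
    for line in lines[1:]:
        name, _, value = line.partition(":")
        limit = MAX_HEADER_LENGTHS.get(name.strip().lower())
        if limit is not None and len(value.strip()) > limit:
            return False, f"header {name.strip()} too long"
    return True, "allowed"


def scrub_response_headers(headers: dict[str, str]) -> dict[str, str]:
    """Drop response headers the filter is told to remove, e.g. the Server banner."""
    return {k: v for k, v in headers.items() if k.lower() not in REMOVE_RESPONSE_HEADERS}
```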
-
URLScan: Url filtering
How does it work: Configuration File, Installation, Fine tuning
-
Logging: Configuring Logging
Create separate logs for each site
Log Folder Permissions:
Administrators: Full Control
System: Full Control
IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute
-
Additional Hardening
-
Additional Hardening
Uninstallable Components
Special Binaries
-
Uninstallable Components
1. Load %systemroot%\inf\sysoc.inf into notepad
2. Replace hide with an empty string
3. Run Add/Remove Applications
4. Remove any unwanted/unneeded components (be careful!)
-
Special Binaries
Several executables exist on a standard Windows 2000 installation that could become rather useful to an attacker
Special access rights need to be set on all of these executables
-
Special Binaries (cont.)
Uncheck "Allow inheritable permissions from parent to propagate to this object".
Remove all users from the name list, including SYSTEM.
Assign Full Control to a user that is to be used to access these files (an administrator).
-
Special Binaries (cont.)
rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe, nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe, regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe, regedit.exe, rexec.exe, tracert.exe, command.com, os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe, cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe, wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe
-
What have we learned today?
Physical Security
OS Installation
Account Policies
Local Policies
Services
User Accounts
IP Policies
Permissions
Hardening IIS
Additional Hardening
-
?