Computer manufacturer and OS developers often build and deliver systems in default modes to secure the system from external attacks. From developer's view this is the most efficient mode of product delivery. As per the organisation or a user, they require more protected and secured system before it is placed into service.
Security baselines are standards which defines a minimum set of security controls for organisations. Security baselines typically address both technical issues such as software configuration and operational issues such as keeping applications up to date with vendor patches. In the security baselines, if hardware, OS, network and application followed the recommended minimum set of security settings then it will significantly decrease its vulnerability to security threats.
The process of securing and preparing the system against the internal and external threats and system vulnerabilities is called hardening. Reduce the main reasons of attack that includes the removal of unnecessary services, software and unnecessary usernames or logins. It makes the system more secure, reliable, efficient and gives optimised performance.
12.2 Password Selection
Get your grade
or your money back
using our Essay Writing Service!
Password selection is one of the critical activities that often get neglected as part of a good security baseline. Currently most systems are protected by a user ID and password. If an attacker discovers the correct user ID and password by guessing or by using freely available password cracker tools, then they can gain access to the system. By following basic guidelines and principles in choosing passwords, the passwords used on the system will protect the assets.
12.2.1 Selecting a Password
Users should consider a few basic requirements while choosing the password. Set a minimum number of characters and never accept shorter password. Do not use dictionary words and mix of lowercase and uppercase letters with usually one or two numbers. Randomly created passwords are strong passwords and they are difficult to guess and will defeat most password-cracking utilities. However, randomly generated passwords are difficult to remember and users often write down these passwords usually in a location close to the machine. Thus it defeats the purpose of the password.
12.2.2 Components of a Good Password
User should create their own easy to remember passwords. Password is meant to protect access and resources from hackers. It should not be easy for them to guess or crack through password cracking tools.
Common guidelines to make the password more difficult to guess or obtain are as follows:
It should be at least eight characters long.
It should include uppercase and lowercase letters, numbers, special characters or punctuation marks.
It should not contain dictionary words.
It should not contain the user's personal information such as their name, family member's name, birth date, pet name, phone number or any other detail that can easily be identified.
It should not be the same as the user's login name.
It should not be the default passwords as supplied by the system vendor such as password, guest, admin and so on.
12.2.3 Password Aging
Password aging is technique used by system administrators and it forces the user to change their passwords after specified period of time. If it is not changed within a specific period of time, it expires and must be reset. Password aging can also force a user to keep a password for a certain number of weeks before changing it.
Changing passwords periodically will protect against brute-force attacks because when password is changed the attacker must restart the attack from the beginning. If password is changed periodically, an attacker will never be able to cycle through all the possible combinations before the password is changed again.
Most operating systems have options that allow system administrators to apply password aging and prevent password reuse. Common guidelines are as follows:
User must change their passwords in every 60 to 90 days. A very secured service requires to change passwords every 30 to 45 days.
System must remember each user's last five to ten passwords and should not allow the user to reuse those passwords.
Most computers provide network security features to control outside access to the system. All nonessential softwares such as spyware blockers and antivirus programs prevent malicious software to run on the system. Even with all these security measures, systems are still vulnerable to outside access. System hardening is a step by step process of securely configuring a system to protect it against unauthorised access. It also helps to minimise the security vulnerabilities.
Always on Time
Marked to Standard
The three basic areas of hardening are as follows:
Operating system-based hardening - It includes information about securing and hardening various operating system. It also includes methods to secure file systems.
Network-based hardening - It examines the methods and procedures of hardening network devices, services and protocols.
Application-based hardening - It includes security of client-side user applications and services such as Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP) and Web servers.
12.3.1 Operating System-Based Hardening
Operating system hardening is the first step towards safeguarding systems from intrusion. Systems received from the vendors have preinstalled development tools and utilities which are beneficial to the new user as well as it also provide back-door access to an organisation's systems.
Operating system hardening includes the removal of all non essential tools, utilities and other systems administration options through which hackers can easily access the system. Hardening process will ensure that all security features are activated and configured correctly. This process makes the system secure, efficient, reliable and gives optimised performance.
Some of the security tips to harden the OS include the following:
Disable all unnecessary protocols.
Disable all unnecessary services.
Disable all unnecessary programs and processes.
Verify and then install all vendor patches.
Install all product updates.
Use vulnerability scanner to identify potential security weaknesses.
Configure file system security according to the least privilege rule.
Note: Least privilege rule states that, allow access to those individuals who require it and allow only as much access required to complete the task.
Controlling access to the resources is an important factor in maintaining system security. The most secure environment follows the rule of least privilege. The network administrator receives more complaints from users after following this rule as they are unable to access resources. However, receiving complaints from unauthorised users is more beneficial than suffering access violations that damage the organisation's capability to conduct business. The least privileged environment can use the user groups to assign the same access to the resources instead of assigning individual access controls. However, in some cases individual users need more or less access than other group members. To maintain security, network administrator provides greater control over what each user can and cannot access.
OS updates are provided by the manufacturer of the specific component. Updates contain improvements to the OS and hence, will make the product more secure, efficient and stable to the users. For example, Microsoft updates are labelled with security updates. These updates address security concerns recognised by Microsoft and install them if required. In addition, updates enhance the capability of a specific function that was underdeveloped at the time the system or application was released. Updates should be thoroughly tested in non-production environments before implementation. Since this new and improved function has more security breaches than the original components, it requires complete testing.
Hotfixes, security packs and patches are product updates to resolve a known issue.
Hotfixes - Hotfixes are components that are designed to fix a particular critical system fault. Hotfixes are created by the vendor when a number of client systems indicate that there is compatibility or functional problem with a manufacturer's products used on a particular platform. These are fixes for reported or known problems. Hence, hotfixes should only be installed to correct a specific problem.
Service Packs - Service packs are collection of updates or hotfixes. It correct known issues and provide drivers, updates and system administration tools that extends product functionality that include enhancements developed after the product is released. Service packs are tested on different hardware and applications to ensure compatibility of existing patches and updates. Service packs must be thoroughly tested and verified in non-production environment before it installed on working systems.
Patches - Patches are used to prevent hackers from invading the system with virus and other malware that exploits the operating systems vulnerabilities. This improves the usability and performance of the system. OS patches are available on the vendor Website that supplies the product. Since patches are issued at unpredictable intervals, it is important to configure the system to automatically connect with the latest security patch updates. When the new update is released, the OS will prompt to install. While preparing clean installation it is advisable to download and install all known patches before introducing the system to the network.
12.3.2 Network-Based Hardening
This Essay is
a Student's Work
This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.Examples of our work
The tremendous growth of the Internet allows to openly access any system on a network. Hence, proper control over network access must be established on systems by controlling the services that are running and the ports that are opened for network access. In addition to the systems, network devices such as hub, routers, switches and modems must be examined for any security vulnerability.
Any flaws in the coding of the OS can be exploited to gain access to the network components. These components should be configured with very strict parameters to maintain network security. The softwares of these components require to be updated regularly.
By taking necessary steps, network administrator should limit or reduce attacks, accidental damage through their networks. In addition, network hardening also recommend the correct configuration of network devices and the requirement to enable and disable the services and protocols within a network.
Updating the firmware of the hardware device is provided by the manufacturers. These updates fix incompatibility problems or device operation problems. These updates should be applied if the update includes fixes for an existing condition or if it will make the device more secure and more functional or extends its operational life. It is recommended to install and test the firmware updates in a non-production environment to verify if the update contains the necessary fixes and benefits that are required.
Network devices such as routers and switches configured with default installation settings. These default settings leave a system extremely vulnerable as it is set for convenience and not for security. Choosing a good password and limiting access to any open ports is very important in maintaining security of the devices. Good passwords are one of the most effective security tools because a good password can be resistant to several forms of attack. Determining the minimum set of services that the devices are running and good passwords is important for maintaining security of those devices.
Apply patches and updates that are released by the product vendor in a regular interval.
Enabling and Disabling Services and Protocols - It is important to measure the current requirements and conditions of the network and infrastructure and then disable the unnecessary services and protocols. This leads to network infrastructure that is less vulnerable to attack.
Access Control Lists - Configure access list at the network devices to control access to a network. Access list can prevent certain traffic from entering and exiting a network. Access control lists are controlled by an administrator.
12.3.3 Application-Based Hardening
Application hardening is the process to prevent exploitation of various types of vulnerabilities in software application by implementing the latest updates. Applications such as browsers, office suites, e-mail client and services provided through servers such as Web servers, File Transfer Protocol (FTP), DNS servers and DHCP servers on a network require regular updates to provide protection against newly developed threats.
At present most of the organisations have a Web presence on the Internet for numerous business advantages. Due to Internet popularity, Web servers have become extremely popular targets for attackers. Original content on the Websites are replaced with hacker's data. E-commerce sites are attacked and user's personal account information is stolen. Microsoft's Internet Information Server (IIS) or Apache server are most popular Web servers applications in use today. To secure Web servers from hackers, administrator must apply updates and patches, remove unnecessary protocols and services and properly configured all native controls. It is also recommended to place the Web server behind a firewall or a reverse proxy.
Microsoft has developed URLScan and IIS Lockdown tools which are designed to secure IIS servers from attacks and exploits. URLScan is a monitoring utility that examines all incoming URLs and rejects any requests for files, directories or services outside the intended scope of the Website. The IIS Lockdown tool turns off unnecessary functions which reduces the attack surface available to an attacker.
E-mail servers and clients are vulnerable to different attacks such as Denial of Service (DoS) attacks, virus attacks, relay and spoofing attacks. There are numerous deficiencies in the different versions of e-mail server software such as Sendmail for Linux and UNIX and the Exchange or Outlook for Microsoft.
E-mail servers are constant potential sources of virus attacks and therefore must have the strongest possible protection for scanning incoming and outgoing messages. E-mail servers should not have non-essential services and applications installed. Administrative and system access should also be securely controlled to block installation or execution of unauthorised programs and trojans.
The following attack points should be considered while hardening an e-mail server:
Open mail relay allows unauthorised users to send e-mail through an e-mail server.
Storage limitation, to limit DoS attacks based on message size.
Spamming includes identical messages sent to numerous clients by e-mail.
Virus propagation, ensure the anti-virus programs and applications are performing correctly.
FTP allows number of users to access and download remotely stored data. It distributes application updates, device drivers and free software to users. Users access this data anonymously. This anonymous access to FTP servers becomes a problem as administrator does not provide anonymous access or does not properly secure the FTP service. This involves setting the appropriate permissions, not allowing the FTP process to be run by an unprivileged user and not allowing users to upload or modify files. Some FTP servers allow upload and download service for authorised users and hence, in that case anonymous access should be completely removed. To overcome buffer overflow problem ensure that FTP server software is up to date and patched.
DNS server converts system's host names into IP addresses so that the communication can be correctly routed through the network. Client systems use DNS to locate Web servers, e-mail servers, FTP servers and number of other servers and network services. DNS can be major target for an attacker.
The DNS server can be exploited by the following ways:
Stealing zone transfers - DNS servers are configured to provide information such as list of hosts and routers with IP addresses to other secondary DNS servers. This secondary DNS server is used to maintain a backup copy of the DNS database and to provide name resolution services for client systems. An attacker can receive a zone transfer and use it to track victim's network and search for potential targets.
Zone update spoofing - An attacker can spoof the address of the primary DNS server and send a bogus update to a secondary DNS server. Client systems receive incorrect information and network communication from this bogus server and redirects users to a location controlled by the attacker.
DNS cache poisoning - Some DNS servers allow attackers to insert bogus information into a DNS cache.
To secure and harden the DNS server from various types of exploits, actions to be taken are as follows:
Do not place any information on publicly accessible DNS server to avoid snooping around the DNS server.
Do not provide additional host information in Host Information (HINFO) records of DNS. HINFO record contains descriptive information about the OS and features of particular system and attacker could use this information to gain access.
Configure the DNS servers to only allow zone transfers to specific secondary servers.
Berkeley Internet Name Domain (BIND) allows zone transfer to be signed. Zone transfer signing allows secondary servers to verify the credentials of the primary server before accepting data.
Ensure that DNS software is patched and up to date to avoid DNS cache poisoning.
Network News Transfer Protocol (NNTP) servers allow news clients to connect to news servers to share information privately or to post articles to a public NNTP server. NNTP servers are vulnerable to DoS attacks, buffer overflows. To exploit server, attackers connect to a private NNTP server to gain any information to compromise network. Sometimes users post accurate diagrams of their network to ask a technical question and attacker can use this information to find ways to exploit a network. They can even offer bogus advice to create a hole in the network's defences.
To protect the organisation from NNTP server exploits, block the NNTP port at the firewall to make NNTP server inaccessible to external users. To protect posted private information, authenticate user to prevent anonymous logins to the NNTP server. Also encrypt communications using SSL/TLS to prevent packet sniffing of confidential data. Do not allow users to post confidential information to the public which will compromise their network.
File and Print Servers
Files and print servers in a network are used to share resources but it is a common way in which hackers can gain information and unauthorised access. When sharing is enabled to share the resources with a trusted internal network over a NIC, the system is also sharing those resources with the entire untrusted external network over the external interface connection. Attackers attempt to make unauthenticated connections to shared resources on the network. If sharing permissions are configured incorrectly for an easily exploited user account, attackers can gain access to resources and alter them. To secure the file and printer shares block access to shares and related information at the firewall. Use the rule of least privilege to secure shares from external attacker. Virtual Private Network (VPN) is also used to encrypt communications between clients and servers to secure data transmission.
Data repositories are locations that hold information about networks, applications and users. Attackers can use the information stored in data repositories to formulate attacks against organisation. Hence, ensure that this information is limited and restricted for external users. As well as authentication and encryption of the data is necessary to protect them from external attacks.
A directory service is used to store, organise and provide access to information in a directory. The information in a directory services can include system accounts, user accounts, mail accounts, service locations and shared resource information. The Lightweight Directory Access Protocol (LDAP) is a common directory service that organises data in a hierarchical manner. The top entry in a LDAP directory information tree is called root and this LDAP root server creates the hierarchy. The directory service hierarchy and the information it stores provide a good map of network infrastructure. This is convenient for authorised users in a network as well as for attacker. Attacker can use numerous ways to compromise LDAP servers such as attacker can use network resources information stored at directory service to examine network structure, resources and potential targets. Attacker can gain victim's network information that is transferred over LDAP through eavesdropping.
Some of the ways to protect LDAP hierarchy are as follows:
Protect LDAP hierarchy by configuring the strongest authentication to the different versions of LDAP. Both LADP v2 and LDAP v3 support anonymous and simple authentication which are not very secure. Anonymous authentication does not require password and simple authentication uses a password in unencrypted format which attacker can easily hack. Strong authentication over LDAP v2 and LDAP v3 is provided through Kerberos version 4 authentication and Simple Authentication and Security Layer (SASL) communications respectively.
Use Secure LDAP (LDAPS) that allows encrypting communications using SSL/TLS.
Block access to LDAP ports from the Internet so that attackers cannot make connections using these ports.
Database servers are used to store data. Both the data and the database server can be target for an attacker. An attacker can steal the data or take over the database server to exploit it.
Some of the ways that the database servers can be exploited are as follows:
Unexpected data queries or commands - Numerous database servers use Structured Query Language (SQL) which allows for the querying and posting of data. An attacker can use SQL commands to do unexpected things is called SQL injection.
Unauthenticated access - If unauthenticated access to database server is allowed then the attackers can easily connect and exploit the database server.
To secure database servers consider the following points:
Test the database by running irrelevant queries and attempt to access unauthorised information.
Do not allow unauthenticated connections to the database server.
While transferring confidential data to and from database server, use SSL/TLS or VPN connection to protect data.
To avoid database server to be queried by external users, block access to it at the firewall.
12.4 Chapter Review Questions
1. How an individual should secure a password?
Selecting a password with at least eight characters, at least one change in case and at least one number or special character
Storing the password in wallet or purse
Using the same password on every system
Changing passwords at least once a year
2. Which of the following steps is part of the hardening process for OS?
Remove unnecessary programs and processes
Setting appropriate permissions on files
Disable unnecessary services
All of these
3. Which amongst the following is the correct step to overcome buffer overflow problems?
Select strong passwords
Install the latest patches
Remove sample files
Set appropriate permissions on files
4. Which of the following requires software up to date and patched?
All of these
5. Rule of least privilege states that ____.
allow access to users who requires it
allow limited access
allow access to everyone
allow full access
Ans: A and C
6. Which of the following is designed to fix a particular critical system fault?
None of these
7. Which of the following extends product functionality after the release of product?
None of these
8. Which of the following fixes incompatibility problems or device operation problems?
None of these
9. Which of the following steps are used to secure Web servers?
Apply patches and updates
Place the web server behind a firewall
Remove unnecessary protocols and services
All of these
10. BIND stands for _______.
Berkeley Internet Network Domain
Berkeley Intranet Name Domain
Berkeley Internet Name Domain
Business Internet Network Domain
5. A and C
In the chapter, Security Baselines, you learnt about:
Components of a good password and password aging.
Different ways to harden the OS.
Different ways to harden the network and its devices.
Different ways to harden applications such as browsers, office suites, e-mail client and services provided through servers such as Web servers, E-mail servers, FTP servers, DNS servers, NNTP servers, file and print servers, directory services and databases.