A standard workstation may need nothing more than the compatws (compatible workstation) template applied, since end-user workstations are used only by regular users. Web servers and DNS servers will most likely have tight security requirements, as they may be placed outside the corporate firewall in a DMZ that is reachable from the Internet. Remember that the generic security templates provided by Microsoft, or the settings applied by hardening tools such as Bastille UNIX, must be further customized by an organization to meet its specific security requirements.
The Microsoft Baseline Security Analyzer (MBSA) detects common security misconfigurations and missing security updates on Windows systems, and in addition to identifying the issues it offers specific remediation guidance, giving useful insight into the vulnerabilities present in an organization. (Microsoft no longer supports MBSA; on current Windows versions the equivalent checks come from Windows Update reporting and the Policy Analyzer in the Security Compliance Toolkit.) Hardening every system on a network is a large task, but by following a standard set of procedures and using tools such as security templates and MBSA it can be made significantly easier, with improved security across the network as the result.
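A worked run of the template procedure discussed above, added here as an example and not part of the original text: it analyzes a server against a security template without changing anything, lists the settings that differ, takes a backup of the current configuration, and only then applies the reviewed areas. The folder paths, the name of the customized template (compatws.inf shipped with Windows XP/2003 and is used only because the text discusses it) and the "Mismatch" marker searched for in the secedit log are assumptions.

```powershell
# Added example (not from the original text). Run from an elevated prompt.
# Paths and template name are assumptions for illustration.
$Template = 'C:\Hardening\compatws.inf'   # the organization's customized copy of the template
$Db       = 'C:\Hardening\compatws.sdb'   # secedit working database
$Log      = 'C:\Hardening\analysis.log'

# 1. Analyze only: compare the live configuration with the template.
#    /overwrite discards any stale database so old settings are not merged in.
secedit /analyze /db $Db /cfg $Template /overwrite /log $Log /quiet

# 2. Surface the differences. secedit marks settings that differ from the
#    template with "Mismatch" in the analysis log (assumed marker text).
function Get-TemplateMismatch {
    param([string]$LogPath)
    Get-Content -Path $LogPath |
        Where-Object { $_ -match 'Mismatch' } |
        ForEach-Object { $_.Trim() }
}
Get-TemplateMismatch -LogPath $Log

# 3. Keep a rollback point: export the current settings before applying anything.
secedit /export /cfg 'C:\Hardening\before.inf' /quiet

# 4. Apply only the areas that were reviewed. Valid areas include
#    SECURITYPOLICY, USER_RIGHTS, GROUP_MGMT, REGKEYS, FILESTORE and SERVICES.
secedit /configure /db $Db /cfg $Template /areas SECURITYPOLICY USER_RIGHTS /log $Log /quiet

# 5. Re-run the analysis; the mismatch list for the applied areas should now be empty.
secedit /analyze /db $Db /cfg $Template /overwrite /log $Log /quiet
Get-TemplateMismatch -LogPath $Log
```

Rolling back is `secedit /configure /db $Db /cfg 'C:\Hardening\before.inf' /overwrite`. Applying FILESTORE or REGKEYS from a generic template can rewrite ACLs across the whole system drive, which is why the example limits `/areas` to what was actually reviewed.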
One of the first tasks to focus on is deciding which services and protocols need to be enabled and which should be disabled.
Enabling and disabling services and protocols
When deciding which services and protocols to enable or disable as part of network hardening, there are extra tasks that must be done to protect the network and its internal systems. As with the operating systems discussed earlier, evaluate the current needs and conditions of the network and infrastructure, then begin eliminating unnecessary services and protocols.
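The procedure above (evaluate what is needed, then remove the rest) as an added PowerShell example that is not part of the original text. Rather than disabling a list blindly, it reports, for each candidate service, which other services depend on it and whether any of those dependents are running, so that only services with no dependents are disabled. The candidate list is an assumption for illustration; the names are real Windows service names but which ones are unneeded depends on the role of the server.

```powershell
# Added example (not from the original text). Candidate list is an assumption;
# tailor it to the server role before use.
$Candidates = @('RemoteRegistry', 'TlntSvr', 'SNMPTRAP', 'Browser', 'Fax')

function Get-ServiceDisableReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Status = 'NotInstalled'; Dependents = ''; RunningDependents = ''; SafeToDisable = $false }
            continue
        }
        # Anything that depends on this service breaks if it is stopped, so the
        # dependency chain is the first thing to research.
        $all     = @($svc.DependentServices)
        $running = @($all | Where-Object { $_.Status -eq 'Running' })
        [pscustomobject]@{
            Service           = $svc.Name
            Status            = $svc.Status
            Dependents        = ($all.Name -join ',')
            RunningDependents = ($running.Name -join ',')
            SafeToDisable     = ($running.Count -eq 0)
        }
    }
}

$report = Get-ServiceDisableReport -Names $Candidates
$report | Format-Table -AutoSize

# Disable only what the report marked safe. -WhatIf previews the change;
# remove it once the report has been reviewed.
foreach ($row in $report | Where-Object { $_.SafeToDisable }) {
    Stop-Service -Name $row.Service -WhatIf
    Set-Service  -Name $row.Service -StartupType Disabled -WhatIf
}
```

Set the startup type to Disabled rather than Manual: a Manual service can still be started by another service that lists it as a dependency or by an attacker with local rights, which defeats the point of removing it from the attack surface.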
While removing nonessential protocols is important, it is equally important to look at every area of the network to determine what is actually occurring and running on systems. The appropriate tools are needed to do this, and the Internet contains a wealth of tools and information for analyzing and inspecting systems.

FTP servers
FTP servers are potential security problems, as they are typically open to the Internet to support anonymous access to public resources.
All services other than FTP should be disabled or removed, and contact from the internal network to the FTP server through the firewall should be restricted and controlled through access control list (ACL) entries, to prevent traffic passing through the FTP server from reaching the internal network. Plain FTP carries credentials and data in cleartext, so where authenticated access is required, prefer SFTP or FTPS and reserve plain FTP for anonymous, read-only public content. Some of the hardening tasks that should be performed on FTP servers include:
- Protection of the server file system
- Isolation of the FTP directories
- Positive creation of authorization and access control rules
- Regular review of logs
- Regular review of directory content to detect unauthorized files and usage

DNS servers
Hardening DNS servers consists of performing normal OS hardening and then considering the types of control that can be applied within the DNS service itself.
Zone transfers should be allowed only to designated servers. Additionally, users who can query the zone records with utilities such as nslookup should be restricted through ACL settings. The Windows Server DNS service added controls that prevent zone transfers to machines not approved to request them, better protecting the data in the zone files from unauthorized use. Administrators must also harden against denial-of-service (DoS) attacks and against cache poisoning, in which a server is fed altered or spoofed records that it retains and then serves on to other resolvers.
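The zone-transfer, cache-poisoning and DoS controls above, applied to a Windows DNS server with the DnsServer PowerShell module, as an added example that is not part of the original text. It shows the weak setting beside the corrected one, adds an audit function that lists zones still open to transfer from anywhere, and enables cache locking and response rate limiting. The zone name, the secondary's address and the use of `example.com` are assumptions; response rate limiting exists only on Windows Server 2016 and later, so the script checks for the cmdlet first.

```powershell
# Added example (not from the original text). Zone and secondary address are assumptions.
Import-Module DnsServer

$Zone      = 'example.com'
$Secondary = '192.0.2.10'    # the only host that should be able to pull the zone

# Weak setting, the one that lets anyone AXFR the zone:
#   Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferAnyServer
# Corrected setting: transfers only to an explicit list, NOTIFY to the same list.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $Secondary `
    -Notify            NotifyServers `
    -NotifyServers     $Secondary

# Audit: every primary zone whose transfer policy is still wide open.
function Get-OpenTransferZone {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.SecureSecondaries -eq 'TransferAnyServer' } |
        Select-Object ZoneName, SecureSecondaries
}
Get-OpenTransferZone

# Cache poisoning: cache locking stops a cached record from being overwritten
# by a later response until its TTL has expired.
Set-DnsServerCache -LockingPercent 100

# DoS amplification: rate-limit identical responses to the same source
# (Windows Server 2016 and later only, hence the capability check).
if (Get-Command Set-DnsServerResponseRateLimiting -ErrorAction SilentlyContinue) {
    Set-DnsServerResponseRateLimiting -Mode Enable
}
```

To confirm the transfer restriction, run `nslookup` from a host that is not in the secondary list, point it at the server with `server <address>`, and issue `ls -d example.com`; the transfer should be refused. The same request from the listed secondary should still succeed.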
NNTP servers
NNTP servers are also vulnerable to some types of attacks, because they are often heavily utilized from a network resource perspective. This vulnerability also exists for listserv applications used for mailing lists. NNTP servers also share vulnerabilities with e-mail servers, because they are not always configured correctly to set storage parameters, purge newsgroup records, or limit attachments.

File and print services
File and print sharing lets users make their own resources available to others on the network. However, this ability also has a dark side, especially when users are unaware that they are sharing resources.
If a trusted user can gain access, the possibility exists that a malicious user can also obtain access. On systems linked by broadband connections, attackers have all the time they need to connect to shared resources and exploit them. If a user does not need to share resources with anyone on the internal local network, the file- and print-sharing service should be completely disabled. On most networks where security is important, this service is disabled on all clients. This forces all shared resources to be stored on network servers, which typically have better security and access controls than end-user client systems.

DHCP servers
DHCP servers add complexity to some areas of security, but they also offer the opportunity to control network addressing for client machines, which allows a more secure environment if the clients are configured properly. On the clients, this means administrators must establish a strong ACL that limits users' ability to modify network settings, regardless of platform.
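Disabling file and print sharing on a Windows client, as described above, as an added PowerShell example that is not part of the original text: it first audits which adapters still have the server service bound, then unbinds it, closes the matching firewall rule group, and disables the Server service so the client offers no SMB shares at all. It assumes a Windows 8/Server 2012 or later client, where the NetAdapter and NetSecurity modules are available.

```powershell
# Added example (not from the original text). Run elevated on the client.

function Get-FileSharingBinding {
    # One object per adapter on which "File and Printer Sharing for Microsoft
    # Networks" (component ms_server) is still enabled; empty means already off.
    Get-NetAdapterBinding -ComponentID ms_server |
        Where-Object { $_.Enabled } |
        Select-Object Name, DisplayName, Enabled
}

"Adapters still sharing files before hardening:"
Get-FileSharingBinding

# Unbind the server component from every adapter, close the firewall rules
# that would admit SMB and NetBIOS traffic, and stop the Server service so
# nothing is listening even if a binding is re-enabled later.
Disable-NetAdapterBinding -Name '*' -ComponentID ms_server
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
Stop-Service -Name LanmanServer
Set-Service  -Name LanmanServer -StartupType Disabled

"Adapters still sharing files after hardening (expected: none):"
Get-FileSharingBinding
```

Disabling the Server service also removes the administrative shares (C$, ADMIN$) that remote management tools rely on, so on domain-joined clients that are administered over SMB, stop at the firewall and binding steps and scope the firewall rules to the management subnet instead.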
Nearly all operating systems offer DHCP server applications in their server versions. Additional security concerns arise with DHCP; among these, it is important to control the creation of extra DHCP servers and their connection to the network. A rogue DHCP server can hand out addresses to clients, defeating the addressing settings and controls, and it can also push a malicious default gateway or DNS server to those clients, placing their traffic in the attacker's path. Windows DHCP servers in an Active Directory domain must be authorized in the directory before they will issue leases, and managed switches can enforce DHCP snooping so that offers are accepted only from designated ports.

Storage area networks
With a SAN, the server OS is not responsible for the permissions assigned to data access, which may make configuring access or integrating the access rules more complex. SAN configuration allows intercommunication between the devices that make up the SAN, freeing it from much of the normal LAN traffic and providing faster access. However, extra effort is initially required to create adequate access controls that limit unauthorized contact with the data it holds.

Directory services
Hardening directory services requires evaluating not only the permissions to access information, but also the permissions on the objects contained in the database.
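One check for the rogue DHCP server problem described above, as an added PowerShell example that is not part of the original text: it pulls the list of DHCP servers authorized in Active Directory and compares it with the server that actually issued each client's lease, reporting any client whose lease came from an unauthorized address. It assumes the DhcpServer RSAT module on the machine running it, WinRM/CIM access to the clients, and a constructed list of client names used only for illustration.

```powershell
# Added example (not from the original text). Client names are constructed.
Import-Module DhcpServer

# Servers the directory has authorized; anything else handing out leases is rogue.
$Authorized = Get-DhcpServerInDC | ForEach-Object { $_.IPAddress.ToString() }
$Clients    = @('WS01', 'WS02', 'WS03')    # assumed client names

function Find-RogueDhcpLease {
    param([string[]]$ComputerName, [string[]]$AuthorizedServers)
    foreach ($pc in $ComputerName) {
        # Each DHCP-enabled adapter records the address of the server that
        # gave it its current lease; that is what we compare.
        $cfgs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                    -ComputerName $pc -ErrorAction SilentlyContinue |
                Where-Object { $_.DHCPEnabled -and $_.DHCPServer }
        foreach ($cfg in $cfgs) {
            [pscustomobject]@{
                Computer   = $pc
                Adapter    = $cfg.Description
                Lease      = ($cfg.IPAddress -join ',')
                Gateway    = ($cfg.DefaultIPGateway -join ',')
                DhcpServer = $cfg.DHCPServer
                Authorized = ($AuthorizedServers -contains $cfg.DHCPServer)
            }
        }
    }
}

$leases = Find-RogueDhcpLease -ComputerName $Clients -AuthorizedServers $Authorized
$leases | Format-Table -AutoSize

# Anything unauthorized is the finding; the Gateway column shows whether the
# rogue also redirected the client's traffic.
$leases | Where-Object { -not $_.Authorized }
```

The check is only as good as the authorization list: a rogue that is not a Windows DHCP server is not stopped by directory authorization at all, which is why DHCP snooping on the switches is the control that actually blocks it, and this script is the detective complement that tells you whether it is working.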
This includes setting perimeter access controls to block access to LDAP directories on the internal network if they are not public information databases. Maintaining security patches and updates from the vendor is absolutely imperative in keeping these systems secure.

Network access control
There are several different incarnations of NAC available, including:
1. Endpoint-based NAC, which requires the installation of software agents on each network client. These devices are then managed from a centralized management console.
2. Hardware-based NAC, which requires the installation of a network appliance. The appliance monitors for specific behavior and can limit device connectivity should noncompliant activity be detected.

Databases
Database systems present unique and challenging conditions when hardening the system. For example, in most SQL-based systems there is both a server function and a client front end that must be considered.
In most database systems, access to the data, creation of new databases, and maintenance of the databases are controlled through accounts and permissions created by the application itself. Although some databases allow integration with the authenticated users of the directory service, they still depend on locally created permissions to control most access. This makes the operation and security of these servers more complicated than for other server types.
Eleventh Hour Security+ Exam SY Study Guide
Unique challenges exist in hardening database servers. Most require extra components on client machines and the design of forms for access to the data structure, in order to retrieve information from the tables constructed by the database administrator. Permissions can be extremely complex, as rules must be defined that grant individuals access to some records and none to others. This process is much like setting file access permissions, but at a far more granular and complex level.
This will help when you analyze questions that require configuring ACLs and determining the appropriate blocks to install to secure a network.

Workstation OS
Workstations can present special challenges. As laptops become more commonplace, they present specific challenges to the organization when it comes to securing operating systems, including configuration of the appropriate services as well as user and group rights.

User rights and groups
Ideally, a person should be given only the minimum rights required to perform their job. However, if a user account is compromised, the entire machine could be compromised, which could potentially lead to the

This allows the system administrator to reduce the rights assigned to regular users and follows the principle of least access (least privilege).

Remember the principle of least access! In many cases, this will help you to make the correct choice.
Summary of exam objectives
This chapter looked at the broad concept of infrastructure security and specifically discussed the concepts and processes for hardening various sections of systems and networks. OS security and configuration protections were discussed, as were file system permission procedures, access control requirements, and methods to protect the core systems from attack. We also looked at how these hardening steps might improve and work with OS hardening, and at ways to obtain, install, and test fixes and software updates.

1. As part of the overall operating system hardening process, you are disabling services on a Windows server machine. How do you decide which services to disable?
A. Disable all services, and then re-enable them one by one.
B. Research the services required and their dependencies, then disable the unneeded services.
C. Leave all services enabled, since they may be required at some point in the future.
D. Disable all workstation services.

2. Robby is preparing to evaluate the security on his Windows XP computer and would like to harden the OS. He is concerned because there have been reports of buffer overflows. What would you suggest he do to reduce this risk?
A. Remove sample files.
B. Upgrade his OS.
C. Set appropriate permissions on files.
D. Install the latest patches.

3. Yesterday, everything seemed to be running perfectly on the network.