06 System Hardening



Transcript of 06 System Hardening

  • 8/8/2019 06 System Hardening

    Slide 1: Hardening Windows 2003 Web Servers

    Ezenta A/S 2005

    Slide 2: Agenda

    Physical Security
    OS Installation
    Account Policies
    Local Policies
    Services
    User Accounts
    IP Policies
    Permissions
    Hardening IIS
    Additional Hardening

    Slide 3: General

    Slide 4: General - Who should take this course

    System Consultants
    Security Consultants
    System Architects
    Anyone who is responsible for the configuration and/or the administration of a Windows 2003 environment

    Slide 5: General - Strategy: Creating a secure environment

    Secure current and/or new implementations of the Windows 2003 operating system

    Slide 6: General - Strategy: Maintaining a secure environment

    Maintain a secure environment by staying on top of security issues that are relevant to your installation

    This is a proactive process!!

    Slide 7: General - Scope of this course

    This course will focus on the secure configuration of a Windows 2003 server hosting Internet Information Services (IIS) version 6.0

    Slide 8: General - Prerequisites

    Experience with IT security
    Experience with MMC
    Experience deploying web applications in enterprise environments
    Some web application development knowledge will be useful but is not mandatory

    Slide 9: General - What happens if I don't harden my web server?

    Most systems can be compromised within 72 hours
    Corporate humiliation
    Won't know if your system has been / is being attacked
    Money wasted on reparation and downtime
    Company data/secrets could be stolen

    Some web sites are fed with data that comes from the same database as other internal systems

    Slide 10: Hardening one step at a time

    [Chart: "Number of Weaknesses" falling with each hardening step]
    Physical Security
    OS Installation
    Account Policies
    Local Policies
    Services
    User Accounts
    IP Policies
    Permissions
    Hardening IIS
    Additional Hardening

    Slide 11: Prerequisites - What should

    Install ALL necessary software/services before you begin.
    Make sure that they ALL work.
    Why?

    If software/service doesn't work: Because of the hardening?
    Did it work before we started?
    These are time-wasting situations.

    Let's begin.

    Slide 12: Physical Security

    Slide 13: Physical Security

    We assume that physical security is in place.

    Slide 14: OS Installation

    Slide 15: OS Installation

    No system upgrades. Why? Too many grey areas. ONLY clean installations.

    Two partitions (we shall be using one):
    01 system files
    02 web applications

    Strong administrative passwords: rainbow attacks make 8 character passwords trivial to break

    Only install necessary components

    Slide 16: OS Installation

    Use a static IP instead of DHCP if possible (one less service)

    If there are multiple servers in the DMZ, consider making a DMZ domain from which critical servers will inherit their baseline GPOs.

    Slide 17: Proof of concept scan

    Slide 18: Proof of concept scan - Windows 2003 v. Windows 2000

    Why bother using Windows 2003? More secure by default.

    Can Windows 2000 be as secure? Yes. It requires work.

    Slide 19: Proof of concept scan - Windows 2003 v. Windows 2000

    We will use standard tools to inspect a default Windows 2003 installation.

    Tools to use: Nmap. Scans to perform:
    nmap -sS -P0 -O -p 1-65535
    nmap -sS -P0 -O -g 53 -p 1-65535
    nmap -sT -P0 -O -p 1-65535

    N-Stealth

    Windows 2003: xx.xx.xx.xx

    Slide 20: Local Security Settings

    Slide 21: Policies - Local Security Settings

    Slide 22: Policies - Account Policies

    Never use dictionary words.
    Never reuse old passwords by altering only one digit.
    Never choose passwords based on pets, habits, likes or dislikes. One must never be able to identify a password by looking at the things on your desk.

    Use upper- and lowercase with symbols and numbers.
    Choose passwords based on phrases:

    Th15 computr i5 protcted by a str0ng p@ssword

    Slide 23: Policies - Account Policies: Password Policy

    Enforce Password History: 24
    Maximum Password Age: 42 days
    Minimum Password Age: 2 days
    Minimum Password Length: 14
    Complexity requirements: Enabled
    Use Reversible Encryption: Disabled

    Slide 24: Policies - Account Policies: Account Lockout Policy

    Account Lockout Duration: 15 Minutes
    Account Lockout Threshold: 10 invalid attempts
    Reset Lockout Counter: 15 Minutes
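The password and lockout values on the two Account Policy slides interact in ways that are easier to see in code than in a table. The following is an added example, not material from the Ezenta deck: it models the password checks and the three lockout timers with the slide's values. Assumptions, labelled in the code: the complexity rule is modelled as Windows documents it (three of four character classes, and the account name must not appear in the password), and the lockout clock is a simplified in-memory one.

```python
"""Account policy model (added example, not code from the Ezenta slides).
Constants are the values from the Password Policy and Account Lockout
Policy slides.  Assumption: the complexity rule follows the documented
Windows behaviour (3 of 4 character classes, account name not contained);
the lockout bookkeeping is a simplified clock, not the SAM implementation."""
from datetime import datetime, timedelta

# Password policy values from the slide
PASSWORD_HISTORY = 24
MIN_PASSWORD_LENGTH = 14
# Account lockout policy values from the slide
LOCKOUT_THRESHOLD = 10                       # invalid attempts
LOCKOUT_DURATION = timedelta(minutes=15)
RESET_COUNTER_AFTER = timedelta(minutes=15)

T0 = datetime(2005, 1, 1, 9, 0, 0)           # constructed reference time for demos


def meets_complexity(password, account_name):
    """'Password must meet complexity requirements' as Windows documents it:
    at least three of four character classes and no account name inside."""
    if account_name and account_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols, space included
    )
    return sum(classes) >= 3


def password_policy_violations(password, account_name, history):
    """Reasons a candidate password is rejected under the slide's settings.
    `history` holds the account's previous passwords, oldest first."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if not meets_complexity(password, account_name):
        problems.append("does not meet complexity requirements")
    if password in history[-PASSWORD_HISTORY:]:
        problems.append("reused within the last %d passwords" % PASSWORD_HISTORY)
    return problems


class LockoutCounter:
    """Invalid-logon bookkeeping for one account: failures accumulate up to
    the threshold, a quiet period of RESET_COUNTER_AFTER clears them, and a
    locked account opens again once LOCKOUT_DURATION has passed."""

    def __init__(self):
        self.failures = 0
        self.last_failure = None
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Register one invalid attempt; True when the account is locked."""
        if self.is_locked(now):
            return True
        # 'Reset account lockout counter after': a quiet period clears the count
        if self.last_failure is not None and now - self.last_failure >= RESET_COUNTER_AFTER:
            self.failures = 0
        self.failures += 1
        self.last_failure = now
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures = 0
            return True
        return False


def lockout_timeline(offsets_seconds):
    """Feed one failure per offset (seconds after T0) into a fresh counter;
    return (per-attempt lock results, the counter) for inspection."""
    counter = LockoutCounter()
    results = [counter.record_failure(T0 + timedelta(seconds=s)) for s in offsets_seconds]
    return results, counter


def locked_at(counter, offset_seconds):
    return counter.is_locked(T0 + timedelta(seconds=offset_seconds))
```

The point of the lockout model is the reset timer: nine failures that stay inside one fifteen-minute window lock nothing, so the threshold and the reset window are read together when judging how much guessing the policy actually stops, and the event log (not the counter) is where the repeated failures become visible.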

    Slide 25: Services

    Slide 26: Services

    What services does a web-server need? Are you sure they are needed?

    YES: secure them
    NO: remove them

    This is the hardest to get right

    Slide 27: Or

    Slide 28: System Settings - Isn't there a quicker way to change system settings?

    Yes. Meet the Security Analysis and Configuration snap-in

    Slide 29: System Settings - Security Analysis and Configuration

    Run mmc
    File > Add/Remove Snap-in
    Add "Security Configuration and Analysis" > Add
    Right click on Security Analysis and Configuration > Open Database
    Choose a File Name > Open
    Navigate to High Security Baseline.inf > Open
    Right click on Security Analysis and Configuration > Analyse Computer Now
    Save the log to your desktop

    Slide 30: User Accounts

    Slide 31: User Accounts - Securing Well-known User Accounts

    Rename all built-in accounts: Administrator, Guest

    Why? Everyone knows the names of these two Windows accounts. 50% of a brute force attack is already common knowledge.

    The descriptions should also be altered.

    Slide 32: User Accounts - Securing Well-known User Accounts

    Assign strong passwords to these accounts:
    Th15 1s @ vry st0ng p@s5word d0nt y0u th1nk?

    Disable default guest accounts (if not already done by default)

    Slide 33: IP Policies

    Slide 34: IP Policies - Structure

    IP Filter advice: give your rules good names. Examples might look like this:

    <POLICY> <SERVICE>
    Permit INBOUND HTTP(S)
    Permit OUTBOUND SSH
    Permit OUTBOUND DNS
    Permit OUTBOUND HTTP(S)
    Deny BIDIRECTIONAL ALL

    Slide 35: IP Policies - Example scenario

    A web server might look similar to this:

    Permit INBOUND:
    HTTP
    HTTPS ?
    TS ?

    Permit OUTBOUND:
    HTTP
    HTTPS
    DNS

    Slide 36: IP Policies - Local Security Settings

    Slide 37: IP Policies - Let's get started

    Create IP Security Policy
    Name: Secure Web
    Uncheck "Activate the default response rule"
    Check "Edit Properties"
    Uncheck "Use Add Wizard"

    Slide 38: IP Policies - Basic rules

    Create 4 rules:
    Deny BIDIRECTIONAL ALL
    Permit INBOUND HTTP(S)
    Permit OUTBOUND HTTP(S)
    Permit OUTBOUND DNS

    When you're done, assign your new policy
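The "Secure Web" rule set from the Structure, Example scenario and Basic rules slides can be reviewed before it is assigned by evaluating a few connection attempts against it. The block below is an added example, not the slides' material, and it never touches Windows. Assumptions, labelled in the code: as with Windows IPsec filter lists, rule order is irrelevant and the most specific matching filter decides; direction is the side that opens the connection, so the mirrored reply traffic is implied rather than modelled; HTTP(S) is expanded into one filter for 80 and one for 443.

```python
"""Model of the 'Secure Web' IP Security policy (added example, not from the
slides).  Assumptions: most-specific-match semantics as in Windows IPsec,
rule order ignored, mirrored reply traffic implied by the direction."""
from dataclasses import dataclass
from typing import Optional

ANY = None   # wildcard for protocol or port


@dataclass(frozen=True)
class Rule:
    name: str                        # "<POLICY> <SERVICE>" naming from the slide
    action: str                      # "Permit" or "Deny"
    direction: str                   # "INBOUND", "OUTBOUND" or "BIDIRECTIONAL"
    protocol: Optional[str] = ANY    # "tcp", "udp" or ANY
    port: Optional[int] = ANY        # service port: local for INBOUND, remote for OUTBOUND

    def matches(self, direction, protocol, port):
        if self.direction != "BIDIRECTIONAL" and self.direction != direction:
            return False
        if self.protocol is not ANY and self.protocol != protocol:
            return False
        if self.port is not ANY and self.port != port:
            return False
        return True

    def specificity(self):
        """Concrete fields outrank wildcards, as in Windows IPsec filter matching."""
        return ((self.direction != "BIDIRECTIONAL")
                + (self.protocol is not ANY)
                + (self.port is not ANY))


# The four rules from the 'Basic rules' slide, HTTP(S) split into two filters each
SECURE_WEB = [
    Rule("Deny BIDIRECTIONAL ALL", "Deny", "BIDIRECTIONAL"),
    Rule("Permit INBOUND HTTP", "Permit", "INBOUND", "tcp", 80),
    Rule("Permit INBOUND HTTPS", "Permit", "INBOUND", "tcp", 443),
    Rule("Permit OUTBOUND HTTP", "Permit", "OUTBOUND", "tcp", 80),
    Rule("Permit OUTBOUND HTTPS", "Permit", "OUTBOUND", "tcp", 443),
    Rule("Permit OUTBOUND DNS", "Permit", "OUTBOUND", "udp", 53),
]


def decide(rules, direction, protocol, port):
    """Return (action, rule name) for one connection attempt."""
    candidates = [r for r in rules if r.matches(direction, protocol, port)]
    if not candidates:
        # IPsec does not process traffic that matches no filter at all
        return "Permit", "(no filter matched)"
    best = max(candidates, key=Rule.specificity)
    return best.action, best.name


def policy_table(rules, probes):
    """Evaluate (direction, protocol, port) probes; a quick review of a rule
    set before assigning it."""
    return {probe: decide(rules, *probe) for probe in probes}
```

The table makes the slide's later remark concrete: with the catch-all deny in place, an outbound connection from the server to anything but HTTP, HTTPS or DNS is dropped, which is why the machine that runs the scanning exercise must have the policy un-assigned.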

    Slide 39: IP Policies - Let's look at the results

    Tools needed: Nmap

    Exercise
    Groups of two or three
    Choose which computer will perform the scan
    Un-assign IP Policies as they also block outbound traffic
    Perform the following port scans:
    nmap -sS -P0 -O -p 1-65535
    nmap -sS -P0 -O -g 53 -p 1-65535
    nmap -sT -P0 -O -p 1-65535
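The scans on the Proof of concept slide and on this exercise slide produce text that has to be compared with the policy by hand. The block below is an added example, not part of the slides: it parses Nmap's normal output, lists what is open beyond the inbound HTTP(S) the Secure Web policy permits, and compares the plain scan with the source-port-53 scan. The scan texts are constructed for illustration, not real results from the course machines.

```python
"""Checker for the results of the three Nmap scans in the exercise (added
example, not from the slides).  The scan output below is constructed."""
import re

EXPECTED_INBOUND = {80, 443}   # the only inbound services the Secure Web policy permits

# Constructed sample: a default Windows 2003/IIS host before the policy is assigned
SCAN_BEFORE_POLICY = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ )
Interesting ports on 10.0.0.5:
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
443/tcp  open     https
445/tcp  open     microsoft-ds
3389/tcp open     ms-term-serv
8080/tcp filtered http-proxy
Nmap finished: 1 IP address (1 host up) scanned in 12.345 seconds
"""

# Constructed sample: the same host after 'Secure Web' has been assigned
SCAN_AFTER_POLICY = """\
Interesting ports on 10.0.0.5:
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(nmap_output):
    """Return {port: service} for every line Nmap reports as 'open'."""
    found = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found[int(m.group(1))] = m.group(4)
    return found


def compare_with_policy(open_ports, expected=EXPECTED_INBOUND):
    """Split the open ports into permitted, unexpected and missing."""
    seen = set(open_ports)
    return {
        "permitted": sorted(seen & expected),
        "unexpected": sorted(seen - expected),
        "missing": sorted(expected - seen),
    }


def source_port_exposure(plain_scan, source_port_53_scan):
    """Ports that are open only when probed from source port 53 (the deck's
    second scan).  A non-empty result means a filter keys on the remote port,
    typically a mirrored rule meant for DNS replies, and needs a closer look."""
    return sorted(set(parse_open_ports(source_port_53_scan)) - set(parse_open_ports(plain_scan)))


def hardening_passed(nmap_output):
    """True when nothing beyond the permitted inbound services is open."""
    return not compare_with_policy(parse_open_ports(nmap_output))["unexpected"]
```

Run each of the three scans into its own file, call hardening_passed on the plain SYN and connect scans, and feed the plain and -g 53 outputs to source_port_exposure; the SYN and connect scans should agree, and the -g 53 scan should not open anything the plain scan did not.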

    Slide 40: File Permissions

    Slide 41: Permissions - Assigning correct NTFS permissions

    CGI files: .EXE, .DLL, .CMD, .PL
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read & Execute, Read

    Script files: .ASPX, .ASP, .PHP
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read & Execute, Read

    Include files: .INC, .SHTML, .SHTM
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read & Execute, Read

    Slide 42: Permissions - Assigning correct NTFS permissions

    Static files: .HTML, .HTM, .TXT, .GIF, .JPG
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read

    Data files: .MDB
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read, Write, Read & Execute, Modify
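The two permission slides amount to a matrix keyed on file extension. The block below is an added example, not from the slides: it encodes that matrix and audits an observed ACL against it, reporting extra rights, unexpected principals and missing ones. The ACLs are passed in as plain dictionaries (constructed in the tests); reading them from a live server is left to whatever tool you already use, so nothing here talks to NTFS.

```python
"""NTFS permission matrix from the slides with an audit helper (added
example, not the slides' material).  ACLs are {principal: set(rights)}."""
import os

# Rights every category grants to the administrative principals (from the slides)
ADMIN_RIGHTS = {"Administrators": {"Full Control"}, "System": {"Full Control"}}

# (category, extensions, rights for the anonymous IIS account) as the slides list them
RULES = [
    ("CGI files", {".exe", ".dll", ".cmd", ".pl"}, {"Read & Execute", "Read"}),
    ("Script files", {".aspx", ".asp", ".php"}, {"Read & Execute", "Read"}),
    ("Include files", {".inc", ".shtml", ".shtm"}, {"Read & Execute", "Read"}),
    ("Static files", {".html", ".htm", ".txt", ".gif", ".jpg"}, {"Read"}),
    ("Data files", {".mdb"}, {"Read", "Write", "Read & Execute", "Modify"}),
]


def expected_acl(filename):
    """Return (category, expected ACL) for a file, or (None, None) if the
    slides give no rule for its extension."""
    ext = os.path.splitext(filename)[1].lower()
    for category, extensions, iusr_rights in RULES:
        if ext in extensions:
            acl = {principal: set(rights) for principal, rights in ADMIN_RIGHTS.items()}
            acl["IUSR_SERVER"] = set(iusr_rights)
            return category, acl
    return None, None


def audit(filename, actual_acl):
    """Compare an observed ACL with the matrix; return a list of findings,
    empty when the file is set exactly as the slides prescribe."""
    category, expected = expected_acl(filename)
    if expected is None:
        return ["%s: no rule for extension (review manually)" % filename]
    findings = []
    for principal, rights in actual_acl.items():
        if principal not in expected:
            findings.append("%s: unexpected principal %s" % (filename, principal))
            continue
        extra = set(rights) - expected[principal]
        if extra:
            findings.append("%s: %s has extra rights %s" % (filename, principal, sorted(extra)))
    for principal in expected:
        if principal not in actual_acl:
            findings.append("%s: %s missing" % (filename, principal))
    return findings


def audit_tree(acls_by_path):
    """Audit many files at once: {path: acl} in, {path: findings} out,
    keeping only the files that have something to report."""
    results = {}
    for path, acl in acls_by_path.items():
        findings = audit(path, acl)
        if findings:
            results[path] = findings
    return results
```

The interesting finding is the one the matrix is designed to catch: a script or CGI file on which the anonymous account has Write, since that turns any upload or injection bug into code execution as the web server.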

    Slide 43: Hardening IIS

    Slide 44: Hardening IIS

    Web server extensions
    Application Debugging
    Custom Errors
    HTTP Verbs
    URLScan
    Logging

    Slide 45: Web server Extensions - Predefined Web Service Extensions

    Everything is turned off by default. A default IIS 6.0 installation will only run sites with static pages, .HTML, .HTM.

    Slide 46: Web server Extensions - Predefined Web Service Extensions (cont.)

    Active Server Pages
    ASP.NET version 1.1.4322
    FrontPage Server Extensions 2002
    Internet Data Connector
    Server-Side Includes
    WebDAV

    Slide 47: Application Debugging - Stop IIS from sending error messages to clients

    Stop applications from sending debugging details to clients:
    Right click on your web site in the IIS manager > Home Directory > Configuration > App Debugging
    Check "Send text error to client" and leave the box blank

    Slide 48: Custom Errors - Redirect to a custom error page when errors occur

    Send custom error pages to clients for HTTP 500s, 404s:
    Right click on your web site in the IIS manager > Custom Errors > double click on 500
    Message Type: URL
    URL: /<LOCATION OF CUSTOM PAGE>

    Make certain that error 500 messages don't get sent to the browser!

    Slide 49: HTTP Verbs - Limit access to HTTP Verbs

    Remove all un-needed HTTP verbs from each application:
    Generally required: GET, HEAD, POST

    Slide 50: URLScan - URL filtering

    What is URLScan? What can it do?

    Enable/disable HTTP verbs
    Disable HTTP headers
    Enable/disable specific file extensions
    Disable character sequences
    Remove/alter the server header
    Restrict header lengths

    Questions concerning URLScan?

    Slide 51: URLScan - URL filtering

    How does it work:
    Configuration File
    Installation
    Fine tuning
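The HTTP Verbs slide and the two URLScan slides describe a request filter in terms of its knobs. The block below is an added example, not URLScan's code and not a copy of urlscan.ini: it implements the same categories of check (verb allow-list, URL length, denied character sequences in the path, denied extensions, header length limits and Server banner replacement) so that a proposed rule set can be tried against sample requests before the real configuration file is edited. The extension list and header limits are illustrative; the denied sequences are the documented URLScan defaults.

```python
"""Request filter modelled on the URLScan slides (added example, not URLScan
itself).  Lists marked illustrative are constructed for the demonstration."""
from urllib.parse import unquote

ALLOW_VERBS = {"GET", "HEAD", "POST"}                  # 'generally required' per the slide
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ini", ".log", ".mdb"}   # illustrative
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "%", "&"]  # URLScan's documented defaults
MAX_URL_LENGTH = 260                                   # illustrative limit
MAX_HEADER_LENGTHS = {"Content-Type": 100, "User-Agent": 255}   # illustrative limits
ALTERNATE_SERVER_NAME = "webserver"                    # replaces the IIS banner


def _extension(path):
    """Extension of the last path segment, lower-cased, '' when absent."""
    segment = path.rsplit("/", 1)[-1]
    dot = segment.rfind(".")
    return segment[dot:].lower() if dot != -1 else ""


def check_request(method, raw_url, headers):
    """Return (accepted, reason).  Checks run cheapest first: verb, URL
    length, denied sequences in the path, extension, header lengths.
    Sequences are matched on the raw path, before any %-decoding, so an
    encoded '..' is caught by the '%' rule rather than slipping through."""
    if method.upper() not in ALLOW_VERBS:
        return False, "verb %s not allowed" % method
    if len(raw_url) > MAX_URL_LENGTH:
        return False, "URL longer than %d" % MAX_URL_LENGTH
    raw_path = raw_url.split("?", 1)[0]      # query string is not subject to the path rules
    for seq in DENY_URL_SEQUENCES:
        if seq in raw_path:
            return False, "denied sequence %r in URL" % seq
    ext = _extension(unquote(raw_path))
    if ext in DENY_EXTENSIONS:
        return False, "extension %s not served" % ext
    for name, limit in MAX_HEADER_LENGTHS.items():
        if len(headers.get(name, "")) > limit:
            return False, "header %s longer than %d" % (name, limit)
    return True, "ok"


def scrub_response_headers(headers):
    """Replace the Server banner the way URLScan's AlternateServerName does."""
    out = dict(headers)
    if "Server" in out:
        out["Server"] = ALTERNATE_SERVER_NAME
    return out
```

The ordering matters for the "fine tuning" step on the slide: a rejection reason tells you which list to relax when a legitimate application breaks (for example an application that needs "&" or ":" in its paths), instead of disabling the filter wholesale.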

    Slide 52: Logging - Configuring Logging

    Create separate logs for each site

    Log Folder Permissions
    Administrators: Full Control
    System: Full Control
    IUSR_SERVER: Read, Write, Modify, List Folder Contents, Read & Execute

    Slide 53: Additional Hardening

    Slide 54: Additional Hardening

    Uninstallable Components
    Special Binaries

    Slide 55: Uninstallable Components

    1. Load %systemroot%\inf\sysoc.inf into notepad
    2. Replace "hide" with an empty string
    3. Run Add/Remove Applications
    4. Remove any unwanted/unneeded components (be careful!)
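Step 2 of this procedure is a search-and-replace that is easy to get slightly wrong in Notepad (a "hide" inside some other field, or an entry outside the [Components] section). The block below is an added example, not from the slides: it performs the edit programmatically, touching only the HIDE field of entries in the [Components] section and reporting which components it unhid. The sysoc.inf content is constructed in the real file's layout, with component names chosen for illustration; run the helper against a copy of the file.

```python
"""Unhide entries in a sysoc.inf (added example for step 2 of the slide's
procedure; not from the slides).  SAMPLE_SYSOC is constructed."""

SAMPLE_SYSOC = """\
[Version]
Signature = "$Windows NT$"

[Components]
NtComponents=ntoc.dll,NtOcSetupProc,,4
Games=ocgen.dll,OcEntry,games.inf,HIDE,7
IndexSrv_System=setupqry.dll,IndexSrv,setupqry.inf,,7
TerminalServer=TsOc.dll, HydraOc, TsOc.inf,hide,2
; hidden_note=this line is a comment and must not be touched,HIDE,0

[Global]
WindowTitle=%WindowTitle%
"""


def unhide_components(text):
    """Return (rewritten text, names of entries that were hidden).
    Only entries inside the [Components] section are changed, and only a
    field whose whole content is HIDE (any case) is blanked; section
    headers, comments, other sections and spacing are preserved."""
    out, unhidden, in_components = [], [], False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_components = stripped.lower() == "[components]"
        elif in_components and "=" in stripped and not stripped.startswith(";"):
            name, _, value = line.partition("=")
            fields = value.split(",")
            if any(f.strip().lower() == "hide" for f in fields):
                fields = ["" if f.strip().lower() == "hide" else f for f in fields]
                unhidden.append(name.strip())
                line = name + "=" + ",".join(fields)
        out.append(line)
    return "".join(out), unhidden


def unhide_file(src_path, dst_path):
    """Read a sysoc.inf copy, write the unhidden version, return the names."""
    with open(src_path, "r", encoding="utf-8", errors="replace") as fh:
        new_text, names = unhide_components(fh.read())
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return names
```

The list of names the function returns is the review checklist for step 4: each unhidden component is one more entry in Add/Remove Windows Components, and the slide's "be careful" applies to every one of them.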

    Slide 56: Special Binaries

    Several executables exist on a standard Windows 2000 installation that could become rather useful to an attacker

    Special access rights need to be set on all of these executables

    Slide 57: Special Binaries (cont.)

    Uncheck "Allow inheritable permissions from parent to propagate to this object".

    Remove all users from the name list, including SYSTEM.

    Assign Full Control to a user that is to be used to access these files, an administrator.

    Slide 58: Special Binaries (cont.)

    rsh.exe, secfixup.exe, telnet.exe, tftp.exe, ipconfig.exe,
    nbtstat.exe, netstat.exe, ping.exe, qbasic.exe, rdisk.exe,
    regedt32.exe, net.exe, nslookup.exe, posix.exe, rcp.exe,
    regedit.exe, rexec.exe, tracert.exe, command.com,
    os2.exe, os2ss.exe, arp.exe, at.exe, atsvc.exe,
    cacls.exe, cmd.exe, debug.exe, edit.com, edlin.exe,
    finger.exe, ftp.exe, xcopy.exe, os2srv.exe, cscript.exe,
    wscript.exe, iisreset.exe, route.exe, runonce.exe, syskey.exe

    Slide 59: What have we learned today?

    Physical Security
    OS Installation
    Account Policies
    Local Policies
    Services
    User Accounts
    IP Policies
    Permissions
    Hardening IIS
    Additional Hardening

    Slide 60: ?