Security for Servers IS/CS 698 Min Song
Date posted: 20-Dec-2015

Page 1: Security for Servers IS/CS 698 Min Song. What is web server NetscapeInternetExplorer Internet http (80) Web Server https(443)

Security for Servers

IS/CS 698

Min Song


What is web server

[Diagram: browsers (Netscape, Internet Explorer), the Internet, and the Web Server, with connections labelled http (80) and https (443)]


Common Web Server security threats

• Unauthorized access
• Defacement
• Content theft
• Data manipulation
• Improper usage
• Hosting improper/malicious contents (e.g. phishing)
• Denial of Service

• Loss of revenue
• Loss of data (A-I-C)
• Damage to organizational image

Motives: financial gain, fun, political, revenge, proving competency


Common security flaws

• Insufficient network boundary security controls
• Flaws, bugs or improper configuration in web hosting software (OS, application, etc.)
• Insecure design and coding of hosted application
• Weak password
• Social engineering
• Lack of operational control


Defense-in-Depth

• Perimeter Defences: Packet Filtering, Stateful Inspection of Packets, Intrusion Detection
• Network Defences: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection
• Host Defences: Server Hardening, Host Intrusion Detection, IPSec Filtering, Auditing
• Application Defences: AV, Content Scanning, Layer 7 (URL) Switching Source, Secure Web and Mail Servers
• Data and Resources: Databases, Network Services and Applications, File Shares

[Diagram: layers labelled Data & Resources, Application Defenses, Host Defenses, Network Defenses, Perimeter Defenses; caption: Assume Prior Layers Fail]


Network Perimeter Defenses


[Diagram: Internet, Router, Firewall, DMZ Network, WWW Server]

• First line of defense
• Prevent unauthorized access


Choosing a firewall

Criteria
• Firewall types
  • Packet filter
  • Stateful Inspection Firewall
  • Application Proxy Firewall
• Software or Hardware / Appliance
• Certification (Common Criteria)

A firewall is only effective when proper rules (local security policy) are applied.

Secure the host and consult specific security guidelines as specified by the firewall vendor.


Intrusion Detection System

• An IDS analyzes and identifies attempts to hack or break into a computer system.
• It identifies attacks through various methods, including
  • anomaly detection
  • signature matching
• Types
  • Host IDS
  • Network IDS
• IPS
  • Host based
  • Network
  • Content based


[Diagram 1: Internet, Router, Firewall, DMZ Network, WWW Server, IDS]

[Diagram 2: Internet, Router, IPS, Firewall, DMZ Network, WWW Server]


[Diagram: layers labelled Data & Resources, Application Defenses, Host Defenses, Network Defenses, Perimeter Defenses; caption: Assume Prior Layers Fail]


Host Defense

• Configure the hosting operating system to provide optimum security
• Security requirements when selecting the operating system
  • Certification level (Common Criteria)
• Minimize the OS
• Keep software up-to-date
• Strong password policy
• Enable detailed logging


Host Defense

• Windows 2000: EAL 4
• Red Hat Enterprise Linux AS/WS V3: EAL 3
• Sun Solaris 8: EAL 4


Basic UNIX access control

In Unix, there are three levels of access control:

• Individual (user): Each user has a unique id (uid) in the system.
• Group: All users by default belong to the “user” group (some distributions), or to a singleton group containing only that individual user.
  • Users can belong to more than one group (most modern versions).
  • Usually a group is defined for each access control category. E.g.:
    • root/wheel (general administration)
    • www/web (web server administration)
    • mail (mail server administration)
  • Ad hoc groups can be used to facilitate collaboration such as directory and file sharing.
• World (or all): The universe of all users.


File permissions

File ownership: Each file and directory in UNIX (including programs) is “owned” by a specific user, a specific group, and the world.

To each level of ownership there is an associated set of permission values: read, write and execute. These values can be true (permission granted) or false. Only the owner of a file (or the special user root) can change the file permission settings.

Example:

drwxr-xr-x 11 brenodem brenodem 374 30 Aug 13:39 .

Indicates that the file ‘.’ (the current directory) is owned by user brenodem, who belongs to the singleton group brenodem. The directory was last modified on Aug. 30th at 13:39. The user brenodem is granted read, write, and execute privileges to the file. The group and world are granted read and execute (but not write) privileges to the file.


Meaning of file permissions

The meaning of permissions for files is clear, but can be complex for directories.

For instance, if a world-accessible file is located deep within a directory structure, all the parent directories of the file must grant execute permissions to the whole world. This is because, in order to traverse a directory structure, UNIX executes cd on each directory (starting from the lowest common directory, for instance ‘/home’). On the other hand, it is NOT necessary that the same directories be world-readable.

If a directory is not readable by a principal, its contents cannot be listed. However, it may well contain files that are readable by that principal, and these can be opened if their names are known.


Proper file and directory permissions

Any UNIX system contains several directories that are world executable, where most of the OS services reside:

• /bin (commands)
• /etc (configuration files for the above)
• /usr (utilities and applications)
• /usr/local or /local (extra utilities and applications)

These directories are not required to be world readable, only their content files need to be world readable. If the directories are not world readable (and owned by root) then only the system administrator will be able to have a global view of the system configuration and capabilities.

These directories should be writable only by root to prevent the installation of programs without the administrator’s knowledge. In particular they must be “owned” by root.
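
The traversal rule from "Meaning of file permissions" and the readable-versus-executable distinction above can be checked from the `ls -l` mode string alone. The script below is an added example, not part of the original slides; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspects mode bits only, so the answer does not depend on
# which user runs it. Function names and the demo tree are constructed.

# First 10 characters of `ls -ld`, e.g. drwxr-xr-x (type, user, group, world).
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# world_can_list DIR: true if the world read bit is set (contents can be listed).
world_can_list() {
    case $(mode_of "$1") in d??????r??) return 0 ;; esac
    return 1
}

# world_can_reach FILE [TOP]: the file needs world read, and every directory
# from its parent up to TOP (default /) needs world execute (search).
# Prints the first blocking component and returns 1; returns 0 if none.
world_can_reach() {
    file=$1 top=${2:-/}
    case $(mode_of "$file") in
        ???????r??) ;;
        *) echo "not world-readable: $file"; return 1 ;;
    esac
    dir=$(dirname -- "$file")
    while :; do
        case $(mode_of "$dir") in
            d????????[xt]) ;;          # t = sticky bit with execute set
            *) echo "no world search bit: $dir"; return 1 ;;
        esac
        case $dir in "$top"|/|.) return 0 ;; esac
        dir=$(dirname -- "$dir")
    done
}

# Constructed demo tree: directories are 711 (searchable, not listable).
demo=$(mktemp -d)
mkdir -p "$demo/site/docs"
echo "hello" > "$demo/site/docs/page.html"
chmod 755 "$demo"; chmod 711 "$demo/site" "$demo/site/docs"
chmod 644 "$demo/site/docs/page.html"
world_can_reach "$demo/site/docs/page.html" "$demo" && echo "reachable by world"
world_can_list "$demo/site/docs" || echo "but its directory cannot be listed"
chmod 750 "$demo/site"          # remove world search from one parent
world_can_reach "$demo/site/docs/page.html" "$demo" || true
rm -rf "$demo"
```
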


Changing ownership and permissions

The root user can change ownership and permissions on files at will.

    chown username filename

In some distributions, a user may change ownership of its own files to other users.

To change group ownership of a file, you must own the file and you must belong to the new group the file will be assigned to:

    chgrp groupname filename

To change permissions, you must be the file’s owner:

    chmod [o|g|a|u][+|-][r|w|x] filename

Example: chmod ug+wx filename adds permissions to write and execute the file to both the file owner and file group owner.


Effective ID

When a user tries to execute a program:

• The UNIX system decides whether the user is authorized to execute it (for instance, the user may belong to the file's owning group, and the file may be executable by the group).
• When the program is initiated, its effective ID is set to the ID of the user (or program) calling it.
  • For instance, if a utility program is owned by root (typical), but called by a regular user, the effective id of the running program will equal that of the caller (user), not root.

This standard mechanism is not sufficient in some cases. For instance, the login program.


SUID

The login program is invoked by regular users, but must have root privileges in order to access the protected password files (/etc/shadow), and to authenticate the user. (Effectively spawning a program under a particular user name even if called by another.)

This is called a “set user id” program (suid).

-r-sr-xr-x 1 root wheel 26756 16 Aug 10:32 /usr/bin/login

Note the ‘s’ in the list of privileges. That means that the caller (could be anybody, as the file is world executable) will spawn a program with the privileges of the group wheel (which can access the password file, and spawn programs (shell) under arbitrary user identities.)


Proper configuration of file permissions

The system of file access permissions underlies most of the access control decisions of the UNIX operating system.

It is a flexible mechanism that enables different configurations to accommodate different usage needs.

Improper configuration of file and directory permissions can create serious vulnerabilities.

The use of SUID programs is a powerful mechanism that should be utilized only when necessary. For instance, a fragile program with SUID permissions can be easily exploited to grant administrative privileges to an attacker.
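
One way to keep SUID use to "only when necessary" is to inventory set-id files and compare them with a reviewed list. The script below is an added example, not part of the original slides; the function names, the allowlist file format (one path per line) and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. Function names, the allowlist file and
# the sample tree are constructed for illustration.

# setid_kind FILE: prints suid, sgid or suid+sgid from the `ls -l` mode string.
setid_kind() {
    case $(ls -ld -- "$1" | cut -c1-10) in
        ???[sS]??[sS]???) echo suid+sgid ;;
        ???[sS]??????)    echo suid ;;      # runs with the file owner's uid
        ??????[sS]???)    echo sgid ;;      # runs with the file's group id
    esac
}

# audit_setid DIR ALLOWLIST: one finding per line, returns 1 if any.
#   UNLISTED = set-id file whose path is not in ALLOWLIST (one path per line)
#   WRITABLE = set-id file that group or world may modify
audit_setid() {
    findings=$(
        find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sort | while IFS= read -r f; do
            grep -qxF -- "$f" "$2" || echo "UNLISTED $(setid_kind "$f") $f"
            case $(ls -ld -- "$f" | cut -c1-10) in
                ?????w????|????????w?) echo "WRITABLE $(setid_kind "$f") $f" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo: one expected set-uid file, one unexpected and group-writable.
demo=$(mktemp -d)
mkdir "$demo/bin"
for name in login helper plain; do echo x > "$demo/bin/$name"; done
chmod 4555 "$demo/bin/login"     # -r-sr-xr-x, same mode as /usr/bin/login above
chmod 4775 "$demo/bin/helper"    # -rwsrwxr-x
chmod 755  "$demo/bin/plain"
echo "$demo/bin/login" > "$demo/allowlist"
audit_setid "$demo/bin" "$demo/allowlist" || echo "review the findings above"
rm -rf "$demo"
```
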


[Diagram: layers labelled Data & Resources, Application Defenses, Host Defenses, Network Defenses, Perimeter Defenses; caption: Assume Prior Layers Fail]


Web and Application Server Security

• Selecting the application software
• Minimize
• Keep up-to-date
• Avoid remote updating
• Use a secured and encrypted channel to update content


Database Security

• Aggregation
• Bypass attacks
• Improper or unauthorized access
• Data contamination
• Denial of Service


Antivirus

Use an anti-virus package on the Web Server system and on clients used for administration and content management.

All documents and files hosted on the web server should be checked for viruses and Trojans.


Logging, Backup and Integrity check

• Enforce a proper backup policy
• Centralized Syslog server
• Ensure log files are regularly archived, secured and analyzed
• Maintain a latest copy of Web site content on a secure host or on media.
• Maintain integrity check of all important files in the system.


Network Security vs. Physical Security

“With all the talk of network security and online threats…a baseball bat may be the most effective denial-of-service weapon of all.” (TechTV News, 2000)


Physical Access

If an intruder gets physical access to a computer, they can easily gain access to the information stored on the computer.

Methods
• Destroying
• Simply tucking the computer under their arm and walking off with it to collect the data at their leisure.
• Starting a computer with no passwords.
• Removing the hard drive and starting it on their own computer with full access to the information stored on the drive.


What is Physical Security?

“Physical Security is almost everything that happens before an attacker starts typing commands on the keyboard.” [1]

- For instance…

1. An alarm system that dials the police when there is a break-in at the office.

2. A key lock on a computer to disable the keyboard and keep unauthorized users from gaining access.

3. A UPS to prevent power surges from damaging your equipment and provide reserve power during a power outage.

[1] Garfinkel, Simson and Spafford, Gene, Practical Unix & Internet Security, O’Reilly and Associates, 1996, page 357


2003 CSI/FBI Computer Crime and Security Survey

• Most (91%) employ some kind of physical security to protect their computer.
• Almost one in ten organizations do not use any extra physical precautions to protect their computer assets.
• Difficulties involved with safeguarding portable devices
  • Laptop theft: 250 respondents, financial loss of $6,830,500


Implementation Cont.

Physically securing the servers
• Servers must be placed in a locked room.
• If needed, protect the room using electronic card access, thus recording any access to the room.
• If no hardware-based RAID system is installed in servers, there should be at least a software-based RAID system installed.
• If needed, use surveillance cameras.
• Lock CPU case and ensure key is protected.
• Make a backup key and keep this key in a safety deposit box (outside the office).


Implementation Cont.

Physically securing the servers cont.
• The server room should be arranged in a way that people outside the room cannot see the keyboard (thus seeing users/admin passwords).
• Any unused modem must be disabled/removed.
• No password evidence around the system.
• Any documentation concerning LAN settings, telecom equipments settings.
• Only a limited number of people should have access to the server room (no maintenance person should be allowed in these rooms).
• Keep track of your computer inventory (e.g. laptops are often stolen without company knowledge).


Challenges

• Enforcing security policies to everybody in an organization.
• Social engineering.
• Implementing tighter security prevents having an open atmosphere to share knowledge at universities.