Chapter 14: System Hardening and Baselines

Hardware Root of Trust

A Hardware Root of Trust is the concept that if one has trust in a source's specific security functions, this layer can be used to promote security to higher layers of a system. Because roots of trust are inherently trusted, they must be secure by design.

Storage Area Network (SAN)

A Storage Area Network (SAN) is a means of storing data across a secondary network. SANs operate to connect data storage devices as if they were local storage, yet they are separate and can be collections of disks, tapes, and other storage devices. Because the dedicated network is separate from the normal IP network, accessing the SAN requires going through one of the attached machines. This makes SANs a bit more secure than other forms of storage, Although loss through a compromised client machine is still a risk.

VLAN Management

A Virtual LAN, or VLAN, is a group of hosts that communicate as if they were on the same broadcast domain. By controlling the members of a VLAN, administrators can logically separate network traffic throughout the organization.

Environment:

A modern environment is separated into multiple areas designed to isolate the functions of development, test, and production. These areas are primarily used to prevent accidents from arising from untested code ending up in production, and they are segregated by access control lists as well as hardware, thus preventing users from accessing multiple different areas of the environment.

Microsoft Security Baselines

A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. Choosing which to set can be a laborious process. Security baselines bring an expert based consensus view to this task. Microsoft provides a security compliance toolkit to facilitate the application of Microsoft Recommended baselines for a system, called the Microsoft Security Compliance Toolkit (SCT). It is a set of tools that allows administrators to download, analyze, test, edit, and store Microsoft recommended security configuration baselines for Windows.

Trusted Operating System (TOS)

A trusted operating system is one that is designed to allow multilevel security in its operation. This is further by its ability to meet a series of criteria required by the U.S. Government.

Vulnerability Scanner

A vulnerability scanner is a program designed to probe hosts for weaknesses, misconfigurations, old versions of software, and so on... There are essentially three main categories or vulnerability scanners: 1. Network 2. Host 3. Application A Network Vulnerability Scanner probes a host (or hosts) for issues across its network connections. Hosts Vulnerability Scanners are designed to run on a specific host and look for vulnerabilities and misconfigurations on that host. Application Vulnerability Scanners are designed to look for vulnerabilities in applications or certain types of applications. Due to the number of checks they can perform, network scanners generate a great deal of traffic and a large number of connections to the system being examined, so care should be taken to minimize the impact on production systems and production networks. Note: If you want to scan a specific host for vulnerabilities, weak password policies, or unchanged passwords, and you have direct access to the host, a host vulnerability scanner might be the tool to use. If you want to examine a specific application or multiple instances of the same type of application (such as a website). an application scanner is the tool of choice.

Permissions/ACL

Access Control Lists (ACLs) form one of the foundational bases for security on a machine. ACLs can be used by the operating system to make determinations as to whether or not a user can access a resource.

Disabling Unnecessary Ports and Services

An important management issue for running a secure system is to identify the specific needs of a system for its proper operation and to enable to only items necessary for those functions. Disabling unnecessary ports and services prevents their use by unauthorized users and improves system throughput and security. (applies the implicit deny concept)

Anti-Spam

Anti-Spam are products that attempt to filter out endless stream of junk email so you don't have to. Most anti-spam products use similar techniques and approaches for filtering out spam: -Blacklisting -Header Filtering -Content Filtering -Language Filtering -User defined filtering -Trapping -Enforcing the specifications of the protocol -Egress filtering (outgoing messages)

Anti-virus

Anti-virus (AV) products attempt to identify, neutralize, or remove malicious programs, macros, and files. Although anti-virus products have had over two decades to refine their capabilities, the purpose of the anti-virus program remains the same: to detect and eliminate computer viruses and malware. Most anti-virus products combine the following approaches when scanning for viruses: -Signature based scanning - much like an IDS, the antivirus product scans programs, files macros, emails, and other data for known worms, viruses, and malware. -Heuristic scanning (analysis) - Heuristic scanning does not rely on a virus dictionary. Instead it looks for suspicious behavior. Heuristic scanning typically looks for commands or instructions that are not normally found in application programs, such as attempts to access a reserved memory register. Most anti-virus products use either a weight based system or a rule based system in their heuristic scanning. A Weight Based System rates every suspicious behavior based the degree of threat associated with that behavior. A Rule based system compares activity to a set of rules meant to detect and identify malicious software. Current anti-virus products are highly configurable and most offerings will have the following capabilities: -Automated updates -Automated scanning -Media scanning -Manual scanning -Email scanning -Resolution Anti-virus solutions are typically installed on individual systems (desktops, servers, and even mobile devices), but network-based anti-virus capabilities are also available in my commercial gateway products.

Antivirus Software for Workstations:

Anti-virus packages are available from a wide range of vendors. Running a network of computers without this basic level of protection will be an exercise in futility. Note: Anti-virus is an essential security application on all platforms, there are numerous compliance schemes that mandate anti-virus deployment, including Payment Card Industry Data Security Standard (PCI DSS) and North American Electric Reliability Council Critical Infrastructure Protections (NERC CIP).

App Locker

App locker is a component of enterprise licenses of Windows 7 and later that enables administrators to enforce which applications are allowed to run via a set of predefined rules.

Appliance

Appliances are standalone, wired into the network, and designed to run an application to perform a specific function on traffic. For reasons of economics, portability, and functionality, the vast majority of appliances are built on top of a Linux system.

Application Patches

Application patches are most likely going to come from the vendor that sells the application. Application patches are likely to come in three varieties: -Hotfixes -Patches -Upgrades Some application "patches" contain new or enhanced functions, and some change user-defined defaults during the installation of the patch. If you are deploying an application patch across a large group of users, it is important to understand exactly what that patch does.

Whitelisting vs. Blacklisting Applications

Applications can be controlled at the OS level when they are started via blacklisting or whitelisting. Blacklisting is essentially noting which applications should not be allowed to run on the machine. Whitelisting is the exact opposite: it consists of a list of allowed applications. Microsoft has two mechanisms that are part of the OS to control which users can use which applications: -Software restrictive policies - are employed via group policies and allow significant control over applications, scripts, and executable files. -User account level control - is enforced via AppLocker, a service that allow significant control over applications, scripts, and executable files. On a Linux platform, similar capabilities are offered from 3rd party vendor applications.

Device Configuration

As important as it is to keep software up to date, properly configuring network devices is equally, if not more, important. Here are some general steps to take when securing networking devices: -Limit Access to those who need it. -Choose good password. -Password protect the console and remote devices. -Turn off unnecessary services. -Change the SNMP community strings. Note: The use of "public" as an SNMP community string is an extremely well known vulnerability. Any system using an SNMP community string of "public" should have the string changed immediately.

Application Configuration Baseline

As with operating systems, applications (particularly those providing public services such as web servers and mail servers) will have recommended security and functionality settings. In some cases, vendors will provide those settings, in other cases, an outside organization such as NSA, ISSA, or SPANS will provide recommended configurations for popular applications. Many large organizations will develop their own Application Configuration Baseline - that list of settings, tweaks, and modifications that creates a functional and hopefully secure application for use within the organization.

Secure Baseline

Baselining is the process of establishing a software's base state. As a best practice, anything that is not required for operations should be removed or disabled on the system; then, all the appropriate patches, hotfixes, and settings should be applied to protect and secure it. This become the system's secure baseline and represents a secure state for the system or network device and a reference point of the software and configuration. Software and hardware can be tied intimately when it comes to security, so they must be considered together.

UFEI / BIOS

Basic Input / Output System (BIOS) is the firmware that a computer system uses as a connection between the actual hardware and the operation system. BIOS is typically stored on nonvolatile flash memory, which allows for updates, yet persists wen the machine is powered down. The purpose of BIOS is to initialize and test the interfaces to the actual hardware in a system. Once the system is running, the BIOS translates low-level access to the CPU, Memory, and Hardware devices, making a common interfaces for the OS to connect to. Unified Extensible Firmware Interface (UFEI) is the current replacement for BIOS. It is more secure.

Disable Default Accounts/Passwords

Because accounts are necessary for many systems to be established, default accounts with default passwords are a way of life in computing. Disabling default accounts/Passwords should be such a common practice that there should be no systems with this vulnerability.

Handling Big Data

Big data is the industry buzzword for very large datasets being used in many enterprises. Datasets in the Petabyte, Exabyte, and even Zettabyte range are now being explored in some applications. Security needs to be kept in mind.

Cloud Storage

Cloud computing is the use of online resources for storage, processing, or both. When data is stored in the cloud, encryption can be used to protect the data, so that what is actually stored is encrypted data.

Data Encryption

Data encryption continues to be the best solution for data security. Properly encrypted, the data is not readable by an authorized party.

Data at Rest

Data that is stored.

Desired State Configuration (DSC)

Desired State Configuration (DSC) is a power shell based approach to the configuration management of a system.

Electromagnetic Interference (EMI)

EMI is an electrical disturbance that affects an electrical circuit.

FDE/SED (Full Drive Encryption and Self Encryption Drives)

FDE and SED are methods of implementing cryptographic protection on hard drives and other similar storage media with the express purpose of protecting the data even if the drive is removed from the machine.

Firmware Version Control

Firmware is present in virtually every system, but in many embedded systems it plays an even more critical role because it may also contain the OS and Application. Firmware Updates require extreme quality measures to ensure that errors are not introduced as part of the update process

Patches

Fix a collection of issues.

Hotfixes

Fix a single issue

Full Disk

Full Disk Encryption refers to the act of encrypting an entire partition in one operation. Then as specific elements are needed, those particular sectors can be decrypted for use.

Establishing General Unix Baselines

General Unix baselining follows similar concepts as baselining for windows OSs: disable unnecessary services, restrict permissions on files and directories, remove unnecessary software, apply patches, remove unnecessary users, and apply password guidelines. Like Windows systems, Unix systems are easiest to secure and baseline if they are providing a single service or performing a single function, such as acting as a Simple Mail Transfer Protocol (SMTP) server or web server. Prior to performing any software installations or baselining, the administrator should define the purpose of the system and identify all of the required capabilities and functions Services on a Unix system (called Daemons) can be controlled through a number of different mechanisms. The OS can also start and stop services automatically through configuration files usually stored in /etc. (Note that Unix systems vary a good deal in this regard, some use a super server process, such as INETD, while others have individual configuration files for each network service). Unlike Windows, Unix systems can also have different run-levels in which the system can be configured to bring up different services, depending on the run-level selected.

Supply Chain

Hardware and firmware security is ultimately dependent of the manufacturer for the root of trust.

Hardware Security

Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with an enterprise. While hardware can be easily replaced if lost or stolen, the information that is contained by the devices complicates the security picture. Data or information can be safeguarded from loss by backups, but this does little in the way of protecting it from disclosure to an unauthorized party. There are software measures that an assist in the form of encryption, but these also have drawbacks in the form of scalability and key distribution. Notes: Physical security is an essential element of a security plan. Unauthorized access to hardware are networking components can make many security controls ineffective.

Hardware/Firmware Security

Hardware, in the form of servers, workstations, and even mobile devices, can represent a weakness or vulnerability in the security system associated with an enterprise. While hardware can easily replaced if lost or stolen, the information that is contained by the devices complicates the security picture

IPv4 vs IPv6

IPv4 is the Defacto communication standard in use on almost every network around the planet. Unfortunately, IPv4 contains some inherent shortcomings and vulnerabilities. In an effort to address these issues, IPv6 was created. If your network is not using IPv6, then you should disable IPv6 on all clients and servers to prevent malicious traffic from using this protocol to bypass security devices. This follows the principle of "if you are not using something, disable it".

Anti-malware

In the early days of PC use, threats were limited. But things have changed since those early days, and current threats a pose a much greater risk than before. According to the Sans Internet Storm Center, the average survival time of a unpatched Windows PC on the internet is less than 60 minutes.

Individual Files

Individual files can also be encrypted in a system. This can be done on the OS level or via a third party app. Managing individual file encryption can be tricky, as the problem moves to an encryption key security problem.

Electromagnetic Pulse (EMP)

Is a burst of current in an electronic device as a result of a current pulse from electromagnetic radiation. EMP can produce damaging current and voltage surges in today's sensitive electronics.

Data Execution Prevention (DEP)

Is a collection of hardware and software technologies to limit the ability of malware to execute in a system. Windows uses DEP to prevent code execute from data pages.

Hardware Security Module (HSM)

Is a device used to manage or store encryption keys. It can also assist in cryptographic operations such as encryption, hashes, and the application of digital signatures.

network operating system (NOS)

Is an operating system that includes additional functions and capabilities to assist in connecting computers and devices, such as printers, to a Local Area Network (LAN).

Operating System

Is the basic software that handles things such as input, output, display, memory management, and all the other highly detailed tasks required to support the user environment and associated applications.

Application Whitelisting

Is the exact opposite: it consists of a list of allowed applications.

Integrity Measurement

Is the measuring and identification of changes to a specific system away from an expected value. Whether it is the simple changing of data as measured by a hash value or the TPM-based integrity measurement of the system boot process and attestation of trust, the concept is the same: take a known value, store a hash or other key value, and then, at the time of concern, recalculate and compare the values. Notes: Understand how TPM, UFEI, Secure Boot, Hardware root of trust, and integrity measurement work together to solve a specific security issue

User Account Level Control

It is enforced via AppLocker, a service that allows granular level control over which users can execute which programs, through the use of rules, an enterprise can exert significant control over who can access and use installed software. On a Linux platform, similar capabilities are offered from third party vendor applicaitons.

Kiosk

Kiosk are standalone machine, typically operating a browser instance on top of a windows OS.

Software Updates

Maintaining current vendor patch levels for your software is one of the most important things you can do to maintain security. This is also true for the infrastructure that runs the network. Firmware on these devices need to be up to date.

Database

Major database engines have built in encryption capabilities. The advantage to these encryption schemes is that they can be tailored to the data structure, protecting essential columns while not impacting columns that are not sensitive.

OS types

Many different systems have the need for an operating system. Hardware in networks requires an operating system to perform the networking function. Severs and workstations require an OS to act as the interface between applications and hardware. Kiosks and appliances require a OS as well.

Group Policies

Microsoft defines a Group Policy as "an infrastructure used to deliver and apply on or more desired configurations or policy settings to a set of targeted computers within an Active Directory environment. Policy settings are stored in a group policy object (GPO) and are referenced internally by the OS using a Globally Unique Identifier (GUID). A single policy can be linked to a single user, a group of users, a group of machines, or an entire organizational unit (OU), which makes updating common settings on a large groups of users or systems much easier. Group policies can overwrite local policy settings. local policies are created and applied to a specific system (locally), are not user specific, and are overwritten by GPOs. Policies are applied in hierarchical order - local, then site, then domain, and so on. This means settings in the domain policy can be overridden or reversed by settings in the policies. If there are no conflict, the policy settings are aggregated (combined). Creating GPOs is usually done through either the Group Policy Object Editor or the Group Policy Management Console (GPMC). The GPMC is a more powerful Gui-based tool that can summarize GPO settings; Simplify security filtering settings; backup, clone, restore, and edit GPOs; and perform other tasks. Microsoft group policies can provide many useful options, including the following: -Network Location Awareness -Ability to process without ICMP -VPN compatibility -Power Management -Location based printing In Windows, policies are applied in hierarchical order. local policies are applied first, then site policies, then domain policies, and finally OU (organizational unit) policies. If a setting from a later policy conflicts with a setting from an earlier policy, then the setting from the later policy wins and is applied.

Hardening Microsoft Operating Systems

Microsoft has spent years working to develop the most secure and securable OS on the market. Here are some of the security capabilities in the Windows environment: -User Account Control (UAC) - allows users to operate the system without requiring administrative privileges. -Windows Firewall - includes an outbound filtering capability -BitLocker - allows encryption of all data on a server including any data volumes. -Windows clients work with Network Access Protection (NAP) -Windows Defender - is a built-in malware detection and removal tool.

Microsoft Security Compliance Manager

Microsoft provided a tool called security compliance Manager (SCM) to assist systems and enterprise administrators with the configuration of security options across a wide range of Microsoft platforms. SCM has been replaced by DSC.

Hardening Windows Servers

Microsoft touted Windows Servers 2008 as it's "most secure server" to date upon its release. -BitLocker allows encryption of all data on a server, including any data volumes. -Role based (group policy) installation of functions and capabilities minimizes the server's footprint -Network Access Protection (NAP) controls access to network resources based on a client computer's identity and compliance with corporate governance policy. -Read-only domain controllers can be created and deployed in high-risk locations, but they can't be modified to add new users, change access levels, etc.. -More granular password policies allow for different password policies on a group or user basis. -Web sites or web applications can be administered within IIS 7. -The traditional ROM-BIOS has been replaced with Unified Extensible Firmware Interface (UEFI) -The trustworthy and verified boot process has been extended to the entire windows OS boot code with a feature known as secure boot. -Early Launch Anti-Malware (ELAM) has been instituted to ensure that only known, digitally signed antimalware programs can load right after secure boot finishes (without requiring UEFI or Secure Boot). -DNSSEC is fully integrated -Data classification with Rights Management Service is fully integrated so that you can control which users and groups can access which documents based on content or marked classification. -Managed service accounts, introduced in Server 2008 R2, allow for advanced self-maintaining features with extremely long passwords, which can automatically reset every 30 days, all under the control of Active Directory in the enterprise -Credential guard enables the sue of virtualization-based security to isolate credential information, preventing password hashes or Kerberos tickets from being intercepted. -Windows Server 2016 includes device guard to ensure that only trusted software can be run on the server.

Mobile OS

Mobile devices began as phones with limited additional capabilities.

Anti-Spyware

Most anti-virus products will include anti-spyware capabilities as well. Spyware is the term used to define malware that is designed to steal information from the system, such as keystrokes, passwords, pins, and keys.

Network Segmentation

Network Segmentation is the use of network addressing schemes to restrict machine to machine communication within specific boundaries. This mechanism uses the network structure and the protocols themselves to accomplish a limitation of communication.

Network

Network components use a network operating system to provide the configuration and computation portion of networking. There are many vendors of vendors of networking equipment, and each has its own propriety operating system. Cisco has the largest footprint with its IOS (Internetworking Operating System). Juniper has Junos, Which is built off of a Stripped Linux Core. As software defined networking (SDN), the concept of a network operating system will become more important and mainstream because it will become a major part of day to day operations in the IT enterprise.

Linux Hardening

One of the "strengths" behind Linux is the ability of a sysadmin to fully control all of the features, the ultimate in customizable solutions. This can lead to leaner and faster processing, but can also lead to security problems. The application space is where user applications exist and run. These are above the kernel and can be changed while operating by simply restarting the application. The kernel space is integral to the system and can only be changed by rebooting the hardware. Thus, updates to kernel processes require a reboot to finish and become active. Securing Linux is in many way like securing any other operating system. Issues such as securing the services, keeping things up to date, and enforcing policies are all the same objectives regardless of the type or version of OS. The differences occur in how one achieves these objectives. Using passwords as an example, there is not centralized method like Active Directory and Group Policies. Instead these functions are controlled granularly using commands on the system. It is possible to manage passwords to the same degree as through unified systems; it just takes a bit more work. The same goes for controlling access to administrative or root access accounts. The PS (Process Status) command is used to view what processes are running. You can identify the service by its unique process identifier (PID) and then use the KILL command to stop the service. Linux is built around the concept of a file - everything is a file. Making everything addressable as a file makes permissions easier. Users are not files; they are subjects in the subject object model. Subjects act upon objects according to permissions. Users exist in the singular, and in groups, and permissions are layered between the owner of the object, groups, and single subjects (users). In Linux, a group is a list of users; this allows for shorter Access Control Entry (ACE) lists on objects because groups are checked first. The CHMOD command is used to change a file's permissions. For applications in the user space on a Linux box, setting the correct permissions is extremely important. These a permissions are what protect configurations and other settings that enable or disable a lot of functionality - and could if set erroneously, allow attackers to perform a wide range of attacks, including installing malware that can watch other users. Directories also use the same nomenclature as files for permissions, a W indicates that the contents can be written, a R indicates that the contents can be read, and X allows a directory to be entered. Both R and W have no effect without X being set. A setting of 777 indicates that anyone can list and create/delete files in a directory. 755 gives the owner full access, while others may only list the files. 700 restricts access only to the owner. The Switch User (SU) command can be used to run a command as another user, usually root.

Secure Boot and Attestation

One of the challenges in securing an OS is the myriad of drivers and other add-ons that hook into the OS and provide specific added functionality. If these additional programs are not properly vetted before installation, this pathway can provide a means by which malicious software can attack a machine. Because these attacks can occur at boot time, at a level below security applications such as antivirus software, they can be difficult to detect and defeat. UEFI offers a solution to this problem called Secured Boot, which is a mode that when enabled only allows signed drivers and OS loaders to be invoked. Secure boot enables the Attestation that the drivers and OS loaders being used have not changed since they were approved for use. Secure boot is supported by Windows and Linux.

Pop-up Blockers

One of the most annoying nuisances associated with web browsing is the pop up add. Pop up Blockers are programs designed to prevent this behavior typically in browsers.

Windows Local Security Policies:

Open the command prompt as the administrator or an account with admin privileges on a windows system, type SECPOL to bring up the local security policy utility.

Secure Configuration

Operating systems can be configured in a variety of manners - from completely with lots of functionality, whether it is needed or not, to stripped services needed to perform a particular task. This process of securing an OS is called hardening, and it is intended to make the system more resistant to attack, much like armor or steel is hardened to make it less susceptible to breakage or damage. You must meet several key requirements to ensure that the system hardening processes described in this section achieve their security goals. These are OS independent and should be a normal part of all system maintenance operations: -The base installation of all OS and application software comes from a trusted source and is verified as correct by using hash values. -Machines are connected only to a completely trusted network during the installation, hardening, and update process. -The base installation includes all current patches and updates for both the OS and applications. -Current backup images are taken after hardening and updates to facilitate system restoration to a known state These steps ensure that you know what is on the machine, can verify its authenticity, and have an established backup version. Notes: System hardening is the process of preparing and securing a system and involves the removal of all unnecessary software. Configurations: Modern software is configuration driven. This means that setting proper configurations is essential for the secure operation of the software. Using weak configuration files so attackers can weaken or misconfigure a system is a security failure. Default configurations should be checked to ensure the desired level of security.

Patch Management

Patch Management is the process used to maintain systems in an up-to-date, fashion, including all required patches. Every OS, from Linux to Windows, require software updates, and each OS has different methods for assisting users in keeping their systems up to date. Vendors typically follow a hierarchy for software updates: -Hotfix -Patch -Service Pack

Patch Management

Patch management is the processing of planning, testing, and deploying patches in a controlled manner. To assist in their patch management efforts, many organizations use a patch management product that automates many of the mundane and man power intensive tasks associated with patch management. For example, many patch management products provide the following: -Ability to inventory applications and operating systems in use. -Notifications of patches that apply to your environment. -Periodic or continual scanning of systems to validate patch status and identify missing patches -Ability to select which patches to apply and to which systems to apply them. -Ability to push patches to systems on an on-demand or schedule basis -Ability to report patch success or failure -Ability to report patch status on any or all systems in the environment. Patch management solutions can also be useful to satisfy audit or compliance requirements, as they can show a structured approach to patch management, show when and how systems are patched, and provide a detailed accounting of patch status within the organization. Microsoft provides a free patch management product called Windows Server Update Services (WSUS) Patch availability: Software vendors update software and eventually end support for older vendors. Software that has reached end of life can represent a threat to security as it is no longer being patched against problems as they are discovered.

Application Hardening:

Perhaps as important as OS and network hardening is Application Hardening - securing an application against local and internet based attacks. Hardening applications is fairly similar to hardening operating systems - you remove the functions or components you don't need, restrict access where you can, and make sure the application is kept up to date with patches.

Permissions Issues:

Permissions are the cornerstone of security and ACLs are how they are enforced. ACL mistakes and failures result in improper configuration of permissions, one of the most common errors in security. This is a problem to keep in mind through the material in the book. One question that should be in the forefront in the professional's mind both in configuring and testing is this: Are the permissions being done correctly?

Host-based Firewalls

Personal firewalls are host-based protective mechanisms that monitor and control traffic passing into and out of a single system. Software firewalls are extremely commonplace - so much that most modern OSs come with some type of personal firewall included. Linux based OSs have had built-in software-based firewalls for a number of years, including TCP Wrapper, IPChains, and IPTables. TCPWrapper - is a simple program that limits inbound network connections based on port number, domain, or IP address and is managed with two text files called Host.Allow and Host.Deny. IPChains - is a more advanced, rule-based software firewall that allows for traffic filtering, Network Address Translation (NAT), and redirection. Three configurable "chains" are used for handling network traffic: Input, Output and Forward. The Input Chain rules for traffic that is coming into the system. The Output Chain contains rules for traffic that is leaving the system. The Forward Chain contains rules for traffic that was received by the local system but it is not destined for the local system. (traffic is processed by the three chains) IPTables - uses the same three chains for policy rules and traffic handling as IPChains, but with IPTables each packet is processed only by the appropriate chain allowing for granular control and enhances performance.

Protection Rings

Protection rings were devised in the Multics Operating System in the 1960s to deal with security issues associated with time-sharing operations. Protection rings can be enforced by hardware, software, or a combination of the two, and they serve to act as a means of managing privilege in a hierarchical manner. Ring 0 is the level with the highest privilege and is the element that acts directly with the physical hardware (CPU and Memory) (OS Kernel). Higher levels, with less privilege, must interact through adjoining rings through specific gates in a predefined manner. Use of rings separates elements such as applications from directly interfacing with the hardware without going through the OS and, specifically, the security kernel, as shown here: Ring 0 = OS Kernel Ring 1 = Device Drivers (and Admin/root account) Ring 2 = Libraries (DLL files) Ring 3 = Applications

Data Based Security Controls:

Security controls can be implemented on a host machine for the express purpose of providing data protection on the host.

Server

Servers require an operating system to bridge the gap between the server hardware and the applications that are being run. Currently, Server OSs include Microsoft Windows Servers, many flavors of Linux, and more and more VM/Hypervisor environments. For performance reasons, Linux has a significant market share in the realm of server OSs, although windows server with its Active Directory technology has made significant inroads into the market share.

Securing Management Interfaces

Some network security devices will have "management Interfaces" that allow for remote management of the devices themselves (SSH, WebGUI) which are not allowed on any other interface. Due to this high level of access, management interfaces and management applications must be secured against unauthorized access. They should not be connected to public network connections (the internet) and DMZ connections.

Server Hardening Tips:

Specific security needs can vary depending on the server's specific use, but at minimum, the following are beneficial: -Remove unnecessary protocols such as telnet, NetBios, Internetwork Packet Exchange (IPX), and File Transport Protocol (FTP). -Remove unnecessary programs such as Internet Information Services (IIS) -Remove all shares that are not necessary -Rename the administrator account, securing it with a strong password. -Remove or disable the local Admin account in Windows. -Disable unnecessary User Accounts. -Disable unnecessary ports and services. -Keep the operating system (OS) patched and up to date. -Turn on Event Logging for determined security elements. -Control physical access to servers. -write down the hash values of all critical files once you have baselined and configured the server.

Workstation

The OS on a workstation exists to provide a functional working space for a user to interact with the system and its various applications.

TPM (Trusted Platform Module)

The Trusted Platform Module (TPM) is a hardware solution on the motherboard, one that assists with key generation and storage as well as random number generation. When the encryption keys are stored in the TPM, they are not accessible via normal software channels and are physically separated from the hard drive or other encrypted data locations.

Hardening Unix or Linux Based Operating Systems

The concepts behind securing different Unix or Linux based operating system are similar.

Machine Hardening

The key management issue behind running a secure server setup is to identify the specific needs of a server for its proper operation and enable only items necessary for those functions. Keeping all other services and users off the system improves system throughput and increase security. Reducing the attack surface area associated with a server reduces the vulnerabilities now and in the future as updates are required. The primary method of controlling the security impact on a network is to reduce the available attack surface area. Turning off all services that are not needed or permitted by the policy will reduce the number of vulnerabilities. Removing methods of connecting additional devices to a workstation to move data - such as optical drives or USB ports - assists in controlling the movement of data into and out of the device. User-level controls, such as limiting e-mail attachment options, screening all attachments at the email server level, and reducing network shares to needed shares only, can be used to limit excessive connectivity that can impact security. Once a server has been built and is ready to be placed into operation, the recording of the hash values on all of its crucial files will provide valuable information later in case of a question concerning the possible system integrity after a detected intrusion.

Anti-Virus Software for Servers:

The need for antivirus protection on servers depends a great deal on the use of the server. Some types of servers, such as email servers, require extensive anti-virus protections because of the services they provide. Other servers (domain controllers, and remote access servers), may not require any anti-virus software, as they do not allow users to place files on them.

OS Security

The operating system itself is the foundation of system security. The operating system does this through the use of a security kernel. The Security Kernel is also called a reference monitor and is the component of the operating system that enforces the security policies of the operating system.

Baselining

The process of establishing a system's (operational) security state.

Mobile Devices

The protection of mobile devices goes beyond simple encryption of the data, as the device can act as an authorized endpoint for the system, opening up avenues of attack.

Windows Defenders

The stated purpose of Windows Defender is to protect your computer from spyware and other unwanted software. It has the following capabilities: -Spyware detection and removal -Scheduled scanning -Automatic updates -Real-time protection -Software Explorer -Configurable responses

Test

The test environment is one that fairly closely mimics the production environment, with the same versions of software (down to the patch level), same sets of permissions, file structures, and so on.

Service Pack

This refers to a large collection of patches or hotfixes rolled into a single, rather large package.

Hotfix

This term refers to a (usually) small software update designed to address a specific problem, such as a buffer overflow in an application that exposes the system to attacks.

Patch

This term refers to a more formal, larger software update that can address several or many software problems.

Host Software Baselining

To Secure, Configure, and Patch Software, administrators must first know what software is installed and running on systems. Sometimes called "default", "gold", or "standards" configurations, a software baselines contains all the approved software that should appear on a desktop or server within the organization.

USB Encryption

Universal Serial Bus (USB) offers an easy connection mechanism to connect devices to a computer. Many mechanisms exist, from encryption on the USB device itself, to OS-enabled encryption, to independent encryption before the data is moved. Each of these mechanisms has advantages and disadvantages, and it is ultimately up to the user to choose the best method based on the sensitivity of the data.

Network Hardware:

While considering the baseline security of systems, you must consider the role the network connection plays in the overall security profile. Once computers are attached to a network, they are open access from any other user on that network. Proper controls over network access must be established on computers by controlling the services that are running and the ports that are opened for network access. This should be done to network devices as well (switches, routers, and modems). OSI Model: level 1 = Physical level 2 = Data link level 3 = Network level 4 = Transport level 5 = Session level 6 = Presentation level 7 = Application

Securing a Workstation:

Workstations are attractive targets for crackers because they are numerous and can serve as entry points into the network and the data that is commonly the target of an attack. Although security is a relative term, following these basic steps will increase workstation security immensely: -Remove unnecessary protocols such as telnet, Netbios, and IPX. -Remove unnecessary Software. -Remove modems unless needed and authorized -Remove all shares that are not necessary -Rename the administrator account, securing it with a strong password. -Remove or disable the local admin account in Windows -Disable all unnecessary user accounts. -Disable all unnecessary ports and services -Install an antivirus program and keep it updated. -Remove or disconnect floppy drive if not needed. -Consider disabling USB ports via BIOS or restrict data movement to USB devices. -Install a firewall if one doesn't exist -Keep the OS patched and up to date -Keep all applications patched and up to date -Turn on event logging for determined security elements.

Development

a development system is one that is sized, configured, and set up for developers to create applications and systems.

Data in Transit

any data transmitted over a network

Software Restrictive Policies

are employed via group policies and allow significant control over applications, scripts, and executable files. The primary mode is by machine and not by user account

Data in Use

data in temporary storages buffers while an application is using it example, RAM. Protecting data while in use is a much trickier proposition than protecting it in transit or storage. Protected memory schemes and address space randomization are two tools that can be used to prevent data security failures during processing. Secure coding principles, including the definitive wiping of critical data elements once they are no longer needed, can assist in protecting data in use.

Upgrades

have a more positive spin to patches. and might change some user-defined defaults during its installation.

Application Blacklisting

is essentially noting which applications should not be allowed to run on the machine.

Microsoft Attack Surface Analyzer

one of the challenges in a modern enterprise is understanding the impact of system changes from the installation or upgrade of an application on a system. To help overcome that challenge, Microsoft has released the Attack Surface Analyzer (ASA), a free tool that can be deployed on a system before a change and then again after a change to analyze the changes to various system properties as a result of the change.

Data Security

refers to the actions taken in the enterprise to secure data, wherever it resides: in transit, at rest, or in use.

Sandboxing

refers to the quarantine or isolation of a system from its surroundings (virtual machines).