版權說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權,請進行舉報或認領
文檔簡介
1、Building Your IT Security ChecklistSample checklist/audit plans for Unix, NT and Windows 2000 Active Directory1What have we just done?uThe Top 20 threats meet our risk criteria:Have a high probability of occurringResult in the loss of a critical serviceBe extremely expensive to fix laterResult in he
2、avy, negative publicity2Applying TBS to the real world!nTBS = Time Based SecuritynTop Ten Vulnerabilities, the vulnerabilities responsible for most hacksnApply TBS as an approach to an effective understandable security policynBasicsnPerimeternUnixnNTnWindows 20003The TBS Audit LayersnA complete IT a
3、udit/security checklist is a set of component audits/checklists. You should be able to measure E, D and R times for each layer of the security architecture.nComponentsnProcedural: E = D+RnPerimeter(Firewall): E = D+RnUNIX: E = D+RnNT/Windows 2000: E =D+R4CIS Rulers5CIS Rulers: A Security and Audit C
4、hecklistnLevel 1 nMandatory Actions required regardless of the hosts location or function.nLevel 2nDependent on your network topologynDifferent for switched nets vs. shared nets vs. wireless nets, etc.6CIS Rulers: Security Checklist & Audit PlanFTP WWW DB MailSwitched Wireless Non SwitchedLEVEL
5、1Level 3Level 27CIS Rulers: ProceduralnGeneral Administration PoliciesnKey security tool installednUser Accounts and environmentnSystem LogsnNetwork File sharingnGeneral Email IssuesnThis review is done during the Audit Planning Phase of the audit process8CIS Ruler: ProceduralnGeneral Administration
6、 PoliciesnAcceptable Use PolicynBackup PolicynSecurity Administrator dutiesnWhois Contact Information (Tech/Admin)nSystem changelogs (Source Revision Control)nIncident ResponsenMinimum software requirementsnUser, temp, system account policiesnPatches9CIS Ruler Example: Backups Does a backup policy e
7、xist? Do backup logs exist? What data is backed up How often data is backed up Type of backup (full, differential, etc.) How the backups are scheduled and verified How the backup media is handled and labeled How the backup media is stored How long the backup media is retained How backup media is rot
8、ated and expired How backup data is recovered 10CIS Ruler: ProceduralnKey security tools installednNetwork routers implement minimum filtering requirementsnVerify network routers are properly configured and monitored for in/out trafficnAre all firewalls properly configured and monitored for in/out t
9、rafficnThe above rules prevent DDOS attacks from affecting other nets.11CIS Ruler: ProceduralnUser Accounts and EnvironmentnRemove obsolete user entries from systemnSystem LogsnHow long are they kept? Are they secured?nNetwork file sharingnReview what filesystems this system can accessnReview what f
10、ilesystems this system exportsnEmail PolicynAbuse Policy?12CIS Ruler: Written Documentation, PoliciesuWhere is it?uIs it available to anyone that needs it?uIs it up to date?uIs anything major missing (SGI policies, but no HP policies)?13CIS Ruler Example: Security PolicynPurpose - the reason for the
11、 policy.nRelated documents lists any documents (or other policy) that affect the contents of this policy.nCancellation - identifies any existing policy that is cancelled when this policy becomes effective.nBackground - provides amplifying information on the need for the policy.14CIS Ruler:nScope - s
12、tates the range of coverage for the policy (to whom or what does the policy apply?).nPolicy statement - identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should be
13、prudent, expedient, and/or advantageous to the organization.nAction - specifies what actions are necessary and when they are to be accomplished.nResponsibility - states who is responsible for what. Subsections might identify who will develop additional detailed guidance and when the policy will be r
14、eviewed and updated.15Procedural: Incident Response Plan nAre the six Incident Response steps covered?nPreparationnIdentificationnContainmentnEradicationnRecoverynLessons Learned (if there are no lessons learned documents either the plan isnt followed or no incidents have occurred).16Procedural: Tra
15、ining & EducationnDo technical people have the training to do their job competently?nAre there standards their skills can be measured against?nAre there standards of compliance that ensure they are using their training in accordance with policy?17Procedural: Physical SecuritynConsoles in physica
16、lly secure areas?nFire suppression?nBackups? Offsite backups?nNetwork components secured?nPhone wiring secured?18Procedural: Windows 2000nThese are based on the SANS “Securing Windows 2000” booklet.nLeast Privilege PrinciplenAvoid granting unnecessary Admin privs.nLimit Domain Trust.nRestrict modems
17、 in workstations and servers.nLimit access to sniffer software (Network Monitor).19Procedural: Windows 2000nKeep system software updated.nUpdate and Practice a Recovery Plan.nRequire strong passwords.nRequire password protected screen savers.nEstablish Auditing and Review Policies.nRequire Administr
18、ators to have a User and Administrator account.nRequire antivirus software.nInstall host based IDS.nPerform periodical low-level security audits.20CIS Procedural Ruler ReviewnProcedural rulers give you a starting point for determining your sites policy pienThese policies include acceptable use, priv
19、acy, incident response, accountability, backup and any other appropriate actionnThe CIS procedural ruler is a consensus list of practices done at the charter members sites.21CIS Rulers for Solaris and LinuxnThis section explains the items listed in the CIS Security Benchmarks for Solaris and Linux.n
20、The commands are very similar and the strategy is the same for both OS.nWell be hardening the Solaris system in the lab portion of this course.22CIS Level 1 Ruler: UnixnPatchesnKey Security Tools InstallednSystem Access, authentication, authorizationnUser Accounts and EnvironmentnKernel Level TCP/IP
21、 tuningnKernel Tuning23CIS Level 1 Ruler: UnixnBatch Utilities: at/cronnUMASK issuesnFile/Directory Permissions/AccessnSystem LoggingnSSHnMinimize network services24CIS Level 1 Ruler: Unix25CIS Level 1 Unix Ruler - PatchesnDefine a regular procedure for checking, assessing, testing and applying the
22、latest vendor recommended and security patches.nKeep 3rd party application patches updated.nWhy?nThe first line of defense is proper patch/Service Pack installation.nPatches are living and need to be updated regularly26CIS Level 1 Unix Ruler: Security ToolsnThese tools help decrease your detection t
23、ime, DnInstall the latest version of TCP Wrappers on appropriate network servicesnSSH for login, file copy and X11 encryptionnInstall crypto file signature function to monitor changes in critical system binaries and config files (tripwire)27CIS Level 1 Unix Ruler: Security ToolsnInstall Portsentry o
24、r similar personal FW softwarenRun NTP or some other time sync toolnRun “l(fā)ogcheck” or similar syslog analysis or monitoring toolnInstall the latest version of sudo28CIS Level 1 Unix Ruler: Access, AuthorizationnNo trusted hosts features: .rhosts, .shosts or /etc/hosts.equivnCreate appropriate banner
25、 for any network interactive servicenRestrict direct root login to system consolenVerify shadow password file format is usednVerify PAM configuration29CIS Level 1 Unix Ruler: Kernel TCP/IP TuningnSystem handling of ICMP packets is securednSystem handling of source routed packets securednSystem handl
26、ing of broadcast packets securednUse strong TCP Initial Sequence NumbersnHarden against TCP SYN Flood attacks30CIS Level 1 Unix Ruler: Kernel , Batch UtilitiesnEnable kernel level auditingnEnable stack protectionnEnsure ulimits are defined in /etc/profile and /etc/.loginnRestrict batch file access t
27、o authorized usersnEnsure cron files only readable by root or cron user31CIS Level 1 Unix Ruler: UMASK, File Perms, AccessnSet daemon umask to 022 or stricternSet user default umask (022 or 027)nConsole EEPROM password enabled?nCheck /dev entries for sane ownership and permissionsnMount all filesyst
28、ems RO or NOSUIDnAll filesystems except / mounted NODEV32CIS Level 1 Unix Ruler: File Perms and AccessnVerify passwd, group, shadow file permsnVerify SUID, SGID system binariesnDisable SUID, SGID on binaries only used by rootnNo World-write dirs in roots search pathnSticky bit set on all temp direct
29、oriesnNo NIS/NIS+ features in passwd or group files if NIS/NIS+ is disabled33See what we can find /usr/bin/find / -local -type f -name .rhosts -exec ls -al ; -exec cat ; 2 (.rhosts) /usr/bin/find / -local -type f -user root -perm -4000 -exec ls -dal ; 2 (SUID files) /usr/bin/find / -local -type f -u
30、ser root -perm -2000 -exec ls -dal ; 2 (SGID files) find /(-local o prune) -perm 000002 print find /name .netrc -print find / -perm 1000 34Audit Report ExampleAudit MethodLs la (list files) against critical files to determine their permissionsFindingSeveral system configuration files in /etc are wri
31、tableRisk Level: HighSecurity Implication The /etc directory is critical for establishing the operating configuration of many system services including startup and shutdown. If an attacker is able to modify these files, it may be possible to subvert privileged operating system commands.Recommendatio
32、n Change permissions of all files in /etc to be writable by root or bin only.35/dev Permissions Exhibit# ls l /devtotal 72-rwxr-xr-x 1 root root 26450 Sep 24 1999 MAKEDEVcrw- 1 root sys 14, 4 Apr 17 1999 audiocrw- 1 root sys 14, 20 Apr 17 1999 audio1brw-rw- 1 root disk 32, 0 May 5 1998 cm206cdcrw-w-
33、w- 1 root root 5, 1 May 26 15:17 consolebrw- 1 root floppy 2, 1 May 5 1998 fd1brw-rw- 1 root disk 16, 0 May 5 1998 gscdbrw-rw- 1 root disk 3, 0 May 5 1998 hdabrw-rw- 1 root disk 3, 1 May 5 1998 hda1brw-rw- 1 root disk 3, 10 May 5 1998 hda10brw-rw- 1 root disk 3, 11 May 5 1998 hda11brw-rw- 1 root dis
34、k 3, 12 May 5 1998 hda12brw-rw- 1 root disk 3, 13 May 5 1998 hda13brw-rw- 1 root disk 3, 14 May 5 1998 hda14brw-rw- 1 root disk 3, 15 May 5 1998 hda15brw-rw- 1 root disk 3, 16 May 5 1998 hda1636World-Writeable and SUID/SGID FilesAudit MethodFind commands were executed on the servers to locate all fi
35、les with world-writeable permissions and SUID/SGID permissions. The output was redirected to appropriate files for later analysis. FindingA large number of world-writeable and SUID/SGID files were found on the server XYZ. Further, a number of files in the /usr, /opt and /var directories allow all us
36、ers to have write permission. Security Implication World-writeable files allow any user or an intruder to change the contents of a file, effecting information integrity. Also, for executable files, an intruder may replace the file with a trojan horse that can damage the system and its integrity. SUI
37、D/SGID files execute with the privilege of the owner/group. These can be subverted by an unauthorized user or intruder to escalate their privilege to those of the owner/group of the SUID/SGID file. Risk Level: High Recommendation Review all world-writeable and SUID/SGID files on the system. Using fr
38、eeware tools like fix-modes or YASSP can facilitate identifying and correcting the permissions on files. After the review, create a list of all the remaining “approved” World-writeable and SUID/SGID files on the system and store in a secure place. Periodically, check the system against this list to
39、identify changes and ensure that such changes are approved. NFS shared files, especially files in /usr, /opt and /var should be exported read-only to specific hosts. Further, through /etc/vfstab, the exported file systems (except special cases like /tmp, /dev and /) should be mounted with the nosuid
40、 option to prevent the inadvertent granting of SUID privilege on NFS mounted files.37CIS Level 1 Unix Ruler: System Logging and SSHnCapture messages sent to syslog AUTH facility (enable system logging)nCopy syslogs to central syslog servernAudit failed logins and SU attemptsnEnable system accounting
41、nLogins allowed via SSH only (no rsh, rlogin, ftp or telnet)38CIS Level 1 Unix Ruler: Reduce /etc/inetd.confnDisable name (UDP)nDisable exec/rexec (TCP)nDisable login/rlogin (TCP)nDisable uucp (TCP)nDisable systat (TCP)nDisable netstat (TCP)nDisable time (TCP/UDP)39CIS Level 1 Unix Ruler: Reduce /et
42、c/inetd.confnDisable echo (TCP)nDisable discard (TCP/UDP)nDisable daytime (TCP/UDP)nDisable chargen (TCP/UDP)nDisable rusersd (RPC)nDisable sprayd (RPC)nDisable rwall (RPC)40CIS Level 1 Ruler: Reduce /etc/inetd.confnDisable rstatd (RPC)nDisable rexd (RPC)nUse TCP Wrappers for all enabled network ser
43、vices (TCP/UDP)41Sample /etc/inetd.conf# Shell, login, exec, comsat and talk are BSD protocols.#shell stream tcp nowait root /usr/sbin/tcpd in.rshdlogin stream tcp nowait root /usr/sbin/tcpd in.rlogind#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd#comsat dgram udp wait root /usr/sbin/tcpd sat
44、talk dgram udp wait nobody.tty /usr/sbin/tcpd in.talkdntalk dgram udp wait nobody.tty /usr/sbin/tcpd in.ntalkdThis is a fragment of /etc/inetd.conf where shell, login, talk, and ntalk probably should be commented out. Note the /usr/sbin/tcpd so this system is probably running tcpwrappers. More of th
45、e file is in the notes pages.42CIS Level 1 Unix Ruler: Restrict RPCnRestrict NFS client request to originate from privileged portsnNo filesystem should be exported with root accessnExport list restricted to specific range of addressesnExport RO if possiblenExport NOSUID if possible43CIS Level 1 Unix
46、 Ruler: Email, X11/CDEnUse Sendmail v8.9.3 or later. (v8.11.6 is current 6/01/02)nRestrict sendmail prog mailernVerify privileged and checksums for mail programsnEnsure X server is started with XauthnUse SSH to access X programs on remote hosts44CIS Level 1 Unix Ruler: User Accts, EnvironmentnEnforc
47、e strong passwordsnNo null passwordsnRemove root equivalent users (UID=0)nNo “.” in root PATHnNo .files world or group writablenRemove .netrc, .exrc, .dbxrc filesnUser $HOME dirs should be .5135: udp 21:07:16.66 .5135 .26617: udp 695135 is SGI Object Server with a known vulnerability46CIS Level 1 Ru
48、ler ReviewnThe previous action items should be done on any Unix system on your network regardless of its functionnA similar checklist is being developed for Windows 2000.nThe Level 1 rulers impose a minimum security standard on all Unix and Windows 2000 systems.47CIS Level 2 RulersnOnce Level 1 rule
49、rs have been applied, you pick the appropriate Level 2 ruler.nThis is very organization specific. What works at my site might not apply at yours.nAdditional service may be disabled if they arent needed.48CIS Level 2 Ruler: UnixnKernel-level TCP/IP tuningnPhysical Console SecuritynSSHnMinimize networ
50、k servicesnMinimize RPC network servicesnGeneral email issuesnX11/CDE49CIS Level 2 Ruler: UnixnKernel TuningnNetwork options for non-router machinesnDisable multicastnPhysical Console SecuritynEnable EEPROM password. Who knows it?nSSHnRestrictively configure it50CIS Level 2 Ruler: UnixnMinimize Netw
51、ork ServicesnDisable inetd entirelynDisable FTPnDisable TelnetnDisable rsh/rloginnDisable comsatnDisable talknDisable tftp51CIS Level 2 Ruler: UnixnMinimize network servicesnDisable tftpnDisable fingernDisable sadminnDisable rquotadnDisable CDE Tooltalk server (ttdbserverd)nDisable RPC/UDP/TCP ufsnD
52、isable kcms_server52CIS Level 2 Ruler: UnixnDisable fontservernDisable cachefs servicenDisable Kerberos servernDisable printer servernDisable gssdnDisable CDE dtspcnDisable rpc.cmsd calendar server53CIS Level 2 Ruler: UnixnMinimize Network ServicesnIf FTP service is enabled, see additional level 3 r
53、equirements for FTP serversnIf tftp is enabled, use the security optionnIf sadmind is enabled, use the security option54CIS Level 2 Ruler: UnixnMinimize RPC network servicesnDisable NFS servernDisable AutomounternDisable NFS client servicesnAdd ports 2049, 4045 to privileged port listnDisable NISnDi
54、sable NIS+nReplace rpcbind with more secure version55CIS Level 2 Ruler: UnixnGeneral Email IssuesnDont run sendmail on machines that dont receive mailnRemove mail aliases which send data to programs (Vacation)nX11/CDEnDisable CDE if not needednUse the SECURITY extension for X-Server to restrict acce
55、ss56CIS Level 2 Ruler ReviewnLevel 2 rulers are site specific.nThey are more sensitive to vendor software requirements. For example, a vendor product may require that you enable the dreaded r-commands. You have no choice so you keep an eye on that vulnerability.nThey may impose stricter standards.57
56、CIS Unix Ruler ReviewnCIS Rulers are a good starting point for developing a Unix audit plan. Solaris, Linux, HP-UX available, AIX under review, CISCO router under reviewnLevel 1 ruler defines minimum security standards for all Unix systemsnLevel 2-3 rulers are more network and function specificnProc
57、edural rulers address policy issues58SummarynThe CIS benchmark document and scanning tool is an excellent resource you should use immediately to strengthen the security of your Solaris and Linux systems.nThe scanning tool provides you with a simple score that you can use to present to management.59L
58、ab ExercisenLets apply the steps in the CIS benchmark to the demonstration system.nWell run the scanning tool to get a baseline, make our mods and rerun the scanning tool to measure our progress.60Appendix 1Audit Checklists forWindowsThe SANS Institute61W2K CIS RulersnCIS Rulers have been developed
59、for Windows 2000 and NT systemsnFormat is similar to the Unix rulers (levels 1-3)nLevel 2, IIS benchmarks are in test at present.nTheyre free!62Sample Windows 2000 Level 2 Ruler63Sample VT Level 2 Ruler: Active Directory ROEnThe Child domain must have at least 1 fulltime peer BDC for the child domai
60、nnThe child domain controllers must meet Microsofts minimum computer hardware requirementsnNo 3rd party of Microsoft add-on software are allowed on child domain controllersnIIS, Certificate Services, Indexing Service, Windows Media Services, DNS, DHCP, WINS, printer/file services64Sample VT Level 2 Ruler: A
溫馨提示
- 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
- 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權益歸上傳用戶所有。
- 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預覽,若沒有圖紙預覽就沒有圖紙。
- 4. 未經(jīng)權益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
- 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責。
- 6. 下載文件中如有侵權或不適當內(nèi)容,請與我們聯(lián)系,我們立即糾正。
- 7. 本站不保證下載資源的準確性、安全性和完整性, 同時也不承擔用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。
最新文檔
- 代理收款合同范例
- 建筑勘察設計合同
- 簡化保價合同協(xié)議
- 電腦定制化購銷協(xié)議
- 便利店薯片購銷合同
- 個人借款合同的還款方式
- 借款協(xié)議書集團內(nèi)部
- 工作服采購合同模板
- 蕪湖市房屋買賣合同版式示例
- 集中采購和政府采購合同的效益分析
- 《地質(zhì)災害監(jiān)測技術規(guī)范》
- 2024-2030年中國云母制品制造市場發(fā)展狀況及投資前景規(guī)劃研究報告
- 2025年上半年內(nèi)蒙古鄂爾多斯伊金霍洛監(jiān)獄招聘17名(第三批)易考易錯模擬試題(共500題)試卷后附參考答案
- QC080000培訓講義課件
- 24秋國家開放大學《農(nóng)產(chǎn)品質(zhì)量管理》形考任務1-2+形考實習1-3參考答案
- 科技興國未來有我主題班會教學設計
- 房子管護合同范例
- 光伏施工安全措施
- 2024-2025華為ICT大賽(網(wǎng)絡賽道)高頻備考試題庫500題(含詳解)
- 汽車智能制造技術課件
- 江蘇省揚州市邗江中學2025屆物理高一第一學期期末學業(yè)質(zhì)量監(jiān)測試題含解析
評論
0/150
提交評論