security+ notes2
Author: unknown | Date: 2005-09-13 22:06 | Source: Blog.ChinaUnix.net | Editor: chinaitpower
Abstract: security+ notes2


security plus notes section2 

hardening OS

applying updates: software updates

1 security patch: a broadly released fix for a specific product that addresses a security vulnerability.

2 critical update: a broadly released fix for a specific problem that addresses a critical, non-security-related bug.

3 update: a broadly released fix for a specific problem that addresses a noncritical, non-security-related bug.

4 hotfix: a single package of one or more files that addresses one customer's problem; it is generally not distributed to others.

5 update rollup: a collection of security patches, critical updates, updates and hotfixes released as one package.

6 service pack: a cumulative set of hotfixes, security patches, critical updates and updates created since the release of the product, including many resolved problems that were never made available through any other software update, plus design changes or features requested by users.

7 integrated service pack: a version of a product released with a service pack already combined into one package.

8 feature pack: a release that adds functionality but does not address security issues; the new functionality is usually rolled into the next version of the product.

9 version: a major new release of the software incorporating all previous updates along with new features.

*** patch management system, features: # target a patch at a defined group of computers # reboot automatically after a patch is installed # report on, and verify, the download and installation of each patch # allow third-party tools to connect to the system ***

securing file system

common Windows NTFS folder permissions (each level includes the ones below it):

read --- see the files and subfolders within the folder and view the folder's ownership, permissions and attributes

write --- create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions

list folder contents --- see the names of the files and subfolders in the folder

read and execute --- move through folders to reach other files and folders even if the user has no permission on the folders being traversed; includes read and list folder contents

modify --- delete or rename the folder; includes read and execute, and write

full control --- change permissions, take ownership, and delete subfolders and files; includes every other permission

common Windows security templates:

# Rootsec.inf: reapplies the default root-directory permissions to the drive on which XP was originally installed; it does not override explicit permissions that have been set on child objects.

# Compatws.inf: the compatible (workstation) template; relaxes file and registry permissions for the local Users group so that legacy programs are more likely to run without making users members of Power Users.

# Securews.inf: the secure (workstation) template; tightens password, lockout and audit settings and removes all members from the Power Users group, but does not modify file-system ACLs.

# Hisecws.inf: the highly secure (workstation) template; requires network communications to be digitally signed and encrypted, so a computer configured with it can only talk to other computers that support the same settings. Do not apply it to a workstation that must reach servers that cannot meet those requirements.

*** GPOs: a setting changed in a local group policy cannot override a domain-based setting, which is applied to all computers in the domain.

hardening servers:

web servers: @ use ACLs to limit a web user's ability to navigate and browse web content and to run selected applications; never give a web user permission to write to the server. Suggested web server ACLs:

content files (.html .gif .jpg .txt): read only; script files (.asp): execute (scripts only); common gateway interface programs (.exe .dll .cmd): execute;

@update server regularly by installing patches and services packs

@ know the vulnerabilities the web server exposes: subscribe to security organizations that distribute information on the latest flaws, or regularly visit the sites where attackers publish them

@ delete the sample files included with the web server installation that are intended as references; they may contain security holes

@isolate the web server from the internal network

@be sure that the web server records its actions in a log file and examine the files regularly

@delete common gateway interface programs and scripts that are no longer required

@ if the server sends or receives sensitive information, use a technology that encrypts the transmission (SSL/TLS)

mail servers:

@ remove all applications except the mail service; a mail server should handle only email

@ mail servers are frequently exploited by spammers as open relays; configure relay permissions, such as the range of IP addresses that are allowed to send outbound messages through the server, so that it relays only for trusted clients and accepts external mail only for its own domains
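The relay rule above as an added, runnable example (this is illustrative code written for these notes, not part of the original page and not any particular MTA's implementation). The local domains, the trusted client networks and the probe address are constructed for the demonstration. A RCPT TO is accepted when the recipient is local (inbound mail) or the client is inside a trusted range (outbound mail); an external client asking to deliver to an external domain, which is exactly what an open-relay scanner or a spammer tries first, is refused.

```python
import ipaddress
from typing import Tuple

# Constructed policy for the example: the domains this server delivers for locally, and the
# client networks allowed to send outbound (relayed) mail through it. Adjust to your site.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def recipient_domain(address: str) -> str:
    """Return the domain part of a recipient address, rejecting malformed input."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or any(c.isspace() for c in address):
        raise ValueError("bad recipient address")
    return domain.lower()


def relay_decision(client_ip: str, rcpt_to: str) -> Tuple[bool, str]:
    """Decide one RCPT TO command: returns (accept, SMTP reply line)."""
    try:
        domain = recipient_domain(rcpt_to)
    except ValueError:
        return False, "501 5.1.3 Bad recipient address syntax"
    if domain in LOCAL_DOMAINS:
        # Inbound mail for our own users is accepted from anywhere; that is what the server is for.
        return True, "250 2.1.5 Recipient OK"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        # Outbound mail from our own network: relay it.
        return True, "250 2.1.5 Recipient OK"
    # External client to external recipient: the open-relay case spammers look for.
    return False, "550 5.7.1 Relaying denied"


def is_open_relay(decide) -> bool:
    """The check an open-relay scanner performs: from an untrusted address, ask the server
    to relay mail to a domain it is not responsible for. True means the server is abusable."""
    accepted, _ = decide("203.0.113.77", "victim@elsewhere.invalid")
    return accepted


if __name__ == "__main__":
    for client, rcpt in [("203.0.113.5", "bob@example.com"),
                         ("203.0.113.5", "victim@elsewhere.invalid"),
                         ("192.0.2.10", "victim@elsewhere.invalid")]:
        print(client, rcpt, relay_decision(client, rcpt))
    print("open relay:", is_open_relay(relay_decision))
```

Any real MTA also has to handle authenticated submission (SMTP AUTH) as a third way to earn relay rights; that is left out here to keep the decision to the IP-range rule the notes describe.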

FTP servers:

@ make sure anonymous logon is turned off unless it is absolutely required

@ restrict access to specific users by IP address

@ set the ACL to read only on an FTP server that only permits downloads

@ limit the number of logon attempts

USENET --- NNTP (news servers use the Network News Transfer Protocol, TCP port 119)

Data

3 primary types of database attacks:

# target the database management system itself, such as Microsoft SQL Server or Oracle, with buffer overflow attacks

# manipulate how the data is stored or retrieved by supplying malicious Structured Query Language (SQL) commands

# target the data itself

* SQL injection: manipulate an input form so that unauthorized commands are passed to the database. Countermeasures: give access to the data only to authorized individuals, and keep user input from being interpreted as part of the SQL statement
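The injection described above, as an added example written for these notes (not code from the original page): `login_vulnerable` splices the form fields straight into the statement text, the way the attack requires, and `login_safe` passes them as bound parameters so that quotes in the input stay data. The SQLite table, its two accounts and the `alice' --` and `' OR '1'='1` inputs are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two accounts, plaintext passwords only for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Form input pasted into the SQL text: quotes in the input become SQL syntax."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()   # (username, role) or None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the values never touch the statement text."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Username  alice' --  turns the rest of the WHERE clause into a comment.
    print(login_vulnerable(conn, "alice' --", "anything"))   # ('alice', 'admin')
    # Password  ' OR '1'='1  makes the WHERE clause true for every row.
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))   # ('alice', 'admin')
    print(login_safe(conn, "alice' --", "anything"))         # None
    print(login_safe(conn, "alice", "s3cret"))               # ('alice', 'admin')
```

The vulnerable version logs the attacker in as the first matching row, which in a typical schema is the administrator account created at install time; the safe version returns nothing for the same inputs because the driver sends the values separately from the statement.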

firmware updates:

EPROM chips have a small quartz window; to erase the chip, hold it under ultraviolet light so that the light passes through the window.

EEPROM chips are erased electrically, by applying signals to specific pins, so they can be rewritten in place.

The code held in ROM, EPROM and EEPROM is known as firmware.

workstations and servers:

>> disable nonessential services

>> do not allow users to grant permissions to other users over objects

>> install antivirus software on systems and applications

>> regularly update the OS and applications

>> remove any user accounts that are not essential

>> require strong passwords with a minimum length of 8 characters that expire after 30 days and cannot be reused

>> review audit logs regularly

>> set ACLs for all network users

>> use CHAP, Kerberos, and certificates when possible

>> use security templates

>> when using biometric devices, require an additional authentication factor such as a token
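The password rule in the list above (minimum 8 characters, expires after 30 days, no reuse), as an added example written for these notes rather than code from the page or from any operating system. The numbers come from the notes; the "three of four character classes" strength rule, the PBKDF2 hashing of the history and the dates used are assumptions for the demonstration. Reuse is detected by hashing the candidate against every salted hash in the account's history, so the old passwords themselves are never stored.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                 # from the notes
MAX_AGE = timedelta(days=30)   # from the notes
PBKDF2_ROUNDS = 100_000        # assumption for the example


def is_strong(password: str) -> bool:
    """Minimum length plus at least three of four character classes.
    The class rule is an assumption; the notes only say 'strong'."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Password state for one user: a salted hash of every password ever set, and the
    date of the last change. The newest entry in history is the current password."""

    def __init__(self, username: str, password: str, today: date):
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []
        self.changed_on = today
        problem = self.change_password(password, today)
        if problem:
            raise ValueError(problem)

    def _used_before(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self.history)

    def change_password(self, new_password: str, today: date) -> Optional[str]:
        """Return None on success, otherwise the policy rule that was violated."""
        if not is_strong(new_password):
            return "password does not meet the strength policy"
        if self._used_before(new_password):
            return "password has been used before"
        salt = os.urandom(16)
        self.history.append((salt, _derive(new_password, salt)))
        self.changed_on = today
        return None

    def is_expired(self, today: date) -> bool:
        return today - self.changed_on >= MAX_AGE

    def verify(self, password: str, today: date) -> str:
        """Return 'ok', 'bad password' or 'password expired'."""
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_derive(password, salt), digest):
            return "bad password"
        if self.is_expired(today):
            return "password expired"
        return "ok"


if __name__ == "__main__":
    day0 = date(2005, 9, 13)
    acct = Account("alice", "Corr3ct!Horse", day0)
    print(acct.verify("Corr3ct!Horse", day0))                        # ok
    print(acct.verify("Corr3ct!Horse", day0 + timedelta(days=30)))   # password expired
    print(acct.change_password("Corr3ct!Horse", day0 + timedelta(days=30)))  # reuse refused
```

Checking the wrong password before checking expiry matters: reporting "expired" to someone who has not proven the current password would confirm the account exists and its state to an attacker.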

switches and routers:

Switches and routers are sometimes managed using SNMP (Simple Network Management Protocol), part of the TCP/IP protocol suite, which lets network equipment gather data about network performance. A software agent is loaded onto each network device that is to be managed; the agent monitors the device and its traffic and stores that information in its MIB (management information base), which the SNMP management station polls.


Review: SNMP runs over UDP, ports 161 (requests to the agent) and 162 (traps to the management station). Cisco devices also use a randomly selected UDP port in the range 49152 to 59152; a message sent to that port resets the router by turning it off and then back on. ** This can be turned into a DoS by repeatedly sending messages to the port, causing the router to keep resetting.

Routers and switches:

# Configure the logon prompt so that it does not display any information about the brand or model of the device

# Disable HTTP and SNMP access if they are not being used

# If SNMP must be used, install SNMPv3, which adds authentication and encryption (v1 and v2c send the community string in cleartext)

# If unencrypted access must be used for services such as telnet, limit that access to specific trusted clients

# Log all activity

# Use encryption (for example SSH rather than telnet) when communicating with the devices


 


Example routing attack: an attacker who has gained access to the network through router C sends spoofed routing update messages to routers A and B indicating that the link between A and B is down, then has router C advertise itself as the alternative path through which A and B should send traffic to each other, allowing the attacker to see all of the traffic between them.
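The scenario above as an added simulation written for these notes (not code from the page or from any router vendor). Three routers A, B and C share a link-state database with every link at cost 1, so A's next hop toward B is B. A forged update claiming the A-B link is down, accepted blindly, moves A's next hop to C and puts the attacker in the path. The second half shows one countermeasure the notes do not spell out and which is therefore an assumption here: each router signs its updates with a per-router key, and a receiver applies a link report only if it is signed by a router that is actually an endpoint of that link. The attacker, holding only C's key, cannot forge B's report.

```python
import hashlib
import heapq
import hmac
import json
from typing import Dict, Optional, Tuple

Link = Tuple[str, str]


def initial_links() -> Dict[Link, Optional[int]]:
    """Constructed topology: a triangle of routers, every link cost 1. None means 'down'."""
    return {("A", "B"): 1, ("A", "C"): 1, ("B", "C"): 1}


# Constructed per-router keys for the authenticated variant; C's key is all the attacker holds.
KEYS = {r: hashlib.sha256(b"demo-key-" + r.encode()).digest() for r in ("A", "B", "C")}


def next_hop(links: Dict[Link, Optional[int]], src: str, dst: str) -> Optional[str]:
    """Dijkstra over the link-state database; returns src's first hop toward dst."""
    adj: Dict[str, list] = {}
    for (u, v), cost in links.items():
        if cost is None:               # link reported down: not usable
            continue
        adj.setdefault(u, []).append((v, cost))
        adj.setdefault(v, []).append((u, cost))
    dist = {src: 0}
    first: Dict[str, Optional[str]] = {src: None}
    queue = [(0, src)]
    while queue:
        d, u = heapq.heappop(queue)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                first[v] = v if u == src else first[u]
                heapq.heappush(queue, (d + cost, v))
    return first.get(dst)


def apply_unauthenticated(links: Dict[Link, Optional[int]], update: dict) -> bool:
    """A router that believes every update it receives, as in the scenario above."""
    links[tuple(sorted(update["link"]))] = update["cost"]
    return True


def sign_update(update: dict, key: bytes) -> dict:
    """Attach an HMAC over the canonical JSON of the update (assumed scheme, not a real protocol)."""
    body = json.dumps(update, sort_keys=True).encode()
    return dict(update, mac=hmac.new(key, body, "sha256").hexdigest())


def apply_authenticated(links: Dict[Link, Optional[int]], update: dict,
                        keys: Dict[str, bytes]) -> bool:
    """Apply a link report only if the claimed sender is an endpoint of that link
    and the MAC verifies under that sender's key."""
    sender = update.get("from")
    link = tuple(sorted(update["link"]))
    if sender not in link or sender not in keys:
        return False
    body = {k: v for k, v in update.items() if k != "mac"}
    expected = hmac.new(keys[sender], json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, str(update.get("mac", ""))):
        return False
    links[link] = update["cost"]
    return True


if __name__ == "__main__":
    forged = {"from": "B", "link": ["A", "B"], "cost": None}   # "A-B is down", not really from B
    naive = initial_links()
    apply_unauthenticated(naive, forged)
    print("naive router A now sends traffic for B via", next_hop(naive, "A", "B"))   # C
    careful = initial_links()
    print("signed forgery accepted:", apply_authenticated(careful, sign_update(forged, KEYS["C"]), KEYS))
    print("careful router A still sends traffic for B via", next_hop(careful, "A", "B"))  # B
```

Real protocols do this with neighbour authentication (for example the keyed-MD5 and SHA options in OSPF and BGP), which is the practical form of "use encryption when communicating with the devices" for routing updates rather than management sessions.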

 


RAS (remote access server) hardening:

# authentication and authorization

# data encryption

# account lockout: the number of failed logon attempts a user is allowed before access is denied

# packet-filtering rule base
