Hardening: Theory and General Practice

Hardening is the process of protecting a system against unknown threats. This book by Jonathan Hassell (Hardening Windows, Apress, ISBN: 1-59059-266-2) is designed to provide a quick and easy checklist-style reference for system administrators who need to anticipate attacks and compromises. This chapter looks at the theories behind security and hardening a system, and how you can take very general approaches to overall organizational security before investigating specific hardening practices on your Windows client and server machines.

“You should be exactly as paranoid as it is cost-effective to be.”
—Scott Collins

These are wise words from security expert Scott Collins, and they serve as the underlying motivation behind this book.

Computer security seems to be making the news a lot lately. Almost every week, malevolent forces crawl out of the woodwork to take down high-profile websites. Companies lose millions of dollars and suffer damage to computer systems. As a result, large companies spend thousands of dollars on security systems and products to protect the doors to their corporate networks. Microsoft recently bore the brunt of two intruder attacks on its web properties. The result was hours of downtime and decreased customer confidence.

It’s hard to know the number of intruders currently threatening the computer realm. Many systems administrators and users have built up a tolerance to attempted hacking. They have accepted intruders as the norm, as by-products of using a directly connected system. Many attempts, whether successful or not, go unnoticed by users. Internet security experts agree, though, that the number of attempts at security breaches is increasing, as is the sophistication and efficiency of the attempts. To keep up, vendors and security hardware manufacturers struggle to plug the security holes that intruders uncover and exploit with today’s easy-to-use system-cracking tools.

An intruder attack is only one facet of security with which you should be concerned. Viruses are another big security threat; the fact that they spread easily only increases their infestations. For example, worm viruses spread when users open email attachments, which cause the virus to email itself to the user’s entire contact list. Other Trojan horse viruses can come into your system and leave a back door for intruders who will use your computer to make countless attacks on other users’ machines.

Helping you learn how to protect your computing environment from these various threats is the purpose of this book. System administrators all around the world know the Internet is a hostile environment. They can’t tell when a hacker will attempt to gain access to the SQL server, but they can bet that there will be an attempt soon. Because the operating system is vital to a computer’s functioning, and because it’s the only layer between the machine’s available resources and its users, it’s critical that the OS resists compromise.

Hardening is this process of protecting a system against unknown threats. System administrators harden against whatever they think could be a threat. This book is designed to provide a quick and easy checklist-style reference for system administrators who need to anticipate those attacks and compromises. You’ll need to harden Windows NT, 2000, XP, and Server 2003 against these threats. And in this chapter, I’ll look at the theories behind security and hardening a system, and how you can take very general approaches to overall organizational security before investigating specific hardening practices on your Windows client and server machines.

This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.

Buy this book now.

What Is Security?

To protect the well-being or integrity of something, to ensure the safety of property or interests in an object from intrusion, or to keep a concept or object private, you’ll need to secure a system. In the hostile environment of the Internet, system administrators need to restrict access to assets. To grant access to a selected group of users, you need to know who to trust and how to verify the credentials of—authenticate—those you allow to use your systems.

The cornerstones of any security policy include the following:

  • Privacy, or the ability to keep things private and confidential
  • Trust, or the question of whether you should take data or objects at face value
  • Authenticity, or verifying that contacts are made with people who are accurately representing their identity
  • Integrity, or the process of ensuring a system hasn’t yet been compromised and will remain secure

This book will focus entirely on the practical aspects of hardening a Windows-based computer. What are these practical checkpoints, which comprise the rest of this book, designed to do? What is the underlying motivation? Focusing for a bit on the more general aspects of computer security allows you to harden your systems in ways that you might otherwise ignore or fail to imagine. Therefore, I’ll discuss security and its associated theoretical issues, and then move into practical considerations that aren’t limited to just Windows machines—suggestions that are appropriate for any connected machine.


The Security Dilemma

Security depends on two things: First, a person must define what security means for them, and second, that person must communicate that idea clearly and competently to the community around him. Security suffers from such a problem these days because of issues related directly to these two requirements. Security for each person is different. Though one person may be satisfied with a BIOS password and a floppy disk, another person might take great pains to double- and triple-encrypt files. She may wish to transfer them only over IPsec-protected links, and purchase trusted Secure Sockets Layer (SSL) certificates for any type of public service she offers. And because the definition, meaning, and intrinsic value of security differs so wildly between parties, it’s difficult to communicate a clear security policy to the user community. Therein lies a critical problem—you can only have effective security when everyone understands the level of security required and when everyone agrees security is necessary. And in practice, as you might imagine, an understanding of security on the part of the user is something that’s usually severely lacking.

The very existence of security resides in trust. In fact, it can be argued that every security problem boils down to the simplest level as a question of trust. The idea of security is introduced for the sole purpose of protecting yourself against parties whom you don’t trust. To do this, usually some kind of technology is put into place to move trust from a risky “zone” to a safer, more palatable area. A great example is a front door lock: You don’t trust the general public, and therefore you’re wary of them stealing your belongings without your knowledge. You install a lock on the front door of your house. You still don’t trust the general public, but you trust the lock to do its job to keep the untrusted people out. You obviously have less of a problem trusting the lock than trusting the intentions of a great number of people to whom you’re unaccustomed. You can’t fully trust the lock either, so you install an alarm system that notifies the police if someone breaks in. You’ve displaced your trust from the public to the police, the alarm system, and the lock.

Each day, you proceed about your business, placing your trust semiconsciously in banks, automated teller machines, online shopping sites, the police, all levels of government, and other various establishments. The list goes on and on. You don’t question this trust, because it’s seldom broken, but that isn’t always the end result. For example, when a child learns to drive a car, he places lives at risk. Because of this risk, most municipalities and governments require the child to pass an exam to demonstrate his mastery of the safe operation of the equipment. Computer systems are equally capable of causing great damage, even though they aren’t sentient. Your life is interrupted when computer systems malfunction, and this indicates an increasing reliance on them. Your trust in computers and their users is often quite misplaced. This is where the problems truly come from.


Enemies of Security

To achieve truer security, system administrators need to examine a method for analyzing systems to probe their weaknesses and detail their own assumptions about those systems’ security, rather than blindly placing trust in them. If security is to be discussed in a more serious way, there needs to be the following:

  • Identification of what one is trying to protect
  • Evaluation of the main sources of risk and where trust is placed
  • Assumption of possible countermeasures to potential attacks

You can define a secure system as one in which all of the threats have been analyzed and one in which countermeasures are in place for all of the threats. There are a few stumbling blocks that hinder your ability to create secure systems. The first is complexity: Users will become impatient and work around security if it becomes too cumbersome for their work style and flow. Next is the need for backward compatibility in software. Often security is tightened in later revisions of software, but to remain operable with the previous version of a package, security restrictions might be loosened. Additionally, backups create a somewhat obscure but very real hole. The fact that backups are usually conducted with redundancy in mind might translate to more opportunity for data to be stolen. Security must be applied to backups as well as normal operations.

The problem, however, is how to know what all of the possible threats against a system are. That’s where this book comes in. You can’t always know all of your threats; it’s impossible to have that sort of knowledge. But you can batten down the hatches and take precautions to forestall and thwart any future attempted intrusions.

Some General Hardening Suggestions

In the rest of this chapter, I’ll discuss some points that you can consider to harden your network overall. I’ve broken them down into three encompassing categories: software, hardware, and network considerations. Again, the following aren’t meant to be specific suggestions; they’re meant more as broad launching points for the specific checkpoints presented later in this book, and for future improvements to the integrity of your network that you can make on your own.


Some General Hardening Suggestions: Software Considerations

Let’s begin with the behemoth: service packs. Service packs are applications that are released after the public release of a software package. More specifically, they’re collections of hotfixes, or patches to flaws that are found after an application’s mainstream availability. Most of these service packs include security fixes to correct areas of the program code that weren’t secured by the developers and therefore have vulnerabilities. You can be sure that your system will be examined by nefarious users looking for these vulnerabilities; you can be equally certain new vulnerabilities are being searched out as you read this by these same miscreants. The bottom line: Keep all machines on the network updated and check with the operating system and application vendors on a regular basis for service releases and hotfix patches.

Next on the list are viruses, a rapidly growing irritation. As you may be aware, many new viruses are released weekly. Because of this, if an Internet connection comes anywhere near any machine, you should use antivirus software. It should be kept up-to-date on a regular basis. To protect yourself, take a look at these guidelines:

  • Any software downloaded from the Internet should be stored and installed on test systems before any production deployment, and the system should be scanned for viruses after the software has been tested.
  • Like safe sex, don’t download software from unknown sources; a prominent violation of this policy is the retrieval of programs from peer-to-peer file transfer services. This not only endangers the host computer, but the entire network. Lately, viruses have begun to spread onto network shares after their initial execution and, depending on the strain of virus, this can cause many hours of downtime, which results in a significant financial liability.
  • For best results, you should configure your virus software to the most restrictive level, thereby ensuring that any virus activity is contained to one computer without infecting the network.
  • Most modern antivirus programs include the option to attempt to repair an infected file—you will likely have mixed results with this feature. It’s acceptable to repair the infected file for a period of time so that the system can become operational.
  • As a matter of practice, I always recommend that infected systems be wiped clean and reinstalled from an empty hard disk as soon as possible. As hard as the antivirus companies try, they may never completely penetrate a virus’s payload; they might not ever realize the true extent of a virus’s damage to a system, so to be safe, restarting the system from a known clean baseline is always the cheapest insurance.
  • Block all potentially malicious file types, such as VBS, EXE, COM, and SCR, from your mail server. These file types are rarely used for legitimate business purposes and can accidentally be executed by unsuspecting users. This can compromise your entire network. Remember the Melissa virus?
  • Set your antivirus to scan the selected extensions for virus patterns that may exist. This ensures that a virus doesn’t slip past your firewall.
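The attachment-blocking guideline above, as an added example that is not from the book: a Python filter of the kind that would run at the mail server, flagging attachments whose effective extension is VBS, EXE, COM or SCR. The message it parses is constructed, and the filename normalisation (case, trailing dots and spaces, double extensions such as report.txt.vbs) is my assumption about what is needed, based on Windows deciding file type from the last extension.

```python
"""Block mail attachments of the types the chapter names (VBS, EXE, COM, SCR)
before they reach the client.

Added example, not from the book. The message is constructed; the filename
normalisation (case, trailing dots/spaces, double extensions) is the edge-case
handling added here, since Windows picks the file type from the last extension.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types the chapter says are rarely legitimate and easy to run by accident.
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".com", ".scr"}


def is_blocked(filename):
    """True when the filename's effective extension is on the block list.

    Normalise the way the desktop will: ignore case, drop trailing dots and
    spaces, and judge by the final extension so 'report.txt.vbs' is caught.
    """
    name = filename.strip().lower().rstrip(". ")
    return os.path.splitext(name)[1] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Parse a raw RFC 822 message and return the attachment names to block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        # Content-Type is sender-controlled, so the filename, not the MIME
        # type, decides: a text/plain part named .vbs still runs as a script.
        name = part.get_filename() or ""
        if is_blocked(name):
            hits.append(name)
    return hits


def decide(raw_message):
    """Return ('REJECT', names) when any attachment is blocked, else ('ACCEPT', [])."""
    names = blocked_attachments(raw_message)
    return ("REJECT" if names else "ACCEPT"), names


def build_sample_message():
    """Construct a multipart message with one benign and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please find the report attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Double extension declared as text/plain, in the style of mass-mailing worms.
    msg.add_attachment(b"constructed placeholder, not a script",
                       maintype="text", subtype="plain", filename="Report.txt.VBS")
    # Screen-saver extension hidden behind an image-like name.
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.scr")
    return msg.as_bytes()
```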


Some General Hardening Suggestions: Hardware and Network Considerations

In this section, you’ll look at some considerations about hardening your hardware. Because this book focuses on Windows, it doesn’t contain room anywhere else for these kinds of suggestions, but I’d be remiss not to include them. In any case, Windows depends as much on external hardware devices for security as it does on its own internal mechanisms.

The most obvious piece of the physical-device puzzle is the firewall, an integral part of any network that is connected to the Internet. Without a firewall, any Internet-connected machine can be subjected to denial-of-service attacks, targeted service attacks, network-penetration efforts, and other bad events. All of these attacks are very difficult to trace back to their origin, too, making a “forensic analysis” next to impossible. Consider the following firewall suggestions:

  • Block TCP ports 135, 139, and 445, and UDP ports 135, 137, and 445. These are Microsoft Windows’s networking ports that have been traditionally vulnerable to a great many distributed service attacks, and there’s little use for them over the Internet.
  • Block all other unused ports. Each time you open a port you create a hole in the wall that you’ve built around your network, and you replace it with a window. The more ports you open—the more windows you install in your wall—the more transparent your network becomes to the outside. The bottom line? Open ports invite attacks.
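The two firewall suggestions above are easiest to check against what the firewall actually logs. The following Python script is an added example, not code from the book: it reads Windows Firewall log records in the pfirewall.log layout (a #Fields: header followed by space-separated records) and reports inbound connections from outside the RFC 1918 ranges that were allowed to the ports listed above, or to any port outside a small allow list. The sample log lines, the host 192.0.2.10, the TCP 80/443 allow list and the internal ranges are all constructed assumptions.

```python
"""Audit Windows Firewall log records against the chapter's port guidance.

Added example, not from the book. Assumes the pfirewall.log layout (a #Fields:
header followed by space-separated records); the sample log, host 192.0.2.10,
the TCP 80/443 allow list and the internal ranges are constructed assumptions.
"""
import ipaddress

# Windows networking ports the chapter says to block at the Internet edge.
BLOCK_TCP = {135, 139, 445}
BLOCK_UDP = {135, 137, 445}
# Inbound TCP services this hypothetical network intentionally exposes.
ALLOWED_INBOUND_TCP = {80, 443}
# Address space treated as "inside"; traffic from here is out of scope.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of pfirewall.log content (17 fields per record).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-03-01 10:15:22 DROP TCP 203.0.113.5 192.0.2.10 44321 445 48 S 1234567 0 65535 - - - RECEIVE
2004-03-01 10:15:23 ALLOW TCP 203.0.113.5 192.0.2.10 44322 139 - - - - - - - - RECEIVE
2004-03-01 10:15:24 ALLOW UDP 203.0.113.9 192.0.2.10 1025 137 78 - - - - - - - RECEIVE
2004-03-01 10:15:25 ALLOW TCP 198.51.100.7 192.0.2.10 51000 443 - - - - - - - - RECEIVE
2004-03-01 10:15:26 ALLOW TCP 10.0.0.5 192.0.2.10 51001 445 - - - - - - - - RECEIVE
2004-03-01 10:15:27 ALLOW TCP 198.51.100.8 192.0.2.10 51002 3389 - - - - - - - - RECEIVE
2004-03-01 10:15:28 ALLOW TCP 192.0.2.10 198.51.100.7 51003 80 - - - - - - - - SEND
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def is_external(ip):
    """True when the address lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit(text, allowed_tcp=ALLOWED_INBOUND_TCP):
    """Classify inbound (RECEIVE) TCP/UDP records from external sources into
    ALLOW-to-blocked-port, ALLOW-to-unlisted-port and DROP buckets."""
    found = {"windows_ports_allowed": [], "other_ports_allowed": [], "dropped": []}
    for rec in parse_log(text):
        proto = rec["protocol"]
        if rec["path"] != "RECEIVE" or proto not in ("TCP", "UDP"):
            continue  # outbound traffic and ICMP (no port) are not assessed
        if not is_external(rec["src-ip"]):
            continue
        port = int(rec["dst-port"])
        if rec["action"] == "DROP":
            found["dropped"].append(rec)  # the firewall did its job
        elif (proto == "TCP" and port in BLOCK_TCP) or (proto == "UDP" and port in BLOCK_UDP):
            found["windows_ports_allowed"].append(rec)
        elif not (proto == "TCP" and port in allowed_tcp):
            found["other_ports_allowed"].append(rec)
    return found
```

Any record in the first two buckets means a rule is missing or too broad; a real deployment would read the live pfirewall.log instead of SAMPLE_LOG.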

The firewall’s brother in the security family is an intrusion detection system (IDS), another vital part of hardening a Windows-based network. An IDS “sniffs out” or inspects all traffic going in and coming out of a network, and distinguishes patterns inside that traffic that could indicate suspicious activity. An IDS differs from a firewall in that a firewall looks for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and doesn’t signal an attack from inside the network. An IDS, on the other hand, evaluates a suspected intrusion once it has taken place, and signals an alarm. An IDS also watches for attacks that originate from within a system. It’s a beneficial addition to your network, and I highly recommend it.

Remote access remains one of the weakest links in network security if it’s incorrectly implemented, and in many cases it’s the holy grail for intruders looking to do damage. If you allow remote access to your network either through dial-up connections or through a virtual private network (VPN) connection, you should restrict dial-up access to trusted users, and limit the functionality of those users from remote locations. Policies can be designed in such a way that user activity will be traced. I would recommend a VPN connection: Data that travels over a VPN is much less susceptible to interception than normal point-to-point protocol (PPP) connections over the plain old telephone networks. If your data is particularly critical, you might consider putting systems in place that require credential validation for any resource that is accessed remotely, like client-side certificates and strong password authentication methods.

Also, it’s a safe bet to say that intruders would rather use the convenience and availability of the Internet than work harder at “war dialing,” which is when an intruder generates phone numbers on a random basis and dials them to see if a modem answers. However, if your business needs require a modem bank to answer incoming calls, you might consider mandating a dial-back setting to a predetermined number; this is a great way to ensure that a connection is made only between the appropriate parties.

Physical segmentation of the network is always a good choice for security. If your hardware devices allow you to perform this segregation easily, then there’s little reason to not segment them. Virtual LANs (VLANs) are a great way to wall off large sections of your network. If you place your firewall within a separate VLAN from your network and specify that only your firewall can access your network, then you’ve just eliminated the chance that an intruder could use another window of entry into your network. Segmenting a network can also add an element of security from an internal perspective, because you can segment a network in such a way that all users can see the servers but no user can see each other. This reduces the possibility of hacking user data stored on user machines and greatly reduces the chance of a virus spreading around the computers. If the virus code can’t find other computers to infect, it cannot spread.

I feel compelled to include this bit here, even though a later chapter is devoted completely to Internet Information Services (IIS) hardening tips, because it’s so vital to security. Many exploits are targeted against IIS because it’s a very generic and widely used web server, and it’s left on by default in most instances. Because of the prevalence of worms, which travel at great speeds and exploit unsecured IIS web servers on publicly accessible networks, it’s highly recommended, imperative even, that systems running IIS be installed on an isolated network segment, or with no network cable attached, until the latest service packs and hotfixes are installed. Microsoft has published an IIS Lockdown tool, which is now part of the Microsoft Baseline Security Analyzer for Windows 2000 Server computers running IIS. It’s very important that this tool be used to harden the IIS box.


Checkpoints

In this chapter, I’ve discussed theories about security, and I’ve also listed some very broad, general suggestions for hardening the hardware, network, and software owned by your organization. Here’s a recap of what’s been covered so far:

  • Learn the cornerstones of good security policy: privacy, trust, authentication, and integrity.
  • Understand the social implications of security.
  • Recognize the security dilemma—that users must understand the need for security and agree to the extent to which security is implemented.
  • Consider transfers of trust in security policy.
  • Understand the process of defining the concept of security: identification of the object to protect, evaluation of risk, and proposals for countermeasures to potential attacks.
  • Recognize some of the enemies of a secure system: complexity, backward compatibility, backups.
  • Embrace the role that hardening takes in protecting against unknown threats.
  • Apply service packs to operating systems and applications throughout your company.
  • Purchase, install, and keep updated antivirus software installed throughout your company networks.
  • Test and scan new downloads, and practice safe computing when transferring files from public networks.
  • Wipe virus-infected systems to a clean hard disk as soon as possible.
  • Block malicious file attachments as they enter your network at the email server, before they reach the client.
  • Install a firewall and close off networking ports (TCP 135, 139, and 445; UDP 135, 137, and 445) and any other unused ports.
  • Consider the purchase and installation of an intrusion detection system.
  • Properly restrict access to remote entry points to your network, and encourage the use of virtual private networks over traditional telephonic and modem connections.
  • Implement dial-back for standard telephone connections.
  • Investigate the physical segmentation of your network.
  • Properly harden and secure any IIS systems on the network, and relegate IIS systems to a blocked-off segment of the network during the installation of patches.
  • Read the rest of this book.
