System Hardening
• Shoring up defenses, reducing exposed functionality, disabling less-used features
• Called attack surface reduction
• 80/20 rule of functionality
  • The Pareto principle (also known as the 80/20 rule, the law of the vital few, or the principle of factor sparsity) states that, for many events, roughly 80% of the effects come from 20% of the causes.
  • Not always achievable
• Strip mobile code support on servers
• Servers easier to harden
  • Used for specific and controlled purposes
  • Administrative users with better skills than workstation users
System Hardening
The process of securing and preparing a system for the production environment is called hardening; it reduces the IT vulnerability.
Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors.

Source: Principles of Computer Security: CompTIA Security+ and Beyond, Fifth Edition, 2018
• Vulnerabilities can occur in multiple ways.

Solution: Hardening
• Harden operating systems and network operating systems, implement host-level security, harden applications, establish group policies, secure alternative environments
• Hardening systems, servers, workstations, networks, and applications is a process of defining the required uses and needs and then aligning security controls to limit a system to its desired functionality.
Video link: C:\Users\Admin\Desktop\BCI3004_Ebased_Security\Video\What is system hardening.mp
Windows Defenses
• Microsoft Security Development Lifecycle
  • Practice #1 - Provide Training
  • Practice #2 - Define Security Requirements
  • Practice #3 - Define Metrics and Compliance Reporting
  • Practice #4 - Perform Threat Modeling
  • Practice #5 - Establish Design Requirements
  • Practice #6 - Define and Use Cryptography Standards
  • Practice #7 - Manage the Security Risk of Using Third-Party Components
  • Practice #8 - Use Approved Tools
  • Practice #9 - Perform Static Analysis Security Testing (SAST)
  • Practice #10 - Perform Dynamic Analysis Security Testing (DAST)
  • Practice #11 - Perform Penetration Testing
  • Practice #12 - Establish a Standard Incident Response Process
Windows Defenses (continued)
• Net effect: approx. 50% reduction in security bugs
• Vista used SDL start to finish
• Categorize security defenses:
  • Account defenses
  • Network defenses
  • Buffer over-run defenses
  • Browser defenses
Account Defenses
• Least Privilege
  • Operate with just enough privileges for the task
  • Another defense is to strip privileges from an account soon after an application starts
• Windows Vista reverses the default with User Account Control (UAC)
  • Users prompted to perform privileged operations
Network Defenses
• Need more than account/user defenses
  • Vulnerable to network attacks
• IPsec and IPv6 with AH, ESP, IKE packets
• Built-in software firewall
  • Block inbound connections on specific ports
  • Block outbound connections
Browser Defenses
• Browser is a key point of attack
  • Via script code, graphics, helper objects, add-ons, cookies
  • The most commonly exploited features include ActiveX, Java, plug-ins, cookies, JavaScript, and VBScript
• Added defenses in IE7
  • ActiveX disabled by default
  • Protected mode
Cryptographic Services
• Encrypting File System (EFS)
  • Files and directories encrypted/decrypted transparently
  • Generates a random key, protected by DPAPI
• BitLocker Drive Encryption in Vista
  • Encrypts the entire volume with AES
  • Key held either on a USB device or in a Trusted Platform Module (TPM 1.2-compatible chip)
• Data Protection API (DPAPI)
  • Manages encryption key maintenance
  • Keys derived from the user’s password
Linux System Hardening
• Can be done at system and application levels
• Generalized steps to Linux system hardening:
  • Preliminary Planning
  • Physical System Security
  • Operating System Installation
  • Securing Local File Systems
  • Configuring and Disabling Services
  • Securing the root Account
  • User Authentication and User Account Attributes
  • Securing Remote Authentication
  • Set Up Ongoing System Monitoring
  • Backups
OS-Level Security Tools and Techniques
• OS Installation: Software Selection and Initial Setup
• Patch Management
• Network-Level Access Controls
• Using iptables for “Local Firewall” Rules
• Antivirus Software
• User Management
• Password Aging
• Root Delegation
• Logging
OS Installation
• Security begins with O/S installation
  • What software is run
  • Unused applications liable to be left in a default, un-hardened and un-patched state
  • Generally should not run: SMTP relay, X Window System, RPC services, R-services, inetd, SMTP daemons, telnet, etc.
• Setting some initial system software configuration:
  • Setting root password
  • Creating a non-root user account
  • Setting an overall system security level
  • Enabling a simple host-based firewall policy
  • Enabling SELinux (kernel security module providing access control policies)
Patch Management
• Installed server applications must be:
  • Configured securely
  • Kept up to date with security patches
• Patching alone can never win the “patch rat race”
• Have tools to automatically download and install security updates
  • Examples: up2date, YaST, apt-get
• Should not run automatic updates on change-controlled systems without testing
Network Access Controls
• Network is a key attack vector to secure
• libwrap and TCP Wrappers are a key tool to check access
  • Before allowing a connection to a service, tcpd first evaluates access control rules
  • Defined in /etc/hosts.allow
  • Defined in /etc/hosts.deny
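The evaluation order tcpd applies is easy to get wrong when writing the two files by hand, so the following added example (not part of the original slides or of the tcp_wrappers sources) implements it: the first matching rule in hosts.allow grants access, otherwise the first matching rule in hosts.deny refuses it, otherwise access is granted. It covers the common IPv4 client patterns (ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, net/mask, exact host, EXCEPT); the two rule files and the daemon names are constructed sample data.

```python
"""Evaluate a connection against /etc/hosts.allow and /etc/hosts.deny the
way tcpd does.  Added example; the rule files below are constructed."""
import ipaddress

HOSTS_ALLOW = """\
# constructed sample: only the management LAN may reach sshd
sshd: 192.168.1.0/255.255.255.0
ALL: LOCAL, .corp.example
"""

HOSTS_DENY = """\
# constructed sample: everything not explicitly allowed is refused
ALL: ALL
"""


def _match_token(pattern, host, addr):
    """One client pattern against the peer's hostname (may be None) and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # unqualified hostname, no dot
        return host is not None and "." not in host
    if pattern.startswith("."):                  # domain suffix, e.g. .corp.example
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):                    # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                           # net/mask, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
        except ValueError:
            return False
    return pattern == addr or (host is not None and pattern == host)


def _match_list(spec, host, addr):
    """'a, b EXCEPT c' matches when any of a, b matches and none of c does."""
    parts = spec.split(" EXCEPT ", 1)
    include = parts[0].replace(",", " ").split()
    exclude = parts[1].replace(",", " ").split() if len(parts) > 1 else []
    return (any(_match_token(t, host, addr) for t in include)
            and not any(_match_token(t, host, addr) for t in exclude))


def _rules(text):
    """Yield (daemon_list, client_list) per rule; shell-command options are ignored."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        yield daemons.strip(), clients.strip()


def _matches(text, daemon, host, addr):
    # The daemon list is matched like a client list whose "host" and
    # "address" are both the daemon name (ALL and exact names apply).
    return any(_match_list(d, daemon, daemon) and _match_list(c, host, addr)
               for d, c in _rules(text))


def access_decision(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' following tcpd's evaluation order."""
    if _matches(allow, daemon, host, addr):
        return "allow"
    if _matches(deny, daemon, host, addr):
        return "deny"
    return "allow"          # no matching rule anywhere: tcpd lets it through


if __name__ == "__main__":
    for svc, ip, name in (("sshd", "192.168.1.42", None),
                          ("sshd", "10.0.0.9", None),
                          ("vsftpd", "10.0.0.9", "files.corp.example")):
        print(svc, ip, name, "->", access_decision(svc, ip, name))
```

Two points the rules illustrate: the hostname-based patterns (LOCAL, domain suffix) depend on a reverse DNS lookup the peer's network controls, so address-based patterns are the safer choice for anything that matters; and tcpd only mediates services started through inetd/xinetd or linked against libwrap, so a daemon that listens on its own is not covered by these files at all.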
Using iptables for “Local Firewall” Rules
• Also have the very powerful netfilter Linux kernel-native firewall mechanism and the iptables user-space front end
• Useful on firewalls, servers, desktops
• Typically, for “personal” firewall use, will:
  • Allow incoming requests to specified services
  • Block all other inbound service requests
  • Allow all outbound (locally-originating) requests
• Automated rule generators exist
• If greater security is needed, manual configuration is required
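The three-line policy above leaves out the rules that make it actually work on a running host, so the following added example (written for this page, not from the slides or from any distribution's rule generator) builds a complete iptables-restore ruleset for that policy. The port list is the caller's; the loopback, connection-tracking and ICMP rules are what turn "allow outbound" into something that also lets replies back in.

```python
"""Generate an iptables-restore ruleset for a "personal" firewall: named
services reachable, all other inbound requests dropped, everything locally
originated allowed.  Added example; ports in the usage line are constructed."""


def personal_firewall_rules(allowed_tcp, allowed_udp=()):
    """Return the ruleset as a list of iptables-restore lines."""
    for port in list(allowed_tcp) + list(allowed_udp):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")

    lines = [
        "*filter",
        # Default policies: nothing inbound unless a rule says so; all
        # outbound permitted, so "allow outbound" needs no explicit rule.
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        # Loopback traffic never leaves the host and must stay open, or
        # local daemons talking to each other (syslog, DNS caches) break.
        "-A INPUT -i lo -j ACCEPT",
        # Replies to connections this host opened. Without this the
        # permissive OUTPUT policy is useless: answers could not return.
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # Packets belonging to no known connection are discarded before the
        # per-service rules ever see them.
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        # ICMP is needed for path-MTU discovery and basic diagnostics.
        "-A INPUT -p icmp -j ACCEPT",
    ]
    # Only NEW connections need a rule; follow-up packets are already
    # accepted by the ESTABLISHED rule above.
    for port in sorted(set(int(p) for p in allowed_tcp)):
        lines.append(f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    for port in sorted(set(int(p) for p in allowed_udp)):
        lines.append(f"-A INPUT -p udp --dport {port} -j ACCEPT")
    # Record what the DROP policy discards, rate-limited so a flood of
    # unsolicited packets cannot fill the log volume.
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "')
    lines.append("COMMIT")
    return lines


if __name__ == "__main__":
    # Usage: python3 fw.py | sudo iptables-restore --test   (then without --test)
    print("\n".join(personal_firewall_rules(allowed_tcp=[22, 443])))
```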
Antivirus Software
• Historically Linux not as vulnerable to viruses
  • Windows targeted more due to popularity
  • Prompt patching of security holes more effective against worms
  • Viruses abuse users’ privileges
    • Non-privileged user account: less scope for being exploited
• Growing Linux popularity means growing exploits
  • Hence antivirus software will be more important
• Various commercial and free Linux A/V
Basis for comparison | Virus | Worm | Trojan Horse
Meaning | A computer program that connects itself to another legitimate program to cause harm to the computer system or the network. | It eats resources of a system to bring it down rather than performing destructive actions. | It permits an intruder to obtain some confidential information about a computer network.
Execution | Depends on the transfer of a file. | Replicates itself without any human action. | Downloaded as software and executed.
Replication occurs | Yes | Yes | No
Remotely controlled | No | Yes | Yes
Rate of spreading | Moderate | Faster | Slow
Infection | Initiates by attaching a virus to an executable file. | Utilizes system or application weaknesses. | Attaches itself to a program and is interpreted as useful software.
Purpose | Modification of the information. | Halt the CPU and memory. | Steals the user's information.
User Management
• Guiding principles in user-account security:
  • Be careful setting file / directory permissions
  • Use groups to differentiate between roles
  • Use extreme care in granting / using root privileges
Password Aging
• Maximum and minimum lifetime for user passwords
  • Globally changed in /etc/login.defs
  • To change password settings for existing users: command line -> chage
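Because /etc/login.defs only governs accounts created after it is edited, existing accounts keep whatever aging values they already carry in /etc/shadow. The following added example (not from the slides) audits that gap: it reads the policy from a login.defs fragment, compares it with the min/max/warn fields of each shadow entry, skips locked or passwordless accounts where aging is irrelevant, and emits the chage commands that would bring each account into line. Both inputs are constructed sample data; on a real host read the two files instead (root is required for /etc/shadow).

```python
"""Compare per-account password aging in /etc/shadow with the global
policy in /etc/login.defs.  Added example; both inputs below are constructed."""

LOGIN_DEFS = """\
# constructed /etc/login.defs fragment
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
"""

# constructed shadow entries: fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$saltsalt$hashhashhash:19700:1:90:14:::
alice:$6$saltsalt$hashhashhash:19700:1:90:14:::
bob:$6$saltsalt$hashhashhash:19700:0:99999:7:::
svc-backup:*:19700:0:99999:7:::
carol:!:19700::::::
"""


def parse_login_defs(text):
    """Return the PASS_* settings as {name: int}."""
    policy = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].startswith("PASS_"):
            policy[parts[0]] = int(parts[1])
    return policy


def _int_or_none(field):
    return int(field) if field else None


def parse_shadow(text):
    """Yield (user, hash, min_days, max_days, warn_days) per entry;
    an empty field means the attribute is unset."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 9 or line.startswith("#"):
            continue
        yield f[0], f[1], _int_or_none(f[3]), _int_or_none(f[4]), _int_or_none(f[5])


def password_login_possible(hashed):
    """Locked (!, !!) or disabled (*) and empty hashes cannot be used to
    log in with a password, so aging does not apply to them."""
    return bool(hashed) and not hashed.startswith(("!", "*"))


def audit(login_defs, shadow):
    """Return {user: [chage commands]} for accounts weaker than policy."""
    policy = parse_login_defs(login_defs)
    max_days = policy.get("PASS_MAX_DAYS", 99999)
    min_days = policy.get("PASS_MIN_DAYS", 0)
    warn_days = policy.get("PASS_WARN_AGE", 7)
    findings = {}
    for user, hashed, mn, mx, warn in parse_shadow(shadow):
        if not password_login_possible(hashed):
            continue
        fixes = []
        if mx is None or mx > max_days:       # unset or 99999 means "never expires"
            fixes.append(f"chage -M {max_days} {user}")
        if mn is None or mn < min_days:       # min 0 lets a user cycle back to an old password
            fixes.append(f"chage -m {min_days} {user}")
        if warn is None or warn < warn_days:
            fixes.append(f"chage -W {warn_days} {user}")
        if fixes:
            findings[user] = fixes
    return findings


if __name__ == "__main__":
    for user, fixes in audit(LOGIN_DEFS, SHADOW).items():
        print(f"{user}: " + "; ".join(fixes))
```

`chage -l <user>` shows the current values for one account, which is the quick way to confirm a fix took effect.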
Root Delegation
• “su” command allows users to run as root
  • Use su with the –c flag to run a single command instead of an entire shell as root
  • Must supply root password
  • Drawback: many people will know the root password
• SELinux RBAC can limit root authority but it’s complex
• “sudo” allows users to run as root
  • But only needs the user’s password, not the root password
  • “sudoers” defined in /etc/sudoers file
  • Open and configure the sudoers file using ‘visudo’
Logging
• Linux logs using syslogd or Syslog-NG
  • Writes log messages to local/remote log files
• Syslog-NG preferable because it has:
  • Variety of log-data sources / destinations
  • Much more flexible “rules engine” to configure
  • Can log via TCP, which can be encrypted
• Change default logging settings on both
• Log files need careful management
  • Balance number and size of log files
  • Rotate log files and delete old copies - logrotate
Application Security (Hardening)
• A large topic
• Many security features are implemented in similar ways across different applications
• Sub-topics:
  • Running as unprivileged user/group
  • Running in chroot jail
  • Modularity
  • Encryption
  • Logging
Running As Unprivileged User/Group
• Every process “runs as” some user
• Extremely important that user is not root
  • Since any bug can compromise the entire system
• May need root privileges, e.g. to bind a port
  • Have root parent perform privileged function
  • But main service from unprivileged child
• User/group used should be dedicated
  • Easier to identify source of log messages
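The pattern above (and the Windows "strip privileges soon after start" point in Account Defenses) has two details that are easy to get wrong: the order of the setgroups/setgid/setuid calls, and checking afterwards that the drop cannot be undone. The following added example (written for this page, not from the slides) shows the sequence: root performs the one privileged step, binding a low port, then switches to a dedicated service account and verifies that it can no longer become root. The account name svc-demo is assumed; when the script is started without root there is nothing to drop, so it keeps the current identity and the verification step still runs.

```python
"""Bind a privileged port as root, then drop to a dedicated unprivileged
account before serving.  Added example; "svc-demo" is an assumed account."""
import os
import pwd
import socket


def bind_privileged_port(port):
    """The one step that needs root: ports below 1024 require CAP_NET_BIND_SERVICE.
    Port 0 asks the kernel for any free high port (used when not root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", port))
    sock.listen(16)
    return sock


def service_identity(username):
    """Resolve the dedicated service account. When not running as root no
    switch is possible, so the current identity is returned instead."""
    if os.geteuid() != 0:
        return os.getuid(), os.getgid()
    for name in (username, "nobody"):        # "nobody" only as a demo fallback
        try:
            entry = pwd.getpwnam(name)
            return entry.pw_uid, entry.pw_gid
        except KeyError:
            continue
    raise LookupError(f"no usable unprivileged account ({username} or nobody)")


def drop_privileges(uid, gid):
    """Order matters: supplementary groups first (needs root), then the
    primary gid, then the uid. Once the uid changes the process can no
    longer touch its group list, so doing it last would leave root groups."""
    if os.geteuid() == 0:
        os.setgroups([])                 # discard groups inherited from root
        os.setgid(gid)
        os.setuid(uid)                   # sets real, effective and saved uid
    elif (os.getuid(), os.getgid()) != (uid, gid):
        raise PermissionError("not root: cannot switch to the requested identity")


def privileges_dropped():
    """True only if regaining root fails. A process that kept a saved
    set-user-ID of 0 (e.g. via seteuid) has not really dropped anything."""
    try:
        os.setuid(0)
    except PermissionError:
        return os.geteuid() != 0
    return False                         # the call succeeded: still root


def current_identity():
    return os.getuid(), os.getgid()


def main():
    uid, gid = service_identity("svc-demo")
    listener = bind_privileged_port(25 if os.geteuid() == 0 else 0)
    drop_privileges(uid, gid)
    if not privileges_dropped():
        raise SystemExit("refusing to serve: still privileged")
    # ... serve connections on `listener` as the unprivileged user ...
    listener.close()


if __name__ == "__main__":
    main()
```

The listening socket stays usable after the drop because file descriptors are not re-checked against the process identity; that is exactly why the root parent can hand the bound socket to unprivileged code.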
Running in “chroot” Jail
• “chroot” confines a process to a subset of /
  • Maps a virtual “/” to some other directory
  • Directories outside the chroot jail aren’t visible or reachable at all
• Contains effects of a compromised daemon
• Complex to configure and troubleshoot
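Much of the "complex to configure" warning comes down to two things: the call sequence for entering the jail, and the contents of the jail directory itself. The following added example (not from the slides) shows both: enter_jail() performs chdir, chroot, chdir("/") and only then drops root, and audit_jail() walks a jail tree and reports the conditions that undermine it (a jail root owned by the jailed account, directories writable by group or others, set-uid/set-gid executables, device nodes). enter_jail() needs root and is not run by the self-test; build_demo_jail() creates a constructed throwaway tree so audit_jail() can be tried as any user.

```python
"""Enter a chroot jail in the right order and audit the jail's file tree.
Added example; build_demo_jail() creates constructed sample content."""
import os
import stat
import tempfile


def enter_jail(jail_dir, uid, gid):
    """chdir first, chroot, chdir('/') again so no open directory handle
    points outside the jail, and drop root last: a root process inside a
    chroot can still leave it, so the jail only holds once uid != 0."""
    os.chdir(jail_dir)
    os.chroot(jail_dir)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def audit_jail(jail_dir, service_uid, owner_uid=0):
    """Return a list of problems found in the jail tree (empty = clean).
    owner_uid is the account that must own the jail root (root on a real host)."""
    problems = []
    root_st = os.lstat(jail_dir)
    if root_st.st_uid == service_uid:
        problems.append(f"{jail_dir}: jail root is owned by the jailed service account")
    elif root_st.st_uid != owner_uid:
        problems.append(f"{jail_dir}: jail root not owned by uid {owner_uid}")
    if root_st.st_mode & 0o022:
        problems.append(f"{jail_dir}: jail root writable by group/others")
    for dirpath, dirnames, filenames in os.walk(jail_dir):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode) and st.st_mode & 0o022:
                problems.append(f"{path}: directory writable by group/others")
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append(f"{path}: set-uid/set-gid executable inside the jail")
            if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                problems.append(f"{path}: device node inside the jail")
    return problems


def build_demo_jail():
    """Constructed sample jail with two deliberate defects for the audit to find."""
    jail = tempfile.mkdtemp(prefix="jail-demo-")
    os.chmod(jail, 0o755)
    os.mkdir(os.path.join(jail, "bin"))
    os.chmod(os.path.join(jail, "bin"), 0o755)
    os.mkdir(os.path.join(jail, "etc"))
    os.chmod(os.path.join(jail, "etc"), 0o755)
    os.mkdir(os.path.join(jail, "tmp"))
    os.chmod(os.path.join(jail, "tmp"), 0o777)            # defect: world-writable directory
    daemon = os.path.join(jail, "bin", "daemon")
    open(daemon, "w").close()
    os.chmod(daemon, 0o4755)                               # defect: set-uid bit
    return jail


if __name__ == "__main__":
    demo = build_demo_jail()
    for problem in audit_jail(demo, service_uid=65534, owner_uid=os.getuid()):
        print(problem)
    # On a real host, after audit_jail() is clean:
    # enter_jail("/srv/jail", uid, gid)   # assumed path; requires root
```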
Modularity
• Applications running as a single, large, multipurpose process can be:
  • More difficult to run as an unprivileged user
  • Harder to locate / fix security bugs in source
  • Harder to disable unnecessary functionality
• Hence modularity is a highly prized feature
  • Providing a much smaller attack surface
  • cf. postfix vs sendmail, Apache modules
Encryption
• Sending logins & passwords or application data over networks in clear text exposes them to various network eavesdropping attacks
• Hence many network applications now support encryption to protect such data
• SSL and TLS protocols in the OpenSSL library used
  • May need own X.509 certificates to use
  • Can generate/sign using the openssl command
  • May use commercial/own/free CA
Logging
• Applications can usually be configured to log at any level of detail (debug to none)
• Centralized logging using (syslog) can be used for consistency
• Must ensure there is some form of logging management as discussed before, like rotating
OS and Network OS Hardening
• Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.
• Hardening an operating system (OS) or network operating system (NOS) refers to the process of making the environment more secure from attacks and intruders.
  • Programs clean-up
  • Use of service packs
  • Patches and patch management
  • Group policies
  • Configuration baselines
Disabling Unnecessary Ports and Services
• Disabling unnecessary ports and services prevents their use by unauthorized users, improves system throughput and increases security. Systems have ports and connections that need to be disabled if not in use.
• Secure configurations
• Disable default accounts/passwords
• Application whitelisting/blacklisting
• Sandboxing refers to the quarantine or isolation of a system from its surroundings
Server Hardening
• Remove unnecessary protocols such as Telnet, NetBIOS, Internetwork Packet Exchange (IPX), and File Transfer Protocol (FTP).
• Remove unnecessary programs such as Internet Information Services (IIS).
• Remove all shares that are not necessary.
• Rename the administrator account, securing it with a strong password.
• Remove or disable the Local Admin account in Windows.
• Disable unnecessary user accounts.
• Disable unnecessary ports and services.
• Keep the operating system (OS) patched and up to date.
• Keep all applications patched and up to date.
• Turn on event logging for determined security elements.
• Control physical access to servers.
Securing a Workstation
• Remove unnecessary protocols such as Telnet, NetBIOS, and IPX, unnecessary software, modems unless needed and authorized, and all shares that are not necessary.
• Rename the administrator account, securing it with a strong password.
• Disable the Local Admin account in Windows, unnecessary user accounts and unnecessary ports and services.
• Install an antivirus program and a firewall, and keep abreast of updates.
• Keep the operating system (OS) and applications patched and up to date.
• Turn on event logging for determined security elements.
Anti-Malware
Antivirus (AV) products attempt to identify, neutralize, or remove malicious programs, macros, and files.
• Signature-based scanning - Much like an intrusion detection system (IDS), the antivirus products scan programs, files, macros, e-mails, and other data for known worms, viruses, and malware. The antivirus product contains a virus dictionary with thousands of known virus signatures that must be frequently updated.
• Heuristic scanning - A method of detecting viruses by examining code for suspicious properties. To counter the limits of signatures, the heuristic model was specifically designed to spot suspicious characteristics that can be found in unknown, new viruses and modified versions of existing threats as well as known malware samples.
Network Hardening
Proper controls over network access must be established on computers by controlling the services that are running and the ports that are opened for network access.
• These network devices should be configured with very strict parameters to maintain network security.
• Like normal computer OSs that need to be patched and updated, the software that runs network infrastructure components needs to be updated regularly.
• An outer layer of security should be added by implementing appropriate firewall rules and router Access Control Lists.
Application Hardening
• Securing an application against local and Internet-based attacks.
• Hardening applications is fairly similar to hardening operating systems: you remove the functions or components you don’t need, restrict access where you can, and make sure the application is kept up to date with patches.
• As most problems with applications tend to be buffer overflows in legitimate user input fields, patching the application is often the only way to secure it from attack.