
Security+ Guide to Network Security Fundamentals, Second Edition

Chapter 4: Security Baselines
Objectives

Disable nonessential systems
Harden operating systems
Harden applications
Harden networks

Disabling Nonessential Systems

The first step in establishing a defense against computer attacks is to turn off all nonessential systems
A background program waits in the computer's random access memory (RAM) until the user presses a specific combination of keys (a hot key), such as Ctrl+Shift+P
Then the idling program springs to life

Disabling Nonessential Systems (continued)

Early terminate-and-stay-resident (TSR) programs performed functions such as displaying an instant calculator, small notepad, or address book
In Microsoft Windows, a background program, such as Svchost.exe, is called a process
The process provides a service to the operating system indicated by the service name, such as AppMgmt

Disabling Nonessential Systems (continued)

Users can view the display name of a service, which gives a more descriptive name, such as Application Management
A single process can provide multiple services

Disabling Nonessential Systems (continued)

A service can be set to one of the following startup modes:
Automatic: started by the operating system at boot
Manual: started on demand by a user or by a dependent service
Disabled: cannot be started until an administrator changes the mode
Besides preventing attackers from attaching malicious code to services, disabling nonessential services closes the network ports those services would listen on, removing entry points into the system
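The audit that the slide implies, as an added example (not code from the textbook): parse the startup mode of each service, compare it with an allowlist of services the server must keep, and generate the sc.exe commands that set everything else to Disabled. The service listing is a constructed sample in the format printed by `sc qc <name>`, and the ESSENTIAL set is a hypothetical baseline for an example member server.

```python
"""Audit Windows service startup modes against a baseline allowlist.

Added example, not code from the textbook. SAMPLE_SC_QC is a constructed
sample in the format printed by `sc qc <name>`; ESSENTIAL is a hypothetical
baseline for an example member server.
"""
import re

# Map sc.exe START_TYPE names to the three modes named on the slide.
START_TYPES = {"AUTO_START": "Automatic", "DEMAND_START": "Manual", "DISABLED": "Disabled"}

# Hypothetical baseline: services this example server must keep.
ESSENTIAL = {"Dhcp", "Dnscache", "EventLog", "LanmanServer",
             "LanmanWorkstation", "RpcSs", "W32Time"}

# Constructed sample: concatenated `sc qc` output for several services.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Messenger

SERVICE_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        DISPLAY_NAME       : Alerter

SERVICE_NAME: TlntSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\tlntsvr.exe
        DISPLAY_NAME       : Telnet

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        DISPLAY_NAME       : Remote Registry

SERVICE_NAME: LanmanServer
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Server
"""


def parse_sc_qc(text):
    """Return {service_name: {"name", "start_mode", "display_name", "binary"}}."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1)}
            services[current["name"]] = current
            continue
        if current is None:
            continue
        m = re.match(r"\s*(\w+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "START_TYPE":
            # value looks like "2   AUTO_START"; keep the symbolic name
            current["start_mode"] = START_TYPES.get(value.split()[-1], value)
        elif key == "DISPLAY_NAME":
            current["display_name"] = value
        elif key == "BINARY_PATH_NAME":
            current["binary"] = value
    return services


def nonessential_enabled(services, essential=ESSENTIAL):
    """Service names outside the baseline that are not already Disabled."""
    return sorted(name for name, svc in services.items()
                  if name not in essential and svc.get("start_mode") != "Disabled")


def hardening_commands(services, essential=ESSENTIAL):
    """sc.exe commands that disable and stop each nonessential service.
    The space after 'start=' is required by sc.exe syntax."""
    cmds = []
    for name in nonessential_enabled(services, essential):
        cmds.append(f"sc config {name} start= disabled")
        cmds.append(f"sc stop {name}")
    return cmds


if __name__ == "__main__":
    svcs = parse_sc_qc(SAMPLE_SC_QC)
    for name in nonessential_enabled(svcs):
        print(f"{name:16} {svcs[name]['display_name']:16} {svcs[name]['start_mode']}")
    print("\n".join(hardening_commands(svcs)))
```

Before running the generated commands, check each service's dependents (`sc enumdepend <name>`): disabling a service that another essential service depends on breaks the dependent service at the next boot.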

Disabling Nonessential Systems (continued)

The User Datagram Protocol (UDP) provides a connectionless TCP/IP transfer, in contrast to connection-oriented TCP
TCP and UDP both identify the sending and receiving application by port numbers
Socket: the combination of an IP address and a port number
The IP address is separated from the port number by a colon, as in 198.146.118.20:80
Each listening socket is a potential entry point, so a port listing (for example, netstat -an) shows what disabling a service actually closes
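The socket notation above, parsed and put to use, as an added example that is not part of the textbook: it reads a port listing, extracts the listening sockets, and reports any port that the baseline does not expect. The listing is a constructed sample in the format of `netstat -an` on Windows, and the EXPECTED set is a hypothetical baseline for a Web/file server. The parser goes beyond the slide's dotted-quad case and also accepts the `[addr]:port` form used for IPv6 and the `*:*` wildcard netstat prints for UDP.

```python
"""Parse socket listings and flag listening ports outside the baseline.

Added example, not code from the textbook. SAMPLE_NETSTAT is a constructed
sample in `netstat -an` (Windows) format; EXPECTED is a hypothetical baseline.
"""
from ipaddress import ip_address

# Constructed sample listing for a server at 198.146.118.20.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    198.146.118.20:80      10.0.0.7:49213         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    198.146.118.20:137     *:*
"""

# Hypothetical baseline: (protocol, port) pairs this server is allowed to expose.
EXPECTED = {("TCP", 80), ("TCP", 135), ("TCP", 445), ("UDP", 137)}


def parse_socket(text):
    """Split 'ip:port' into (ip_address or None, port or None).

    Splits on the last colon so IPv6 '[::]:135' works; '*' (netstat's
    wildcard) becomes None on either side.
    """
    host, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"not a socket: {text!r}")
    host = host.strip("[]")
    ip = None if host == "*" else ip_address(host)
    return ip, (None if port == "*" else int(port))


def listeners(netstat_text):
    """Return {(proto, port)} for every TCP socket in LISTENING state and every UDP socket."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or something that is not a socket row
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # established or closing connections are not entry points
        _, port = parse_socket(local)
        found.add((proto, port))
    return found


def unexpected_listeners(netstat_text, expected=EXPECTED):
    """Listening (proto, port) pairs that the baseline does not allow."""
    return sorted(listeners(netstat_text) - expected)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port}")
```

In the sample, TCP 3389 (Remote Desktop) and UDP 161 (SNMP) are flagged; mapping each back to its service (`netstat -ano` adds the owning process ID) tells you which service to disable.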

Hardening Operating Systems

Hardening: the process of reducing vulnerabilities
A hardened system is configured and updated to protect against attacks
Three broad categories of items should be hardened:
Operating systems
Applications that the operating system runs
Networks

Hardening Operating Systems (continued)

You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare

Applying Updates

Operating systems are intended to be dynamic
As users' needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis
However, vendors release a new version of an operating system only every two to four years, so interim updates are needed between versions
Vendors use certain terms to refer to the different types of updates (listed in Table 4-3 on page 109)

Applying Updates (continued)

A service pack (a cumulative set of updates, including fixes for problems that have not been made available through individual updates) provides the broadest and most complete update
A hotfix corrects a specific software problem and does not typically address security issues

Applying Updates (continued)

A patch or software update fixes a security flaw or other problem
Patches may be released on a regular or irregular basis, depending on the vendor or support team
A good patch management system includes the features listed on pages 111 and 112 of the text

Securing the File System

Another means of hardening an operating system is to restrict user access to the file system
Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them
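How folder permissions combine when a user belongs to several groups, as an added example that is not part of the textbook: it models a Windows-style access control list with Allow and Deny entries and applies the evaluation rule that matters most in practice, that an explicit Deny entry wins over any Allow entry for the same user or one of the user's groups. The Payroll folder ACL, the group names, and the accounts are hypothetical; real NTFS adds inherited entries and finer-grained rights, which this model leaves out.

```python
"""Effective permissions from a Windows-style file-system ACL.

Added example, not code from the textbook. The Payroll ACL, groups and
user names are hypothetical; only explicit (non-inherited) entries are modeled.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = (
    "read", "write", "execute", "delete", "change_permissions")
FULL_CONTROL = frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS})
MODIFY = frozenset({READ, WRITE, EXECUTE, DELETE})
READ_EXECUTE = frozenset({READ, EXECUTE})


@dataclass(frozen=True)
class Ace:
    """One access control entry: who it applies to, Allow or Deny, and which rights."""
    principal: str
    allow: bool
    rights: frozenset


# Hypothetical ACL on a shared Payroll folder.
PAYROLL_ACL = [
    Ace("Administrators", True, FULL_CONTROL),
    Ace("Finance", True, MODIFY),
    Ace("Everyone", True, READ_EXECUTE),
    Ace("Contractors", False, frozenset({WRITE, DELETE})),   # explicit Deny
]


def effective_rights(acl, user, groups):
    """Union of every Allow that applies to the user or one of the groups,
    minus every Deny that applies: a Deny entry always wins."""
    principals = {user, "Everyone", *groups}   # Everyone applies to all users
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def has_access(acl, user, groups, wanted):
    """True when every requested right survives the Deny entries."""
    return frozenset(wanted) <= effective_rights(acl, user, groups)


if __name__ == "__main__":
    for user, groups in [("alice", {"Finance", "Contractors"}),
                         ("bob", {"Finance"}),
                         ("carol", set()),
                         ("dave", {"Administrators", "Contractors"})]:
        print(user, sorted(effective_rights(PAYROLL_ACL, user, groups)))
```

The last case is the one that surprises people: dave is an administrator, yet the Contractors Deny still strips write and delete from him, which is why Deny entries on broad groups should be used sparingly and checked with the Effective Permissions view before they are saved.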

Securing the File System (continued)

Microsoft Windows provides a centralized method of defining security through the Microsoft Management Console (MMC), a Windows utility that accepts additional components (snap-ins)
After you organize security settings in a security template, you can import the settings into a Group Policy object (GPO) and apply them to a group of computers

Securing the File System (continued)

Group Policy settings: the components of a user's desktop environment that a network system administrator needs to manage
Local Group Policy settings cannot override a domain-based setting that applies globally to all computers
Windows stores settings for the computer's hardware and software in a database (the registry)

Hardening Applications

Just as you must harden operating systems, you must also harden the applications that run on those systems
Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system

Hardening Servers

Harden servers to prevent attackers from breaking in through the server software
A Web server delivers text, graphics, animation, audio, and video to Internet users around the world
Refer to the steps on page 115 to harden a Web server

Hardening Servers (continued)

A mail server is used to send and receive electronic messages
In a normal setting, a mail server serves one organization or set of users
All e-mail is either sent through the mail server from a trusted user or received from an outsider and intended for a trusted user

Hardening Servers (continued)

In an open mail relay, a mail server also processes e-mail messages that are neither sent by nor intended for a local user; spammers abuse such servers, so a hardened mail server relays only for local recipients or trusted (internal or authenticated) senders
A File Transfer Protocol (FTP) server is used to store and access files through the Internet
Typically used to accommodate users who want to download or upload files
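The relay decision itself, as an added example that is not part of the textbook: the envelope part of an SMTP session (MAIL FROM, then one RCPT TO per recipient) is replayed against two policies, an open relay that accepts every recipient and a hardened policy that accepts mail for local users from anyone but relays to outside domains only for clients on the internal network or clients that have authenticated. The domains, address ranges, and addresses are hypothetical and nothing is sent over the network.

```python
"""Open relay versus hardened relay policy for an SMTP server.

Added example, not code from the textbook. LOCAL_DOMAINS, INTERNAL_NETS and
every address used are hypothetical; the session is simulated, not sent.
"""
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}               # hypothetical: domains this server receives for
INTERNAL_NETS = [ip_network("10.0.0.0/8")]    # hypothetical: trusted internal address space


def domain_of(address):
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rpartition("@")[2].lower()


def open_relay(client_ip, authenticated, rcpt_to):
    """Misconfigured policy: every recipient is accepted, whoever is sending."""
    return True, "250 2.1.5 OK"


def hardened_relay(client_ip, authenticated, rcpt_to):
    """Accept mail addressed to a local domain from anyone; relay to other
    domains only for trusted senders (internal network or authenticated)."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "250 2.1.5 OK"
    trusted = authenticated or any(ip_address(client_ip) in net for net in INTERNAL_NETS)
    if trusted:
        return True, "250 2.1.5 OK"
    return False, "550 5.7.1 Relaying denied"


def smtp_session(policy, client_ip, authenticated, mail_from, recipients):
    """Return the envelope exchange as (client command, server reply) pairs."""
    transcript = [("MAIL FROM:<%s>" % mail_from, "250 2.1.0 OK")]
    for rcpt in recipients:
        _, reply = policy(client_ip, authenticated, rcpt)
        transcript.append(("RCPT TO:<%s>" % rcpt, reply))
    return transcript


def accepted_recipients(policy, client_ip, authenticated, recipients):
    """Recipients the policy would accept for this client."""
    return [r for r in recipients if policy(client_ip, authenticated, r)[0]]


if __name__ == "__main__":
    # Constructed scenario: an outside host tries to use the server as a relay.
    rcpts = ["victim@other.example", "alice@example.com"]
    for name, policy in [("open relay", open_relay), ("hardened", hardened_relay)]:
        print(name)
        for cmd, reply in smtp_session(policy, "203.0.113.5", False,
                                       "spammer@example.net", rcpts):
            print("  C:", cmd)
            print("  S:", reply)
```

The quick external check for a server is the same exchange by hand: connect to port 25 from outside, issue MAIL FROM with a foreign sender and RCPT TO with a foreign recipient, and confirm the reply is a 550, not a 250.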

Hardening Servers (continued)

FTP servers can be set to accept anonymous logons using a window similar to that shown in Figure 4-8
A Domain Name Service (DNS) server translates host names into IP addresses, which is what makes the Internet usable for ordinary users
DNS servers update each other by transmitting all the domain names and IP addresses in a zone (zone transfer); a hardened DNS server allows zone transfers only to its own secondary servers

Hardening Servers (continued)

The host names, IP addresses, and other information obtained from an unrestricted zone transfer give an attacker a map of the network and can be used in an attack
USENET is a worldwide bulletin board system that can be accessed through the Internet or many online services
The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers

Hardening Servers (continued)

Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers
Hardening a print/file server involves the tasks listed on page 119 of the text
A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)
DHCP servers lease IP addresses to clients

Hardening Data Repositories

Data repository: a container that holds electronic information
Two major data repositories: directory services and company databases
Directory service: a database stored on the network that contains all information about users and network devices along with privileges to those resources

Hardening Data Repositories (continued)

Active Directory is the directory service for Windows
Active Directory stores its data in the NTDS.dit database on every domain controller
The Security Accounts Manager (SAM) database holds the local accounts of a standalone or member computer; in a Windows NT domain, the domain's SAM was housed on the primary domain controller (PDC)

Hardening Networks

Two-fold process for keeping a network secure:
Secure the network with the necessary updates
Properly configure it

Firmware Updates

RAM is volatile: interrupting the power source causes RAM to lose its entire contents
Read-only memory (ROM) is different from RAM in two ways:
The contents of ROM are fixed
ROM is nonvolatile: disabling the power source does not erase its contents

Firmware Updates (continued)

Firmware is software stored in ROM, Erasable Programmable Read-Only Memory (EPROM), or Electrically Erasable Programmable Read-Only Memory (EEPROM) chips
To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its quartz window
The contents of EEPROM chips can instead be erased using electrical signals applied to specific pins, which is what allows the firmware of network devices to be updated in place

Network Configuration

You must properly configure network equipment to resist attacks
The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network

Network Configuration (continued)

Rule base or access control list (ACL): the rules a network device uses to permit or deny a packet (not to be confused with the ACLs used in securing a file system)
Rules are composed of several settings (listed on pages 122 and 123 of the text)
Rules are evaluated in order and the first matching rule decides, so a final rule that denies everything not explicitly permitted should close the rule base
Observe the basic guidelines on page 124 of the text when creating rules
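A rule base evaluated the way a perimeter filter evaluates it, as an added example that is not part of the textbook: each rule carries the settings the slide refers to (action, protocol, source, destination, destination port, logging), rules are tried in order, the first match decides, and a packet that matches nothing falls to the device's implicit deny. The rules, the addresses (198.146.118.0/24 stands in for the organization's public network, echoing the slide's 198.146.118.20:80), and the packets are hypothetical.

```python
"""First-match evaluation of a perimeter packet-filter rule base.

Added example, not code from the textbook. RULES, the address ranges and the
test packets are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp" or ANY
    src: str                         # CIDR prefix or ANY
    dst: str                         # CIDR prefix or ANY
    dst_port: Union[int, str] = ANY  # destination port or ANY
    log: bool = False


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None   # None for protocols without ports (icmp)


def _addr_matches(cidr, addr):
    return cidr == ANY or ip_address(addr) in ip_network(cidr)


def matches(rule, pkt):
    """True when every setting of the rule matches the packet."""
    return ((rule.protocol == ANY or rule.protocol == pkt.protocol)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dst_port == ANY or rule.dst_port == pkt.dst_port))


def evaluate(rules, pkt):
    """First matching rule decides; with no match the device's implicit deny applies.
    Returns (action, rule name) so the decision can be traced back to its rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Hypothetical inbound rule base for a 198.146.118.0/24 perimeter.
RULES = [
    # Packets claiming an internal source cannot legitimately arrive from outside.
    Rule("anti-spoof", "deny", ANY, "10.0.0.0/8", ANY, log=True),
    Rule("web-in", "permit", "tcp", ANY, "198.146.118.20/32", 80),
    Rule("mail-in", "permit", "tcp", ANY, "198.146.118.25/32", 25),
    Rule("dns-in", "permit", "udp", ANY, "198.146.118.30/32", 53),
    # Explicit cleanup rule: logs what the implicit deny would silently drop.
    Rule("cleanup", "deny", ANY, ANY, ANY, log=True),
]


if __name__ == "__main__":
    # Constructed packets: legitimate web request, a Telnet probe,
    # a spoofed internal source, and a DNS query to the wrong host.
    for pkt in [Packet("tcp", "203.0.113.9", "198.146.118.20", 80),
                Packet("tcp", "203.0.113.9", "198.146.118.20", 23),
                Packet("tcp", "10.1.1.1", "198.146.118.20", 80),
                Packet("udp", "203.0.113.9", "198.146.118.20", 53)]:
        print(pkt, "->", evaluate(RULES, pkt))
```

Order is the point of the anti-spoof case: the spoofed packet is destined for the web server on port 80 and would be permitted by web-in, but anti-spoof sits above it and catches it first. Moving that rule below web-in would silently reopen the hole, which is why rule ordering belongs in the review whenever a rule base changes.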

Summary

Establishing a security baseline creates a basis for information security
Hardening the operating system involves applying the necessary updates to the software
Securing the file system is another step in hardening a system

Summary (continued)

Applications and operating systems must be hardened by installing the latest patches and updates
Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks
