
Security+ Guide to Network Security Fundamentals, 2e


Chapter 4
Security Baselines

At a Glance

Instructor's Notes


Chapter Overview
Chapter Objectives
Technical Notes
Lecture Notes
Quick Quizzes
Discussion Questions
Additional Activities


Instructor's Notes

Chapter Overview

In this chapter, students begin to establish the security baseline for information. Now that they are familiar with the principles of information security and the three pillars of authentication, access control, and auditing, they can start to build defenses for their information systems. These baselines are at the core of defensive countermeasures against attacks and serve as the basis for all other defenses. Students will examine the two steps for establishing security baselines in this chapter. First, they must turn off any program in their computer system that is not essential. Second, they must make their hardware and software as impenetrable as they can. Taking these steps creates the basis for information security.

Chapter Objectives
After reading this chapter, students will be able to:
Disable nonessential systems
Harden operating systems
Harden applications
Harden networks

Technical Notes
HANDS-ON PROJECTS | HARDWARE DEVICES REQUIRED | OPERATING SYSTEM REQUIRED | OTHER RESOURCES
Project 4-1 | Computer PC | Windows XP | Possible special permissions if working in a school's lab
Project 4-2 | Computer PC | Windows XP | ClipSrv service, Local Services utility or System Configuration Utility tool
Project 4-3 | Computer PC | Windows XP | Internet connectivity
Project 4-4 | Computer PC | Windows XP | Internet connectivity
Project 4-5 | Computer PC | Windows XP | Internet connectivity

This chapter should not be completed in one class session. It is recommended that you split the chapter into at least two class sessions, if possible. The amount of subject matter to be covered can be covered in anywhere between a 4- to 6-hour period, plus any at-home exercises you wish to assign.

Lecture Notes

Disabling Nonessential Systems


A logical first step in establishing a defense against computer attacks is to turn off all nonessential systems. The background program waits in the computer's random access memory (RAM) until the user presses a specific combination of keys known as a hot key, such as Ctrl+Shift+P. Then the idling program springs to life. These early programs, which performed functions such as displaying an instant calculator, small notepad, or address book, were called terminate-and-stay-resident (TSR) programs.

In Microsoft Windows, a background program, such as Svchost.exe, is called a process. The process provides a service to the operating system, which is indicated by the service name, such as AppMgmt. Users can view the display name of a service, which gives a detailed description, such as Application Management. A single process can provide multiple services. In Figure 4-1 on page 104 of the text, the display name "Application Management" appears in the Service (Local) window, while the process Svchost.exe appears in the Task Manager, as shown in Figure 4-2 on page 104 of the text.

Quick Reference

Discuss the three modes that a service can be set to as listed on page 106 of the text.

Besides preventing attackers from attaching malicious code to services, disabling nonessential services eliminates another vulnerability by blocking entries into the system. The User Datagram Protocol (UDP) provides for a connectionless TCP/IP transfer. TCP and UDP are based on port numbers. Table 4-1 on pages 106 and 107 of the text lists some of the 1,023 well-known TCP port numbers and their associated services. The combination of an IP address and a port number is known as a socket; the IP address is separated from the port number by a colon, as in 198.146.118.20:80. Figure 4-3 on page 107 of the text shows the ports that TCP and UDP use on a typical system. Table 4-2 on page 108 of the text lists some Windows XP services and recommends settings for home and office computers.

Quick Reference

Discuss the reasons that can make determining which services are not essential difficult, as illustrated on pages 108 and 109 of the text.
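The process, service name, and socket relationships described above can be checked together when deciding which services are nonessential. The following is an added example, not part of the original notes: it parses constructed samples of Windows `netstat -ano` and `tasklist /svc` output and lists every listening socket outside a hypothetical baseline (`ESSENTIAL`), along with the process and services behind it.

```python
import re

# Constructed `netstat -ano` sample (Windows format); not captured from a real host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1580
  TCP    198.146.118.20:1042    203.0.113.9:80         ESTABLISHED     2044
  UDP    0.0.0.0:1900           *:*                                    1044
"""
# Constructed `tasklist /svc` sample: one process can host several services.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ==============================
System                         4 N/A
svchost.exe                  932 RpcSs
svchost.exe                 1044 AppMgmt, SSDPSRV, Browser
inetinfo.exe                1580 MSFtpsvc, W3SVC
iexplore.exe                2044 N/A
"""
ESSENTIAL = {("TCP", 135), ("TCP", 445)}  # hypothetical baseline for this host

def listening_sockets(text):
    """Return (proto, port, pid) for TCP LISTENING and bound UDP sockets."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            found.append(("TCP", int(f[1].rsplit(":", 1)[1]), int(f[4])))
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            found.append(("UDP", int(f[1].rsplit(":", 1)[1]), int(f[3])))
    return found

def services_by_pid(text):
    """Map PID -> (image name, [service names]); header rows have no PID and are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.+)$", line)
        if m:
            svc = m.group(3).strip()
            names = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
            table[int(m.group(2))] = (m.group(1), names)
    return table

def review(netstat_text, tasklist_text, essential=ESSENTIAL):
    """List listening sockets outside the baseline with their process and services."""
    procs = services_by_pid(tasklist_text)
    return [(proto, port) + procs.get(pid, ("unknown", []))
            for proto, port, pid in listening_sockets(netstat_text)
            if (proto, port) not in essential]

if __name__ == "__main__":
    for row in review(NETSTAT, TASKLIST):
        print(row)
```

When a flagged socket belongs to a process that hosts several services, each hosted service has to be reviewed before anything is disabled.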

Hardening Operating Systems


The process of reducing vulnerabilities is known as hardening. A hardened system is configured and updated to protect against attacks. Three broad categories of items should be hardened: operating systems, the applications that the operating system runs, and networks. You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare.

Applying Updates
Operating systems are intended to be dynamic. As users' needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis. However, vendors release a new version of an operating system every 2 to 4 years. Vendors use certain terms to refer to the different types of updates, which are listed in Table 4-3 on page 110 of the text. A service pack, which is a cumulative set of updates including fixes for problems that have not been made available through updates, provides the broadest and most complete update. The second common type of update is a hotfix. A hotfix does not typically address security issues. Instead, it corrects a specific software problem, such as a feature that does not work properly. The third common update is a patch, or a software update to fix a security flaw or other problem. Patches may be released on a regular or irregular basis, depending on the vendor or support team.

Quick Reference

Discuss the features of a good patch management system as described on pages 111 and 112 of the text.


Securing the File System


Another means of hardening an operating system is to secure the file system by restricting user access. Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them. Table 4-4 on pages 112 and 113 of the text lists the common folder permissions and what they allow the user to do in Windows. Microsoft Windows provides a centralized method of defining security on a computer called the Microsoft Management Console (MMC). The MMC is a Windows utility that accepts additional components known as snap-ins.

Quick Reference

Describe the common Windows security templates as illustrated on page 113 of the text.

After you apply a security template to organize security settings, you can import the settings to a group of computers. Such a group of computers is known as a Group Policy object. Group Policy settings define the components of a user's desktop environment that a network system administrator needs to manage, such as the programs available to the user, the programs that appear on the user's desktop, and options for the Start menu. Group Policy settings cannot override a global setting for all computers, known as a domain-based setting. Windows stores settings for the computer's hardware and software in a database known as the registry.

Quick Quiz
1. __________ can provide a valuable tool for an attacker to use against the system. ANSWER: Services
2. The combination of an IP address and a port number is known as a(n) __________. ANSWER: socket
3. A(n) __________ is a major release of software, including an operating system. ANSWER: version
4. __________ may be released on a regular or irregular basis, depending on the vendor or support team. ANSWER: Patches
5. Values in the registry are known as ______________. ANSWER: keys

Hardening Applications
Just as you must harden operating systems, so too must you harden the applications that run on those systems. Hotfixes, service packs, and patches are generally available for most applications; although, not usually with the same frequency as for an operating system. Figure 4-4 on page 114 of the text shows the results of a MBSA scan indicating which applications should be updated.

Hardening Servers
You must harden servers to prevent attackers from breaking through the software. The most common type of server is a Web server, which delivers text, graphics, animation, audio, and video to Internet users around the world.

Quick Reference

Discuss the steps that you should perform to harden a Web server as listed on page 114 of the text.


After Web servers, the most popular type of Internet-based server is the mail server, which is used to send and receive electronic messages. In a normal setting, a mail server serves an organization or set of users, and all e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user, as shown in Figure 4-6 on page 116 of the text. In an open mail relay, a mail server processes e-mail messages that are not sent by or intended for a local user. Figure 4-7 on page 117 of the text shows an open mail relay. Another type of Internet server is a File Transfer Protocol (FTP) server, which is used to store and access files through the Internet. FTP servers are typically used to accommodate users who want to download files, such as software updates, or upload files, such as a presentation that all attendees of a conference can access. FTP servers can be set to accept anonymous logons using a window similar to the one shown in Figure 4-8 on page 118 of the text.

Quick Reference

Discuss the tasks to harden an FTP server as listed on page 118 of the text.

A Domain Name Service (DNS) server is one tool that makes the Internet available to ordinary users. DNS servers frequently update each other by transmitting all of the domains and IP addresses of which they are aware. This is called a zone transfer. This type of information would be beneficial to attackers because the IP addresses and other information can be used in an attack. Another type of server involves USENET, a worldwide bulletin board system that can be accessed through the Internet or many online services. The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers. Servers on a local area network (LAN) that allow users to share documents by storing them on a central server or to share printers are known as print/file servers.

Quick Reference

Describe the tasks involved in hardening a print/file server as shown on page 119 of the text.

A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP). DHCP servers "lease" IP addresses to clients.

Hardening Data Repositories


A data repository is a container that holds electronic information. Most organizations access two major data repositories: directory services and company databases. A directory service is a database stored on the network that contains all the information about users and network devices along with privileges to those resources. The directory service for Windows is called Active Directory. The Active Directory is stored in the Security Accounts Manager (SAM) database. The primary domain controller (PDC) is the name of the server that houses the SAM database.

Quick Reference

Describe the three primary types of database attacks as listed on page 120 of the text.


Hardening Networks
As with hardening operating systems, keeping a network secure is basically a two-fold process: first secure the network with necessary updates and then properly configure it.

Firmware Updates
One key feature of RAM is that it is volatile: interrupting the power source causes RAM to lose its entire contents. The second type of memory is read-only memory (ROM). ROM is different from RAM in two ways. First, the contents of ROM are fixed. Second, ROM is nonvolatile, which means that disabling the power source does not erase its contents. You can delete the contents of Erasable Programmable Read-Only Memory (EPROM) chips and replace them with new instructions. EPROM chips have a tiny crystal window. To erase an EPROM chip, you hold the chip under ultraviolet light so the light passes through the window. The contents of Electrically Erasable Programmable Read-Only Memory (EEPROM) chips can also be erased using electrical signals applied to specific pins. ROM, EPROM, and EEPROM are known as firmware, which is software that has been written onto ROM.

Network Configuration
Along with updates to the network firmware, you must also properly configure network equipment to resist attacks. The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network.

Quick Reference

Discuss the list of information in the packet that can be used as criteria for filtering as shown on page 122 of the text.

The rules that a network device uses to permit or deny a packet are sometimes called a rule base or an access control list (ACL), not to be confused with ACLs discussed previously in regard to securing a file system.

Quick Reference

Discuss the settings that compose rules as shown on pages 122 and 123 of the text. Examine Table 4-6 on page 124 of the text, which lists a sample rule base. Also, examine the basic guidelines that should be used when creating rules as shown on page 124 of the text.
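A rule base of the kind described above can be evaluated and audited in a few lines. The following is an added example, not the textbook's table or part of the original notes: the rule fields, the first-match evaluation with a default deny, and all addresses other than the chapter's 198.146.118.20 are assumptions chosen for illustration. It also reports rules that can never fire because an earlier, broader rule covers them.

```python
import ipaddress

# Constructed rule base; field layout and first-match/default-deny evaluation
# are assumptions for illustration, not taken from the textbook.
RULES = [
    # (name, source network, destination network, protocol, dest port, action)
    ("web-in",    "0.0.0.0/0", "198.146.118.20/32", "TCP", 80,   "permit"),
    ("block-ext", "0.0.0.0/0", "198.146.118.0/24",  "ANY", None, "deny"),
    ("ftp-in",    "0.0.0.0/0", "198.146.118.21/32", "TCP", 21,   "permit"),
]

def matches(rule, pkt):
    """True if the packet's addresses, protocol and destination port fit the rule."""
    _, src, dst, proto, port, _ = rule
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and proto in ("ANY", pkt["proto"])
            and port in (None, pkt["dport"]))

def decide(pkt, rules=RULES):
    """Return (action, rule name) of the first matching rule; deny if none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[5], rule[0]
    return "deny", "default"

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    net = ipaddress.ip_network
    return (net(b[1]).subnet_of(net(a[1])) and net(b[2]).subnet_of(net(a[2]))
            and a[3] in ("ANY", b[3]) and a[4] in (None, b[4]))

def shadowed(rules=RULES):
    """Names of rules that never fire because an earlier rule covers them."""
    return [b[0] for i, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:i])]

if __name__ == "__main__":
    ftp = {"src": "203.0.113.9", "dst": "198.146.118.21", "proto": "TCP", "dport": 21}
    print(decide(ftp))   # the broad deny is reached before the FTP permit
    print(shadowed())
```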

Quick Quiz
1. The _____________ server is used to relay, or "bounce," e-mail from one outside source to other sources. ANSWER: mail
2. DNS servers frequently update each other by transmitting all of the domains and IP addresses of which they are aware, which is known as a(n) _____________. ANSWER: zone transfer
3. __________ has the effect of broadcasting every message to every site. ANSWER: Network News Transfer Protocol (NNTP)
4. __________ is software that has been written onto ROM. ANSWER: Firmware
5. The rules that a network device uses to permit or deny a packet are sometimes called a(n) __________. ANSWER: rule base or access control list (ACL)


Discussion Questions
1. How can you be sure that a process is nonessential?
2. Discuss several different strategies that can be used to harden data repositories.

Additional Activities
1. Have students research the difference between an essential and a nonessential process and summarize what they find.
2. Have students practice with some of the procedures used to harden a network and document their progress.
