Operating System & Server Security
Presented by
Mohammad Ashfaqur Rahman, Compliance Professional
www.linkedin.com/in/ashfaqsaphal
Objective
● Concept of OS security
● Possible attacks on the operating system
● Hardening examples
● Hardware security
OS Security
● Key functions of an operating system:
– Computer resource management
– Provides a user interface
– Runs software utilities and programs
– Enforces security measures
– Schedules jobs
OS Security
● Built-in features
– Authorization and authentication
– Resource management
– Response to remote processes
Attack!
● Possible attacks and known vulnerabilities
– Authentication over the network
• Password cracking
• Anonymous / guest login
– Restart / shutdown of the machine
– Rootkit placement
– Access to resources
• Activate / deactivate hardware components
• Identity theft
Example : User Management
● More than 80% of incidents are due to insufficient control over users
● Best practices for user management
– Password policy
• Complexity
• Trivial password management
• Aging
– Account / login locking
• Too many authentication failures
• Rename the administrator account (Windows)
• Disable the guest / nobody etc. accounts
– User group policy
– Minimal file permissions
Example : Windows
Control Panel → Administrative Tools → Local Security Settings → Local Policies → Security Options
● Allow CD-ROM / floppy access to → locally authenticated users only
● Allow formatting and ejecting of removable media → Administrators only
● Require strong (Windows 2000 or later) session key
● Restrict anonymous access to named pipes and shares
● Disable automatic execution of the system debugger
● Disable autoplay for new users by default
● Disable dial-in access to other servers
Example : Windows
Control Panel → Administrative Tools → Services
● FTP Publishing Service → Disable
● Telnet Service → Disable
● TFTP Service → Disable
● SMTP → Disable
● SNMP → Disable
// In short, disable the services that are not required
Example : Linux
● Disable USB storage (path is specific to that kernel build)
● rm /lib/modules/2.6.18-308.24.1.el5/kernel/drivers/usb/storage/usb-storage.ko
● Password / user data file permissions (in /etc)
● chown root:root passwd shadow group gshadow
● chmod 644 passwd group
Example : Linux
● Set permissions on the file system table
● chown root:root /etc/fstab
● chmod 0644 /etc/fstab
● Set umask in:
● /etc/sysconfig/init
● /etc/profile
● /etc/csh.login
● /etc/csh.cshrc
● /etc/bashrc
Example : Linux
● Set permissions on log files (read the log paths from syslog.conf, skipping comment lines and the leading "-" that marks unsynchronised files)
● for file in $(awk '!/^#/ && $2 ~ /var/ { sub(/^-/, "", $2); print $2 }' /etc/syslog.conf); do chmod 600 "$file"*; chown root:root "$file"*; done
● Restrict remote login of the root user
● /etc/ssh/sshd_config
Example : Linux
● Disable services that are not required
● for FILE in chargen chargen-udp cups-lpd cups daytime daytime-udp echo echo-udp eklogin finger gssftp imap imaps ipop2 ipop3 krb5-telnet telnet klogin kshell ktalk ntalk pop3s rexec rlogin rsh rsync servers services sgi_fam shell talk tftp time time-udp vsftpd wuftpd
● do
● chkconfig ${FILE} off
● done
Example : Linux
● Enforce password policy
● /etc/login.defs
● PASS_MAX_DAYS 45
● PASS_MIN_LEN 8
● PASS_MIN_DAYS 1
● Enable a password for the boot loader (generate the hash with /sbin/grub-md5-crypt)
● /etc/grub.conf
● password --md5 <hash from grub-md5-crypt>
● Implement sudo
● /etc/sudoers
Example : Linux
● Require authentication for single-user mode
● /etc/inittab
● ~~:S:wait:/sbin/sulogin
● Restrict root access via "su"
● grep ^wheel /etc/group
● No member should be in the "wheel" group
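The password-policy values, the sshd root-login restriction and the empty-wheel-group check from the Linux slides above can be audited rather than eyeballed. The script below is an added example (not from the slides): it runs the checks against constructed sample files in a temp directory, so it works offline; on a real host you would point the functions at /etc/login.defs, /etc/ssh/sshd_config and /etc/group. It assumes sshd's PermitRootLogin directive is the control behind "restrict remote login of root".

```shell
#!/bin/sh
# Added example: offline audit of three Linux hardening items from the slides,
# run against constructed sample files rather than the live system.

# Print the effective value of KEY in a login.defs-style file
# (comment lines never match; the last assignment wins).
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Pass only if the slide's thresholds hold:
# PASS_MAX_DAYS <= 45, PASS_MIN_LEN >= 8, PASS_MIN_DAYS >= 1.
check_password_policy() {
    max=$(login_defs_value "$1" PASS_MAX_DAYS)
    len=$(login_defs_value "$1" PASS_MIN_LEN)
    min=$(login_defs_value "$1" PASS_MIN_DAYS)
    [ -n "$max" ] && [ "$max" -le 45 ] &&
    [ -n "$len" ] && [ "$len" -ge 8 ] &&
    [ -n "$min" ] && [ "$min" -ge 1 ]
}

# Pass only if PermitRootLogin is "no". sshd honours the first occurrence
# of a keyword, so only the first uncommented one is examined.
check_sshd_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$v" = "no" ]
}

# Pass only if the wheel group has no members (the slide's grep, automated).
check_wheel_empty() {
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$1")
    [ -z "$members" ]
}

# Constructed sample files: a weak and a hardened variant of each.
SAMPLE_DIR=$(mktemp -d)
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\n' > "$SAMPLE_DIR/login.defs.weak"
printf '# comment\nPASS_MAX_DAYS 45\nPASS_MIN_LEN 8\nPASS_MIN_DAYS 1\n' > "$SAMPLE_DIR/login.defs.good"
printf '#PermitRootLogin yes\nPermitRootLogin yes\n' > "$SAMPLE_DIR/sshd_config.weak"
printf 'PermitRootLogin no\nPermitRootLogin yes\n' > "$SAMPLE_DIR/sshd_config.good"
printf 'wheel:x:10:alice,bob\n' > "$SAMPLE_DIR/group.weak"
printf 'root:x:0:\nwheel:x:10:\n' > "$SAMPLE_DIR/group.good"

for variant in weak good; do
    check_password_policy "$SAMPLE_DIR/login.defs.$variant" && echo "PASS login.defs.$variant" || echo "FAIL login.defs.$variant"
    check_sshd_root_login "$SAMPLE_DIR/sshd_config.$variant" && echo "PASS sshd_config.$variant" || echo "FAIL sshd_config.$variant"
    check_wheel_empty "$SAMPLE_DIR/group.$variant" && echo "PASS group.$variant" || echo "FAIL group.$variant"
done
```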
Hardware Security
● OS security and physical security are both required
– The OS should prevent malicious code execution
– The physical environment should ensure:
• Temperature management
• Physical access control
• Humidity control
Hardware Security
● Secure deployment of the hypervisor
– Patching
– Updated software
● Updated firmware
● Remove default usernames and passwords
● Create personal (named) accounts for administration
● Enable secure SNMP
● Disable SNMP traps
Let's Discuss