A6: Security Misconfiguration

Upload: asad-shaikh

Post on 06-Apr-2018


TRANSCRIPT

  • 8/2/2019 A6 Security Misconfiguration

    1/17

    A6: SECURITY MISCONFIGURATION

    By Shaikh Asadullah


    SECURITY MISCONFIGURATION?

    This happens when system admins, DBAs and developers leave security holes in the configuration of computer systems.

    Examples:
    - Router ACLs
    - Default accounts and passwords
    - Unnecessary default, backup and sample apps and libraries
    - Unused administrative services (FTP, DNS)
    - Unpatched, outdated or default-configured software


    HOW ATTACKERS DO IT

    Collect info about the targeted system's stack:
    - OS and version number
    - Web server type (Apache, IIS, etc.)
    - RDBMS (MySQL, SQL Server, Oracle, etc.)
    - Web development language
    - Tools/libraries used (Castle, NHibernate, etc.)

    Check their data sources for all known exploits against any part of that stack.
    - There are known vulnerabilities at each level of the stack; a product name plus a version number is usually all that is needed to look them up.
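    The enumeration described above works because servers volunteer their stack in response headers and default error pages. The following Python example is added here and is not code from the original deck: it parses two constructed HTTP responses (not captured from any real system) and lists everything an attacker could feed into an exploit database. The same function doubles as the defender's check for the "don't give away info about your stack" advice on the next slide. The header names, regular expressions and sample responses are my own choices for the example.

```python
import re
from typing import Dict, List, Tuple

# Two constructed responses (not captured from any real system): the first is a
# default ASP.NET error page with every identifying header left on, the second
# is the same failure on a server that has been told to keep quiet.
CHATTY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Server Error in '/' Application.</h1>"
    "<b>Stack Trace:</b> at App.Controllers.Home.Index()</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: web\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Something went wrong.</h1></body></html>"
)

# Headers whose only job is to advertise the framework; no browser needs them.
DISCLOSING_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}

# Body fragments that identify the framework or leak a stack trace on an error page.
ERROR_SIGNATURES = [
    (re.compile(r"Server Error in '.*?' Application", re.I), "ASP.NET default error page"),
    (re.compile(r"Stack Trace:", re.I), "stack trace in response body"),
    (re.compile(r"Apache Tomcat/\d[\d.]*", re.I), "Tomcat version banner"),
    (re.compile(r"<address>Apache/\d[\d.]*", re.I), "Apache httpd version banner"),
]


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def stack_leaks(raw: str) -> List[str]:
    """Return one finding per piece of stack information the response gives away.

    A bare product name ("Server: nginx") is tolerated; a product/version pair
    ("Microsoft-IIS/7.5") is what gets looked up against exploit databases, so
    only the latter is reported.
    """
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    server = headers.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"Server header reveals product and version: {server}")
    for name in sorted(DISCLOSING_HEADERS.intersection(headers)):
        findings.append(f"{name} header reveals framework: {headers[name]}")
    for pattern, label in ERROR_SIGNATURES:
        if pattern.search(body):
            findings.append(label)
    return findings


if __name__ == "__main__":
    for label, raw in (("chatty", CHATTY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {stack_leaks(raw) or ['nothing disclosed']}")
```

    Run against the chatty response it reports six findings (the versioned Server header, three framework headers, the default error page and the stack trace); against the hardened one it reports nothing. On IIS/ASP.NET the fixes are to remove the X-Powered-By header, set enableVersionHeader="false", and serve custom error pages instead of the framework's default.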


    HOW WE PROTECT

    Don't give away info about your stack.

    Change default user accounts.

    Delete unused pages and user accounts.

    Turn off unused services.

    Whitelist pages.

    Stay up-to-date on patches.

    Consider internal attackers as well as external.

    Use automated scanners.


    CHANGE DEFAULT ACCOUNTS

    When you install an OS or server tool, it often ships with a built-in administrative account and a default (or blank) password.

    Examples:
    - Windows: the built-in "Administrator" account
    - SQL Server: the "sa" login, which older versions installed with no password
    - Oracle: well-known default accounts such as SYSTEM/MANAGER and SCOTT/TIGER
    - Apache Tomcat: the sample users ("tomcat"/"tomcat") in the shipped tomcat-users.xml, if anyone uncomments them

    Make sure you change these passwords!

    Completely delete (or at least disable) the accounts when possible.


    DELETE UNUSED PAGES

    Remove all files and pages that are no longer needed.

    Focus on:
    - Installation default and sample pages
    - Pages that have been migrated elsewhere
    - Old and backed-up config files


    DELETE UNUSED ACCOUNTS

    As soon as an employee or contractor leaves:
    - change the account's password (and any shared credentials they knew);
    - change the username;
    - move their files and delete the account.

    Look for old client accounts and delete them.


    TURN OFF UNUSED SERVICES

    Look through all running services. If they're not being used, turn them off and disable them at system startup.

    Pay particular attention to:
    - Services enabled upon install (remote debugging, content management)
    - Services turned on ad hoc for one-time use ("This is a temporary fix. We'll put a better solution in later.")
    - Inside IIS: directory browsing, and the ability to run scripts and executables in directories that only need to serve static files


    WHITELIST PAGES

    Serve only pages that are allowed.

    Intercept requests for pages and disallow any request for something other than:
    - *.html
    - *.jsp
    - *.js
    - *.css
    - etc.

    Whitelists are better than blacklists: a blacklist has to name every file type you want hidden (.bak, .old, .config, ...) and misses the one nobody thought of.
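    The interception described above can be implemented in a few lines. The following Python example is added here and is not code from the original deck: it normalizes each request path the way a web server must before deciding (percent-decoding, dropping the query string, collapsing ".." segments), then applies the deck's extension whitelist and, for contrast, an extension blacklist. The allowed and blocked extension sets and the sample requests are constructed for the example and are my own choices.

```python
import posixpath
from urllib.parse import unquote

# Extensions the server is allowed to hand out: the deck's list plus common static assets.
ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css", ".png", ".jpg", ".ico"}

# A blacklist has to enumerate every dangerous extension and still misses the next one.
BLOCKED_EXTENSIONS = {".bak", ".old", ".config", ".xml", ".sql"}


def normalize(path: str) -> str:
    """Turn the raw request path into a canonical absolute path under the web root.

    Percent-decoding is applied twice so a double-encoded '..%252f' does not
    survive, the query string and fragment are discarded, backslashes count as
    separators, and '.'/'..' segments are collapsed by normpath. Because the
    path is re-anchored with a single leading '/', '..' can never climb above
    the root.
    """
    decoded = unquote(unquote(path))
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]
    clean = posixpath.normpath("/" + decoded.replace("\\", "/").lstrip("/"))
    return "/index.html" if clean == "/" else clean


def allowed_by_whitelist(path: str) -> bool:
    """Serve only files whose extension is on the allow list and which do not
    sit in or under a dot-directory."""
    clean = normalize(path)
    if any(seg.startswith(".") for seg in clean.split("/")[1:]):
        return False  # .git/, .htaccess, .env and friends are never served
    if "\x00" in clean:
        return False  # a null byte in the name is an attempt to confuse the filesystem
    return posixpath.splitext(clean)[1].lower() in ALLOWED_EXTENSIONS


def allowed_by_blacklist(path: str) -> bool:
    """The weaker alternative: deny known-bad extensions and serve everything else."""
    clean = normalize(path)
    return posixpath.splitext(clean)[1].lower() not in BLOCKED_EXTENSIONS


# Constructed requests (not from the original deck): normal pages plus the
# leftovers and traversal attempts the deck warns about.
SAMPLE_REQUESTS = [
    "/index.html",
    "/app/login.jsp?next=%2Fhome",
    "/static/app.js",
    "/web.config",
    "/backup/web.config.orig",        # backed-up config with an extension nobody listed
    "/.git/HEAD",                     # repository metadata left in the web root
    "/../../etc/passwd",
    "/images/..%252f..%252fweb.config",
    "/setup/install.php",             # installer left behind
]


def triage(requests=SAMPLE_REQUESTS):
    """Return {path: (whitelist_decision, blacklist_decision)} for each request."""
    return {r: (allowed_by_whitelist(r), allowed_by_blacklist(r)) for r in requests}


if __name__ == "__main__":
    for path, (wl, bl) in triage().items():
        print(f"{path:40} whitelist={'serve' if wl else 'deny':5} blacklist={'serve' if bl else 'deny'}")
```

    The two rows worth staring at are "/backup/web.config.orig" and "/.git/HEAD": both sail through the blacklist because nobody listed ".orig" or files with no extension, and both are refused by the whitelist without anyone having to anticipate them.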


    UPDATE PATCHES

    Patch Tuesday is the most overlooked defense.

    Day-one vulnerabilities: once a patch is public, attackers compare patched and unpatched binaries and build exploits against everyone who has not applied it yet.

    Subscribe to vendors' alert lists.

    Follow the RSS feeds of security news sites (Wired, Slashdot, etc.).


    CONSIDER INTERNAL ATTACKERS

    Rootkits can be installed.

    Private files can be exposed.

    Review user authentication and privileges.

    Web.config can't be served to browsers, but it can be read by employees with access to the file system.
    - Encrypt parts of it (the connectionStrings section is the usual candidate).
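    Both the directory-browsing point on the "turn off unused services" slide and the Web.config point above come down to a handful of settings in the same file. The following Python example is added here and is not code from the original deck: it audits two constructed web.config fragments, one of the leftover-from-install kind and one hardened, and reports each weak setting. The element names and defaults are those of ASP.NET/IIS; the sample files, the audit function and the wording of its findings are my own. The encrypted section in the hardened sample is a placeholder comment standing in for the ciphertext that aspnet_regiis -pe writes.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed web.config fragments (not from the original deck). The first is the
# kind of file left behind after an installer or a quick fix; the second is the
# same application hardened.
WEAK_WEB_CONFIG = """
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=app;User Id=sa;Password=Secret1;" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
"""

HARDENED_WEB_CONFIG = """
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><!-- ciphertext written by: aspnet_regiis -pe connectionStrings -app /app --></EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def child(elem: Optional[ET.Element], *tags: str) -> Optional[ET.Element]:
    """Walk a chain of child elements, returning None as soon as one is missing."""
    for tag in tags:
        if elem is None:
            return None
        elem = elem.find(tag)
    return elem


def is_true(elem: Optional[ET.Element], attr: str, default: str) -> bool:
    """Read a boolean attribute the way ASP.NET does: case-insensitive, falling back to the documented default."""
    value = elem.get(attr, default) if elem is not None else default
    return value.strip().lower() == "true"


def audit_web_config(xml_text: str) -> List[str]:
    """Return one finding per misconfiguration recognised in the file."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # 1. Secrets readable by anyone with file access (the internal-attacker case).
    cs = root.find("connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None:
        for add in cs.findall("add"):
            parts = {}
            for kv in add.get("connectionString", "").split(";"):
                if "=" in kv:
                    key, value = kv.split("=", 1)
                    parts[key.strip().lower()] = value.strip()
            name = add.get("name", "?")
            if "password" in parts or "pwd" in parts:
                findings.append(f"connectionStrings/{name}: plaintext password; encrypt the section")
            if parts.get("user id", parts.get("uid", "")).lower() == "sa":
                findings.append(f"connectionStrings/{name}: application connects as the SQL Server 'sa' login")

    # 2. Settings that hand the attacker stack details and stack traces.
    if is_true(child(root, "system.web", "compilation"), "debug", "false"):
        findings.append('system.web/compilation: debug="true" (verbose errors, no optimisation)')
    ce = child(root, "system.web", "customErrors")
    if ce is not None and ce.get("mode", "").lower() == "off":
        findings.append('system.web/customErrors: mode="Off" shows stack traces to remote clients')
    if is_true(child(root, "system.web", "httpRuntime"), "enableVersionHeader", "true"):
        findings.append("system.web/httpRuntime: X-AspNet-Version header enabled (the default)")
    headers = child(root, "system.webServer", "httpProtocol", "customHeaders")
    removed = [] if headers is None else [r.get("name", "").lower() for r in headers.findall("remove")]
    if "x-powered-by" not in removed:
        findings.append("system.webServer/httpProtocol: X-Powered-By header not removed")

    # 3. An unused feature left switched on.
    if is_true(child(root, "system.webServer", "directoryBrowse"), "enabled", "false"):
        findings.append('system.webServer/directoryBrowse: enabled="true" lists every folder without an index page')

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

    The weak file yields seven findings, two of which (the version header and the X-Powered-By header) come from settings that are absent rather than present: the audit treats a missing element as its documented default, which is how the server treats it too.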


    USE AUTOMATED SCANNERS

    Download and install one or more automated scanners:
    - Microsoft Baseline Security Analyzer (MBSA)
    - WebScarab from OWASP
    - Nikto
    - Samurai (Web Testing Framework)

    (MBSA and WebScarab are no longer maintained; OWASP ZAP is WebScarab's successor.)

    Attackers will run tools like these against you, so run them first.


    SUMMARY

    Many of the ways hackers damage our systems can be stopped by some simple maintenance of the stack:
    - Applying patches
    - Removing, or changing the authentication on, unneeded or default accounts
    - Whitelisting the files served
    - Using automated scanners


    REFERENCES

    Secure deployment section of the OWASP site: http://www.owasp.org

    Nikto: http://www.cirt.net

    SecTools: http://sectools.org