CompTIA A+ Complete Study Guide, part 10 (PDF)


822 Chapter 17  Installing, Configuring, Upgrading, and Optimizing Security

An example of a mobile user, on the other hand, is a salesperson who is in the field calling on customers. In his possession is a $6,000 laptop capable of doing everything shy of changing the oil of the company car. Whenever the salesperson has a problem with the computer, he calls from 3,000 miles away and begins the conversation with, “It did it again.” You not only have no idea to whom you are talking, you have no idea to what the it refers.

In short, roaming users use different computers within the same LAN, whereas mobile users use the same workstation but do not connect to the LAN. Because you cannot force mobile users to connect to a server on your LAN each time they boot (and when they do, it is over slow connections), you are less able to enforce administrative restrictions, such as Group Policies. That having been said, however, you should never think it impossible to apply administrative restrictions on mobile users. System Policies are the predecessors of Group Policies (used in Windows 9x) and restrict what they can govern to Registry settings only, whereas Group Policies exceed that functionality.

In the absence of a regular connection to the LAN (and, therefore, to Active Directory), there are automatically a number of Group Policy restrictions that you cannot enforce or utilize (a cruel fact you must accept). Therefore, it is always in the best interest of the administrators to have the systems connect to the network (and require them to do so), whenever possible. The following is a list of some of the restrictions that cannot be enforced without such a connection:

Roaming Profiles: By placing a user’s profile on the server, that user is able to have the same desktop regardless of which computer they use on a given day.

Assigning and Publishing Software: The Software Installation snap-in enables you to centrally manage software. You can publish software to users and assign software to computers.

Redirecting Folders: The Folder Redirection extension enables you to reroute special Windows 2000 folders, including My Documents, Application Data, Desktop, and the Start menu, from the user profile location to elsewhere on the network.

Installing the Operating System Remotely: The Remote Installation Services (RIS) extension enables you to control the Remote Operating System Installation component, as displayed to the client computers.

Aside from these, you can place all the other settings directly on the mobile computer, making them local policies. Local policies can apply to the following:

Administrative Templates: The administrative templates consist mostly of the Registry restrictions that existed in System Policies. They enable you to manage the Registry settings that control the desktop, including applications and operating system components.

Scripts: Scripts enable you to automate user logon and logoff.

Security Settings: The Security Settings extension enables you to define security options (local, domain, and network) for users within the scope of a Group Policy object, including Account Policy, encryption, and so forth.

4831xc17.fm Page 822 Wednesday, September 13, 2006 10:00 AM
Hardening a System 823

Creating the Local Policy

You can create a local policy on a computer by using the Group Policy Editor. You can start the Group Policy Editor in one of the following two ways:

• From the Start button, choose Run and then enter gpedit.msc.

or

• From the Start button, choose Run and then enter MMC. Within the MMC console, choose Console > Open, and then select GPEDIT.MSC from the System32 directory.

When opened, a local policy has two primary divisions: Computer Configuration and User Configuration. The settings that you configure beneath Computer Configuration apply to the computer, regardless of who is using it.
Conversely, the settings that you configure beneath User Configuration apply only if the specified user is logged on. Each of the primary divisions can be useful with a mobile workforce. Note that the Computer Configuration settings are applied whenever the computer is on, whereas the User Configuration settings are applied only when the user logs on. The following options are available under the Computer Configuration setting:

Software Settings: These settings typically are empty on a new system.

Administrative Templates: These settings are those that administrators commonly want to apply.

Windows Settings: The Windows Settings further divide into the following:

Scripts: Scripts are divided into Startup and Shutdown, both of which enable you to configure items (for example, .EXE, .CMD, and .BAT files) to run when a computer starts and stops. Although your implementation may differ, for the most part, little here is pertinent to the mobile user.

Security Settings: Security Settings are divided into Account Policies, Local Policies, Public Key Policies, and IP Security Policies on the local machine. The following sections examine Account Policies and Local Policies choices.

Account Policies

The Account Policies setting further divides into Password Policy and Account Lockout Policy. The following seven choices are available under Password Policy:

Enforce Password History: This allows you to require unique passwords for a certain number of iterations. The default number is 0, but it can go as high as 24.

Maximum Password Age: The default is 42 days, but values range from 0 to 999.

Minimum Password Age: The default is 0 days, but values range to 999.

Minimum Password Length: The default is 0 characters (meaning no passwords are required), but a number up to 14 can be specified.

Passwords Must Meet Complexity Requirements Of The Installed Password Filter: The default is disabled.
Store Password Using Reversible Encryption For All Users In The Domain: The default is disabled.

User Must Logon To Change The Password: The default is disabled, thus allowing a user with an expired password to specify a new password during the logon process.

Because the likelihood of laptops being stolen always exists, it is strongly encouraged that you make use of good password policies for this audience. An example policy is as follows:

• Enforce password history: 8 passwords remembered
• Maximum password age: 42 days
• Minimum password age: 3 days
• Minimum password length: 6 to 8 characters

Leave the other three settings disabled.

The Account Lockout Policy setting divides into the following three values:

Account Lockout Counter: This is the number of invalid attempts it takes before lockout occurs. The default is 0 (meaning the feature is turned off). Invalid attempt numbers range from 1 to 999. A number greater than 0 changes the values on the following two options to 30 minutes; otherwise, they are Not Defined.

Account Lockout Duration: This is a number of minutes ranging from 1 to 99999. A value of 0 is also allowed here and signifies that the account never unlocks itself; administrator interaction is always required.

Reset Account Lockout Counter After: This is a number of minutes, ranging from 1 to 99999.

When you are working with a mobile workforce, you must weigh the choice of a user calling you in the middle of the night when she has forgotten her password against keeping the system from being entered if the wrong user picks up the laptop. A good recommendation is to employ lockout after five attempts for a period of time between 30 and 60 minutes.

Local Policies

The Local Policies section divides into three subsections: Audit Policy, User Rights Assignment, and Security Options.
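Before going into those three subsections, it is worth seeing how the Account Policies values above interact, because they are easy to misread: the minimum password age is what stops a user from cycling straight back through the password history, the reset window decides whether slow-paced failures ever reach the lockout counter, and a lockout duration of 0 means nobody but an administrator can clear the lock. The following Python model is an added example, not code from the study guide and not how Windows implements these settings; it re-creates the rules with the chapter's example values (history 8, maximum age 42 days, minimum age 3 days, length 8, which is the top of the 6 to 8 range, lockout after 5 attempts for 30 minutes, counter reset after 30 minutes) and walks constructed accounts, passwords and timestamps through them.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AccountPolicy:
    """Account Policies values; defaults follow the chapter's example mobile-user policy."""
    enforce_password_history: int = 8     # previous passwords remembered (0 to 24)
    maximum_password_age_days: int = 42   # 0 means passwords never expire
    minimum_password_age_days: int = 3    # stops a user cycling straight back to an old password
    minimum_password_length: int = 8      # 0 means blank passwords are allowed
    lockout_threshold: int = 5            # invalid attempts before lockout; 0 disables lockout
    lockout_duration_min: int = 30        # 0 means locked until an administrator unlocks it
    reset_counter_after_min: int = 30     # quiet minutes before the bad-attempt counter clears

@dataclass
class Account:
    name: str
    password_hash: str
    last_set: datetime
    history: list = field(default_factory=list)   # older password hashes, newest first
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None       # datetime.max means only an admin can unlock

def _digest(password: str) -> str:
    """Toy fingerprint so the model keeps no clear text; not a real password store."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_new_password(policy, acct, candidate, now):
    """Name of the Password Policy setting that rejects the change, or None if accepted."""
    if len(candidate) < policy.minimum_password_length:
        return "Minimum Password Length"
    remembered = [acct.password_hash] + acct.history
    if _digest(candidate) in remembered[: policy.enforce_password_history]:
        return "Enforce Password History"
    if now - acct.last_set < timedelta(days=policy.minimum_password_age_days):
        return "Minimum Password Age"
    return None

def change_password(policy, acct, candidate, now):
    reason = check_new_password(policy, acct, candidate, now)
    if reason is None:
        acct.history = ([acct.password_hash] + acct.history)[: policy.enforce_password_history]
        acct.password_hash, acct.last_set = _digest(candidate), now
    return reason

def attempt_logon(policy, acct, password, now):
    """Outcome of one logon: 'success', 'bad password', 'locked out' or 'password expired'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked out"
        acct.locked_until, acct.bad_count = None, 0          # Account Lockout Duration elapsed
    if _digest(password) != acct.password_hash:
        window = timedelta(minutes=policy.reset_counter_after_min)
        if acct.last_bad is not None and now - acct.last_bad >= window:
            acct.bad_count = 0                                 # Reset Account Lockout Counter After
        acct.bad_count, acct.last_bad = acct.bad_count + 1, now
        if policy.lockout_threshold and acct.bad_count >= policy.lockout_threshold:
            acct.locked_until = (datetime.max if policy.lockout_duration_min == 0
                                 else now + timedelta(minutes=policy.lockout_duration_min))
            return "locked out"
        return "bad password"
    acct.bad_count, acct.last_bad = 0, None
    max_age = timedelta(days=policy.maximum_password_age_days)
    if policy.maximum_password_age_days and now - acct.last_set > max_age:
        return "password expired"
    return "success"

def lockout_walkthrough(policy=None):
    """Constructed account walked through lockout, auto-unlock, password change and expiry."""
    policy = policy or AccountPolicy()
    t0 = datetime(2006, 9, 13, 10, 0)
    acct = Account("salesrep", _digest("Tr0ub4dor&3"), t0 - timedelta(days=10))
    logons = [attempt_logon(policy, acct, "wrong", t0 + timedelta(minutes=i)) for i in range(5)]
    logons.append(attempt_logon(policy, acct, "Tr0ub4dor&3", t0 + timedelta(minutes=10)))  # still locked
    logons.append(attempt_logon(policy, acct, "Tr0ub4dor&3", t0 + timedelta(minutes=40)))  # duration over
    t1 = t0 + timedelta(minutes=41)
    changes = {"reuse": change_password(policy, acct, "Tr0ub4dor&3", t1),
               "short": change_password(policy, acct, "abc", t1),
               "fresh": change_password(policy, acct, "N3w-Passw0rd!", t1),
               "too_soon": change_password(policy, acct, "An0ther-0ne!", t1 + timedelta(days=1))}
    logons.append(attempt_logon(policy, acct, "N3w-Passw0rd!", t1 + timedelta(days=43)))  # past max age
    return {"logons": logons, "changes": changes}

def reset_window_walkthrough(policy=None):
    """Four failures, then a fifth after the reset window: the counter restarted, so no lockout."""
    policy = policy or AccountPolicy()
    t0 = datetime(2006, 9, 13, 10, 0)
    acct = Account("fieldtech", _digest("C0rrect-Horse"), t0)
    outcomes = [attempt_logon(policy, acct, "wrong", t0 + timedelta(minutes=i)) for i in range(4)]
    outcomes.append(attempt_logon(policy, acct, "wrong", t0 + timedelta(minutes=33)))
    return outcomes, acct.bad_count

def manual_unlock_walkthrough():
    """Lockout duration 0: time alone never clears the lock; an administrator must."""
    policy = AccountPolicy(lockout_duration_min=0)
    t0 = datetime(2006, 9, 13, 10, 0)
    acct = Account("fieldtech", _digest("C0rrect-Horse"), t0)
    for i in range(policy.lockout_threshold):
        attempt_logon(policy, acct, "wrong", t0 + timedelta(seconds=i))
    still_locked = attempt_logon(policy, acct, "C0rrect-Horse", t0 + timedelta(days=1))
    acct.locked_until, acct.bad_count = None, 0              # the administrator unlocks the account
    return still_locked, attempt_logon(policy, acct, "C0rrect-Horse", t0 + timedelta(days=1, minutes=1))
```

Running `lockout_walkthrough()` shows the fifth wrong password locking the account, the correct password still being refused ten minutes later, and the account unlocking itself after the 30-minute duration; the password changes show each Password Policy setting rejecting exactly one candidate, and the final logon 43 days after the last change is refused because the 42-day maximum age has passed.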
The Audit Policy section contains nine settings, the default value for each being No Auditing. Valid options are Success and/or Failure. The Audit Account Logon Events entry is the one entry you should consider turning on for mobile users to see how often they are logging in and out of their machines. When auditing on an event is turned on, the entries are logged in the Security log file.

The User Rights Assignment subsection of Local Policies is where the meat of the old System Policies comes into play. User Rights Assignment has 34 options, most of which are self-explanatory. Also shown in the list that follows are the defaults for who can perform these actions, with Not Defined indicating that no one is specified for this operation. The list of rights and default permissions includes the following:

• Access This Computer From The Network: Everyone, Administrators, Power Users
• Act As Part Of The Operating System: [blank]
• Add Workstations To Domain: [blank]
• Backup Files And Directories: Administrators, Backup Operators
• Bypass Traverse Checking: Everyone
• Change The System Time: Administrators, Power Users
• Create A Pagefile: Administrators
• Create A Token Object: [blank]
• Create Permanent Shared Objects: [blank]
• Debug Programs: Administrators
• Deny Access To This Computer From The Network: [blank]
• Deny Logon As A Batch Job: [blank]
• Deny Logon As A Service: [blank]
• Deny Logon Locally: [blank]
• Enable Computer And User Accounts To Be Trusted For Delegation: [blank]
• Force Shutdown From A Remote System: Administrators, Power Users
• Generate Security Audits: [blank]
• Increase Quotas: Administrators
• Increase Scheduling Priority: Administrators, Power Users
• Load And Unload Device Drivers: Administrators
• Lock Pages In Memory: [blank]
• Log On As A Batch Job: Administrator
• Log On As A Service: [blank]
• Log On Locally: Everyone, Administrators, Users, Guests, Power Users, Backup Operators
• Manage Auditing And Security Log: Administrators
• Modify Firmware Environment Values: Administrators
• Profile Single Process: Administrators, Power Users
• Profile System Performance: Administrators
• Remove Computer From Docking Station: [blank]
• Replace A Process Level Token: [blank]
• Restore Files And Directories: Administrators, Backup Operators
• Shut Down The System: Everyone, Administrators, Users, Power Users, Backup Operators
• Synchronize Directory Service Data: [blank]
• Take Ownership Of Files Or Other Objects: Administrators

This is the default list. You can add additional groups and users to the list, but you cannot remove them. (This functionality is not needed.) If you want to “remove” users or groups from the list, simply uncheck the box granting them access. If your mobile users need to be able to install, delete, and modify their environment, make them a member of the Power Users group.

The Security Options section includes 38 options, which, for the most part, are Registry keys. The default on each is Not Defined, with the two definitions that can be assigned being Enabled and Disabled, or a physical number (as with the number of previous logons to cache).

The ability to back up a system, and recover/restore it, is extremely important. Exercise 17.1 discusses recovering a Windows XP system. Exercise 17.2 walks you through the process of creating a backup in a different operating system, SuSE Linux.

EXERCISE 17.1 Recovering a Windows XP System

This exercise assumes the use of Windows XP and asks you to rate your knowledge of the tools available within it:

1. Assume you created a backup set with ASR, as done in Exercise 9.1. Do you know how to restore it and why you would need to?
2. If the GUI were inaccessible, do you know enough about the command-line NTBACKUP.EXE options to be able to restore a backup?
3. Are you familiar with the Safe Mode boot options? What is the difference between the options, and why would you choose one over another?
4. Is Recovery Console installed on your server(s)? If not, do you know how to do so and why you would use it?

Virtually every network operating system offers tools of this sort, although their names differ. If you aren’t running Windows XP, make certain you know the equivalent tools in the operating system you’re running. You must know how to recover a system and not just how to back it up in order to be an effective administrator.

EXERCISE 17.2 Create a Backup with SuSE Linux

This exercise assumes the use of SuSE Linux Enterprise Server 9. To create a backup:

1. Log in as root and start YaST.
2. Choose System and System Backup.
3. Click Profile Management and choose Add; then enter a name for the new profile, such as fullsystemback.
4. Click OK.
5. Enter a backup name (using an absolute path), and make certain the archive type is set to a tar variety. Then click Next.
6. At the File Selection window, leave the default options and click Next.
7. Leave the Search Constraints as they are and click OK. At the main YaST System Backup dialog box, click Start Backup. After several minutes of reading packages, the backup will begin.

Auditing and Logging

Most systems generate security logs and audit files of activity on the system. These files do absolutely no good if they aren’t periodically reviewed for unusual events. Many web servers provide message auditing, as do logon, system, and application servers. The amount of information these files contain can be overwhelming. You should establish a procedure to review them on a regular basis. A rule of thumb is to never start auditing by trying to record everything, because the sheer volume of the entries will make the data unusable. Approach auditing from the opposite perspective and begin auditing only a few key things, and then expand the audits as you find you need more data.

These files may also be susceptible to access or modification attacks. The files often contain critical systems information including resource sharing, security status, and so on. An attacker may be able to use this information to gather more detailed data about your network. In an access attack, these files can be deleted, modified, and scrambled to prevent system administrators from knowing what happened in the system. A logic bomb could, for example, delete these files when it completes. Administrators might know that something happened, but they would get no clues or assistance from the log and audit files.

You should consider periodically inspecting systems to see what software is installed and whether passwords are posted on sticky notes on monitors or keyboards. A good way to do this without attracting attention is to clean all the monitor faces. While you’re cleaning the monitors, you can also verify that physical security is being upheld. If you notice a password on a sticky note, you can “accidentally” forget to put it back. You should also notify that user that this is an unsafe practice and not to continue it. Under all conditions, you should always work within the guidelines established by your company.

You should also consider obtaining a vulnerability scanner and running it across your network. A vulnerability scanner is a software application that checks your network for any known security holes; it’s better to run one on your own network before someone outside the organization runs it against you.
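Returning to the auditing advice in this section (turn on Audit Account Logon Events for mobile users, then review the Security log on a schedule rather than trying to record everything), the review step is concrete enough to script. The following Python reviewer is an added example, not from the study guide: it reads a simplified, constructed text export of Security log entries (the real log is binary and is exported through Event Viewer; the column layout here is an assumption), counts successful and failed account logons per user, and flags users whose failures cluster the way the chapter's lockout recommendation would treat them, five within 30 minutes, noting whether a success followed so the reviewer can tell a forgotten password from a guess that worked.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not a real export: a simplified text dump of Security log entries written
# with only Audit Account Logon Events turned on (Success and Failure). Column layout is assumed.
SAMPLE_LOG = """\
time,type,category,user,workstation
2006-09-13 08:02:11,Success Audit,Account Logon,alice,LAPTOP-ALICE
2006-09-13 08:03:40,Failure Audit,Account Logon,bob,LAPTOP-BOB
2006-09-13 08:03:52,Failure Audit,Account Logon,bob,LAPTOP-BOB
2006-09-13 08:04:05,Failure Audit,Account Logon,bob,LAPTOP-BOB
2006-09-13 08:04:20,Failure Audit,Account Logon,bob,LAPTOP-BOB
2006-09-13 08:04:31,Failure Audit,Account Logon,bob,LAPTOP-BOB
2006-09-13 08:10:00,Success Audit,Account Logon,bob,LAPTOP-BOB
2006-09-13 12:30:00,Failure Audit,Account Logon,alice,LAPTOP-ALICE
2006-09-13 12:31:10,Success Audit,Account Logon,alice,LAPTOP-ALICE
2006-09-13 18:45:00,Success Audit,Account Logon,carol,LAPTOP-CAROL
2006-09-14 07:55:00,Success Audit,Account Logon,carol,LAPTOP-CAROL
"""

def parse_log(text):
    """Rows as dicts with 'time' converted to datetime; the other columns stay strings."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def logon_summary(rows):
    """How often each user is logging on: successful and failed account logons per user."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for row in rows:
        if row["category"] != "Account Logon":
            continue                      # the one category we chose to audit first
        outcome = "success" if row["type"] == "Success Audit" else "failure"
        summary[row["user"]][outcome] += 1
    return dict(summary)

def failure_bursts(rows, threshold=5, window=timedelta(minutes=30)):
    """Users with `threshold` failures inside `window` (the chapter's lockout numbers) and
    whether a success followed the burst; both a forgotten password and a guess that
    eventually worked end that way, so the entry deserves a follow-up with the user."""
    by_user = defaultdict(list)
    for row in rows:
        if row["category"] == "Account Logon":
            by_user[row["user"]].append(row)
    bursts = {}
    for user, events in by_user.items():
        events.sort(key=lambda r: r["time"])
        fails = [r["time"] for r in events if r["type"] == "Failure Audit"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                end = fails[i + threshold - 1]
                then_success = any(r["type"] == "Success Audit" and r["time"] > end for r in events)
                bursts[user] = {"first": fails[i], "last": end, "then_success": then_success}
                break
    return bursts

def review(text):
    """One report per review cycle: per-user counts plus the entries that need a closer look."""
    rows = parse_log(text)
    return {"summary": logon_summary(rows), "bursts": failure_bursts(rows)}

if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for user, counts in sorted(report["summary"].items()):
        print(f"{user:8s} success={counts['success']} failure={counts['failure']}")
    for user, b in report["bursts"].items():
        print(f"REVIEW {user}: {b['first']} .. {b['last']} then_success={b['then_success']}")
```

On the constructed sample, bob's five failures in under a minute followed by a success are the only entry that comes out marked for review; alice's single failure before a success is the normal mistyped-password pattern and stays in the summary counts only. Widening the window or lowering the threshold is how you "expand the audits as you find you need more data", as the section puts it.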
One of the best-known vulnerability scanners is SAINT, the Security Administrator’s Integrated Network Tool.

Updating Your Operating System

Operating system manufacturers typically provide product updates. For example, Microsoft provides a series of regular updates for Windows 2000 (a proprietary system) and other applications. However, in the case of open-source systems (such as Linux), the updates may come from a newsgroup, the manufacturer of the version you’re using, or a user community. In both cases, public and private, updates help keep operating systems up to the most current revision level.

Researching updates is important; when possible, so is getting feedback from other users before you install an update. In a number of cases, a service pack or update has rendered a system unusable. Make sure your system is backed up before you install updates. Make sure you test updates on test systems before you implement them on production systems.

Three types of updates are discussed here: hotfixes, service packs, and patches.

Hotfixes

Hotfixes are used to make repairs to a system during normal operation, even though they might require a reboot. A hotfix may entail moving data from a bad spot on the disk and remapping the data to a new sector. Doing so prevents data loss and loss of service. This type of repair may also involve reallocating a block of memory if, for example, a memory problem occurred. This allows the system to continue normal operations until a permanent repair can be made. Microsoft refers to a bug fix as a hotfix. This involves the replacement of files with an updated version.

Service Packs

A service pack is a comprehensive set of fixes consolidated into a single product. A service pack may be used to address a large number of bugs or to introduce new capabilities in an OS. When installed, a service pack usually contains a number of file replacements. Make sure you check related websites to verify that the service pack works properly.
Sometimes a manufacturer will release a service pack before it has been thoroughly tested. An untested service pack can cause extreme instability in an operating system or, even worse, render it inoperable.

Patches

A patch is a temporary or quick fix to a program. Patches may be used to temporarily bypass a set of instructions that have malfunctioned. Several OS manufacturers issue patches that can be applied either manually or by using a disk file to fix a program.

When you’re working with customer support on a technical problem with an OS or applications product, customer service may have you go into the code and make alterations to the binary files that run on your system. Double-check each change to prevent catastrophic failures due to improperly entered code.

When more data is known about the problem, a service pack or hotfix may be issued to fix the problem on a larger scale. Patching is becoming less common, because most OS manufacturers would rather release a new version of the code than patch it.

Revisiting Social Engineering

Social engineering attacks can develop very subtly. They’re also hard to detect. Let’s look at some classic social engineering attacks:

• Someone enters your building wearing a white lab jacket with a logo on it. He also has a toolbox. He approaches the receptionist and identifies himself as a copier repairman from a major local copier company. He indicates that he’s here to do preventative service on your copier. In most cases, the receptionist will let him pass and tell him where the copier is. Once the “technician” is out of sight, the receptionist probably won’t give him a second thought. Your organization has just been the victim of a social engineering attack. The attacker has now penetrated your first and possibly even your second layer of security.
In many offices, including security-oriented offices, this individual would have access to the entire organization and would be able to pass freely anywhere he wanted. This attack didn’t take any particular talent or skill other than the ability to look like a copier repairman. Impersonation can go a long way in allowing access to a building or network.

• The next example is a true situation; it happened at a high-security government installation. Access to the facility required passing through a series of manned checkpoints. Professionally trained and competent security personnel manned these checkpoints. An employee decided to play a joke on the security department: He took an old employee badge, cut his picture out of it, and pasted in a picture of Mickey Mouse. He was able to gain access to the facility for two weeks before he was caught.

Social engineering attacks like these are easy to accomplish in most organizations. Even if your organization uses biometric devices, magnetic card strips, or other electronic measures, social engineering attacks are still relatively simple. A favorite method of gaining entry to electronically locked systems is to follow someone through the door they just unlocked, a process known as tailgating. Many people don’t think twice about this event; it happens all the time.

Famed hacker Kevin Mitnick coauthored a book called The Art of Deception: Controlling the Human Element of Security in which 14 of the 16 chapters are devoted to social engineering scenarios that have been played out. If nothing else, the fact that one of the most notorious hackers known, who could write on any security subject he wants, chose to write a book on social engineering should emphasize the importance of the topic to you.
As an administrator, one of your responsibilities is to educate users to not fall prey to social engineering attacks. They should know the security procedures that are in place and follow them to a tee. You should also have a high level of confidence that the correct procedures are in place, and one of the best ways to obtain that confidence is to check your users on occasion.

Preventing social engineering attacks requires more than just providing training about how to detect and prevent them. It also involves making sure that people stay alert. One form of social engineering is known as shoulder surfing, which is nothing more than watching someone when they enter their username/password/sensitive data.

Social engineering is easy to do, even with all of today’s technology at our disposal. Education is the one key that can help.

Don’t overlook the most common personal motivator of all: greed. It may surprise you, but people can be bribed to give away information. If someone gives out the keys, you won’t necessarily know it has occurred. Those keys can be literal, as in the keys to the back door, or figurative, the keys to decrypt messages. The movie and book The Falcon and the Snowman detailed the accounts of two young men, Christopher Boyce and Andrew Daulton Lee, who sold sensitive United States codes to the Russians for several years. The damage they did to U.S. security efforts was incalculable.

In another case, U.S. Navy Petty Officer John Walker sold electronic key sets to the Russians that gave them access to communications between the U.S. Navy and the nuclear submarine fleet in the Atlantic. Later, he sold information and keys for ground forces in Vietnam. His actions cost the U.S. Army countless lives. At the height of his activities, he recruited family members and others to gather this information for him.

It is often comforting to think that we cannot be bought. We look to our morals and standards and think that we are above being bribed.
The truth of the matter, though, is that almost everyone has a price. Your price may be so high that for all practical purposes you don’t have a price that anyone in the market would pay, but can the same be said for the other administrators in your company? Social engineering can have a hugely damaging effect on a security system, as the previous note illustrates.

Recognizing Common Attacks

Most attacks are designed to exploit potential weaknesses. Those weaknesses can be in the implementation of programs or in the protocols used in networks. Many types of attacks require a high level of sophistication and are rare. You need to know about them so that you can identify what has happened in your network. In this section, we’ll look at these attacks more closely.

Back Door Attacks

The term back door attack can have two meanings. The original term back door referred to troubleshooting and developer hooks into systems. During the development of a complicated operating system or application, programmers add back doors or maintenance hooks. These back doors allow them to examine operations inside the code while the code is running. The back doors are stripped out of the code when it’s moved to production. When a software manufacturer discovers a hook that hasn’t been removed, it releases a maintenance upgrade or patch to close the back door. These patches are common when a new product is initially released.

The second type of back door refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker. The program may allow a certain user ID to log on without a password or to gain administrative privileges. Such an attack is usually used as either an access or modification attack. A number of tools exist to create back door attacks on systems.
One of the more popular tools is Back Orifice, which has been updated to work with Windows Server 2003 as well as earlier versions. Another popular back door program is NetBus. Fortunately, most conventional antivirus software will detect and block these types of attacks.

Back Orifice and NetBus are remote administration tools used by attackers to take control of Windows-based systems. These packages are typically installed by using a Trojan horse program. Back Orifice and NetBus allow a remote user to take full control of systems that have these applications installed. Back Orifice and NetBus run on all of the current Windows operating systems.

Spoofing Attacks

A spoofing attack is an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack. A common spoofing attack that was popular for many years on early Unix and other time-sharing systems involved a programmer writing a fake logon program. This program would prompt the user for a user ID and password. No matter what the user typed, the program would indicate an invalid logon attempt and then transfer control to the real logon program. The spoofing program would write the logon and password into a disk file, which was retrieved later.

The rest of the chapter (pages 832 to 846) survives only as preview fragments. They are reproduced below in the order given, with the elisions ("...") as they appear in the source.

• ... upstream providers. Many newer routers can track and attempt to prevent this attack by setting limits on the length of an initial session to force sessions that don’t complete to close out. This type of attack can also be undetectable. An attacker can use an invalid IP address, ...

• ... attack. B. DDoS attack. C. Worm attack. D. Social engineering attack.
  10. Which file extension should not be allowed with an e-mail attachment? A. .DOC  B. .PIF  C. .TXT  D. .XLS
  11. Which type of attack denies authorized users access to network resources? A. DoS  B. Worm  C. Logic bomb  D. Social engineering
  12. As the security administrator ...

• ... steal a valid IP address and use it to gain authorization or information from a network.
  17. A. A TCP ACK attack creates multiple incomplete sessions. Eventually, the TCP protocol hits a limit and refuses additional connections.
  18. D. A smurf attack attempts to use a broadcast ...

• ... program onto dozens or even hundreds of computer systems that use DSL or cable modems. The attack program lies dormant on these computers until they get an attack signal from a master computer. This signal triggers these systems, which launch an attack simultaneously on the target network or system. The master controller ...

• ... one target. The nasty part of this type of attack is that the machines used to carry out the attack belong to normal computer users. The attack gives no special warning to those users. When the attack is complete, the attack program may remove itself from the system or infect the unsuspecting user’s computer with a virus that destroys the hard drive, thereby wiping out the evidence. Can You Prevent Denial ...

• ... The most popular spoofing attacks today are IP spoofing and DNS spoofing. With IP spoofing, the goal is to make the data ...

• ... UDP can be attacked. UDP, like TCP, doesn’t check the validity of IP addresses. The nature of this layer is to trust the layer below it, the IP layer. The most common UDP attacks use UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing ...

• ... a ping request to the broadcast address of the network. This request is sent to all the machines in a large network. The reply is then sent to the machine identified with the ICMP request (the spoof is complete). The result is a DoS attack that consumes the network bandwidth of the replying system, while the victim system deals with the flood of ICMP traffic it receives. Smurf attacks are very popular ...

• ... general rules to adhere to, regardless of which operating systems are employed on your servers and clients. Most of these are common sense. There are various ... New Attacks on the Way: The attacks described in this section aren’t comprehensive. New methods are being developed as ...

• ... utilities, and so forth should be safely guarded behind secure rights and permissions. You should regularly check to see who has used such tools (see auditing later in this list) and make sure they are not being used by users who should not be able to do so. Control permissions to resources as granularly as possible. ...

Posted: 14/08/2014, 20:20
