CompTIA CASP+ CAS-004 – Chapter 04 – Implementing Security for Systems, Applications, and Storage Part 2
- Host Hardening
Another one of the ongoing goals of operations security is to make sure that all the systems have been hardened to the extent that is possible while still providing functionality. Hardening is simply the process of securing a system so that we have a required level of functionality and nothing more. Essentially it is a living example of the concept of least privilege. From a logical perspective this means we go in and get rid of any unnecessary applications. Applications utilize services, which utilize ports, so you can see the theme here: if you have unnecessary things running on a system then inevitably you have open doors into that system.
So we want to turn those things off. We want to take the steps to block those unrequired ports. We need to remove unnecessary accounts or at the very least disable them. We should change default accounts: change their names and change the passwords for those default accounts. This includes both operating systems and network devices. Then there is one that we don’t have on the list there but is important: if external storage devices and media are allowed, then we need to control what we are able to do with those. Hardening is made much easier through centralized management. With centralized management we can do a number of things. One is a standard operating environment and configuration baselines.
When we deploy standard images that have been secured with security baselines it’s much easier to maintain security. A security baseline is just a set of configuration settings that gives us a minimum level of security for each image. In Windows these baselines can be controlled through the use of Group Policy. The policy settings can be made in the image and applied to users and computers, and then they can be refreshed periodically.
That’s technically every 90 minutes by default when the computer connects to the domain controller. It also means they can’t be altered by the user. So it helps us to create a standard operating environment, and it gives us a number of advantages. Another thing that we can do for hardening is application whitelisting and blacklisting. Whitelisted applications are those that are allowed. Blacklisted applications are those that are prohibited.
But it goes a little bit further than that. If you are blacklisting, that means you’re going to allow everything except those programs that you specifically disallow. If you’re whitelisting, it means you’re going to allow nothing except for those that you specifically allow. You really need to figure out which one you’re going to do. Whitelisting is a little bit more difficult because it’s easier to miss something. Here again centralized management is going to be key because we want to have some consistency. So we use Group Policy and application control policies, aka AppLocker on Windows 7 and later, which will give us the ability to do that.
This isn’t a Microsoft class, but Group Policy, which we’ve mentioned now a couple of times, is incredibly capable at centralized management. A lot of the things that are available in Group Policy are related to security, and so we’ll take a bit of time here in the next slide to talk about that. We’ll also talk about command shell restrictions. Windows is known for its GUI, but basically anything you can do in the GUI you can do in the command line. That’s even more true now with Windows PowerShell. Linux and Unix have always made more use of command line environments for day-to-day operations. So that’s another element of the hardening process. And patch management, making sure systems are up to date consistently, is another component within hardening.
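The "nothing more than the required functionality" idea above is easiest to enforce when the baseline is written down and a script compares the host against it. The following is an added example, not part of the course material: a POSIX shell audit that flags listening TCP ports and login-capable accounts that are outside an allow-list baseline. The `ss -ltn` style output and the `/etc/passwd` excerpt are constructed samples; the allow-lists, the function names and the sample values are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the course): audit a host against a small
# allow-list baseline. Two checks: listening TCP ports that are not on the
# allow-list, and accounts that can log in interactively but are not expected to.
# The sample inputs are CONSTRUCTED to look like `ss -ltn` output and an
# /etc/passwd excerpt; on a real host you would pipe the live output in,
# e.g. `ss -ltn | unexpected_ports` and `unexpected_login_accounts < /etc/passwd`.

# The baseline: anything not listed here is, by definition, unnecessary.
ALLOWED_PORTS="22 80 443"
EXPECTED_LOGIN_ACCOUNTS="root deploy"

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
guest:x:1001:1001::/home/guest:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# unexpected_ports: read `ss -ltn` style text on stdin, print each listening
# port that is not in ALLOWED_PORTS (once each), exit 1 if any were found.
unexpected_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the header line
        {
            port = $4; sub(/.*:/, "", port)    # keep the text after the last colon
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# unexpected_login_accounts: read /etc/passwd style lines on stdin, print each
# account whose shell is not nologin/false and that is not in
# EXPECTED_LOGIN_ACCOUNTS; exit 1 if any were found.
unexpected_login_accounts() {
    awk -F: -v expected="$EXPECTED_LOGIN_ACCOUNTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1; bad = 1 }
        END { if (bad) exit 1 }'
}

# run_audit: run both checks on the constructed samples; returns 1 when the
# host deviates from the baseline, so the script can drive a cron job or alert.
run_audit() {
    status=0
    echo "Listening ports outside the baseline:"
    printf '%s\n' "$SAMPLE_SS" | unexpected_ports || status=1
    echo "Login-capable accounts outside the baseline:"
    printf '%s\n' "$SAMPLE_PASSWD" | unexpected_login_accounts || status=1
    return $status
}

run_audit || echo "audit: host deviates from the hardening baseline"
```

Against the constructed samples the audit reports ports 23 and 3306 and the `guest` account. The point of the design is the allow-list: the script never needs to know what a "bad" service looks like, only what the baseline permits, which is the whitelisting stance the lecture describes.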
- Group Policy
So in a Windows environment you have Active Directory, which is your centralized security database that contains user accounts and computer accounts representing every entity on the network, and a function within Active Directory is Group Policy. Group Policy is centralized management to a T. Basically I can create something known as a GPO, or Group Policy Object, within an Active Directory environment, and the settings in those GPOs can then apply to users and computers. They’re applied at computer startup as well as user login, and then on the periodic refresh cycle. Now technically you can do centralized or decentralized control.
Group Policy leverages the hierarchy in Active Directory, which really starts with the domain, and then within the domain you have containers known as organizational units. So if you want something, a security baseline for instance, to affect everybody, you would link that GPO to the domain and then everybody within the domain would have those settings applied. If you want settings to only apply to particular users or computers, then we would link that GPO to an organizational unit. Just think of it as a folder, really, but it’s a folder that contains users and computers and other Active Directory objects. We can also do filtering based on security groups, users or WMI queries.
So you can attach a GPO to a particular container, but then you can filter so that it only affects certain people or certain computers. There are a number of different security options within Group Policy. You have Account Policies, which allow us to consistently implement password policies, account lockout settings and Kerberos authentication settings. We have Local Policies, which is where your audit settings live, as we saw, as well as a whole slew of security options and user rights. Event log settings let us control the age of the logs, the backup processes, overwriting of events, et cetera. Restricted Groups can be used to control the membership of sensitive groups like local admin groups or domain administrative groups. We can even push out file and registry ACLs and configure public key policies as well as IPsec policies for our computers.
- Demo – Configuring Group Policy Security
So we’ve mentioned Group Policy and its ability to configure security for individual computers as well as multiple computers. I just want to take a look at some of those options, because these are options that you could use to harden the system. There are certainly more automated options for hardening operating systems, but these would certainly be there. So I just wanted to take a look at some of the additional things. We’ve looked at some of these already. We’ve been in Security Settings and seen Account Policies and Local Policies. What we did not do was go into the Security Options, and there are a whole bunch of security options in here.
So for instance, disabling the Administrator account, disabling the Guest account, renaming those accounts. If you’re going to disable it, then probably just leave it disabled, but you could still rename it, and all of that would be considered one of those. I’m going to modify the default configuration so that it increases security. We’ve got the option to not display the last username; displaying it is the default, and so from a security perspective that could be a hardening element. We could have message text and title for users when they’re logging on, giving them some sort of acceptable use notice. And then you do have requirements for biometrics, and disabling cached logins when the user is not connected to the domain network.
We can increase security for Microsoft network traffic as well. And then you can enforce the use of User Account Control, among other things. Obviously there are a number of elements in there. Another part of this would be going into Administrative Templates, getting out of those Security Settings. We also have certificate settings, and we have application control policies to lock down programs so that they can’t be used. But under Administrative Templates and Windows Components, I mean, it’s pretty big. We can force updates.
That’s one way to harden the systems: make sure that we’re doing patch management. So I can go in here at the GPO level, at the domain, and I can force automatic updates. The thing that the GPOs do is they prevent the user from then being able to change it. So we could specify how we want it installed, when we want it scheduled and installed. And we can even have them use an internal server, a WSUS server or SCCM server. So that can be a way that we ensure that patches are being pushed out. Up here we can enforce BitLocker, which would increase the default security for operating system drives or removable data drives. If we’re concerned with that, we set “Control use of BitLocker on removable drives” to enabled, allow them to apply it, allow them to suspend it.
They are going to be able to use BitLocker on those drives. Here, though, I can say you can’t write to a removable drive unless it is protected by BitLocker. Okay, so that’s yet another option. And if you really want to go even further, you’ve got some device restrictions. I’m not sure why I’m not seeing those. Oh, because I think it’s under System.
Yeah, that’s right. Okay. It’s kind of difficult sometimes to remember where all this stuff is, but under Device Installation you have Device Installation Restrictions, and you can actually prevent the installation of certain types of devices: prevent the installation of removable devices, disabling, you guessed it, USB storage devices, SD cards, that kind of thing. All right, so that’s just a way of hardening the system. I mean, as we’ve said, you basically want all your patches installed. You want your antivirus and anti-malware software updated. You want your firewall turned on, you want the default configurations removed. Well, in a Windows network, which most of us are going to find ourselves in, you can centrally do all of that through Group Policy, and that ensures consistency for the application of these settings.
- Command Shell Restrictions
Now, a lot of high-level administrative tasks have to be performed in the command shell. As we said, Windows has always been known for its GUI, but it has a command line as well, and in many cases you can’t do everything you need to do in the GUI. You have to use the shell. Of course, administrators of other operating systems like Linux or Unix are going to make more use of the command line for day-to-day operations, as do the operating systems of routers and switches. The risk of mistakes, coupled with the possibility of somebody with malicious intent playing havoc at the command line, means that it’s advisable in some cases to implement some sort of command shell restrictions. A restricted command shell is just a CLI, a command line interface, where only certain commands are available. In Linux and Unix, a number of command line shells are available, and they differ in terms of the power of the commands that they allow. So what we see here are some of the most common Unix and Linux based shells. Other popular shells would be Windows PowerShell and the Linux terminal shell. So tcsh is similar to the C shell.
Your Bourne shell is sh. That’s the most basic shell, available on all Unix systems. The C shell (csh) is similar to the C programming language in syntax. You have Bash, which combines the advantages of the C shell and another shell called the Korn shell, and that is the default on most Linux distros. PowerShell on Windows is a more recent CLI that’s available and extremely powerful, no pun intended. And then there is Cisco IOS, and the commands that are available in Cisco IOS depend on the mode that you’re operating in.
So you start out in user mode, where you can’t really do much; you can view things, but you’re not making any significant changes. And then you progress to privileged mode. Privileged mode is where more commands are enabled. You can put a password on the device, so the user will be prompted when moving from user to privileged mode, and that’s typically something that’s done. For even more granular control of administrative access, we can create user accounts and privilege levels based on those user accounts.
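To make the "only certain commands are available" idea concrete on Linux, here is an added example, not part of the course material, that probes a restricted bash (the shell started as `rbash` or `bash -r`, the most common restricted shell on Linux). It runs a handful of command strings in a fresh restricted shell and reports whether the shell accepted them. The helper names and the set of probes are assumptions for the demonstration; the script requires `bash` on the PATH.

```shell
#!/bin/sh
# Added example (not from the course): probe what a restricted bash permits.
# A restricted bash refuses, among other things, `cd`, changing PATH or SHELL,
# running a command by path (any command name containing a slash) and
# redirecting output. Each probe runs a command string in a fresh restricted
# shell; a violation makes the shell exit non-zero, which is what we detect.

# rbash_check CMD: prints "allowed" or "blocked"; returns 0 or 1 to match.
# Use probes that would succeed in an unrestricted shell, because a command
# that simply fails on its own would also be reported as blocked.
rbash_check() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        echo allowed
        return 0
    fi
    echo blocked
    return 1
}

# demo_restricted_shell: the checks an administrator would run before handing
# a restricted account to a user, to confirm the restrictions actually hold.
demo_restricted_shell() {
    for probe in 'true' 'cd /' '/bin/true' 'echo x > /dev/null' \
                 'PATH=/usr/local/bin' 'SHELL=/bin/sh'; do
        printf '%-24s %s\n' "$probe" "$(rbash_check "$probe")"
    done
}

demo_restricted_shell
```

Only the first probe comes back as allowed. In practice a restricted shell is paired with a PATH that points at a dedicated directory containing just the commands the account needs, since the restriction applies to the shell itself and not to the programs it is allowed to start.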
- Out-of-Band Management
Not all interfaces on a system are created equal. Some of them, especially those connected to infrastructure devices and servers, need to be more tightly controlled and monitored just due to the assets that they lead to. There are certain things that we can do to control those sensitive interfaces. So let’s start by talking about out-of-band management.
An interface is out of band, or OOB, if it’s connected to a separate and isolated network that’s not accessible from the LAN or the outside world. These interfaces typically are live, I should say, even when the device is turned off. Okay, so it gives us physical access to that device even if it’s turned off. Interfaces can be Ethernet or serial, but there are some guidelines for their configuration because they’re a highly powerful interface. Number one, we should place all OOB interfaces on a separate subnet that has a private VLAN, so it should be separate from the data network, with a separate VLAN on the switches for that subnet.
If you’re crossing a wide area network connection, you should use a different Internet connection than that of the production network. We can also use quality of service to make sure that management traffic doesn’t affect production performance in an adverse way. And if the network interface cards support it, you can use Wake-on-LAN to make sure the systems are available even when they are shut down. Some newer computers that have the Intel vPro chipset and a version of Intel Active Management Technology can be managed out of band even when the system is off.
It’s usually coupled with the out-of-band management feature in System Center Configuration Manager, which is a Microsoft product. So it allows you to power on computers, power off computers, restart non-functioning computers, boot to an image, reimage a system, remotely reconfigure the BIOS, boot to a CLI, et cetera. So those are very advantageous, and that’s coming standard in a lot of systems now.
- Dedicated Interfaces
An OOB interface is a type of dedicated interface, but additional options exist, such as ACLs. Access control lists are used to control access to a particular interface based on the source and destination addresses. They’re primarily used on routers and firewalls, and they provide additional functionality, but they do not provide the ability to detect, act on or prevent any sort of IP spoofing. IP spoofing can be used to make a connection to a system that trusts only certain IP addresses.
So an attacker modifies the packet header so that it carries a trusted IP address and is able to actually access that system. So ACLs are useful, but they’re not the end-all, be-all. Management interfaces are used for accessing devices remotely. Typically, a management interface is disconnected from the in-band network and connected to the device’s internal network. Through that interface, you can access the device using utilities like SSH, Telnet, the Simple Network Management Protocol, et cetera, and we’re using that to gather statistics from the device. In some cases the interface is an actual physical port, in which case it would be labeled as the management port. In other cases it’s just a port that’s logically separated from the network, like a private VLAN. The point is to keep them used for remotely managing the device and to keep them separate from regular network traffic.
There aren’t any real disadvantages to using a management interface, but it’s incredibly important to secure them. Cisco devices have dedicated virtual terminal lines, called VTY lines or VTY ports, and those should always be configured with a password. Technically, up to 16 lines exist on some switches, and you can go in and configure that particular line with a login. Data interfaces are used for data traffic and they are not used for local or remote management. These interfaces can operate at either layer 2 or layer 3, depending on the type of device, and they can also have ACLs defined at either layer. On routers we call them access lists; on switches we call it port security. It’s possible for routers and switches to also have logical, software-only interfaces as well. An example of that is the loopback interface. Those are used predominantly for testing.
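The ACL behaviour described above (source-address matching, first match wins, and the implicit deny that catches everything else) can be modelled in a few lines of shell and awk. This is an added example, not part of the course material and not a vendor's ACL implementation: it evaluates a source address against an ordered access list guarding a management interface. The rules and addresses are constructed; `10.255.0.0/24` stands in for the out-of-band management subnet and `192.0.2.10` for a single permitted jump host.

```shell
#!/bin/sh
# Added example (not from the course): evaluate a source address against an
# ordered access list the way a router applies an ACL to its management
# interface: the first matching entry wins, and anything that matches no entry
# is denied (the implicit deny at the end of every ACL). Rules and addresses
# are CONSTRUCTED for the demonstration.

MGMT_ACL='permit 10.255.0.0/24
permit 192.0.2.10/32
deny   10.0.0.0/8'

# acl_decision SRC_IP: prints "permit" or "deny" from the first matching rule.
# CIDR matching is done with integer division instead of bit operations so it
# runs in any POSIX awk (no gawk-only and()/or() functions needed).
acl_decision() {
    printf '%s\n' "$MGMT_ACL" | awk -v src="$1" '
        function ip2int(s,    p) {
            split(s, p, "[.]")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        # true when ip falls inside cidr: both share the same prefix bits
        function in_cidr(ip, cidr,    c, shift) {
            split(cidr, c, "/")
            shift = 2 ^ (32 - c[2])           # divide away the host bits
            return int(ip2int(ip) / shift) == int(ip2int(c[1]) / shift)
        }
        NF == 2 && in_cidr(src, $2) { print $1; matched = 1; exit }
        END { if (!matched) print "deny" }'
}

# The ACL only sees the source field the packet claims; it cannot tell a
# spoofed address from a genuine one. That is why the management subnet is
# also kept on its own isolated VLAN behind a dedicated management interface
# rather than relying on the list alone.
demo_acl() {
    for ip in 10.255.0.7 192.0.2.10 192.0.2.11 10.1.2.3 203.0.113.5; do
        printf '%-14s %s\n' "$ip" "$(acl_decision "$ip")"
    done
}

demo_acl
```

Note the two different reasons an address ends up denied: `10.1.2.3` hits the explicit `deny 10.0.0.0/8` entry, while `203.0.113.5` matches nothing and falls through to the implicit deny. Both look the same to the sender, which is why an explicit final deny entry is often added anyway so that hits on it can be logged.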
- External I/O Restrictions
One of the ways that malware and various other problems can be introduced to the network is through peripheral devices that users connect to their computers. They bring these peripheral devices in and make that connection, and that bypasses firewalls and security devices. At the same time, sensitive data can also leave the network this way.
And so to address this, you really should implement controls, and many organizations will, over the types of peripherals that users can bring in and connect, if any. USB storage devices are probably one of the biggest culprits; that’s any type of thumb drive, external hard drive, network interface, et cetera. These should be strictly controlled, and they can be restricted using local or centralized policies like Group Policy, which we have talked about. They can cause data leakage, malware, remote access, unauthorized access, et cetera. And so we really need to have some controls over them.
Restrictions can be enforced through rights management and encryption. BitLocker To Go is able to enforce encryption on those USB devices. You can require that they’re encrypted before they can be used. It’s also possible to allow some, but not all, users to use these devices, right? So you can just say, well, nobody can use them, or only certain types can be used, or only certain users are allowed to use them. You can also incorporate that with DRM. Azure’s implementation of this is sometimes called Azure Information Rights Management. Azure is the Microsoft public cloud. It is referred to as either IRM or RMS, Rights Management Services, but it’s the same thing, and it will provide digital content protection for the data that’s stored on those drives.
- Wireless Technologies
Wireless technologies are also going to provide openings for malware and other problems. In some cases it’s just unauthenticated access to the network. In other cases it’s people putting information on personal devices at risk. So we really need to understand the various vulnerabilities, and that’s going to take us into wireless connectivity and the different technologies that are used. Now, some of this may be familiar to you; it’s not unique to CASP. This is stuff that we go through in A+, Network+ and Security+, so there’s some overlap here. Let’s start with Bluetooth. Bluetooth is a wireless technology that’s used to create personal area networks. These are short range connections between devices and peripherals: headphones, keyboards, mice, those are your most common Bluetooth devices.
Bluetooth operates at the 2.4 GHz frequency, with speeds up to 1.3 megabits per second and distances now well exceeding 10 meters with the latest versions. But there are several attacks that can take advantage of Bluetooth technology. Bluejacking and bluesnarfing are the two most common. Bluejacking is an unsolicited message that’s sent to a Bluetooth-enabled device. This is usually for the purpose of adding a business card to the victim’s contact list. All you have to do to prevent this is put the device in non-discoverable mode. I have a side business, and we had an individual who was on the forum for this type of business, a bunch of people around the country, and he was actually suggesting a product that would perform bluejacking.
And if you had a location, an actual storefront, you could utilize this device so that anybody walking by would get a message advertising your store. I mean, incredibly intrusive. I don’t know how these devices even exist out in the marketplace. I said no, but I thought that was humorous, and I think of it every time I see bluejacking. Bluesnarfing involves unauthorized access to a device using the Bluetooth connection. So bluejacking is just kind of advertising; bluesnarfing is the attacker actually trying to access information. I’m not trying to send messages, I’m trying to gain access to it.
The use of Bluetooth can be controlled, and such control should be considered in high security environments. If nothing else, we should just educate users on how to use it. But mobile device management solutions can push out security settings for these devices. The next connectivity type is NFC, or near field communication. This is a set of protocols that allow two devices, one of which is usually a mobile device or both of which are mobile devices, to establish a connection, but they have to be within two inches of each other. So NFC is really for devices that have particular apps to read electronic tags, make payments, share photos, et cetera. But it is something that is available on all mobile devices like smartphones today, and it presents many security vulnerabilities. Among them are eavesdropping, data corruption and manipulation, and interception attacks. Physical theft of the device would then make purchases from the phone possible. So some organizations may just want to forbid this functionality. If you’re talking about company-owned smartphones in a BYOD initiative, it’s not necessarily something that we want to have on there.
IrDA is the Infrared Data Association, which provides specifications for infrared communications. Infrared is different than standard Wi-Fi because it’s short distance and it uses infrared light rather than radio waves. It also requires a direct line of sight between the devices. This is typically not used today for actual data communications on smartphones and tablets. It is often used in digital cameras and other digital image capture devices.
And so it is possible those devices accept certain files, and the files could contain harmful programs, but it is not as much of an issue as the other ones because of its infrequent use. RF is just radio frequency, and radio frequency technologies differ in the frequency they use and the range over which they can broadcast. From an enterprise perspective, the highest level of concern is with 802.11 and RFID. Those are two widely used technologies, and we’ll be discussing them more here. But before we can discuss 802.11 wireless, which has become known as WLAN, wireless LAN, we really need to talk about the component structure of a wireless LAN.
- Wi-Fi Components
Wireless LANs, also known as Wi-Fi, are representative of the 802.11 standards, standardized by the IEEE like other network standards. And here are the primary components you have. The AP, sometimes known as a WAP, just stands for (wireless) access point. Right. It’s a wireless transmitter and receiver that hooks into the wired portion of the network and provides an access point to this network for wireless devices. Sometimes they’re called a bridge, a wireless bridge.
In some cases, they’re simply wireless switches. In other cases, a little bit more common, they’re also routers. Early APs were devices with the functionality built into each device. These are called fat, or intelligent, APs. But they’re increasingly, at least in enterprises, being replaced with thin APs, which are really just antennas that hook back to a central system called the wireless controller. The SSID, or service set identifier, is the name used to identify your particular wireless LAN.
By default, these SSIDs are broadcast by the AP, but they can be hidden, as is done in some organizations. The wireless LAN is operating in either infrastructure mode or ad hoc mode. It’s always infrastructure mode if you have an AP. Okay, so the vast majority of wireless LANs out there have access points and therefore are in infrastructure mode. In ad hoc mode, there’s no access point.
So stations communicate directly with one another. It would be a point-to-point type of communication. With Wi-Fi, we also have wireless standards. These are the 802.11 standards, but they’ve been amended a number of times to add additional features and functionality, and so we’ll look at those here shortly. But you also have security protocols as well, because we’re using radio frequencies. This is just over the air, and anybody tuned into the right frequency and connected to our network could easily capture data.
- 802.11 Standards
So let’s start with the wireless standards again. 802.11 was the original. It specified the use of either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS), and supported operations in the 2.4 GHz frequency range at speeds of a whopping one megabit to two megabits per second. Technically, the first amendment to 802.11 was 802.11a. It called for a different frequency mechanism called orthogonal frequency division multiplexing (OFDM). Unfortunately, that would require hardware upgrades to existing equipment.
So this standard saw very limited adoption for some time. It did operate in the 5 GHz frequency band and supported speeds up to 54 megabits per second. Since 802.11a didn’t really catch on, 802.11b dropped support for FHSS and increased the speeds up to eleven megabits per second. It was widely adopted because it is backward compatible with the original 802.11 standard. 802.11F may be a new one to some. That’s an amendment that addressed problems introduced when wireless clients would roam from one access point to another. That’s not common in smaller networks, but in larger networks, where one access point cannot provide coverage for the whole building, we have roaming, and in some cases there would be a delay and it would break application connections.
And so the 802.11F standard, or amendment I should say, to the previous standards, just helped to improve the sharing of authentication information. The 802.11g standard added support for OFDM like 802.11a, which made it capable of 54 megabits per second. It, however, still operated on the 2.4 GHz frequency, so it was backward compatible with both 802.11 and 802.11b. That’s just as fast as A. But many people actually switched to A at this point because its band was less crowded. I think that was true at one time, but then G definitely gained ground over A.
G was around for quite a while. And then we got 802.11n. This uses a newer concept called multiple input, multiple output (MIMO) to achieve much higher rates of speed, up to 650 megabits per second. That’s in part because of MIMO, and in part because you are using channels that are 40 MHz wide. It does operate at both 2.4 GHz and 5 GHz, but it performs best in the pure 5 GHz bands because you don’t have slower, older devices slowing it down. 802.11ac has a multi-station throughput of at least a gigabit per second and a single link throughput of at least 500 megabits per second. This operates in the 5 GHz band as well, also using MIMO technologies or even additional MIMO technologies. So that’s the highest speed, and that would be the latest standard.