14/4/2011
References
Security+ Guide to Network Security Fundamentals, Third Edition; Mark Ciampa.
Chapter 7: Access Control Chapter 3: Protecting Systems
Server Security
InfoSecurity
AY2011S1
School of Information Technology, Nanyang Polytechnic
Objectives
- Define access control
- Describe logical access control methods
- Describe physical access control methods
- Explain how to harden the server O/S
- Explain SQL injection and how to harden a web server
Access Control
Access control
The process by which resources or services are granted or denied on a computer system or network
Authentication
Checking the user's credentials to be sure that they are authentic and not fabricated; for example, a password
Authorization
Granting permission to take the action; such as user authorized to login
Mandatory Access Control (MAC)
The end user cannot implement, modify, or transfer any controls. This is the most restrictive model because all controls are fixed. The MAC model is typically used in defense and military environments where it is absolutely vital to ensure that documents do not fall into the wrong hands. The traditional Unix system of users, groups, and read-write-execute permissions is an example of MAC.
To overcome these vulnerabilities, operating systems such as Apple Macintosh, UNIX and Windows Vista prompt users for permission whenever software is installed; this is known as User Account Control (UAC).
Job rotation
Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another
Least privilege
Each user should be given only the minimal amount of privileges necessary to perform his or her job function
Implicit deny
If a condition is not explicitly met, then it is to be rejected
In Windows, the access control entry (ACE) includes four items of information:
- A security identifier (SID) for the user account, group account, or logon session
- An access mask that specifies the access rights controlled by the ACE
- A flag that indicates the type of ACE
- A set of flags that determine whether objects can inherit permissions
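As an added example (not from the slides or from Ciampa's text), the following Python model shows the four ACE fields above and how an ordered ACL is evaluated so that the "implicit deny" rule from the earlier slide holds: a right that no entry explicitly grants is refused. The SIDs are constructed sample values, the access mask is a three-right subset, and the deny-before-allow sort is the canonical order Windows expects; the non-canonical case is shown so the reader can see why that order matters.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Access(Flag):
    """Access mask bits (a three-right subset of the Windows access mask)."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


ALLOW = "access_allowed"   # ACE type flag values
DENY = "access_denied"


@dataclass(frozen=True)
class ACE:
    """One access control entry: the four items listed on the slide."""
    sid: str                   # SID of a user account, group account or logon session
    mask: Access               # access rights this entry controls
    ace_type: str              # ALLOW or DENY
    inheritable: bool = False  # whether child objects inherit this entry


def canonicalize(acl):
    """Canonical order: explicit deny entries ahead of explicit allow entries.
    Sorting is stable, so entries of the same type keep their relative order."""
    return sorted(acl, key=lambda ace: 0 if ace.ace_type == DENY else 1)


def check_access(acl, principal_sids, requested):
    """Grant only if every requested right is explicitly allowed.

    The ACL is walked in order. A matching deny that overlaps the request
    rejects at once; rights from matching allows accumulate until the whole
    request is covered. Anything no entry grants is refused (implicit deny).
    """
    granted = Access(0)
    for ace in acl:
        if ace.sid not in principal_sids:
            continue
        if ace.ace_type == DENY and ace.mask & requested:
            return False
        if ace.ace_type == ALLOW:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def inherited_acl(parent_acl):
    """ACL a newly created child object receives: only the inheritable entries."""
    return [ace for ace in parent_acl if ace.inheritable]


# Constructed sample SIDs (not real accounts)
ALICE = "S-1-5-21-1000-1000-1000-1001"
CAROL = "S-1-5-21-1000-1000-1000-1002"
BOB = "S-1-5-21-1000-1000-1000-1003"
STAFF = "S-1-5-21-1000-1000-1000-2001"   # group containing Alice and Carol

FOLDER_ACL = canonicalize([
    ACE(STAFF, Access.READ | Access.EXECUTE, ALLOW, inheritable=True),
    ACE(STAFF, Access.WRITE, ALLOW),
    ACE(ALICE, Access.WRITE, DENY),   # Alice keeps read but may not write
])

if __name__ == "__main__":
    print(check_access(FOLDER_ACL, {ALICE, STAFF}, Access.READ))    # True
    print(check_access(FOLDER_ACL, {ALICE, STAFF}, Access.WRITE))   # False: explicit deny
    print(check_access(FOLDER_ACL, {BOB}, Access.READ))             # False: implicit deny
    print(check_access(inherited_acl(FOLDER_ACL), {CAROL, STAFF}, Access.WRITE))  # False
```

Bob has no matching entry at all, so his read request fails by implicit deny rather than by any explicit rule; Alice's write fails because her deny entry is examined before the group allow. If the same two entries are stored in the opposite order, the group allow satisfies the request before the deny is reached, which is exactly the mistake canonical ordering prevents.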
Group Policies
Group Policy
A Microsoft Windows feature that provides centralized management and configuration of computers and remote users
Using the Microsoft directory services known as Active Directory (AD)
Group Policy is usually used in enterprise environments to restrict user actions that may pose a security risk. Group Policy settings are stored in Group Policy Objects (GPOs). These objects may be linked to multiple domains or sites, which allows multiple systems and users to be updated by a change to a single GPO. Group Policies are applied to computers when they start up and to users when they log on.
Account Restrictions
Time of day restrictions
Limit when a user can log on to a system. These restrictions can be set through a Group Policy or on individual systems.
Account expiration
Setting a user's account to expire. Orphaned accounts, which remain active after an employee has left an organization, can be controlled using account expiration.
Passwords
Password
The most common logical access control. A secret combination of letters and numbers that only the user knows. A password should never be written down, and it must be of sufficient length and complexity that an attacker cannot easily guess it.
Passwords
Attacks on passwords
Brute force attack
Simply trying to guess a password by trying combinations of characters
Dictionary attack
Begins with the attacker creating hashes of common dictionary words, then comparing those hashes against the ones in a stolen password file
Rainbow tables
Make password attacks easier by using a large pregenerated data set of hashes from nearly every possible password combination
Passwords
Password policy
A strong password policy can provide several defenses against password attacks. The first password policy is to create and use strong passwords. One of the best defenses against rainbow tables is to prevent the attacker from capturing the password hashes. A final defense is to use another program to help keep track of passwords.
Password Rules
- Set a minimum number of characters.
- Implement password aging: prompt users to change passwords on a regular basis.
- Do not accept passwords based on dictionary words.
- Do not allow users to reuse passwords.
- Audit password files with some popular password-cracking utilities. Perform audits as often as possible: monthly, every other month, or every quarter.
- If accounts with easily cracked passwords exist, review the password policy and change the passwords immediately.
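The rules above, turned into working checks as an added example (not code from the slides or from Ciampa's text). The policy numbers (12 characters, 90 days, last 5 passwords) and the small word list are assumed values for the demo; the storage format is salted PBKDF2 so that the stored hashes also illustrate the earlier point about rainbow tables, which are built against unsalted hashes. The PBKDF2 round count is kept low to make the demo fast; production systems use far more.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Policy parameters (assumed values; tune to the organisation's own policy)
MIN_LENGTH = 12
MAX_AGE_DAYS = 90          # password aging: force a change after this many days
HISTORY_DEPTH = 5          # how many previous passwords a user may not reuse
PBKDF2_ROUNDS = 20_000     # deliberately low for the demo
# Constructed sample word list standing in for a real dictionary file
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "dragon"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. A random per-user salt means a rainbow
    table built from unsalted hashes cannot be looked up against the store."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, stored):
    """Constant-time comparison of a candidate against a (salt, digest) pair."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(candidate, history):
    """Apply the password rules to a proposed password.
    Returns the list of violated rules; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("based on a dictionary word")
    if any(verify(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def must_change(last_changed_iso, today_iso):
    """Password aging: True once the password is older than MAX_AGE_DAYS."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def audit_weak_passwords(accounts):
    """Periodic audit: try every dictionary word against each stored hash and
    report the accounts whose password a dictionary attack would recover."""
    weak = []
    for user, stored in accounts.items():
        if any(verify(word, stored) for word in DICTIONARY):
            weak.append(user)
    return weak


if __name__ == "__main__":
    print(check_new_password("Welcome2024!!", []))   # ['based on a dictionary word']
    print(check_new_password("Tr0ub4dor&3-Xyz", []))  # []
    print(must_change("2011-01-01", "2011-04-14"))    # True
    accounts = {"alice": hash_password("dragon"), "bob": hash_password("Tr0ub4dor&3-Xyz")}
    print(audit_weak_passwords(accounts))             # ['alice']
```

The reuse check works only because the history keeps each old password's salt alongside its digest; the candidate is re-hashed with that salt and compared, so no plaintext history is ever stored. The audit function is the defender's version of the "password-cracking utility" step: it runs the same dictionary the policy rejects at set time, so an account it flags is one whose password slipped past the policy or predates it.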
Physical Security
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Oh, the things a bad guy can do if he can lay his hands on your computer! Here's a sampling, going from Stone Age to Space Age:
- He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
- He could unplug the computer, haul it out of your building, and hold it for ransom.
- He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem: if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways.)
- He could remove the hard drive from your computer, install it into his computer, and read it.
- He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed.
- He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.
Computer Security
The most fundamental step in physical security is to secure the system itself.
Remove or disable hardware such as USB ports and DVD drives; this prevents an attacker from reaching the server and installing programs on it. Secure network servers in a rack mount, which can be stacked with up to 50 other servers in a closely confined area. Rack-mounted units are typically connected to a single KVM (keyboard, video, mouse) switch.
Door Security
Hardware locks
Preset lock - automatically locks behind the person, unless it has been set to remain unlocked
Deadbolt lock - extends a solid metal bar into the door frame for extra security; requires that the key be used to both open and lock the door
Door Security
Door access systems
Cipher lock - combination locks that use buttons that must be pushed in the proper sequence to open the door
Tailgate sensor - uses multiple infrared beams that are aimed across a doorway and positioned so that as a person walks through the doorway.
Door Security
Physical tokens
Objects used to identify users
ID badge
The most common type of physical token. ID badges originally were visually screened by security guards. Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags, which can be read by an RFID transceiver as the user walks through the door with the badge in her pocket.
Mantraps
Mantrap
A security device that monitors and controls two interlocking doors to a small room (a vestibule) that separates a nonsecured area from a secured area
Mantraps are used at high-security areas where only authorized persons are allowed to enter, such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals.
Video Surveillance
Closed circuit television (CCTV)
Using video cameras to transmit a signal to a specific and limited set of receivers
Some CCTV cameras are fixed in a single position pointed at a door or a hallway. Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view.
Hotfix
Addresses a specific customer situation; may not be distributed outside that customer's organization
Service Pack
A cumulative package of all hotfixes, patches and updates.
Patches can sometimes create new problems, such as preventing a custom application from running correctly.
For Windows-based systems, there are two defenses against buffer overflows:
1. Data execution prevention (DEP)
2. Address space layout randomization (ASLR)
Configuration baseline
A configuration baseline establishes the O/S configuration settings for each computer in the organisation (mentioned earlier in logical access control methods)
Security template
A checklist to configure a suite of configuration baseline security settings.
Deployment
Deploy the security template
' Vulnerable login query: the values typed by the user are concatenated straight into the SQL text
' (tb_userid is assumed here; the slide shows only the tb_pword text box)
strSQL = "SELECT * FROM UserTable WHERE UserID='" & tb_userid.Text & "' AND Pword='" & tb_pword.Text & "'"
' Entering   ' or 1=1 ; --   in the UserID field turns the query into:
'   SELECT * FROM UserTable WHERE UserID='' or 1=1 ; -- ' AND Pword='...'
' -- means comment: everything after it, including the password check, is ignored,
' and "or 1=1" makes the WHERE condition true for every row
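The same injection run against a constructed SQLite table, as an added example that is not part of the slides: one login function concatenates the input exactly as the slide's VB code does, the other passes it as a query parameter, which is the hardening the chapter recommends. The table, rows and column names are constructed for the demo (plaintext passwords are kept only to mirror the slide's query; a real system stores salted hashes). The payload drops the slide's semicolon because sqlite3's execute() runs one statement per call; the "--" comment has the same effect either way.

```python
import sqlite3


def build_db():
    """Constructed sample UserTable (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (UserID TEXT, Pword TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)",
                     [("alice", "s3cret!"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, userid, pword):
    """Mirrors the slide: user input concatenated straight into the query text,
    so characters in the input are interpreted as SQL."""
    sql = ("SELECT * FROM UserTable WHERE UserID='" + userid
           + "' AND Pword='" + pword + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, userid, pword):
    """Hardened version: placeholders keep the input as data, never as SQL,
    so the same payload simply fails to match any UserID."""
    sql = "SELECT * FROM UserTable WHERE UserID=? AND Pword=?"
    return conn.execute(sql, (userid, pword)).fetchall()


# The slide's payload without the trailing ';' (sqlite3 executes one statement per call)
INJECTION = "' or 1=1 --"

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, INJECTION, "anything"))     # every row: the password check is commented out
    print(login_parameterized(db, INJECTION, "anything"))  # []: no user is literally named "' or 1=1 --"
```

The parameterized query needs no input filtering to stay safe: the database driver sends the text as a bound value, so a quote or comment marker inside it can never terminate the string literal. That is why escaping or blacklisting characters is the weaker fix; it tries to keep data out of the SQL grammar after the two have already been mixed.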
Summary
Access control is the process by which resources or services are denied or granted
Logical access control methods include using access control lists (ACLs) and password management.
Physical access control attempts to limit access to computer equipment by unauthorized users.
Hardening the operating system is key in resisting attacks. Web servers are prime targets for attackers