
AY2011S1

School of Information Technology, Nanyang Polytechnic

14/4/2011

Info Security Technology

Topic 4 Server Security


Server Security 1

References
Security+ Guide to Network Security Fundamentals, Third Edition; Mark Ciampa.
Chapter 7: Access Control
Chapter 3: Protecting Systems


Objectives
Define access control.
Describe logical access control methods.
Describe physical access control methods.
Explain how to harden the server O/S.
Explain SQL injection and how to harden a web server.


Access Control
Access control
The process by which resources or services are granted or denied on a computer system or network

Basic Steps of Access Control


Identification
A user accessing a computer system presents credentials or identification, such as a username

Authentication
Checking the user's credentials to be sure that they are authentic and not fabricated, such as a password

Authorization
Granting permission to take the action, such as a user being authorized to log in

Granted access rights
Rights given to certain services or applications in order to perform duties, such as a user being allowed to access specific data.

Access Control Models


Access control model
Provides a predefined framework for hardware and software developers who need to implement access control in their devices or applications. Once an access control model is applied, custodians can configure security based on the requirements set by the owner, so that end users can perform their job functions.

There are four major access control models:
Mandatory Access Control
Discretionary Access Control
Role Based Access Control
Rule Based Access Control


Mandatory Access Control


Mandatory Access Control (MAC) model
The owner and custodian (security policy administrator) are responsible for managing access controls.
The owner first defines a policy that strictly defines which users can perform specific operations on the resources. The policy is then implemented.

The end user cannot implement, modify, or transfer any controls. This is the most restrictive model because all controls are fixed. The MAC model is typically used in defense and military environments where it is absolutely vital to ensure that documents do not fall into the wrong hands. The traditional Unix system of users, groups, and read-write-execute permissions is an example of MAC.

Discretionary Access Control


Discretionary Access Control (DAC) model
The least restrictive model, used in a home environment. A user has total control over any resources that he or she owns, along with the programs that are associated with those resources. A user can also change the permissions of other users over those resources.
DAC has two significant weaknesses:
It relies on the end user to set the proper level of security.
A user's permissions will be inherited by any programs the user runs.

To overcome these vulnerabilities, O/S such as Apple Macintosh, UNIX and Windows Vista prompt users for permission whenever software is installed, known as User Account Control (UAC).


User Account Control


Three primary security restrictions implemented by UAC:
Run with limited privileges by default.
Applications run in standard end-user accounts.
Standard end users perform common tasks.


Role Based Access Control


Role Based Access Control (RBAC) model
A newer alternative to mandatory access control (MAC) and discretionary access control (DAC). Widely accepted as a best practice and considered a more real-world approach than the other models. Assigns permissions to particular roles in the organization, and then assigns end users to those roles. Resources are set to be a certain type, to which users with that particular role have access. Systems that implement some form of RBAC include Microsoft Active Directory, Microsoft SQL Server and Oracle DBMS.


Rule Based Access Control


Rule Based Access Control (RBAC) model
Dynamically assigns roles to users based on a set of rules defined by a custodian (security policy administrator). Each resource contains a set of access properties based on the rules. Rule Based Access Control is often used for managing user access to one or more systems.
For example, a router can assign a certain role to a user based on her network address or protocol; this determines whether the user can access resources in different networks. Other examples include permitting access for an account or group to a network connection only at certain hours of the day or days of the week.


Practices for Access Control


Separation of duties
Requires that if the fraudulent application of a process could potentially result in a breach of security, the process should be divided between two or more individuals.

Job rotation
Instead of one person having sole responsibility for a function, individuals are periodically moved from one job responsibility to another

Least privilege
Each user should be given only the minimal amount of privileges necessary to perform his or her job function

Implicit deny
If a condition is not explicitly met, then the request is rejected
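As an added example (not from the slides), the following Python sketches the role-based and rule-based models together with least privilege and implicit deny: users get permissions only through roles, and custodian-defined rules (permitted hours, and an internal-network-only rule for a privileged role, like the router example above) decide whether a role is active for a request. All users, roles, permissions, addresses and the request date are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed example data: roles carry permissions and users are assigned
# roles, as in the RBAC model. No role carries more than its job needs.
ROLE_PERMISSIONS = {
    "dba":      {"read:customer_db", "write:customer_db", "backup:customer_db"},
    "helpdesk": {"read:customer_db", "reset:user_password"},
    "auditor":  {"read:customer_db", "read:access_log"},
}
USER_ROLES = {
    "alice": {"dba"},
    "bob":   {"helpdesk"},
    "carol": {"auditor"},
}

# Rule-based layer, as a custodian would define it: a role is active only
# during [start, end) hours and, for sensitive roles, only from the internal net.
ROLE_HOURS = {"helpdesk": (8, 18), "auditor": (9, 17)}   # no entry = any hour
INTERNAL_ONLY_ROLES = {"dba"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")         # constructed range


def when(hour, minute=0):
    """Helper for building a request time (constructed date: 14 April 2011)."""
    return datetime(2011, 4, 14, hour, minute)


def active_roles(user, now, source_ip):
    """Roles of `user` whose time-of-day and network rules hold for this request."""
    active = set()
    addr = ipaddress.ip_address(source_ip)
    for role in USER_ROLES.get(user, set()):
        window = ROLE_HOURS.get(role)
        if window is not None and not (window[0] <= now.hour < window[1]):
            continue                      # outside the permitted hours
        if role in INTERNAL_ONLY_ROLES and addr not in INTERNAL_NET:
            continue                      # privileged role not usable remotely
        active.add(role)
    return active


def is_authorized(user, permission, now, source_ip):
    """Implicit deny: True only if an active role explicitly carries the
    permission. Unknown users, unknown permissions, out-of-hours requests and
    remote use of internal-only roles all fall through to False."""
    for role in active_roles(user, now, source_ip):
        if permission in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False
```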

Access Control Methods


Two categories of access control methods:
Logical Access Control
access control lists (ACLs), group policies, account restrictions, and passwords
Physical Access Control
computer security, door security, mantraps, video surveillance, and physical access logs

Logical Access Control Methods


Logical access control includes
access control lists (ACLs), group policies, account restrictions, and passwords


Access Control Lists (ACLs)


Access control list (ACL)
Specifies which users are allowed to access the resource and what operations they can perform on it

In Windows, an Access control entry (ACE) includes four items of information:
A security identifier (SID) for the user account, group account, or logon session
An access mask that specifies the access rights controlled by the ACE
A flag that indicates the type of ACE
A set of flags that determine whether child objects can inherit permissions
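Added example, not from the slides: a small Python model of a Windows-style ACL built from the four ACE fields above, showing how a request is checked against the entries, why explicit deny entries are ordered before allow entries, and which entries a child object inherits. The SIDs and access-mask bit values are constructed placeholders.

```python
from dataclasses import dataclass

# Access-mask bits: a constructed subset of the rights a Windows ACE can carry.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALLOW, DENY = "ACCESS_ALLOWED", "ACCESS_DENIED"


@dataclass
class ACE:
    sid: str                # security identifier of a user, group or logon session
    mask: int               # access rights this entry controls
    ace_type: str           # ALLOW or DENY (the ACE type flag)
    inherit: bool = False   # may child objects inherit this entry?


def access_check(acl, caller_sids, requested):
    """Walk the ACEs in order against every SID the caller holds.
    A deny entry touching any still-outstanding right ends the check with a
    refusal; allow entries accumulate rights until the request is fully
    satisfied. Falling off the end means nothing granted the rest: implicit deny."""
    remaining = requested
    for ace in acl:
        if ace.sid not in caller_sids:
            continue
        if ace.ace_type == DENY and ace.mask & remaining:
            return False
        if ace.ace_type == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


def canonical_order(acl):
    """Explicit deny entries before explicit allow entries. Windows keeps DACLs
    in this order; in an out-of-order ACL an allow entry can satisfy the
    request before the deny entry is ever reached."""
    return sorted(acl, key=lambda ace: 0 if ace.ace_type == DENY else 1)


def inherited_acl(parent_acl):
    """A new child object starts with only the parent's inheritable entries."""
    return [ace for ace in parent_acl if ace.inherit]


# Constructed placeholder SIDs, not real identifiers.
ALICE, BOB, USERS = "S-1-5-21-EXAMPLE-1001", "S-1-5-21-EXAMPLE-1002", "S-1-5-21-EXAMPLE-513"
FOLDER_ACL = [
    ACE(BOB, WRITE | DELETE, DENY),                         # contractor: read-only here
    ACE(ALICE, READ | WRITE | DELETE, ALLOW, inherit=True),
    ACE(USERS, READ | EXECUTE, ALLOW, inherit=True),
]
```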

Group Policies
Group Policy
A Microsoft Windows feature that provides centralized management and configuration of computers and remote users, using the Microsoft directory service known as Active Directory (AD).

Group Policy is usually used in enterprise environments to restrict user actions that may pose a security risk. Group Policy settings are stored in Group Policy Objects (GPOs). These objects may be linked to multiple domains or web sites, which allows multiple systems and users to be updated by a change to a single GPO. Group Policies are applied for computers when they start up and for users when they log on.

Account Restrictions
Account Restrictions
Time of day restrictions
Limit when a user can log on to a system. These restrictions can be set through a Group Policy or set on individual systems.

Account expiration
Setting a user's account to expire. Orphaned accounts, which remain active after an employee has left an organization, can be controlled using account expiration.


Passwords
Password
The most common logical access control. A secret combination of letters and numbers that only the user knows. A password should never be written down. It must also be of sufficient length and complexity that an attacker cannot easily guess it.


Passwords
Attacks on passwords
Brute force attack
Simply trying to guess a password by trying random combinations of characters

Passwords are typically stored in an encrypted form called a hash

Attackers try to steal the file of hashed passwords and then break the hashed passwords offline

Dictionary attack
Begins with the attacker creating hashes of common dictionary words and comparing those hashed dictionary words against those in a stolen password file

Rainbow tables
Make password attacks easier by creating a large pregenerated data set of hashes from nearly every possible password combination

Passwords
Password policy
A strong password policy can provide several defenses against password attacks. The first password policy is to create and use strong passwords. One of the best defenses against rainbow tables is to prevent the attacker from capturing the password hashes. A final defense is to use another program to help keep track of passwords.

Password Rules
Set a minimum number of characters.
Implement password aging: prompt users to change passwords on a regular basis.
Do not accept passwords based on dictionary words.
Do not allow users to reuse passwords.
Audit password files with some popular password-cracking utilities. Perform audits as often as possible: monthly, every other month, or every quarter.
If accounts with easily-cracked passwords exist, review the password policy and change those passwords immediately.
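Added example (not from the slides) showing how the rules above are enforced in code: a Python password checker for minimum length, complexity, dictionary words, reuse and aging, with salted PBKDF2 storage so that the stored hashes cannot be matched against a pregenerated table. The word list, thresholds and sample dates are constructed.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

ITERATIONS = 100_000      # PBKDF2 work factor (constructed choice)
MIN_LENGTH = 12
MAX_AGE_DAYS = 90         # password aging threshold
HISTORY_DEPTH = 5         # how many previous passwords may not be reused
# Constructed mini word list; a real check would load a full dictionary.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per password makes the
    same password hash differently for every account, so a pregenerated table
    of hashes (a rainbow table) built without that salt cannot be matched
    against the stored value."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def policy_violations(candidate, history=()):
    """Apply the slide's password rules. Returns the rules broken (an empty
    list means accepted). `history` holds (salt, digest) pairs of the user's
    earlier passwords, so reuse is detected without storing them in clear."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if sum(classes) < 3:
        problems.append("insufficient complexity")
    letters_only = "".join(c for c in candidate.lower() if c.isalpha())
    if letters_only in DICTIONARY:      # catches "Summer2011" as well as "summer"
        problems.append("based on a dictionary word")
    if any(verify_password(candidate, s, d) for s, d in list(history)[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


def password_expired(set_on_iso, today_iso):
    """Password aging: the user must be prompted to change after MAX_AGE_DAYS."""
    set_on, today = date.fromisoformat(set_on_iso), date.fromisoformat(today_iso)
    return today - set_on >= timedelta(days=MAX_AGE_DAYS)
```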

Physical Security
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Oh, the things a bad guy can do if he can lay his hands on your computer! Here's a sampling, going from Stone Age to Space Age:
He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
He could unplug the computer, haul it out of your building, and hold it for ransom.
He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem: if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways.)
He could remove the hard drive from your computer, install it into his computer, and read it.
He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed.
He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Reference: 10 Immutable Laws of Security (by Microsoft)


Physical Access Control Methods


Physical access control primarily protects computer equipment. It is designed to prevent unauthorized users from gaining physical access to equipment in order to use, steal, or vandalize it. Physical access control includes computer security, door security, mantraps, video surveillance, and physical access logs.


Computer Security
The most fundamental step in physical security is to secure the system itself.
Remove or disable hardware such as USB ports and DVD drives. This prevents an attacker from reaching the server and installing programs on it. Secure network servers in rack-mount cabinets, which can be stacked with up to 50 other servers in a closely confined area. Rack-mounted units are typically connected to a single KVM (keyboard, video, mouse) switch.

Door Security
Hardware locks
Preset lock - automatically locks behind the person, unless it has been set to remain unlocked
Deadbolt lock - extends a solid metal bar into the door frame for extra security. Requires that the key be used to both open and lock the door

Door Security
Door access systems
Cipher lock - combination locks that use buttons that must be pushed in the proper sequence to open the door
Tailgate sensor - uses multiple infrared beams that are aimed across a doorway and positioned so that as a person walks through the doorway.

Door Security
Physical tokens
Objects used to identify users
ID badge
The most common type of physical token. ID badges originally were visually screened by security guards. Today, ID badges can be fitted with tiny radio frequency identification (RFID) tags that can be read by an RFID transceiver as the user walks through the door with the badge in her pocket.


Mantraps
Mantrap
A security device that monitors and controls two interlocking doors to a small room (a vestibule) that separates a nonsecured area from a secured area

Mantraps are used at high-security areas where only authorized persons are allowed to enter
Such as sensitive data processing areas, cash handling areas, critical research labs, security control rooms, and automated airline passenger entry portals

Video Surveillance
Closed circuit television (CCTV)
Using video cameras to transmit a signal to a specific and limited set of receivers

Some CCTV cameras are fixed in a single position pointed at a door or a hallway. Other cameras resemble a small dome and allow the security technician to move the camera 360 degrees for a full panoramic view.


Physical Access Log


Physical access log
A record or list of individuals who entered a secure area, the time that they entered, and the time they left the area. Can also identify whether unauthorized personnel have accessed a secure area.

Physical access logs originally were paper documents


Today, door access systems and physical tokens can generate electronic log documents


Hardening the Server O/S


Hardening the server operating system to resist attacks is often a three-pronged approach that involves:
1. Managing operating system updates
2. Buffer overflow protection
3. Configuring operating system protections


Managing O/S Updates


The most important step in hardening an O/S to resist attacks is to apply updates. Due to the increased length and complexity of operating systems, unintentional vulnerabilities are introduced, and these are then exploited by attackers.


Managing O/S Updates


Software Fixes
Patch
A broadly released software security update intended to cover vulnerabilities that have been discovered

Hotfix
Addresses a specific customer situation; may not be distributed outside that customer's organization

Service Pack
A cumulative package of all hotfixes, patches and updates.

Managing O/S Updates


Patch management techniques
Install updates automatically
Download updates but let me choose whether to install them
Check for updates but let me choose whether to download and install them
Never check for updates

Patches can sometimes create new problems, such as preventing a custom application from running correctly.

Buffer Overflow Protection


Buffer overflow
Occurs when a process attempts to store data in random access memory (RAM) beyond the boundaries of a fixed-length storage buffer. The extra data overflows into the adjacent memory locations and under certain conditions may cause the computer to stop functioning.

Attackers also use a buffer overflow in order to compromise a computer.


Buffer Overflow Protection


Basic defenses
Write defensive program code that will protect against these attacks
Use a programming language that makes these attacks more difficult

For Windows-based systems, there are two defenses against buffer overflows:
1. Data execution prevention (DEP)
2. Address space layout randomization (ASLR)


Data Execution Prevention (DEP)


Most modern CPUs support an NX (No eXecute) bit to designate a part of memory as containing only data. DEP will not allow code in that memory area to be executed. Windows Vista allows software developers to enable NX hardware protection specifically for the application software that they develop.

Address Space Layout Randomization (ASLR)


Randomly assigns executable operating system code to one of 256 possible locations in memory. This makes it harder for an attacker to locate and take advantage of any functionality inside these executables. ASLR is most effective when it is used in conjunction with DEP.


Configuring O/S Protection


Most organizations take a four-fold approach to configuring operating system protections:
Security policy
Plans and policies established by the organization to define the defense mechanisms (mentioned in topic 2)

Configuration baseline
A configuration baseline establishes the O/S configuration settings for each computer in the organisation (mentioned earlier in logical access control methods)

Security template
A checklist to configure a suite of configuration baseline security settings.

Deployment
Deploy the security template

Hardening Web Servers


Because of their open exposure, Web servers are prime targets for attackers.
SQL injection
One of the most common types of attacks. Uses a form of injection like XSS. Hinges on an attacker being able to enter an SQL database query into a dynamic Web page.

SQL (structured query language)
A language used to view and manipulate data that is stored in a relational database


How SQL injection works

The login page builds its query by concatenating the text typed into the UserID and password fields:

strSQL = "SELECT * from UserTable Where UserID='" & tb_userid.Text & "' AND Pword='" & tb_pword.Text & "'"

If the attacker enters the text  ' or 1=1 ; --  (beginning with a single quote) into the UserID field, the string becomes:

strSQL = "SELECT * from UserTable Where UserID='' or 1=1 ; -- ' AND Pword='" & tb_pword.Text & "'"

-- means comment: the database ignores everything after it, including the password check, and 1=1 is always true.
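Added example, not from the slides: the same login query in Python against an in-memory SQLite table, built once by concatenation as on the slide and once with bound parameters, run with the slide's injected UserID to show that only the parameterized version refuses the bogus login. The table contents are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with the slide's column names. Pword is kept
    in clear text only to mirror the slide; a real system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (UserID TEXT, Pword TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, userid, pword):
    """Builds the statement by string concatenation, like the slide's strSQL."""
    sql = ("SELECT * FROM UserTable WHERE UserID='" + userid +
           "' AND Pword='" + pword + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, userid, pword):
    """Placeholders hand the input to the driver as data; it is never parsed as SQL."""
    sql = "SELECT * FROM UserTable WHERE UserID=? AND Pword=?"
    return conn.execute(sql, (userid, pword)).fetchall()


# The slide's injected UserID (the semicolon before the comment is not needed):
# the quote closes the literal, "or 1=1" is always true, and "--" comments
# out the password check that follows.
PAYLOAD = "' or 1=1 --"


def compare():
    """Row counts each login routine returns for the same inputs."""
    conn = make_db()
    return {
        "good_credentials":      len(login_parameterized(conn, "alice", "s3cret")),
        "wrong_password":        len(login_parameterized(conn, "alice", "nope")),
        "vulnerable+payload":    len(login_vulnerable(conn, PAYLOAD, "nope")),
        "parameterized+payload": len(login_parameterized(conn, PAYLOAD, "nope")),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows} row(s)")
```

With the concatenated query the payload returns every row (two), so the application would treat the attacker as logged in; with bound parameters the same input matches no user.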

Hardening Web Servers


Variations to the SQL injection attack
Deleting data from the database
Accessing the host operating system through function calls
Retrieving a list of all usernames and passwords


Summary
Access control is the process by which resources or services are denied or granted.
Logical access control methods include using access control lists (ACLs) and password management. Physical access control attempts to limit access to computer equipment by unauthorized users.

Hardening the operating system is key in resisting attacks. Web servers are prime targets for attackers.