3.6 Summary
(Page 6 of 10)
OS, Network and Application Hardening
When hardening an OS, some steps
you may wish to take include:
- Research common guidelines that include a set
of specific activities for hardening each specific OS you use, and start
with these as a base of potential improvements; build on it from there,
adding and subtracting items as needed.
- Improved user/password management (remove unused
accounts, enforce password guidelines such as length and ageing, log
logins/logouts/attempts/account changes, consider putting users into
groups to ease administration and enforce lockout of accounts after
a number of unsuccessful attempts).
- Analyze where you've just taken the defaults during an OS installation and decide whether that was appropriate; some defaults install unnecessary services which lead to vulnerabilities; in general, you should make sure that only required components are installed, and only required services are enabled.
- Tighten policies in use (if your OS supports it, as Windows does, you can use system and network policies to lock down entire groups of machines and users at a time).
- Select a secure file system (on Windows machines, file systems like FAT are not secure, because permission-based access is not used; a better Windows choice is NTFS; also consider an encrypting file system so that if an attacker steals the disk and tries to read it directly on another machine, he will not be able to get the data; you might also consider the robustness of the file system and its resistance to data corruption, since some file systems are better than others).
- Select secure authentication mechanisms (choose
something like Kerberos rather than a mechanism that transmits the password
in cleartext; in Windows 2000 and higher, this has already been done
for you courtesy of the Kerberos functionality built into the OS).
- Set appropriate permissions on files and directories (do not allow users to write into system directories; follow guidelines appropriate to your organization for restricting users' access to other users' files).
- Keep on top of updates, such as patches (a fix
to a software problem; sometimes patches add new features, but usually
just fix bugs), hotfixes (interim fixes issued for critical bugs that
are often security-related; they are generally developed more quickly
and are less tested than service packs) and service packs (or update
pack, which is a collection of patches; service packs are often heavily
tested to minimize the potential for trouble after installation); be
aware that ANY update you install to your system may break something,
so you should test any update during non-production hours to ensure
compatibility with your existing system configurations.
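Added example, not from the CertiGuide text: the account-lockout rule from the user/password bullet above, replayed over constructed login audit lines in Python. The failure threshold, sliding window and lockout length are assumed policy values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values assumed for this example; match them to your own guidelines.
MAX_FAILURES = 3
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)

def parse_event(line: str) -> tuple[datetime, str, str]:
    """Parse a constructed 'timestamp user outcome' audit line."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome

def apply_lockout_policy(log_lines: list[str]) -> dict[str, list[datetime]]:
    """Replay login events in order; return, per account, the times at which
    the policy locked it. Only failures inside the sliding window count."""
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    locked_until: dict[str, datetime] = {}
    lockouts: dict[str, list[datetime]] = defaultdict(list)
    for line in log_lines:
        ts, user, outcome = parse_event(line)
        if user in locked_until and ts < locked_until[user]:
            continue  # attempts made while locked out are ignored
        if outcome == "SUCCESS":
            recent_failures[user].clear()  # a good login resets the counter
            continue
        # Age out failures older than the window, then record this one.
        window_start = ts - FAILURE_WINDOW
        recent_failures[user] = [t for t in recent_failures[user] if t >= window_start]
        recent_failures[user].append(ts)
        if len(recent_failures[user]) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT_DURATION
            lockouts[user].append(ts)
            recent_failures[user].clear()
    return dict(lockouts)

# Constructed audit trail: "alice" mistypes twice then logs in, so she is never
# locked; "svc-backup" takes four failures in a minute and is locked on the third.
SAMPLE_LOG = """\
2004-11-15T09:00:00 alice FAIL
2004-11-15T09:00:20 alice FAIL
2004-11-15T09:00:45 alice SUCCESS
2004-11-15T09:10:00 svc-backup FAIL
2004-11-15T09:10:10 svc-backup FAIL
2004-11-15T09:10:20 svc-backup FAIL
2004-11-15T09:10:30 svc-backup FAIL
2004-11-15T09:50:00 svc-backup SUCCESS
""".splitlines()
```

Calling `apply_lockout_policy(SAMPLE_LOG)` reports only svc-backup, locked at the third failure; the fourth attempt falls inside the lockout and is not counted.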
When hardening a network, some steps
you may wish to take include:
- Update firmware (the updateable programming that
determines how a device operates; it is important to watch for vendor
updates and update firmware on a regular basis, since it can correct
security bugs in hardware devices just as OS updates correct OS vulnerabilities).
- Carefully configure each device (changing any
default or blank passwords on the device will remove lots of low
hanging fruit from attackers; make any configuration changes recommended
by the vendor to improve security).
- Disable any non-required services on the device,
as unnecessary services running on the device increase vulnerability
without adding any functionality your organization needs.
- Use access control lists to specify traffic that will and will not be allowed to pass through the device (it is common to deny all inbound traffic and list the exceptions that will be permitted, such as traffic inbound on port 80 to the web server, inbound on port 25 to the mail server, etc., and often common to permit all outbound traffic; permitting all outbound traffic is becoming less popular as employers crack down on employee use of peer-to-peer Internet services and workday Internet browsing; you should also use access control lists to specify that inbound traffic with a source address equal to your inside network should not be allowed, and outbound traffic with a source address not inside your network should not be allowed, to help foil TCP/IP spoofing).
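Added example, not part of the original guide: the inbound/outbound access-control policy from the bullet above as a first-match rule evaluator in Python. The inside network, web server and mail server addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the inside network, web server and mail server
# are hypothetical documentation-range addresses.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the Internet) or "out" (leaving)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

def evaluate(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, matched_rule); the first matching rule wins.
    Order follows the summary: anti-spoofing first, then the explicit inbound
    exceptions, then deny-all inbound / permit-all outbound."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Anti-spoofing: inbound traffic claiming an inside source, or outbound
    # traffic whose source is not inside, is dropped.
    if pkt.direction == "in" and src in INSIDE_NET:
        return ("deny", "inbound-spoofed-inside-source")
    if pkt.direction == "out" and src not in INSIDE_NET:
        return ("deny", "outbound-spoofed-outside-source")
    # Explicit inbound exceptions: only the listed service on the listed host.
    if pkt.direction == "in" and pkt.proto == "tcp":
        if dst == WEB_SERVER and pkt.dport == 80:
            return ("permit", "inbound-http-to-web-server")
        if dst == MAIL_SERVER and pkt.dport == 25:
            return ("permit", "inbound-smtp-to-mail-server")
    # Defaults: deny everything else inbound, permit everything outbound.
    if pkt.direction == "in":
        return ("deny", "default-deny-inbound")
    return ("permit", "default-permit-outbound")

# Constructed sample traffic, one packet per interesting case.
SAMPLE_PACKETS = [
    Packet("in", "203.0.113.7", "192.0.2.10", "tcp", 80),      # web hit
    Packet("in", "203.0.113.7", "192.0.2.10", "tcp", 25),      # SMTP to wrong host
    Packet("in", "192.0.2.99", "192.0.2.10", "tcp", 80),       # spoofed inside source
    Packet("out", "198.51.100.4", "203.0.113.7", "tcp", 443),  # spoofed outbound
    Packet("out", "192.0.2.50", "203.0.113.7", "tcp", 443),    # normal outbound
]
```

Running `evaluate` over `SAMPLE_PACKETS` shows that SMTP aimed at the web server falls through to the default deny, while both spoofed packets are caught before any exception is considered.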
When hardening network applications,
you should ensure that the platform on which they are deployed (the
OS) is secure by following the guidelines listed above for hardening
an OS. Since these machines tend to be more attractive targets to attackers,
special attention should be paid to keeping them up to date with patches
and secured. Most network applications in common use involve services
running on well-known TCP/IP ports (that is, on ports numbered 0-1023),
although TCP/IP ports up to 65535 are possible. In general, you should
make sure that only required services and applications are installed
on each server; a common guideline is to require that each server do
only one thing (be a web server, be an email server, be a database server,
etc.).
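Added example, not the guide's own code: a listening-port audit that applies the "one job per server" guideline to constructed netstat -an style output, calling out well-known ports (0-1023) separately. The per-role allowlists are assumed.

```python
import re

# Per-role allowlists (constructed for this example). Under the "one job per
# server" guideline a web server should only listen for HTTP/HTTPS plus its
# remote-administration channel; anything else is a finding to investigate.
ROLE_ALLOWLIST = {
    "web": {22, 80, 443},
    "mail": {22, 25},
}

# Local-address column of a netstat -an style TCP line in LISTEN state.
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def parse_listeners(netstat_output: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for every listening TCP socket."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners

def audit(role: str, netstat_output: str) -> list[str]:
    """Flag listeners not on the role's allowlist. Well-known ports (0-1023)
    are called out because they almost always mean a real service."""
    allowed = ROLE_ALLOWLIST[role]
    findings = []
    for addr, port in parse_listeners(netstat_output):
        if port not in allowed:
            kind = "well-known" if port <= 1023 else "registered/dynamic"
            findings.append(f"{addr}:{port} ({kind}) not expected on a {role} server")
    return findings

# Constructed netstat -an output for a supposed web server: besides SSH and
# HTTP/HTTPS it is also running an FTP daemon and a local database listener.
SAMPLE_WEB_SERVER = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
"""

if __name__ == "__main__":
    for finding in audit("web", SAMPLE_WEB_SERVER):
        print("FINDING:", finding)
```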
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.