Hands-on Lab 5 - Host Security
(DUE March 21, 2006 by midnight EST)
"Although firewalls stop most Internet-based attacks, they cannot stop all outside attackes, and they are even less effective for attacks from within a corporation. The bottom line is that some atacks inevitably will reach victim hosts within the firm." [Corporate Computer and Network Security, Raymond Panko, Prentice-Hall, 2004, pg. 216.]
In this assignment, you will gain some experience in hardening Windows and Linux computers. This will include ensuring that unnecessary services are turned off, managing users and groups, managing access permissions, and inspecting the computer logs.
You are going to be connecting to our SAIL (Security and Assurance of Information Lab) Lab through a VPN tunnel. You will also be using a program called RealVNC (http://www.realvnc.com/) that will allow you to remotely connect and control another computer.
Pre-assignment:
- review the following documents about securing Windows hosts:
- Create a new standard user with your first initial and last name as the username (e.g. wsummers) on either Sail1, Sail2, or Sail3 (Windows host)
- Add your user to the PowerUser Group
- review the following documents about securing Linux hosts:
- You will need to connect to Sail6-10 and then to the Linux virtual machine on Sail6-10 with ssh (secure shell). If you have not already downloaded an ssh client, you can get putty
Instructions for use of putty are found at Secure Telnet and FTP using Putty
- Log into either Sail6, Sail7, Sail8, Sail9, or Sail10 (Windows XP) using the account you were given in the Lab Discussion Group in WebCT. You can log into the Linux virtual machine running through Virtual PC (10.0.3.x2 where x is the Sail number) by one of the following three methods (usernames and passwords are the same as with the Windows XP admin accounts):
- Run putty to connect to the Linux virtual machine using ssh with the appropriate IP address.
- To use the GUI in the virtual machine, you can do the following:
- Connect using putty as above.
- Run vncserver from the Linux command line. Note down the number (y) after RedHat-Sailx: (these are sequential numbers depending on the number of sessions running).
- From the Windows XP desktop (native), run the Vncviewer and connect to 10.0.3.x2:y.
- Find the Virtual PC icon on the Windows XP desktop (native) and connect to the RH Linux Service that is running. Although this is the easiest, there are problems with the GUI working properly.
- Explore the systems
Assignment - PART I: Windows
- Host Hardening, Installation, and Patching
- Log onto the Windows computer with your account
- Which computer are you logged into for this assignment?
- Identify the latest Service Pack installed on the computer. How did you find it?
- Does this computer need "patch updating"? How would you apply the updates?
- Turning Off Unnecessary Services
- Log onto the Windows computer with your account and find the list of Services in the Computer Management MMC
- Is the Computer Browser service running? What does it do?
- Is the Telnet service running? What does it do?
- Is the Windows Firewall service running? What does it do?
- Is the Remote Assistance service running? What does it do? What dependencies does this service have?
- How would you turn services on or off?
- Run netstat -a from the command line. What services are running?
- (Run netstat -h to find other options for netstat)
- How else can you find out what programs are running in Windows?
- You discover a process running that is not listed in Services or in the Task Manager. How would you kill (terminate) the process?
- Briefly discuss these three ways to determine what services/programs are running in Windows.
- Managing Users and Groups
- Log onto the Windows computer with your account and find the list of Users and Groups in the Computer Management MMC
- Check to make sure that the Guest account is disabled
- Is the Administrator account enabled? What Groups is the Administrator account in?
- What groups is your account in? Add yourself to the Backup Operators group.
- What are the permissions on your userid's folder? If Everyone has permission, remove it.
- Event Logging
- Log onto the Windows computer with your account and find the Event Logs in the Computer Management MMC
- Discuss the differences between the three event logs in Windows
- Log off the Windows computer
Assignment - PART II: Linux
Create a new standard user with your first initial and last name as the username (e.g. wsummers) on either Sail6, Sail7, Sail8, Sail9, or Sail10
Host Hardening, Installation, and Patching
- Log onto the Linux computer with your account
- Which computer are you logged into for this assignment?
- Identify the version of Red Hat Linux installed on the computer. Look for redhat-release
- Does this computer need "patch updating"? How would you apply the updates?
Turning Off Unnecessary Services
- Log onto the Linux computer with your account
- find the list of services running by typing ps aux | more
- find the list of services that you are running by typing ps aux | grep username where username is your username
- Run netstat -a | more from the command line.
- (Run netstat -h to find other options for netstat)
- How would you kill (terminate) a process?
- Briefly discuss these two ways to determine what services/programs are running in Linux.
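To make the two views comparable, here is an added shell example (not part of the lab) that pulls the listening sockets out of netstat -a output and tallies processes per account from ps aux output. The sample output embedded in it is constructed to resemble the lab's Red Hat VM; on the real machine you can pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example: summarise `netstat -a` and `ps aux` output for a service audit.
# Both samples below are constructed (10.0.3.62 would be the Sail6 VM).

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.3.62:22            10.0.3.6:1043           ESTABLISHED'

PS_SAMPLE='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1372  476 ?        S    Mar20   0:04 init
root      1021  0.0  0.3  3528 1636 ?        S    Mar20   0:00 /usr/sbin/sshd
apache    1190  0.0  0.9  9744 4912 ?        S    Mar20   0:00 /usr/sbin/httpd
wsummers  2160  0.0  0.5  4536 2764 ?        S    22:15   0:00 -bash
wsummers  2190  0.0  1.2 12084 6410 ?        S    22:15   0:01 Xvnc :1 -desktop RedHat-Sail6:1
wsummers  2205  0.0  0.2  2616 1028 pts/0    R    22:16   0:00 ps aux'

# listening_sockets: one line per LISTEN socket as "proto port scope", where
# scope is "local-only" for loopback binds and "exposed" for anything else.
listening_sockets() {
    awk '$NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        scope = ($4 ~ /^127\./) ? "local-only" : "exposed"
        print $1, port, scope
    }'
}

# procs_by_user: number of processes per account, busiest account first.
procs_by_user() {
    awk 'NR > 1 { c[$1]++ } END { for (u in c) print c[u], u }' | sort -rn
}

# Run on the constructed samples; on the lab VM use
# `netstat -a | listening_sockets` and `ps aux | procs_by_user` instead.
printf '%s\n' "$NETSTAT_SAMPLE" | listening_sockets
printf '%s\n' "$PS_SAMPLE" | procs_by_user
```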
Managing Users and Groups
- Log onto the Linux computer with your account and find the list of users and groups in /etc/passwd and /etc/group.
- Note that the passwords are not displayed in passwd. They are stored in /etc/shadow. You need to switch to the root account to view the encrypted passwords in /etc/shadow [This is done by typing su at the command prompt and then entering the administrator password.]
- What accounts are in the group netsecurity?
- What groups is your account in?
- What are the permissions on your userid's /home folder?
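The group-membership questions above are easy to get wrong by reading /etc/group alone, because an account whose primary gid is the group's gid in /etc/passwd is a member too. This added shell example (not part of the lab) resolves both kinds of membership and adds one shadow-file check; the three account files are constructed samples, and on the lab VM you would point the functions at the real files instead.

```shell
#!/bin/sh
# Added example: answer the user/group questions from copies of the account
# files. The samples are constructed; on the lab VM point the functions at
# /etc/passwd, /etc/group and (as root) /etc/shadow.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
wsummers:x:500:500:W Summers:/home/wsummers:/bin/bash
jdoe:x:501:502:J Doe:/home/jdoe:/bin/bash'
GROUP_SAMPLE='root:x:0:root
wheel:x:10:root,wsummers
apache:x:48:
wsummers:x:500:
netsecurity:x:502:wsummers'
SHADOW_SAMPLE='root:$1$constructed$hashA:13200:0:99999:7:::
apache:!!:13200:0:99999:7:::
wsummers:$1$constructed$hashB:13222:0:99999:7:::
jdoe::13222:0:99999:7:::'

# group_members NAME PASSWD GROUP: members listed in the group entry plus
# accounts whose primary gid is that group (jdoe is in netsecurity only by gid).
group_members() {
    awk -F: -v g="$1" '
        NR == FNR { if ($1 == g) { gid = $3; n = split($4, m, ",")
                                   for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1 }
                    next }
        $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }' "$3" "$2" | sort
}

# user_groups NAME PASSWD GROUP: primary group plus every supplementary group.
user_groups() {
    awk -F: -v u="$1" '
        NR == FNR { if ($1 == u) gid = $4; next }
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2" "$3" | sort
}

# passwordless_accounts SHADOW: an empty hash field means login with no
# password at all; locked accounts show "!!" or "*" there instead.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

TMP=${TMPDIR:-/tmp}/lab5.$$; mkdir -p "$TMP"
printf '%s\n' "$PASSWD_SAMPLE" > "$TMP/passwd"
printf '%s\n' "$GROUP_SAMPLE" > "$TMP/group"
printf '%s\n' "$SHADOW_SAMPLE" > "$TMP/shadow"
echo "netsecurity members:"; group_members netsecurity "$TMP/passwd" "$TMP/group"
echo "groups of wsummers:"; user_groups wsummers "$TMP/passwd" "$TMP/group"
echo "accounts with no password:"; passwordless_accounts "$TMP/shadow"
```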
Event Logging
- Log onto the Linux computer with your account
- Find out who else is on the computer using who and finger [log file /var/run/utmp]
- Use last to track who has logged in and out of the system [log file /var/log/wtmp] - When was the system last rebooted?
- Log in as root and view /var/log/secure to track access and authentication information
Review the Apache (httpd) log files
- Switch to the root account
- View the access_log file in /etc/httpd/logs
- View the error_log file in /etc/httpd/logs
- /etc/httpd/conf contains the configuration file httpd.conf for Apache
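For the two log reviews in this part (/var/log/secure above, and the Apache access_log here), the following added shell example (not part of the lab) turns each file into a short per-source summary, which is usually how a repeated failure or a scanning host first stands out. The log lines in it are constructed in the formats those files use.

```shell
#!/bin/sh
# Added example: two log-review functions. Both samples are constructed; on
# the lab VM run (as root)
#   failed_logins_by_source < /var/log/secure
#   http_errors_by_client  < /etc/httpd/logs/access_log
SECURE_SAMPLE='Mar 20 22:14:01 sail6 sshd[2154]: Failed password for illegal user admin from 10.0.3.99 port 4311 ssh2
Mar 20 22:14:05 sail6 sshd[2154]: Failed password for root from 10.0.3.99 port 4311 ssh2
Mar 20 22:14:40 sail6 sshd[2158]: Failed password for wsummers from 10.0.3.77 port 2201 ssh2
Mar 20 22:15:10 sail6 sshd[2160]: Accepted password for wsummers from 10.0.3.6 port 1043 ssh2
Mar 20 22:16:00 sail6 su(pam_unix)[2171]: session opened for user root by wsummers(uid=500)'
ACCESS_SAMPLE='10.0.3.6 - - [20/Mar/2006:22:21:15 -0500] "GET /index.html HTTP/1.1" 200 1456
10.0.3.99 - - [20/Mar/2006:22:22:01 -0500] "GET /admin/ HTTP/1.0" 404 291
10.0.3.99 - - [20/Mar/2006:22:22:03 -0500] "GET /cgi-bin/ HTTP/1.0" 403 286
10.0.3.6 - - [20/Mar/2006:22:23:40 -0500] "GET /images/logo.gif HTTP/1.1" 200 8812
10.0.3.77 - - [20/Mar/2006:22:25:12 -0500] "POST /login HTTP/1.1" 500 534'

# failed_logins_by_source: count sshd "Failed password" lines per source
# address (the word after "from"), most failures first.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i < NF; i++) if ($i == "from") c[$(i + 1)]++
    } END { for (s in c) print c[s], s }' | sort -rn
}

# http_errors_by_client: count 4xx/5xx responses per client in the common log
# format, where field 1 is the client address and field 9 the status code.
http_errors_by_client() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { c[$1]++ } END { for (h in c) print c[h], h }' | sort -rn
}

echo "failed ssh logins by source:"; printf '%s\n' "$SECURE_SAMPLE" | failed_logins_by_source
echo "HTTP errors by client:";       printf '%s\n' "$ACCESS_SAMPLE" | http_errors_by_client
```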
Log off the Linux computer
Post-assignment: Answer the following questions -
- Compare your experiences in securing Windows and Linux.
TURN YOUR ASSIGNMENT IN USING THE DROPBOX IN WEBCT