Server hardening
What is server hardening?
- process of securing an operating system/server is called hardening
- makes the system more resistant to attacks
approach :
- process of hardening is the same (it also has its own approach)
- different steps must be taken to secure each operating system
What does it cover?
- security hardware (preventing physical access)
- securing OS
- securing applications (eg databases, web servers, email servers etc)
- access control
Levels to server hardening
1) hardware level
- limit direct access to physical machine to only a few individuals
- unused ports should be disabled from BIOS (eg USB)
- password should be applied on BIOS
BIOS : the program a computer’s microprocessor uses to start the computer system after it is powered on.
2) application level
- applications should not use default ports (FTP, SMTP etc)
- application rights should be reviewed individually (different applications should have different rights)
-many other considerations as applications differ in function and purpose
3) OS level (five-step process)
Passwords
What are passwords?
- secret word/string of characters that is used for authentication, to prove identity or gain access to a resource
-selecting a good password for user account is critical to protect information systems
- security VS usability
> as security increases, usability decreases and vice versa)
because good passwords are usually hard to remember
Components of a good password
1) not easy for someone to guess or obtain using password-cracking utilities; set complex password (length, combination of many types of characters etc)
2) easy to remember but also secure; use of language, like a passphrase
3) change passwords frequently; change after a certain number of days
4) do not reuse an old password; keep a copy of users old passwords
Handling your password
- taking responsibility of your own password :
- do not share it with anyone
- do not store your passwords on mobile devices and/prn papers, walls or under the table
Password complexity
1) a password can be made more difficult to guess/obtain by following these guidelines :
- at least 8 character long
- at least 3 of the following 4 elements
one or more uppercase letters
one or more lowercase letters
one or more numerals
one or more special characters/ punctuation marks - should not consist dictionary words
- never be the same as login name/contain any login name
- should not contain user’s personal information or any item that is easily identified with the user (first & last names, family member name, birthdates, pet names etc)
Passphrase (password)
Can be formed in this way:
- taking the first letter of each word in a sentence
- taking the first letter from the first word, second letter from the second word and so on
- combining words
- replacing letters with other characters
(combinations of the above and etc)
Password aging
- virtually, any password can be cracked by testing all possible passwords (brute force)
> they should be changed regularly
- enforced password aging : have users change their passwords every 60-90 days
- even if the password has been cracked, it will fail once its changed
> limits the possibility of undetected compromised passwords
Minimum password age policy
- determines how long users must keep a password before they can change it
- prevents a user from dodging the password history policy
- the specific minimum age should be set from 3-7 days
> users are less likely to switch back to an old password immediately, but are still able to change it in a reasonable amount of time
Maximum password age policy
- determines how long users can keep a password before they are required to change it
- forces the user to change their passwords regularly
Password reuse
1) do not allow reuse of previous passwords
2) to prevent password reuse :
- store the last 5-10 passwords in a hash
- do not allow users to reuse previous passwords
- compare new passwords with a pool of previously set passwords
Enforce password history policy
- will set how often an old password can be reused
- discourages users from reusing a previous password = preventing them from alternating between several common passwords
- some may try to work around this policy
eg : disallow last 10 passwords, so change password 10 times immediately, but its prevented with the Minimum Password Age policy
Password policy guidelines
organizational rules that staff needs to adhere to
steps to address password issue
1) create a password policy
- examine business and security needs
- decide acceptable level of security
- password complexity rules
2) announce the policy
- announce the policy
- give a copy of policy to all users
- every user should understand the policy
3) enforce the policy
- use tools to help ensure users use complex passwords
- password auditing
- Minimum Password Length policy
- Passwords must meet complexity requirements policy
1.
- determines the minimum number of characters needed to create a password
- long passwords are harder to crack than short ones
- every user needs to set passwords according to the complexity rules
Attacks on passwords
1) brute force
- use of trial and error approach and hoping that eventually the guess is correct
- old method but still effective and popular
2) reverse brute force
- uses a common password against multiple usernames in an attempt to gain access to a network
3) online guessing
- attempt different passwords at login prompt
4) offline cracking
- attempt to steal the file of hashed passwords then break the hashed passwords offline
Offline cracking of passwords (Attacks on passwords)
1) capture user ID and passwords hashes (user database/password file)
2) using brute force attack : guess a password, hash it, try to find a matching hash
3) dictionary attack :
- hash a list of the words from the dictionary
- compare to captured hashes
4) rainbow tables
- hash a list of all possible passwords (not just dictionary words)
- compare to captured hashes
- extremely difficult to produce a list of all possible passwords
eg : 26 lower and upper case letters, 10 digits, 32 special characters = 216,320 possibilities in a password
- daunting, so they focus on weak passwords and common techniques to create so-called strong passwords
Others attacks on passwords
1) social engineering
- phishing, shoulder surfing, dumpster diving
2) capturing
- keyloggers and protocol analyzers
3) password reset
- requires physical access
- attacker reboots computer with an OS on a USB drive
- OS contains a password resetting software
