Changes

Jump to: navigation, search

SEC520/labs/Lab 5

18,689 bytes added, 16:25, 31 January 2018
Created page with "<h1> <span class="mw-headline">Hardening Windows</span></h1> <a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2> <br /> In the..."
<h1> <span class="mw-headline">Hardening Windows</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
<br />
In the previous two labs, you should have learned how to penetrate your vulnerable Windows 2003 server using a variety of vulnerability testing strategies. In this lab, students will learn how to make their Windows servers less vulnerable to these types of attacks (i.e. <b>hardening</b> the Windows 2003 server):<br /><br />
<dl><dd><ul><li>
Students will learn to setup <b>Account &amp; Auditing Policies</b> (including the shutting-down of unnecessary services). This is performed an application called the <b>Security Configuration Wizard</b> (<b>SCW</b>).
</li></ul>
</dd></dl>
<dl><dd><ul><li>Students will then learn to <b>limit the roles and priviledges of regular and administrative accounts</b>, and set up a method of <b>logging to help monitor any suspicious activity</b>.
</li></ul>
</dd></dl>
<dl><dd><ul><li>Students will learn to setup and implement <b>NTFS</b> to provide addition security for files (similar to using <i>ACLs</i> when you hardened your Linux system).
</li></ul>
</dd></dl>
<dl><dd><ul><li>Finally, students will learn to <b>apply sofware upgrades (patches)</b> to make their Windows server less vulnerable, and to automate the process of software updates.
</li></ul>
</dd></dl>
<br /><br />
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
<ol>
<li>Setup and maintain <b>User Account and Auditing (logging) Policies</b>i (including shutting down any unnecessary services).
</li><li>Implement <b>NTFS</b> to provide additional security access to files
</li><li><b>Monitor system logs</b> for any suspicious activity (intrusion)</li>
</li><li><b>Apply and automate software updates</b> (patches)
</li></ol>
<p><br>
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
<ul>
<li> <b>SATA Hard Disk</b> (in removable disk tray).
</li><li> <b>Lab Logbook (Lab4 Reference Sheet)</b> (to make notes and observations).
</li></ul>
<p><br>
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://scs.senecac.on.ca/~fac/sec520/labs/SEC520_Lab_4.html">SEC520 Lab 4</a>
</li></ul>
<p><br>
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>

<ul>
<li><a href="http://www.windowsecurity.com/articles/security-configuration-wizard-windows-server-2003-sp1.html" target="_new">Security Configuration Wizard (Service Pack 1 - Windows 2003 Server)</a></li>
<li><a href="http://www.windowsecurity.com/articles/understanding-windows-ntfs-permissions.html" target="_new">NTFS (Setting up Share Permissions)</a></li>
<li><a href="http://support.microsoft.com/kb/327838" target="_new">Automating Updates - Windows 2003 Server</a></li>
<li><a href="https://www.sans.org/media/score/checklists/ID-Windows.pdf" target="_new">Intrusion Discovery (Windows)</a></li>
</ul>

<p><br>
</p>
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
<ul>
<li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w8_l1.odp" target="_new">odp</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w8_l1.pdf" target="_new">pdf</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w8_l1.ppt" target="_new">ppt</a> (Slides: Hardening Windows 2003 Server)</li><li><a href="http://lcweb.senecac.on.ca:2052/assetviewer.aspx?bookid=12602&chunkid=978290911&rowid=177" target="_new">Hardening Windows Second Edition (E-book)</a> (Chapter 5)</li>
<li>YouTube Video: <a href="http://www.youtube.com/watch?v=df1_yx2fa8g" target="_new">Security Configuration Wizard 2003</a></li>
</ul>

<p><br>
</p>
<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 5</span></h1>
<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Setting Account &amp; Auditing Policies (Security Configuration Wizard)</span></h2>
<br />
The Security Configuration Wizard (<b>SCW</b>) is a tool to allow the adminstrator to control or "lock down" your Windows 2003 server in terms of:<ul><li>Which services can be turned on and off</li><li>Which users have access to running services</li><li>Service policies</li></ul>
<br />
In this section, you will learn to install, configure and implement security policies using <b>SCW</b>.
<br /><br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Idea.png" width="35" height="35" border="0" /></a></div>
<div><b>Locking Down the Server's BIOS</b><br />The system adminstrator should prevent the server's BIOS from bootin from removable drives, and setup a BIOS password to limit access to editing the server's BIOS. Since you are using the college's computers, you are not able to lock down the BIOS, but it is worth mentioning when you are securing computers in the future.</div>
</div>
<br />
INSTRUCTIONS:
<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Important.png" width="35" height="35" border="0" /></a></div>
<div><b>Service Pack 1 Required</b><br />In order to install, setup and configure the Security Configuration Wizard, you need to install Service Pack 1 on your Windows 2003 server before proceeding with this section.<br /><br />In order to <b>install Service Pack 1</b>, you need to download and install</b>. Here is a link to obtain Service Pack 1:<br /><a href="http://technet.microsoft.com/en-us/windowsserver/bb463273.aspx">http://technet.microsoft.com/en-us/windowsserver/bb463273.aspx</a> </div>
</div>
<br />
<ol>
<li>Boot up your Kali Linux (host), and boot up your Windows 2003 server.</li>
<li>Log in as <b>administrator</b>.</li>
<li>Make certain that you installed <b>Service Pack 1</b> before proceeding (refer to <i>"Service Pack 1 Required"</i> above).</li>
<li>In order to install <b>SCW</b>, select <b>Control Panel</b> , double click <b>Add/Remove Programs</b> , select <b>Security Configuration Wizard</b> checkbox, click <b>Next</b>, and click <b>Finish</b>.</li>
<li>Launch the <b>SCW</b> application, click <b>Next</b>.</li>
<li>At the <b>Configuration Action</b> dialog box, select <b>Create a new security policy</b> and then click <b>Next</b>.</li>
<li>The <b>Select Server</b> dialog box should appear. select <b>current server</b> and click <b>Next</b></li>
<li>It may a few minutes for <b>SCW</b> to process the default settings.<br /> Click <b>View Configuration</b> and then click <b>Next</b> in order to view the <i>various roles</i>, <i>running applications</i> and <i>open ports</i> on your current server.</li>
</ol>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Idea.png" width="35" height="35" border="0" /></a></div>
<div><b>Security Policy Template</b><br /><b>SCW</b> allows security settings to be saved in a file, that can be used to import into other newly-installed or exising Window 2003 servers in order to save time...</div>
</div>

<br />
<ol>
<li value="9">Click <b>Next</b> to go to the <b>Select Client Features</b> dialog box. This allows the administrator to run various client services on the server. </li>
<li>Click <b>Next</b> to go tot he <b>Select Administration and Other Options</b> dialog box. This section allows the adminstrator to enable special (usually remote) services (ports).</li>
<li>Click <b>Next</b> to access the <b>Select Additional Services</b> dialog box. This allows the administrator to detect running services and display other services that are not enabled, but are available.</li>
<li>Click <b>Next</b> to proceed to the last (verification) dialog box, and click <b>Next</b> to proceed with setting the various parts of your current server's security policy.</li>
</ol>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Idea.png" width="35" height="35" border="0" /></a></div>
<div><b>Security Policy Elements</b><br />Security policies in <b>SCW</b> consists of several categories: <ul><li><b>Network Security</b> (port and application settings</li><li><b>Registry</b> (communication protocols between machines)</li><li><b>Audit Policy</b> (logging user and system events)</li></ul></div>
</div>
<br />

<ol>
<li value="13">In the <b>Network Security</b> section, make selections to tighten up your system to expose the smallest possible number of services running on your Windows Server (as you did in lab 4: <i>System Hardening Linux - Part 1</i>). </li>
<li>In the <b>Registry Settings</b> section, make selections for <b>encryption type</b> relating to what was taught in class (slides). You can also setup <b>LDAP</b> to require users on remote machines to provide authentication when logging in.</li>
<li>In the <b>Audit Policy</b> section, set the policy to <b>complete auditing</b>.</li>
<li>proceed to the summary dialog box to confirm settings, and also save your security policy using the name <b>lab8_security_policy</b>.</li>
<li>Proceed to Task #2</li>
</ol>
<p><b>Answer the Task #1 observations / questions in your lab log book.</b>
</p>
<br />

<a name="Task2" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #2: Implementing New Technology File System (NTFS)</span></h2>
<br />
<b>NTFS</b> is a newer file system developped for Windows operating systems that provide improved disk space utilization, file system journaling, as well as security. This newer file system technology incorporates <b>Access Control Lists (ACLs)</b> which you have learned and configured in <i>lab #5: Linux Hardening - Part 2</i>.
<br /><br />
In this section, we will learn how to use ACLs to "finely-tune" group access to directories and files, and differentiate between setting permissions via ACL and setting permissions .

<br /><br />
INSTRUCTIONS:
<ol>
<li>Read the tutorial on how to use ACLs with Windows NTFS Permissions at the following link:<br /><a href="http://www.windowsecurity.com/articles/understanding-windows-ntfs-permissions.html" target="_new">Understanding Windows NTFS Permissions</a></li>
<li>Perform the following steps (as in Lab #5, but using Windows NTFS Permissions):<ol>
<li>Create the following directory: <b>c:\share</b></li>
<li>Set passthrough permissions, and set permissions for the share
directory to allow students to access and list contents for this
directory.</li>
<li>Use the groupadd command to create a new group name called <b>project</b> </li>
<li>Create a file in the share directory called <b>project.txt</b> </li>
<li>Set permissions for same group members to view and modify contents of the file <b>C:\share\project.txt</b></li>
<li>Create two user accounts called: <b>user1</b> and <b>user2</b> (Use the <b>useradd</b> command with an option to create a home directory and to belong to group: <b>project</b>.</li>
<li>Switch to <b>user1</b>, and confirm that they can access and modify the file: <b>C:\share\project.txt</b></li>
<li>Repeat the above step for <b>user2</b>.</li>
<li>Why can't you allow <b>user1</b> to read and modify the project.txt file, but only allow <b>user2</b> to only read the project.txt file? Answer in your lab log-book.</li>
</ol></li>
<li>Proceed to Task #3.</li>
</ol>

<p><b>Answer Task #2 observations / questions in your lab log book.</b>
</p><p><br>
</p>

<a name="Task3" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #3: Monitoring Logs &amp; Activity / Tripwire for Windows</span></h2>
<br />
In this section, we will be using similar techniques to monitor suspicious activity in your Windows 2003 server as you did in <b>lab7</b> (for your Linux server). The tools in Windows will be a combination of Graphical and command-line.
<br /><br />
INSTRUCTIONS:
<ol>
<li>In your hardened Windows server, open the command prompt.</li>
<li>Run the <b>Event Manger</b> graphical tool by issing the following MS command:
<pre>
<b>eventvwr.msc</b>
</pre>
<br />
Check the logs for the following activity:
<ul>
<li>Event logging stopped</li>
<li>Windows File Permission not active</li>
<li>Telnet Service started successfully (this service is vulnerable)</li>
<li>Significant number of unsuccessful login attempts</li>
</ul>
<br />
</li>
<li>Run the following graphical and command-line tools, in order to view and identify all of the services running on your Windows 2003 server (both normal and suspicious):
<pre>
<b>taskmgr.exe</b>

<b>services.msc</b>

<b>tasklist /svc</b>
</pre>
<br />
As with the previous Linux hardenening lab, determine which services are vulnerable, and shut-down vulnerable or unnecessary services. Which services did you shut down? Record your answer in your lab log-book.
<br /><br />
<li>Perform a <b>Search for Files or Folders</b> that are over 10000KB in size (i.e. use the <b>search options</b> before starting search). Did you locate any files of this size? What do you think files greater than 10000KB would indicate? Record your answers in your log lab-book.
<li>View your Windows registry file to detect any suspicious or strange programs by issuing the following command:
<pre>
<b>regedit</b>
</pre>
<br />
For interest, perform a <i>netsearch</i> for a listing of common programs (contained in the registry) that could pose a hazard to your Windows system.
<br /><br />
<li>Next, issue the following MS commands in order to detect unusual network activity:
<pre>
<b>net view</b>

<b>net session</b>

<b>net user</b>

<b>netstat -na</b>
</pre>
<br /></li>
<li>Run the following Windows commands to observe any unusual scheduled tasks:
<pre>
<b>schtasks</b>

<b>msconfig.exe</b>
</pre>
<br /></li>
<li>Finally, run the following Windows command to detect any unusual (recentrly added) user accounts to the Windows system:
<pre>
<b>lusrmgr.msc</b> </pre>
<br /></li>
</ol>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="35px-Idea.png" width="35" height="35" border="0" /></a></div>
<div><b>Tripwire Alternative for Windows?</b><br />
As a matter of interest, there is an alternative IDS for MS Windows (amoung other platforms). The name of the application is called <b>OSSEC</b> which is a scalable, multi-platform, and open source (free).<br /><br />Here is a link to this application:<br />
<a href="http://www.ossec.net/" target="_blank">http://www.ossec.net/</a>
</div>
</div>
<br />
<ol>
<li value="9">Take a moment to note general similarities and difference between hardening your Windows server (as opposed to your Linux server). Record your observations in your lab log-book.</li>
<li>Proceed to Task #4.</li>
</ol>

<p><b>Answer Task #3 observations / questions in your lab log book.</b>
</p><p><br>
</p>

<a name="Task4" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #4: Apply / Automate Software Updates</span></h2>


<br />
INSTRUCTIONS:
<ol>
<li>Read the tutorial on how to setup automatic updates in Windows 2003 server at the following link:<br /><a href="http://support.microsoft.com/kb/327838" target="_new">How to Schedule Automatic Updates in Windows Server 2003</a></li>
<li>Using the above tutorial, setup your Windows 2003 server to automatically update the server.</li>
<li>Try the same process in Lab 3 to try to penetrate your Windows 2003 server. Where you successful? Record your findings in your lab lab-book.
<li>Besides making system updates automatic, what other steps could a system administrator take in order to protect their system from newer network attacks? Record your answer in your lab log-book.</li>
<li>Proceed to "Completing The Lab".</li>
</ol>

<p><b>Answer Task #4 observations / questions in your lab log book.</b>
</p><p><br>
</p>


<a name="Completing_the_Lab" id="Completing_the_Lab"></a><h1> <span class="mw-headline"> Completing the Lab </span></h1>
<p><b>Arrange evidence for each of these items on your screen, then ask
your instructor to review them and sign off on the lab's completion:</b>
</p>
<ol>
<li>Contents of security policy file called: <b>lab8_security_policy</b>.</li>
<li>Compare ACLs by demonstrating running services via <b>user1</b> and <b>user2</b>.</li>
<li><b>Automatic Updates</b> enabled.</li>
<li>Results of <b>hardened Windows 2003</b> <u>second attempt</u> at penetration testing.</li>
<li>Completed Lab 5 notes.</li>
</ol>
<p><br>
</p>
<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a><h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>

<ol>
<li>What is the purpose of a <b>security policy</b> as it related to a Windows server?</li>
<li>What is required from a new Windows 2003 Server install in order to install and configure <b>SCW</b>?</li>
<li>List and breifly explain the elements of a security policy using the <b>SCW</b>.</li>
<li>List 4 features of <b>NTFS</b>.</li>
<li>Why is it advantageous to set automatic updates for your Windows 2003 server as it relates to network security?</li>
</ol>

Navigation menu